
Juniper Networks Horizontal Campus Validated Design Guide

Published: 2012-05-11

Copyright 2012, Juniper Networks, Inc.

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain. This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto. This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved. GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates. This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc.
All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos OS: Juniper Networks Horizontal Campus Validated Design Guide. Copyright 2012, Juniper Networks, Inc. All rights reserved.

Revision History: April 2012, Revision 1. The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT


The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

Part 1  Overview

Chapter 1  About This Guide . . . 3
    Junos OS Documentation and Release Notes . . . 3
    Objectives . . . 4
    Audience . . . 4
    Examples . . . 4
        Using the Examples in This Guide . . . 4
        Merging a Full Example . . . 5
        Merging a Snippet . . . 5
    Documentation Conventions . . . 6
    Documentation Feedback . . . 8
    Technical Support . . . 8
        Requesting Technical Support . . . 8
        Self-Help Online Tools and Resources . . . 8
        Opening a Case with JTAC . . . 9

Chapter 2  Juniper Networks Validated Design Overview . . . 11
    Understanding Validated Designs . . . 11
    Design Goals . . . 12
    Design Benefits . . . 12
    Who Should Read This Guide . . . 12
    How This Guide Is Organized . . . 13
        LAN Infrastructure . . . 13
        WLAN Infrastructure . . . 13
        Firewall . . . 14
    Horizontal Campus Topography . . . 14
    Juniper Networks Validated Design . . . 15
    Design Overview . . . 16
    Design Components . . . 18
        Wired LAN Overview . . . 18
        Wireless LAN Overview . . . 19
        SRX Series Services Gateway Overview . . . 21
            Clustering SRX Series Services Gateways . . . 22
        Virtual Chassis For Collapsed Backbone Design . . . 24
        Subnets and VLANs . . . 26


Part 2  Network Deployment

Chapter 3  Wired LAN Deployment . . . 33
    Configuring the Core Switch . . . 33
        Procedure Overview . . . 34
        Configuring Global Settings for the Core Switch . . . 35
        Configuring a Virtual Chassis for the Core Switch . . . 36
        Configuring Layer 2 Settings for the Core Switch . . . 38
        Configuring Power over Ethernet (optional) . . . 44
        Configuring Layer 3 Settings for the Core Switch . . . 44
    Configuring the Access Switch . . . 45
        Configuring the Access Switch in Extended Mode . . . 46
            Procedure Overview . . . 46
            Configuring Global Settings . . . 47
            Configuring the Virtual Chassis . . . 48
            Configuring Layer 2 settings . . . 53
        Configuring the Access Switch in Dedicated Mode . . . 59
            Procedure Overview . . . 60
            Configuring Global Settings . . . 60
            Configuring a Virtual Chassis . . . 61
            Configuring Layer 2 settings . . . 63

Chapter 4  Wireless Deployment . . . 67
    Wireless Services Deployment Overview . . . 67
    Configuring the Primary WLC . . . 68
    Configuring the Secondary WLC . . . 73

Chapter 5  SRX Deployment . . . 77
    Prerequisites . . . 77
    Configuring the SRX Series Cluster . . . 78

Part 3  Appendix

Appendix A  Next Steps . . . 93
    Next Steps . . . 93

Appendix B  Virtual Chassis . . . 95
    Virtual Chassis Advantage . . . 95
    Types of Virtual Chassis . . . 95
        Dedicated Mode . . . 96
        Extended Mode . . . 96
        Mixed Mode . . . 96
    Pre-Provisioning the Virtual Chassis . . . 98
    Virtual Chassis Base Configuration . . . 101
    Layer 3 Configuration . . . 101

Appendix C  Configuring DHCP on EX Series Ethernet Switches . . . 103
    Configuring EX Series Ethernet Switches to Provide DHCP . . . 103


Appendix D  Configurations Used in This Guide . . . 105
    EX4200vc1 Set Commands . . . 105
    EX4200vc1 Configuration Statements . . . 108
    EX4200vc2 Set Commands . . . 116
    EX4200vc2 Configuration Statements . . . 117
    EX4200vc3 Set Commands . . . 121
    EX4200vc3 Configuration Statements . . . 123
    EX4542vc1 Set Commands . . . 127
    EX4542vc1 Configuration Statements . . . 131
    WLC-1 Configuration . . . 147
    WLC-2 Configuration . . . 148
    SRX650 Cluster Set Commands . . . 149
    SRX650 Cluster Configuration Statements . . . 152

Appendix E  Bill of Materials . . . 161


List of Figures

Part 1  Overview

Chapter 2  Juniper Networks Validated Design Overview . . . 11
    Figure 1: Horizontal Network Topography for a Single Building . . . 14
    Figure 2: Topography Model for the Horizontal Campus Validated Design . . . 15
    Figure 3: Horizontal Campus Reference Architecture for the Validated Design . . . 16
    Figure 4: Wired LAN Topology . . . 19
    Figure 5: Centralized Switching for the Wireless LAN Controller . . . 20
    Figure 6: Clustered Switching for the Wireless LAN Controller . . . 21
    Figure 7: SRX Zone Map (logical) . . . 21
    Figure 8: SRX reth Failure Scenario 1 . . . 23
    Figure 9: SRX reth Failure Scenario 2 . . . 24
    Figure 10: Common Access Switch Configurations . . . 25
    Figure 11: Virtual Chassis Advantage . . . 26
    Figure 12: VLAN-to-Device Mapping . . . 28

Part 2  Network Deployment

Chapter 3  Wired LAN Deployment . . . 33
    Figure 13: Core Switch . . . 34
    Figure 14: Extended Mode Access Switch . . . 46
    Figure 15: Dedicated Mode Access Switch . . . 59

Chapter 4  Wireless Deployment . . . 67
    Figure 16: Wireless LAN Controllers . . . 67

Chapter 5  SRX Deployment . . . 77
    Figure 17: The SRX Series Services Gateway Cluster . . . 77
    Figure 18: SRX Series Cluster Setup . . . 78
    Figure 19: Deployment Complete . . . 89


List of Tables

Part 1  Overview

Chapter 1  About This Guide . . . 3
    Table 1: Notice Icons . . . 6
    Table 2: Text and Syntax Conventions . . . 6

Chapter 2  Juniper Networks Validated Design Overview . . . 11
    Table 3: Equipment and Hardware Used for the Small Campus Validated Design . . . 17
    Table 4: VLAN-to-Device Mapping . . . 27
    Table 5: Devices Mapped Across VLANS and Subnets . . . 28

Part 3  Appendix

Appendix E  Bill of Materials . . . 161
    Table 6: Hardware List for the Network Core . . . 161
    Table 7: Hardware List for Closet 1.1 . . . 161
    Table 8: Hardware List for Closet 1.2 . . . 162
    Table 9: Hardware List for Closet 2.1 . . . 162
    Table 10: Hardware List for Closet 2.2 . . . 163


PART 1

Overview

About This Guide on page 3
Juniper Networks Validated Design Overview on page 11


CHAPTER 1

About This Guide


This preface provides the following guidelines for using the Juniper Networks Horizontal Campus Validated Design Guide.

Junos OS Documentation and Release Notes on page 3
Objectives on page 4
Audience on page 4
Examples on page 4
Documentation Conventions on page 6
Documentation Feedback on page 8
Technical Support on page 8

Junos OS Documentation and Release Notes


For a list of related Junos OS documentation, see the Junos OS Documentation for EX Series Ethernet Switches, Junos OS Documentation for Wireless LAN Services, and Junos OS Documentation for SRX Series Services Gateways. If the information in the latest release notes differs from the information in the documentation, follow the Junos OS Release Notes. To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks web site at http://www.juniper.net/techpubs/. Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books.


Objectives
This guide provides a simple, step-by-step process that businesses can use to rapidly deploy a small campus solution. The deployment in this guide is based on a tested reference topology that can easily be scaled and adapted to your specific requirements.

Audience
This guide is designed for network administrators who are tasked with designing and deploying a small campus network for a small enterprise. To use this guide, you need to have a broad understanding of networks in general, the Internet in particular, networking principles, and network configuration.

Examples

Using the Examples in This Guide on page 4
Merging a Full Example on page 5
Merging a Snippet on page 5

Using the Examples in This Guide


This guide provides two types of configuration examples. In the step-by-step configuration sections, the commands shown can be cut and pasted onto a device as you work through the guide. The complete configurations from all the devices are also provided in Appendix D, where the configuration section gives two examples, one in each format, for each of the EX Series and SRX Series devices.

The configuration displayed in hierarchical format is what you normally see when you display the configuration from the CLI of the device. The configuration expressed as set commands, like the ones used when configuring the devices line by line, is the format you can view from the CLI by adding the display set modifier to the show configuration command:
user@host> show configuration | display set

Both formats are presented so that you can pick the one that works best for you. For the wireless LAN controllers, the configuration commands can be cut and pasted onto the device; the WLC configuration is available only as a list of commands and has no hierarchical equivalent to the EX Series or SRX Series formats. To use the examples in this guide, you can cut and paste the set commands at the configuration prompt, or you can use the load merge or load merge relative command to add the statements in their hierarchical format. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.


If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command. If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

Merging a Full Example


To merge a full example, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your EX Series or SRX Series device. For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your EX Series or SRX Series device.

   system {
       scripts {
           commit {
               file ex-script.xsl;
           }
       }
   }
   interfaces {
       fxp0 {
           disable;
           unit 0 {
               family inet {
                   address 10.0.0.1/24;
               }
           }
       }
   }

2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:

   [edit]
   user@host# load merge /var/tmp/ex-script.conf
   load complete

Merging a Snippet
To merge a snippet, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform. For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

   commit {
       file ex-script-snippet.xsl;
   }

2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:

   [edit]
   user@host# edit system scripts
   [edit system scripts]

3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:

   [edit system scripts]
   user@host# load merge relative /var/tmp/ex-script-snippet.conf
   load complete
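The relationship between the two configuration formats described under "Using the Examples in This Guide", and the effect of merging a snippet beneath a hierarchy level as in the two procedures above, as an added example that is not code from the guide or from Juniper: the parser below turns hierarchical configuration text into the set commands that show configuration | display set would print, and load_command_for applies the full-example-versus-snippet rule. The function names, the TOP_LEVEL keyword list and the sample texts are this example's own assumptions (the samples reproduce the ex-script.conf and ex-script-snippet.conf texts from the procedures); it also handles bracketed list values and comments, which those samples do not use.

```python
"""Model the two Junos configuration formats described in this guide.

Added example (not code from the guide or from Juniper): a small parser that
turns hierarchical Junos configuration text into the equivalent 'set'
commands, the way 'show configuration | display set' does, and that models
how 'load merge relative' anchors a snippet beneath the current hierarchy
level. Function names, TOP_LEVEL and the sample texts are assumptions made
for this example.
"""
import re
from typing import List, Tuple

# Tokens: double-quoted strings, structural characters, or bare words.
_TOKEN = re.compile(r'"[^"]*"|[{};\[\]]|[^\s{};\[\]]+')

# A few real top-level Junos hierarchies (not exhaustive), used to tell a
# full example (starts at the top of the hierarchy) from a snippet.
TOP_LEVEL = {
    "system", "interfaces", "protocols", "vlans", "security", "chassis",
    "virtual-chassis", "routing-options", "snmp", "poe", "firewall",
    "policy-options", "ethernet-switching-options", "class-of-service",
}


def _strip_comments(text: str) -> str:
    """Drop /* */ comments and '#' annotations, leaving quoted strings alone."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r'"[^"]*"|#[^\n]*',
                  lambda m: m.group(0) if m.group(0).startswith('"') else "",
                  text)


def to_set_commands(text: str, base: Tuple[str, ...] = ()) -> List[str]:
    """Return the 'set ...' commands equivalent to hierarchical config text.

    base is the hierarchy the text is merged beneath: () for a full example
    loaded with 'load merge', or e.g. ('system', 'scripts') for a snippet
    loaded with 'load merge relative' at [edit system scripts].
    Raises ValueError on unbalanced braces or an unterminated statement.
    """
    tokens = _TOKEN.findall(_strip_comments(text))
    path: List[str] = list(base)
    depths: List[int] = []        # path length to restore at each '}'
    stmt: List[str] = []          # words of the statement being read
    out: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            if not stmt:
                raise ValueError("'{' without a container name")
            depths.append(len(path))
            path.extend(stmt)
            stmt = []
        elif tok == "}":
            if stmt:
                raise ValueError("statement not terminated before '}'")
            if not depths:
                raise ValueError("unbalanced '}'")
            path = path[:depths.pop()]
        elif tok == "[":
            # A bracketed list leaf ('members [ a b ]') expands to one set
            # command per element, matching 'display set' output.
            try:
                close = tokens.index("]", i)
            except ValueError:
                raise ValueError("unterminated '['") from None
            for element in tokens[i + 1:close]:
                out.append("set " + " ".join(path + stmt + [element]))
            stmt = []
            i = close            # the ';' after ']' then closes an empty stmt
        elif tok == ";":
            if stmt:
                out.append("set " + " ".join(path + stmt))
            stmt = []
        else:
            stmt.append(tok)
        i += 1
    if depths or stmt:
        raise ValueError("unbalanced '{' or unterminated statement at end")
    return out


def load_command_for(text: str) -> str:
    """'load merge' for a full example, 'load merge relative' for a snippet."""
    tokens = _TOKEN.findall(_strip_comments(text))
    first = tokens[0] if tokens else ""
    return "load merge" if first in TOP_LEVEL else "load merge relative"


# Sample input: the guide's ex-script.conf full example.
FULL_EXAMPLE = """
system { scripts { commit { file ex-script.xsl; } } }
interfaces { fxp0 { disable; unit 0 { family inet { address 10.0.0.1/24; } } } }
"""
# Sample input: the guide's ex-script-snippet.conf, merged at [edit system scripts].
SNIPPET = "commit { file ex-script-snippet.xsl; }"

if __name__ == "__main__":
    print(load_command_for(FULL_EXAMPLE))
    for cmd in to_set_commands(FULL_EXAMPLE):
        print(cmd)
    print(load_command_for(SNIPPET))
    for cmd in to_set_commands(SNIPPET, base=("system", "scripts")):
        print(cmd)
```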

Documentation Conventions
Table 1 on page 6 defines notice icons used in this guide.

Table 1: Notice Icons

Meaning: Description
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.

Table 2 on page 6 defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Bold text like this
    Description: Represents text that you type.
    Example: To enter configuration mode, type the configure command:
        user@host> configure

Fixed-width text like this
    Description: Represents output that appears on the terminal screen.
    Example:
        user@host> show chassis alarms
        No alarms currently active

Italic text like this
    Description: Introduces or emphasizes important new terms. Identifies book names. Identifies RFC and Internet draft titles.
    Examples: A policy term is a named structure that defines match conditions and actions.
        Junos OS System Basics Configuration Guide
        RFC 1997, BGP Communities Attribute

Italic text like this
    Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
    Example: Configure the machine's domain name:
        [edit]
        root@# set system domain-name domain-name

Text like this
    Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
    Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
        The console port is labeled CONSOLE.

< > (angle brackets)
    Description: Enclose optional keywords or variables.
    Example: stub <default-metric metric>;

| (pipe symbol)
    Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
    Examples: broadcast | multicast
        (string1 | string2 | string3)

# (pound sign)
    Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
    Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
    Description: Enclose a variable for which you can substitute one or more values.
    Example: community name members [ community-ids ]

Indention and braces ( { } )
    Description: Identify a level in the configuration hierarchy.
    Example:
        [edit]
        routing-options {
            static {
                route default {
                    nexthop address;
                    retain;
                }
            }
        }

; (semicolon)
    Description: Identifies a leaf statement at a configuration hierarchy level.
    Example: the routing-options example above, where each leaf statement ends with a semicolon.

J-Web GUI Conventions

Bold text like this
    Description: Represents J-Web graphical user interface (GUI) items you click or select.
    Examples: In the Logical Interfaces box, select All Interfaces.
        To cancel the configuration, click Cancel.

> (bold right angle bracket)
    Description: Separates levels in a hierarchy of J-Web selections.
    Example: In the configuration editor hierarchy, select Protocols>Ospf.


Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

Document or topic name
URL or page number
Software release version (if applicable)

Technical Support

Requesting Technical Support on page 8
Self-Help Online Tools and Resources on page 8
Opening a Case with JTAC on page 9

Requesting Technical Support


Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.
JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources


For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

Find CSC offerings: http://www.juniper.net/customers/support/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

Opening a Case with JTAC


You can open a case with JTAC on the Web or by telephone.

Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html


CHAPTER 2

Juniper Networks Validated Design Overview


Understanding Validated Designs on page 11
Design Goals on page 12
Design Benefits on page 12
Who Should Read This Guide on page 12
How This Guide Is Organized on page 13
Horizontal Campus Topography on page 14
Juniper Networks Validated Design on page 15
Design Overview on page 16
Design Components on page 18

Understanding Validated Designs


Juniper Networks offers validated designs for the campus and branch domain to help customers start building and configuring their own networks. A validated design represents a specific configuration of Juniper Networks hardware and software platforms that has been tested together and represents a reliable foundation on which to base a customized network for your business. This document presents a sequential construction and configuration of a validated (tested) design, so that it can be reproduced with success. The first part of the document describes the network elements used and their operation. It also describes a scheme for a common L2/L3 set of boundaries and network interfaces to be used. The second part of the document contains specific configurations used to create this network.


Design Goals
The validated design is created with the following design objectives:

Easy to deploy: Consistent deployment approach for all of the products included in the design. The examples must provide reference methodologies and configurations to enable rapid deployment of a resilient network infrastructure.

Resilient: Simple and robust design, maximizing user productivity by protecting user traffic against unplanned outage.

Flexible: Flexible design, adapted for modular expansion so that users can scale and adapt the network without requiring extensive changes or forklift upgrades.

Solid foundation: Easy support for additional technologies (such as video, collaboration, and so on).

Design Benefits
Some of the advantages of the validated design include:

Modular deployment. Each technology presented here can be deployed independently of the others
Efficient and cost-effective deployment using a standardized design methodology
Redundant infrastructure for wired, wireless, and Internet connectivity
Can be deployed by IT professionals with a moderate amount of technical experience
Easy to manage, with few logical devices and protocols to configure
Standardized methodology reduces deployment time
Reduced number of hardware and software platforms to learn, maintain, and spare
Highly available, redundant LAN and wireless access for all applications

Who Should Read This Guide


This guide is intended primarily for network designers and administrators who:

Have a network that supports 1000 or fewer connected employees
Need wired and wireless access for their employees
Need a simple, resilient network infrastructure
Need a high-performance network that can be easily expanded and adapted to support new technologies
Are new to Juniper Networks products
Are system engineers who need a standardized process to design and deploy networks that comprise Juniper Networks LAN, WLAN, and security products


How This Guide Is Organized


The Juniper Networks Horizontal Campus Validated Design Guide provides a simple, step-by-step process that businesses can use to rapidly deploy a small campus solution. This example deployment uses the most commonly used enterprise network technologies to provide a simple and scalable network architecture that includes LAN, WLAN, and Security components.

LAN Infrastructure on page 13
WLAN Infrastructure on page 13
Firewall on page 14

LAN Infrastructure
The LAN section covers all of the base infrastructure requirements included in planning and deploying VLANs, subnets, and switching and routing protocols. The core LAN section covers:

Configuring resilience
Aggregating all networking components
Configuring user services
Deploying servers, WLAN, firewalls, and resilient connections to the access switching layer

The access layer LAN section covers:


Configuring trunks and VLANs
Configuring access switch-specific settings to provide redundant core connections
Configuring port security
Configuring wired and wireless connectivity for desktop services and mobile devices

WLAN Infrastructure
The section on wireless LAN (WLAN) explains how to configure and deploy redundant WLAN controllers to provide resilient wireless connectivity for enterprise and guest users. Enterprise and guest users are completely isolated from one another, allowing enterprise wireless users to have full access to the network and the Internet, whereas wireless guest users can access only the Internet. The WLAN section covers:

Clustering of wireless LAN controllers for redundancy and resilience
Configuring enterprise access using 802.1X
Configuring guest access using a captive portal


Firewall
The section on firewalls covers configuring clustered firewalls to provide secure, redundant access to Internet-based services. It also details how to configure security policies for Internet and guest services. The Firewall section covers:

Clustering of SRX Series Services Gateways for redundancy and resilience
Configuring security zones and policies
Configuring two Internet/WAN connections in active/passive mode
Configuring guest security and services

Horizontal Campus Topography


Juniper Networks defines the horizontal network topography as a network in a single building with up to three floors and low-to-medium user density. The Juniper Networks Horizontal Campus Validated Design Guide is based on this topography model depicted in Figure 2 on page 15. The actual validated network differs in some details from the exact topography in order to provide a wider variety of configuration examples for those who design and implement networks.

Figure 1: Horizontal Network Topography for a Single Building

The validated network uses the same architecture and network components as the horizontal topography reference on which it is based, and inherits all of the benefits of the design principles laid out in the horizontal topography. The benefits of the horizontal topography model include resiliency for the LAN/switching, wireless LAN, and security networking components. Using a two-tiered network design, commonly called a collapsed core, reduces network complexity. Juniper Networks Virtual Chassis technology reduces the number of actively managed devices and removes the need to rely on legacy redundancy protocols such as spanning tree and VRRP. Virtual Chassis also provides the flexibility to grow the network incrementally on an as-needed basis without compromising performance or availability.


Figure 2: Topography Model for the Horizontal Campus Validated Design

Juniper Networks Validated Design


The Juniper Networks horizontal campus validated design is based on Juniper Networks switching, wireless LAN and security products. It presents a design with configurations to construct a campus network for 1000 or fewer users. This validated design is intended to be a starting point for configuring your own network. The validated design focuses on a proven architecture and addresses the most common configuration requirements needed to bring up a campus network. For information on additional functionality for each of the products, please consult the appendixes found at the end of this document. This document offers the following information about the validated design:

Architecture overview: This section explains the overall architecture and the networking components.

Design details: This section gives step-by-step instructions on how to implement the design and deploy the network.

Configuration details: This section provides all of the exact configurations used. These can be cut and pasted for use in your own network.

This validated design verifies that the network components all work together as expected when configured together according to this guide. Testing was conducted on interoperability and high availability (HA) of the design. Scale testing was not emphasized, because the products' scale characteristics are well documented and, in the case of wireless, may require a site survey to size equipment properly.

Design Overview
At the heart of the network is the switching infrastructure, as shown in Figure 3 on page 16. Juniper Networks EX Series Ethernet Switches are used here because they provide many HA features found in chassis-based solutions, such as redundant Routing Engines, power supplies, and blowers. In addition, up to 10 EX Series Ethernet Switches can be connected together with a high-speed 64-Gbps backplane or using 10-Gbps Ethernet ports, and be managed as a single switch. The flexibility of the EX Series provides an excellent way for users to easily expand network capacity one switch at a time, as needed. This validated network example uses only EX4500 and EX4200 switches, because they were generally available, mature products at the time these tests were done, and they support the same Virtual Chassis technology.

Figure 3: Horizontal Campus Reference Architecture for the Validated Design

The horizontal campus uses a collapsed core architecture, which reduces much of the management burden: there are fewer individual devices to manage, and most of the configuration is centralized in the core. Resiliency is not compromised by taking this approach, because the EX Series, using Virtual Chassis, provides box-level redundancy without the overhead of managing multiple devices and keeping their configurations in sync with every change made to the network.


The Juniper Networks wireless infrastructure utilizes a clustering technology that simplifies managing the entire wireless network by using a single seed cluster controller to configure and manage up to 32 wireless LAN controllers (WLCs). Clustering also dynamically load-balances access points (APs) across WLCs and automatically assigns primary and backup WLCs for each AP. In addition, clustering provides subsecond failover for wireless sessions in case of WLC failure.

Juniper Networks SRX Series Services Gateways provide secure and highly available Internet access for the validated network. The SRX Series devices are clustered and configured as a single device, simplifying security management. The SRX Series cluster replicates session state so that active sessions can be preserved in case of failure.

The SRX Series and EX Series share a common operating system, Junos OS. Using a common operating system reduces the number of different interfaces that need to be managed, and simplifies many common operational tasks.

Table 3 on page 17 lists the equipment and software used to verify this design and its included features. Future software releases should support all of the same functionality. Before deploying equipment and software in your specific environment, it is always recommended that you check the release notes for the specific version of software you intend to deploy.

Table 3: Equipment and Hardware Used for the Small Campus Validated Design

Hardware                  Software
EX4500-40F-FB-C           11.4r1.6
EX4200-24PX               11.4r1.6
EX-UM-2X4SFP              n/a
SRX650-BASE-SRE6-645AP    11.4r1.6
SRX-GP-16GE               n/a
WLC8R*                    7.6.1.3.0
WLA522                    n/a

* The WLC8R was sufficient for our validation testing, but it only supports 12 access points. When planning for your wireless equipment needs, you need to determine the maximum number of access points you require, and then size your wireless LAN controller to that number. As a rule of thumb, one access point per 10-15 users is a good starting point for estimating your wireless needs. For example, a small campus that has 1000 users would typically require 75-100 access points for wireless coverage, and need a pair of WLC800s or WLC880s to support that number of access points.


Design Components
The network detailed in this document is divided into three separate components or modules: LAN or switching infrastructure, wireless, and security. These sections highlight the design choices and main features implemented for each of these components. Although each section can stand on its own, the sections are presented in the logical sequence in which the network would be deployed.

Wired LAN Overview on page 18
Wireless LAN Overview on page 19
SRX Series Services Gateway Overview on page 21
Virtual Chassis For Collapsed Backbone Design on page 24
Subnets and VLANs on page 26

Wired LAN Overview


For our example we use the validated network shown in Figure 4 on page 19. The validated network uses a two-tiered collapsed core network model. This design combines the distribution and core layers together, reducing the complexity and cost of the network. You can easily expand the network capacity by adding additional EX Series Ethernet Switches to any of the existing Virtual Chassis (up to 10 EX4200 Series switches in a single Virtual Chassis).

NOTE: The different Virtual Chassis in this network are highlighted in blue.


Figure 4: Wired LAN Topology

The core network provides high-density 10-Gigabit Ethernet and 1-Gigabit Ethernet connectivity by combining both EX4500 and EX4200 switches in a single Virtual Chassis. This provides the core connectivity and routing for the network, and acts as the Layer 2 and Layer 3 boundary for the access switches. The access layer uses EX4200 Series switches that provide Power over Ethernet (PoE) and Layer 2 connectivity back to the core, using two 10-Gigabit Ethernet ports configured for Ethernet link aggregation (LAG). Each access switch is connected back to the core on different line cards, providing protection in case a single device fails on either end.

The first floor of the building operates as a single Virtual Chassis. The two closets are connected using 10-Gigabit Ethernet ports that are configured to act as Virtual Chassis Extended ports. The second floor closets do not have available fiber to connect the Virtual Chassis together, so each closet has its own Virtual Chassis.

Wireless LAN Overview


In the validated network design, the wireless network is configured for centralized switching, as shown in Figure 5 on page 20. In this configuration, wireless user traffic is received by access points (APs) and then sent to the wireless LAN controller (WLC). The WLC then identifies the traffic by user profile and places it into the proper VLAN. When it is on the LAN, traffic is treated according to policies or priorities configured on the LAN.


Figure 5: Centralized Switching for the Wireless LAN Controller

On the validated network, guest users are placed on the guest VLAN and can access the Internet, whereas corporate users are placed on the Wireless_Data VLAN and have access to the intranet and the Internet. WLCs can be configured in clusters of up to 32 WLCs. The validated design uses a two-WLC cluster, as shown in Figure 6 on page 21. The primary WLC (also known as the primary seed controller) is in charge of configuration management for all WLCs and APs and acts as a central configuration point for all wireless LAN changes. The primary WLC also configures and load-balances the APs across the WLCs to distribute the wireless traffic load. Access points form connections with two separate WLCs: one connection is active, and the other connection acts as a backup. If the connection to the active WLC is interrupted (WLC failure), the backup connection takes over immediately, preserving all existing wireless sessions so that users are not affected.


Figure 6: Clustered Switching for the Wireless LAN Controller

The configuration examples in this document use local authentication for the WLAN authorization. This is to provide a simple way to verify WLAN functionality. In a production environment, local authentication is generally used only for testing or as a last resort authentication method. Use of a RADIUS server for authentication is highly recommended.

SRX Series Services Gateway Overview


The Juniper Networks SRX Series Services Gateway is a zone-based firewall in which different traffic networks are classified as logical zones for easier management.

Figure 7: SRX Zone Map (logical)

Figure 7 on page 21 illustrates the logical zones defined for the validated design. The smaller text inside each zone bubble lists the VLANs contained in that zone. In the figure, to provide a clearer logical view, the Guest Zone is set apart from the EX Series Switches, because the EX Series Switches only provide Layer 2 connectivity for these zones. The Guest VLANs use the SRX Series Services Gateway as their default gateway and obtain IP addresses using DHCP. The Internet Edge zone is where most of the validated network VLANs reside. Each of these VLANs uses the EX Series core switch as its gateway. The Internet_Edge VLAN listed in this zone is where the EX Series forwards any traffic intended for the Internet to the SRX Series. The Management Zone contains the Management VLAN; because this VLAN is used for management of network devices, it is kept separate from the other networks by security policies on the SRX Series. The Untrust Zone is where the SRX Series connects to the Internet and where NAT takes place. This zone is highly restrictive about what traffic is allowed to come in from the Internet.

Clustering SRX Series Services Gateways


The Juniper Networks SRX Series Services Gateways can be configured as a cluster in which they operate as a single device and are configured from a single point. Traffic state is maintained between the two devices of the pair. When the SRX Series devices are clustered, you can configure special interfaces called redundant Ethernet (reth) interfaces. A reth interface has a primary and a secondary owner. Traffic is directed to the primary owner; the secondary owner takes over in case of a failure.

When clustered, the SRX Series devices have a control link to maintain state, configuration, and so on. They also have a fabric link that can be used to forward traffic to each other. In the validated network, the SRX Series Services Gateways are configured to use the fabric link to forward traffic in case of failures. This is useful in networks similar to the validated network design, in which two service providers are used and NAT is configured, resulting in two possible source addresses for Internet-bound traffic. Figure 8 on page 23 and Figure 9 on page 24 illustrate normal traffic flow and what traffic flow looks like in a few different failure scenarios.

The SRX Series devices on the validated network are configured in an active/passive mode in which Service Provider 1 has a better route preference and is used for all Internet traffic unless there is an outage. We also allow traffic to be routed across the fabric link so that, in case of a local interface outage, Service Provider 1 is still used. This removes the need for sessions to be reset, because the source addresses do not change.


Figure 8: SRX reth Failure Scenario 1

In the examples illustrated in Figure 8 on page 23, no session is reset in the case of a local link failure: the sessions continue to use the same service provider, so their source address does not change. In the examples illustrated in Figure 9 on page 24, where the source address for SRX650-1 or Service Provider 1 is lost completely, traffic switches to Service Provider 2. When this occurs, the source IP address for the traffic changes, and existing sessions are reset as a result.


Figure 9: SRX reth Failure Scenario 2

Virtual Chassis For Collapsed Backbone Design


The validated network design documented in this guide can support up to 1000 connected users. The same design principles can be used for larger networks by replacing the core switch with a larger-capacity switch. This document, however, only covers the smaller network deployment in detail.

Traditional networks achieve high availability and performance by configuring redundant devices and complex protocols in multiple tiers that each require independent configuration, thereby greatly increasing network complexity. This design uses a two-tier model commonly called a collapsed core, as shown in Figure 10 on page 25. A collapsed core combines the distribution and core layers together, thereby reducing both the complexity and cost of the network. Even though the tiers are reduced, the network provides the redundancy benefits typically associated with multiple-tiered designs.

The key tool that enables this simple and resilient design is Juniper Networks Virtual Chassis technology. Virtual Chassis allows multiple EX Series Ethernet Switches to operate as a single device, with a high-speed network fabric connecting them together. This provides device-level redundancy without the complexity of managing multiple devices and protocols. It also provides a simple pay-as-you-grow model of network deployment and expansion. Up to 10 EX Series Ethernet Switches can be aggregated in a single Virtual Chassis.


Figure 10: Common Access Switch Configurations

The core and distribution layer is commonly configured as the Layer 2 and Layer 3 boundary. The simplest of these designs uses access switches that are configured as Layer 2 devices and requires very little configuration. Reusing the same VLAN and other settings allows for simple replication across multiple switches and closets. This reuse significantly reduces the time it takes to deploy the network, and keeps things simple at the access layer. The drawbacks with this design are that it often creates loops, and is very inefficient from a bandwidth perspective, because only half of the links can forward traffic. Although Spanning Tree Protocol (STP) is used to manage redundancy, it has slow convergence times, and in case of a faulty configuration, STP may take down part of the network and can be difficult to troubleshoot.

A design using VRRP or HSRP removes the loops and can help provide better link utilization. This design removes STP and has improved reliability and failover, but can get complicated quickly by manually load-balancing per-VLAN or per-subnet traffic across the switches. This approach requires more configuration per switch for both access layer and distribution layer devices. More VLAN, interface, protocol, and switch configurations at the core and distribution layer must be manually kept in sync.

Layer 3 at the access layer eliminates loops and provides load balancing. This could, however, translate into additional license fees and additional, redundant hardware, thereby increasing the cost of the solution. Using VRRP or HSRP is also the most configuration-intensive approach, because it increases the number of devices that must be managed at the access layer, and introduces routing protocols as another layer. This also means that each switch configuration would have many unique items, resulting in increased overall deployment complexity and management overhead.


Figure 11: Virtual Chassis Advantage

A Virtual Chassis allows multiple Juniper Networks EX Series Ethernet Switches to act as a single device. This means that box-level redundancy can be achieved without creating loops in the network, or requiring additional protocols or tedious configuration management between devices. All of the links can be fully utilized, which reduces the costs associated with bandwidth upgrades while providing improved resiliency and performance. In Figure 11 on page 26 the highlighted chassis represent Virtual Chassis (a single logical unit made up of two or more EX Series Switches). In the core/distribution picture, access switches are connected using link aggregation group (LAG) uplinks to the core/distribution Virtual Chassis; the uplinks terminate on separate member switches, providing device-level redundancy without the usual complexity. By taking this even further and using a Virtual Chassis in both the core and access layer, we can further simplify the network by reducing the number of actively managed devices.

NOTE: A Virtual Chassis is unique in its ability to span distances of up to 40 km between devices. This means that multiple wiring closets in the same or even different buildings can be easily combined to reduce the total number of managed devices.

Subnets and VLANs


This section on subnetting and VLANs is intended to be used as a reference for implementing a network foundation that is easy to understand and maintain. Although based on the validated network design, this configuration can be easily adapted to any network environment. This configuration matches the VLAN ID with the third octet of the subnet used where applicable, to simplify the network and maintain consistency. We highly recommend that you consistently implement the VLAN and subnetting system throughout, because each exception increases the complexity of the network.


We also recommend leaving some room between VLANs to allow for possible future expansion, while maintaining a consistent range of VLANs for specific functions.

VLANs 10-17 are dedicated for wired voice and data. In our validated design, we use only four VLANs for wired data and voice, leaving plenty of room for future expansion.

VLANs 18-21 are dedicated for corporate wireless access. This design uses only VLAN 18.

VLANs 22-29 are dedicated for network infrastructure. This example allocates only three VLANs: Management, Servers, and Internet Edge.

The Management VLAN is used to manage all of the network devices such as switches and routers. In the validated network, this is also where the wireless APs reside. The Servers VLAN is where network servers and services are connected to the network (DHCP, file services, and so on). The Internet Edge VLAN is where the EX Series Ethernet Switch connects to the SRX Series Services Gateway and further out to the Internet. This is where the majority of security policies on the SRX Series are enforced.

VLANs 3032 are used for guest wired and wireless access.

The guest VLANs connect directly to the SRX Series Services Gateway. The core EX Series switch does not have any interfaces on these VLANs; it only acts as a Layer 2 switch for them.

The validated network uses private addressing, which enables flexible IP address allocation. In this design, all of the networks use a 24-bit subnet mask, but larger subnets can be used if desired to further simplify configuration by reducing the number of subnets required and allowing more hosts to participate in each subnet. You should also reserve some addresses on each subnet for networking devices. This is typically the first few or last few addresses in a subnet. In this design, we reserve the first 10 IP addresses of the subnet for network devices and the last IP address (.254) for the SRX Series interface if it resides on the subnet (see Table 4 on page 27).

Table 4: VLAN-to-Device Mapping

VLAN  Purpose/VLAN Name  Subnet
10    Data_Wired_1       10.10.10.0/24
12    Data_Wired_2       10.10.12.0/24
14    VOIP_Wired_1       10.10.14.0/24
16    VOIP_Wired_2       10.10.16.0/24
18    Data_Wireless_1    10.10.18.0/24
22    Internet_Edge      10.10.22.0/24
24    Servers            10.10.24.0/24
28    Management         10.10.28.0/24
30    Guest_Wired        10.10.30.0/24
32    Guest_Wireless     10.10.32.0/24

Figure 12: VLAN-to-Device Mapping

Table 5: Devices Mapped Across VLANs and Subnets

VLAN Name        ID  Subnet          EX4542-vc1  EX4200-vc1  EX4200-vc2  EX4200-vc3  WLC  AP  SRX
Data_Wired_1     10  10.10.10.0/24   X           X
Data_Wired_2     12  10.10.12.0/24   X                       X           X
VOIP_Wired_1     14  10.10.14.0/24   X           X
VOIP_Wired_2     16  10.10.16.0/24   X                       X           X
Data_Wireless_1  18  10.10.18.0/24   X                                               X
Internet_Edge    22  10.10.22.0/24   X                                                        X
Servers          24  10.10.24.0/24   X
Management       28  10.10.28.0/24   X           X           X           X           X    X   X
Guest_Wired      30  10.10.30.0/24   X           X           X           X                    X
Guest_Wireless   32  10.10.32.0/24   X                                               X        X

NOTE: EX4542-vc1 is .1 on all subnets except for the guest networks, on which it only acts as a Layer 2 switch and the SRX Series handles all routing functions. SRX Series Services Gateways use address .254 on all subnets to which they are connected.

Figure 12 on page 28 maps the VLANs that are configured on each device in the network. The core switch is configured to support all VLANs. Each of the access switches is configured with the Management and Guest VLANs. In addition, Data_Wired_1 and VOIP_Wired_1 are configured on the access switches supporting the first floor, and Data_Wired_2 and VOIP_Wired_2 are configured on the access switches supporting the second floor. The wireless access points are on the Management VLAN and communicate with the wireless LAN controllers on the same subnet. Wireless traffic from the APs is placed in its proper VLAN once it has been received by the WLC. The WLCs each have trunk ports configured for the following VLANs: Data_Wireless_1, Management, and Guest_Wireless. The SRX Series Services Gateways are clustered, and each has a trunk port configured for the following VLANs: Internet_Edge, Management, Guest_Wired, and Guest_Wireless.
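The following Python script is an added example, not code from the Juniper guide: it encodes the subnet and VLAN conventions described above (VLAN ID equal to the third octet of a 10.10.x.0/24 subnet, the per-function VLAN ID ranges, the first 10 addresses reserved for network devices, .1 on the core and .254 on the SRX where present, guest VLANs routed only by the SRX) and checks an address plan against them before it is turned into configuration. The role labels and function names are mine, the device membership per VLAN follows the mapping paragraph above, and the Junos set syntax emitted by core_rvi_commands() is assumed rather than taken from this guide.

```python
"""Address-plan checker for the VLAN and subnet convention in this guide.

Added example, not part of the Juniper guide. Role labels and function
names are constructed; the Junos 'set' syntax in core_rvi_commands() is
assumed, not quoted from the guide.
"""
import ipaddress
from dataclasses import dataclass, field

# VLAN ID ranges per function, as allocated in the guide (role names are mine)
ROLE_RANGES = {
    "wired": range(10, 18),     # VLANs 10-17: wired data and voice
    "wireless": range(18, 22),  # VLANs 18-21: corporate wireless
    "infra": range(22, 30),     # VLANs 22-29: network infrastructure
    "guest": range(30, 33),     # VLANs 30-32: guest wired and wireless
}
RESERVED_LOW = 10            # first 10 host addresses kept for network devices
CORE = "EX4542-vc1"          # core Virtual Chassis, .1 on every routed subnet


@dataclass(frozen=True)
class Vlan:
    name: str
    vid: int
    subnet: str
    role: str
    devices: frozenset = field(default_factory=frozenset)


# Plan from Tables 4 and 5; device membership follows the mapping paragraph.
ACCESS = {"EX4200-vc1", "EX4200-vc2", "EX4200-vc3"}
PLAN = [
    Vlan("Data_Wired_1", 10, "10.10.10.0/24", "wired", frozenset({CORE, "EX4200-vc1"})),
    Vlan("Data_Wired_2", 12, "10.10.12.0/24", "wired", frozenset({CORE, "EX4200-vc2", "EX4200-vc3"})),
    Vlan("VOIP_Wired_1", 14, "10.10.14.0/24", "wired", frozenset({CORE, "EX4200-vc1"})),
    Vlan("VOIP_Wired_2", 16, "10.10.16.0/24", "wired", frozenset({CORE, "EX4200-vc2", "EX4200-vc3"})),
    Vlan("Data_Wireless_1", 18, "10.10.18.0/24", "wireless", frozenset({CORE, "WLC"})),
    Vlan("Internet_Edge", 22, "10.10.22.0/24", "infra", frozenset({CORE, "SRX"})),
    Vlan("Servers", 24, "10.10.24.0/24", "infra", frozenset({CORE})),
    Vlan("Management", 28, "10.10.28.0/24", "infra", frozenset({CORE, "WLC", "AP", "SRX"} | ACCESS)),
    Vlan("Guest_Wired", 30, "10.10.30.0/24", "guest", frozenset({CORE, "SRX"} | ACCESS)),
    Vlan("Guest_Wireless", 32, "10.10.32.0/24", "guest", frozenset({CORE, "WLC", "SRX"})),
]


def expected_subnet(vid):
    """Subnet the convention dictates for a VLAN ID: 10.10.<vid>.0/24."""
    return ipaddress.ip_network(f"10.10.{vid}.0/24")


def validate_plan(plan):
    """Return human-readable violations; an empty list means the plan is consistent."""
    issues, seen_ids, seen_nets = [], set(), []
    for v in plan:
        net = ipaddress.ip_network(v.subnet)
        if v.vid in seen_ids:
            issues.append(f"{v.name}: duplicate VLAN ID {v.vid}")
        seen_ids.add(v.vid)
        if net != expected_subnet(v.vid):
            issues.append(f"{v.name}: VLAN {v.vid} does not match the third octet of {v.subnet}")
        if v.vid not in ROLE_RANGES.get(v.role, range(0)):
            issues.append(f"{v.name}: VLAN {v.vid} is outside the {v.role} range")
        if any(net.overlaps(other) for other in seen_nets):
            issues.append(f"{v.name}: subnet {v.subnet} overlaps another subnet")
        seen_nets.append(net)
        if v.role == "guest" and "SRX" not in v.devices:
            issues.append(f"{v.name}: guest VLAN must be routed by the SRX")
    return issues


def gateway(v):
    """Default gateway: SRX at .254 for guest VLANs, core Virtual Chassis at .1 otherwise."""
    net = ipaddress.ip_network(v.subnet)
    offset = 254 if v.role == "guest" else 1
    return str(net.network_address + offset)


def host_pool(v):
    """First and last address left for hosts after the reservations (e.g. a DHCP range)."""
    net = ipaddress.ip_network(v.subnet)
    first = net.network_address + RESERVED_LOW + 1
    last = net.broadcast_address - (2 if "SRX" in v.devices else 1)  # keep .254 for the SRX
    return str(first), str(last)


def core_rvi_commands(v):
    """Junos set commands for the core switch (syntax assumed); guest VLANs get no RVI."""
    cmds = [f"set vlans {v.name} vlan-id {v.vid}"]
    if v.role != "guest":
        cmds.append(f"set vlans {v.name} l3-interface vlan.{v.vid}")
        cmds.append(f"set interfaces vlan unit {v.vid} family inet address {gateway(v)}/24")
    return cmds


if __name__ == "__main__":
    for problem in validate_plan(PLAN) or ["plan is consistent"]:
        print(problem)
    for v in PLAN:
        print(v.name, gateway(v), host_pool(v))
```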


PART 2

Network Deployment

Wired LAN Deployment on page 33
Wireless Deployment on page 67
SRX Deployment on page 77


CHAPTER 3

Wired LAN Deployment


Each of the following network deployment sections provides a detailed step-by-step process for setting up each of the network components: wired LANs using Juniper Networks EX Series Switches, wireless LAN, and a firewall using Juniper Networks SRX Series Services Gateways. This is intended to act as a base configuration focused on getting the main components up, running, and functioning together. Although each section can stand independently of the others and could be configured in any order, they are presented here in a logical chronology where each section builds upon the previous one. When you deploy a network from scratch, we recommend that you follow the order outlined here. In our examples, we refer to the network as the validated network, and as you progress through the deployment sections, different checkpoints correspond to diagrams that indicate the components being configured. The "You are here" labels point to where you are in the configuration process. The contents of this section are intended to provide a basic guideline for configuring EX Series Switches that can be applied in any network. In the core switch and access switch examples later in this document we step through these processes for each switch in the validated network. This section includes the following topics:

Configuring the Core Switch on page 33
Configuring the Access Switch on page 45

Configuring the Core Switch


All configuration components (VLANs, IP Addresses, and so on) are from the validated network example and may need to be changed to conform to your network. The core switch is responsible for connecting all networking components together. In the validated network, it is responsible for routing all traffic on the intranet and is the default gateway for all user networks except the Guest VLANs, which route directly to the SRX Series to maintain clear separation between the guest and user network traffic. The WLCs, SRX Series and network servers and services are also connected directly to the core.

Copyright 2012, Juniper Networks, Inc.

33

Juniper Networks Horizontal Campus Validated Design Guide

Figure 13: Core Switch

1. Procedure Overview on page 34
2. Configuring Global Settings for the Core Switch on page 35
3. Configuring a Virtual Chassis for the Core Switch on page 36
4. Configuring Layer 2 Settings for the Core Switch on page 38
5. Configuring Power over Ethernet (optional) on page 44
6. Configuring Layer 3 Settings for the Core Switch on page 44

Procedure Overview
1. Unpack and perform the initial setup of the first switch.
2. Configure global configuration items.
3. Configure the Virtual Chassis.
   Identify the type of Virtual Chassis.
   Pre-provision the Virtual Chassis.
   Perform the Virtual Chassis type-specific configuration.
   Perform the Virtual Chassis standard configuration.
4. Configure Layer 2 settings.
5. Configure Layer 3 settings.


Chapter 3: Wired LAN Deployment

Configuring Global Settings for the Core Switch


To configure global settings on the core switch:
1. Unpack and boot up the core switch, and then configure global settings.
2. Connect to the Console port of the EX4200 switch (Setting: 9600, 8, 1, none).

Press Enter. The following prompt appears.

Amnesiac (ttyu0) login

a. Log in as root and press Enter. Because no password is configured, you are not prompted for one.

login: root
Logging to master
JUNOS 11.4R1.6 built 2011-11-15 11:14:01 UTC
root@:RE:0%

b. Type cli at the % prompt.

root@:RE:0% cli
{master:0}
root>

You should now be at the > prompt.


3. Configure the date and time in the format: YYYYMMDDhhmm.ss.

root> set date 201201220830.00

4. Enter configuration mode by typing configure or edit.

root> configure
Entering configuration mode
{master:0}[edit]
root#

You should now be at the # prompt and ready to start configuring the switch.

5. Configure the password.

root# set system root-authentication plain-text-password
New password:*******
Retype new password:*******
{master:0}[edit]
root#

6. Configure the time zone.

root# set system time-zone America/Los_Angeles

7. Configure the hostname.

root# set system host-name EX4542-vc1

8. Configure the management and vme interface (optional).

NOTE: This optional item is only recommended if you plan on having a separate out-of-band network just for managing devices. If you are unsure, you can always add this item later. For more information on the VME interface, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.

set interfaces vme unit 0 family inet address 10.94.188.101/24

9. Configure management access.

root@EX4542-vc1# set system services web-management https system-generated-certificate
set system services ssh
delete system services web-management http
delete system services telnet

10. Configure DNS.

root@EX4542-vc1# set system name-server 10.10.24.100
set system domain-name xyzcompany.com
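The management-access step above leaves only encrypted services (SSH, HTTPS with a certificate) and removes telnet and plain HTTP. The following script is an added example written for this guide, not Juniper code: it replays set-style and delete statements in order, the way the guide issues them, and reports any cleartext management service that survives. The "weak" starting statements are a constructed assumption (a switch on which telnet and plain HTTP were previously enabled); the statements that follow them are the guide's own step 9.

```python
"""Audit the management-access services of a Junos set-style configuration.

Added example for this guide; it is not Juniper code. It replays set/delete
statements and reports any cleartext management service (telnet, plain HTTP)
that survives, or an encrypted one (SSH, HTTPS with a certificate) that is
missing.
"""
from typing import Iterable, List, Set, Tuple

Path = Tuple[str, ...]


def apply_statements(statements: Iterable[str]) -> Set[Path]:
    """Replay 'set'/'delete' statements in order and return surviving paths.

    'delete a b' removes 'a b' and every path beneath it, which is what the
    guide relies on when it deletes 'system services telnet' as a whole.
    """
    paths: Set[Path] = set()
    for raw in statements:
        line = raw.strip()
        if not line:
            continue
        verb, *tokens = line.split()
        path: Path = tuple(tokens)
        if verb == "set":
            paths.add(path)
        elif verb == "delete":
            paths = {p for p in paths if p[: len(path)] != path}
        else:
            raise ValueError(f"unsupported statement: {line}")
    return paths


def has_path(paths: Set[Path], prefix: str) -> bool:
    """True if any configured path starts with the space-separated prefix."""
    want = tuple(prefix.split())
    return any(p[: len(want)] == want for p in paths)


def audit_management_access(statements: Iterable[str]) -> List[str]:
    """Return findings; an empty list means the services match the guide's step 9."""
    paths = apply_statements(statements)
    findings: List[str] = []
    if has_path(paths, "system services telnet"):
        findings.append("telnet enabled: logins cross the network in cleartext")
    if has_path(paths, "system services web-management http"):
        findings.append("plain HTTP web management enabled")
    if not has_path(paths, "system services ssh"):
        findings.append("ssh disabled: no encrypted CLI access")
    if has_path(paths, "system services web-management https"):
        # The guide uses a system-generated certificate; any certificate
        # statement under the https hierarchy satisfies this check.
        https = [p for p in paths if p[:4] == ("system", "services", "web-management", "https")]
        if not any("certificate" in tok for p in https for tok in p[4:]):
            findings.append("https enabled without a certificate statement")
    return findings


# Constructed starting point (assumption, not from the guide): telnet and
# plain HTTP were enabled before the guide's management-access step ran.
WEAK_STATEMENTS = [
    "set system services telnet",
    "set system services web-management http",
]

# The guide's own step 9 statements, applied on top of the weak starting point.
GUIDE_STATEMENTS = WEAK_STATEMENTS + [
    "set system services web-management https system-generated-certificate",
    "set system services ssh",
    "delete system services web-management http",
    "delete system services telnet",
]

if __name__ == "__main__":
    for label, cfg in (("before step 9", WEAK_STATEMENTS), ("after step 9", GUIDE_STATEMENTS)):
        print(label, audit_management_access(cfg) or "no findings")
```

The same replay helper can be pointed at the output of `show configuration | display set` on a running switch to confirm that a later change did not quietly re-enable telnet or HTTP.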

Configuring a Virtual Chassis for the Core Switch


To configure a Virtual Chassis for the core switch:
1. Identify the Virtual Chassis type. In the case of the validated network, the core switch is a mixed mode Virtual Chassis (both EX4500 and EX4200 switches in the same Virtual Chassis). For more information about Virtual Chassis, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.

2. Configure a pre-provisioned Virtual Chassis.

The recommended setup process for a Virtual Chassis is called pre-provisioning, which is the process we will use here. To pre-provision a Virtual Chassis, you need to identify the serial number of each device that will be part of the Virtual Chassis, the device function, and the order in which you want each switch to be placed. Here we have configured the EX4500 switches to be in slot 0 and slot 1 and to act as the Routing Engines. The EX4200 switches are in slot 2 and slot 3 and are configured as line cards. Later, when all the switches are connected and powered up, they will automatically be assigned the proper function and slot. Make sure you pay attention to the serial numbers and ordering of each switch when you connect them together later. EX Series Switches automatically form a Virtual Chassis by default, but the ordering is nondeterministic, so the switches may not be numbered sequentially, which makes things confusing. For more information about Virtual Chassis, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.
root@EX4542-vc1# set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number GX0211411253
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number GX0211411250
set virtual-chassis member 2 role line-card
set virtual-chassis member 2 serial-number FP0211333181
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333260

Now commit the configuration.

root@EX4542-vc1# commit
configuration check succeeds
commit complete
3. Configure specific Virtual Chassis commands.

NOTE: Because this is a mixed mode chassis, we need to configure it to accept a mix of EX4500 and EX4200 devices in the same Virtual Chassis. Exit configuration mode by typing exit at the # prompt. The next command is an operational command.

root@EX4542-vc1> request virtual-chassis mode mixed


a. Verify that the mode is correct by typing show virtual-chassis.

root@EX4542-vc1> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: 8c7a.9353.df56
Virtual Chassis Mode: Mixed
                                                Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model          prio  Role     Mode  ID  Interface
0 (FPC 0)  Prsnt    GX0211411253 ex4500-40f     129   Master*  Y

Using the VCP ports at the back of the units, cable the remaining members together in a daisy-chained configuration. When all of the units are cabled properly, power them up. Remember to pay attention to the serial number of each switch when connecting them together to ensure they are in the right position.

b. After the switches finish booting up, verify that all of the members of the Virtual Chassis are active by running the show virtual-chassis command.

Preprovisioned Virtual Chassis
Virtual Chassis ID: 8c7a.9353.df56
Virtual Chassis Mode: Mixed
                                                Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model          prio  Role     Mode  ID  Interface
0 (FPC 0)  Prsnt    GX0211411253 ex4500-40f     129   Master*  Y     3   vcp-1
                                                                     1   vcp-0
1 (FPC 1)  Prsnt    GX0211411250 ex4500-40f     129   Backup   Y     0   vcp-1
                                                                     2   vcp-0
2 (FPC 2)  Prsnt    FP0211333181 ex4200-48px    0     Linecard Y     1   vcp-0
                                                                     3   vcp-1
3 (FPC 3)  Prsnt    FP0211333260 ex4200-48px    0     Linecard Y     2   vcp-0
                                                                     0   vcp-1

Enter configuration mode again.


4. Configure global Virtual Chassis commands.

root@EX4542-vc1# set system commit synchronize
set ethernet-switching-options nonstop-bridging
set chassis redundancy graceful-switchover
5. Configure default settings.

The following items should be enabled by default in the configuration. You may wish to review them and verify that these settings are desired for your specific network.

root@EX4542-vc1# set protocols igmp-snooping vlan all
set protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set poe interface all
set ethernet-switching-options storm-control interface all

Configuring Layer 2 Settings for the Core Switch


To configure Layer 2 parameters and settings on the core switch:
1. Set the bridge priority on the core switch.

NOTE: We enable Spanning Tree Protocol to prevent loops from forming in the network, even though we do not use it as a topology protocol. As an extra precaution, we set the bridge priority on the core switch to 8192, so that it remains the root bridge in the event another bridging device is connected to the network for some reason. Juniper Networks EX Series Switches run RSTP by default.

root@EX4542-vc1# set protocols rstp bridge-priority 8k


2. Configure VLANs and IP interfaces.

NOTE: We configure all of the inter-VLAN routing on the core switch, except for our guest VLANs. This makes it easier to simultaneously configure the VLANs and IP interfaces for those VLANs. When creating VLAN names, it is important to note that these names are case sensitive. The first command creates the VLAN Data_Wired_1 with a VLAN ID of 10 and then assigns a Layer 3 interface called vlan.10 to that VLAN. The second line creates the vlan.10 interface and assigns an IP address.

root@EX4542-vc1# set vlans Data_Wired_1 vlan-id 10 l3-interface vlan.10
set interfaces vlan unit 10 family inet address 10.10.10.1/24

You may notice that the VLAN ID and the interface VLAN unit number match (both are number 10). This is not mandatory, but it is a recommended practice, because it keeps things easier to understand later, when you have many VLANs and interfaces to track.


We also used a compound command for the first line: we created the VLAN, assigned the VLAN ID, and assigned a Layer 3 interface all at the same time. This can save you some time, but it does not have to be done in a single statement. When you look at the configuration, you will notice that it is shown as two separate statements.

NOTE: When you issue a large number of commands at once, we recommend that you issue a commit command to verify that the commands take effect with no configuration errors. Alternatively, you can do a commit check instead, which verifies the configuration without making it active.

The complete set of VLAN and Layer 3 interface statements for the core switch in the validated network example follows. We have also added the guest VLANs here, but we have not assigned any Layer 3 interfaces to these VLANs, because routing for the VLANs will be done using the SRX Series firewall.

VLAN Configurations
root@EX4542-vc1# set vlans Data_Wired_1 vlan-id 10
set vlans Data_Wired_1 l3-interface vlan.10
set vlans Data_Wired_2 vlan-id 12
set vlans Data_Wired_2 l3-interface vlan.12
set vlans Data_Wireless_1 vlan-id 18
set vlans Data_Wireless_1 l3-interface vlan.18
set vlans Guest_Wired vlan-id 30
set vlans Guest_Wireless vlan-id 32
set vlans Internet_Edge vlan-id 22
set vlans Internet_Edge l3-interface vlan.22
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Servers vlan-id 24
set vlans Servers l3-interface vlan.24
set vlans VOIP_Wired_1 vlan-id 14
set vlans VOIP_Wired_1 l3-interface vlan.14
set vlans VOIP_Wired_2 vlan-id 16
set vlans VOIP_Wired_2 l3-interface vlan.16

Interface Configurations
root@EX4542-vc1# set interfaces vlan unit 10 family inet address 10.10.10.1/24
set interfaces vlan unit 12 family inet address 10.10.12.1/24
set interfaces vlan unit 14 family inet address 10.10.14.1/24
set interfaces vlan unit 16 family inet address 10.10.16.1/24
set interfaces vlan unit 18 family inet address 10.10.18.1/24
set interfaces vlan unit 20 family inet address 10.10.20.1/24
set interfaces vlan unit 22 family inet address 10.10.22.1/24
set interfaces vlan unit 24 family inet address 10.10.24.1/24
set interfaces vlan unit 28 family inet address 10.10.28.1/24
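Two conventions in the statements above are easy to break once there are many VLANs: the vlan.N unit number should equal the vlan-id, and the guest VLANs must have no Layer 3 interface on the core, because the SRX Series routes them to keep guest traffic separated. The following script is an added example written for this guide, not Juniper code; it parses set-style `vlans` and `interfaces vlan unit` statements and reports violations of those conventions. The sample statements are a constructed subset of the guide's configuration, and the defects in the second sample are constructed to show what the check catches.

```python
"""Consistency check for the core switch VLAN and Layer 3 interface statements.

Added example written for this guide; it is not Juniper code. It parses the
set-style 'vlans' and 'interfaces vlan unit' statements and verifies the
conventions the guide describes: every routed VLAN names a vlan.N unit equal
to its vlan-id, that unit carries a usable inet address, VLANs whose name
starts with the guest prefix stay Layer 2 only on the core (the SRX routes
them), and no vlan.N address is left without a VLAN that uses it.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def parse_vlan_statements(statements: Iterable[str]) -> Tuple[Dict[str, dict], Dict[int, str]]:
    """Return ({vlan name: {'vlan_id', 'l3'}}, {unit number: address}).

    Accepts both the compound form 'set vlans X vlan-id 10 l3-interface vlan.10'
    and the two-statement form that the committed configuration displays.
    """
    vlans: Dict[str, dict] = {}
    units: Dict[int, str] = {}
    for line in statements:
        t = line.split()
        if t[:2] == ["set", "vlans"]:
            entry = vlans.setdefault(t[2], {})
            for key, value in zip(t[3::2], t[4::2]):
                if key == "vlan-id":
                    entry["vlan_id"] = int(value)
                elif key == "l3-interface":
                    entry["l3"] = value
        elif t[:4] == ["set", "interfaces", "vlan", "unit"] and t[5:8] == ["family", "inet", "address"]:
            units[int(t[4])] = t[8]
    return vlans, units


def check_vlan_layout(statements: Iterable[str], guest_prefix: str = "Guest_") -> List[str]:
    """Return a list of problems; an empty list means the layout is consistent."""
    vlans, units = parse_vlan_statements(statements)
    problems: List[str] = []
    used_units = set()
    for name, entry in vlans.items():
        l3 = entry.get("l3")
        unit = int(l3.rsplit(".", 1)[1]) if l3 else None
        if unit is not None:
            used_units.add(unit)
        if name.startswith(guest_prefix):
            if l3:
                problems.append(f"{name}: guest VLAN has {l3}, so the core would route guest traffic")
            continue
        if l3 is None:
            problems.append(f"{name}: no l3-interface, so the core cannot route it")
            continue
        if unit != entry.get("vlan_id"):
            problems.append(f"{name}: vlan-id {entry.get('vlan_id')} but l3-interface {l3}")
        if unit not in units:
            problems.append(f"{name}: {l3} has no inet address")
        else:
            iface = ipaddress.ip_interface(units[unit])
            if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
                problems.append(f"{name}: {units[unit]} is not a usable host address")
    for unit in sorted(units):
        if unit not in used_units:
            problems.append(f"vlan.{unit}: address {units[unit]} configured but no VLAN uses it")
    return problems


# Constructed subset of the guide's core switch statements.
CORE_STATEMENTS = [
    "set vlans Data_Wired_1 vlan-id 10 l3-interface vlan.10",
    "set vlans Servers vlan-id 24",
    "set vlans Servers l3-interface vlan.24",
    "set vlans Guest_Wired vlan-id 30",
    "set interfaces vlan unit 10 family inet address 10.10.10.1/24",
    "set interfaces vlan unit 24 family inet address 10.10.24.1/24",
]

# Constructed defects (not in the guide) to exercise each check.
BROKEN_STATEMENTS = CORE_STATEMENTS + [
    "set vlans Guest_Wireless vlan-id 32 l3-interface vlan.32",  # guest VLAN routed on the core
    "set interfaces vlan unit 32 family inet address 10.10.32.1/24",
    "set vlans VOIP_Wired_1 vlan-id 14 l3-interface vlan.16",  # unit does not match vlan-id
    "set interfaces vlan unit 16 family inet address 10.10.16.1/24",
    "set interfaces vlan unit 26 family inet address 10.10.26.1/24",  # no VLAN uses vlan.26
]

if __name__ == "__main__":
    print("guide subset:", check_vlan_layout(CORE_STATEMENTS) or "consistent")
    for problem in check_vlan_layout(BROKEN_STATEMENTS):
        print("broken sample:", problem)
```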
3. Configure LAG (aggregated Ethernet) ports.


In the validated network configuration, the only LAG ports configured will be used to connect to access switches. This means that we need to configure three of these on the core switch. Junos OS requires that you configure the number of LAG interfaces you want to use before you begin configuring the interfaces. We suggest picking a number slightly larger than you might need, in case you need to add more LAG interfaces later. You can change this value in the future. We need three aggregated Ethernet ports for the validated network example, so we will configure the core chassis with four, in case we add another access switch.
root@EX4542-vc1# set chassis aggregated-devices ethernet device-count 4

To provide the highest level of resilience, you need to configure the LAG to span multiple EX Series Switches. In the validated network example, we use xe-0/0/0 through xe-0/0/2 and xe-1/0/0 through xe-1/0/2 for the LAG connections to the access switches. We need to assign the LAG ports in matching pairs (For example, xe-0/0/0 and xe-1/0/0) between the EX4500 switches so that they will be part of the same LAG interface. This provides link-level and hardware-level redundancy and provides consistency, making things easier to remember.
a. First, we need to remove any port-specific configuration on the physical ports that we want to aggregate. Interfaces have unit 0 defined by default, but this is not allowed on an interface that is part of an aggregated interface, because it would conflict with unit 0 on the logical aggregated interface.

root@EX4542-vc1# delete interfaces xe-0/0/0 unit 0
delete interfaces xe-1/0/0 unit 0
delete interfaces xe-0/0/1 unit 0
delete interfaces xe-1/0/1 unit 0
delete interfaces xe-0/0/2 unit 0
delete interfaces xe-1/0/2 unit 0
b. Then we configure the interfaces to be part of the respective aggregated interfaces.

root@EX4542-vc1# set interfaces xe-0/0/0 ether-options 802.3ad ae0
set interfaces xe-1/0/0 ether-options 802.3ad ae0
set interfaces xe-0/0/1 ether-options 802.3ad ae1
set interfaces xe-1/0/1 ether-options 802.3ad ae1
set interfaces xe-0/0/2 ether-options 802.3ad ae2
set interfaces xe-1/0/2 ether-options 802.3ad ae2
c. Next we want to add LACP to each LAG interface to provide some health checking.

NOTE: You need to configure LACP on the interfaces at both ends for the LAG port to become active.

root@EX4542-vc1# set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic slow
set interfaces ae2 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp periodic slow


4. Disable RSTP on LAG connections to access switches.

Because we are not using STP, we can disable it on the LAG ports going to our access switches. This also reduces potential convergence times in case a LAG member fails, because fewer protocols need to converge.

NOTE: All access switches have RSTP enabled locally to prevent looping.
root@EX4542-vc1# set protocols rstp interface ae0.0 disable
set protocols rstp interface ae1.0 disable
set protocols rstp interface ae2.0 disable
5. Configure trunk and VLAN settings.

We need to configure the LAG ports as trunks and add the VLANs that will be supported on the individual access switches.
root@EX4542-vc1# set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae2 unit 0 family ethernet-switching port-mode trunk

Now commit the configuration.
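Steps 3 through 5 have several rules that a commit does not enforce for you: the device-count must cover every ae interface, each LAG's member links should sit on different Virtual Chassis members (the FPC number in xe-F/P/N) so that one switch failing does not take the LAG down, a leftover unit 0 on a member link conflicts with ae unit 0, and LACP must be active on each LAG for health checking. The following script is an added example written for this guide, not Juniper code; it replays set/delete statements and reports violations. The "good" sample is the guide's statements preceded by constructed default unit 0 statements (an assumption standing in for the factory default the guide says exists); the "bad" sample is constructed to show each failure.

```python
"""Check the LAG (aggregated Ethernet) statements from steps 3 through 5.

Added example for this guide, not Juniper code. It replays set/delete
statements and verifies: the aggregated-devices count covers every ae
interface used, each LAG's member links sit on at least two Virtual Chassis
members (the FPC number in xe-F/P/N), no member link still has a unit 0 that
conflicts with the ae unit 0, LACP is active on every LAG, and every LAG has
a trunk unit 0.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

PHYSICAL_RE = re.compile(r"^(?:xe|ge)-(\d+)/\d+/\d+$")  # group 1 is the FPC (member) number


def check_lag_config(statements: Iterable[str]) -> List[str]:
    """Return a list of problems; an empty list means the LAG layout is sound."""
    device_count = 0
    members: Dict[str, List[str]] = defaultdict(list)  # ae name -> member links
    lacp_active: Set[str] = set()
    trunk_units: Set[str] = set()
    unit0: Set[str] = set()  # physical links that still carry a unit 0
    for line in statements:
        t = line.split()
        if len(t) < 5:
            continue
        if t[:5] == ["set", "chassis", "aggregated-devices", "ethernet", "device-count"]:
            device_count = int(t[5])
        elif t[:2] == ["set", "interfaces"] and t[3:5] == ["ether-options", "802.3ad"]:
            members[t[5]].append(t[2])
        elif t[:2] == ["set", "interfaces"] and t[3:6] == ["aggregated-ether-options", "lacp", "active"]:
            lacp_active.add(t[2])
        elif t[0] in ("set", "delete") and t[1] == "interfaces" and PHYSICAL_RE.match(t[2]) and t[3:5] == ["unit", "0"]:
            # 'set ... unit 0 ...' adds the unit; 'delete ... unit 0' removes it
            (unit0.add if t[0] == "set" else unit0.discard)(t[2])
        elif t[:2] == ["set", "interfaces"] and t[2].startswith("ae") and t[3:5] == ["unit", "0"] and "trunk" in t:
            trunk_units.add(t[2])

    problems: List[str] = []
    if len(members) > device_count:
        problems.append(f"device-count {device_count} covers fewer than the {len(members)} ae interfaces used")
    for ae, links in sorted(members.items()):
        fpcs = {PHYSICAL_RE.match(link).group(1) for link in links}
        if len(fpcs) < 2:
            problems.append(f"{ae}: all member links are on FPC {fpcs.pop()}; one switch failure takes the LAG down")
        if ae not in lacp_active:
            problems.append(f"{ae}: LACP is not active, so there is no health checking on the LAG")
        if ae not in trunk_units:
            problems.append(f"{ae}: no trunk unit 0, so the LAG carries no VLANs")
        for link in links:
            if link in unit0:
                problems.append(f"{link}: unit 0 still configured; it conflicts with {ae} unit 0")
    return problems


# Constructed assumption: the factory default unit 0 on the six member links.
DEFAULT_UNITS = [f"set interfaces xe-{fpc}/0/{port} unit 0 family ethernet-switching"
                 for fpc in (0, 1) for port in range(3)]

# The guide's own statements from steps 3 through 5.
GUIDE_LAG = ["set chassis aggregated-devices ethernet device-count 4"]
GUIDE_LAG += [f"delete interfaces xe-{fpc}/0/{port} unit 0" for port in range(3) for fpc in (0, 1)]
GUIDE_LAG += [f"set interfaces xe-{fpc}/0/{port} ether-options 802.3ad ae{port}" for port in range(3) for fpc in (0, 1)]
for _ae in ("ae0", "ae1", "ae2"):
    GUIDE_LAG.append(f"set interfaces {_ae} aggregated-ether-options lacp active")
    GUIDE_LAG.append(f"set interfaces {_ae} aggregated-ether-options lacp periodic slow")
    GUIDE_LAG.append(f"set interfaces {_ae} unit 0 family ethernet-switching port-mode trunk")
GOOD_STATEMENTS = DEFAULT_UNITS + GUIDE_LAG

# Constructed bad sample: too small a device-count, ae1 on a single FPC,
# one unit 0 left in place, and no LACP on ae1.
BAD_STATEMENTS = DEFAULT_UNITS[:3] + ["set interfaces xe-1/0/0 unit 0 family ethernet-switching"] + [
    "set chassis aggregated-devices ethernet device-count 1",
    "delete interfaces xe-0/0/0 unit 0",
    "delete interfaces xe-1/0/0 unit 0",
    "delete interfaces xe-0/0/1 unit 0",
    "set interfaces xe-0/0/0 ether-options 802.3ad ae0",
    "set interfaces xe-1/0/0 ether-options 802.3ad ae0",
    "set interfaces xe-0/0/1 ether-options 802.3ad ae1",
    "set interfaces xe-0/0/2 ether-options 802.3ad ae1",
    "set interfaces ae0 aggregated-ether-options lacp active",
    "set interfaces ae0 unit 0 family ethernet-switching port-mode trunk",
    "set interfaces ae1 unit 0 family ethernet-switching port-mode trunk",
]

if __name__ == "__main__":
    print("guide:", check_lag_config(GOOD_STATEMENTS) or "sound")
    for problem in check_lag_config(BAD_STATEMENTS):
        print("bad sample:", problem)
```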


6. Configure VLANs on the trunk ports.

You can configure port-to-VLAN mapping in two different ways:


You can configure the VLANs directly as part of the port configuration.
You can configure the ports included in the VLAN under the VLAN configuration.
Each of these has different advantages and disadvantages.

Generally, it makes sense to configure access ports (client-facing) under the VLAN configuration and to configure VLANs directly on the port for trunk ports. Do not configure the VLAN mapping in both places, because that can result in errors during the configuration commit operation. As discussed previously, we configure the VLANs that a trunk port carries directly in the interface configuration section. This makes it easier to tell which VLANs a specific trunk is part of when viewing the configuration. When you add VLANs directly to a trunk port, you can add them by VLAN ID or by VLAN name. In this example, we add them by VLAN name, because this makes the overall configuration more readable. When adding several VLANs to a trunk, you can either specify them one at a time or specify several VLANs at once by enclosing them in [] brackets and separating them with spaces.
a. Configure the VLANs for ae0, which connects to EX4200-vc1. In the validated network, EX4200-vc1 has four EX4200s that cover the first floor using the extended Virtual Chassis feature. This floor uses Data_Wired_1 and VOIP_Wired_1 for data and voice, and is part of the Management VLAN for access points and switch management. If guests require wired access, the Guest_Wired VLAN is also configured on this trunk.

root@EX4542-vc1# set interfaces ae0 unit 0 family ethernet-switching vlan members [Data_Wired_1 VOIP_Wired_1 Management Guest_Wired]
b. Configure the VLANs for ae1 and ae2, which connect to EX4200-vc2 and EX4200-vc3. These two switches handle the second floor and use the Data_Wired_2 and VOIP_Wired_2 VLANs for data and voice, and are part of the Management VLAN for access points and switch management. If guests require wired access, the Guest_Wired VLAN is also configured on these trunks.

root@EX4542-vc1# set interfaces ae1 unit 0 family ethernet-switching vlan members [Data_Wired_2 VOIP_Wired_2 Management Guest_Wired]
set interfaces ae2 unit 0 family ethernet-switching vlan members [Data_Wired_2 VOIP_Wired_2 Management Guest_Wired]
7. Configure dual-homed or other network device connections.

Other network devices that are dual-homed to the core without LAG connections are typically connected on trunk ports. In the validated network, the SRX Series and the wireless LAN controllers both use clustering technologies to provide high availability and, in this case, are not configured with LAG connections to the core. Each of these devices requires two identical port configurations on separate EX Series Switches to provide link-level and box-level redundancy.
8. Configure wireless LAN controllers.

Connect wireless LAN controllers (WLCs) to ports ge-2/0/1 and ge-3/0/1 and add them to the following VLANs: Data_Wireless_1, Management, and Guest_Wireless.

root@EX4542-vc1# set interfaces ge-2/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members [Data_Wireless_1 Management Guest_Wireless]
set interfaces ge-3/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members [Data_Wireless_1 Management Guest_Wireless]
9. Configure SRX firewalls.

Connect the SRX firewalls to ports ge-2/0/47 and ge-3/0/47 and make them part of the following VLANs: Internet_Edge, Management, Guest_Wired and Guest_Wireless.
root@EX4542-vc1# set interfaces ge-2/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members [Internet_Edge Management Guest_Wired Guest_Wireless]
set interfaces ge-3/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members [Internet_Edge Management Guest_Wired Guest_Wireless]

Commit the configuration.


10. Configure the server port.

Server ports are typically configured as access ports that have a single VLAN. In the validated network example, we have a VLAN called Servers where servers would typically reside. To configure a server port that is part of a single VLAN, it must first be configured as an access port.
a. Set port ge-2/0/5 into access mode:

root@EX4542-vc1# set interfaces ge-2/0/5 unit 0 family ethernet-switching port-mode access


b. Assign the port to a VLAN. As a general rule, we assign access ports under the VLAN configuration instead of the port configuration, but either can be used. In this case we need to assign the server port to the VLAN Servers.

root@EX4542-vc1# set vlans Servers interface ge-2/0/5.0

In some cases, it may make more sense to assign the VLAN directly in the port configuration because servers are different from a standard network host.
11. Enable BPDU-Block for server interfaces.

Because we do not expect any bridges to be connected to the network, the bpdu-block command protects the network should anyone connect a bridge to the core switch: it shuts down any port on which BPDUs are received. This maintains network stability if someone connects an unauthorized bridge to the network.
root@EX4542-vc1# set ethernet-switching-options bpdu-block interface ge-2/0/5

If interfaces become blocked, you need to clear them manually. The following commands can be used to clear a blocked port condition:

root@EX4542-vc1> clear ethernet-switching bpdu-error
root@EX4542-vc1> clear ethernet-switching port-error

To view the current state of interfaces, run the following command:

root@EX4542-vc1> show ethernet-switching interfaces
12. Configure server port in trunk mode (optional).

Many servers reside on more than one VLAN and require a trunk port. In this case, configure the port for trunking and assign the VLANs it should belong to directly in the port configuration like we did for the LAG ports. Below is an example of an interface configured as a trunk that belongs to the VLANs Servers and Management.
root@EX4542-vc1# set interfaces <interface> unit 0 family ethernet-switching port-mode trunk
set interfaces <interface> unit 0 family ethernet-switching vlan members [Servers Management]
13. Configure secure access port features.

Most ports on the core switch do not need any secure access port features enabled, because these may be more work than they are worth: statically assigned IP addresses are typically used for servers and other networking devices, and each of these would require a manually entered exception in order to work if these features were enabled. There are some VLANs on the core switch, however, on which we recommend enabling these features: Data_Wireless_1, Guest_Wireless and Guest_Wired are all client-facing VLANs that are configured on the core.

root@EX4542-vc1# set ethernet-switching-options secure-access-port vlan Data_Wireless_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wireless arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wireless examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wireless ip-source-guard
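The step above draws a line between client-facing VLANs, which get all three features, and VLANs that hold statically addressed servers and network devices, which get none because every static host would need a manually entered exception. The following script is an added example written for this guide, not Juniper code; it lints secure-access-port statements against that division of VLAN roles. It also flags a VLAN that has arp-inspection or ip-source-guard without examine-dhcp, on the assumption, matching the guide's practice, that the three are always enabled together because the first two check hosts against the DHCP snooping database that examine-dhcp builds. The VLAN role lists are taken from the guide's core switch VLANs; the defective sample is constructed.

```python
"""Lint secure-access-port statements against the VLAN roles the guide describes.

Added example for this guide, not Juniper code. Client-facing VLANs (hosts
addressed by DHCP) are expected to carry examine-dhcp, arp-inspection and
ip-source-guard. VLANs holding statically addressed servers and network
devices are expected to carry none of them, because a static host has no
DHCP snooping binding unless one is added by hand.
"""
from typing import Dict, Iterable, List, Set

FEATURES = ("examine-dhcp", "arp-inspection", "ip-source-guard")
PREFIX = ["set", "ethernet-switching-options", "secure-access-port", "vlan"]


def parse_secure_access(statements: Iterable[str]) -> Dict[str, Set[str]]:
    """Return {vlan name: set of secure-access-port features enabled on it}."""
    enabled: Dict[str, Set[str]] = {}
    for line in statements:
        t = line.split()
        if t[:4] == PREFIX and len(t) >= 6:
            enabled.setdefault(t[4], set()).add(t[5])
    return enabled


def lint_secure_access(statements: Iterable[str], client_vlans: List[str], static_vlans: List[str]) -> List[str]:
    """Return findings; an empty list means the statements match the VLAN roles."""
    enabled = parse_secure_access(statements)
    findings: List[str] = []
    for vlan in client_vlans:
        missing = [f for f in FEATURES if f not in enabled.get(vlan, set())]
        if missing:
            findings.append(f"{vlan}: client-facing VLAN is missing {', '.join(missing)}")
    for vlan in static_vlans:
        present = sorted(enabled.get(vlan, set()) & set(FEATURES))
        if present:
            findings.append(f"{vlan}: {', '.join(present)} enabled on a statically addressed VLAN; "
                            "traffic from hosts without a binding is dropped")
    for vlan, present in enabled.items():
        if vlan in client_vlans or vlan in static_vlans:
            continue
        # Assumption (the guide's practice): arp-inspection and ip-source-guard
        # are always paired with examine-dhcp, which builds the snooping bindings.
        if "examine-dhcp" not in present and present & {"arp-inspection", "ip-source-guard"}:
            findings.append(f"{vlan}: arp-inspection/ip-source-guard without examine-dhcp")
    return findings


# VLAN roles from the guide's core switch configuration.
CLIENT_VLANS = ["Data_Wireless_1", "Guest_Wired", "Guest_Wireless"]
STATIC_VLANS = ["Servers", "Management", "Internet_Edge"]

# The guide's own step 13 statements.
GUIDE_STATEMENTS = [
    f"set ethernet-switching-options secure-access-port vlan {vlan} {feature}"
    for vlan in CLIENT_VLANS for feature in ("arp-inspection", "examine-dhcp", "ip-source-guard")
]

# Constructed defects (not in the guide): Guest_Wired loses examine-dhcp,
# Servers gains ip-source-guard, and an unclassified VLAN gets only arp-inspection.
BROKEN_STATEMENTS = [s for s in GUIDE_STATEMENTS if not s.endswith("Guest_Wired examine-dhcp")] + [
    "set ethernet-switching-options secure-access-port vlan Servers ip-source-guard",
    "set ethernet-switching-options secure-access-port vlan Data_Wired_1 arp-inspection",
]

if __name__ == "__main__":
    print("guide:", lint_secure_access(GUIDE_STATEMENTS, CLIENT_VLANS, STATIC_VLANS) or "no findings")
    for finding in lint_secure_access(BROKEN_STATEMENTS, CLIENT_VLANS, STATIC_VLANS):
        print("broken sample:", finding)
```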

Configuring Power over Ethernet (optional)


If you have PoE-capable EX4200 switches, you can enable PoE on the system. By default this is disabled, because the default configuration is derived from the EX4500 switch, which does not have PoE support. To enable PoE on the core switch you can just type set poe interface all.
root@EX4542-vc1# set poe interface all

Configuring Layer 3 Settings for the Core Switch


To configure Layer 3 parameters on the core switch:
1. Configure DHCP.

The validated network example uses DHCP forwarding and a central DHCP server for all IP address allocation except the Guest_Wireless and Guest_Wired VLANs, which are allocated IP addresses directly from the SRX Series Gateways to keep them isolated from the rest of the network. DHCP services can be set up directly on the EX Series Switches if desired (see Appendix C). DHCP forwarding is essentially a broadcast forwarding system for DHCP requests that allows users to consolidate their DHCP services in a centralized location instead of having a DHCP server for every subnet. The following configuration enables DHCP forwarding on the VLAN interfaces listed, and forwards DHCP requests to the DHCP server 10.10.24.100.

root@EX4542-vc1# set forwarding-options helpers bootp description DHCP-SERVER
set forwarding-options helpers bootp server 10.10.24.100
set forwarding-options helpers bootp interface vlan.24
set forwarding-options helpers bootp interface vlan.10
set forwarding-options helpers bootp interface vlan.12
set forwarding-options helpers bootp interface vlan.14
set forwarding-options helpers bootp interface vlan.16
set forwarding-options helpers bootp interface vlan.18
set forwarding-options helpers bootp interface vlan.20
set forwarding-options helpers bootp interface vlan.26
set forwarding-options helpers bootp interface vlan.28

2. Configure the default gateway and static routes.

root@EX4542-vc1# set routing-options static route 0.0.0.0/0 next-hop 10.10.22.254


3. Configure OSPF.

We need to configure a single OSPF area that will be the backbone area 0.0.0.0 and add the interfaces/subnets we wish to advertise to the SRX Series Gateway.

NOTE: The subnet is all that is required to add the interface to the area. Mask information will be automatically imported into OSPF and redistributed.

root@EX4542-vc1# set protocols ospf area 0.0.0.0 interface vlan.22
set protocols ospf area 0.0.0.0 interface vlan.10
set protocols ospf area 0.0.0.0 interface vlan.12
set protocols ospf area 0.0.0.0 interface vlan.14
set protocols ospf area 0.0.0.0 interface vlan.16
set protocols ospf area 0.0.0.0 interface vlan.18
set protocols ospf area 0.0.0.0 interface vlan.20
set protocols ospf area 0.0.0.0 interface vlan.24
4. Configure non-stop routing.

Configure non-stop routing to keep the Routing Engines in sync with routing protocol state.
root@EX4542-vc1# set routing-options nonstop-routing

Commit the configuration.

Configuring the Access Switch


Configuring the Access Switch in Extended Mode on page 46
Configuring the Access Switch in Dedicated Mode on page 59


Configuring the Access Switch in Extended Mode

Figure 14: Extended Mode Access Switch

Configuring access switches is simpler than configuring the core switch. We only configure Layer 2 services on the access switches, and an IP address on the Management VLAN in order to provide remote access. This section covers the configuration for EX4200-vc1, which is an extended mode Virtual Chassis in the validated network. This section includes the following topics:

Procedure Overview on page 46
Configuring Global Settings on page 47
Configuring the Virtual Chassis on page 48
Configuring Layer 2 settings on page 53

Procedure Overview
1. Unpack and perform the initial setup of the first switch.
2. Configure global configuration items.
3. Configure the Virtual Chassis.
   Identify the type of Virtual Chassis.
   Pre-provision the Virtual Chassis.
   Perform the Virtual Chassis type-specific configuration.
   Perform the Virtual Chassis standard configuration.
4. Configure Layer 2 settings.
5. Configure Layer 3 settings.

Configuring Global Settings


To configure global settings on the access switch in extended mode:
1. Unpack and boot up the access switch, and then configure global settings.
2. Connect to the Console port of the EX4200 switch (setting: 9600, 8, 1, none).

Press Enter. The following prompt appears.

Amnesiac (ttyu0) login

a. Log in as root and press Enter. Because no password is configured, you are not prompted for one.

login: root
Logging to master
JUNOS 11.4R1.6 built 2011-11-15 11:14:01 UTC
root@:RE:0%

b. Type cli at the % prompt.

root@:RE:0% cli
{master:0}
root>

You should now be at the > prompt.


3. Configure the date and time in the format: YYYYMMDDhhmm.ss.

root> set date 201201220830.00

NOTE: There is a known issue where the following message appears, but the date is actually set:

root> set date 201202101339.00
date: connect: Can't assign requested address
Fri Feb 10 13:39:00 UTC 2012

4. Enter configuration mode by typing configure or edit.

root> configure
Entering configuration mode
{master:0}[edit]
root#

You should now be at the # prompt and ready to start configuring the switch.

5. Configure the password.

root# set system root-authentication plain-text-password
New password:*******
Retype new password:*******
{master:0}[edit]
root#


6. Configure the time zone.

root# set system time-zone America/Los_Angeles


7. Configure the hostname.

root# set system host-name EX4200-vc1


8. Configure management or vme interface.

NOTE: This is optional, and is only recommended if you plan on having a separate out-of-band network just for managing devices. If you are not sure, you can always add this item later. For more information on the VME interface, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.

root@EX4200-vc1# set interfaces vme unit 0 family inet address 10.94.188.91/24


9. Configure management access.

root@EX4200-vc1# set system services web-management https system-generated-certificate
set system services ssh
delete system services web-management http
delete system services telnet
10. Configure DNS.

root@EX4200-vc1# set system name-server 10.10.24.100
set system domain-name xyzcompany.com

Configuring the Virtual Chassis


To configure the Virtual Chassis for the access switch in extended mode:
1. Identify the Virtual Chassis type. In the case of the validated network, the access switch EX4200-vc1 is an extended mode Virtual Chassis (it uses 10-Gigabit Ethernet links to extend the Virtual Chassis between wiring closets and is managed as a single logical switch).

2. Configure the pre-provisioned Virtual Chassis.

To pre-provision a Virtual Chassis, you need to identify the serial number of each device that will be part of the Virtual Chassis, the device function, and the order in which you want each switch to be placed. Later, when all of the switches are connected and powered up, they will automatically be assigned the proper function and slot. Pay attention to the serial numbers and ordering of each switch when you connect them together later. By default, EX Series devices automatically form a Virtual Chassis, but the ordering is nondeterministic, so the switches may not be numbered sequentially. For more information about Virtual Chassis, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.

root@EX4200-vc1# set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333190
set virtual-chassis member 1 role line-card
set virtual-chassis member 1 serial-number FP0211333201
set virtual-chassis member 2 role routing-engine
set virtual-chassis member 2 serial-number FP0211333173
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333265
3. Set the Virtual Chassis to support fast failover on 10-Gigabit Ethernet Virtual Chassis interfaces.

root@EX4200-vc1# set virtual-chassis fast-failover xe
4. Configure global Virtual Chassis commands.

root@EX4200-vc1# set system commit synchronize
set ethernet-switching-options nonstop-bridging
set chassis redundancy graceful-switchover

Commit the configuration.


root@EX4200-vc1# commit

If you see an error message like the following, you can ignore it; the commit operation has still completed.
root@EX4200-vc1# commit
error: Could not connect to fpc-1 : Can't assign requested address
warning: Cannot connect to other RE, ignoring it
configuration check succeeds
commit complete

Using the VCP ports at the back of the units, cable each pair of EX Series switches together. Remember to pay careful attention to the serial numbers of each switch before cabling them together.

WARNING: Do not connect the 10-Gigabit Ethernet ports at this time.

When all of the switches are cabled properly, power them up. You should now have two Virtual Chassis, each with two members. One of the two-member chassis will be pre-provisioned. Verify that this is working properly by running the show virtual-chassis command. Output similar to the one shown here indicates that the chassis members are present, the Virtual Chassis is pre-provisioned, and the members are correctly identified. Here, member 0 is supposed to be a Routing Engine and member 1 is supposed to be in linecard mode, and we can verify that from the output.
root@EX4200-vc1> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: e3d7.6832.7772
Virtual Chassis Mode: Enabled
                                           Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model         prio  Role      Mode ID  Interface
0 (FPC 0)  Prsnt    FP0211333190 ex4200-48px   129   Master*   N     1  vcp-0
                                                                  1  vcp-1
1 (FPC 1)  Prsnt    FP0211333201 ex4200-48px     0   Linecard  N     0  vcp-0
                                                                  0  vcp-1
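Reading the member table by eye works for two members but gets error-prone as the chassis grows. The following Python script is an added example (not code from the guide or from Juniper): it parses the text of show virtual-chassis and compares each member's serial number, status and role class with the plan that was entered with the set virtual-chassis member statements, so a switch cabled into the wrong slot is reported before the extended ports are connected. The sample output embedded in the script is constructed in the layout shown above; the plan values are the guide's EX4200-vc1 serial numbers.

```python
"""Check `show virtual-chassis` output against the pre-provisioning plan.

Added example (not code from the Juniper guide). It parses the member table
of the CLI output and compares each member's serial number, status and role
class with the plan entered via `set virtual-chassis member ...`, so a
mis-cabled or mis-ordered switch is reported before the extended ports are
connected.
"""
import re
from dataclasses import dataclass

# Plan taken from the guide's pre-provisioning statements for EX4200-vc1:
# member id -> (serial number, role as configured).
EXPECTED_PLAN = {
    0: ("FP0211333190", "routing-engine"),
    1: ("FP0211333201", "line-card"),
}

# The CLI reports Master/Backup for routing-engine members and Linecard for
# line-card members; map the displayed role back to the configured role.
ROLE_CLASS = {"Master": "routing-engine", "Backup": "routing-engine",
              "Linecard": "line-card"}

# Constructed sample in the layout of `show virtual-chassis`.
SAMPLE_OUTPUT = """\
Preprovisioned Virtual Chassis
Virtual Chassis ID: e3d7.6832.7772
Virtual Chassis Mode: Enabled
                                           Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model         prio  Role      Mode ID  Interface
0 (FPC 0)  Prsnt    FP0211333190 ex4200-48px   129   Master*   N     1  vcp-0
                                                                  1  vcp-1
1 (FPC 1)  Prsnt    FP0211333201 ex4200-48px     0   Linecard  N     0  vcp-0
                                                                  0  vcp-1
"""

# One member row: id, FPC, status, serial, model, priority, role (Master has a
# trailing '*'); continuation rows start with whitespace and do not match.
MEMBER_RE = re.compile(
    r"^(?P<id>\d+) \(FPC \d+\)\s+(?P<status>\S+)\s+(?P<serial>\S+)\s+"
    r"(?P<model>\S+)\s+(?P<prio>\d+)\s+(?P<role>[A-Za-z]+)\*?\s"
)


@dataclass
class Member:
    member_id: int
    status: str
    serial: str
    role: str


def parse_virtual_chassis(text):
    """Return (is_preprovisioned, [Member, ...]) from the command output."""
    preprovisioned = text.lstrip().startswith("Preprovisioned Virtual Chassis")
    members = [Member(int(m["id"]), m["status"], m["serial"], m["role"])
               for m in (MEMBER_RE.match(line) for line in text.splitlines()) if m]
    return preprovisioned, members


def check_against_plan(text, plan=EXPECTED_PLAN):
    """Return a list of problems; an empty list means the chassis matches the plan."""
    preprovisioned, members = parse_virtual_chassis(text)
    problems = []
    if not preprovisioned:
        problems.append("chassis is not reported as pre-provisioned")
    seen = {m.member_id: m for m in members}
    for member_id, (serial, role_class) in plan.items():
        m = seen.get(member_id)
        if m is None:
            problems.append(f"member {member_id} ({serial}) is not present")
            continue
        if m.status != "Prsnt":
            problems.append(f"member {member_id} status is {m.status}")
        if m.serial != serial:
            problems.append(f"member {member_id} has serial {m.serial}, expected {serial}")
        if ROLE_CLASS.get(m.role) != role_class:
            problems.append(f"member {member_id} role {m.role} is not {role_class}")
    for member_id in sorted(seen.keys() - plan.keys()):
        problems.append(f"unexpected member {member_id} ({seen[member_id].serial})")
    return problems


if __name__ == "__main__":
    for problem in check_against_plan(SAMPLE_OUTPUT) or ["virtual chassis matches the plan"]:
        print(problem)
```

Extending EXPECTED_PLAN with members 2 and 3 lets the same check run again after the extended ports are connected; a member that joined without a plan entry, or a serial number that does not match its slot, is reported rather than silently accepted.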

5. Configure Virtual Chassis extended ports.

Since this is an extended mode chassis, we need to configure it to use some of the 10-Gigabit Ethernet ports as Virtual Chassis extended ports so the switches can form a single Virtual Chassis. In our example, we use the EX-UM-2x4SFP uplink module on our chassis, which supports either two 10-Gbps or four 1-Gbps ports. The first and third positions coincide with the 10-Gigabit Ethernet ports and are filled on the uplink module, so we will configure ports xe-x/1/0 and xe-x/1/2. We will use port 0 on each switch in our case.

NOTE: The port definition in your deployment could be different if you use a different uplink module in your EX Series device, but as it should still have port 0, this part of the configuration does not change.

root@EX4200-vc1> request virtual-chassis vc-port set pic-slot 1 port 0 member 0
request virtual-chassis vc-port set pic-slot 1 port 0 member 1
a. Use the show virtual-chassis vc-port command to verify that the ports are configured correctly. Here we can see that interface 1/0 on each switch is configured and up but has no neighbors.
root@EX4200-vc1> show virtual-chassis vc-port
fpc0:
--------------------------------------------------------------------------
Interface   Type       Trunk  Status  Speed   Neighbor
or                     ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated  1      Up      32000   1   vcp-1
vcp-1       Dedicated  2      Up      32000   1   vcp-0
1/0         Configured -1     Up      10000

fpc1:
--------------------------------------------------------------------------
Interface   Type       Trunk  Status  Speed   Neighbor
or                     ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated  1      Up      32000   0   vcp-1
vcp-1       Dedicated  2      Up      32000   0   vcp-0
1/0         Configured -1     Up      10000
b. Connect your console to the second pair of switches. Press Enter and you should see the following prompt:

Amnesiac (ttyu0) login:
c. Log in as root and press Enter. There should be no password configured, so you should not be prompted for one.


You should now be at the % prompt of the switch.


login: root
Logging to master
--- JUNOS 11.4R1.6 built 2011-11-15 11:14:01 UTC
root@:RE:0%
d. Type cli at the % prompt.

root@:RE:0% cli
{master:0}
root>

You should now be at the > prompt.


e. Use the show virtual-chassis command to verify that the switches are up and running. When both of the switches show up, we can configure the Virtual Chassis ports on these switches.
root> show virtual-chassis
Virtual Chassis ID: b155.0783.e272
Virtual Chassis Mode: Enabled
                                           Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model         prio  Role      Mode ID  Interface
0 (FPC 0)  Prsnt    FP0211333265 ex4200-48px   128   Master*   N     1  vcp-0
                                                                  1  vcp-1
1 (FPC 1)  Prsnt    FP0211333173 ex4200-48px   128   Backup    N     0  vcp-0
                                                                  0  vcp-1

6. Configure the second set of Virtual Chassis extended ports.

root> request virtual-chassis vc-port set pic-slot 1 port 0 member 0
request virtual-chassis vc-port set pic-slot 1 port 0 member 1

Use the show virtual-chassis vc-port command to verify the ports are configured correctly. Here we can see that interface 1/0 on each switch is configured and up but has no neighbors.
root> show virtual-chassis vc-port

fpc0:
--------------------------------------------------------------------------
Interface   Type       Trunk  Status  Speed   Neighbor
or                     ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated  1      Up      32000   1   vcp-1
vcp-1       Dedicated  2      Up      32000   1   vcp-0
1/0         Configured -1     Down    10000

fpc1:
--------------------------------------------------------------------------
Interface   Type       Trunk  Status  Speed   Neighbor
or                     ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated  1      Up      32000   0   vcp-1
vcp-1       Dedicated  2      Up      32000   0   vcp-0
1/0         Configured -1     Down    10000

7. Connect the Virtual Chassis extended ports.
a. Connect switches 1 and 3 together using the 10-Gigabit Ethernet port xe-x/1/0 on each switch.
b. Connect switches 2 and 4 together using the 10-Gigabit Ethernet port xe-x/1/0 on each switch.
8. Verify Virtual Chassis extended ports.
a. Connect the console back to the first pair of switches.
b. Use the show virtual-chassis vc-port command to verify the port configuration is correct. All of the four switches are visible, with one configured 1/0 port that has a neighbor listed.
{master:0} root@EX4200-vc1> show virtual-chassis vc-port
fpc0:
--------------------------------------------------------------------------
Interface   Type       Trunk  Status  Speed   Neighbor
or                     ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated  1      Up      32000   1   vcp-1
vcp-1       Dedicated  2      Up      32000   1   vcp-0
1/0         Configured -1     Up      10000   2   vcp-255/1/0

fpc1:
--------------------------------------------------------------------------
Interface   Type       Trunk  Status  Speed   Neighbor
or                     ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated  1      Up      32000   0   vcp-1
vcp-1       Dedicated  2      Up      32000   0   vcp-0
1/0         Configured -1     Up      10000   3   vcp-255/1/0

fpc2:
--------------------------------------------------------------------------
Interface   Type       Trunk  Status  Speed   Neighbor
or                     ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated  1      Up      32000   3   vcp-1
vcp-1       Dedicated  2      Up      32000   3   vcp-0
1/0         Configured -1     Up      10000   0   vcp-255/1/0

fpc3:
--------------------------------------------------------------------------
Interface   Type       Trunk  Status  Speed   Neighbor
or                     ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated  1      Up      32000   2   vcp-1
vcp-1       Dedicated  2      Up      32000   2   vcp-0
1/0         Configured -1     Up      10000   1   vcp-255/1/0

c. Use the show virtual-chassis command to verify that the Virtual Chassis is built as expected, based on the pre-provisioning configuration we did earlier.


root@EX4200-vc1> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: e3d7.6832.7772
Virtual Chassis Mode: Enabled
                                           Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model         prio  Role      Mode ID  Interface
0 (FPC 0)  Prsnt    FP0211333190 ex4200-48px   129   Master*   N     1  vcp-0
                                                                  1  vcp-1
                                                                  2  vcp-255/1/0
1 (FPC 1)  Prsnt    FP0211333201 ex4200-48px     0   Linecard  N     0  vcp-0
                                                                  0  vcp-1
                                                                  3  vcp-255/1/0
2 (FPC 2)  Prsnt    FP0211333173 ex4200-48px   129   Backup    N     3  vcp-0
                                                                  3  vcp-1
                                                                  0  vcp-255/1/0
3 (FPC 3)  Prsnt    FP0211333265 ex4200-48px     0   Linecard  N     2  vcp-0
                                                                  2  vcp-1
                                                                  1  vcp-255/1/0

9. Configure default settings.

The following commands show items that should be enabled by default in the configuration. You may wish to review and verify that these settings are desired for your specific network.
root@EX4200-vc1# set protocols igmp-snooping vlan all
set protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set poe interface all
set ethernet-switching-options storm-control interface all

Configuring Layer 2 settings


To configure Layer 2 parameters and settings on the access switch in extended mode:
1. Configure VLANs. The EX4200-vc1 chassis has the following VLANs assigned: Data_Wired_1, VOIP_Wired_1, Management and Guest_Wired. It has only one IP interface defined, which is on the Management VLAN.
root@EX4200-vc1# set vlans Data_Wired_1 vlan-id 10
set vlans VOIP_Wired_1 vlan-id 14
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Guest_Wired vlan-id 30


2. Configure interfaces.

We need to configure one IP interface on the Management VLAN.


set interfaces vlan unit 28 family inet address 10.10.28.244/24
3. Configure LAG (aggregated Ethernet) ports.

The EX4200-vc1 chassis has only one LAG port configured to connect to the core switch. Junos OS requires that you configure the number of LAG interfaces you want to use before you begin configuring the LAG interfaces. We suggest picking a number slightly larger than what you need in case you add more LAG interfaces later. You can change this value in the future.
a. Because we need one LAG interface for this configuration, we will configure the EX4200-vc1 chassis with two in case we add another LAG connection later.
root@EX4200-vc1# set chassis aggregated-devices ethernet device-count 2

The 10-Gigabit Ethernet ports on the EX4200-vc1 are only available using the uplink module ports. We have uplink modules on each of the four switches. However, the first port xe-x/1/0 is already in use on each switch to form the extended Virtual Chassis. We need to configure the LAG connection on switch members 1 and 3, using ports xe-1/1/2 and xe-3/1/2.
b. First, we need to remove any port-specific configuration on the physical ports we want to aggregate. By default, interfaces have unit 0 defined, but this is not allowed on an interface that is part of an aggregate interface because it would conflict with unit 0 on the logical aggregate interface.
root@EX4200-vc1# delete interfaces xe-0/1/2 unit 0
delete interfaces xe-2/1/2 unit 0
root@EX4200-vc1# set interfaces xe-0/1/2 ether-options 802.3ad ae0
set interfaces xe-2/1/2 ether-options 802.3ad ae0
c. Next, we need to add LACP to each LAG interface to provide some health checking.

NOTE: LACP must be configured on both sides for the LAG port to become active.

root@EX4200-vc1# set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
4. Disable RSTP on LAG connections to access switches.

Because we are not using RSTP as a topology protocol, we can disable it on the LAG ports going to our access switches. Disabling RSTP also reduces potential convergence times in case of a LAG member failure, because fewer protocols need to converge.


NOTE: All access switches will have RSTP enabled for loop protection locally.

root@EX4200-vc1# set protocols rstp interface ae0.0 disable


5. Configure the trunk port and VLAN configuration.

Next, we need to configure the LAG port as a trunk and add the VLANs that will be supported going to the core switch. To enable the LAG port as a trunk port, use the set interfaces command.
root@EX4200-vc1# set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
6. Configure VLANs on trunk ports.

VLAN configuration for ae0, which connects to the EX4542-vc1, has Data_Wired_1, VOIP_Wired_1, and the Management VLAN for access points and switch management. The Guest_Wired VLAN will also be configured on this trunk to support guests needing a wired connection (conference rooms, and so on).
root@EX4200-vc1# set interfaces ae0 unit 0 family ethernet-switching vlan members [Data_Wired_1 VOIP_Wired_1 Management Guest_Wired]
a. Commit the configuration.

You should see the commit operation finish on each of the EX Series switches in the Virtual Chassis.
root@ex4200-vc1# commit
fpc0:
configuration check succeeds
fpc1:
commit complete
fpc2:
commit complete
fpc3:
commit complete
fpc0:
commit complete
b. Now connect the LAG connections to the core switch.

Run the show lldp neighbors command to verify that the connection is up and you can see the other side of the connection.
root@ex4200-vc1> show lldp neighbors
Local Interface    Parent Interface    Chassis Id           Port info       System Name
vme.0                                  5c:5e:ab:79:bc:c0    ge-0/0/38.0
xe-0/1/2.0         ae0.0               88:e0:f3:74:55:c0    xe-0/0/0.0      EX4542-vc1
xe-2/1/2.0         ae0.0               88:e0:f3:74:55:c0    xe-1/0/0.0      EX4542-vc1

c. Run the show lacp interfaces command to verify that LACP is running.

root@ex4200-vc1> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/2       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-0/1/2     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-2/1/2       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-2/1/2     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/2                  Current   Fast periodic Collecting distributing
      xe-2/1/2                  Current   Fast periodic Collecting distributing
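The two verification commands in steps 6b and 6c answer different questions: LLDP shows where each member link physically lands, and LACP shows whether both ends agree to bundle it. The following Python script is an added example (not code from the guide or from Juniper) that combines both checks for one aggregate: every member must have an LLDP neighbor, all members must terminate on the same neighbor system (a member patched to a different switch shows up as a second system name), and every member must report actor and partner synchronized, collecting and distributing with no defaulted partner information. The embedded outputs are constructed samples in the layout shown above for EX4200-vc1's ae0.

```python
"""Health check for a LAG uplink from `show lldp neighbors` and
`show lacp interfaces` output.

Added example, not code from the Juniper guide. It verifies that every
member link of the aggregate terminates on the same neighbor system (a
member patched to the wrong switch shows up as a second system name) and
that LACP reports actor and partner synchronized, collecting and
distributing on every member.
"""
import re

# Constructed samples in the layout of the two CLI commands.
LLDP_SAMPLE = """\
Local Interface    Parent Interface    Chassis Id           Port info       System Name
vme.0                                  5c:5e:ab:79:bc:c0    ge-0/0/38.0
xe-0/1/2.0         ae0.0               88:e0:f3:74:55:c0    xe-0/0/0.0      EX4542-vc1
xe-2/1/2.0         ae0.0               88:e0:f3:74:55:c0    xe-1/0/0.0      EX4542-vc1
"""

LACP_SAMPLE = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/2       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-0/1/2     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-2/1/2       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-2/1/2     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/2                  Current   Fast periodic Collecting distributing
      xe-2/1/2                  Current   Fast periodic Collecting distributing
"""

# LLDP rows whose parent is an aggregate: local, parent, chassis id, port, system.
LLDP_ROW = re.compile(r"^(\S+)\s+(ae\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# "LACP state" rows: member, role and the eight flag/timer columns.
FLAGS = ("Exp", "Def", "Dist", "Col", "Syn", "Aggr", "Timeout", "Activity")
LACP_STATE_ROW = re.compile(
    r"^\s+(\S+)\s+(Actor|Partner)\s+(No|Yes)\s+(No|Yes)\s+(No|Yes)\s+(No|Yes)"
    r"\s+(No|Yes)\s+(No|Yes)\s+(Fast|Slow)\s+(Active|Passive)\s*$")
# "LACP protocol" rows: member, receive state, transmit state, mux state.
LACP_MUX_ROW = re.compile(r"^\s+(\S+)\s+(\S+)\s+((?:Fast|Slow) periodic)\s+(.+?)\s*$")


def lldp_lag_members(text, lag):
    """Map each LLDP-visible member of `lag` to (chassis id, remote port, system name)."""
    members = {}
    for line in text.splitlines():
        m = LLDP_ROW.match(line)
        if m and m.group(2) == lag + ".0":
            members[m.group(1)] = (m.group(3), m.group(4), m.group(5))
    return members


def lacp_state(text, lag):
    """Return {member: {"Actor": {...}, "Partner": {...}, "mux": str}} for `lag`."""
    state, in_lag = {}, False
    for line in text.splitlines():
        if line.startswith("Aggregated interface:"):
            in_lag = line.split(":", 1)[1].strip() == lag
            continue
        if not in_lag:
            continue
        m = LACP_STATE_ROW.match(line)
        if m:
            state.setdefault(m.group(1), {})[m.group(2)] = dict(zip(FLAGS, m.groups()[2:]))
            continue
        m = LACP_MUX_ROW.match(line)
        if m and m.group(1) in state:
            state[m.group(1)]["mux"] = m.group(4)
    return state


def lag_problems(lldp_text, lacp_text, lag, expected_members):
    """Return a list of problems for `lag`; an empty list means the LAG is healthy."""
    problems = []
    neighbors = lldp_lag_members(lldp_text, lag)
    for member in expected_members:
        if member + ".0" not in neighbors:
            problems.append(f"{member}: no LLDP neighbor seen")
    systems = sorted({n[2] for n in neighbors.values()})
    if len(systems) > 1:
        problems.append(f"members terminate on different systems: {systems}")
    lacp = lacp_state(lacp_text, lag)
    for member in expected_members:
        st = lacp.get(member)
        if st is None:
            problems.append(f"{member}: not in the LACP state table")
            continue
        for role in ("Actor", "Partner"):
            flags = st.get(role)
            if flags is None:
                problems.append(f"{member}: no {role} row")
                continue
            if not all(flags[f] == "Yes" for f in ("Syn", "Col", "Dist")):
                problems.append(f"{member}: {role} is not synchronized/collecting/distributing")
            if flags["Def"] == "Yes":
                problems.append(f"{member}: {role} is using defaulted partner information")
        if st.get("mux") != "Collecting distributing":
            problems.append(f"{member}: mux state is {st.get('mux')!r}")
    return problems


if __name__ == "__main__":
    for p in lag_problems(LLDP_SAMPLE, LACP_SAMPLE, "ae0", ["xe-0/1/2", "xe-2/1/2"]) or ["ae0 is healthy"]:
        print(p)
```

A Def of Yes on the partner row is worth flagging separately: it means the local switch has not received LACPDUs from the far end and is using defaulted partner parameters, which is the usual symptom of LACP not being configured on the other side, as the NOTE in step 3c warns.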

7. Configure secure access port features.

We recommend configuring these basic security features on the majority of the VLANs on access switches. We need to enable these features on the Data_Wired_1, VOIP_Wired_1, and Guest_Wired VLANs. You may notice that we do not enable these features on the Management VLAN. There is a greater tendency to have statically configured devices on management VLANs. Each device with a static IP address attached to a port on a VLAN, with these features enabled, requires a static port configuration with an IP address and a MAC address in order to communicate with the rest of the network. If required, this additional level of security can be configured, but it will add some overhead when network changes are made.
root@EX4200-vc1# set ethernet-switching-options secure-access-port vlan Data_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard

For more information about port security features, see the Day One book, Configuring EX Series Ethernet Switches, or Port Security on EX Series Switches Guide at www.juniper.net/techpubs.
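Because the three features are enabled per VLAN, a VLAN added months later is easy to leave unprotected. The following Python script is an added example (not code from the guide or from Juniper) that audits a set-style configuration: it lists every defined VLAN, works out which of arp-inspection, examine-dhcp and ip-source-guard is missing, exempts the Management VLAN for the reason given above, and prints the set statements that would close the gap. The embedded configuration is a constructed sample made of the guide's EX4200-vc1 statements plus a hypothetical Printers VLAN that was added without protection.

```python
"""Audit secure-access-port coverage in a Junos `set`-style configuration.

Added example, not code from the Juniper guide. Given the configuration as
`set ...` lines, it reports for every VLAN which of the three access-port
security features (dynamic ARP inspection, DHCP snooping, IP source guard)
is missing, so a VLAN added later without protection stands out. The
Management VLAN is exempted on purpose, for the reason the guide gives
about statically addressed devices.
"""
import re

# Feature keywords as they appear under secure-access-port vlan <name>.
FEATURES = ("arp-inspection", "examine-dhcp", "ip-source-guard")

# Constructed sample: the guide's VLAN and secure-access-port statements for
# EX4200-vc1, plus a hypothetical Printers VLAN that was added unprotected.
SAMPLE_CONFIG = """\
set vlans Data_Wired_1 vlan-id 10
set vlans VOIP_Wired_1 vlan-id 14
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Guest_Wired vlan-id 30
set vlans Printers vlan-id 40
set ethernet-switching-options secure-access-port vlan Data_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
"""

VLAN_RE = re.compile(r"^set vlans (\S+) vlan-id (\d+)\s*$")
SAP_RE = re.compile(r"^set ethernet-switching-options secure-access-port vlan (\S+) (\S+)\s*$")


def parse_config(text):
    """Return ({vlan: id}, {vlan: {features}}) from `set` statements."""
    vlans, features = {}, {}
    for line in text.splitlines():
        m = VLAN_RE.match(line.strip())
        if m:
            vlans[m.group(1)] = int(m.group(2))
            continue
        m = SAP_RE.match(line.strip())
        if m:
            features.setdefault(m.group(1), set()).add(m.group(2))
    return vlans, features


def audit(text, exempt=("Management",)):
    """Return {vlan: [missing features]} for VLANs that are not fully protected.

    Statements under `vlan all` count for every VLAN; `exempt` names are skipped.
    """
    vlans, features = parse_config(text)
    for_all = features.get("all", set())
    gaps = {}
    for name in vlans:
        if name in exempt:
            continue
        enabled = features.get(name, set()) | for_all
        missing = [f for f in FEATURES if f not in enabled]
        if missing:
            gaps[name] = missing
    return gaps


def remediation(text, exempt=("Management",)):
    """Return the `set` statements that would close the gaps found by audit()."""
    return [f"set ethernet-switching-options secure-access-port vlan {vlan} {feature}"
            for vlan, missing in sorted(audit(text, exempt).items())
            for feature in missing]


if __name__ == "__main__":
    for vlan, missing in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{vlan}: missing {', '.join(missing)}")
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

The exempt list makes the policy decision explicit and reviewable: every VLAN is protected unless it is named there, which is the opposite of the default a hand-maintained configuration drifts toward. Run the audit against show configuration | display set output before each commit that adds a VLAN.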


NOTE: Using the interface-range statement. Junos OS supports a feature called interface-range, which allows you to group several interfaces together so that you can configure the entire group using one statement. This can be helpful when you have many similar ports that will share much of the same configuration, and this statement can be used to simplify configurations. With the access switches in the validated network, each member in the Virtual Chassis is divided up by port type. Ports 0-4 are reserved for wireless access points, ports 5-26 are reserved for data, and ports 27-47 are reserved for voice. Since these ports are typically configured identically, we use the interface-range statement to simplify operations and create three different port groups: Access_Points, Wired_Data and Wired_Voice.

root@EX4200-vc1# set interfaces interface-range Wired_Data member-range ge-0/0/5 to ge-0/0/26
set interfaces interface-range Wired_Data member-range ge-1/0/5 to ge-1/0/26
set interfaces interface-range Wired_Data member-range ge-2/0/5 to ge-2/0/26
set interfaces interface-range Wired_Data member-range ge-3/0/5 to ge-3/0/26
set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Wired_Voice member-range ge-2/0/27 to ge-2/0/47
set interfaces interface-range Wired_Voice member-range ge-3/0/27 to ge-3/0/47
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4
set interfaces interface-range Access_Points member-range ge-2/0/0 to ge-2/0/4
set interfaces interface-range Access_Points member-range ge-3/0/0 to ge-3/0/4
8. Set the port mode.

Set the port mode to access. Because we have used the interface-range statement, we only need to set the port mode at the interface-range instead of editing every port.
root@EX4200-vc1# set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access
9. Configure port to VLAN.

root@EX4200-vc1# set vlans Data_Wired_1 interface Wired_Data
set vlans Management interface Access_Points
set vlans VOIP_Wired_1 interface Wired_Voice
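Steps 7 to 9 are all derived from one port plan (which ports belong to which group, and which VLAN each group joins), so they are best generated from one table than typed three times. The following Python script is an added example (not code from the guide or from Juniper): it holds the guide's plan for EX4200-vc1 (ports 0-4 access points, 5-26 data, 27-47 voice on four members), validates that the ranges cover all 48 front-panel ports exactly once, and emits the member-range, port-mode and VLAN-membership statements shown above. The member ids, port count and VLAN names are those of the guide; the validation rules are the example's own.

```python
"""Generate the interface-range, port-mode and VLAN-membership statements for
an EX4200 Virtual Chassis from one port plan.

Added example, not code from the Juniper guide. The plan reproduces the
guide's layout (ports 0-4 access points, 5-26 data, 27-47 voice on each of
four members). Generating all three steps from the same table keeps ranges,
port mode and VLAN membership consistent, and the validation catches a plan
that overlaps, leaves ports unassigned or exceeds the 48 front-panel ports.
"""

# Range name -> (first port, last port, VLAN the range joins), from the
# guide's interface-range and "Configure port to VLAN" statements.
PORT_PLAN = {
    "Access_Points": (0, 4, "Management"),
    "Wired_Data": (5, 26, "Data_Wired_1"),
    "Wired_Voice": (27, 47, "VOIP_Wired_1"),
}
MEMBERS = (0, 1, 2, 3)          # Virtual Chassis member ids
PORTS_PER_MEMBER = 48           # ex4200-48px: ge-<member>/0/0 .. ge-<member>/0/47


def plan_errors(plan, ports_per_member=PORTS_PER_MEMBER):
    """Return a list of problems with the plan; empty means every port is assigned once."""
    errors = []
    expected_next = 0
    for lo, hi, name in sorted((lo, hi, name) for name, (lo, hi, _vlan) in plan.items()):
        if lo < expected_next:
            errors.append(f"{name}: range starts inside the previous range")
        elif lo > expected_next:
            errors.append(f"{name}: ports {expected_next}-{lo - 1} are unassigned")
        if hi < lo or hi >= ports_per_member:
            errors.append(f"{name}: range {lo} to {hi} is out of bounds")
        expected_next = max(expected_next, hi + 1)
    if expected_next < ports_per_member:
        errors.append(f"ports {expected_next}-{ports_per_member - 1} are unassigned")
    return errors


def generate(plan=PORT_PLAN, members=MEMBERS, ports_per_member=PORTS_PER_MEMBER):
    """Return the `set` statements for the plan, or raise ValueError if it is inconsistent."""
    errors = plan_errors(plan, ports_per_member)
    if errors:
        raise ValueError("; ".join(errors))
    lines = []
    # Step 7: one member-range statement per (range, member).
    for name, (lo, hi, _vlan) in plan.items():
        for m in members:
            lines.append(f"set interfaces interface-range {name} member-range "
                         f"ge-{m}/0/{lo} to ge-{m}/0/{hi}")
    # Step 8: access port mode set once per range rather than per port.
    for name in plan:
        lines.append(f"set interfaces interface-range {name} unit 0 "
                     f"family ethernet-switching port-mode access")
    # Step 9: VLAN membership by range name.
    for name, (_lo, _hi, vlan) in plan.items():
        lines.append(f"set vlans {vlan} interface {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(generate()))
```

The validation is the security-relevant part: a port that falls outside every range keeps the default configuration and therefore none of the group's settings, and a port that falls into two ranges is rejected by Junos at commit time, but only after the rest of the change has been entered. Catching both before the commit keeps the access layer's port policy complete.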
10. Configure Layer 3 settings.

Layer 3 configuration for the access switch involves setting a default route in the case of the validated network. In this case, it points to 10.10.28.1 which is the core switch IP interface on the Management VLAN.
root@EX4200-vc1# set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1


Commit the configuration.


root@EX4200-vc1# commit
11. Verify IP reachability.

Next, you need to verify IP reachability by pinging the core switch management IP address from the access switch. This also indicates that trunking is configured properly on the interface and working properly.
root@EX4200-vc1> ping 10.10.28.1
PING 10.10.28.1 (10.10.28.1): 56 data bytes
64 bytes from 10.10.28.1: icmp_seq=0 ttl=64 time=4.441 ms
64 bytes from 10.10.28.1: icmp_seq=1 ttl=64 time=4.383 ms
64 bytes from 10.10.28.1: icmp_seq=2 ttl=64 time=4.134 ms
12. Verify VLANs and trunking.
a. To verify that the proper VLANs are configured for trunking on the ae0 interface, you can use the show ethernet-switching interfaces ae0 command.


root@EX4200-vc1> show ethernet-switching interfaces ae0
Interface    State    VLAN members    Tag    Tagging    Blocking
ae0.0        up       Data_Wired_1    10     tagged     unblocked
                      Guest_Wired     30     tagged     unblocked
                      Management      28     tagged     unblocked
                      VOIP_Wired_1    14     tagged     unblocked

b. To see what ports are configured for specific VLANs use the show vlans command.

NOTE: Because of the large number of ports in ex4200-vc1, the command output below shows only the first VLAN.

root@EX4200-vc1> show vlans
Name           Tag     Interfaces
Data_Wired_1   10
                       ae0.0*, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0,
                       ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0,
                       ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0,
                       ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0, ge-0/0/24.0,
                       ge-0/0/25.0, ge-0/0/26.0, ge-1/0/5.0, ge-1/0/6.0, ge-1/0/7.0,
                       ge-1/0/8.0, ge-1/0/9.0, ge-1/0/10.0*, ge-1/0/11.0, ge-1/0/12.0,
                       ge-1/0/13.0, ge-1/0/14.0, ge-1/0/15.0, ge-1/0/16.0, ge-1/0/17.0,
                       ge-1/0/18.0, ge-1/0/19.0, ge-1/0/20.0, ge-1/0/21.0, ge-1/0/22.0,
                       ge-1/0/23.0, ge-1/0/24.0, ge-1/0/25.0, ge-1/0/26.0, ge-2/0/5.0,
                       ge-2/0/6.0, ge-2/0/7.0, ge-2/0/8.0, ge-2/0/9.0, ge-2/0/10.0*,
                       ge-2/0/11.0*, ge-2/0/12.0, ge-2/0/13.0, ge-2/0/14.0, ge-2/0/15.0,
                       ge-2/0/16.0, ge-2/0/17.0, ge-2/0/18.0, ge-2/0/19.0, ge-2/0/20.0,
                       ge-2/0/21.0, ge-2/0/22.0, ge-2/0/23.0, ge-2/0/24.0, ge-2/0/25.0,
                       ge-2/0/26.0, ge-3/0/5.0, ge-3/0/6.0, ge-3/0/7.0, ge-3/0/8.0,
                       ge-3/0/9.0, ge-3/0/10.0, ge-3/0/11.0, ge-3/0/12.0, ge-3/0/13.0,
                       ge-3/0/14.0, ge-3/0/15.0, ge-3/0/16.0, ge-3/0/17.0, ge-3/0/18.0,
                       ge-3/0/19.0, ge-3/0/20.0, ge-3/0/21.0, ge-3/0/22.0, ge-3/0/23.0,
                       ge-3/0/24.0, ge-3/0/25.0, ge-3/0/26.0
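The trunk check in step 12a is the one most worth automating, because a VLAN missing from the trunk, carried untagged, or blocked by spanning tree all look the same from a user's desk: no connectivity. The following Python script is an added example (not code from the guide or from Juniper) that parses show ethernet-switching interfaces output and compares the trunk against the expected VLAN-to-tag map from the guide's VLAN definitions for EX4200-vc1. The embedded output is a constructed sample in the layout shown in step 12a.

```python
"""Verify a trunk's VLAN membership from `show ethernet-switching interfaces`
output.

Added example, not code from the Juniper guide. It checks that the trunk is
up and carries exactly the expected VLANs with the expected tags, all tagged
and none blocked, so a VLAN left off the trunk, mis-tagged or blocked by
spanning tree is caught without waiting for a host to report a problem.
"""
import re

# Expected trunk membership for ae0.0 on EX4200-vc1, from the guide's VLAN definitions.
EXPECTED_VLANS = {"Data_Wired_1": 10, "VOIP_Wired_1": 14, "Management": 28, "Guest_Wired": 30}

# Constructed sample in the layout of `show ethernet-switching interfaces ae0`.
SAMPLE_OUTPUT = """\
Interface    State    VLAN members    Tag    Tagging    Blocking
ae0.0        up       Data_Wired_1    10     tagged     unblocked
                      Guest_Wired     30     tagged     unblocked
                      Management      28     tagged     unblocked
                      VOIP_Wired_1    14     tagged     unblocked
"""

# The first row of an interface carries the interface name and state; the
# following (indented) rows carry only the VLAN columns. The header row has
# no numeric tag and therefore never matches.
ROW_RE = re.compile(
    r"^\s*(?:(?P<ifname>\S+)\s+(?P<state>\S+)\s+)?(?P<vlan>\S+)\s+(?P<tag>\d+)\s+"
    r"(?P<tagging>tagged|untagged)\s+(?P<blocking>.+?)\s*$")


def parse_interface_vlans(text):
    """Return {ifname: {"state": str, "vlans": {name: (tag, tagging, blocking)}}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        if m["ifname"]:
            current = m["ifname"]
            result[current] = {"state": m["state"], "vlans": {}}
        if current is not None:
            result[current]["vlans"][m["vlan"]] = (int(m["tag"]), m["tagging"], m["blocking"])
    return result


def trunk_problems(text, ifname, expected):
    """Return a list of problems for `ifname`; an empty list means the trunk matches."""
    info = parse_interface_vlans(text).get(ifname)
    if info is None:
        return [f"{ifname}: not found in output"]
    problems = []
    if info["state"] != "up":
        problems.append(f"{ifname}: state is {info['state']}")
    vlans = info["vlans"]
    for name, tag in expected.items():
        entry = vlans.get(name)
        if entry is None:
            problems.append(f"{name}: not a member of {ifname}")
            continue
        got_tag, tagging, blocking = entry
        if got_tag != tag:
            problems.append(f"{name}: tag {got_tag}, expected {tag}")
        if tagging != "tagged":
            problems.append(f"{name}: {tagging} on a trunk")
        if blocking != "unblocked":
            problems.append(f"{name}: {blocking}")
    for name in sorted(vlans.keys() - expected.keys()):
        problems.append(f"{name}: unexpected VLAN on {ifname}")
    return problems


if __name__ == "__main__":
    for p in trunk_problems(SAMPLE_OUTPUT, "ae0.0", EXPECTED_VLANS) or ["ae0.0 matches"]:
        print(p)
```

The "unexpected VLAN" case is deliberate: a trunk carrying a VLAN nobody planned for (for example a VLAN that was meant to stay local to one closet) widens the broadcast domain silently, so the check reports extra members as well as missing ones.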

Configuring the Access Switch in Dedicated Mode


The configuration for the remaining access switches EX4200-vc2 and EX4200-vc3 is identical to that of the extended mode access switch with the exception of IP addressing differences. In this section, we only step through the setup of EX4200-vc2, as shown in Figure 15 on page 59.

Figure 15: Dedicated Mode Access Switch

This configuration includes the following topics.

Procedure Overview on page 60
Configuring Global Settings on page 60
Configuring a Virtual Chassis on page 61
Configuring Layer 2 settings on page 63


Procedure Overview
1. Unpack and perform the initial setup of the first switch.
2. Configure global configuration items.
3. Configure the Virtual Chassis.
   a. Identify the type of Virtual Chassis.
   b. Pre-provision the Virtual Chassis.
   c. Perform the Virtual Chassis type-specific configuration.
   d. Perform the Virtual Chassis standard configuration.
4. Configure Layer 2 settings.
5. Configure Layer 3 settings.

Configuring Global Settings


To configure global settings on the access switch in dedicated mode:
1. Unpack and perform the initial setup of the first switch.

2. Connect to the console port of the EX4200 switch (settings: 9600, 8, 1, none).
a. Press Enter. The following prompt appears:

Amnesiac (ttyu0) login:


b. Log in as root and press Enter. Because no password is configured, you are not prompted for one.

login: root
Logging to master
JUNOS 11.4R1.6 built 2011-11-15 11:14:01 UTC
root@:RE:0%
c. Type cli at the % prompt.

root@:RE:0% cli
{master:0}
root>

You should now be at the > prompt.


3. Configure the date and time in the following format: YYYYMMDDhhmm.ss

root> set date 201201220830.00


4. Enter configuration mode by typing configure or edit.

root> configure
Entering configuration mode
{master:0}[edit]
root#

You should now be at the # prompt and ready to start configuring the switch.
5. Configure the password.

root# set system root-authentication plain-text-password
New password: *******
Retype new password: *******
{master:0}[edit]
root#
6. Configure the time zone.

root# set system time-zone America/Los_Angeles


7. Configure the hostname.

set system host-name EX4200-vc2


8. Configure the management and VME interface.

NOTE: This is optional, and is only recommended if you plan on having a separate out-of-band network just for managing devices. If you are not sure, you can add this item later. For more information on the VME interface, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.

root@EX4200-vc2# set interfaces vme unit 0 family inet address 10.94.188.95/24


9. Configure management access.

root@EX4200-vc2# set system services web-management https system-generated-certificate
set system services ssh
delete system services web-management http
delete system services telnet
10. Configure DNS.

root@EX4200-vc2# set system name-server 10.10.24.100
set system domain-name xyzcompany.com

Configuring a Virtual Chassis


To configure the Virtual Chassis for the access switch in dedicated mode:
1. Identify the Virtual Chassis type. In the case of the validated network, the access switch EX4200-vc2 is a dedicated mode Virtual Chassis: it uses only the VCP ports to form the switching fabric interconnect, and all switches are the same model.

2. Configure a pre-provisioned Virtual Chassis.

To pre-provision a Virtual Chassis you need to identify the serial numbers of each device that will be part of the Virtual Chassis, the device function, and the order in which you want each switch to be placed. Later, when all of the switches are connected and powered up, they will automatically be assigned the proper function and slot. Make sure you pay attention to the serial numbers and ordering of each switch when you connect them together later. By default, the EX Series devices automatically form a Virtual Chassis, but because the ordering is nondeterministic, the switches may not be numbered sequentially. For more information about Virtual Chassis, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.
root@EX4200-vc2# set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333274
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number FP0211333245
3. Configure specific Virtual Chassis commands.

Because this is only a two-member Virtual Chassis and both members are located together, we need to disable split detection.
root@EX4200-vc2# set virtual-chassis no-split-detection
4. Configure global Virtual Chassis commands.

root@EX4200-vc2# set system commit synchronize
set ethernet-switching-options nonstop-bridging
set chassis redundancy graceful-switchover
a. Commit the configuration.

root@EX4200-vc2# commit
b. Using the VCP ports at the back of the units, cable each pair of EX Series switches together. When all of the switches are cabled properly, power up the remaining switch. Once all the switches are powered up, verify that all of the members are active by running the show virtual-chassis command.
root@EX4200-vc-2> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: 77df.abcc.3e2f
Virtual Chassis Mode: Enabled
                                           Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model         prio  Role      Mode ID  Interface
0 (FPC 0)  Prsnt    FP0211333274 ex4200-48px   129   Backup    N     1  vcp-0
                                                                  1  vcp-1
1 (FPC 1)  Prsnt    FP0211333245 ex4200-48px   129   Master*   N     0  vcp-0
                                                                  0  vcp-1

5. Configure default settings.

The following commands show items that should be enabled by default in the configuration. You may wish to review and verify that these settings are desired for your specific network.
root@EX4200-vc2# set protocols igmp-snooping vlan all
set protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set poe interface all
set ethernet-switching-options storm-control interface all

Configuring Layer 2 settings


To configure Layer 2 parameters and settings on the access switch in dedicated mode:
1. Configure VLANs. The EX4200-vc2 chassis has the following VLANs assigned: Data_Wired_2, VOIP_Wired_2, Management and Guest_Wired. It has only one IP interface defined, which is on the Management VLAN.
root@EX4200-vc2# set vlans Data_Wired_2 vlan-id 12
set vlans VOIP_Wired_2 vlan-id 16
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Guest_Wired vlan-id 30

2. Configure interfaces.

We need to configure one IP interface on the Management VLAN.


root@EX4200-vc2# set interfaces vlan unit 28 family inet address 10.10.28.243/24
3. Configure LAG (aggregated Ethernet) ports.

The EX4200-vc2 chassis has only one LAG port configured to connect to the core switch. Junos OS requires that you configure the number of LAG interfaces you want to use before you begin configuring the LAG interfaces. We suggest picking a number slightly larger than what you need in case you add more LAG interfaces later. You can change this value in the future.
a. Because we need one LAG interface for this configuration, we will configure the EX4200-vc2 chassis with two in case we add another LAG connection later.
root@EX4200-vc2# set chassis aggregated-devices ethernet device-count 2

The 10-Gigabit Ethernet ports on the EX4200-vc1 are only available using the uplink module ports. We have uplink modules on each of the four switches. However, the first port xe-x/1/0 is already in use on each switch to form the extended Virtual Chassis. We need to configure the LAG connection on switch members 1 and 3, using ports xe-1/1/2 and xe-3/1/2.
b. First, we need to remove any port-specific configuration on the physical ports we want to aggregate. By default, interfaces have unit 0 defined, but this is not allowed on an interface that is part of an aggregate interface because it would conflict with unit 0 on the logical aggregate interface.
root@EX4200-vc2# delete interfaces xe-0/1/0 unit 0
delete interfaces xe-1/1/0 unit 0
root@EX4200-vc2# set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0


c. Next, we need to add LACP to each LAG interface to provide some health checking.

NOTE: LACP must be configured on both sides for the LAG port to become active.

root@EX4200-vc2# set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
4. Disable RSTP on LAG connections to access switches.

Because we do not use RSTP as a topology protocol, we can disable it on the LAG ports going to our access switches. Disabling RSTP also reduces potential convergence times in case a LAG member fails, because fewer protocols need to converge.

NOTE: All access switches have RSTP enabled locally for loop protection.

root@EX4200-vc2# set protocols rstp interface ae0.0 disable


5. Configure the trunk port and VLAN.

Next, we need to configure the LAG port as a trunk and add the VLANs that will be supported going to the core switch. To enable the LAG port as a trunk port, use the set interfaces command.
root@EX4200-vc2# set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
6. Configure VLANs on trunk ports.

VLAN configuration for ae0, which connects to the EX4542-vc1 switch, has Data_Wired_2, VOIP_Wired_2, and the Management VLAN for access points and switch management. The Guest_Wired VLAN will also be configured on this trunk to support guests needing a wired connection (conference rooms, and so on).
root@EX4200-vc2# set interfaces ae0 unit 0 family ethernet-switching vlan members [Data_Wired_2 VOIP_Wired_2 Management Guest_Wired]
a. Commit the configuration.

root@EX4200-vc2# commit
b. Connect the LAG connections to the core switch. Use the show lldp neighbors command to verify that the connection is up and you can see the other side of the connection.
root@EX4200-vc2> show lldp neighbors
Local Interface    Parent Interface    Chassis Id           Port info       System Name
vme.0                                  5c:5e:ab:79:bc:c0    ge-0/0/12.0
xe-0/1/0.0         ae0.0               88:e0:f3:74:55:c0    xe-0/0/1.0      EX4542-vc1
xe-1/1/0.0         ae0.0               88:e0:f3:74:55:c0    xe-1/0/1.0      EX4542-vc1
ge-0/0/0.0                             10.10.28.52          port 1          MP-522
ge-1/0/0.0                             10.10.28.53          port 1          MP-522

c. Run the show lacp interfaces command to verify that LACP is running.
root@EX4200-vc2> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-1/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-1/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0                  Current   Slow periodic Collecting distributing
      xe-1/1/0                  Current   Slow periodic Collecting distributing
7. Configure secure access port features.

We recommend configuring these basic security features on most VLANs on access switches. Here we enable them on the Data_Wired_2, VOIP_Wired_2, and Guest_Wired VLANs. You may notice that we do not enable them on the Management VLAN. Management VLANs tend to have statically configured devices, and with these features enabled, DHCP snooping (examine-dhcp) never learns a binding for a host with a static IP address, so dynamic ARP inspection and IP source guard drop that host's traffic until a static entry with its port, IP address, and MAC address is configured. This additional level of security can be configured if required, but it adds overhead whenever the network changes. DHCP server replies are accepted only on trusted interfaces; on EX Series switches trunk ports such as ae0 are trusted by default, so the uplink to the core needs no additional statement.
root@EX4200-vc2# set ethernet-switching-options secure-access-port vlan Data_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
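The following is an added example, not part of this guide and not Juniper code: a small Python model of how the three features just configured interact, so the reason for the Management VLAN exception is visible. examine-dhcp builds a binding table from the DHCP exchange and accepts server replies only from trusted ports; arp-inspection and ip-source-guard then drop ARP and IP traffic whose sender MAC and IP have no binding on that port. The frames, port names and the 10.10.16.0/24 addresses are constructed for the demonstration (the guide does not give the Data_Wired_2 subnet), and the exemption for 0.0.0.0 sources (clients still acquiring a lease) is a simplification of the real switch behaviour.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One DHCP-snooping database entry: this MAC may use this IP on this port."""
    mac: str
    ip: str
    port: str


@dataclass
class SecureVlan:
    """Per-VLAN model of examine-dhcp, arp-inspection and ip-source-guard."""
    name: str
    trusted_ports: set = field(default_factory=set)   # uplinks, e.g. the ae0 trunk
    bindings: dict = field(default_factory=dict)      # (mac, port) -> Binding
    pending: dict = field(default_factory=dict)       # client mac -> port that asked

    # examine-dhcp: watch the DHCP exchange and build the binding database.
    def dhcp_client_request(self, port: str, mac: str) -> str:
        """DISCOVER/REQUEST from a client on an access port."""
        self.pending[mac] = port
        return "forward"

    def dhcp_server_reply(self, port: str, client_mac: str, yiaddr: str) -> str:
        """OFFER/ACK: accepted only from a trusted port; the ACK creates a binding."""
        if port not in self.trusted_ports:
            return f"drop: DHCP server reply on untrusted port {port}"
        client_port = self.pending.get(client_mac)
        if client_port is None:
            return f"drop: reply for {client_mac}, which never sent a request"
        self.bindings[(client_mac, client_port)] = Binding(client_mac, yiaddr, client_port)
        return "forward"

    def add_static_binding(self, port: str, mac: str, ip: str) -> None:
        """What a statically addressed host needs: an operator-maintained entry."""
        self.bindings[(mac, port)] = Binding(mac, ip, port)

    def _bound(self, port: str, mac: str, ip: str) -> bool:
        entry = self.bindings.get((mac, port))
        return entry is not None and entry.ip == ip

    # arp-inspection: the sender MAC/IP of an ARP packet must match a binding.
    def arp(self, port: str, sender_mac: str, sender_ip: str) -> str:
        if port in self.trusted_ports or self._bound(port, sender_mac, sender_ip):
            return "forward"
        return f"drop: ARP {sender_ip}/{sender_mac} has no binding on {port}"

    # ip-source-guard: the source MAC/IP of an IP packet must match a binding.
    def ip_packet(self, port: str, src_mac: str, src_ip: str) -> str:
        if src_ip == "0.0.0.0":          # simplification: client still acquiring a lease
            return "forward"
        if port in self.trusted_ports or self._bound(port, src_mac, src_ip):
            return "forward"
        return f"drop: IP source {src_ip}/{src_mac} has no binding on {port}"


def run_scenarios() -> dict:
    """Constructed traffic on Data_Wired_2; addresses are illustrative only."""
    vlan = SecureVlan("Data_Wired_2", trusted_ports={"ae0"})
    out = {}
    # 1. Legitimate client on ge-0/0/5 obtains a lease through the core uplink.
    vlan.dhcp_client_request("ge-0/0/5", "00:11:22:33:44:55")
    out["lease_via_uplink"] = vlan.dhcp_server_reply("ae0", "00:11:22:33:44:55", "10.10.16.50")
    out["client_arp"] = vlan.arp("ge-0/0/5", "00:11:22:33:44:55", "10.10.16.50")
    # 2. Rogue DHCP server on an access port answering another client.
    vlan.dhcp_client_request("ge-0/0/9", "00:11:22:33:44:66")
    out["rogue_ack"] = vlan.dhcp_server_reply("ge-0/0/6", "00:11:22:33:44:66", "10.10.16.200")
    # 3. Host on ge-0/0/6 claims the legitimate client's IP in ARP (poisoning attempt).
    out["spoofed_arp"] = vlan.arp("ge-0/0/6", "aa:bb:cc:dd:ee:ff", "10.10.16.50")
    # 4. Statically addressed host: dropped until an operator adds a static binding,
    #    which is the overhead the text describes for the Management VLAN.
    out["static_before"] = vlan.ip_packet("ge-0/0/7", "00:aa:bb:cc:dd:01", "10.10.16.10")
    vlan.add_static_binding("ge-0/0/7", "00:aa:bb:cc:dd:01", "10.10.16.10")
    out["static_after"] = vlan.ip_packet("ge-0/0/7", "00:aa:bb:cc:dd:01", "10.10.16.10")
    return out


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:16} {verdict}")
```

Scenario 4 is the point of the Management VLAN exception: the static host is cut off until someone adds and maintains its binding, which is exactly the operational cost the text describes.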

For more information on the VME interface, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.


NOTE: Using the interface-range statement. Junos OS supports a feature called interface-range, which allows you to group several interfaces together so that you can configure the entire group with one statement. This is helpful when you have many similar ports that share most of their configuration. With the access switches in the validated network, each member of the Virtual Chassis is divided up by port type: ports 0-4 are reserved for wireless access points, ports 5-26 for data, and ports 27-47 for voice. Because these ports are typically configured identically, we use the interface-range statement to simplify operations and create three port groups: Access_Points, Wired_Data, and Wired_Voice.

root@EX4200-vc2# set interfaces interface-range Wired_Data member-range ge-0/0/5 to ge-0/0/26
set interfaces interface-range Wired_Data member-range ge-1/0/5 to ge-1/0/26
set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4
8. Set the port mode.

We need to set the port mode to access. Because we have used the interface-range statement, we only need to set the port mode at the interface-range level instead of on every port.
root@EX4200-vc2# set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access
9. Configure port to VLAN.

root@EX4200-vc2# set vlans Data_Wired_2 interface Wired_Data
set vlans Management interface Access_Points
set vlans VOIP_Wired_2 interface Wired_Voice
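An added example (not part of this guide and not Juniper tooling) that turns the port split above into a checked plan: it verifies that the ranges neither overlap nor leave any port unclaimed on a member, then emits the interface-range, port-mode and vlan statements of steps 7 to 9 for every member. The two-member layout and the 48 ports per member are assumptions taken from the ge-0/0/x and ge-1/0/x names on the page; a port no range claims is worth flagging because it keeps whatever the default configuration gave it.

```python
# The plan from the text: the same split on every Virtual Chassis member.
PLAN = {
    # range name:     (first port, last port, VLAN the range joins)
    "Access_Points": (0, 4, "Management"),
    "Wired_Data":    (5, 26, "Data_Wired_2"),
    "Wired_Voice":   (27, 47, "VOIP_Wired_2"),
}
MEMBERS = (0, 1)          # assumed: EX4200-vc2 has two members (ge-0/0/x, ge-1/0/x)
PORTS_PER_MEMBER = 48     # assumed: 48-port members


def check_plan(plan: dict, ports_per_member: int = PORTS_PER_MEMBER) -> list:
    """Return problems: out-of-range ports, overlaps, and ports no range claims."""
    owner, problems = {}, []
    for name, (lo, hi, _vlan) in plan.items():
        if not 0 <= lo <= hi < ports_per_member:
            problems.append(f"{name}: {lo}-{hi} is not within 0-{ports_per_member - 1}")
            continue
        for port in range(lo, hi + 1):
            if port in owner:
                problems.append(f"port {port} is in both {owner[port]} and {name}")
            owner.setdefault(port, name)
    unclaimed = [p for p in range(ports_per_member) if p not in owner]
    if unclaimed:
        # An unclaimed port keeps whatever the default configuration gave it.
        problems.append(f"ports with no range (left at default config): {unclaimed}")
    return problems


def render(plan: dict, members=MEMBERS) -> list:
    """Emit the set statements from the text for every member and range."""
    lines = []
    for name, (lo, hi, vlan) in plan.items():
        for m in members:
            lines.append(f"set interfaces interface-range {name} "
                         f"member-range ge-{m}/0/{lo} to ge-{m}/0/{hi}")
        lines.append(f"set interfaces interface-range {name} unit 0 "
                     f"family ethernet-switching port-mode access")
        lines.append(f"set vlans {vlan} interface {name}")
    return lines


if __name__ == "__main__":
    problems = check_plan(PLAN)
    if problems:
        raise SystemExit("\n".join(problems))
    print("\n".join(render(PLAN)))
```

Run it against a plan that skips or double-books a port and check_plan() refuses to render, which is cheaper than discovering the gap on a live switch.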
10. Configure Layer 3 settings.

Layer 3 configuration for the access switch in the validated network consists of a default route. In this case it points to 10.10.28.1, which is the core switch IP interface on the Management VLAN.
root@EX4200-vc2# set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1

Commit the configuration.

root@EX4200-vc2# commit


CHAPTER 4

Wireless Deployment

Wireless Services Deployment Overview on page 67 Configuring the Primary WLC on page 68 Configuring the Secondary WLC on page 73

Wireless Services Deployment Overview


Figure 16: Wireless LAN Controllers

This section covers the essential steps involved in setting up a wireless network for corporate users using local authentication and wireless guest access. Wireless LAN Controllers (WLCs) are clustered to provide high availability (HA) and dynamic load balancing of access points (APs).

NOTE: Guest access enables guest users to connect to the Internet, and is isolated from the corporate network.


For the setup process, we assume that your WLC is running the factory default configuration.

Configuring the Primary WLC


To configure wireless services on the network:
1. Run Quick Start. The Quick Start configuration script guides you through the initial setup of WLC-1.

NOTE: You can configure more items using the quick start script than this procedure outlines, but manually stepping through the process allows for greater control. You can change configuration settings later if needed.

a. Connect to the console port of the WLC using the settings: 9600, 8, N, 1, None.
b. Press the Enter key a few times until you get a prompt.
c. Log in without providing a username or password.
d. Type enable at the prompt.

Because no password is configured by default, just press the Enter key when prompted for a password.
e. Type quickstart at the prompt.
MXR-2-5BF3A6# quickstart
This will erase any existing config. Continue? [n]: y
Answer the following questions.  Enter '?' for help. ^C to break out
System Name [MXR-2]: WLC-1
Country Code [US]:
System IP address []: 10.10.28.100
System IP address netmask []: 255.255.255.0
Default route []: 10.10.28.1
Do you need to use 802.1Q tagged ports for connectivity on the default VLAN? [n]:
Enable Webview [y]:
Admin username [admin]: admin
Admin password [mandatory]:
Enable password [optional]:
Do you wish to set the time? [y]: y
Enter the date (dd/mm/yy) []: 15/06/11
Is daylight saving time (DST) in effect [n]: y
Enter the time (hh:mm:ss) []: 12:27:00
Enter the timezone []: PST
Enter the offset (without DST) from GMT for PST in hh:mm [0:0]: -08:00
Do you wish to configure wireless? [y]: n
success: created keypair for ssh
success: Type "save config" to save the configuration

NOTE: The script marks the enable password as optional, but it is what protects privileged mode; set one here rather than leaving it empty, otherwise anyone who reaches the user prompt can enter enable mode by pressing Enter, as in step d.

f. Save your configuration.

WLC-1# save config

g. Connect port 8 on WLC-1 to EX4542-vc1 port ge-2/0/1.
2. Configure VLANs and 802.1q trunking.

You need to configure the VLANs and enable them on the trunk port. The WLCs are configured as part of the following VLANs.

NOTE: The WLCs can be configured with a VLAN ID that differs from the actual 802.1q tag. This VLAN ID is internal to the WLC and should not be confused with the 802.1q tag. For example, you could have a VLAN ID of 5 on the WLC that is sent out as 802.1q tag 13, so to the network it is VLAN 13. There are advantages to this in more complex deployments, but that is outside the scope of this document. To make things easier to understand, we configure the internal VLAN ID to match the 802.1q tag that the rest of the network uses.

We need to configure the following VLANs on WLC-1


Management: vlan-id 28
Data_Wireless_1: vlan-id 18
Guest_Wireless: vlan-id 32

a. Create VLANs.

WLC-1# set vlan 28 name Management
set vlan 18 name Data_Wireless_1
set vlan 32 name Guest_Wireless
b. Assign VLANs to ports.

WLC-1# set vlan Management port 8 tag 28
set vlan Data_Wireless_1 port 8 tag 18
set vlan Guest_Wireless port 8 tag 32
c. Assign IP interfaces to VLANs.

When you use the Quick Start script, the system IP address is automatically assigned to VLAN 1. In our case it needs to be on VLAN 28, the Management VLAN, so we first delete the IP address from VLAN 1 and then add it to VLAN 28.

NOTE: This is still the system IP address, which is the source IP address it uses to communicate with the APs and WLCs.

WLC-1# clear interface 1 ip
WLC-1# set interface Management ip 10.10.28.100/24
set interface Data_Wireless_1 ip 10.10.18.100/24
set interface Guest_Wireless ip 10.10.32.100/24


d. Save your configuration.

WLC-1# save config


e. You should now be able to ping the IP address of the EX4542-vc1 on the Management VLAN.
WLC-1# ping 10.10.28.1

NOTE: You may notice that we have configured the IP address 10.10.28.100 twice. We actually first configured this as the system IP address, and then assigned it to a VLAN. The system IP address needs to reside on the Management network because that is the address that will be used to communicate to the access point and with other WLCs.

3. Configure wireless SSIDs.

You need to create two different types of SSIDs:


The SSID for corporate users uses WPA2 encryption and 802.1X authentication.
The SSID for guest users is an open network that relies on a captive portal to authenticate users.

a. Configure the Data_Wireless_1 SSID.

The following commands create the SSID Data_Wireless_1, configure 802.1X (PEAP-MSCHAPv2) authentication for it, and enable WPA2 (RSN) with CCMP encryption of traffic on the SSID.
WLC-1# set service-profile Secure-802.1X ssid-name Data_Wireless_1
set service-profile Secure-802.1X rsn-ie cipher-ccmp enable
set service-profile Secure-802.1X rsn-ie enable
set service-profile Secure-802.1X attr vlan-name Data_Wireless_1
set authentication dot1x ssid Data_Wireless_1 ** peap-mschapv2 local
b. Configure the Guest_Wireless SSID.

The following commands configure the Guest_Wireless SSID and set it up for captive portal authentication.
WLC-1# set service-profile Web-Portal ssid-name Guest_Wireless
set service-profile Web-Portal ssid-type clear
set service-profile Web-Portal auth-fallthru web-portal
set service-profile Web-Portal wpa-ie auth-dot1x disable
set service-profile Web-Portal rsn-ie auth-dot1x disable
set service-profile Web-Portal attr vlan-name Guest_Wireless
set authentication web ssid Guest_Wireless ** local


NOTE: The captive-portal ACL lines referred to here are not listed in this section; they do the following. The first rule permits UDP traffic from everyone to ports 67 and 68 only, which is what DHCP uses. The second rule creates a capture on the controller for all traffic matching the rule; in this case it matches all remaining traffic and forces it to the captive portal for authentication.

4. Configure service profiles.

WLC-1# set radio-profile default service-profile Secure-802.1X
set radio-profile default service-profile Web-Portal
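Added example, not part of this guide and not Juniper WLC software: a Python check that reads set lines like the ones in steps 3 and 4 (for instance from saved show configuration output) and verifies the security properties the text asks for. The corporate SSID must have WPA2 (rsn-ie) with CCMP, no legacy WPA/TKIP, must not be open, must not land on the guest VLAN, and must have a dot1x authentication rule; the guest SSID must be clear with web-portal fall-through, confined to the guest VLAN, and backed by a web authentication rule. Any rule that ends in local is reported as a warning because the guide recommends RADIUS beyond initial bring-up. The embedded configuration is the page's own lines; the keyword matching is a simplification that covers only the statement forms shown on the page.

```python
# Service-profile and authentication lines from the text (WLC-1).
PAGE_CONFIG = """\
set service-profile Secure-802.1X ssid-name Data_Wireless_1
set service-profile Secure-802.1X rsn-ie cipher-ccmp enable
set service-profile Secure-802.1X rsn-ie enable
set service-profile Secure-802.1X attr vlan-name Data_Wireless_1
set authentication dot1x ssid Data_Wireless_1 ** peap-mschapv2 local
set service-profile Web-Portal ssid-name Guest_Wireless
set service-profile Web-Portal ssid-type clear
set service-profile Web-Portal auth-fallthru web-portal
set service-profile Web-Portal wpa-ie auth-dot1x disable
set service-profile Web-Portal rsn-ie auth-dot1x disable
set service-profile Web-Portal attr vlan-name Guest_Wireless
set authentication web ssid Guest_Wireless ** local
"""


def parse(text: str):
    """profiles: name -> set of settings; auth: ssid -> [(method, trailing args)]."""
    profiles, auth = {}, {}
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["set", "service-profile"] and len(words) > 3:
            profiles.setdefault(words[2], set()).add(" ".join(words[3:]))
        elif words[:2] == ["set", "authentication"] and len(words) > 5 and words[3] == "ssid":
            # set authentication <method> ssid <ssid> <user-glob> <args...>
            auth.setdefault(words[4], []).append((words[2], words[6:]))
    return profiles, auth


def setting(profile: set, key: str):
    """Value of a keyword inside a profile, e.g. setting(p, 'ssid-name')."""
    for entry in profile:
        if entry.startswith(key + " "):
            return entry[len(key) + 1:]
    return None


def lint(text: str, corporate_ssid: str, guest_ssid: str, guest_vlan: str) -> list:
    """Return 'error: ...' and 'warn: ...' findings for the two SSID types."""
    profiles, auth = parse(text)
    by_ssid = {setting(p, "ssid-name"): (name, p) for name, p in profiles.items()}
    findings = []

    # Corporate SSID: WPA2 on, CCMP only, no legacy WPA/TKIP, not open, 802.1X rule.
    name, p = by_ssid.get(corporate_ssid, (None, set()))
    if name is None:
        findings.append(f"error: no service profile for {corporate_ssid}")
    else:
        if "rsn-ie enable" not in p:
            findings.append(f"error: {name}: rsn-ie (WPA2) not enabled")
        if "rsn-ie cipher-ccmp enable" not in p:
            findings.append(f"error: {name}: CCMP not enabled")
        if "rsn-ie cipher-tkip enable" in p or "wpa-ie enable" in p:
            findings.append(f"error: {name}: legacy WPA/TKIP enabled")
        if "ssid-type clear" in p:
            findings.append(f"error: {name}: corporate SSID is open")
        if setting(p, "attr vlan-name") == guest_vlan:
            findings.append(f"error: {name}: corporate SSID lands on the guest VLAN")
        if not any(m == "dot1x" for m, _ in auth.get(corporate_ssid, [])):
            findings.append(f"error: {corporate_ssid}: no dot1x authentication rule")

    # Guest SSID: open, captive-portal fall-through, confined to the guest VLAN.
    name, p = by_ssid.get(guest_ssid, (None, set()))
    if name is None:
        findings.append(f"error: no service profile for {guest_ssid}")
    else:
        if "ssid-type clear" not in p:
            findings.append(f"error: {name}: guest SSID should be ssid-type clear")
        if "auth-fallthru web-portal" not in p:
            findings.append(f"error: {name}: no web-portal fall-through")
        if setting(p, "attr vlan-name") != guest_vlan:
            findings.append(f"error: {name}: guest SSID not on {guest_vlan}")
        if not any(m == "web" for m, _ in auth.get(guest_ssid, [])):
            findings.append(f"error: {guest_ssid}: no web authentication rule")

    # Both: the guide recommends local authentication only for bring-up and last resort.
    for ssid, rules in auth.items():
        for method, args in rules:
            if args and args[-1] == "local":
                findings.append(f"warn: {ssid}: {method} authenticates against the local database")
    return findings


if __name__ == "__main__":
    for finding in lint(PAGE_CONFIG, "Data_Wireless_1", "Guest_Wireless", "Guest_Wireless"):
        print(finding)
```

On the page's configuration this reports no errors and two warnings (both rules end in local); deleting the rsn-ie enable line turns the corporate SSID into an error, which is the kind of drift a post-change check should catch.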
5. Add local users for wireless services.

NOTE: We recommend that you only use local authentication to verify initial operation and for last-resort authentication. Use a RADIUS server as the preferred method for user authentication.

a. To create local users, use the command set user <username> password.

NOTE: You are prompted to provide a password.

WLC-1# set user bob password
Enter new password:
Retype new password:
success: change accepted.
WLC-1# set user guest password
Enter new password:
Retype new password:
success: change accepted.
b. Assign users to specific SSIDs.

WLC-1# set user bob attr ssid Data_Wireless_1
set user guest attr ssid Guest_Wireless

NOTE: Because each user is mapped to a specific SSID, different rules apply to them when they log on to the network. For example, the user bob must authenticate via 802.1x to log on to the wireless network. The user guest can log on to the Guest_Wireless network, but has to authenticate against the captive portal to get to the Internet, otherwise they can do nothing.

c. Configure the access points.


You need to use the auto setup to configure the access points. On the console, you can see several messages while the access points are configured and booted.
WLC-1# set ap auto mode enable
d. Save your configuration.

WLC-1# save config


e. After the access points have booted up, you can verify that they are active by issuing the command show ap status.


WLC-1# show ap status
Flags: o = operational[8], c = configure[0], d = download[0], b = boot[0]
       a = auto AP, m = mesh AP, p/P = mesh portal (ena/actv), r = redundant[0]
       z = remote AP in outage, i/I = insecure (control/control+data)
       u = unencrypted, e/E = encrypted (control/control+data)
Radio: E = enabled - 20MHz channel, S = sentry, s = spectral-data
       W/w = enabled - 40MHz wide channel (HTplus/HTminus)
       D = admin disabled, U = mesh uplink
IP Address: * = AP behind NAT

AP    Flag   Uptime   IP Address       Model    MAC Address         Radio 1   Radio 2
----  -----  -------  ---------------  -------  ------------------  --------  --------
9992  oa-i   01m05s   10.10.28.56      MP-522   00:26:3e:e3:e5:80   E 6/18    W 36/10
9993  oa-i   01m06s   10.10.28.54      MP-522   00:26:3e:e5:59:c0   E 6/12    W 44/10
9994  oa-i   01m06s   10.10.28.52      MP-522   00:26:3e:e5:19:00   E 11/12   W 44/10
9995  oa-i   01m06s   10.10.28.57      MP-522   00:26:3e:e3:e5:c0   E 11/12   W 36/10
9996  oa-i   01m07s   10.10.28.53      MP-522   00:26:3e:e5:1e:80   E 11/12   W 44/10
9997  oa-i   01m08s   10.10.28.58      MP-522   00:26:3e:e4:8d:00   E 1/14    W 36/10
9998  oa-i   01m09s   10.10.28.55      MP-522   00:26:3e:e3:e2:40   E 11/12   W 44/10
9999  oa-i   01m10s   10.10.28.59      MP-522   00:26:3e:e5:57:40   E 11/12   W 36/10

NOTE: The i in the Flag column means, according to the legend above, that the control channel between the controller and these auto-configured APs is insecure (not encrypted). Before production use, review the AP security settings so that this flag reads e or E.

6. Set up a cluster.

To enable clustering, you need to create a mobility domain on the primary seed controller and then add the secondary seed to that cluster.
a. Create a mobility domain.

The first line sets up the domain xyzcompany. The second line adds a secondary to the cluster on the primary seed controller. This example uses the IP address 10.10.28.101, which we will configure later.
WLC-1# set mobility-domain mode seed domain-name xyzcompany
set mobility-domain member 10.10.28.101
b. Enable clustering.


When you enable clustering, you receive a warning message that this action will overwrite the configuration of other devices.
WLC-1# set cluster mode enable
This will cause loss of configuration on member devices. Are you sure? (y/n) [n]y
c. Save your configuration.

WLC-1# save config

This will cause the access points to reboot. You will see messages on the console.

Configuring the Secondary WLC


The configuration steps for the secondary WLC are similar to that of the primary WLC. This section covers only those configuration steps that are essential to the secondary WLC. Refer to the previous section if you have any questions while configuring the secondary WLC. To configure wireless services on the secondary WLC:
1. Run Quick Start. The Quick Start configuration script guides you through the initial setup of WLC-2.
a. Connect to the console port of the WLC using the settings: 9600, 8, N, 1, None.
b. Press the Enter key a few times until you get a prompt.
c. Log in without providing a username or password.
d. Type enable at the prompt.

Because no password is configured by default, just press the Enter key when you are prompted for a password.
e. Type quickstart at the prompt.
MXR-2-5BF3A6# quickstart
This will erase any existing config. Continue? [n]: y
Answer the following questions.  Enter '?' for help. ^C to break out
System Name [MXR-2]: WLC-2
Country Code [US]:
System IP address []: 10.10.28.101
System IP address netmask []: 255.255.255.0
Default route []: 10.10.28.1
Do you need to use 802.1Q tagged ports for connectivity on the default VLAN? [n]:
Enable Webview [y]:
Admin username [admin]: admin
Admin password [mandatory]:
Enable password [optional]:
Do you wish to set the time? [y]: y
Enter the date (dd/mm/yy) []: 15/06/11
Is daylight saving time (DST) in effect [n]: y
Enter the time (hh:mm:ss) []: 12:27:00
Enter the timezone []: PST
Enter the offset (without DST) from GMT for PST in hh:mm [0:0]: -08:00
Do you wish to configure wireless? [y]: n
success: created keypair for ssh
success: Type "save config" to save the configuration
f. Save your configuration.

WLC-2# save config

g. Connect port 8 on WLC-2 to EX4542-vc1 port ge-2/0/1.
2. Configure VLANs and 802.1q trunking.

You need to configure the VLANs and enable them on the trunk port. The WLCs are configured as part of the VLANs. We need to configure the following VLANs on WLC-2:

Management: vlan-id 28
Data_Wireless_1: vlan-id 18
Guest_Wireless: vlan-id 32

a. Create VLANs.

WLC-2# set vlan 28 name Management
set vlan 18 name Data_Wireless_1
set vlan 32 name Guest_Wireless
b. Assign VLANs to ports.

WLC-2# set vlan Management port 8 tag 28
set vlan Data_Wireless_1 port 8 tag 18
set vlan Guest_Wireless port 8 tag 32
c. Assign IP interfaces to VLANs.

When you use the Quick Start script, the system IP address is automatically assigned to VLAN 1. In this case it needs to be on VLAN 28, the Management VLAN, so you first delete the IP address from VLAN 1 and then add it to VLAN 28.

NOTE: This is still the system IP address, which is the source IP address it uses to communicate with the APs and WLCs.

WLC-2# clear interface 1 ip
WLC-2# set interface Management ip 10.10.28.101/24
set interface Data_Wireless_1 ip 10.10.18.101/24
set interface Guest_Wireless ip 10.10.32.101/24
d. Save your configuration.

WLC-2# save config


e. You should now be able to ping the IP address of the EX4542-vc1 on the Management VLAN.

WLC-2# ping 10.10.28.1


f. Join a mobility domain. When you enable cluster mode, the system displays a warning that this will overwrite the configuration.
WLC-2# set mobility-domain mode secondary-seed domain-name xyzcompany seed-ip 10.10.28.100
set cluster mode enable

g. Save your configuration.

WLC-2# save config

At this point the secondary WLC automatically copies the remaining configuration from the primary WLC, except for user information. You need to add the users to the secondary WLC so that it can also authenticate users for the access points it manages. You can do this by adding users with the process described in step 3 below.

NOTE: We recommend that you only use local authentication to verify initial operation and for last-resort authentication. Use a RADIUS server as the preferred method for user authentication.

3. Add local users for wireless services.

NOTE: When you add users to the secondary WLC, we recommend that you copy the user information from the configuration file of the primary WLC. This eliminates the possibility of errors that may prevent users from getting access because of mismatching user/password/VLAN information.

If user information is changed later, it must be changed on both devices to keep them in sync.

a. Copy user information from the primary WLC to the secondary WLC.

On the primary WLC, type show configuration. Find the lines associated with the users you have created, in this case bob and guest are the users you had created previously and each one has two lines. You need to copy that information from the primary WLC to the secondary WLC.

NOTE: This example has only one attribute associated with the users, but you may have several in a production environment. Make sure you copy all of the attributes associated with each user.

WLC-1# set user bob password encrypted 06160e325f59060b01
set user bob attr ssid Data_Wireless_1
set user guest password encrypted 12090404011c03162e
set user guest attr ssid Guest_Wireless

b. Paste the information into the secondary WLC.

WLC-2# set user bob password encrypted 06160e325f59060b01
set user bob attr ssid Data_Wireless_1
set user guest password encrypted 12090404011c03162e
set user guest attr ssid Guest_Wireless

NOTE: Because these encrypted password strings are accepted unchanged by a second controller, the configuration file carries the user credentials in a portable form. Treat show configuration output and configuration backups as credential material and restrict who can read them.
c. Save the configuration.

WLC-2# save config

All users should now be able to access the wireless network.


CHAPTER 5

SRX Deployment

Prerequisites on page 77 Configuring the SRX Series Cluster on page 78

Prerequisites
Figure 17: The SRX Series Services Gateway Cluster

Before you begin configuring the SRX Series Services Gateway for the validated network design, ensure the following:

That all of the SRX Series devices to be configured in the cluster are of the same model and comprise the same modules.
That all of the SRX Series devices have the same version of Junos OS installed.

The configuration procedure provided in this section is for the SRX650. Although most of the steps are common across all SRX Series Services Gateways, the ports used to connect the SRX Series devices together to form a cluster may vary across SRX Series models. See the Juniper Networks support site for clustering details on your specific model of SRX Series Services Gateway.

Figure 18: SRX Series Cluster Setup

Figure 18 on page 78 shows the SRX Series cluster setup for the validated network. To keep it simple, each device identifies the fabric and control links as local physical ports, because these are connected before the SRX Series cluster is configured (after the cluster is configured, SRX650-2 sees these ports as ge-9/0/2 and ge-9/0/1). The remaining port identifiers are listed in the clustering context.

Configuring the SRX Series Cluster


To configure the SRX Series Gateway devices for the validated network, you need to first perform the following initial setup procedure for both SRX Series devices that will make up the cluster.


To perform the initial setup for the SRX650 devices:

1. Unpack the SRX650 and connect a console cable to the serial port with the following settings: 9600, 8, 1 and none.

2. To access the SRX650 using the Junos OS CLI:
a. Connect one end of the console cable to the serial port adapter, plug the adapter into a serial port on the PC or laptop, and plug the other end of the cable into the console port on the SRX Series device.
b. Start the terminal emulation program on the PC or laptop, select the COM port, and configure the following port settings: 9600 (bits per second), 8 (data bits), none (parity), 1 (stop bits), and none (flow control).
c. Press the POWER button on the router, and verify that the POWER LED turns green.
d. Log in as root, and press Enter at the Password prompt. (When booting the factory default configuration, you do not need to enter a password.)


e. After you are authenticated, you are in the UNIX shell:

Amnesiac (ttyu0)

login: root
Password:

--- JUNOS 10.0R1.8 built 2009-08-01 09:23:09 UTC
f. At the % prompt, type cli to start the CLI and press Enter. The prompt changes to an angle bracket (>) when you enter CLI operational mode.
root@% cli
root>

g. At the (>) prompt, type configure and press Enter. The prompt changes from > to # when you enter configuration mode.

root> configure
Entering configuration mode
[edit]
root#
h. Create a password for the root user to manage the SRX Series device.

root# set system root authentication plain-text-password (will prompt for password)
i.

Remove some default configuration items from the SRX devices. This is done to make later configuration simpler.

NOTE: Not all of these settings may actually be configured on your device, but we include all these items for completeness.

root# delete interfaces
delete protocols
delete vlans
delete system services dhcp
delete system services web-management http interface
delete system services web-management https interface
delete security zones
delete security policies
delete security nat
j. Use the commit command at the CLI prompt to activate the configuration.
root# commit

Now repeat this process with the other SRX650.


3. Connect the two SRX devices.

NOTE: The following process is for the SRX650. If you use another SRX model, the ports used to connect the two SRXs will be different than the process described below. Please see the Juniper Networks support site for clustering details on your specific model of SRX.

a. On the SRX650, connect ge-0/0/1 on device A to ge-0/0/1 on device B. The ge-0/0/1 interface on device B will change to ge-9/0/1 after clustering happens.

TIP: To connect the devices, it is helpful to know that after we create the cluster, the following interface assignments will occur:

ge-0/0/0 will be used as fxp0 for individual management of each of the devices.
ge-0/0/1 will become fxp1 and be used as the control link between the two devices (this is also documented in KB15356). This is not configurable.

The other interfaces are also renamed on the secondary device. For example, on an SRX650 device, the ge-0/0/0 interface is renamed to ge-9/0/0 on the secondary node (node 1). Refer to the complete mapping for each SRX Series device: Node Interfaces on Active SRX Series Chassis Clusters.

NOTE: The interfaces used for the control link, in this example ge-0/0/1, must be connected with a cable. A switch cannot be used for the control link connection. Also, you will need to decide on a third link to connect the devices, which will be used for the fabric link between the devices. In this case we will use ge-0/0/2, but you could use any other open port either onboard or on a gPIM.


b. Now connect ge-0/0/2 on SRX650-1 to ge-0/0/2 on SRX650-2.
4. Enable clustering on the SRX devices.
a. Set the devices in cluster mode with the following command and reboot the devices.

NOTE: This is an operational mode command.

root> set chassis cluster cluster-id <0-15> node <0-1> reboot

For example:
root> set chassis cluster cluster-id 1 node 0 reboot
root> set chassis cluster cluster-id 1 node 1 reboot

The cluster ID is the same on both devices, but the node ID must be different: node 0 on one device and node 1 on the other. Issue this command on both devices at the same time so that they boot up together. The range for the cluster ID is 0-15; setting it to 0 effectively disables cluster mode. The cluster ID is also used to derive the virtual MAC addresses of the reth interfaces, so two clusters that share a Layer 2 segment must not use the same cluster ID. After rebooting, the ge-0/0/0 and ge-0/0/1 interfaces become fxp0 and fxp1, respectively.
b. Check both SRX Series devices to ensure that the cluster is active and that the primary and secondary devices are both active.

NOTE: It may take a minute or two for the status to complete after booting, so you may need to enter this command more than once. The prompt on each SRX Series device displays the status and node information for the respective device.

{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node                  Priority  Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                  1    primary   no       no
    node1                  1    secondary no       no

{secondary:node1}
root> show chassis cluster status
Cluster ID: 1
Node                  Priority  Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 0
    node0                  1    primary   no       no
    node1                  1    secondary no       no


When the primary and secondary status is confirmed, move to the next step. If you encounter any problems during this step, the following KB articles may be of use in diagnosing clustering problems. KB15503, KB20672 and KB20641.
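Added example, not from this guide and not Juniper code: two small Python helpers for this step. node1_name() applies the slot offset stated above (ge-x/0/y on node 0 becomes ge-(x+9)/0/y on node 1 on the SRX650), so that cable plans and the interface-monitor statements in step 5 can be written before the reboot; parse_cluster_status() reads show chassis cluster status output and cluster_problems() flags any redundancy group that does not show exactly one primary and one secondary. The two status outputs are constructed: HEALTHY mirrors the RG0 output shown above, and BROKEN shows node1 in the lost state, which Junos reports when the other node is unreachable. The offset table holds only the SRX650 value from the page; other models use other offsets.

```python
import re

# Node-1 slot offset from the text: ge-0/0/x on node 0 is ge-9/0/x on node 1 (SRX650).
NODE1_FPC_OFFSET = {"srx650": 9}


def node1_name(ifname: str, model: str = "srx650") -> str:
    """Map a node-0 physical interface name to its node-1 name."""
    m = re.fullmatch(r"([a-z]+)-(\d+)/(\d+)/(\d+)", ifname)
    if not m:
        raise ValueError(f"not a physical interface name: {ifname}")
    kind, fpc, pic, port = m.groups()
    return f"{kind}-{int(fpc) + NODE1_FPC_OFFSET[model]}/{pic}/{port}"


def parse_cluster_status(text: str) -> dict:
    """{redundancy group: {node: (priority, status)}} from show chassis cluster status."""
    groups, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Redundancy group:\s*(\d+)", line)
        if m:
            current = int(m.group(1))
            groups[current] = {}
            continue
        m = re.match(r"\s*(node[01])\s+(\d+)\s+(\S+)", line)
        if m and current is not None:
            groups[current][m.group(1)] = (int(m.group(2)), m.group(3))
    return groups


def cluster_problems(groups: dict) -> list:
    """Each RG needs both nodes, with exactly one primary and one secondary."""
    if not groups:
        return ["no redundancy groups parsed"]
    problems = []
    for rg, nodes in sorted(groups.items()):
        statuses = sorted(status for _prio, status in nodes.values())
        if set(nodes) != {"node0", "node1"} or statuses != ["primary", "secondary"]:
            problems.append(f"RG{rg}: {nodes}")
    return problems


# Constructed sample outputs (not captured from a device).
HEALTHY = """\
Cluster ID: 1
Node                  Priority  Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                  1    primary   no       no
    node1                  1    secondary no       no
"""
BROKEN = """\
Cluster ID: 1
Node                  Priority  Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                  1    primary   no       no
    node1                  0    lost      no       no
"""

if __name__ == "__main__":
    for name in ("ge-0/0/0", "ge-0/0/2", "ge-2/0/0"):
        print(f"{name} on node0 -> {node1_name(name)} on node1")
    print("healthy:", cluster_problems(parse_cluster_status(HEALTHY)) or "ok")
    print("broken: ", cluster_problems(parse_cluster_status(BROKEN)))
```

The ge-2/0/0 to ge-11/0/0 mapping the helper produces is the pair used in the interface-monitor and reth statements of step 5, so it can be used to cross-check those lines before committing them.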
5. Configure the SRX Series cluster.

NOTE: The following steps are all performed on the primary SRX Series device. The configuration is automatically copied over to the secondary SRX Series device when a configuration is committed.

We use the Junos OS group configuration feature for this operation. For more information on the group configuration feature, see the Day One book, Configuring Junos Basics, at www.juniper.net/us/en/community/junos/training-certification/day-one.

Configuring device-specific properties using the groups statement

Set up device-specific settings such as hostnames and management IP addresses. These are specific to each device and are the only part of the configuration that is unique to a node. Enter the following commands (all on the primary node):

a. On device srx650-1, enter configuration mode and define the node-specific groups:

root> configure
root# set groups node0 system host-name srx650-1
set groups node0 interfaces fxp0 unit 0 family inet address 10.94.188.103/24
set groups node1 system host-name srx650-2
set groups node1 interfaces fxp0 unit 0 family inet address 10.94.188.104/24

NOTE: The apply-groups statement is set so that the node-specific configuration defined by the commands above applies only to the node it is named for.

root@srx650-1# set apply-groups [ node0 node1 ]


b. Commit the configuration

root@srx650-1# commit

You should see the configuration applied to node0 and node1 when you issue a commit.
{primary:node0}[edit]
root# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete
c. Configure the fabric link.


Create the fab links (the data plane links used for RTO sync and similar). Any interface-specific configuration on the member ports must be removed first; in this case ge-0/0/2 had an address assigned by default, which the delete interfaces command in the initial setup removed.
root@srx650-1# set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2
d. Configuring redundancy groups

Set up the Redundancy Group 0 for the Routing Engine failover properties. Also setup Redundancy Group 1 (all the interfaces will be in one Redundancy Group in this example) to define the failover properties for the Reth interfaces.

NOTE: If you want to use multiple redundancy groups for the interfaces, refer to the Security Configuration Guide.

root@srx650-1# set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
e. Configuring interface monitoring

Set up the Interface monitoring. Monitoring the health of the interfaces is one way to trigger Redundancy group failover.

NOTE: Interface monitoring is not recommended for redundancy-group 0.

root@srx650-1# set chassis cluster redundancy-group 1 interface-monitor ge-2/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-11/0/0 weight 255
f.

Set up the reth interface. Set up the redundant Ethernet interface (reth interface) and assign it to redundancy group 1; its logical units are placed in security zones in step 6. Make sure that you set up your redundant interfaces as follows:
{primary:node0}
root@srx650-1# set chassis cluster reth-count 1
set interfaces ge-2/0/0 gigether-options redundant-parent reth0
set interfaces ge-11/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1

g. Configure VLANs and IP interfaces on the reth interface

root@srx650-1# set interfaces reth0 vlan-tagging
set interfaces reth0 unit 0 description "Unit 0 must be given a VLAN tag so using a dummy tag to align units to tags"
set interfaces reth0 unit 0 vlan-id 1
set interfaces reth0 unit 22 description "Internet Edge"
set interfaces reth0 unit 22 vlan-id 22
set interfaces reth0 unit 22 family inet address 10.10.22.254/24
set interfaces reth0 unit 28 description Management
set interfaces reth0 unit 28 vlan-id 28
set interfaces reth0 unit 28 family inet address 10.10.28.254/24
set interfaces reth0 unit 30 description "Guest Wired"
set interfaces reth0 unit 30 vlan-id 30
set interfaces reth0 unit 30 family inet address 10.10.30.254/24
set interfaces reth0 unit 32 description "Guest Wireless"
set interfaces reth0 unit 32 vlan-id 32
set interfaces reth0 unit 32 family inet address 10.10.32.254/24

Commit the configuration to activate it.


h. Configure the Internet connections

root@srx650-1# set interfaces ge-2/0/1 description "primary internet connection"
set interfaces ge-2/0/1 unit 0 family inet address 10.94.191.233/24
set interfaces ge-11/0/2 description "Backup Internet Connection"
set interfaces ge-11/0/2 unit 0 family inet address 10.94.194.56/24

i. Commit the configuration. The configuration is copied to the secondary node, srx650-2.
root@srx650-1# commit

NOTE: Even though we have configured interfaces, we will not have reachability because no security policies are in place yet.

6. Configuring Security Zones

The SRX Series Services Gateways use a zone-based model for security. The most basic configurations typically have just two zones: Trust (the inside) and Untrust (the outside). In our case we have four: Untrust, Guest, Management, and Internet_Edge.
a. Configure the Untrust security zone.

The Untrust zone is where the SRX Series devices connect to the Internet. This is considered the least trusted zone. We have configured our internet-facing ports in this zone.
root@srx650-1# set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-11/0/2.0
set security zones security-zone untrust interfaces ge-2/0/1.0
b. Configure the Guest security zone.

root@srx650-1# set security zones security-zone Guest address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Guest address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Guest host-inbound-traffic system-services ping
set security zones security-zone Guest host-inbound-traffic system-services traceroute
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services dhcp
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services bootp
set security zones security-zone Guest interfaces reth0.32 host-inbound-traffic system-services dhcp
set security zones security-zone Guest interfaces reth0.32 host-inbound-traffic system-services bootp
c. Configure the Management security zone.

root@srx650-1# set security zones security-zone Management host-inbound-traffic system-services ssh
set security zones security-zone Management host-inbound-traffic system-services http
set security zones security-zone Management host-inbound-traffic system-services https
set security zones security-zone Management host-inbound-traffic system-services ping
set security zones security-zone Management host-inbound-traffic system-services snmp
set security zones security-zone Management host-inbound-traffic system-services traceroute
set security zones security-zone Management interfaces reth0.28
d. Configure the Internet Edge security zone.

The majority of the networks are contained in the Internet_Edge zone. We use the address-book feature to map the networks in this zone to user-friendly names for easier management; policies that refer to these names are easier to read than policies that use bare subnets. We also need to allow OSPF in this zone, because we exchange routing information with the EX Series switch in this zone.
root@srx650-1# set security zones security-zone Internet_Edge address-book address Data_Wired_1 10.10.10.0/24
set security zones security-zone Internet_Edge address-book address Data_Wired_2 10.10.12.0/24
set security zones security-zone Internet_Edge address-book address VOIP_Wired_1 10.10.14.0/24
set security zones security-zone Internet_Edge address-book address VOIP_Wired_2 10.10.16.0/24
set security zones security-zone Internet_Edge address-book address Data_Wireless_1 10.10.18.0/24
set security zones security-zone Internet_Edge address-book address Servers 10.10.24.0/24
set security zones security-zone Internet_Edge address-book address Access_Points 10.10.26.0/24
set security zones security-zone Internet_Edge address-book address Management 10.10.28.0/24
set security zones security-zone Internet_Edge address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Internet_Edge address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Internet_Edge host-inbound-traffic system-services ping
set security zones security-zone Internet_Edge host-inbound-traffic system-services traceroute
set security zones security-zone Internet_Edge host-inbound-traffic protocols ospf
set security zones security-zone Internet_Edge interfaces reth0.22
7. Configuring Security Policies

a. Configure Guest user policy.

root@srx650-1# set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wireless
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wired
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match destination-address any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match application any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet then permit
b. Configure Internet Edge security policy.

root@srx650-1# set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wired_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wired_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wireless_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Servers
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address VOIP_Wired_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address VOIP_Wired_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match destination-address any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match application any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet then permit
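Zone and policy statements of the kind shown in steps 6 and 7 are easy to get subtly wrong: a policy can reference an address-book name that was defined in a different zone, a zone can be left with no interface, and a permit rule with application any lets every protocol out. The following added example (not part of the guide or of Junos) parses set-style statements into a zone and policy model and reports those review points. The sample configuration is constructed from a subset of the statements above; the Management policy mgmt-out and the address name Mgmt_Hosts are hypothetical and were added so that the audit has an unresolved reference to report.

```python
"""Audit SRX zone and policy 'set' statements (added example, not from the guide)."""
from collections import defaultdict

# Constructed sample: a subset of the zone and policy statements from steps 6 and 7,
# plus a hypothetical Management policy (mgmt-out, Mgmt_Hosts) whose source address
# is never defined in the Management zone's address book.
SAMPLE_CONFIG = """
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-2/0/1.0
set security zones security-zone Guest address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Guest address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services dhcp
set security zones security-zone Management interfaces reth0.28
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wireless
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wired
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match destination-address any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match application any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet then permit
set security policies from-zone Management to-zone untrust policy mgmt-out match source-address Mgmt_Hosts
set security policies from-zone Management to-zone untrust policy mgmt-out match destination-address any
set security policies from-zone Management to-zone untrust policy mgmt-out match application junos-https
set security policies from-zone Management to-zone untrust policy mgmt-out then permit
"""


def parse_config(text):
    """Return (zones, policies) built from set-style statements.

    zones:    name -> {"addresses": {name: prefix}, "interfaces": {ifname, ...}}
    policies: (from_zone, to_zone, policy) -> match sets plus the "action" keyword
    """
    zones = defaultdict(lambda: {"addresses": {}, "interfaces": set()})
    policies = defaultdict(lambda: {"source-address": set(), "destination-address": set(),
                                    "application": set(), "action": None})
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:4] == ["set", "security", "zones", "security-zone"]:
            zone = zones[tok[4]]
            if tok[5:7] == ["address-book", "address"]:
                zone["addresses"][tok[7]] = tok[8]
            elif tok[5] == "interfaces":
                zone["interfaces"].add(tok[6])
        elif tok[:3] == ["set", "security", "policies"]:
            # set security policies from-zone A to-zone B policy NAME match|then ...
            pol = policies[(tok[4], tok[6], tok[8])]
            if tok[9] == "match":
                pol.setdefault(tok[10], set()).add(tok[11])
            elif tok[9] == "then":
                pol["action"] = tok[10]
    return dict(zones), dict(policies)


def audit(zones, policies):
    """Return a sorted list of findings a reviewer would raise on this policy set."""
    findings = []
    for name, zone in zones.items():
        if not zone["interfaces"]:
            findings.append(f"zone {name}: no interfaces bound")
    for (src, dst, name), pol in policies.items():
        book = zones.get(src, {}).get("addresses", {})
        for addr in pol["source-address"]:
            # address names are resolved in the from-zone's own address book
            if addr != "any" and addr not in book:
                findings.append(f"policy {name}: source-address {addr} not in {src} address book")
        if pol["action"] == "permit" and "any" in pol["application"]:
            findings.append(f"policy {name}: permits any application from {src} to {dst}")
    return sorted(findings)


if __name__ == "__main__":
    z, p = parse_config(SAMPLE_CONFIG)
    for finding in audit(z, p):
        print(finding)
```

Run against the sample, the audit reports the dangling Mgmt_Hosts reference and flags allow-guest-to-internet for permitting any application; destination-address any is not flagged, because an Internet-bound policy toward untrust legitimately matches any destination.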
8. Configuring routing and OSPF

a. Configure routes.

root@srx650-1# set routing-options static route 0.0.0.0/0 qualified-next-hop 10.94.194.254 preference 20
set routing-options static route 0.0.0.0/0 qualified-next-hop 10.94.191.254 preference 10
b. Configure OSPF.

root@srx650-1# set protocols ospf area 0.0.0.0 interface reth0.22


c. Commit the configuration.

root@srx650-1# commit
d. You can see the internal networks advertised by OSPF by using the show route command.

{primary:node0}
root@srx650-1> show route

inet.0: 27 destinations, 29 routes (27 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/10] 00:05:35
                    > to 10.94.191.254 via ge-2/0/1.0
                    [Static/20] 00:05:35
                    > to 10.94.194.254 via ge-11/0/2.0
10.0.0.4/32        *[OSPF/10] 00:05:20, metric 1
                    > to 10.10.22.1 via reth0.22
10.10.10.0/24      *[OSPF/10] 00:05:20, metric 2
                    > to 10.10.22.1 via reth0.22
10.10.12.0/24      *[OSPF/10] 00:05:20, metric 2
                    > to 10.10.22.1 via reth0.22
10.10.14.0/24      *[OSPF/10] 00:05:20, metric 2
                    > to 10.10.22.1 via reth0.22
10.10.16.0/24      *[OSPF/10] 00:05:20, metric 2
                    > to 10.10.22.1 via reth0.22
10.10.18.0/24      *[OSPF/10] 00:05:20, metric 2
                    > to 10.10.22.1 via reth0.22
10.10.20.0/24      *[OSPF/10] 00:05:20, metric 2
                    > to 10.10.22.1 via reth0.22
10.10.22.0/24      *[Direct/0] 00:27:10

9. Verifying internal reachability.

After configuring the zones and policies you can reach your internal interfaces and external gateways. Use the ping command to verify basic reachability.
10. Configuring NAT

a. Configure the Guest NAT policy.

root@srx650-1# set security nat source rule-set Guest-to-untrust from zone Guest
set security nat source rule-set Guest-to-untrust to zone untrust
set security nat source rule-set Guest-to-untrust rule Guest-source-nat match source-address 0.0.0.0/0
set security nat source rule-set Guest-to-untrust rule Guest-source-nat then source-nat interface
b. Configure the Internet Edge NAT policy.

root@srx650-1# set security nat source rule-set Internet_Edge-to-untrust from zone Internet_Edge
set security nat source rule-set Internet_Edge-to-untrust to zone untrust
set security nat source rule-set Internet_Edge-to-untrust rule Internet_Edge-source-nat match source-address 0.0.0.0/0
set security nat source rule-set Internet_Edge-to-untrust rule Internet_Edge-source-nat then source-nat interface
11. Configuring DHCP services for guest VLANs

To configure DHCP services for guest VLANs:


root@srx650-1# set system services dhcp pool 10.10.30.0/24 address-range low 10.10.30.11
set system services dhcp pool 10.10.30.0/24 address-range high 10.10.30.250
set system services dhcp pool 10.10.30.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.30.0/24 name-server 208.67.220.220
set system services dhcp pool 10.10.30.0/24 name-server 208.67.222.222
set system services dhcp pool 10.10.30.0/24 router 10.10.30.254
set system services dhcp pool 10.10.32.0/24 address-range low 10.10.32.11
set system services dhcp pool 10.10.32.0/24 address-range high 10.10.32.250
set system services dhcp pool 10.10.32.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.32.0/24 name-server 208.67.220.220
set system services dhcp pool 10.10.32.0/24 name-server 208.67.222.222
set system services dhcp pool 10.10.32.0/24 router 10.10.32.254

Commit the configuration.


12. Verifying NAT.

Your internal user networks can now reach the Internet, and traffic leaving the network for the Internet is NATed. To view the network sessions and verify that NAT is taking place, issue the command show security flow session nat (to see all flows, remove the keyword nat). The following example shows NAT performed for one session: source address 10.10.10.52 is translated to the external address 10.94.191.233, and the destination address is 173.194.79.104.
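Reading the In and Out wings of that session output by eye works for one session but not for hundreds. The following added example (not part of the guide or of Junos) parses the text of show security flow session nat and checks, for each session, that the reverse (Out) wing is addressed to the egress interface address rather than to the inside host, which is what interface source NAT should produce. The sample output is constructed to mirror the single session shown in this step; the function names are the example's own.

```python
"""Parse 'show security flow session nat' output and confirm source NAT took effect
(added example, not from the guide)."""
import re

# Constructed sample mirroring the single session shown in step 12 of the guide.
SAMPLE_OUTPUT = """\
node0:
--------------------------------------------------------------------------
Session ID: 15945, Policy name: allow-Internet_Edge-to-internet/5, State: Active, Timeout: 1798, Valid
  In: 10.10.10.52/3296 --> 173.194.79.104/80;tcp, If: reth0.22, Pkts: 0, Bytes: 0
  Out: 173.194.79.104/80 --> 10.94.191.233/60064;tcp, If: ge-2/0/1.0, Pkts: 36, Bytes: 37380
Total sessions: 1
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), State: (\w+)")
WING_RE = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: ([^,]+),")


def parse_sessions(text):
    """Return a list of sessions, each carrying its 'in' and 'out' wings."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            cur = {"id": int(m.group(1)), "policy": m.group(2), "state": m.group(3)}
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            cur[m.group(1).lower()] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "iface": m.group(7),
            }
    return sessions


def is_source_natted(session, egress_addr):
    """True when the Out wing returns to the egress interface address and not to the
    inside host, i.e. interface source NAT was applied to this session."""
    if "in" not in session or "out" not in session:
        return False
    inside_src = session["in"]["src"]
    reverse_dst = session["out"]["dst"]
    return reverse_dst == egress_addr and reverse_dst != inside_src


def untranslated_sessions(text, egress_addr):
    """IDs of sessions whose reverse wing still targets an inside address."""
    return [s["id"] for s in parse_sessions(text) if not is_source_natted(s, egress_addr)]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(s["id"], s["policy"], "source NAT ok" if is_source_natted(s, "10.94.191.233") else "NOT translated")
```

Pass the address of the interface the session leaves on (10.94.191.233 for ge-2/0/1 in this design); a session that fails the check is one where the inside address would be visible on the Internet-facing link, which is the condition the NAT rule-sets in step 10 exist to prevent.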
root@srx650-1> show security flow session nat
node0:
--------------------------------------------------------------------------
Session ID: 15945, Policy name: allow-Internet_Edge-to-internet/5, State: Active, Timeout: 1798, Valid
  In: 10.10.10.52/3296 --> 173.194.79.104/80;tcp, If: reth0.22, Pkts: 0, Bytes: 0
  Out: 173.194.79.104/80 --> 10.94.191.233/60064;tcp, If: ge-2/0/1.0, Pkts: 36, Bytes: 37380
Total sessions: 1

13. Configuring General Settings.

Set the date and time in the format: YYYYMMDDhhmm.ss


root@srx650-1> set date 201201220830.00

Enter configuration mode and configure the time zone.


root@srx650-1# set system time-zone America/Los_Angeles

Configure DNS.
root@srx650-1# set system name-server 10.10.24.100
set system domain-name xyzcompany.com

Configure management access.


root@srx650-1# set system services web-management https system-generated-certificate
set system services ssh
delete system services telnet
delete system services web-management http

Configure LLDP.
root@srx650-1# set protocols lldp interface ge-2/0/0.0
set protocols lldp interface ge-11/0/0.0

Commit the configuration.


root@srx650-1# commit

Figure 19: Deployment Complete


PART 3

Appendix

Next Steps on page 93
Virtual Chassis on page 95
Configuring DHCP on EX Series Ethernet Switches on page 103
Configurations Used in This Guide on page 105
Bill of Materials on page 161


APPENDIX A

Next Steps

Next Steps on page 93

Next Steps
The base network infrastructure is now in place and ready for site-specific customization. Some of the common items you will likely want to configure are listed below. We have also identified some additional reading materials that may be helpful.

Set up a RADIUS server and configure the wireless LAN controllers to use RADIUS authentication of wireless users. (See the Juniper Networks Mobility System Software Configuration Guide.)
Configure NTP for all devices to keep network devices in sync.
Configure QoS.
Configure additional security policies.

Additional documentation and support:


Juniper Networks support website: www.juniper.net/support.

Product manuals


Juniper Networks Mobility System Software Configuration Guide.
Complete Software Guide for Junos OS for EX Series Ethernet Switches: Release 11.4.
Junos OS for SRX Series: Release 11.4.

Day One Books


Configuring EX Series Ethernet Switches.
Deploying Basic QoS.
Deploying SRX Series Services Gateways.

APPENDIX B

Virtual Chassis

Virtual Chassis Advantage on page 95
Types of Virtual Chassis on page 95
Pre-Provisioning the Virtual Chassis on page 98
Virtual Chassis Base Configuration on page 101
Layer 3 Configuration on page 101

Virtual Chassis Advantage


Using the Virtual Chassis flexible scaling solution, you can connect two or more individual switches together to form one unit and manage the unit as a single chassis. Virtual Chassis is supported on the Juniper Networks EX3300, EX4200, EX4500, and EX8200 Series Ethernet Switches. In this guide, however, we discuss only the EX4500 and EX4200 switches. You can interconnect EX4200 and EX4500 Series switches in a Virtual Chassis using the dedicated Virtual Chassis ports (VCPs) on the rear panel of the EX4200 switches, and the dedicated VCPs on the Virtual Chassis modules in the EX4500 switches. You can easily expand the Virtual Chassis configuration to include more member switches. Simply add member switches to an EX4200 or EX4500 Virtual Chassis by cabling together the dedicated VCPs. You can also expand a Virtual Chassis configuration beyond a single wiring closet. Interconnect switches located in multiple wiring closets or in multiple data center racks by installing SFP, SFP+, or XFP uplink modules and connecting the uplink module ports on EX4200 member switches or by connecting the 10-Gigabit Ethernet SFP+ network interfaces on the EX4500 member switches.

Types of Virtual Chassis


We assume that you are configuring two or more EX Series switches as a single Virtual Chassis. If you are configuring a standalone EX Series switch, you can perform the basic setup as listed in the Quick Start guide that comes with the switch. After setup, go to the section Global Setup for EX Series Switches.

Dedicated Mode on page 96
Extended Mode on page 96
Mixed Mode on page 96

Dedicated Mode
Dedicated mode is the most common method of connecting adjacent EX4500 or EX4200 Series switches into a single Virtual Chassis. As mentioned earlier, dedicated mode interconnects the switches using the special Virtual Chassis ports (VCPs) at the back of the switch. There are two commonly used cabling methods when connecting EX Series switches together: daisy chain and braided ring.

NOTE: Although Juniper Networks recommends using one of these two switch topologies, other topologies are supported, but that is beyond the scope of this document.

Extended Mode
The Extended Virtual Chassis method enables switches to be part of a single Virtual Chassis even when the switches are far apart. You can use the optional uplink modules on the EX4200 switch to connect multiple switches, using 1-Gigabit Ethernet and 10-Gigabit Ethernet links, to provide great flexibility in how a network is configured. For example, you could have multiple wiring closets on a single floor managed as a single device. This simplifies many operational tasks, because this reduces the number of individual devices that must be managed.

Mixed Mode
The mixed mode Virtual Chassis enables you to interconnect more than one type of switch to act as a single Virtual Chassis. Currently only supported between the EX4500 and EX4200 Series switches, this provides the ability to have high-density 10-Gigabit Ethernet and 1-Gigabit Ethernet in the same Virtual Chassis. This topic provides configuration examples for each of these Virtual Chassis types.


NOTE: The Juniper Networks EX3300 Series switch and Juniper Networks EX8200 series switches also support the Virtual Chassis flexible scaling solution, but this information lies outside the scope of this document.
Other Virtual Chassis notes:

When you have a two-member Virtual Chassis, we recommend that you disable split detection.
When you have three or more members in a Virtual Chassis, we recommend that you do not place uplinks on the master Routing Engine.


Pre-Provisioning the Virtual Chassis


When you create a Virtual Chassis configuration with multiple members, you might want to deterministically control the role and member ID assigned to each member switch. You can do this by creating a pre-provisioned configuration. You can add switches to a pre-provisioned configuration by using the autoprovisioning feature to automatically configure the uplink ports as VCPs on the switches being added. Although it is not mandatory to pre-provision each Virtual Chassis, we recommend it, and this is the process we use in this guide.

NOTE: If you do not pre-provision the Virtual Chassis, the members are numbered in the order in which they come up. For example, with five switches in a Virtual Chassis, if you power on the middle switch (say #3) first, it becomes slot 0; if you then power on the top switch, it becomes slot 1; and if you power on the remaining switches at about the same time, the rest of the slots are filled in arbitrary order, so you may end up with chassis numbering like this:
Slot1
Slot4
Slot0
Slot3
Slot2

This is quite confusing, but completely operational. You can re-assign slots later to make a more logical chassis, but it is easier to avoid this in the first place. If you do end up doing something like this or are just curious, see the instructions in Virtual Chassis on page 95.

Prerequisites: The switches need to be set at factory defaults to follow this process.
To pre-provision the Virtual Chassis:
1. Understand what type of Virtual Chassis you will be setting up: Dedicated, Extended, or Mixed. If you are unsure, see Dedicated Mode on page 96.

2. Unpack and power up the switch you intend to be Slot 0.

Go through the initial setup process for the switch as described in Virtual Chassis on page 95.
3. Identify the serial numbers of the other switches that will be part of this Virtual Chassis.

Then decide what their function will be: either Routing Engine or line card. You can have only two switches configured as Routing Engines, and one of them will be slot 0 (the first device we booted up). You can change the roles of devices later if required. The following is a sample set of configuration statements for a four-member Virtual Chassis, specifying each member's role and slot by serial number.
root@EX4542-vc1# set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number GX0211411253
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number GX0211411250
set virtual-chassis member 2 role line-card
set virtual-chassis member 2 serial-number FP0211333181
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333260
4. Determine if you need to disable split detection.

If your Virtual Chassis has only two members, go to step 5, Disable split detection. If your Virtual Chassis has more than two members, go to Step 6, Step 7, and Step 8, as appropriate for the type of Virtual Chassis you want to set up (dedicated mode, extended mode, or mixed mode).

5. Disable split detection.

root@EX4542-vc1# set virtual-chassis no-split-detection

NOTE: Virtual Chassis split detection. Split detection is designed to avoid a possible dual-active or split-brain condition, in which the chassis loses multiple Virtual Chassis connections and becomes partitioned into two separate Virtual Chassis. The default behavior is for the primary Routing Engine to disable itself and the backup Routing Engine (RE) to promote itself to master. In a two-switch Virtual Chassis, however, this is not desirable: for example, if the backup RE is powered off, the master RE will stop forwarding traffic. Therefore we recommend disabling this feature in a two-switch configuration. For more information, read about Virtual Chassis in the Junos OS documentation for Juniper Networks EX Series Ethernet Switches. The command in step 5 disables split detection.

6. Set up a dedicated mode Virtual Chassis.

If you have a dedicated Virtual Chassis (that is, all members are of the same type, say all EX4200 or all EX4500 switches), no additional commands are necessary.

a. Cable up the remaining members using the VCP ports on the back of the units and power them up.


b. Verify that all members are active by running the show virtual-chassis command.

root@EX4542-vc1> show virtual-chassis

Preprovisioned Virtual Chassis
Virtual Chassis ID: 762b.b071.4181
Virtual Chassis Mode: Mixed
                                              Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model         prio  Role      Mode ID  Interface
0 (FPC 0)  Prsnt    GX0211411253 ex4500-40f    129   Master*   Y     3  vcp-1
                                                                     1  vcp-0
1 (FPC 1)  Prsnt    GX0211411250 ex4500-40f    129   Backup    Y     0  vcp-1
                                                                     2  vcp-0
2 (FPC 2)  Prsnt    FP0211333181 ex4200-48px     0   Linecard  Y     1  vcp-0
                                                                     3  vcp-1
3 (FPC 3)  Prsnt    FP0211333260 ex4200-48px     0   Linecard  Y     2  vcp-0
                                                                     0  vcp-1

c. Proceed to Virtual Chassis Base Configuration on page 101.

7. Set up an extended mode Virtual Chassis.

Some Virtual Chassis members are connected together using 1-Gigabit Ethernet or 10-Gigabit Ethernet ports configured as Virtual Chassis extended (VCe) ports.

NOTE: 10-Gigabit Ethernet uplink ports must be configured as VCe ports.

The following is an operational mode command that will not appear in the configuration. Once this is set, the option to configure these ports in configuration mode will not appear.
request virtual-chassis vc-port set pic-slot <pic-slot> port <port> member <member-id>
8. Set up a mixed mode Virtual Chassis.

(EX4500 and EX4200 combined chassis)


a. When setting up a combined EX4500 and EX4200 chassis, the chassis must be specifically configured to support mixed mode operation. If it is not, the members will not all become active. The command to change modes is an operational command and therefore does not show up in the configuration.
request virtual-chassis mode mixed

b. To verify that the chassis is indeed in mixed mode, issue the operational command show virtual-chassis and look for the line Virtual Chassis Mode:
root@EX4542-vc1> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: 762b.b071.4181
Virtual Chassis Mode: Mixed
c. You can now cable up the remaining members using the VCP ports on the back of the units and power them up. Verify that all of the members are active by running the show virtual-chassis command.
root@EX4542-vc1> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: 762b.b071.4181
Virtual Chassis Mode: Mixed
                                              Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model         prio  Role      Mode ID  Interface
0 (FPC 0)  Prsnt    GX0211411253 ex4500-40f    129   Master*   Y     3  vcp-1
                                                                     1  vcp-0
1 (FPC 1)  Prsnt    GX0211411250 ex4500-40f    129   Backup    Y     0  vcp-1
                                                                     2  vcp-0
2 (FPC 2)  Prsnt    FP0211333181 ex4200-48px     0   Linecard  Y     1  vcp-0
                                                                     3  vcp-1
3 (FPC 3)  Prsnt    FP0211333260 ex4200-48px     0   Linecard  Y     2  vcp-0
                                                                     0  vcp-1
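Steps 6b and 8c both ask you to confirm from show virtual-chassis that every member is active. When the chassis is pre-provisioned, there is more to check than the Status column: each slot should carry the serial number it was pre-provisioned with, the observed role should agree with the provisioned one, and every VCP link should be reported from both ends. The following added example (not part of the guide or of Junos) parses the pre-provisioned statements from step 3 and the mixed-mode show virtual-chassis output above and compares them. Both inputs are constructed copies of what this appendix shows; the layout assumed is the mixed-mode one with a Mixed Mode column, and the NotPrsnt status used for a missing member is the example's assumption about how an absent pre-provisioned member is listed.

```python
"""Check 'show virtual-chassis' output against a pre-provisioned member list
(added example, not from the guide)."""
import re

# Constructed sample: the pre-provisioned statements from step 3 of Appendix B.
PREPROVISIONED = """
set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number GX0211411253
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number GX0211411250
set virtual-chassis member 2 role line-card
set virtual-chassis member 2 serial-number FP0211333181
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333260
"""

# Constructed sample: the mixed-mode 'show virtual-chassis' output from steps 6b and 8c.
SHOW_VC = """\
Preprovisioned Virtual Chassis
Virtual Chassis ID: 762b.b071.4181
Virtual Chassis Mode: Mixed
                                              Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model         prio  Role      Mode ID  Interface
0 (FPC 0)  Prsnt    GX0211411253 ex4500-40f    129   Master*   Y     3  vcp-1
                                                                     1  vcp-0
1 (FPC 1)  Prsnt    GX0211411250 ex4500-40f    129   Backup    Y     0  vcp-1
                                                                     2  vcp-0
2 (FPC 2)  Prsnt    FP0211333181 ex4200-48px     0   Linecard  Y     1  vcp-0
                                                                     3  vcp-1
3 (FPC 3)  Prsnt    FP0211333260 ex4200-48px     0   Linecard  Y     2  vcp-0
                                                                     0  vcp-1
"""

# A present member: id, status, serial, model, priority, role, optional Mixed flag, first neighbor.
MEMBER_RE = re.compile(
    r"^(\d+) \(FPC \d+\)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(?:[YN]\s+)?(\d+)\s+(vcp-\S+)\s*$")
# Assumed layout for a pre-provisioned member that has not joined.
ABSENT_RE = re.compile(r"^(\d+) \(FPC \d+\)\s+NotPrsnt\s*$")
# Continuation line carrying a further neighbor of the member above.
NEIGHBOR_RE = re.compile(r"^\s+(\d+)\s+(vcp-\S+)\s*$")
ROLES = {"routing-engine": {"Master", "Backup"}, "line-card": {"Linecard"}}


def parse_preprovisioned(text):
    """member-id -> {"role": ..., "serial-number": ...}"""
    members = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:3] == ["set", "virtual-chassis", "member"]:
            members.setdefault(int(tok[3]), {})[tok[4]] = tok[5]
    return members


def parse_show_vc(text):
    """member-id -> {"status", "serial", "model", "prio", "role", "neighbors": {id: vcp}}"""
    members, cur = {}, None
    for line in text.splitlines():
        m = ABSENT_RE.match(line)
        if m:
            members[int(m.group(1))] = {"status": "NotPrsnt", "neighbors": {}}
            cur = None
            continue
        m = MEMBER_RE.match(line)
        if m:
            cur = {"status": m.group(2), "serial": m.group(3), "model": m.group(4),
                   "prio": int(m.group(5)), "role": m.group(6).rstrip("*"),
                   "neighbors": {int(m.group(7)): m.group(8)}}
            members[int(m.group(1))] = cur
            continue
        m = NEIGHBOR_RE.match(line)
        if m and cur is not None:
            cur["neighbors"][int(m.group(1))] = m.group(2)
    return members


def verify(preprov, actual):
    """Return a list of problems; empty means every provisioned member is present,
    carries the expected serial and role, and every VCP link is seen from both ends."""
    problems = []
    for mid, want in sorted(preprov.items()):
        got = actual.get(mid)
        if got is None or got["status"] != "Prsnt":
            problems.append(f"member {mid}: not present")
            continue
        if got["serial"] != want.get("serial-number"):
            problems.append(f"member {mid}: serial {got['serial']} != {want.get('serial-number')}")
        if got["role"] not in ROLES.get(want.get("role"), set()):
            problems.append(f"member {mid}: role {got['role']} does not match {want.get('role')}")
    for mid, info in actual.items():
        for nb in info["neighbors"]:
            if mid not in actual.get(nb, {}).get("neighbors", {}):
                problems.append(f"member {mid}: link to {nb} not reported by {nb}")
    return problems


if __name__ == "__main__":
    print(verify(parse_preprovisioned(PREPROVISIONED), parse_show_vc(SHOW_VC)) or "virtual chassis matches provisioning")
```

For the four-member ring above the check passes: 0-1, 1-2, 2-3 and 3-0 are each reported by both members. If member 3 were missing, the check would report it as not present and also flag the links from members 0 and 2 that no longer have a far end, which is exactly the partial-ring condition that split detection reacts to.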

d. To change a Virtual Chassis back to non-mixed mode, issue the following command:

request virtual-chassis mode mixed disable


e. Proceed to Virtual Chassis Base Configuration on page 101.

Virtual Chassis Base Configuration


Enter the following commands for all Virtual Chassis:
1. commit synchronize

This ensures that whenever you issue a commit command, it is synchronized with all of the other members of the Virtual Chassis. Without this command in the configuration, you should issue a commit synchronize command after every change instead of just the commit command.
set system commit synchronize
2. non-stop bridging

This command replicates bridging protocol information between master and backup Routing Engines.
set ethernet-switching-options nonstop-bridging
3. graceful switchover

Graceful switchover should be configured on any multichassis Virtual Chassis to ensure that the master and backup Routing Engines are in sync.
root@EX4542-vc1# set chassis redundancy graceful-switchover

Layer 3 Configuration
To configure DHCP on a Virtual Chassis:
1. Configure DHCP forwarding.

root@host# set forwarding-options helpers bootp dhcp-option82
set forwarding-options helpers bootp server <server-ip>
set forwarding-options helpers bootp interface <ip-interface>

2. Configure DHCP services.

root@host# set system services dhcp pool <network/mask> address-range low <starting-ip>
set system services dhcp pool <network/mask> address-range high <ending-ip>
set system services dhcp pool <network/mask> domain-name xyzcompany.com
set system services dhcp pool <network/mask> name-server <name-server>
set system services dhcp pool <network/mask> router <default-gateway-ip>

3. Configure the default static route

root@host# set routing-options static route 0.0.0.0/0 next-hop <ip-address>
4. Configure routing protocols

root@host# set protocols ospf area 0.0.0.0 interface <interface>


5. Configure nonstop active routing

root@host# set routing-options nonstop-routing


APPENDIX C

Configuring DHCP on EX Series Ethernet Switches

Configuring EX Series Ethernet Switches to Provide DHCP on page 103

Configuring EX Series Ethernet Switches to Provide DHCP


If you do not have a central DHCP server or need a temporary DHCP solution, you can configure the EX Series Ethernet Switches to act as a DHCP server. In the validated network design presented in this document, the core switch would be used as a DHCP server because it has IP addresses on each of the subnets in the network. To enable the EX Series to act as a DHCP server you need the following:

IP interface configured on each VLAN to receive DHCP
IP address pool and pool range to be allocated to users on each VLAN to receive DHCP
Default gateway for users on each VLAN
Domain name for users
Name server for users

The sample that follows shows DHCP configured for the management VLAN presented in this guide. We already have the IP address 10.10.28.1 configured for this VLAN. (See the core switch setup for more details.)
set system services dhcp pool 10.10.28.0/24
set system services dhcp pool 10.10.28.0/24 address-range low 10.10.28.11 high 10.10.28.250
set system services dhcp pool 10.10.28.0/24 router 10.10.28.1
set system services dhcp pool 10.10.28.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.28.0/24 name-server 10.10.24.100
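A DHCP pool commits without complaint even when its lease range does not sit inside the pool subnet, when the default router falls inside the lease range (so a client can be handed the gateway's own address), or when no name server is configured. The following added example (not part of the guide or of Junos) parses pool statements of the form used in step 11 of the SRX chapter and in this appendix and validates each pool with the standard ipaddress module. The sample statements are constructed copies of the guest pool from step 11 and the management pool above; the badly built pool 10.10.40.0/24 used in the test is constructed purely to show the checks firing.

```python
"""Validate 'system services dhcp pool' statements before committing them
(added example, not from the guide)."""
import ipaddress

# Constructed sample: the guest pool from step 11 of the SRX chapter and the
# management pool from Appendix C.
SAMPLE_POOLS = """
set system services dhcp pool 10.10.30.0/24 address-range low 10.10.30.11
set system services dhcp pool 10.10.30.0/24 address-range high 10.10.30.250
set system services dhcp pool 10.10.30.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.30.0/24 name-server 208.67.220.220
set system services dhcp pool 10.10.30.0/24 name-server 208.67.222.222
set system services dhcp pool 10.10.30.0/24 router 10.10.30.254
set system services dhcp pool 10.10.28.0/24
set system services dhcp pool 10.10.28.0/24 address-range low 10.10.28.11 high 10.10.28.250
set system services dhcp pool 10.10.28.0/24 router 10.10.28.1
set system services dhcp pool 10.10.28.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.28.0/24 name-server 10.10.24.100
"""


def parse_pools(text):
    """Return {prefix: {"low", "high", "router", "domain-name", "name-server": [...]}}."""
    pools = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:5] != ["set", "system", "services", "dhcp", "pool"]:
            continue
        pool = pools.setdefault(tok[5], {"name-server": []})
        rest = tok[6:]
        if not rest:                        # bare 'pool X' statement: nothing to record
            continue
        if rest[0] == "address-range":      # 'low A' and 'high B' may share one statement
            for i in range(1, len(rest) - 1, 2):
                pool[rest[i]] = rest[i + 1]
        elif rest[0] == "name-server":
            pool["name-server"].append(rest[1])
        else:
            pool[rest[0]] = rest[1]
    return pools


def validate_pool(prefix, pool):
    """Return the problems found in one pool (an empty list means it is consistent)."""
    problems = []
    net = ipaddress.ip_network(prefix, strict=False)
    if ipaddress.ip_interface(prefix).ip != net.network_address:
        problems.append("pool prefix has host bits set")
    if "low" not in pool or "high" not in pool:
        return problems + ["address-range low/high missing"]
    low, high = ipaddress.ip_address(pool["low"]), ipaddress.ip_address(pool["high"])
    if low not in net or high not in net:
        problems.append("address range outside the pool subnet")
    if low > high:
        problems.append("address-range low is above high")
    if "router" not in pool:
        problems.append("no default router")
    else:
        router = ipaddress.ip_address(pool["router"])
        if router not in net:
            problems.append("router is not in the pool subnet")
        elif low <= router <= high:
            problems.append("router address lies inside the lease range")
    if not pool["name-server"]:
        problems.append("no name-server")
    if "domain-name" not in pool:
        problems.append("no domain-name")
    return problems


def validate_all(text):
    """prefix -> list of problems, for every pool in the statements."""
    return {prefix: validate_pool(prefix, pool) for prefix, pool in parse_pools(text).items()}


if __name__ == "__main__":
    for prefix, problems in validate_all(SAMPLE_POOLS).items():
        print(prefix, problems or "ok")
```

Both pools in the sample validate cleanly: the lease ranges .11 to .250 sit inside their /24s and leave the gateway addresses (.254 on the SRX, .1 on the core switch) outside the range.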

To view statistics:
show system services dhcp statistics

To view DHCP bindings:


show system services dhcp binding


APPENDIX D

Configurations Used in This Guide


EX4200vc1 Set Commands on page 105
EX4200vc1 Configuration Statements on page 108
EX4200vc2 Set Commands on page 116
EX4200vc2 Configuration Statements on page 117
EX4200vc3 Set Commands on page 121
EX4200vc3 Configuration Statements on page 123
EX4542vc1 Set Commands on page 127
EX4542vc1 Configuration Statements on page 131
WLC-1 Configuration on page 147
WLC-2 Configuration on page 148
SRX650 Cluster Set Commands on page 149
SRX650 Cluster Configuration Statements on page 152

EX4200vc1 Set Commands


set version 11.4R1.6
set system host-name ex4200-vc1
set system domain-name xyxcompany.com
set system root-authentication encrypted-password "$1$mPpJfHUh$TJPBhlJWIuQNFWBaR2LPY0"
set system name-server 10.10.24.100
set system services ssh
set system services web-management https system-generated-certificate
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system commit synchronize
set chassis redundancy graceful-switchover
set chassis aggregated-devices ethernet device-count 2
set interfaces interface-range Wired_Data member-range ge-0/0/5 to ge-0/0/26
set interfaces interface-range Wired_Data member-range ge-1/0/5 to ge-1/0/26
set interfaces interface-range Wired_Data member-range ge-2/0/5 to ge-2/0/26
set interfaces interface-range Wired_Data member-range ge-3/0/5 to ge-3/0/26
set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access

set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Wired_Voice member-range ge-2/0/27 to ge-2/0/47
set interfaces interface-range Wired_Voice member-range ge-3/0/27 to ge-3/0/47
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4
set interfaces interface-range Access_Points member-range ge-2/0/0 to ge-2/0/4
set interfaces interface-range Access_Points member-range ge-3/0/0 to ge-3/0/4
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/2 unit 0 family ethernet-switching
set interfaces ge-0/0/3 unit 0 family ethernet-switching
set interfaces ge-0/0/4 unit 0 family ethernet-switching
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/6 unit 0 family ethernet-switching
set interfaces ge-0/0/7 unit 0 family ethernet-switching
set interfaces ge-0/0/8 unit 0 family ethernet-switching
set interfaces ge-0/0/9 unit 0 family ethernet-switching
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set interfaces ge-0/0/11 unit 0 family ethernet-switching
set interfaces ge-0/0/12 unit 0 family ethernet-switching
set interfaces ge-0/0/13 unit 0 family ethernet-switching
set interfaces ge-0/0/14 unit 0 family ethernet-switching
set interfaces ge-0/0/15 unit 0 family ethernet-switching
set interfaces ge-0/0/16 unit 0 family ethernet-switching
set interfaces ge-0/0/17 unit 0 family ethernet-switching
set interfaces ge-0/0/18 unit 0 family ethernet-switching
set interfaces ge-0/0/19 unit 0 family ethernet-switching
set interfaces ge-0/0/20 unit 0 family ethernet-switching
set interfaces ge-0/0/21 unit 0 family ethernet-switching
set interfaces ge-0/0/22 unit 0 family ethernet-switching
set interfaces ge-0/0/23 unit 0 family ethernet-switching
set interfaces ge-0/0/24 unit 0 family ethernet-switching
set interfaces ge-0/0/25 unit 0 family ethernet-switching
set interfaces ge-0/0/26 unit 0 family ethernet-switching
set interfaces ge-0/0/27 unit 0 family ethernet-switching
set interfaces ge-0/0/28 unit 0 family ethernet-switching
set interfaces ge-0/0/29 unit 0 family ethernet-switching
set interfaces ge-0/0/30 unit 0 family ethernet-switching
set interfaces ge-0/0/31 unit 0 family ethernet-switching
set interfaces ge-0/0/32 unit 0 family ethernet-switching
set interfaces ge-0/0/33 unit 0 family ethernet-switching
set interfaces ge-0/0/34 unit 0 family ethernet-switching
set interfaces ge-0/0/35 unit 0 family ethernet-switching
set interfaces ge-0/0/36 unit 0 family ethernet-switching
set interfaces ge-0/0/37 unit 0 family ethernet-switching
set interfaces ge-0/0/38 unit 0 family ethernet-switching
set interfaces ge-0/0/39 unit 0 family ethernet-switching
set interfaces ge-0/0/40 unit 0 family ethernet-switching
set interfaces ge-0/0/41 unit 0 family ethernet-switching
set interfaces ge-0/0/42 unit 0 family ethernet-switching
set interfaces ge-0/0/43 unit 0 family ethernet-switching

set interfaces ge-0/0/44 unit 0 family ethernet-switching
set interfaces ge-0/0/45 unit 0 family ethernet-switching
set interfaces ge-0/0/46 unit 0 family ethernet-switching
set interfaces ge-0/0/47 unit 0 family ethernet-switching
set interfaces xe-0/1/0 unit 0 family ethernet-switching
set interfaces xe-0/1/2 ether-options 802.3ad ae0
set interfaces ge-1/0/0 unit 0 family ethernet-switching
set interfaces xe-2/1/2 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Data_Wired_1
set interfaces ae0 unit 0 family ethernet-switching vlan members VOIP_Wired_1
set interfaces ae0 unit 0 family ethernet-switching vlan members Management
set interfaces ae0 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces vlan unit 28 family inet address 10.10.28.244/24
set interfaces vme unit 0 family inet address 10.94.188.91/24
set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1
set protocols igmp-snooping vlan all
set protocols rstp interface ae0.0 disable
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options secure-access-port vlan Data_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 ip-source-guard
set ethernet-switching-options nonstop-bridging
set ethernet-switching-options storm-control interface all
set vlans Data_Wired_1 vlan-id 10
set vlans Data_Wired_1 interface Wired_Data
set vlans Guest_Wired vlan-id 30
set vlans Management vlan-id 28
set vlans Management interface Access_Points
set vlans Management l3-interface vlan.28
set vlans VOIP_Wired_1 vlan-id 14
set vlans VOIP_Wired_1 interface Wired_Voice
set poe interface all
set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333190
set virtual-chassis member 1 role line-card
set virtual-chassis member 1 serial-number FP0211333201
set virtual-chassis member 2 role routing-engine
set virtual-chassis member 2 serial-number FP0211333173
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333265
set virtual-chassis fast-failover xe


EX4200vc1 Configuration Statements


## Last changed: 2011-12-18 13:35:19 UTC
version 11.4R1.6;
system {
    host-name ex4200-vc1;
    domain-name xyxcompany.com;
    root-authentication {
        encrypted-password "$1$mPpJfHUh$TJPBhlJWIuQNFWBaR2LPY0"; ## SECRET-DATA
    }
    name-server {
        10.10.24.100;
    }
    services {
        ssh;
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    commit synchronize;
}
chassis {
    redundancy {
        graceful-switchover;
    }
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    interface-range Wired_Data {
        member-range ge-0/0/5 to ge-0/0/26;
        member-range ge-1/0/5 to ge-1/0/26;
        member-range ge-2/0/5 to ge-2/0/26;
        member-range ge-3/0/5 to ge-3/0/26;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    interface-range Wired_Voice {
        member-range ge-0/0/27 to ge-0/0/47;
        member-range ge-1/0/27 to ge-1/0/47;
        member-range ge-2/0/27 to ge-2/0/47;
        member-range ge-3/0/27 to ge-3/0/47;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    interface-range Access_Points {
        member-range ge-0/0/0 to ge-0/0/4;
        member-range ge-1/0/0 to ge-1/0/4;
        member-range ge-2/0/0 to ge-2/0/4;
        member-range ge-3/0/0 to ge-3/0/4;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/24 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/25 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/26 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/27 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/28 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/29 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/30 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/31 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/40 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/41 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/42 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/43 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/44 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/45 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/46 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/47 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/2 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-1/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-2/1/2 {
        ether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_1 VOIP_Wired_1 Management Guest_Wired ];
                }
            }
        }
    }
    vlan {
        unit 28 {
            family inet {
                address 10.10.28.244/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                address 10.94.188.91/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.28.1;
    }
}
protocols {
    igmp-snooping {
        vlan all;
    }
    rstp {
        interface ae0.0 {
            disable;
        }
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    secure-access-port {
        vlan Data_Wired_1 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wired {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan VOIP_Wired_1 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
    }
    nonstop-bridging;
    storm-control {
        interface all;
    }
}
vlans {
    Data_Wired_1 {
        vlan-id 10;
        interface {
            Wired_Data;
        }
    }
    Guest_Wired {
        vlan-id 30;
    }
    Management {
        vlan-id 28;
        interface {
            Access_Points;
        }
        l3-interface vlan.28;
    }
    VOIP_Wired_1 {
        vlan-id 14;
        interface {
            Wired_Voice;
        }
    }
}
poe {
    interface all;
}
virtual-chassis {
    preprovisioned;
    member 0 {
        role routing-engine;
        serial-number FP0211333190;
    }
    member 1 {
        role line-card;
        serial-number FP0211333201;
    }
    member 2 {
        role routing-engine;
        serial-number FP0211333173;
    }
    member 3 {
        role line-card;
        serial-number FP0211333265;
    }
    fast-failover {
        xe;
    }
}

EX4200vc2 Set Commands


set version 11.4R1.6
set system host-name EX4200-vc2
set system domain-name xyxcompany.com
set system time-zone America/Los_Angeles
set system root-authentication encrypted-password "$1$gqkkDA9K$mm4F9rV/dCNDU4gJ8w0wE."
set system name-server 10.10.24.100
set system services ssh
set system services web-management https system-generated-certificate
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file messages archive size 10m
set system commit synchronize
set chassis redundancy graceful-switchover
set chassis aggregated-devices ethernet device-count 2
set interfaces interface-range Wired_Data member-range ge-0/0/5 to ge-0/0/26
set interfaces interface-range Wired_Data member-range ge-1/0/5 to ge-1/0/26
set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-1/0/1 unit 0 family ethernet-switching
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Data_Wired_2
set interfaces ae0 unit 0 family ethernet-switching vlan members VOIP_Wired_2
set interfaces ae0 unit 0 family ethernet-switching vlan members Management
set interfaces ae0 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces vlan unit 28 family inet address 10.10.28.243/24
set interfaces vme unit 0 family inet address 10.94.188.95/24
set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1
set protocols rstp interface ae0.0 disable
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options secure-access-port vlan Data_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 ip-source-guard
set ethernet-switching-options nonstop-bridging
set vlans Data_Wired_2 vlan-id 12
set vlans Data_Wired_2 interface Wired_Data
set vlans Guest_Wired vlan-id 30
set vlans Management vlan-id 28
set vlans Management interface Access_Points
set vlans Management l3-interface vlan.28
set vlans VOIP_Wired_2 vlan-id 16
set vlans VOIP_Wired_2 interface Wired_Voice
set poe interface all
set virtual-chassis preprovisioned
set virtual-chassis no-split-detection
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333245
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number FP0211333274

EX4200vc2 Configuration Statements


## Last changed: 2012-03-21 13:26:09 PDT
version 11.4R1.6;
system {
    host-name EX4200-vc2;
    domain-name xyxcompany.com;
    time-zone America/Los_Angeles;
    root-authentication {
        encrypted-password "$1$gqkkDA9K$mm4F9rV/dCNDU4gJ8w0wE."; ## SECRET-DATA
    }
    name-server {
        10.10.24.100;
    }
    services {
        ssh;
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        file messages {
            any any;
            authorization info;
            archive size 10m;
        }
    }
    commit synchronize;
}
chassis {
    redundancy {
        graceful-switchover;
    }
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    interface-range Wired_Data {
        member-range ge-0/0/5 to ge-0/0/26;
        member-range ge-1/0/5 to ge-1/0/26;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    interface-range Wired_Voice {
        member-range ge-1/0/27 to ge-1/0/47;
        member-range ge-0/0/27 to ge-0/0/47;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    interface-range Access_Points {
        member-range ge-1/0/0 to ge-1/0/4;
        member-range ge-0/0/0 to ge-0/0/4;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    xe-0/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-1/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-1/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-1/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_2 VOIP_Wired_2 Management Guest_Wired ];
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.2/32;
            }
        }
    }
    vlan {
        unit 28 {
            family inet {
                address 10.10.28.243/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                address 10.94.188.95/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.28.1;
    }
}
protocols {
    rstp {
        interface ae0.0 {
            disable;
        }
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    secure-access-port {
        vlan Data_Wired_2 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wired {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan VOIP_Wired_2 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
    }
    nonstop-bridging;
}
vlans {
    Data_Wired_2 {
        vlan-id 12;
        interface {
            Wired_Data;
        }
    }
    Guest_Wired {
        vlan-id 30;
    }
    Management {
        vlan-id 28;
        interface {
            Access_Points;
        }
        l3-interface vlan.28;
    }
    VOIP_Wired_2 {
        vlan-id 16;
        interface {
            Wired_Voice;
        }
    }
}
poe {
    interface all;
}
virtual-chassis {
    preprovisioned;
    no-split-detection;
    member 0 {
        role routing-engine;
        serial-number FP0211333245;
    }
    member 1 {
        role routing-engine;
        serial-number FP0211333274;
    }
}

EX4200vc3 Set Commands


set version 11.4R1.6
set system host-name EX4200-vc3
set system domain-name xyxcompany.com
set system time-zone America/Los_Angeles
set system root-authentication encrypted-password "$1$969yUWx3$TVCNJ5iVJbezE5uiau7a50"
set system name-server 10.10.24.100
set system services ssh
set system services web-management https system-generated-certificate
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file messages archive size 10m
set system commit synchronize
set chassis redundancy graceful-switchover
set chassis aggregated-devices ethernet device-count 2
set interfaces interface-range Wired_Data member-range ge-1/0/5 to ge-1/0/26
set interfaces interface-range Wired_Data member-range ge-0/0/5 to ge-0/0/26
set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access
set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-1/0/2 unit 0 family ethernet-switching port-mode access
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Data_Wired_2
set interfaces ae0 unit 0 family ethernet-switching vlan members VOIP_Wired_2
set interfaces ae0 unit 0 family ethernet-switching vlan members Management
set interfaces ae0 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces lo0 unit 0 family inet address 10.0.0.3/32
set interfaces vlan unit 28 family inet address 10.10.28.242/24
set interfaces vme unit 0 family inet address 10.94.188.97/24
set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1
set protocols rstp interface ae0.0 disable
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options secure-access-port vlan Data_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 ip-source-guard
set ethernet-switching-options nonstop-bridging
set vlans Data_Wired_2 vlan-id 12
set vlans Data_Wired_2 interface Wired_Data
set vlans Guest_Wired vlan-id 30
set vlans Management vlan-id 28
set vlans Management interface Access_Points
set vlans Management l3-interface vlan.28
set vlans VOIP_Wired_2 vlan-id 16
set vlans VOIP_Wired_2 interface Wired_Voice
set poe interface all
set virtual-chassis preprovisioned
set virtual-chassis no-split-detection
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333208
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number FP0211333280


EX4200vc3 Configuration Statements


## Last changed: 2012-03-21 13:27:29 PDT
version 11.4R1.6;
system {
    host-name EX4200-vc3;
    domain-name xyxcompany.com;
    time-zone America/Los_Angeles;
    root-authentication {
        encrypted-password "$1$969yUWx3$TVCNJ5iVJbezE5uiau7a50"; ## SECRET-DATA
    }
    name-server {
        10.10.24.100;
    }
    services {
        ssh;
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        file messages {
            any any;
            authorization info;
            archive size 10m;
        }
    }
    commit synchronize;
}
chassis {
    redundancy {
        graceful-switchover;
    }
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    interface-range Wired_Data {
        member-range ge-1/0/5 to ge-1/0/26;
        member-range ge-0/0/5 to ge-0/0/26;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    interface-range Wired_Voice {
        member-range ge-0/0/27 to ge-0/0/47;
        member-range ge-1/0/27 to ge-1/0/47;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    interface-range Access_Points {
        member-range ge-0/0/0 to ge-0/0/4;
        member-range ge-1/0/0 to ge-1/0/4;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-1/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-1/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    xe-1/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_2 VOIP_Wired_2 Management Guest_Wired ];
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.3/32;
            }
        }
    }
    vlan {
        unit 28 {
            family inet {
                address 10.10.28.242/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                address 10.94.188.97/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.28.1;
    }
}
protocols {
    rstp {
        interface ae0.0 {
            disable;
        }
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    secure-access-port {
        vlan Data_Wired_2 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wired {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan VOIP_Wired_2 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
    }
    nonstop-bridging;
}
vlans {
    Data_Wired_2 {
        vlan-id 12;
        interface {
            Wired_Data;
        }
    }
    Guest_Wired {
        vlan-id 30;
    }
    Management {
        vlan-id 28;
        interface {
            Access_Points;
        }
        l3-interface vlan.28;
    }
    VOIP_Wired_2 {
        vlan-id 16;
        interface {
            Wired_Voice;
        }
    }
}
poe {
    interface all;
}
virtual-chassis {
    preprovisioned;
    no-split-detection;
    member 0 {
        role routing-engine;
        serial-number FP0211333208;
    }
    member 1 {
        role routing-engine;
        serial-number FP0211333280;
    }
}
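An added check, not part of the guide, that applies to the three EX4200 Virtual Chassis listings above: it parses the flat set-command form used in this appendix and reports every VLAN bound to an access-mode interface-range that lacks one of the three secure-access-port protections (arp-inspection, examine-dhcp, ip-source-guard), and a missing storm-control stanza, which in this appendix only EX4200-vc1 configures. The embedded input is an excerpt of the EX4200-vc2 set commands; the function and class names are my own.

```python
"""Audit the set-command form of a Junos EX configuration for access-port protections.

Added example (not Juniper's code). It reads the flat `set ...` listing used in
the appendix and reports, per switch, VLANs bound to an access-mode
interface-range that lack any of the three secure-access-port features, plus a
missing storm-control stanza.
"""
import re
from dataclasses import dataclass, field

REQUIRED_PROTECTIONS = ("arp-inspection", "examine-dhcp", "ip-source-guard")

# Excerpt of the EX4200-vc2 set commands from the appendix (lines the audit
# does not need are omitted).
EX4200_VC2_EXCERPT = """\
set system host-name EX4200-vc2
set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set ethernet-switching-options secure-access-port vlan Data_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 ip-source-guard
set ethernet-switching-options nonstop-bridging
set vlans Data_Wired_2 vlan-id 12
set vlans Data_Wired_2 interface Wired_Data
set vlans Guest_Wired vlan-id 30
set vlans Management vlan-id 28
set vlans Management interface Access_Points
set vlans Management l3-interface vlan.28
set vlans VOIP_Wired_2 vlan-id 16
set vlans VOIP_Wired_2 interface Wired_Voice
"""


@dataclass
class SwitchConfig:
    hostname: str = ""
    access_ranges: set = field(default_factory=set)    # interface-ranges in port-mode access
    vlan_bindings: dict = field(default_factory=dict)  # vlan name -> interface/range it is bound to
    protections: dict = field(default_factory=dict)    # vlan name -> secure-access-port features set
    storm_control: bool = False


# Each rule is (compiled pattern, kind); the first matching rule wins.
_RULES = [
    (re.compile(r"set system host-name (\S+)$"), "hostname"),
    (re.compile(r"set interfaces interface-range (\S+) unit 0 family ethernet-switching "
                r"port-mode access$"), "access_range"),
    (re.compile(r"set vlans (\S+) interface (\S+)$"), "binding"),
    (re.compile(r"set ethernet-switching-options secure-access-port vlan (\S+) (\S+)$"), "protection"),
    (re.compile(r"set ethernet-switching-options storm-control "), "storm_control"),
]


def parse_set_config(text: str) -> SwitchConfig:
    """Walk the set commands once and collect only what the audit needs."""
    cfg = SwitchConfig()
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, kind in _RULES:
            m = pattern.match(line)
            if not m:
                continue
            if kind == "hostname":
                cfg.hostname = m.group(1)
            elif kind == "access_range":
                cfg.access_ranges.add(m.group(1))
            elif kind == "binding":
                cfg.vlan_bindings[m.group(1)] = m.group(2)
            elif kind == "protection":
                cfg.protections.setdefault(m.group(1), set()).add(m.group(2))
            elif kind == "storm_control":
                cfg.storm_control = True
            break
    return cfg


def audit(cfg: SwitchConfig) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for vlan, member in sorted(cfg.vlan_bindings.items()):
        if member not in cfg.access_ranges:
            continue  # not bound to an access-mode range; out of scope for this check
        enabled = cfg.protections.get(vlan, set())
        missing = [p for p in REQUIRED_PROTECTIONS if p not in enabled]
        if missing:
            findings.append(f"{cfg.hostname}: VLAN {vlan} ({member}) missing {', '.join(missing)}")
    if not cfg.storm_control:
        findings.append(f"{cfg.hostname}: storm-control not set "
                        "(EX4200-vc1 uses: set ethernet-switching-options storm-control interface all)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_set_config(EX4200_VC2_EXCERPT)):
        print(finding)
```

On the EX4200-vc2 excerpt the audit reports the Management VLAN (bound to the access-mode Access_Points range) as carrying none of the three protections, and the absent storm-control stanza.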


EX4542vc1 Set Commands


set version 11.4R1.6
set system host-name EX4542-vc1
set system domain-name xyzcompany.com
set system time-zone America/Los_Angeles
set system root-authentication encrypted-password "$1$EJ1MQEjU$OyN4dCFy5fUYYeegQcpwi/"
set system name-server 10.10.24.100
set system services ssh
set system services web-management https system-generated-certificate
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system commit synchronize
set chassis redundancy graceful-switchover
set chassis aggregated-devices ethernet device-count 4
set interfaces ge-0/0/0 unit 0 family ethernet-switching
set interfaces xe-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces xe-0/0/1 ether-options 802.3ad ae1
set interfaces ge-0/0/2 unit 0 family ethernet-switching
set interfaces xe-0/0/2 ether-options 802.3ad ae2
set interfaces ge-0/0/3 unit 0 family ethernet-switching
set interfaces xe-0/0/3 unit 0 family ethernet-switching
set interfaces ge-0/0/4 unit 0 family ethernet-switching
set interfaces xe-0/0/4 unit 0 family ethernet-switching
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces xe-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/6 unit 0 family ethernet-switching
set interfaces xe-0/0/6 unit 0 family ethernet-switching
set interfaces ge-0/0/7 unit 0 family ethernet-switching
set interfaces xe-0/0/7 unit 0 family ethernet-switching
set interfaces ge-0/0/8 unit 0 family ethernet-switching
set interfaces xe-0/0/8 unit 0 family ethernet-switching
set interfaces ge-0/0/9 unit 0 family ethernet-switching
set interfaces xe-0/0/9 unit 0 family ethernet-switching
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set interfaces xe-0/0/10 unit 0 family ethernet-switching
set interfaces ge-0/0/11 unit 0 family ethernet-switching
set interfaces xe-0/0/11 unit 0 family ethernet-switching
set interfaces ge-0/0/12 unit 0 family ethernet-switching
set interfaces xe-0/0/12 unit 0 family ethernet-switching
set interfaces ge-0/0/13 unit 0 family ethernet-switching
set interfaces xe-0/0/13 unit 0 family ethernet-switching
set interfaces ge-0/0/14 unit 0 family ethernet-switching
set interfaces xe-0/0/14 unit 0 family ethernet-switching
set interfaces ge-0/0/15 unit 0 family ethernet-switching
set interfaces xe-0/0/15 unit 0 family ethernet-switching
set interfaces ge-0/0/16 unit 0 family ethernet-switching
set interfaces xe-0/0/16 unit 0 family ethernet-switching
set interfaces ge-0/0/17 unit 0 family ethernet-switching
set interfaces xe-0/0/17 unit 0 family ethernet-switching
set interfaces ge-0/0/18 unit 0 family ethernet-switching
set interfaces xe-0/0/18 unit 0 family ethernet-switching
set interfaces ge-0/0/19 unit 0 family ethernet-switching
set interfaces xe-0/0/19 unit 0 family ethernet-switching
set interfaces ge-0/0/20 unit 0 family ethernet-switching
set interfaces xe-0/0/20 unit 0 family ethernet-switching
set interfaces ge-0/0/21 unit 0 family ethernet-switching
set interfaces xe-0/0/21 unit 0 family ethernet-switching
set interfaces ge-0/0/22 unit 0 family ethernet-switching
set interfaces xe-0/0/22 unit 0 family ethernet-switching
set interfaces ge-0/0/23 unit 0 family ethernet-switching
set interfaces xe-0/0/23 unit 0 family ethernet-switching
set interfaces ge-0/0/24 unit 0 family ethernet-switching
set interfaces xe-0/0/24 unit 0 family ethernet-switching
set interfaces ge-0/0/25 unit 0 family ethernet-switching
set interfaces xe-0/0/25 unit 0 family ethernet-switching
set interfaces ge-0/0/26 unit 0 family ethernet-switching
set interfaces xe-0/0/26 unit 0 family ethernet-switching
set interfaces ge-0/0/27 unit 0 family ethernet-switching
set interfaces xe-0/0/27 unit 0 family ethernet-switching
set interfaces ge-0/0/28 unit 0 family ethernet-switching
set interfaces xe-0/0/28 unit 0 family ethernet-switching
set interfaces ge-0/0/29 unit 0 family ethernet-switching
set interfaces xe-0/0/29 unit 0 family ethernet-switching
set interfaces ge-0/0/30 unit 0 family ethernet-switching
set interfaces xe-0/0/30 unit 0 family ethernet-switching
set interfaces ge-0/0/31 unit 0 family ethernet-switching
set interfaces xe-0/0/31 unit 0 family ethernet-switching
set interfaces ge-0/0/32 unit 0 family ethernet-switching
set interfaces xe-0/0/32 unit 0 family ethernet-switching
set interfaces ge-0/0/33 unit 0 family ethernet-switching
set interfaces xe-0/0/33 unit 0 family ethernet-switching
set interfaces ge-0/0/34 unit 0 family ethernet-switching
set interfaces xe-0/0/34 unit 0 family ethernet-switching
set interfaces ge-0/0/35 unit 0 family ethernet-switching
set interfaces xe-0/0/35 unit 0 family ethernet-switching
set interfaces ge-0/0/36 unit 0 family ethernet-switching
set interfaces xe-0/0/36 unit 0 family ethernet-switching
set interfaces ge-0/0/37 unit 0 family ethernet-switching
set interfaces xe-0/0/37 unit 0 family ethernet-switching
set interfaces ge-0/0/38 unit 0 family ethernet-switching
set interfaces xe-0/0/38 unit 0 family ethernet-switching
set interfaces ge-0/0/39 unit 0 family ethernet-switching
set interfaces xe-0/0/39 unit 0 family ethernet-switching
set interfaces ge-0/1/0 unit 0 family ethernet-switching
set interfaces xe-0/1/0 unit 0 family ethernet-switching
set interfaces ge-0/1/1 unit 0 family ethernet-switching
set interfaces xe-0/1/1 unit 0 family ethernet-switching
set interfaces ge-0/1/2 unit 0 family ethernet-switching
set interfaces xe-0/1/2 unit 0 family ethernet-switching
set interfaces ge-0/1/3 unit 0 family ethernet-switching
set interfaces xe-0/1/3 unit 0 family ethernet-switching
set interfaces ge-0/2/0 unit 0 family ethernet-switching
set interfaces xe-0/2/0 unit 0 family ethernet-switching
set interfaces ge-0/2/1 unit 0 family ethernet-switching
set interfaces xe-0/2/1 unit 0 family ethernet-switching
set interfaces ge-0/2/2 unit 0 family ethernet-switching
set interfaces xe-0/2/2 unit 0 family ethernet-switching
set interfaces ge-0/2/3 unit 0 family ethernet-switching
set interfaces xe-0/2/3 unit 0 family ethernet-switching
set interfaces xe-1/0/0 ether-options 802.3ad ae0
set interfaces xe-1/0/1 ether-options 802.3ad ae1
set interfaces xe-1/0/2 ether-options 802.3ad ae2
set interfaces ge-2/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Data_Wireless_1
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Data_Wireless_2
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Management
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Guest_Wireless
set interfaces ge-2/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-2/0/9 unit 0 family ethernet-switching port-mode access
set interfaces ge-2/0/9 unit 0 family ethernet-switching vlan members Servers
set interfaces ge-2/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members Internet_Edge
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members Management
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members Guest_Wireless
set interfaces ge-3/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members Data_Wireless_1
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members Data_Wireless_2
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members Management
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members Guest_Wireless
set interfaces ge-3/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-3/0/9 unit 0 family ethernet-switching port-mode access
set interfaces ge-3/0/9 unit 0 family ethernet-switching vlan members Servers
set interfaces ge-3/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members Internet_Edge
set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members Management
set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members Guest_Wireless
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Data_Wired_1
set interfaces ae0 unit 0 family ethernet-switching vlan members VOIP_Wired_1
set interfaces ae0 unit 0 family ethernet-switching vlan members Management
set interfaces ae0 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic slow
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members Data_Wired_2
set interfaces ae1 unit 0 family ethernet-switching vlan members VOIP_Wired_2
set interfaces ae1 unit 0 family ethernet-switching vlan members Management
set interfaces ae1 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces ae2 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp periodic slow
set interfaces ae2 unit 0 family ethernet-switching port-mode trunk
set interfaces ae2 unit 0 family ethernet-switching vlan members Data_Wired_2
set interfaces ae2 unit 0 family ethernet-switching vlan members VOIP_Wired_2
set interfaces ae2 unit 0 family ethernet-switching vlan members Management
set interfaces ae2 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces vlan unit 10 family inet address 10.10.10.1/24
set interfaces vlan unit 12 family inet address 10.10.12.1/24
set interfaces vlan unit 14 family inet address 10.10.14.1/24
set interfaces vlan unit 16 family inet address 10.10.16.1/24
set interfaces vlan unit 18 family inet address 10.10.18.1/24
set interfaces vlan unit 20 family inet address 10.10.20.1/24
set interfaces vlan unit 22 family inet address 10.10.22.1/24
set interfaces vlan unit 24 family inet address 10.10.24.1/24
set interfaces vlan unit 28 family inet address 10.10.28.1/24
set interfaces vme unit 0 family inet address 10.94.188.101/24
set forwarding-options helpers bootp dhcp-option82
set forwarding-options helpers bootp description DHCP-SERVER
set forwarding-options helpers bootp server 10.10.24.100
set forwarding-options helpers bootp interface vlan.24
set forwarding-options helpers bootp interface vlan.10
set forwarding-options helpers bootp interface vlan.12
set forwarding-options helpers bootp interface vlan.14
set forwarding-options helpers bootp interface vlan.16
set forwarding-options helpers bootp interface vlan.18
set forwarding-options helpers bootp interface vlan.20
set forwarding-options helpers bootp interface vlan.26
set forwarding-options helpers bootp interface vlan.28
set routing-options nonstop-routing
set routing-options static route 0.0.0.0/0 next-hop 10.10.22.254
set protocols ospf area 0.0.0.0 interface vlan.22
set protocols ospf area 0.0.0.0 interface vlan.10
set protocols ospf area 0.0.0.0 interface vlan.12
set protocols ospf area 0.0.0.0 interface vlan.14
set protocols ospf area 0.0.0.0 interface vlan.16
set protocols ospf area 0.0.0.0 interface vlan.18
set protocols ospf area 0.0.0.0 interface vlan.20
set protocols ospf area 0.0.0.0 interface vlan.24
set protocols igmp-snooping vlan all
set protocols dcbx interface all
set protocols rstp bridge-priority 8k
set protocols rstp interface ae0.0 disable
set protocols rstp interface ae1.0 disable
set protocols rstp interface ae2.0 disable
set protocols lldp interface all
set protocols lldp-med interface all
set policy-options prefix-list test fd00::0214/128
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan Data_Wireless_2 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wireless_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wireless_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wireless arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wireless examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wireless ip-source-guard
set ethernet-switching-options nonstop-bridging
set ethernet-switching-options storm-control interface all
set ethernet-switching-options bpdu-block interface ge-2/0/5.0
set vlans Data_Wired_1 vlan-id 10
set vlans Data_Wired_1 l3-interface vlan.10
set vlans Data_Wired_2 vlan-id 12
set vlans Data_Wired_2 l3-interface vlan.12
set vlans Data_Wireless_1 vlan-id 18
set vlans Data_Wireless_1 l3-interface vlan.18
set vlans Data_Wireless_2 vlan-id 20
set vlans Data_Wireless_2 l3-interface vlan.20
set vlans Guest_Wired vlan-id 30
set vlans Guest_Wireless vlan-id 32
set vlans Internet_Edge vlan-id 22
set vlans Internet_Edge l3-interface vlan.22
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Servers vlan-id 24
set vlans Servers interface ge-2/0/5.0
set vlans Servers interface ge-3/0/5.0
set vlans Servers l3-interface vlan.24
set vlans VOIP_Wired_1 vlan-id 14
set vlans VOIP_Wired_1 l3-interface vlan.14
set vlans VOIP_Wired_2 vlan-id 16
set vlans VOIP_Wired_2 l3-interface vlan.16
set poe interface all
set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number GX0211411253
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number GX0211411250
set virtual-chassis member 2 role line-card
set virtual-chassis member 2 serial-number FP0211333181
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333260

EX4542vc1 Configuration Statements


## Last changed: 2012-03-28 13:43:13 PDT
version 11.4R1.6;
system {
    host-name EX4542-vc1;
    domain-name xyzcompany.com;
    time-zone America/Los_Angeles;
    root-authentication {
        encrypted-password "$1$EJ1MQEjU$OyN4dCFy5fUYYeegQcpwi/"; ## SECRET-DATA
    }
    name-server {
        10.10.24.100;
    }
    services {
        ssh;
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    commit synchronize;
}
chassis {
    redundancy {
        graceful-switchover;
    }
    aggregated-devices {
        ethernet {
            device-count 4;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/1 {
        ether-options {
            802.3ad ae1;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/2 {
        ether-options {
            802.3ad ae2;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/24 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/24 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/25 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/25 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/26 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/26 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/27 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/27 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/28 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/28 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/29 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/29 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/30 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/30 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/31 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/31 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/2/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/2/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/2/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/2/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-1/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-1/0/1 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-1/0/2 {
        ether-options {
            802.3ad ae2;
        }
    }
    ge-2/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wireless_1 Data_Wireless_2 Management Guest_Wireless ];
                }
            }
        }
    }
    ge-2/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-2/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members Servers;
                }
            }
        }
    }
    ge-2/0/47 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Internet_Edge Management Guest_Wired Guest_Wireless ];
                }
            }
        }
    }
    ge-3/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wireless_1 Data_Wireless_2 Management Guest_Wireless ];
                }
            }
        }
    }
    ge-3/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-3/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members Servers;
                }
            }
        }
    }
    ge-3/0/47 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Internet_Edge Management Guest_Wired Guest_Wireless ];
                }
            }
        }
    }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_1 VOIP_Wired_1 Management Guest_Wired ];
                }
            }
        }
    }
    ae1 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_2 VOIP_Wired_2 Management Guest_Wired ];
                }
            }
        }
    }
    ae2 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_2 VOIP_Wired_2 Management Guest_Wired ];
                }
            }
        }
    }
    vlan {
        unit 10 {
            family inet {
                address 10.10.10.1/24;
            }
        }
        unit 12 {
            family inet {
                address 10.10.12.1/24;
            }
        }
        unit 14 {
            family inet {
                address 10.10.14.1/24;
            }
        }
        unit 16 {
            family inet {
                address 10.10.16.1/24;
            }
        }
        unit 18 {
            family inet {
                address 10.10.18.1/24;
            }
        }
        unit 20 {
            family inet {
                address 10.10.20.1/24;
            }
        }
        unit 22 {
            family inet {
                address 10.10.22.1/24;
            }
        }
        unit 24 {
            family inet {
                address 10.10.24.1/24;
            }
        }
        unit 28 {
            family inet {
                address 10.10.28.1/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                address 10.94.188.101/24;
            }
        }
    }
}
forwarding-options {
    helpers {
        bootp {
            dhcp-option82;
            description DHCP-SERVER;
            server 10.10.24.100;
            interface {
                vlan.24;
                vlan.10;
                vlan.12;
                vlan.14;
                vlan.16;
                vlan.18;
                vlan.20;
                vlan.26;
                vlan.28;
            }
        }
    }
}
routing-options {
    nonstop-routing;
    static {
        route 0.0.0.0/0 next-hop 10.10.22.254;
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface vlan.22;
            interface vlan.10;
            interface vlan.12;
            interface vlan.14;
            interface vlan.16;
            interface vlan.18;
            interface vlan.20;
            interface vlan.24;
        }
    }
    igmp-snooping {
        vlan all;
    }
    dcbx {
        interface all;
    }
    rstp {
        bridge-priority 8k;
        interface ae0.0 {
            disable;
        }
        interface ae1.0 {
            disable;
        }
        interface ae2.0 {
            disable;
        }
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
policy-options {
    prefix-list test {
        fd00::0214/128;
    }
}
ethernet-switching-options {
    secure-access-port {
        vlan Data_Wireless_1 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Data_Wireless_2 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wired {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wireless {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
    }
    nonstop-bridging;
    storm-control {
        interface all;
    }
    bpdu-block {
        interface ge-2/0/5.0;
    }
}
vlans {
    Data_Wired_1 {
        vlan-id 10;
        l3-interface vlan.10;
    }
    Data_Wired_2 {
        vlan-id 12;
        l3-interface vlan.12;
    }
    Data_Wireless_1 {
        vlan-id 18;
        l3-interface vlan.18;
    }
    Data_Wireless_2 {
        vlan-id 20;
        l3-interface vlan.20;
    }
    Guest_Wired {
        vlan-id 30;
    }
    Guest_Wireless {
        vlan-id 32;
    }
    Internet_Edge {
        vlan-id 22;
        l3-interface vlan.22;
    }
    Management {
        vlan-id 28;
        l3-interface vlan.28;
    }
    Servers {
        vlan-id 24;
        interface {
            ge-2/0/5.0;
            ge-3/0/5.0;
        }
        l3-interface vlan.24;
    }
    VOIP_Wired_1 {
        vlan-id 14;
        l3-interface vlan.14;
    }
    VOIP_Wired_2 {
        vlan-id 16;
        l3-interface vlan.16;
    }
}
poe {
    interface all;
}
virtual-chassis {
    preprovisioned;
    member 0 {
        role routing-engine;
        serial-number GX0211411253;
    }
    member 1 {
        role routing-engine;
        serial-number GX0211411250;
    }
    member 2 {
        role line-card;
        serial-number FP0211333181;
    }
    member 3 {
        role line-card;
        serial-number FP0211333260;
    }
}

WLC-1 Configuration
# Configuration nvgen'd at 2012-3-21 09:57:49
# Image 7.6.1.3.0
# Model MX-8
# Last change occurred at 2012-3-13 12:27:32
set ip route default 10.10.28.1 1
set system name WLC-1
set system ip-address 10.10.28.9
set system countrycode US
set timezone pst -8 0
set service-profile Secure-802.1X ssid-name Data_Wireless_1
set service-profile Secure-802.1X rsn-ie cipher-ccmp enable
set service-profile Secure-802.1X rsn-ie enable
set service-profile Secure-802.1X attr vlan-name Data_Wireless_1
set service-profile Web-Portal ssid-name Guest_Wireless
set service-profile Web-Portal ssid-type clear
set service-profile Web-Portal auth-fallthru web-portal
set service-profile Web-Portal web-portal-acl portalacl
set service-profile Web-Portal wpa-ie auth-dot1x disable
set service-profile Web-Portal rsn-ie auth-dot1x disable
set service-profile Web-Portal attr vlan-name Guest_Wireless
set enablepass password 28358f9656229c67a90632e745efe4a11b48
set authentication web ssid Guest_Wireless ** local
set authentication dot1x ssid Data_Wireless_1 ** peap-mschapv2 local
set user admin password encrypted 044b0a151c36435c0d
set user bob password encrypted 08314d5d1a0e0a0516
set user bob attr ssid Data_Wireless_1
set user guest password encrypted 044b0a151c36435c0d
set user guest attr ssid Guest_Wireless
set radio-profile default service-profile Secure-802.1X
set radio-profile default service-profile Web-Portal
set ap auto mode enable
set ip telnet server enable
set vlan 1 port 1
set vlan 1 port 2
set vlan 1 port 3
set vlan 1 port 4
set vlan 1 port 5
set vlan 1 port 6
set vlan 1 port 7
set vlan 1 port 8
set vlan 28 name Management
set vlan 28 port 8 tag 28
set vlan 18 name Data_Wireless_1
set vlan 18 port 8 tag 18
set vlan 32 name Guest_Wireless
set vlan 32 port 8 tag 32
set interface 28 ip 10.10.28.9 255.255.255.0
set interface 32 ip 10.10.32.9 255.255.255.0
set mobility-domain mode seed domain-name xyzcompany
set mobility-domain member 10.10.28.10
set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
commit security acl portalacl
set cluster mode enable

WLC-2 Configuration
# Configuration nvgen'd at 2012-3-21 09:59:08
# Image 7.6.1.3.0
# Model MX-8
# Last change occurred at 2012-3-13 12:28:17
set ip route default 10.10.28.1 1
set system name WLC-2
set system ip-address 10.10.28.10
set system countrycode US
set timezone pst -8 0
set service-profile Secure-802.1X ssid-name Data_Wireless_1
set service-profile Secure-802.1X rsn-ie cipher-ccmp enable
set service-profile Secure-802.1X rsn-ie enable
set service-profile Secure-802.1X attr vlan-name Data_Wireless_1
set service-profile Web-Portal ssid-name Guest_Wireless
set service-profile Web-Portal ssid-type clear
set service-profile Web-Portal auth-fallthru web-portal
set service-profile Web-Portal web-portal-acl portalacl
set service-profile Web-Portal wpa-ie auth-dot1x disable
set service-profile Web-Portal rsn-ie auth-dot1x disable
set service-profile Web-Portal attr vlan-name Guest_Wireless
set enablepass password 0a8eaea60ebf415168c5f6b0fbaa524fe17c
set authentication web ssid Guest_Wireless ** local
set authentication dot1x ssid Data_Wireless_1 ** peap-mschapv2 local
set user admin password encrypted 140713181f13253920
set user bob password encrypted 15020a1f173d24362c
set user bob attr ssid Data_Wireless_1
set user guest password encrypted 12090404011c03162e
set user guest attr ssid Guest_Wireless
set radio-profile default service-profile Secure-802.1X
set radio-profile default service-profile Web-Portal
set ap auto mode enable
set vlan 1 port 1
set vlan 1 port 2
set vlan 1 port 3
set vlan 1 port 4
set vlan 1 port 5
set vlan 1 port 6
set vlan 1 port 7
set vlan 1 port 8
set vlan 28 name Management
set vlan 28 port 8 tag 28
set vlan 18 name Data_Wireless_1
set vlan 18 port 8 tag 18
set vlan 32 name Guest_Wireless
set vlan 32 port 8 tag 32
set interface 28 ip 10.10.28.10 255.255.255.0
set interface 32 ip 10.10.32.10 255.255.255.0
set mobility-domain mode secondary-seed domain-name xyzcompany seed-ip 10.10.28.9
set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
commit security acl portalacl
set cluster mode enable

SRX650 Cluster Set Commands


set groups node0 system host-name srx650-1
set groups node0 interfaces fxp0 unit 0 family inet address 10.94.188.103/24
set groups node1 system host-name srx650-2
set groups node1 interfaces fxp0 unit 0 family inet address 10.94.188.104/24
set apply-groups node0
set apply-groups node1
set system domain-name xyxcompany.com
set system time-zone America/Los_Angeles
set system root-authentication encrypted-password "$1$/BmrTFS/$7BfLGntduS8.fj3BYVuuQ0"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-server 10.10.24.100
set system services ssh
set system services xnm-clear-text
set system services web-management https system-generated-certificate
set system services dhcp pool 10.10.30.0/24 address-range low 10.10.30.11
set system services dhcp pool 10.10.30.0/24 address-range high 10.10.30.250
set system services dhcp pool 10.10.30.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.30.0/24 name-server 208.67.220.220
set system services dhcp pool 10.10.30.0/24 name-server 208.67.222.222
set system services dhcp pool 10.10.30.0/24 router 10.10.30.254
set system services dhcp pool 10.10.32.0/24 address-range low 10.10.32.11
set system services dhcp pool 10.10.32.0/24 address-range high 10.10.32.250
set system services dhcp pool 10.10.32.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.32.0/24 name-server 208.67.220.220
set system services dhcp pool 10.10.32.0/24 name-server 208.67.222.222
set system services dhcp pool 10.10.32.0/24 router 10.10.32.254
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set chassis cluster reth-count 1
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-2/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-11/0/0 weight 255
set interfaces ge-2/0/0 gigether-options redundant-parent reth0
set interfaces ge-2/0/1 description "primary internet connection"
set interfaces ge-2/0/1 unit 0 family inet address 10.94.191.233/24
set interfaces ge-11/0/0 gigether-options redundant-parent reth0
set interfaces ge-11/0/2 description "Backup Internet Connection"
set interfaces ge-11/0/2 unit 0 family inet address 10.94.194.56/24
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 description "Unit 0 must be given a VLAN tag so using a dummy tag to align units to tags"
set interfaces reth0 unit 0 vlan-id 1
set interfaces reth0 unit 22 description "Internet Edge"
set interfaces reth0 unit 22 vlan-id 22
set interfaces reth0 unit 22 family inet address 10.10.22.254/24
set interfaces reth0 unit 28 description Management
set interfaces reth0 unit 28 vlan-id 28
set interfaces reth0 unit 28 family inet address 10.10.28.254/24
set interfaces reth0 unit 30 description "Guest Wired"
set interfaces reth0 unit 30 vlan-id 30
set interfaces reth0 unit 30 family inet address 10.10.30.254/24
set interfaces reth0 unit 32 description "Guest Wireless"
set interfaces reth0 unit 32 vlan-id 32
set interfaces reth0 unit 32 family inet address 10.10.32.254/24
set routing-options static route 0.0.0.0/0 qualified-next-hop 10.94.194.254 preference 20
set routing-options static route 0.0.0.0/0 qualified-next-hop 10.94.191.254 preference 10
set protocols ospf area 0.0.0.0 interface reth0.22
set protocols lldp interface ge-2/0/0.0
set protocols lldp interface ge-11/0/0.0
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set Guest-to-untrust from zone Guest
set security nat source rule-set Guest-to-untrust to zone untrust
set security nat source rule-set Guest-to-untrust rule Guest-source-nat match source-address 0.0.0.0/0
set security nat source rule-set Guest-to-untrust rule Guest-source-nat then source-nat interface
set security nat source rule-set Internet_Edge-to-untrust from zone Internet_Edge
set security nat source rule-set Internet_Edge-to-untrust to zone untrust
set security nat source rule-set Internet_Edge-to-untrust rule Internet_Edge-source-nat match source-address 0.0.0.0/0
set security nat source rule-set Internet_Edge-to-untrust rule Internet_Edge-source-nat then source-nat interface
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wireless
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wired
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match destination-address any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match application any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet then permit
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wired_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wired_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wireless_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wireless_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Servers
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address VOIP_Wired_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address VOIP_Wired_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match destination-address any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match application any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet then permit
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-11/0/2.0
set security zones security-zone untrust interfaces ge-2/0/1.0
set security zones security-zone Guest address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Guest address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Guest host-inbound-traffic system-services ping
set security zones security-zone Guest host-inbound-traffic system-services traceroute
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services dhcp
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services bootp
set security zones security-zone Guest interfaces reth0.32 host-inbound-traffic system-services dhcp
set security zones security-zone Guest interfaces reth0.32 host-inbound-traffic system-services bootp
set security zones security-zone Management host-inbound-traffic system-services ssh
set security zones security-zone Management host-inbound-traffic system-services http
set security zones security-zone Management host-inbound-traffic system-services https
set security zones security-zone Management host-inbound-traffic system-services ping
set security zones security-zone Management host-inbound-traffic system-services snmp
set security zones security-zone Management host-inbound-traffic system-services traceroute
set security zones security-zone Management interfaces reth0.28
set security zones security-zone Internet_Edge address-book address Data_Wired_1 10.10.10.0/24
set security zones security-zone Internet_Edge address-book address Data_Wired_2 10.10.12.0/24
set security zones security-zone Internet_Edge address-book address VOIP_Wired_1 10.10.14.0/24
set security zones security-zone Internet_Edge address-book address VOIP_Wired_2 10.10.16.0/24
set security zones security-zone Internet_Edge address-book address Data_Wireless_1 10.10.18.0/24
set security zones security-zone Internet_Edge address-book address Data_Wireless_2 10.10.20.0/24
set security zones security-zone Internet_Edge address-book address Servers 10.10.24.0/24
set security zones security-zone Internet_Edge address-book address Access_Points 10.10.26.0/24
set security zones security-zone Internet_Edge address-book address Management 10.10.28.0/24
set security zones security-zone Internet_Edge address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Internet_Edge address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Internet_Edge host-inbound-traffic system-services ping
set security zones security-zone Internet_Edge host-inbound-traffic system-services traceroute
set security zones security-zone Internet_Edge host-inbound-traffic protocols ospf
set security zones security-zone Internet_Edge interfaces reth0.22

SRX650 Cluster Configuration Statements


## Last changed: 2012-03-21 10:56:20 PDT
version 11.4R1.6;
groups {
    node0 {
        system {
            host-name srx650-1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.94.188.103/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name srx650-2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.94.188.104/24;
                    }
                }
            }
        }
    }
}
apply-groups [ node0 node1 ];
system {
    domain-name xyxcompany.com;
    time-zone America/Los_Angeles;
    root-authentication {
        encrypted-password "$1$/BmrTFS/$7BfLGntduS8.fj3BYVuuQ0"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
        10.10.24.100;
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            pool 10.10.30.0/24 {
                address-range low 10.10.30.11 high 10.10.30.250;
                domain-name xyzcompany.com;
                name-server {
                    208.67.220.220;
                    208.67.222.222;
                }
                router {
                    10.10.30.254;
                }
            }
            pool 10.10.32.0/24 {
                address-range low 10.10.32.11 high 10.10.32.250;
                domain-name xyzcompany.com;
                name-server {
                    208.67.220.220;
                    208.67.222.222;
                }
                router {
                    10.10.32.254;
                }
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    cluster {
        reth-count 1;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            interface-monitor {
                ge-2/0/0 weight 255;
                ge-11/0/0 weight 255;
            }
        }
    }
}
interfaces {
    ge-2/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-2/0/1 {
        description "primary internet connection";
        unit 0 {
            family inet {
                address 10.94.191.233/24;
            }
        }
    }
    ge-11/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-11/0/2 {
        description "Backup Internet Connection";
        unit 0 {
            family inet {
                address 10.94.194.56/24;
            }
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-9/0/2;
            }
        }
    }
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            description "Unit 0 must be given a VLAN tag so using a dummy tag to align units to tags";
            vlan-id 1;
        }
        unit 22 {
            description "Internet Edge";
            vlan-id 22;
            family inet {
                address 10.10.22.254/24;
            }
        }
        unit 28 {
            description Management;
            vlan-id 28;
            family inet {
                address 10.10.28.254/24;
            }
        }
        unit 30 {
            description "Guest Wired";
            vlan-id 30;
            family inet {
                address 10.10.30.254/24;
            }
        }
        unit 32 {
            description "Guest Wireless";
            vlan-id 32;
            family inet {
                address 10.10.32.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            qualified-next-hop 10.94.194.254 {
                preference 20;
            }
            qualified-next-hop 10.94.191.254 {
                preference 10;
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface reth0.22;
        }
    }
    lldp {
        interface ge-2/0/0.0;
        interface ge-11/0/0.0;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set Guest-to-untrust {
                from zone Guest;
                to zone untrust;
                rule Guest-source-nat {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set Internet_Edge-to-untrust {
                from zone Internet_Edge;
                to zone untrust;
                rule Internet_Edge-source-nat {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Guest to-zone untrust {
            policy allow-guest-to-internet {
                match {
                    source-address [ Guest_Wireless Guest_Wired ];
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet_Edge to-zone untrust {
            policy allow-Internet_Edge-to-internet {
                match {
                    source-address [ Data_Wired_1 Data_Wired_2 Data_Wireless_1 Data_Wireless_2 Servers VOIP_Wired_1 VOIP_Wired_2 ];
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-11/0/2.0;
                ge-2/0/1.0;
            }
        }
        security-zone Guest {
            address-book {
                address Guest_Wired 10.10.30.0/24;
                address Guest_Wireless 10.10.32.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
            }
            interfaces {
                reth0.30 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            bootp;
                        }
                    }
                }
                reth0.32 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            bootp;
                        }
                    }
                }
            }
        }
        security-zone Management {
            host-inbound-traffic {
                system-services {
                    ssh;
                    http;
                    https;
                    ping;
                    snmp;
                    traceroute;
                }
            }
            interfaces {
                reth0.28;
            }
        }
        security-zone Internet_Edge {
            address-book {
                address Data_Wired_1 10.10.10.0/24;
                address Data_Wired_2 10.10.12.0/24;
                address VOIP_Wired_1 10.10.14.0/24;
                address VOIP_Wired_2 10.10.16.0/24;
                address Data_Wireless_1 10.10.18.0/24;
                address Data_Wireless_2 10.10.20.0/24;
                address Servers 10.10.24.0/24;
                address Access_Points 10.10.26.0/24;
                address Management 10.10.28.0/24;
                address Guest_Wired 10.10.30.0/24;
                address Guest_Wireless 10.10.32.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
                protocols {
                    ospf;
                }
            }
            interfaces {
                reth0.22;
            }
        }
    }
}
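The SRX650 configuration above is the reference for this design, and a reviewer reading it would want to check the same few things on any clone of it: `xnm-clear-text` is enabled under `system services`, the Management zone accepts plain `http` as well as `https`, the root password is stored as a `$1$` (MD5-crypt) hash, and both permit policies match `application any`. The following script is an added example, not code from the guide, that parses Junos `set`-format statements (the form used in the first part of this appendix) and reports those settings together with the CLI change that removes each one. The `SAMPLE` statements are a subset of the configuration above transcribed into `set` form; the check names and the `Finding` type are this example's own.

```python
"""Lint Junos 'set'-format statements for the weak settings a reviewer would
look for in the SRX650 configuration above: cleartext management services,
an MD5-based root password hash, and permit policies that match 'application
any'.  This is an added example, not code from the design guide.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the SRX650 cluster configuration shown above,
# transcribed into 'set' form (the guide prints that part hierarchically).
SAMPLE = """
set system root-authentication encrypted-password "$1$/BmrTFS/$7BfLGntduS8.fj3BYVuuQ0"
set system services ssh
set system services xnm-clear-text
set system services web-management https system-generated-certificate
set security zones security-zone Management host-inbound-traffic system-services ssh
set security zones security-zone Management host-inbound-traffic system-services http
set security zones security-zone Management host-inbound-traffic system-services https
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wired
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match destination-address any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match application any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet then permit
"""


@dataclass
class Finding:
    check: str         # short check identifier (this example's own names)
    statement: str     # the offending statement, or the policy path
    remediation: str   # Junos CLI change, or a description when the fix is a design decision


def parse_set_statements(text):
    """Split each 'set ...' line into tokens, keeping double-quoted values whole."""
    statements = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        statements.append(re.findall(r'"[^"]*"|\S+', line)[1:])
    return statements


def lint(text):
    """Return a list of Finding for the weak settings present in the statements."""
    findings = []
    policies = {}  # (from-zone, to-zone, policy name) -> set of flags seen so far
    for tok in parse_set_statements(text):
        joined = "set " + " ".join(tok)
        # Junoscript over cleartext exposes configuration sessions on the wire.
        if tok[:3] == ["system", "services", "xnm-clear-text"]:
            findings.append(Finding("cleartext-junoscript", joined,
                                    "delete system services xnm-clear-text"))
        # A $1$ prefix means the stored root hash is MD5-crypt.
        if tok[:3] == ["system", "root-authentication", "encrypted-password"] \
                and tok[3].strip('"').startswith("$1$"):
            findings.append(Finding("md5-root-hash", joined,
                                    "re-enter the root password on a release that stores a SHA-based hash"))
        # Plain http in a zone's host-inbound-traffic is cleartext device management.
        if (len(tok) == 7 and tok[:3] == ["security", "zones", "security-zone"]
                and tok[4:7] == ["host-inbound-traffic", "system-services", "http"]):
            findings.append(Finding("cleartext-http", joined,
                                    "delete security zones security-zone %s "
                                    "host-inbound-traffic system-services http" % tok[3]))
        # Collect policy terms so 'application any' and 'then permit' can be paired up.
        if tok[:2] == ["security", "policies"] and len(tok) > 8 \
                and tok[2] == "from-zone" and tok[4] == "to-zone" and tok[6] == "policy":
            flags = policies.setdefault((tok[3], tok[5], tok[7]), set())
            rest = tok[8:]
            if rest == ["match", "application", "any"]:
                flags.add("application-any")
            if rest == ["then", "permit"]:
                flags.add("permit")
    for (src, dst, name), flags in policies.items():
        if {"application-any", "permit"} <= flags:
            findings.append(Finding("broad-permit",
                                    "from-zone %s to-zone %s policy %s" % (src, dst, name),
                                    "replace 'application any' with the applications this zone pair needs"))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE):
        print("%-20s %s\n    fix: %s" % (f.check, f.statement, f.remediation))
```

Run it against the output of `show configuration | display set` to lint a live device; the `broad-permit` check is deliberately a two-statement correlation, since `application any` is only a problem when the same policy also permits, and the Guest policy in this design is a case where the reviewer may accept it after weighing the guest zone's purpose.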


APPENDIX E

Bill of Materials
The tables in this Appendix list the hardware required to assemble and deploy the validated network.

Table 6: Hardware List for the Network Core

Network Core (resides in closet 1.1): WLCs, Firewalls, Switching/Routing Hardware

EX4500-40F-FB-C (quantity: 2)
    40-port 1-Gigabit Ethernet or 10-Gigabit Ethernet SFP/SFP+, front-to-back airflow, hardware support for Data Center Bridging, and support for eight PFC (802.1Qbb) queues.

EX4200-48PX (quantity: not legible in source)
    48-port 10/100/1000BASE-T (48 PoE+ ports) + 930 W AC PSU. Includes 50cm Virtual Chassis cable.

EX-SFP-10GE-SR (quantity: 40)
    SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 micron multimode fiber; 33m on 62.5 micron multimode fiber.

SRX650-BASE-SRE6-645AP (quantity: not legible in source; the cluster configuration in Appendix D uses two units)
    SRX650 Services Gateway with SRE 6, 645 W AC PoE PSU; includes 4 onboard 10/100/1000BASE-T ports, 2 GB DRAM, 2 GB CF, 247 W PoE power, fan tray, power cord and rack-mount kit.

SRX-GP-16GE (quantity: 2)
    16-port 10/100/1000BASE-T XPIM.

WLC8R (quantity: 2)
    Wireless LAN controller with 8 x 10/100BASE-T ports (6 PoE), dual integrated PSU and support for 12 access points.

Table 7: Hardware List for Closet 1.1

Closet 1.1 Access Switches and WLAN Hardware

EX4200-48PX (quantity: 2)
    48-port 10/100/1000BASE-T (48 PoE+ ports) + 930 W AC PSU. Includes 50cm Virtual Chassis cable.

EX-UM-2X4SFP (quantity: not legible in source; Tables 8 to 10 list 2 for the same closet hardware)
    2-port 10G SFP+ / 4-port 1G SFP Uplink Module.

EX-SFP-10GE-SR (quantity: 3)
    SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 micron multimode fiber; 33m on 62.5 micron multimode fiber.

WLA522-US (quantity: not legible in source)
    Access point with dual radios 802.11a/b/g/n 2x2 MIMO (2SS), single 1000BASE-T 802.3af PoE Ethernet port, 4 internal antennas. Not rated for plenum use. Ceiling/wall mount bracket included. Required for operation in USA.

Table 8: Hardware List for Closet 1.2

Closet 1.2 Access Switches and WLAN Hardware

EX4200-48PX (quantity: 2)
    48-port 10/100/1000BASE-T (48 PoE+ ports) + 930 W AC PSU. Includes 50cm Virtual Chassis cable.

EX-UM-2X4SFP (quantity: 2)
    2-port 10G SFP+ / 4-port 1G SFP Uplink Module.

EX-SFP-10GE-SR (quantity: 3)
    SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 micron multimode fiber; 33m on 62.5 micron multimode fiber.

WLA522-US (quantity: not legible in source)
    Access point with dual radios 802.11a/b/g/n 2x2 MIMO (2SS), single 1000BASE-T 802.3af PoE Ethernet port, 4 internal antennas. Not rated for plenum use. Ceiling/wall mount bracket included. Required for operation in USA.

Table 9: Hardware List for Closet 2.1

Closet 2.1 Access Switches and WLAN Hardware

EX4200-48PX (quantity: 2)
    48-port 10/100/1000BASE-T (48 PoE+ ports) + 930 W AC PSU. Includes 50cm Virtual Chassis cable.

EX-UM-2X4SFP (quantity: 2)
    2-port 10G SFP+ / 4-port 1G SFP Uplink Module.

EX-SFP-10GE-SR (quantity: 3)
    SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 micron multimode fiber; 33m on 62.5 micron multimode fiber.

WLA522-US (quantity: not legible in source)
    Access point with dual radios 802.11a/b/g/n 2x2 MIMO (2SS), single 1000BASE-T 802.3af PoE Ethernet port, 4 internal antennas. Not rated for plenum use. Ceiling/wall mount bracket included. Required for operation in USA.


Table 10: Hardware List for Closet 2.2

Closet 2.2 Access Switches and WLAN Hardware

EX4200-48PX (quantity: 2)
    48-port 10/100/1000BASE-T (48 PoE+ ports) + 930 W AC PSU. Includes 50cm Virtual Chassis cable.

EX-UM-2X4SFP (quantity: 2)
    2-port 10G SFP+ / 4-port 1G SFP Uplink Module.

EX-SFP-10GE-SR (quantity: 3)
    SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 micron multimode fiber; 33m on 62.5 micron multimode fiber.

WLA522-US (quantity: not legible in source)
    Access point with dual radios 802.11a/b/g/n 2x2 MIMO (2SS), single 1000BASE-T 802.3af PoE Ethernet port, 4 internal antennas. Not rated for plenum use. Ceiling/wall mount bracket included. Required for operation in USA.
