Table of Contents
Introduction
Scope
Hardware Requirements
Software Requirements
JUNOS Software Release 9.2 J Series Switching Features
JUNOS Software Release 9.2 Switching Configuration Examples
Enabling Enhanced Switching
Configuring Layer 2 Switching
Configuring Bridging Domains
Extending Bridging Domains and Configuring Tagged Interfaces
Configuring Integrated Routing and Bridging
Configuring Link Aggregation
Simple LAN Switching Scenario
Adding VLANS
Routing Traffic Between VLANs
Adding a Tagged Interface
Increasing Capacity with Link Aggregation
Monitoring
Summary
About Juniper Networks
Table of Figures
Figure 1: VLAN Tagging
Figure 2: Trunk and Access Ports
Figure 3: Integrated Routing and Bridging
Figure 4: Layer 2 Switching Topology
Figure 5: Adding Sales and Operations VLANs
Figure 6: Adding Routing Between VLANs
Figure 7: Adding a Tagged Interface
Figure 8: Increasing Capacity with Link Aggregation
Introduction
Juniper Networks J Series Services Routers provide high-performance networking for branch-office and regional
sites, integrating routing, WAN connectivity, security, LAN switching, VoIP/telephony and WAN optimization, which
effectively extends enterprise applications and services to remote locations. A new family of high-density Ethernet
Physical Interface Modules (PIMs) was introduced with Juniper Networks JUNOS Software release 8.5, which
allowed small branch offices to aggregate Ethernet connections directly onto J Series Services Routers, eliminating
the need for Layer 2 switches. In medium-sized branch offices, J Series routers could also now be used to aggregate
traffic from multiple Layer 2 access switches.
However, to more effectively collapse part of the switching infrastructure onto J Series routers, JUNOS Software
has to be able to provide additional functionality that is commonly offered at the switching layer. JUNOS Software
release 9.2 for J Series routers introduces much of this functionality by adding additional Layer 2 switching features,
integrated routing and bridging, and support of several Layer 2 protocols.
Scope
This application note provides an overview of the new JUNOS Software Layer 2 features for J Series routers. It
describes several common deployment scenarios, with detailed configurations for each scenario. When configuring
JUNOS Software advanced switching on J Series, please note the hardware and software requirements outlined below.
Hardware Requirements
J Series Services Routers (Juniper Networks J2320, J2350, J4350, or J6350 Services Routers)
- 8-port 10/100/1000BASE-T
- 16-port 10/100/1000BASE-T
- 6-port SFP (supporting T, LX, SX and LH SFPs)
Software Requirements
JUNOS Software with enhanced services release 9.2 or later for the J Series platform
Although advanced switching for the J Series is sourced from the EX Series product family, J Series features are a
subset of those offered in the EX Series. In particular, the following features are not included in JUNOS release 9.2
for the J Series:
- Layer 2 access control lists (ACLs)
- Layer 2 Quality of Service (QOS) for ports in switching mode
- Internet Group Management Protocol (IGMP) snooping
- Dynamic Host Configuration Protocol (DHCP) snooping
- Address Resolution Protocol (ARP) inspection
- MAC spoofing protection
- SNMP MIB support (for the new Layer 2 features)
- Virtual chassis
Future feature additions to EX Series platforms will not automatically be ported to JUNOS for J Series routers. Layer
2 features from earlier JUNOS releases continue to be supported for compatibility purposes.
In the current implementation, only one advanced switching uPIM is supported per J Series chassis (additional
uPIMs can operate in routed mode or in legacy Layer 2 mode). Although future versions of JUNOS may remove this
restriction, VLANs will not be able to cross uPIM boundaries as J Series routers do not have a fabric backplane,
which would allow the switching of traffic between different uPIMs without sending frames to the CPU. Additionally,
the designated advanced switching uPIM is able to support a combination of switched and routed ports as necessary.
Additionally, you have to specify which interfaces will be part of the newly created domain. There are two ways to
allocate interfaces. (These ways are identical from a functional point of view; it is up to you to choose the method you
prefer). The first way, under the [interface <name> unit 0 family ethernet-switching] hierarchy, is to declare the VLAN
as part of an interface configuration.
interfaces {
    ge-<slot number>/0/<port number> {
        unit 0 {
            family ethernet-switching {
                vlan members <vlan name or id>;
            }
        }
    }
}
The second way, under the [vlan <name> interface] hierarchy, is to define VLAN member interfaces.
vlans {
    <name> {
        interface {
            <interface name>;
            <interface name>;
        }
    }
}
Both methods can be combined as long as no inconsistencies are introduced (for example, the same interface cannot
be defined as a member of two or more VLANs).
[Figure: VLAN Orange and VLAN Blue carried across EX3200 switches on Floor 1 and Floor 2]
An interface can be configured as a trunk port by simply setting the port-mode value to trunk under the family
ethernet-switching line. A trunk port can then be defined as part of multiple VLANs, which allows a switching port
defined as a trunk port to be associated with more than one VLAN. Traffic forwarded from a trunk port will be tagged
using the VLAN ID of the originating VLAN, while received traffic will be forwarded to the appropriate VLAN for
distribution (Figure 2).
interfaces {
    ge-*/*/* {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ <vlan name or id> <vlan name or id> ];
                }
            }
        }
    }
}
[Figure: Layer 2 intra-VLAN traffic locally switched in the uPIM. Labels: VLAN Orange, VLAN Blue, VLAN Red; ge-4/0/0 (trunk); ge-4/0/1, ge-4/0/2 and ge-4/0/3 (access); interface vlan.0, interface vlan.1, interface vlan.2]
To add a Layer 3 interface to a bridging domain, a logical interface has to be created under the [interfaces
vlan] hierarchy. After the logical interface is created, it must be associated with a particular VLAN using the
l3-interface keyword.
interfaces {
    vlan {
        unit <unit number> {
            family inet {
                address <ip address>/<netmask>;
            }
        }
    }
}
vlans {
    <vlan name> {
        l3-interface vlan.<unit of newly created vlan ifl>;
    }
}
Layer 3 VLAN interfaces are no different than any other Layer 3 interface in JUNOS and thus require the same
configuration. In particular, these interfaces have to be assigned to a security zone, and security policies have to
explicitly allow traffic to be forwarded between these interfaces and any other configured Layer 3 interfaces.
Aggregate device count refers to the total number of aggregated interfaces in the system and not the number of
physical interfaces per aggregate bundle.
This configuration will create aggregate interfaces named ae0 to ae<device-count -1>. After these interfaces
are created, you have to associate physical interfaces with them, which you do under the gigether-options hierarchy.
interfaces {
    <interface name> {
        gigether-options {
            802.3ad <bundle interface name>;
        }
    }
}
LACP is not required, but, if supported and configured, it enables automatic traffic switchover when one or more
links fail. It also prevents common misconfiguration errors by confirming that both devices are set up for link
aggregation. LACP can be enabled under the aggregated-ether-options section of the aggregated interface (make
sure that at least one of the endpoints is configured as active).
interfaces {
    <aggregate interface name> {
        aggregated-ether-options {
After a bundle interface is created, it can be configured just like any other interface: for example, you can enable
switching, add the interface to a VLAN (or a group of VLANs), and enable VLAN tagging.
This example details the configuration needed to use a J Series router as a simple Layer 2 switch. Although not a
common deployment, it serves as a good starting point. The topology is illustrated in Figure 4.
Figure 4: Layer 2 Switching Topology (J Series with ge-3/0/0, ge-3/0/1 and ge-3/0/2)
Adding VLANS
Now suppose that this small branch office has two departments: sales and operations. To isolate the departments
and prevent traffic from leaking between domains, VLANS are added to the design, resulting in a new topology,
illustrated in Figure 5.
[Figure: J Series with ge-3/0/3, ge-3/0/4, ge-3/0/0 and ge-3/0/1 serving the SALES and OPERATIONS VLANs]
[Figure: the same topology with the 10.1.1.0/24 and 10.1.2.0/24 networks and the gateway addresses 10.1.1.1 and 10.1.2.1 on the J Series]
The following configuration adds two Layer 3 interfaces, one for each VLAN, which will serve as default gateways
for the respective network segments. These new VLAN interfaces are then added to security zones, and security
policies are defined to allow traffic between the zones. In this example, two security zones, Sales and Operations, are
created, and FTP traffic is allowed between them.
chassis {
    fpc 3 {
        pic 0 {
            ethernet {
                pic-mode enhanced-switching;
            }
        }
    }
}
interfaces {
    ge-3/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-3/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-3/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-3/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    vlan {
        unit 10 {
            family inet {
                address 10.1.1.1/24;
            }
        }
        unit 11 {
            family inet {
                address 10.1.2.1/24;
            }
        }
    }
}
security {
    zones {
        security-zone Sales {
            interfaces {
                vlan.10;
            }
        }
        security-zone Operations {
            interfaces {
                vlan.11;
            }
        }
    }
    policies {
        from-zone Sales to-zone Operations {
            policy Allow_ftp {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ftp;
                }
                then {
                    permit;
                }
            }
        }
    }
}
vlans {
    operations {
        vlan-id 11;
        interface {
            ge-3/0/1.0;
            ge-3/0/0.0;
        }
        l3-interface vlan.11;
    }
    sales {
        vlan-id 10;
        interface {
            ge-3/0/3.0;
            ge-3/0/4.0;
        }
        l3-interface vlan.10;
    }
}
Although not required, the VLAN interface unit number matches the vlan-id for every Layer 3 interface created,
which helps make the configuration easier to read and debug if necessary.
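Two rules stated earlier in this note can be checked mechanically before a commit: an access interface cannot be a member of two or more VLANs, and every Layer 3 VLAN interface has to be assigned to a security zone. The Python script below is an added example, not part of the original application note or of JUNOS. The names parse_junos and audit, the finding labels and the sample configuration are assumptions made for illustration, and the script only reads VLAN membership declared under the vlans hierarchy.

```python
import re

# Constructed sample: vlan.11 has no zone; access port ge-3/0/3.0 is in two VLANs.
SAMPLE = """
interfaces {
  ge-3/0/3 { unit 0 { family ethernet-switching; } }
  ge-3/0/7 { unit 0 { family ethernet-switching { port-mode trunk; } } }
}
security { zones { security-zone Sales { interfaces { vlan.10; } } } }
vlans {
  sales { vlan-id 10; interface { ge-3/0/3.0; ge-3/0/7.0; } l3-interface vlan.10; }
  operations { vlan-id 11; interface { ge-3/0/3.0; ge-3/0/7.0; } l3-interface vlan.11; }
}
"""

def parse_junos(text):
    """Parse curly-brace configuration text into nested dicts; leaf statements map to None."""
    root = {}
    stack = [root]
    for stmt, sep in re.findall(r"([^{};]*)([{};])", text):
        stmt = " ".join(stmt.split())
        if sep == "{":
            stack.append(stack[-1].setdefault(stmt, {}))
        elif sep == ";":
            stack[-1][stmt] = None
        elif len(stack) == 1:
            raise ValueError("unbalanced '}'")
        else:
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return root

def audit(cfg):
    """Return (check, subject) findings: unzoned L3 VLAN interfaces, multi-VLAN access ports."""
    zones = cfg.get("security", {}).get("zones", {})
    zoned = {i for z in zones.values() for i in (z.get("interfaces") or {})}
    findings, members = [], {}
    for name, vlan in cfg.get("vlans", {}).items():
        for stmt in vlan:
            if stmt.startswith("l3-interface ") and stmt.split()[1] not in zoned:
                findings.append(("l3-not-in-zone", stmt.split()[1]))
        for ifl in vlan.get("interface") or {}:
            members.setdefault(ifl, []).append(name)
    for ifl, vlans in members.items():
        ifd, _, unit = ifl.rpartition(".")
        unit_cfg = cfg.get("interfaces", {}).get(ifd, {}).get("unit " + unit, {})
        # Only a port with port-mode trunk may legitimately appear in several VLANs.
        trunk = "port-mode trunk" in (unit_cfg.get("family ethernet-switching") or {})
        if len(vlans) > 1 and not trunk:
            findings.append(("access-port-multi-vlan", ifl))
    return findings

if __name__ == "__main__":
    print(audit(parse_junos(SAMPLE)))
```

The parser assumes statements contain no quoted strings with braces or semicolons, which holds for the configurations shown in this note.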
[Figure: J Series with ge-3/0/3, ge-3/0/4, ge-3/0/0 and ge-3/0/1; SALES and OPERATIONS VLANs; networks 10.1.1.0/24 and 10.1.2.0/24 with gateway addresses 10.1.1.1 and 10.1.2.1]
As can be seen in Figure 7, the ge-3/0/7 interface is designed to transport traffic from both administrative domains.
To implement this design, VLAN tagging is configured on the ge-3/0/7 interface.
chassis {
    fpc 3 {
        pic 0 {
            ethernet {
                pic-mode enhanced-switching;
            }
        }
    }
}
interfaces {
    ge-3/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-3/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-3/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-3/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-3/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
            }
        }
    }
    vlan {
        unit 10 {
            family inet {
                address 10.1.1.1/24;
            }
        }
        unit 11 {
            family inet {
                address 10.1.2.1/24;
            }
        }
    }
}
security {
    zones {
        functional-zone management {
            interfaces {
                ge-0/0/0.0;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
        security-zone Sales {
            interfaces {
                vlan.10;
            }
        }
        security-zone Operations {
            interfaces {
                vlan.11;
            }
        }
    }
    policies {
        from-zone Sales to-zone Operations {
            policy Allow_ftp {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ftp;
                }
                then {
                    permit;
                }
            }
        }
    }
}
vlans {
    operations {
        vlan-id 11;
        interface {
            ge-3/0/1.0;
            ge-3/0/0.0;
            ge-3/0/7.0;
        }
        l3-interface vlan.11;
    }
    sales {
        vlan-id 10;
        interface {
            ge-3/0/3.0;
            ge-3/0/4.0;
            ge-3/0/7.0;
        }
        l3-interface vlan.10;
    }
}
[Figure: J Series with ge-3/0/7, ge-3/0/3, ge-3/0/4, ge-3/0/0 and ge-3/0/1; SALES and OPERATIONS VLANs; networks 10.1.1.0/24 and 10.1.2.0/24 with gateway addresses 10.1.1.1 and 10.1.2.1]
    }
    ge-3/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-3/0/6 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-3/0/7 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        aggregated-ether-options {
            minimum-links 1;
            link-speed 1g;
            lacp {
                active;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
            }
        }
    }
    vlan {
        unit 10 {
            family inet {
                address 10.1.1.1/24;
            }
        }
        unit 11 {
            family inet {
                address 10.1.2.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.19.101.1;
    }
}
security {
    zones {
        functional-zone management {
            interfaces {
                ge-0/0/0.0;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
        security-zone Sales {
            interfaces {
                vlan.10;
            }
        }
        security-zone Operations {
            interfaces {
                vlan.11;
            }
        }
    }
    policies {
        from-zone Sales to-zone Operations {
            policy Allow_ftp {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ftp;
                }
                then {
                    permit;
                }
            }
        }
    }
}
vlans {
    operations {
        vlan-id 11;
        interface {
            ge-3/0/1.0;
            ge-3/0/0.0;
            ae0.0;
        }
        l3-interface vlan.11;
    }
    sales {
        vlan-id 10;
        interface {
            ge-3/0/3.0;
            ge-3/0/4.0;
            ae0.0;
        }
        l3-interface vlan.10;
    }
}
Monitoring
Verifying and troubleshooting the configurations presented is easily accomplished by first looking at the interface-to-VLAN mapping and then the MAC address table as necessary.
#run show ethernet-switching interfaces
Interface    State   VLAN members   Blocking
ae0.0        up      operations     unblocked
                     sales          unblocked
ge-3/0/0.0   up      operations     unblocked
ge-3/0/1.0   up      operations     unblocked
ge-3/0/3.0   up      sales          unblocked
ge-3/0/4.0   up      sales          unblocked
Age
0
-
Interfaces
All-members
Router
ge-3/0/0.0
Router
Both commands shown here include a detailed output option that displays additional information. Tracing can be
enabled from the [ethernet-switching-options] hierarchy.
Summary
The J Series Services Routers are a complete branch-office solution that blends sophisticated local Ethernet
connectivity with the capability to extend enterprise applications and services to remote locations. Built on
JUNOS Software, the J Series use the Juniper Networks extended product and partner portfolio to consolidate
essential security, connectivity, application optimization, and VoIP capabilities. To ensure network integrity, the
J Series Services Routers inseparably integrate high-performance routing with security for predictable, secure
performance. Should onsite demand for Ethernet ports exceed the capacity of the J Series, the EX Series Ethernet
Switches (also based on JUNOS Software) can meet growth needs while preserving the lower management costs
of a single operating system. When demanding application performance is the issue, remote users will appreciate
the application acceleration offered by the integrated technology of the Juniper Networks WX Series Application
Acceleration Platforms. For survivable voice, J Series routers support an integrated voice gateway solution from
Avaya. For additional information, please refer to J Series and JUNOS Software documentation.