Configuring Enhanced Switching Mode Features on the J Series Services Router
This section describes how to configure enhanced switching mode features on J Series devices.
This section covers:
- Configuring VLANs—Quick Configuration
- Configuring a Spanning Tree—Quick Configuration
- Configuring LACP in J-Web
- Configuring 802.1x—Quick Configuration
- Configuring IGMP Snooping—Quick Configuration
- Configuring GVRP—Quick Configuration
Configuring VLANs—Quick Configuration
Each VLAN is a collection of network nodes that are grouped together to form separate broadcast domains. On an Ethernet network that is a single LAN, all traffic is forwarded to all nodes on the LAN. On VLANs, frames whose origin and destination are in the same VLAN are forwarded only within the local VLAN. Frames that are not destined for the local VLAN are the only ones forwarded to other broadcast domains. VLANs thus limit the amount of traffic flowing across the entire LAN, reducing the possible number of collisions and packet retransmissions within a VLAN and on the LAN as a whole.
On an Ethernet LAN, all network nodes must be physically connected to the same network. On VLANs, the physical location of the nodes is not important, so you can group network devices in any way that makes sense for your organization, such as by department or business function, by types of network nodes, or even by physical location. Each VLAN is identified by a single IP subnetwork and by standardized IEEE 802.1Q encapsulation.
You can use the J-Web Quick Configuration to add a new VLAN or to edit or delete an existing VLAN.
To access the VLAN Quick Configuration:
- In the J-Web user interface, select Configure>Switching>VLAN.
The VLAN Configuration page displays a list of existing VLANs. If you select a specific VLAN, the specific VLAN details are displayed in the Details section.
- Click one:
- Add—Creates a VLAN.
- Edit—Edits an existing VLAN configuration.
- Delete—Deletes an existing VLAN.
Note: If you delete a VLAN, the VLAN configuration for all the associated interfaces is also deleted.
When you are adding or editing a VLAN, enter information as described in Table 127.
- Click one:
- To apply changes to the configuration, click OK.
- To cancel the configuration without saving changes, click Cancel.
Table 127: VLAN Configuration Details
Field | Function | Action |
---|---|---|
General tab | ||
VLAN Name | Specifies a unique name for the VLAN. | Enter a name. |
VLAN ID/Range | Specifies the identifier or range for the VLAN. | Select one:
|
Description | Describes the VLAN. | Enter a brief description for the VLAN. |
MAC-Table-Aging-Time | Specifies the maximum time that an entry can remain in the forwarding table before it ages out. | Type the number of seconds from 60 through 1000000. |
Input Filter | Specifies the VLAN firewall filter that is applied to incoming packets. | To apply an input firewall filter, select the firewall filter from the list. |
Output Filter | Specifies the VLAN firewall filter that is applied to outgoing packets. | To apply an output firewall filter, select the firewall filter from the list. |
Ports tab | ||
Ports | Specifies the ports to be associated with this VLAN for data traffic. You can also remove the port association. | Click one:
|
IP Address tab | ||
Layer 3 Information | Specifies IP address options for the VLAN. | Select to enable the IP address options. |
IP Address | Specifies the IP address of the VLAN. | Enter the IP address. |
Subnet Mask | Specifies the range of logical addresses within the address space that is assigned to an organization. | Enter the address, for example, 255.255.255.0. You can also specify the address prefix. |
Input Filter | Specifies the VLAN interface firewall filter that is applied to incoming packets. | To apply an input firewall filter to an interface, select the firewall filter from the list. |
Output Filter | Specifies the VLAN interface firewall filter that is applied to outgoing packets. | To apply an output firewall filter to an interface, select the firewall filter from the list. |
ARP/MAC Details | Specifies the details for configuring the static IP address and MAC. | Click the ARP/MAC Details button. Enter the static IP address and MAC address in the window that is displayed. |
VoIP tab | ||
Ports | Specifies the ports to be associated with this VLAN for voice traffic. You can also remove the port association. | Click one:
|
Configuring a Spanning Tree—Quick Configuration
Juniper devices provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). You can configure bridge protocol data unit (BPDU) protection on interfaces to prevent them from receiving BPDUs that could result in STP misconfigurations, which could lead to network outages.
You can use the J-Web Quick Configuration to add a spanning tree or to edit or delete an existing spanning tree.
To access the Spanning Tree Quick Configuration:
- In the J-Web user interface, select Configure>Switching>Spanning Tree.
The Spanning Tree Configuration page displays a list of existing spanning trees. If you select a specific spanning tree, the specific spanning tree details are displayed in the General and Interfaces tabs.
- Click one of the following:
- Add—Creates a spanning tree.
- Edit—Edits an existing spanning-tree configuration.
- Delete—Deletes an existing spanning tree.
When you are adding a spanning tree, select a protocol name:
- If you select STP, enter information as described in Table 128.
- If you select RSTP, enter information as described in Table 129.
- If you select MSTP, enter information as described in Table 130.
Select the Ports tab to configure the ports associated with this spanning tree. Click one of the following:
- Add—Creates a new spanning-tree interface configuration.
- Edit—Modifies an existing spanning-tree interface configuration.
- Delete—Deletes an existing spanning-tree interface configuration.
When you are adding or editing a spanning-tree port, enter information as described in Table 131.
- Click one:
- To apply changes to the configuration, click OK.
- To cancel the configuration without saving changes, click Cancel.
Table 128: STP Configuration Parameters
Field | Function | Action |
---|---|---|
Protocol Name | Displays the spanning-tree protocol. | View only. |
Disable | Disables STP on the interface. | To enable this option, select the check box. |
BPDU Protect | Specifies that BPDU blocks are to be processed. | To enable this option, select the check box. |
Bridge Priority | Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment. | Select a value. |
Forward Delay | Specifies the number of seconds an interface waits before changing from spanning-tree learning and listening states to the forwarding state. | Enter a value from 4 through 30 seconds. |
Hello Time | Specifies the time interval in seconds at which the root bridge transmits configuration BPDUs. | Enter a value from 1 through 10 seconds. |
Max Age | Specifies the maximum aging time in seconds for all MST instances. The maximum aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration. | Enter a value from 6 through 40 seconds. |
Table 129: RSTP Configuration Parameters
Field | Function | Action |
---|---|---|
Protocol Name | Displays the spanning-tree protocol. | View only. |
Disable | Specifies whether RSTP must be disabled on the interface. | To enable this option, select the check box. |
BPDU Protect | Specifies that BPDU blocks are to be processed. | To enable this option, select the check box. |
Bridge Priority | Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment. | Select a value. |
Forward Delay | Specifies the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. | Enter a value from 4 through 30 seconds. |
Hello Time | Specifies the hello time in seconds for all MST instances. | Enter a value from 1 through 10 seconds. |
Max Age | Specifies the maximum aging time in seconds for all MST instances. The maximum aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration. | Enter a value from 6 through 40 seconds. |
Table 130: MSTP Configuration Parameters
Field | Function | Action |
---|---|---|
Protocol Name | Displays the spanning-tree protocol. | View only. |
Disable | Specifies whether MSTP must be disabled on the interface. | To enable this option, select the check box. |
BPDU Protect | Specifies that BPDU blocks are to be processed. | To enable this option, select the check box. |
Bridge Priority | Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment. | Select a value. |
Forward Delay | Specifies the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. | Enter a value from 4 through 30 seconds. |
Hello Time | Specifies the hello time in seconds for all MST instances. | Enter a value from 1 through 10 seconds. |
Max Age | Specifies the maximum aging time for all MST instances. The maximum aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration. | Enter a value from 6 through 40 seconds. |
Configuration Name | MSTP region name carried in the MSTP bridge protocol data units (BPDUs). | Enter a name. |
Max Hops | Maximum number of hops a BPDU can be forwarded in the MSTP region. | Enter a value from 1 through 255. |
Revision Level | Revision number of the MSTP region configuration. | Enter a value from 0 through 65535. |
MSTI tab | ||
MSTI Id | Specifies the multiple spanning-tree instance (MSTI) identifier. MSTI IDs are local to each region, so you can reuse the same MSTI ID in different regions. | Click one:
|
Bridge Priority | Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment. | Select a value. |
VLAN | Specifies the VLANs for the MSTI. | Click one:
|
Interfaces | Specifies the interface for the MSTP protocol. | Click one:
|
Table 131: Spanning-Tree Ports Configuration Details
Field | Function | Action |
---|---|---|
Interface Name | Specifies the interface for the spanning-tree protocol type. | Select an interface. |
Cost | Specifies the link cost to control which bridge is the designated bridge and which interface is the designated interface. | Enter a value from 1 through 200,000,000. |
Priority | Specifies the interface priority to control which interface is elected as the root port. | Select a value. |
Disable Port | Disables the spanning-tree protocol type on the interface. | Select to disable the spanning-tree protocol type. |
Edge | Configures the interface as an edge interface. Edge interfaces immediately transition to a forwarding state. | Select to configure the interface as an edge interface. |
No Root Port | Specifies an interface as a spanning-tree designated port. If the bridge receives superior STP bridge protocol data units (BPDUs) on a root-protected interface, that interface transitions to a root-prevented STP state (inconsistency state) and the interface is blocked. This blocking prevents a bridge that should not be the root bridge from being elected the root bridge. When the bridge stops receiving superior STP BPDUs on the root-protected interface, interface traffic is no longer blocked. | Select to configure the interface as a spanning-tree designated port. |
Interface Mode | Specifies the link mode. | Select one:
|
BPDU Timeout Action | Specifies the BPDU timeout action for the interface. | Select one:
|
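
The following added example (not part of the original Juniper documentation) audits a planned spanning-tree configuration before it is entered in J-Web: it checks the timer and cost ranges from Tables 128 through 131 and the port protections described in Table 131. The interface names, the `role` labels, the placement policy, and the IEEE 802.1D timer relationship are assumptions brought in for the example and do not come from this page.

```python
from typing import List, NamedTuple, Optional

# Ranges stated in Tables 128-131 of this page.
FORWARD_DELAY = (4, 30)        # seconds
HELLO_TIME = (1, 10)           # seconds
MAX_AGE = (6, 40)              # seconds
PORT_COST = (1, 200_000_000)


class Port(NamedTuple):
    name: str                   # constructed interface name
    role: str                   # assumed label: "host", "downstream" or "uplink"
    edge: bool = False          # "Edge" option in Table 131
    no_root_port: bool = False  # "No Root Port" option in Table 131
    cost: Optional[int] = None  # "Cost" in Table 131, None when left unset


class SpanningTree(NamedTuple):
    protocol: str
    bpdu_protect: bool          # "BPDU Protect" check box
    forward_delay: int
    hello_time: int
    max_age: int
    ports: List[Port]


def audit(st: SpanningTree) -> List[str]:
    """Return one finding per value or port that breaks a check."""
    findings = []
    for label, value, (low, high) in (
        ("forward delay", st.forward_delay, FORWARD_DELAY),
        ("hello time", st.hello_time, HELLO_TIME),
        ("max age", st.max_age, MAX_AGE),
    ):
        if not low <= value <= high:
            findings.append(f"{label} {value} is outside {low}-{high} seconds")

    # Timer relationship from IEEE 802.1D (from the standard, not this page):
    # 2 x (forward delay - 1) >= max age >= 2 x (hello time + 1)
    if st.max_age > 2 * (st.forward_delay - 1):
        findings.append("max age exceeds 2 x (forward delay - 1)")
    if st.max_age < 2 * (st.hello_time + 1):
        findings.append("max age is below 2 x (hello time + 1)")

    for port in st.ports:
        if port.cost is not None and not PORT_COST[0] <= port.cost <= PORT_COST[1]:
            findings.append(f"{port.name}: cost {port.cost} is outside the allowed range")
        # Assumed policy: host-facing ports are edge ports with BPDU Protect on.
        if port.role == "host" and not (port.edge and st.bpdu_protect):
            findings.append(f"{port.name}: host-facing port lacks edge + BPDU Protect")
        # A bridge behind this port should never be elected root.
        if port.role == "downstream" and not port.no_root_port:
            findings.append(f"{port.name}: downstream port without No Root Port")
        # Superior BPDUs from the real root would block a root-protected uplink.
        if port.role == "uplink" and port.no_root_port:
            findings.append(f"{port.name}: No Root Port set on the uplink to the root")
    return findings


# Constructed sample configuration with deliberate mistakes.
SAMPLE = SpanningTree(
    protocol="RSTP", bpdu_protect=False,
    forward_delay=4, hello_time=2, max_age=20,
    ports=[
        Port("ge-0/0/1", "host", edge=True),
        Port("ge-0/0/2", "downstream"),
        Port("ge-0/0/3", "uplink", no_root_port=True, cost=0),
    ],
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```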
Configuring LACP in J-Web
Use the link aggregation feature to aggregate one or more Ethernet interfaces to form a virtual link or link aggregation group (LAG). The MAC client can treat this virtual link like a single link. Link aggregation increases bandwidth, provides graceful degradation as failure occurs, and increases availability.
You can use the J-Web interface to add a new LAG or to edit or delete an existing LAG.
Note: The interfaces that are already configured with MTU, duplex, flow control, or logical interfaces are displayed. However, when you select an already configured interface, a warning message is displayed.
To access the LACP Configuration:
- In the J-Web user interface, select Configure>Interfaces>Link Aggregation.
The Aggregated Interfaces list is displayed.
- Click one of the following:
- Device Count—Creates an aggregated Ethernet interface, or LAG. You can choose the number of devices that you want to create. The information displayed on the link aggregation page is described in Table 132, and the details of aggregation are described in Table 133.
- Add—Adds a new aggregated Ethernet Interface, or LAG. Enter information as specified in Table 134.
- Edit—Modifies a selected LAG
- Aggregation—Modifies a selected LAG. Enter information as specified in Table 134.
- VLAN—Specifies VLAN options for the selected LAG. See Table 135 for details on the options.
- IP Option—Configuring an IP address on a LAG is not supported. If you try to configure an IP address, an error message is displayed.
- Delete—Deletes the selected LAG.
- Disable Port or Enable Port—Disables or enables the administrative status on the selected interface.
Table 132: LACP (Link Aggregation Control Protocol) Configuration
Field | Function |
---|---|
Aggregated Interface | Indicates the name of the aggregated interface. |
Link Status | Indicates whether the interface is linked (Up) or not linked (Down). |
VLAN (VLAN ID) | Virtual LAN identifier value for IEEE 802.1Q VLAN tags (0 through 4094). |
Description | The description for the LAG. |
Table 133: Details of Aggregation
Field | Function |
---|---|
Administrative Status | Displays if the interface is enabled (Up) or disabled (Down). |
Logical Interfaces | Shows the logical interface of the aggregated interface. |
Member Interfaces | Member interfaces hold all the aggregated interfaces of the selected interfaces. |
Port Mode | Specifies the mode of operation for the port: trunk or access. |
Native VLAN (VLAN ID) | VLAN identifier to associate with untagged packets received on the interface. |
IP Address/Subnet Mask | Specifies the address of the aggregated interfaces. |
IPV6 Address/Subnet Mask | Specifies the IPV6 address of the aggregated interfaces. |
Table 134: Aggregated Ethernet Interface Options
Field | Function | Action |
---|---|---|
Aggregated Interface | Indicates the name of the aggregated interface. | Enter the aggregated interface name. If an aggregated interface already exists, then the field is displayed as read-only. |
LACP Mode | Specifies the mode in which LACP packets are exchanged between the interfaces. The modes are:
| Select from the drop-down list. |
Description | The description for the LAG. | Enter the description. |
Interface | Indicates the interfaces available for aggregation. | Click Add to select the interfaces. Note: Only interfaces that are configured with the same speeds can be selected together for a LAG. |
Speed | Indicates the speed of the interface. | |
Enable Log | Specifies whether to enable generation of log entries for LAG. | Select to enable log generation. |
Table 135: Edit VLAN Options
Field | Function | Action |
---|---|---|
Port Mode | Specifies the mode of operation for the port: trunk or access. | If you select Trunk, you can:
If you select Access, you can:
|
VLAN Options | For trunk interfaces, the VLANs for which the interface can carry traffic. | Click Add to select VLAN members. |
Native VLAN | VLAN identifier to associate with untagged packets received on the interface. | Select the VLAN identifier. |
Configuring 802.1x—Quick Configuration
Juniper devices use 802.1X authentication to implement access control in an enterprise network. Supplicants (hosts) are authenticated at the initial connection to your LAN. By authenticating supplicants before they receive an IP address from a DHCP server, unauthorized supplicants are prevented from gaining access to your LAN.
You can use the J-Web Quick Configuration to configure 802.1x authentication.
To access the 802.1x Quick Configuration:
- In the J-Web user interface, select Configure>Security>802.1x.
The 802.1x screen displays a list of interfaces, whether 802.1x security has been enabled on the interface, and the assigned port role.
When you select a particular interface, the Details section displays 802.1x details for the interface.
- Click one:
- RADIUS Servers—Specifies the RADIUS server to be used for authentication. Select the check box to select the required server. Click Add or Edit to add or modify the RADIUS server settings. Enter information as specified in Table 136.
- Exclusion List—Excludes hosts from the 802.1x authentication list by specifying the MAC address. Click Add or Edit in the Exclusion List to include or modify the MAC addresses. Enter information as specified in Table 137.
- Edit—Specifies 802.1x settings for the selected interface
- Apply 802.1x Profile—Applies a predefined 802.1x profile based on the port role. If a message appears asking if you want to configure a RADIUS server, click Yes.
- 802.1x Configuration—Configures custom 802.1x settings for the selected interface. If a message appears asking if you want to configure a RADIUS server, click Yes. Enter information as specified in Table 136. To configure 802.1x settings, enter information as specified in Table 138.
- Delete—Deletes 802.1x authentication configuration on the selected interface.
- Click one:
- To apply changes to the configuration, click OK.
- To cancel the configuration without saving changes, click Cancel.
Table 136: RADIUS Server Settings
Field | Function | Action |
---|---|---|
IP Address | Specifies the IP address of the server. | Enter the IP address in dotted decimal notation. |
Password | Specifies the login password. | Enter the password. |
Confirm Password | Verifies the login password for the server. | Reenter the password. |
Server Port Number | Specifies the port with which the server is associated. | Enter the port number. |
IP Address | Specifies the source address of the server. | Enter the server’s 32-bit IP address, in dotted decimal notation. |
Retry Attempts | Specifies the number of login retries allowed after a login failure. | Enter a value from 1 to 10. |
Timeout | Specifies the time, in seconds, before the connection to the server is closed. | Enter a value from 1 to 90 seconds. |
Table 137: 802.1x Exclusion List
Field | Function | Action |
---|---|---|
MAC Address | Specifies the MAC address to be excluded from 802.1x authentication. | Enter the MAC address. |
Exclude if connected through port | Specifies that the host can bypass authentication if it is connected through a particular interface. | Select to enable the option. Select the port through which the host is connected. |
Move the host to VLAN | Specifies moving the host to a specific VLAN once the host is authenticated. | Select to enable the option. Select the VLAN from the list. |
Table 138: 802.1x Port Settings
Field | Function | Action |
---|---|---|
Supplicant Mode | ||
Supplicant Mode | Specifies the mode to be adopted for supplicants:
| Select the required mode. |
Authentication | ||
Enable re-authentication | Specifies enabling reauthentication on the selected interface. |
|
Action on authentication failure | Specifies the action to be taken in case of an authentication failure. | Select one:
|
Timeouts | Specifies timeout values for each action. | Enter the value in seconds for:
|
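
Because every entry in the exclusion list (Table 137) lets a host skip 802.1x based on its MAC address alone, the list is worth checking before it is applied. The following added example (not part of the original Juniper documentation) normalizes and validates the entries, flags duplicates, group addresses, and entries that are not restricted to a port, and checks RADIUS retry and timeout values against the ranges in Table 136. The dictionary keys, interface names, and MAC addresses are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Six hex octets separated consistently by ":" or "-".
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}$", re.I)

# Ranges stated in Table 136 of this page.
RETRY_ATTEMPTS = (1, 10)
TIMEOUT_SECONDS = (1, 90)


def normalize_mac(text: str) -> Optional[str]:
    """Return the MAC as lower-case, colon-separated text, or None if malformed."""
    text = text.strip()
    if not MAC_RE.match(text):
        return None
    return text.lower().replace("-", ":")


def audit_exclusions(entries: List[Dict]) -> List[str]:
    """Check exclusion-list entries (hypothetical keys: 'mac' and 'port')."""
    findings, seen = [], set()
    for index, entry in enumerate(entries, start=1):
        mac = normalize_mac(entry["mac"])
        if mac is None:
            findings.append(f"entry {index}: {entry['mac']!r} is not a valid MAC address")
            continue
        # The low bit of the first octet marks a multicast or broadcast address.
        if int(mac[:2], 16) & 1:
            findings.append(f"entry {index}: {mac} is a group address, not a single host")
        if mac in seen:
            findings.append(f"entry {index}: {mac} is listed more than once")
        seen.add(mac)
        # "Exclude if connected through port" narrows where the bypass applies.
        if not entry.get("port"):
            findings.append(f"entry {index}: {mac} is not restricted to a port")
    return findings


def audit_radius(server: Dict) -> List[str]:
    """Check retry and timeout values against the ranges in Table 136."""
    findings = []
    for key, (low, high) in (
        ("retry_attempts", RETRY_ATTEMPTS),
        ("timeout", TIMEOUT_SECONDS),
    ):
        value = server.get(key)
        if value is None or not low <= value <= high:
            findings.append(f"{key}={value} is outside {low}-{high}")
    return findings


# Constructed sample exclusion list with deliberate mistakes.
SAMPLE_EXCLUSIONS = [
    {"mac": "00:11:22:33:44:55", "port": "ge-0/0/5"},
    {"mac": "00-11-22-33-44-55", "port": None},        # duplicate, no port
    {"mac": "01:00:5e:00:00:01", "port": "ge-0/0/6"},  # group address
    {"mac": "0011.2233.4455", "port": "ge-0/0/7"},     # unsupported format
]

if __name__ == "__main__":
    for finding in audit_exclusions(SAMPLE_EXCLUSIONS):
        print(finding)
    for finding in audit_radius({"retry_attempts": 3, "timeout": 120}):
        print(finding)
```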
Configuring IGMP Snooping—Quick Configuration
IGMP snooping regulates multicast traffic in a switched network. With IGMP snooping enabled, the Juniper device monitors the IGMP transmissions between a host (a network device) and a multicast router, keeping track of the multicast groups and associated member interfaces. The Juniper device uses that information to make intelligent multicast-forwarding decisions and forward traffic to the intended destination interfaces.
You can use the J-Web Quick Configuration to add a new IGMP snooping configuration or to edit or delete an existing configuration.
To access the IGMP Snooping Quick Configuration:
- In the J-Web user interface, select Configure>Switching>IGMP Snooping.
The VLAN Configuration page displays a list of existing IGMP snooping configurations.
- Click one:
- Add—Creates an IGMP snooping configuration for the VLAN.
- Edit—Edits an existing IGMP snooping configuration for the VLAN.
- Delete—Deletes member settings for the interface.
Note: If you delete a configuration, the VLAN configuration for all the associated interfaces is also deleted.
- Disable Vlan—Disables IGMP snooping on the selected VLAN.
When you are adding or editing a VLAN, enter information as described in Table 139.
- Click one:
- To apply changes to the configuration, click OK.
- To cancel the configuration without saving changes, click Cancel.
Table 139: IGMP Snooping Configuration Fields
Field | Function | Action |
---|---|---|
VLAN Name | Specifies the VLAN on which to enable IGMP snooping. | Select the VLAN from the list. |
Immediate Leave | Immediately removes a multicast group membership from an interface when it receives a leave message from that interface and suppresses the sending of any group-specific queries for the multicast group. | To enable the option, select the check box. To disable the option, clear the check box. |
Query Interval | Configures how frequently the switch sends host-query timeout messages to a multicast group. | Enter a value from 1 through 1024 seconds. |
Query Last Member Interval | Configures the interval between group-specific query timeout messages sent by the switch. | Enter a value from 1 through 1024 seconds. |
Query Response Interval | Configures the length of time the switch waits to receive a response to a specific query message from a host. | Enter a value from 1 through 25 seconds. |
Robust Count | Specifies the number of timeout intervals the switch waits before timing out a multicast group. | Enter a value from 2 through 10. |
Interfaces List | Statically configures an interface as a switching interface toward a multicast router (the interface to receive multicast traffic). |
|
Configuring GVRP—Quick Configuration
As a network expands and the number of clients and VLANs increases, VLAN administration becomes complex, and the task of efficiently configuring VLANs on multiple EX Series switches becomes increasingly difficult. To automate VLAN administration, you can enable GARP VLAN Registration Protocol (GVRP) on the network.
GVRP learns VLANs on a particular 802.1Q trunk port and adds the corresponding trunk interface to the VLAN if the advertised VLAN is preconfigured or already exists on the switch. For example, a VLAN named “sales” is advertised to trunk interface 1 on the GVRP-enabled switch. The switch adds trunk interface 1 to the sales VLAN if the sales VLAN already exists on the switch.
As individual interfaces become active and send requests to join a VLAN, the VLAN configuration is updated and propagated among the switches. Limiting the VLAN configuration to active participants reduces the network overhead. GVRP also provides the benefit of pruning VLANs to limit the scope of broadcast, unknown unicast, and multicast (BUM) traffic to interested network devices only.
You can use the J-Web Quick Configuration to enable or disable GVRP on an interface.
To access the GVRP Quick Configuration:
- In the J-Web user interface, select Configure>Switching>GVRP.
The GVRP Configuration page displays a list of interfaces on which GVRP is enabled.
- Click one:
- Global Settings—Modifies GVRP timers. Enter the information as described in Table 140.
- Add—Enables GVRP on an interface.
- Disable Port—Disables an interface.
- Delete—Deletes an interface.
- Click one:
- To apply changes to the configuration, click OK.
- To cancel the configuration without saving changes, click Cancel.
Table 140: GVRP Global Settings
Field | Function | Action |
---|---|---|
Disable GVRP | Disables GVRP on all the interfaces. | Click to select. |
Join Timer | Specifies the number of milliseconds an interface must wait before sending VLAN advertisements. | Enter a value from 0 through 4294967295 milliseconds. |
Leave Timer | Specifies the number of milliseconds an interface must wait after receiving a leave message to remove itself from the VLAN specified in the message. | Enter a value from 0 through 4294967295 milliseconds. |
Leave All Timer | Specifies the interval in milliseconds at which Leave All messages are sent on interfaces. Leave All messages help to maintain current GVRP VLAN membership information in the network. | Enter a value from 0 through 4294967295 milliseconds. |