Configuring Optional Add-Ins
This section shows how to configure the following features, which are optional add-ins to the Collapsed Core with EVPN Multihomed Campus Network.
How to Configure DHCP
Requirements
Configure DHCP on the following devices that you configured in the How to Configure a Campus Network using EVPN Multihoming configuration example:
Two EX4650 or QFX5120 switches as collapsed core devices. Software version: Junos OS Release 20.2R2 or later.
An external DHCP server.
Overview
Use this section to configure DHCP on the network. To avoid flooding the network with DHCP discover packets, configure DHCP on an interface in a VRF routing instance. The collapsed core devices act as a DHCP relay to a Layer 3 reachable external DHCP server.
Configuration
Procedure
Step-by-Step Procedure
Configure the collapsed core device to act as a DHCP relay only. It will not maintain a binding table.
set routing-instances JNPR_1_VRF forwarding-options dhcp-relay forward-only
Create a server group and specify the IP address of the DHCP server.
set routing-instances JNPR_1_VRF forwarding-options dhcp-relay server-group server_group_1 192.168.192.1
Specify the new server group as the active server group.
set routing-instances JNPR_1_VRF forwarding-options dhcp-relay group dhcp_relay_1 active-server-group server_group_1
Suppress the installation of access, access-internal, or destination routes that the JDHCPD process would otherwise add during client binding.
set routing-instances JNPR_1_VRF forwarding-options dhcp-relay group dhcp_relay_1 route-suppression destination
Always set the broadcast bit to one for all types of DHCP messages. If you do not configure this option, some clients set the bit to zero before sending the message, which is not desirable.
set routing-instances JNPR_1_VRF forwarding-options dhcp-relay group dhcp_relay_1 overrides no-unicast-replies
Configure the IRBs to connect to the related VLANs and subnets and provide DHCP services to those clients.
set routing-instances JNPR_1_VRF forwarding-options dhcp-relay group dhcp_relay_1 interface irb.201
set routing-instances JNPR_1_VRF forwarding-options dhcp-relay group dhcp_relay_1 interface irb.202
Note: In this step, you can include any IRB that is part of the routing instance. The interfaces must be added to the same relay group (dhcp_relay_1) that carries the active-server-group, otherwise the relay has no server to forward to.
You will need to repeat this configuration on all the collapsed core devices in your network.
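The following Python script is an added example, not part of the Juniper documentation: it parses Junos set statements like the ones above and checks the invariants this procedure relies on (forward-only is present, every relay group names an active-server-group, and that server group is defined), then compares two devices' parsed relay settings so you can confirm the configuration was repeated identically on each collapsed core. It also accepts the set groups ... forwarding-options dhcp-relay form used in the collapsed core configurations later on this page; the first sample is built from the commands above and the second, with the IRBs bound to a differently named group, is constructed to produce a finding.

```python
import re
# The procedure's own 'set' lines, embedded as the expected-good sample input.
CORE_OK = """
set routing-instances JNPR_1_VRF forwarding-options dhcp-relay forward-only
set routing-instances JNPR_1_VRF forwarding-options dhcp-relay server-group server_group_1 192.168.192.1
set routing-instances JNPR_1_VRF forwarding-options dhcp-relay group dhcp_relay_1 active-server-group server_group_1
set routing-instances JNPR_1_VRF forwarding-options dhcp-relay group dhcp_relay_1 route-suppression destination
set routing-instances JNPR_1_VRF forwarding-options dhcp-relay group dhcp_relay_1 interface irb.201
set routing-instances JNPR_1_VRF forwarding-options dhcp-relay group dhcp_relay_1 interface irb.202
"""
# Constructed bad case: the IRBs land in a group that never receives an active-server-group.
CORE_BAD = CORE_OK.replace("group dhcp_relay_1 interface", "group Relay_Group1 interface")
STMT = re.compile(r"^set (?:routing-instances|groups) (\S+) forwarding-options dhcp-relay (.+)$")

def parse_relay(config):
    """Map each scope (VRF or config group) to its forward-only flag, server groups and relay groups."""
    result = {}
    for line in config.strip().splitlines():
        m = STMT.match(line.strip())
        if not m:
            continue  # not a dhcp-relay statement; other config is ignored
        entry = result.setdefault(m.group(1), {"forward_only": False, "server_groups": {}, "groups": {}})
        words = m.group(2).split()
        if words[0] == "forward-only":  # also covers 'forward-only routing-instance default'
            entry["forward_only"] = True
        elif words[0] == "server-group" and len(words) == 3:
            entry["server_groups"].setdefault(words[1], []).append(words[2])
        elif words[0] == "group" and len(words) >= 4:
            grp = entry["groups"].setdefault(words[1], {"active": None, "interfaces": []})
            if words[2] == "active-server-group":
                grp["active"] = words[3]
            elif words[2] == "interface":
                grp["interfaces"].append(words[3])
    return result

def check_relay(config):
    """Return findings against the procedure's invariants; an empty list means the config is consistent."""
    findings = []
    for scope, entry in parse_relay(config).items():
        if not entry["forward_only"]:
            findings.append(f"{scope}: forward-only missing, the device would keep a binding table")
        for name, grp in entry["groups"].items():  # the procedure sets active-server-group per group
            if grp["active"] is None:
                findings.append(f"{scope}: group {name} has no active-server-group")
            elif grp["active"] not in entry["server_groups"]:
                findings.append(f"{scope}: group {name} uses undefined server group {grp['active']}")
    return findings

def same_relay_config(config_a, config_b):
    """True when two collapsed core devices carry identical dhcp-relay settings."""
    return parse_relay(config_a) == parse_relay(config_b)
```

Feed it the output of show configuration | display set from each collapsed core; non-relay statements are ignored, so the whole configuration can be passed in.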
How to Configure the SRX Router
Configuration
CLI Quick Configuration
In this sample configuration, SRX is used to route user traffic from the Mist Access Points to the internet. Figure 1 shows the collapsed core network along with the SRX router. This example uses the following configuration settings:
- VLAN 126 is used to forward traffic from the collapsed cores to the SRX and to the internet.
- VLAN 125 is used to send management traffic for cloud registration and operation of the Mist APs.
- VLAN 125 is also marked as the native VLAN on the trunk port where the access point is connected.
- Designate server_group_1 192.168.192.1 as the DHCP server.
For more information on configuring inter-VRF routing on the SRX router, see SRX Configuration.
SRX Configuration
Configure the following settings on the SRX router.
set security zones security-zone trust interfaces irb.126
set interfaces irb unit 126 family inet address 192.168.3.1/24
set vlans mgmt1 l3-interface irb.126
set interfaces ae1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members mgmt1
set interfaces ge-0/0/4 unit 0 family inet address 10.204.37.175/20
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
Collapsed Core 1 Configuration
Configure the following settings on the collapsed core switch.
set interfaces irb unit 126 family inet address 192.168.3.2/24
set vlans mgmt1 vxlan vni 1000126
set vlans mgmt1 vlan-id 126
set vlans mgmt1 l3-interface irb.126
set interfaces irb unit 125 family inet address 192.168.2.2/24
set vlans mgmt vlan-id 125
set vlans mgmt l3-interface irb.125
set vlans mgmt vxlan vni 1000125
set interfaces ae31 unit 0 family ethernet-switching vlan members mgmt1
set interfaces ae22 unit 0 family ethernet-switching vlan members mgmt
set groups dhcp-mist-relay forwarding-options dhcp-relay forward-only routing-instance default
set groups dhcp-mist-relay forwarding-options dhcp-relay forward-only-replies
set groups dhcp-mist-relay forwarding-options dhcp-relay server-group server_group_1 192.168.192.1
set groups dhcp-mist-relay forwarding-options dhcp-relay group dhcp_mist active-server-group server_group_1
set groups dhcp-mist-relay forwarding-options dhcp-relay group dhcp_mist route-suppression destination
set groups dhcp-mist-relay forwarding-options dhcp-relay group dhcp_mist interface irb.125
set apply-groups dhcp-mist-relay
Collapsed Core 2 Configuration
Configure the following settings on the collapsed core switch.
set interfaces irb unit 126 family inet address 192.168.3.3/24
set vlans mgmt1 vxlan vni 1000126
set vlans mgmt1 vlan-id 126
set vlans mgmt1 l3-interface irb.126
set interfaces irb unit 125 family inet address 192.168.2.3/24
set vlans mgmt vlan-id 125
set vlans mgmt l3-interface irb.125
set vlans mgmt vxlan vni 1000125
set interfaces ae31 unit 0 family ethernet-switching vlan members mgmt1
set interfaces ae22 unit 0 family ethernet-switching vlan members mgmt
set groups dhcp-mist-relay forwarding-options dhcp-relay forward-only routing-instance default
set groups dhcp-mist-relay forwarding-options dhcp-relay forward-only-replies
set groups dhcp-mist-relay forwarding-options dhcp-relay server-group server_group_1 192.168.192.1
set groups dhcp-mist-relay forwarding-options dhcp-relay group dhcp_mist active-server-group server_group_1
set groups dhcp-mist-relay forwarding-options dhcp-relay group dhcp_mist route-suppression destination
set groups dhcp-mist-relay forwarding-options dhcp-relay group dhcp_mist interface irb.125
set apply-groups dhcp-mist-relay
Access Switch Configuration for Mist AP
Configure the following settings on the access switch.
set poe interface ge-0/0/4
set poe interface ge-0/0/5
set interfaces ae22 unit 0 family ethernet-switching vlan members mgmt
set interfaces ge-0/0/4 native-vlan-id 125
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members 125
set interfaces ge-0/0/5 native-vlan-id 125
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members 125
Access Switch Configuration for 802.1X
We recommend that you enable 802.1X port-based network access control (PNAC) authentication for wired clients on the switches, so that the clients that connect to the switch ports are authenticated.
There are three ways you can do this:
- Authenticate the first end device (supplicant) on an authenticator port, and allow all other connecting end devices to also have access to the LAN.
- Authenticate a single end device on an authenticator port at one time.
- Authenticate multiple end devices on an authenticator port (this is typically used in VoIP configurations).
For this example, we will configure the switch to accept multiple supplicants.
set groups dot1x access radius-server 192.168.10.1 secret "$9$8.s7b2ZGi.mTZUqf5QCA"
set groups dot1x access radius-server 192.168.10.1 source-address 192.168.10.200
set groups dot1x protocols dot1x authenticator authentication-profile-name pdt_profile_1
set groups dot1x protocols dot1x authenticator no-mac-table-binding
set groups dot1x protocols dot1x authenticator interface ge-1/0/12.0 supplicant multiple
set groups dot1x protocols dot1x authenticator interface ge-1/0/12.0 mac-radius
set groups dot1x access profile pdt_profile_1 authentication-order radius
set groups dot1x access profile pdt_profile_1 radius authentication-server 192.168.10.1
set apply-groups dot1x
What's Next
Juniper’s Campus solution, based on a VXLAN overlay with EVPN control plane, is an efficient and scalable way to build and interconnect multiple campuses across a core network. With a robust BGP/EVPN implementation Juniper is well-positioned to harness the full potential of EVPN technology.
For more information on available EVPN features and how to configure them, see EVPN User Guide.