Juniper Networks EX2500 - Manual

List of Figures „ vii List of Figures Figure 1: Default VLAN Settings .................................................................... 24Figure 2: Port-Based VLAN Assignment ........................................................ 25Figure 3: 802.1Q Tagging (after Port-Based VLAN Assignment) ......

List of Tables „ ix List of Tables Table 1: Notice Icons ................................................................................... xii Table 2: EX2500 Text and Syntax Conventions ........................................... xii Table 3: EX2500 Ethernet Switch Documentation ....................

Objectives „ xi About This Guide This preface provides the following guidelines for using the Juniper Networks EX2500 Ethernet Switch Configuration Guide : „ Objectives on page xi „ Audience on page xi „ Supported Platforms on page xi „ Documentation Conventions on page xii „ List of Technical Publi...

EX2500 Ethernet Switch Configuration Guide xii „ Documentation Conventions Documentation Conventions Table 1 describes the notice icons used in this manual. Table 2 describes the EX2500 text and syntax conventions. Table 1: Notice Icons Icon Meaning Description Informational note Indicates important...

List of Technical Publications „ xiii About This Guide List of Technical Publications Table 3 lists the documentation supporting the EX2500 Ethernet Switch. All documentation for EX Series Ethernet Switches is available at http://www.juniper.net/techpubs/ . Documentation Feedback We encourage you to...

EX2500 Ethernet Switch Configuration Guide xiv „ Requesting Technical Support Self-Help Online Tools and Resources For quick and easy problem resolution, the Juniper Networks online self-service portal—the Customer Support Center (CSC)—provides the following features: „ Find CSC offerings: http://ww...

EX2500 Ethernet Switch Applications „ 1 Part 1 EX2500 Ethernet Switch Applications This configuration guide will help you plan, implement, and administer EX2500 software. Where possible, each chapter provides feature overviews, usage examples, and configuration instructions. „ “Accessing the Switch”...

Configuring the Management Interface „ 3 Chapter 1 Accessing the Switch The EX2500 software provides a means for accessing, configuring, and viewing information and statistics about the EX2500 Ethernet Switch. This chapter discusses different methods of accessing the switch and ways to secure the sw...

EX2500 Ethernet Switch Configuration Guide 4 „ Dynamic Host Configuration Protocol 3. Configure the management IP address, subnet mask, and default gateway. ex2500(config)# interface ip-mgmt address 10.10.10.2 ex2500(config)# interface ip-mgmt netmask 255.255.255.0 ex2500(config)# interface ip-mgmt ...

Using Telnet „ 5 Chapter 1: Accessing the Switch DHCP is an extension of another network IP management protocol, Bootstrap Protocol (BOOTP), with an additional capability of being able to allocate reusable network addresses and configuration parameters for client operation. Built on the client/serve...

EX2500 Ethernet Switch Configuration Guide 6 „ Using the EX2500 Web Device Manager By default, EX2500 Web Device Manager access is enabled on the switch. Configuring EX2500 Web Device Manager Access via HTTP By default, EX2500 Web Device Manager access via HTTP is enabled . Use the following command...

Using SNMP „ 7 Chapter 1: Accessing the Switch The EX2500 Web Device Manager is organized at a high level as follows: Context tabs —These tabs allow you to select the type of action you wish to perform. The Configure tab provides access to the configuration elements for the entire switch. The Monito...

EX2500 Ethernet Switch Configuration Guide 8 „ Using SNMP SNMPv3 SNMPv3 is an enhanced version of the Simple Network Management Protocol, approved by the Internet Engineering Steering Group in March, 2002. SNMPv3 contains additional security and authentication features that provide data origin authe...

Using SNMP „ 9 Chapter 1: Accessing the Switch 2. Configure a user access group, along with the views the group may access. Use the access table to configure the group’s access level. Because the read view, write view, and notify view are all set to iso , the user type has access to all private and ...

EX2500 Ethernet Switch Configuration Guide 10 „ Securing Access to the Switch SNMPv3 Trap Host Configuration To configure a user for SNMPv3 traps, you can choose to send the traps with both privacy and authentication, with authentication only, or without privacy or authentication. This is configured...

Securing Access to the Switch „ 11 Chapter 1: Accessing the Switch RADIUS Authentication and Authorization The EX2500 switch supports the RADIUS (Remote Authentication Dial-in User Service) method to authenticate and authorize remote administrators for managing the switch. This method is based on a ...

EX2500 Ethernet Switch Configuration Guide 12 „ Securing Access to the Switch 3. If desired, you may change the default UDP port number used to listen to RADIUS. The well-known port for RADIUS is 1812. ex2500(config)# radius-server port <UDP port number> 4. Configure the number of retry attemp...

Securing Access to the Switch „ 13 Chapter 1: Accessing the Switch Switch User Accounts The user accounts listed in Table 4 can be defined in the RADIUS server dictionary file. RADIUS Attributes for EX2500 User Privileges When the user logs in, the switch authenticates his or her level of access by ...

EX2500 Ethernet Switch Configuration Guide 14 „ Securing Access to the Switch TACACS+ Authentication The EX2500 switch supports authentication and authorization with networks using the TACACS+ protocol. The EX2500 switch functions as the Network Access Server (NAS) by interacting with the remote cli...

Securing Access to the Switch „ 15 Chapter 1: Accessing the Switch The default mapping between TACACS+ authorization levels and EX2500 management access levels is shown in Table 6. The authorization levels must be defined on the TACACS+ server. Alternate mapping between TACACS+ authorization levels ...

EX2500 Ethernet Switch Configuration Guide 16 „ Securing Access to the Switch Command Authorization and Logging When TACACS+ Command Authorization is enabled, EX2500 configuration commands are sent to the TACACS+ server for authorization. Use the following command to enable TACACS+ Command Authoriza...

Securing Access to the Switch „ 17 Chapter 1: Accessing the Switch Secure Shell Secure Shell (SSH) uses secure tunnels to encrypt and secure messages between a remote administrator and the switch. Telnet does not provide this level of security. The Telnet method of managing an EX2500 switch does not...

EX2500 Ethernet Switch Configuration Guide 18 „ Securing Access to the Switch When the SSH server is first enabled and applied, the switch automatically generates the RSA host and server keys, which are stored in the Flash memory. To configure RSA host and server keys, enter the following commands t...

Securing Access to the Switch „ 19 Chapter 1: Accessing the Switch Considerations for Configuring End User Accounts „ A maximum of 10 user IDs are supported on the switch. „ The EX2500 switch supports end user support for console, Telnet, EX2500 Web Device Manager, and SSHv1 or SSHv2 access to the s...

EX2500 Ethernet Switch Configuration Guide 20 „ Securing Access to the Switch Listing Current Users The following command displays defined user accounts and whether or not each user is currently logged in to the switch. ex2500# show access user Usernames: user - Enabled - offline oper - Disabled - o...

VLAN Overview „ 21 Chapter 2 VLANs This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs commonly are used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enfo...

EX2500 Ethernet Switch Configuration Guide 22 „ VLANs and Port VLAN ID Numbers VLANs and Port VLAN ID Numbers VLAN Numbers The EX2500 switch supports up to 1024 VLANs per switch. Even though the maximum number of VLANs supported at any given time is 1024, each can be identified with any number betwe...

VLAN Tagging „ 23 Chapter 2: VLANs VLAN Tagging EX2500 software supports 802.1Q VLAN tagging, providing standards-based VLAN support for Ethernet systems. Tagging places the VLAN identifier in the frame header of a packet, allowing each port to belong to multiple VLANs. When you add a port to multip...

EX2500 Ethernet Switch Configuration Guide 24 „ VLAN Tagging Figure 1: Default VLAN Settings When a VLAN is configured, ports are added as members of the VLAN, and the ports are defined as either tagged or untagged (see Figure 2 through Figure 5). The default configuration settings for the EX2500 sw...

EX2500 Ethernet Switch Configuration Guide 26 „ VLAN Topologies and Design Considerations As shown in Figure 5, the tagged packet remains unchanged as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2. However, the tagged packet is stripped (untagged) as it leaves...

VLAN Topologies and Design Considerations „ 27 Chapter 2: VLANs „ All ports that are involved in port mirroring must have memberships in the same VLANs. If a port is configured for port mirroring, the port’s VLAN membership cannot be changed. For more information on configuring port mirroring, see “...

EX2500 Ethernet Switch Configuration Guide 28 „ VLAN Topologies and Design Considerations Use the following procedure to configure the sample network shown in Figure 6. 1. Enable VLAN tagging on server ports that support multiple VLANs. ex2500(config)# interface port 5 ex2500(config-if)# tagging ex2...

Private VLANs „ 29 Chapter 2: VLANs Private VLANs Private VLANs provide Layer 2 isolation between the ports within the same broadcast domain. Private VLANs can control traffic within a VLAN domain, and provide port-based security for host servers. Use private VLANs to partition a VLAN domain into su...

EX2500 Ethernet Switch Configuration Guide 30 „ Private VLANs Private VLAN Configuration Guidelines The following guidelines apply when configuring private VLANs: „ The default VLAN 1 cannot be a private VLAN. „ The management VLAN 4095 cannot be a private VLAN. The management port cannot be a membe...

Spanning Tree Overview „ 31 Chapter 3 Spanning Tree Protocol When multiple paths exist on a network, Spanning Tree Protocol configures the network so that a switch uses only the most efficient path. The following topics are discussed in this chapter: „ Spanning Tree Overview on page 31 „ Rapid Spann...

EX2500 Ethernet Switch Configuration Guide 32 „ Spanning Tree Overview The relationship between port, trunk groups, VLANs, and spanning trees is shown in Table 9. Bridge Protocol Data Units (BPDUs) To create a spanning tree, the switch generates a configuration Bridge Protocol Data Unit (BPDU), whic...

Spanning Tree Overview „ 33 Chapter 3: Spanning Tree Protocol Port Priority The port priority helps determine which bridge port becomes the root or designated port. The case for the root port is when 2 switches are connected using a minimum of two links with the same path-cost. The case for the desi...

EX2500 Ethernet Switch Configuration Guide 34 „ Spanning Tree Overview „ Each STG must have a VLAN assigned to it before it becomes functional. You cannot configure other STG settings until the VLAN is assigned. If the STG VLAN is unassigned, other configuration settings are cleared. Assign a VLAN a...

Rapid Spanning Tree Protocol „ 35 Chapter 3: Spanning Tree Protocol „ When you remove a port from a VLAN that belongs to an STG, that port is removed from the STG. However, if that port belongs to another VLAN in the same STG, the port remains in the STG. As an example, assume that port 1 belongs to...

EX2500 Ethernet Switch Configuration Guide 36 „ Rapid Spanning Tree Protocol Port Type and Link Type Spanning tree configuration includes the following parameters to support RSTP and MSTP: edge port and link type. Edge Port A port that does not connect to a bridge is called an edge port . Edge ports...

Per VLAN Rapid Spanning Tree „ 37 Chapter 3: Spanning Tree Protocol Per VLAN Rapid Spanning Tree Per VLAN Rapid Spanning Tree Plus Protocol (PVRST+) enhances the RSTP protocol by adding the ability to have multiple Spanning Tree Groups (STGs). PVRST+ is based on IEEE 802.1w Rapid Spanning Tree Proto...

EX2500 Ethernet Switch Configuration Guide 38 „ Per VLAN Rapid Spanning Tree In Figure 8, VLAN 1 and VLAN 2 belong to different Spanning Tree Groups. The two instances of Spanning Tree separate the topology without forming a loop. Both VLANs can forward packets between the switches without losing co...

Multiple Spanning Tree Protocol „ 39 Chapter 3: Spanning Tree Protocol Multiple Spanning Tree Protocol Multiple Spanning Tree Protocol (MSTP) extends Rapid Spanning Tree Protocol through multiple Spanning Tree Groups, using multiple VLANs in each STG. MSTP supports up to 32 Spanning Tree instances, ...

EX2500 Ethernet Switch Configuration Guide 40 „ Multiple Spanning Tree Protocol Figure 9 shows how multiple spanning trees can provide redundancy without wasting any uplink ports. In this example, the server ports are split between two separate VLANs. Both VLANs belong to two different Multiple Span...

Fast Uplink Convergence „ 41 Chapter 3: Spanning Tree Protocol Add server ports 1 and 2 to VLAN 1. Add uplink ports 19 and port 20 to VLAN 1. ex2500(config)# vlan 1 ex2500(config-vlan)# enable ex2500(config-vlan)# member 1 ex2500(config-vlan)# member 2 ex2500(config-vlan)# member 19 ex2500(config-vl...

EX2500 Ethernet Switch Configuration Guide 42 „ Fast Uplink Convergence Configuration Guidelines When you enable Fast Uplink Convergence, the EX2500 switch automatically makes the following configuration changes: „ Sets the bridge priority to 61440 so that it does not become the root switch. „ Incre...

Trunking Overview „ 43 Chapter 4 Ports and Trunking Trunk groups can provide super-bandwidth, multi-link connections between switches or other trunk-capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. This chapter p...

EX2500 Ethernet Switch Configuration Guide 44 „ Trunking Overview Each packet’s particular MAC or IP address information results in selecting one line in the trunk group for data transmission. The more data streams are feeding the trunk lines, the more evenly traffic is distributed. Built-In Fault T...

Port Trunking Configuration Example „ 45 Chapter 4: Ports and Trunking „ You cannot change the VLAN membership for a trunk group’s member port. You can change the VLAN membership of the trunk group. „ When an active port is configured in a trunk, the port becomes a trunk member when you enable the t...

Configurable Trunk Hash Algorithm „ 47 Chapter 4: Ports and Trunking Configurable Trunk Hash Algorithm This feature allows you to configure parameters for the trunk hash algorithm, instead of using the default values. Use the IP Trunk Hash commands to configure new default behavior for Layer 2 traff...

EX2500 Ethernet Switch Configuration Guide 48 „ Link Aggregation Control Protocol A port’s Link Aggregation Identifier (LAG ID) determines how the port can be aggregated. The Link Aggregation ID (LAG ID) is constructed mainly from the system ID and the port’s admin key , as follows: „ System ID —An ...

Link Aggregation Control Protocol „ 49 Chapter 4: Ports and Trunking When the system is initialized, all ports by default are in LACP off mode and are assigned unique admin keys. To make a group of ports aggregatable, you assign them all the same admin key. You must set the port’s LACP mode to activ...

EX2500 Ethernet Switch Configuration Guide 50 „ Link Aggregation Control Protocol We recommend that you use the default long timeout to reduce LAPDU processing. If the CPU utilization rate of your switch remains at 100% for periods of 90 seconds or more, consider using static trunks instead of LACP....

QoS Overview „ 51 Chapter 5 Quality of Service Quality of Service features allow you to allocate network resources to mission-critical applications at the expense of applications that are less sensitive to such factors as time delays or network congestion. You can configure your network to prioritiz...

EX2500 Ethernet Switch Configuration Guide 52 „ Using ACL Filters Figure 11: QoS Model The basic QoS model works as follows: „ Classify traffic: „ Read the DSCP value. „ Read the 802.1p priority value. „ Match ACL filter parameters. „ Perform actions: „ Permit packets. „ Deny packets. „ Map the 802....

Using ACL Filters „ 53 Chapter 5: Quality of Service Each ACL contains rules that define the matching criteria for data packets. The ACL checks each packet against its rules, to determine if there is a match. If the packet matches the ACL’s rules, the ACL performs its configured action: either permi...

EX2500 Ethernet Switch Configuration Guide 54 „ Using ACL Filters IP Extended ACLs The switch supports up to 128 IP ACLs (standard and extended), numbered from 128 through 254. Use IP Extended ACLs to filter traffic using the following criteria: „ Source IP address or network mask „ Destination IP a...

Using ACL Filters „ 55 Chapter 5: Quality of Service Understanding ACL Priority Each ACL has a unique priority value, based on its number. The lower the ACL number, the higher the priority, so ACL 1 has the highest priority. The priority value is used to decide which ACL rule to apply when a packet ...

EX2500 Ethernet Switch Configuration Guide 56 „ Using ACL Filters Assigning ACLs to a Port Once you configure an ACL, you must assign the ACL to a port. Each port can accept multiple ACLs. Note that higher-priority ACLs are considered first, and their action takes precedence over lower-priority ACLs...

Using ACL Filters „ 57 Chapter 5: Quality of Service 3. Verify the configuration. ex2500# show access-lists 1 Standard IP Access List 1---------------------------- Source IP address : 0.0.0.0 Source IP address mask : 0.0.0.0 Destination IP address : 100.10.1.1 Destination IP address mask : 255.255.2...

EX2500 Ethernet Switch Configuration Guide 58 „ Using ACL Filters ACL Example 4—Blocking All Except Certain Packets Use this configuration to block all traffic except traffic of certain types. HTTP/HTTPS, DHCP, and ARP packets are permitted on the port. All other traffic is denied. 1. Configure one ...

Using Storm Control Filters „ 59 Chapter 5: Quality of Service Using Storm Control Filters The EX2500 switch provides filters that can limit the number of the following packet types transmitted by switch ports: „ Broadcast packets „ Multicast packets „ Unknown unicast packets (destination lookup fai...

EX2500 Ethernet Switch Configuration Guide 60 „ Using DSCP Values to Provide QoS Using DSCP Values to Provide QoS The switch uses the Differentiated Services (DiffServ) architecture to provide QoS functions. DiffServ is described in IETF RFCs 2474 and 2475. The six most significant bits in the ToS b...

Using DSCP Values to Provide QoS „ 61 Chapter 5: Quality of Service Per Hop Behavior The DSCP value determines the Per Hop Behavior (PHB) of each packet. The PHB is the forwarding treatment given to packets at each hop. QoS policies are built by the application of a set of rules to packets, based on...

EX2500 Ethernet Switch Configuration Guide 62 „ Using DSCP Values to Provide QoS QoS Levels Table 16 shows the default service levels provided by the switch, listed from highest to lowest importance. DSCP Mapping The switch can use the DSCP value of ingress packets to set the COS queue. Use the foll...

Using 802.1p Priority to Provide QoS „ 63 Chapter 5: Quality of Service Using 802.1p Priority to Provide QoS The EX2500 switch provides Quality of Service (QoS) functions based on the priority bits in a packet’s VLAN header. (The priority bits are defined by the 802.1p standard within the IEEE 802.1...

EX2500 Ethernet Switch Configuration Guide 64 „ Queuing and Scheduling Queuing and Scheduling The EX2500 switch has eight output Class of Service (COS) queues per port, into which each packet is placed. Each packet’s 802.1p priority determines its COS queue. Higher COS queue numbers provide forwardi...

RMON Overview „ 65 Chapter 6 Remote Monitoring Remote Monitoring (RMON) allows network devices to exchange network monitoring data. The following topics are discussed in this chapter: „ RMON Overview on page 65 „ RMON Group 1—Statistics on page 66 „ RMON Group 2—History on page 67 „ RMON Group 3—Ala...

EX2500 Ethernet Switch Configuration Guide 66 „ RMON Group 1—Statistics RMON Group 1—Statistics The switch supports collection of Ethernet statistics as outlined in the RMON statistics MIB, in reference to etherStatsTable . You can configure RMON statistics on a per-port basis. RMON statistics are s...

RMON Group 2—History „ 67 Chapter 6: Remote Monitoring RMON Group 2—History The RMON History Group allows you to sample and archive Ethernet statistics for a specific interface during a specific time interval. History sampling is done per port. Data is gathered during discreet sampling intervals and...

EX2500 Ethernet Switch Configuration Guide 68 „ RMON Group 3—Alarms 3. View RMON history for the port. ex2500(config)# show rmon history RMON is enabled Index IFOID Interval Rbnum Gbnum------ ---------- -------- ----- ----- 1 ifEntry.1.7 120 30 30 History Ether table is empty RMON Group 3—Alarms The...

RMON Group 9—Events „ 69 Chapter 6: Remote Monitoring RMON Group 9—Events The RMON Event Group allows you to define events that are triggered by alarms. An event can be a log message, an SNMP trap, or both. When an alarm is generated, it triggers a corresponding event notification. Use the following...

IGMP Snooping „ 71 Chapter 7 IGMP Internet Group Management Protocol (IGMP) is used by IP Multicast routers to learn about the existence of host group members on their directly attached subnet (see RFC 2236). The IP Multicast routers get this information by broadcasting IGMP Membership Queries and l...

EX2500 Ethernet Switch Configuration Guide 72 „ FastLeave The client-server path is set up as follows: 1. An IP Multicast router (Mrouter) sends Membership Queries to the switch, which forwards them to all ports in a given VLAN. 2. Hosts that want to receive the multicast data stream send Membership...

IGMPv3 Snooping „ 73 Chapter 7: IGMP IGMPv3 Snooping IGMPv3 includes new membership report messages to extend IGMP functionality. The switch provides snooping capability for all types of IGMP version 3 (IGMPv3) Membership Reports. IGMPv3 supports Source-Specific Multicast (SSM). SSM identifies sessi...

EX2500 Ethernet Switch Configuration Guide 74 „ Static Multicast Router 4. Enable IGMPv3 Snooping (optional). ex2500(config)# ip igmp snoop igmpv3 enable 5. View dynamic IGMP information. ex2500# show ip igmp groups Note: Local groups (224.0.0.x) are not snooped/relayed and will not appear. Source G...

High Availability Overview „ 75 Chapter 8 High Availability Through Uplink Failure Detection This chapter describes how to use Uplink Failure Detection (UFD) to ensure that network resources remain available if one switch is removed for service. The following topics are discussed in this chapter: „ ...

EX2500 Ethernet Switch Configuration Guide 76 „ Failure Detection Pair Figure 14: Uplink Failure Detection Example Failure Detection Pair To use UFD, you must configure a Failure Detection Pair and then turn UFD on. A Failure Detection Pair consists of the following groups of ports: „ Link to Monito...

UFD Configuration Example „ 77 Chapter 8: High Availability Through Uplink Failure Detection „ Ports that are already members of a trunk group are not allowed to be assigned to an LtM. „ A port cannot be added to a trunk group if it already belongs to an LtM. „ An LtD can contain one or more ports, ...

Port Mirroring Overview „ 81 Appendix A Monitoring Ports with Port Mirroring This appendix explains port mirroring to help you monitor ports and troubleshoot common problems on the EX2500 switch. The following topics are discussed in this appendix: „ Port Mirroring Overview on page 81 „ Configuring ...

EX2500 Ethernet Switch Configuration Guide 82 „ Configuring Port Mirroring As shown in Figure 15, port 2 is acting as a monitor port, receiving mirrored traffic from three other switch ports: ingress traffic from port 4, egress traffic from port 7, and both ingress and egress traffic from port 10. A...

Index „ 85 Index Numerics 802.1p priority for QoS ................................................ 63 802.1Q VLAN tagging ................................................... 23 A Access Control Lists. See ACLs. accessing the switch management interface ............................................. 3...

88 „ Index EX2500 Ethernet Switch Configuration Guide U UDP ................................................................................. 54 UFD ................................................................................. 75 configuration .......................................................