Chapter 2 Advanced Ethernet Switching

Filter-Based VLAN Assignment

Not supported together with 802.1X on the same access port:

[edit protocols dot1x]
user@switch# commit
error: Dot1x: Authenticator can't be configured on mapping "policy" enabled interface
error: configuration check-out failed

! Layer 2 filter that steers matching traffic into a secondary VLAN
set firewall family ethernet-switching filter vlan-assign term match-subnet from source-address 172.23.20.0/24
set firewall family ethernet-switching filter vlan-assign term match-subnet then vlan vlan-20
set firewall family ethernet-switching filter vlan-assign term then-else then accept
set interfaces ge-0/0/6.0 family ethernet-switching filter input vlan-assign

Traffic that matches the term is forwarded in a VLAN (vlan-20) other than the one the port belongs to (vlan-10 in this example); everything else stays in the port's VLAN. The match key is the source IP address, which the host itself chooses, so this is traffic steering rather than access control: any device on ge-0/0/6.0 that configures an address in 172.23.20.0/24 ends up in vlan-20.

Associating a Port with a Secondary VLAN

The secondary VLAN association is conditional by nature: it only takes effect when a firewall filter term matches.

! Conditional association
set vlans vlan-20 vlan-id 20 interface ge-0/0/6.0 mapping policy

lab@exA-1# run show vlans detail
VLAN: default, 802.1Q Tag: Untagged, Admin State: Enabled

VLAN: vlan-10, 802.1Q Tag: 10, Admin State: Enabled
Number of interfaces: 2 (Active = 2)
  Untagged interfaces: ge-0/0/6.0*
  Tagged interfaces: ge-0/0/8.0*

VLAN: vlan-20, 802.1Q Tag: 20, Admin State: Enabled
Number of interfaces: 2 (Active = 2)
  Tagged interfaces: ge-0/0/8.0*
  Mapping policy interfaces: ge-0/0/6.0*

Topology: srxA-1 ---trunk--- exA-1 (ge-0/0/6.0) ---access--- exA-2

lab@srxA-1# run show ethernet-switching table
Ethernet-switching table: 10 entries, 2 learned
  VLAN      MAC address         Type     Age  Interfaces
  default   *                   Flood    -    All-members
  v10       *                   Flood    -    All-members
  v10       00:26:88:02:74:90   Static   -    Router
  v10       2c:6b:f5:33:3a:01   Learn    0    ge-0/0/8.0
  v20       *                   Flood    -    All-members
  v20       00:26:88:02:74:90   Static   -    Router
  v20       2c:6b:f5:33:3a:01   Learn    0    ge-0/0/8.0

lab@exA-1# run show ethernet-switching table
Ethernet-switching table: 6 entries, 3 learned
  VLAN      MAC address         Type     Age  Interfaces
  vlan-20   *                   Flood    -    All-members
  vlan-20   00:26:88:02:74:90   Learn    0    ge-0/0/8.0
  vlan-20   2c:6b:f5:33:3a:01   Learn    0    ge-0/0/6.0
  vlan-20   2c:6b:f5:33:5f:81   Static   -    Router
  vlan-10   *                   Flood    -    All-members
  vlan-10   2c:6b:f5:33:3a:01   Learn    0    ge-0/0/6.0

The host MAC behind ge-0/0/6.0 (2c:6b:f5:33:3a:01) is learned in both vlan-10 and vlan-20 on exA-1: frames that match the filter are switched in vlan-20, the rest in vlan-10.

Private VLAN

Splits a broadcast domain into multiple isolated subdomains.
- Not supported on all EX models.
- A voice VLAN cannot be configured on a PVLAN at the same time.
- There is one primary VLAN; secondary VLANs can be community or isolated.
- A secondary VLAN does not require an 802.1Q tag unless the PVLAN spans multiple switches.

Secondary VLAN types:
- community VLAN
- isolated VLAN
- inter-switch isolated VLAN: an internal secondary VLAN used to forward isolated traffic between switches over pvlan-trunk ports

PVLAN trunk ports are members of all the VLANs (primary, community, isolated and inter-switch isolated).

Primary and Isolation Configuration

Topology: isolated_host --(ge-0/0/8.0)-- SW1 ---trunk--- SW2 --(ge-0/0/10.0)-- R1

! Applied on SW1
set vlans pvlan-100 vlan-id 100 interface ge-0/0/12.0 pvlan-trunk
set vlans pvlan-100 vlan-id 100 interface ge-0/0/8.0
! Enable the PVLAN feature on the VLAN
set vlans pvlan-100 vlan-id 100 no-local-switching
set vlans pvlan-100 vlan-id 100 isolation-id 30

! Applied on SW2
set vlans pvlan-100 vlan-id 100 interface ge-0/0/12.0 pvlan-trunk
set vlans pvlan-100 vlan-id 100 interface ge-0/0/10.0
! Enable the PVLAN feature on the VLAN
set vlans pvlan-100 vlan-id 100 no-local-switching
set vlans pvlan-100 vlan-id 100 isolation-id 30

The isolation-id is required when the PVLAN spans multiple switches: it is the 802.1Q tag used for the internal inter-switch isolated VLAN, so it must be the same on every switch in the PVLAN. All access ports configured in the primary VLAN (ge-0/0/8.0 in this example) are treated as isolated ports.
Primary and Community Configuration

! Applied on SW1
set vlans v10 vlan-id 10 interface ge-0/0/6.0
set vlans v10 vlan-id 10 primary-vlan pvlan-100
! Applied on SW2
set vlans v20 vlan-id 20 interface ge-0/0/7.0
set vlans v20 vlan-id 20 primary-vlan pvlan-100

user@AS-2> show vlans
Name                        Tag    Interfaces
__pvlan_pvlan-100_isiv__    30     ge-0/0/10.0*, ge-0/0/12.0*
default                     None
finance                     20     ge-0/0/7.0*, ge-0/0/10.0*, ge-0/0/12.0*
pvlan-100                   100    ge-0/0/6.0*, ge-0/0/7.0*, ge-0/0/10.0*, ge-0/0/12.0*
sales                       10     ge-0/0/6.0*, ge-0/0/10.0*, ge-0/0/12.0*

! The presence of the inter-switch isolated VLAN (__pvlan_pvlan-100_isiv__, tagged with the isolation-id) and of pvlan-trunk ports shows that the PVLAN spans more than one switch
show vlans extensive

Introducing MVRP

Multiple VLAN Registration Protocol (MVRP), defined in IEEE 802.1ak, performs the same functions as the Generic Attribute Registration Protocol (GARP) and GARP VLAN Registration Protocol (GVRP) it replaces.
- Active only on trunk ports.
- Timers are defined per interface: when PDUs are sent and when registration information may be updated on the switch.
- MVRP is disabled by default on EX switches.
- Supports VLAN pruning.
- Dynamic VLAN configuration is enabled by default as soon as MVRP is enabled, so a neighbouring switch can cause VLANs to be created on this one. Enable MVRP only on trunks towards switches you control, or turn dynamic VLAN creation off with no-dynamic-vlan.
- MVRP does not support VLAN Spanning Tree Protocol (VSTP).

MVRP timers:
- Join: controls the interval for the next MVRP PDU transmit opportunity.
- Leave: controls how long an interface waits in the Leave state before changing to the unregistered state.
- LeaveAll: controls how often the interface generates LeaveAll messages.

MVRP messages:
- Empty: VLAN information is not being declared and is not registered.
- In: VLAN information is not being declared but is registered.
- JoinEmpty: VLAN information is being declared but not registered.
- JoinIn: VLAN information is being declared and is registered.
- Leave: VLAN information that was previously registered is being withdrawn.
- LeaveAll: all registrations will be de-registered; participants that want to stay in MVRP must re-register.
- New: VLAN information is new and possibly not previously registered.

Enabling MVRP

The ports still have to be configured in trunk mode (with no VLANs associated); the protocol associates the VLANs automatically.

! Enable MVRP on the trunk ports
set protocols mvrp interface ge-0/0/14.0
set protocols mvrp interface ge-0/0/16.0
! Disable dynamic VLAN creation
set protocols mvrp no-dynamic-vlan

user@AS-1# set protocols mvrp interface ge-0/0/14.0 ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  disable              Disable MVRP on this interface
  join-timer           Join timer interval (200..4294967295 milliseconds)
  leave-timer          Leave timer interval (600..4294967295 milliseconds)
  leaveall-timer       LeaveAll timer interval (10000..4294967295 milliseconds)
  registration         Registration mode
  |                    Pipe through a command

user@AS-1# run show mvrp statistics
MVRP statistics
Interface name            : ge-0/0/12.0
MRPDU received            : 133
Invalid PDU received      : 0
New received              : 0
Join Empty received       : 96
Join In received          : 124
Empty received            : 15
In received               : 111
Leave received            : 0
LeaveAll received         : 56
MRPDU transmitted         : 143
MRPDU transmit failures   : 0
New transmitted           : 0
Join Empty transmitted    : 0
Join In transmitted       : 271
Empty transmitted         : 0
In transmitted            : 267
Leave transmitted         : 0
LeaveAll transmitted      : 56

user@AS-1# run show mvrp dynamic-vlan-memberships
MVRP dynamic vlans for routing instance 'default-switch'
(s) static vlan, (f) fixed registration
VLAN ID   Interfaces
1(s)      ge-0/0/14.0(f)   ge-0/0/16.0(f)
10(s)     ge-0/0/14.0(f)   ge-0/0/16.0(f)
20(s)     ge-0/0/14.0(f)   ge-0/0/16.0(f)
30(s)     ge-0/0/14.0(f)   ge-0/0/16.0(f)

user@AS-2# run show mvrp dynamic-vlan-memberships
MVRP dynamic vlans for routing instance 'default-switch'
(s) static vlan, (f) fixed registration
VLAN ID   Interfaces
1(s)      ge-0/0/14.0(f)   ge-0/0/16.0(f)
10        ge-0/0/14.0      ge-0/0/16.0
20        ge-0/0/14.0      ge-0/0/16.0
30        ge-0/0/14.0      ge-0/0/16.0

user@AS-2# run show vlans
Name          Tag   Interfaces
__mvrp_10__   10    ge-0/0/14.0*, ge-0/0/16.0*
__mvrp_20__   20    ge-0/0/14.0*, ge-0/0/16.0*
__mvrp_30__   30    ge-0/0/14.0*, ge-0/0/16.0*
default       1     ge-0/0/14.0*, ge-0/0/16.0*

On AS-1 VLANs 10, 20 and 30 are static (s) with fixed registration (f); on AS-2 they were learned from AS-1 through MVRP and appear as the dynamically created __mvrp_<id>__ VLANs.

Expanding a Bridged Network

Challenges:
- VLAN ID scalability
- MAC table size limits
- Ethernet Virtual Connection (EVC)

IEEE 802.1Q VLAN tagging does not scale in a service provider network.

Q-in-Q, IEEE 802.1ad
- S-VLAN: controlled by the service provider
- C-VLAN: controlled by the customer
- In the S-TAG the Tag Protocol Identifier (TPID) is 0x88A8

Tag formats:
S-VLAN tag
- Tag Protocol Identifier: 16 bits, default 0x88A8
- Priority: 3 bits, 802.1p
- Drop Eligibility Indicator: 1 bit, default 0
- VLAN Identifier: 12 bits
C-VLAN tag
- Tag Protocol Identifier: 16 bits, default 0x8100
- Priority: 3 bits, 802.1p
- Canonical Format Indicator: 1 bit, default 0
- VLAN Identifier: 12 bits

A trunk only "understands" 0x8100, so dot1q tunneling must be enabled on the trunks the S-VLAN crosses, or the dot1q tunneling ether-type must be set manually:

{master:0}[edit ethernet-switching-options]
user@Switch# set dot1q-tunneling ether-type ?
Possible completions:
  0x8100  Dot1q ether-type value 0x8100
  0x88a8  Dot1q ether-type value 0x88a8
  0x9100  Dot1q ether-type value 0x9100

Key terminology: Provider Bridged Network, Provider Bridge, Provider Edge Bridge, Customer Edge Port, Provider Network Port.

Intermediate provider bridges look up the destination MAC address to determine the outgoing interface, flooding the frame if it is unknown.

Configuring Q-in-Q Tunneling

Topology: C --- SP(exA) ----- SP(exB) --- C

C-VLANs can be mapped to S-VLANs in three ways:
1. Map all C-VLANs into a single S-VLAN.
2. Map a defined set of C-VLANs into an S-VLAN with the customer-vlans option.
3. Map a specific C-VLAN to an S-VLAN on a specific interface.

1) All C-VLANs arriving on ge-0/0/8.0 into S-VLAN 200
set vlans v200 vlan-id 200 interface ge-0/0/8.0
set vlans v200 vlan-id 200 interface ge-0/0/12.0
! Enables Q-in-Q on the VLAN (reported as dot1q-tunneled below)
set vlans v200 vlan-id 200 dot1q-tunneling

lab@exA-1# run show ethernet-switching interfaces detail
Interface: ge-0/0/8.0, Index: 66, State: up, Port mode: Access
Ether type for the interface: 0x8100
VLAN membership:
  v200, 802.1Q Tag: 200, dot1q-tunneled, untagged, unblocked
Number of MACs learned on IFL: 1
Interface: ge-0/0/12.0, Index: 65, State: up, Port mode: Trunk
Ether type for the interface: 0x88a8
VLAN membership:
  v200, 802.1Q Tag: 200, dot1q-tunneled, tagged, unblocked
Number of MACs learned on IFL: 1

lab@exA-1# run show ethernet-switching interfaces
Interface     State  VLAN members  Tag  Tagging   Blocking
ge-0/0/8.0    up     v200          200  untagged  unblocked
ge-0/0/12.0   up     v200          200  tagged    unblocked

2) Only C-VLANs 100 and 160 into S-VLAN 200
set vlans v200 vlan-id 200 interface ge-0/0/8.0
set vlans v200 vlan-id 200 interface ge-0/0/12.0
set vlans v200 vlan-id 200 dot1q-tunneling customer-vlans [100 160]

3) C-VLAN 10 on ge-0/0/8.0 pushed into S-VLAN 200
! The per-interface mapping statement; the show output reports it as "Mapped Tag: 10, push"
set vlans v200 vlan-id 200 interface ge-0/0/8.0 mapping 10 push
set vlans v200 vlan-id 200 interface ge-0/0/12.0
set vlans v200 vlan-id 200 dot1q-tunneling

If several mappings apply, precedence is 3), then 2), then 1).

lab@exA-1# run show ethernet-switching interfaces detail
Interface: ge-0/0/8.0, Index: 66, State: up, Port mode: Access
Ether type for the interface: 0x8100
VLAN membership:
  v200, 802.1Q Tag: 200, Mapped Tag: 10, push, dot1q-tunneled, unblocked
Number of MACs learned on IFL: 1
Interface: ge-0/0/12.0, Index: 65, State: up, Port mode: Trunk
Ether type for the interface: 0x88a8
VLAN membership:
  v200, 802.1Q Tag: 200, dot1q-tunneled, tagged, unblocked
Number of MACs learned on IFL: 1

Configuring Q-in-Q on a trunk interface requires that all VLANs allowed on that trunk use ether-type 0x88a8; alternatively the dot1q tunneling ether-type can be set to 0x8100 so the trunk keeps carrying ordinary 802.1Q VLANs. Both ends of the trunk must agree: a peer that only recognises 0x8100 treats an 0x88a8 frame as an untagged frame with an unknown EtherType, not as a tagged frame, so the S-VLAN boundary is lost.
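The tag formats and the push/swap mappings above, as an added worked example that is not part of the original notes and not Junos code: it parses a stacked 802.1Q/802.1ad header, applies a provider-edge push and swap, and shows what a port that only recognises TPID 0x8100 makes of an 0x88A8 frame. The frame bytes are constructed for the demonstration.

```python
"""802.1Q / 802.1ad tag handling: parse a stacked VLAN header and apply the
Q-in-Q push and swap mappings described above.

Added example, not Junos code and not from the original notes. The frames are
constructed for the demonstration."""
import struct
from typing import List, Set, Tuple

TPID_CTAG = 0x8100  # 802.1Q customer tag
TPID_STAG = 0x88A8  # 802.1ad service tag
TPID_9100 = 0x9100  # pre-standard S-tag value still offered by the EX CLI
ALL_TPIDS = {TPID_CTAG, TPID_STAG, TPID_9100}


class VlanTag:
    """One 4-byte tag: TPID + TCI (3-bit PCP, 1-bit DEI/CFI, 12-bit VID)."""

    def __init__(self, tpid: int, pcp: int, dei: int, vid: int) -> None:
        if not (0 <= pcp < 8 and 0 <= dei < 2 and 0 <= vid < 4096):
            raise ValueError("tag field out of range")
        self.tpid, self.pcp, self.dei, self.vid = tpid, pcp, dei, vid

    @classmethod
    def from_tci(cls, tpid: int, tci: int) -> "VlanTag":
        return cls(tpid, (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF)

    def to_bytes(self) -> bytes:
        return struct.pack("!HH", self.tpid, (self.pcp << 13) | (self.dei << 12) | self.vid)

    def as_tuple(self) -> Tuple[int, int, int, int]:
        return (self.tpid, self.pcp, self.dei, self.vid)


def parse_frame(frame: bytes, accepted_tpids: Set[int] = ALL_TPIDS):
    """Return (dst, src, tags, ethertype, payload).

    Only EtherTypes listed in accepted_tpids are treated as tags. With
    accepted_tpids={0x8100} this models a trunk that "only understands 0x8100":
    an 0x88A8 S-tag is then reported as the payload EtherType of an untagged
    frame rather than as a VLAN tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated EtherType")
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype not in accepted_tpids:
            return dst, src, tags, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        tags.append(VlanTag.from_tci(etype, struct.unpack_from("!H", frame, off + 2)[0]))
        off += 4


def build_frame(dst: bytes, src: bytes, tags: List[VlanTag], etype: int, payload: bytes) -> bytes:
    return dst + src + b"".join(t.to_bytes() for t in tags) + struct.pack("!H", etype) + payload


def push_svlan(frame: bytes, svid: int, tpid: int = TPID_STAG) -> bytes:
    """Provider edge ingress (mapping ... push): add an S-tag outside whatever
    the customer sent, copying the customer's 802.1p bits if there is a C-tag."""
    dst, src, tags, etype, payload = parse_frame(frame)
    pcp = tags[0].pcp if tags else 0
    return build_frame(dst, src, [VlanTag(tpid, pcp, 0, svid)] + tags, etype, payload)


def swap_vlan(frame: bytes, new_vid: int) -> bytes:
    """mapping ... swap: rewrite the outer VID instead of adding a tag."""
    dst, src, tags, etype, payload = parse_frame(frame)
    if not tags:
        raise ValueError("swap requires a tagged frame")
    outer = tags[0]
    return build_frame(dst, src, [VlanTag(outer.tpid, outer.pcp, outer.dei, new_vid)] + tags[1:],
                       etype, payload)


def pop_outer(frame: bytes) -> bytes:
    """Provider edge egress: strip the outer tag before handing the frame back."""
    dst, src, tags, etype, payload = parse_frame(frame)
    if not tags:
        raise ValueError("nothing to pop")
    return build_frame(dst, src, tags[1:], etype, payload)


# Constructed customer frame: C-VLAN 10, priority 5, carrying an IPv4 header stub.
CUSTOMER_FRAME = build_frame(bytes.fromhex("01005e000001"), bytes.fromhex("2c6bf5333a01"),
                             [VlanTag(TPID_CTAG, 5, 0, 10)], 0x0800,
                             b"\x45\x00\x00\x14" + b"\x00" * 16)
```

The interesting call is parse_frame(push_svlan(CUSTOMER_FRAME, 200), accepted_tpids={0x8100}): the S-tag disappears and the frame looks untagged with EtherType 0x88A8, which is exactly what happens on a trunk whose ether-type was not set to match the Q-in-Q side.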
lab@exA-1# set ethernet-switching-options dot1q-tunneling ether-type 0x8100

lab@exA-1# run show ethernet-switching interfaces detail
Interface: ge-0/0/8.0, Index: 66, State: up, Port mode: Access
Ether type for the interface: 0x8100
VLAN membership:
  v200, 802.1Q Tag: 200, Mapped Tag: 10, push, dot1q-tunneled, unblocked
Number of MACs learned on IFL: 0
Interface: ge-0/0/12.0, Index: 65, State: up, Port mode: Trunk
Ether type for the interface: 0x8100
VLAN membership:
  v200, 802.1Q Tag: 200, dot1q-tunneled, tagged, unblocked
Number of MACs learned on IFL: 0

lab@exA-1# run show vlans v200 extensive
VLAN: v200, Created at: Fri Jul 18 08:15:28 2014
802.1Q Tag: 200, Internal index: 10, Admin State: Enabled, Origin: Static
Dot1q Tunneling status: Enabled
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 1 (Active = 1), Untagged 0 (Active = 0)
  ge-0/0/12.0*, tagged, trunk
Number of mapping rules: Push 1 (Active = 1), Policy 0 (Active = 0), Swap 0 (Active = 0)
  ge-0/0/8.0*, 10, push

Layer 2 Protocol Tunneling

By default, Layer 2 protocols such as RSTP, MVRP and LLDP are not tunnelled across the Q-in-Q network; Layer 2 protocol tunneling (L2PT, not to be confused with L2TP) has to be enabled per protocol. Protocols L2PT can tunnel on EX switches:
- 802.1X authentication
- 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM)
- Cisco Discovery Protocol (CDP)
- Ethernet local management interface (E-LMI)
- GVRP
- Link Aggregation Control Protocol (LACP)
- Link Layer Discovery Protocol (LLDP)
- Multiple MAC Registration Protocol (MMRP)
- MVRP
- Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP)
- Unidirectional Link Detection (UDLD)
- VLAN Spanning Tree Protocol (VSTP)
- VLAN Trunking Protocol (VTP)

lab@exA-2# set vlans v200 dot1q-tunneling layer2-protocol-tunneling ?
Possible completions:
  802.1x               Tunnel 802.1X PDUs
  802.3ah              Tunnel 802.3AH (Ethernet Link OAM) PDUs
  all                  Tunnel all layer-2 protocol PDUs
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  cdp                  Tunnel CDP PDUs
  e-lmi                Tunnel E-LMI PDUs
  gvrp                 Tunnel GVRP PDUs
  lacp                 Tunnel LACP PDUs
  lldp                 Tunnel LLDP PDUs
  mmrp                 Tunnel MMRP PDUs
  mvrp                 Tunnel MVRP PDUs
  stp                  Tunnel STP PDUs
  udld                 Tunnel UDLD PDUs
  vstp                 Tunnel VSTP PDUs
  vtp                  Tunnel VTP PDUs

A threshold and the corresponding action can be defined per protocol: drop-threshold discards PDUs above the threshold, shutdown-threshold disables the interface. This limits how much control-plane traffic a customer can inject into the provider network. After a shutdown, the command clear ethernet-switching layer2-protocol-tunneling error re-enables the interface.

lab@exA-2# set vlans v200 dot1q-tunneling layer2-protocol-tunneling stp ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  drop-threshold       Drop threshold for the protocol (1..1000)
  shutdown-threshold   Shutdown threshold for the protocol (1..1000)
  |                    Pipe through a command

show ethernet-switching layer2-protocol-tunneling interfaces
show ethernet-switching layer2-protocol-tunneling statistics
show ethernet-switching layer2-protocol-tunneling vlan v200

***** Advanced Spanning Tree *****

RSTP is enabled by default.

user@DS-1# set protocols rstp bridge-priority 4k

user@DS-1> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.00:26:88:02:74:90
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 1
  Time since last topology change   : 2114 seconds
  Topology change initiator         : ge-0/0/1.0
  Topology change last recvd. from  : 00:26:88:02:6b:81
  Local parameters
    Bridge ID                       : 4096.00:26:88:02:74:90
    Extended system ID              : 0
    Internal instance ID            : 0

Root ID and Bridge ID are the same, so after the priority change DS-1 is the root bridge.

VSTP is compatible with Cisco PVST and RPVST.

Multiple Spanning Tree Region

Supports up to 64 instances; the information for all MSTP instances is carried in a single BPDU.

MSTP configuration
set protocols mstp configuration-name
set protocols mstp revision-level
set protocols mstp bridge-priority
set protocols mstp msti bridge-priority
set protocols mstp msti vlan (vlan-id | vlan-name)
show spanning-tree interface
show spanning-tree mst configuration
show spanning-tree bridge

VLAN Spanning Tree Protocol
- Proprietary, but interoperable with PVST and Rapid PVST.
- Supports up to 253 spanning-tree topologies.
- The VLANs that take part in VSTP are selected explicitly.
- RSTP and VSTP are the only spanning-tree protocols that can run in parallel.

VSTP configuration
- RSTP is used by default.
- Use vlan-group when a VLAN range is used.
- MVRP does not support VSTP, so the VLANs must be defined statically on the trunks.

set protocols vstp disable
set protocols vstp force-version stp
set protocols vstp vlan-group group vlan (vlan-id | vlan-id-range)
set protocols vstp vlan-group group bridge-priority
set protocols vstp vlan (all | vlan-id | vlan-name) max-age
set protocols vstp vlan (all | vlan-id | vlan-name) forward-delay
set protocols vstp vlan (all | vlan-id | vlan-name) interface (all | interface-name) cost
set protocols vstp vlan (all | vlan-id | vlan-name) interface (all | interface-name) disable
set protocols vstp vlan (all | vlan-id | vlan-name) interface (all | interface-name) mode
set protocols vstp vlan (all | vlan-id | vlan-name) interface (all | interface-name) edge

The option vlan all makes VLANs up to the 253-topology limit participate in VSTP.

set protocols vstp vlan-group group group-A vlan 10-19
set protocols vstp vlan-group group group-A bridge-priority 4k
set protocols vstp vlan-group group group-B vlan 20-29
set protocols vstp vlan-group group group-B bridge-priority 8k
Access Control and Authentication

Users can be authenticated with 802.1X, MAC RADIUS and captive portal, all backed by RADIUS.

802.1X is the IEEE standard for port-based access control and authentication. It involves three elements: the 802.1X host (supplicant), the switch (authenticator) and the RADIUS server (authentication server). It uses the Extensible Authentication Protocol (EAP); EAPOL (EAP over LAN) messages are exchanged between the supplicant and the authenticator.

Supplicant <- EAPOL messages -> Authenticator <- RADIUS messages -> Authentication server

Supplicant modes:
- Single (default): only the first supplicant is authenticated; any other device connected to the same port is authorised without authentication. A hub, or a compromised host, behind that port therefore rides on the first device's authentication; use single-secure or multiple where that matters.
- Single-secure: allows only one supplicant; all other devices on the same port are denied.
- Multiple: allows multiple supplicants, each authenticated individually.

Periodic reauthentication
By default the switch forces supplicants to re-authenticate every 3600 seconds. The interval can be set between 1 and 65535 seconds.
set protocols dot1x authenticator interface

802.1X in mixed environments
- 802.1X-enabled switch with a non-802.1X client: the switch drops the client's traffic.
- Non-802.1X switch with an 802.1X-enabled client: the client assumes it is authenticated when the switch does not respond.

802.1X can assign hosts to a VLAN dynamically during authentication: RADIUS returns the VLAN attribute in the Access-Accept message, and the VLAN must already be configured on the switch. Firewall filters can also be assigned dynamically. Vendor-specific attributes (VSAs) are described in RFC 2138 (obsoleted by RFC 2865). The Juniper VSA vendor ID is 2636. VSAs are only supported with 802.1X single and multiple supplicant configurations.

You can configure 802.1X, MAC RADIUS and captive portal on the same interface in any combination, except that you cannot configure MAC RADIUS and captive portal on an interface without also configuring 802.1X. Fallback between the methods follows the same order: if 802.1X fails, MAC RADIUS is tried, and so on.

Guest VLAN
When a user fails authentication, it can be placed in a guest VLAN that only gives access to the Internet. The Access-Reject message from RADIUS can also carry information about a specific VLAN other than the guest VLAN, for example to give access to a share from which the supplicant software can be downloaded.

RADIUS fail fallback
If the RADIUS server fails to respond or to authenticate a device, one of the following actions can be specified:
- Permit: allow traffic from the device as if it had been authenticated successfully.
- Deny: block traffic from the device (default).
- Move: place the device in a specified VLAN.
- Sustain: keep authentication for devices that already have LAN access and deny devices that are not authenticated.
The server fail fallback options apply to 802.1X, MAC RADIUS and captive portal. Permit turns a RADIUS outage, or anything that can make RADIUS unreachable from the switch, into an open port; prefer sustain or a quarantine VLAN where the ports are reachable by untrusted users.

Static MAC bypass
A list of MAC addresses, configured on the switch under protocols dot1x, that are given LAN access without authentication; typically used for printers and IP phones. A MAC address is trivial to spoof, so each entry reduces that port to MAC-based access control. If static MAC bypass is used, the interface must be in multiple supplicant mode:

[edit protocols dot1x]
user@switch# commit
[edit protocols dot1x authenticator static 00:26:88:02:6b:87/48 interface]
  'interface ge-0/0/7.0'
    Static MAC cannot be configured on interface in single or single-secure mode
error: commit failed: (statements constraint check failed)

set access radius-server port
set access radius-server secret
set access radius-server source-address
! Define the authentication profile
set access profile authentication-order radius
set access profile radius authentication-server
set protocols dot1x authenticator authentication-profile-name
set protocols dot1x authenticator static vlan-assignment (vlan-name | vid) interface
set protocols dot1x authenticator interface disable
set protocols dot1x authenticator interface supplicant (single | single-secure | multiple)
set protocols dot1x authenticator interface reauthentication seconds
set protocols dot1x authenticator interface no-reauthentication
set protocols dot1x authenticator interface guest-vlan (vlan-name | vid)

! Defining a range of MAC addresses (the /24 mask matches every address in the 00:26:88 OUI)
[edit protocols dot1x]
user@switch# show
authenticator {
    static {
        50:c5:8d:ba:62:05/48;
        00:26:88:00:00:00/24;
    }
}
...

! Enable server fail fallback (use-cache corresponds to Sustain, vlan-name to Move)
set protocols dot1x authenticator interface ge-0/0/15.0 server-fail (deny | permit | use-cache | vlan-name)
show dot1x interface
show dot1x static-mac-address
show dot1x authentication-failed-users

MAC RADIUS
Authenticates devices that do not have 802.1X enabled against the RADIUS database using their MAC address. More scalable than static MAC bypass, but still MAC-based: it identifies a device, not a user. 802.1X and MAC RADIUS can coexist on the same interface, allowing 802.1X and non-802.1X clients. An interface can be restricted to MAC RADIUS only with mac-radius restrict.

Configuring MAC RADIUS
set access radius-server port
set access radius-server secret
set access radius-server source-address
! Define the authentication profile
set access profile authentication-order radius
set access profile radius authentication-server
set protocols dot1x authenticator authentication-profile-name profile-name
set protocols dot1x authenticator interface ge-0/0/14.0 mac-radius
set protocols dot1x authenticator interface ge-0/0/15.0 mac-radius restrict
Even with the restrict option, dynamic VLANs and RADIUS attributes keep working.
show dot1x interface detail

Captive Portal
Allows web-based authentication against RADIUS. Two methods exist:
1. The portal is served locally on the switch and authentication is done by RADIUS.
2. The Pulse Access Control Service offloads both the portal and the authentication.
Before the user is authenticated, a set of requests such as DHCP and DNS has to be allowed through. A MAC authentication whitelist can be used to skip the captive portal.

lab@exA-1# set system services web-management https ?
Possible completions:
  <[Enter]>                     Execute this command
+ apply-groups                  Groups from which to inherit configuration data
+ apply-groups-except           Don't inherit configuration data from these groups
+ interface                     Interfaces that accept HTTPS access
  local-certificate             X.509 certificate to use (from configuration)
  pki-local-certificate         X.509 certificate to use (from PKI local store)
  port                          TCP port for incoming HTTPS connections (1..65535)
  system-generated-certificate  X.509 certificate generated automatically by system
  |                             Pipe through a command

! Steps to generate a certificate on the switch
! (the 1024-bit RSA key used in this lab is below current minimums; use size 2048 or larger in production)
user@switch> request security pki generate-key-pair size 1024 type rsa certificate-id my-cert
user@switch> request security pki local-certificate generate-self-signed certificate-id my-cert domain-name juniper.net email user@juniper.net ip-address 10.210.14.131 subject "CN=BM0208124277, CN=system generated, CN=self-signed"
user@switch# set system services web-management https pki-local-certificate my-cert

! Generating a certificate with third-party software
! (-nodes writes the private key unencrypted into the same file: copy it to the switch over a secure channel and delete the workstation copy afterwards)
user@server$ openssl req -x509 -nodes -newkey rsa:1024 -keyout name-of-cert.pem -out name-of-cert.pem
user@server$ cat name-of-cert.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCu5hAiBag2iezCVGE5dWoj4w1iJo1VdQNZvzMdCrmKHNrO8wnC
...
vETZ/wtb8wL6kFskmoEC1mP3Vnz0tnhKo+sUmwDnXT1XgBYd3dgAdHfq8Y2Spmg=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIJAJHTcY0ugTjqMA0GCSqGSIb3DQEBBAUAMEUxCzAJBgNV
...
w5WoUn9IbiCpdzOeq53oCgIz01joCQpr6hFkTz1Kpz/mS4QX+Tgx4Qq7GNMUFL4=
-----END CERTIFICATE-----

! After generating the certificate, copy it to the switch and reference it in the configuration
user@switch# set security certificates local name-of-cert load-key-file name-of-cert.pem
user@switch# set system services web-management https local-certificate name-of-cert

Configuring captive portal
set access radius-server port
set access radius-server secret
set access radius-server source-address
! Define the authentication profile
set access profile authentication-order radius
set access profile radius authentication-server

! Parameters for the Access Control Service (MAG series)
user@switch# set ethernet-switching-options uac-policy
[edit services unified-access-control]
user@switch# show
infranet-controller hostname {
    address ip-address;
    interface interface-name;
    password UAC-password;
}
timeout seconds;
interval seconds;
timeout-action action;

! Define the authentication profile and interface
set services captive-portal authentication-profile-name profile-name
set services captive-portal interface ge-0/0/0.0 supplicant multiple
set services captive-portal secure-authentication https

Captive portal:
- can only be configured on Layer 2 interfaces and is the fallback option for 802.1X;
- does not support dynamic VLAN assignment;
- by default uses single supplicant mode, 3 authentication attempts, a 60-second hold after the allowed attempts are exhausted, and re-authentication every 3600 seconds (adjust with session-expiry).
Use secure-authentication https so that the credentials entered in the portal are not sent in clear text.

! Customise the portal
set services captive-portal custom-options
! Define a MAC authentication whitelist
set ethernet-switching-options authentication-whitelist 00:26:88:e1:45:00/48 interface ge-0/0/1.0
! Define the authentication profile and interface
set services captive-portal authentication-profile-name profile-name
set services captive-portal interface ge-0/0/1.0 supplicant multiple
set services captive-portal secure-authentication https
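The RADIUS side of the dynamic VLAN assignment, the Juniper VSA (Vendor-Id 2636) and the guest-VLAN handling of an Access-Reject described above, as an added example that is not part of the original notes and not Junos or Juniper code. It decodes the RFC 2868 tunnel attributes a switch looks for, verifies the Response Authenticator before trusting anything in the reply, and applies the rule that the returned VLAN must already exist on the switch. The packets and shared secret are constructed; the Juniper vendor attribute number 48 and the "deny when the VLAN is not configured" policy are assumptions made for the demonstration.

```python
"""Decode the RADIUS reply that drives dynamic VLAN assignment (RFC 2868
tunnel attributes and a Juniper VSA, Vendor-Id 2636) and verify the Response
Authenticator before trusting any of it.

Added example, not Junos or Juniper code and not from the original notes. The
packets and shared secret are constructed; the Juniper vendor attribute number
48 and the "deny when the returned VLAN does not exist" policy are assumptions
made for the demonstration."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868
JUNIPER_VENDOR_ID = 2636
VSA_SWITCHING_FILTER = 48    # ASSUMED vendor attribute number for this example


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the Type/Length/Value list that follows the 20-byte RADIUS header."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 2 or data[off + 1] < 2 or off + data[off + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % off)
        attrs.append((data[off], data[off + 2:off + data[off + 1]]))
        off += data[off + 1]
    return attrs


def strip_tag(value: bytes) -> bytes:
    """RFC 2868: the first octet is a Tag only if it is <= 0x1F."""
    return value[1:] if value and value[0] <= 0x1F else value


def parse_vsa(value: bytes) -> Tuple[int, int, bytes]:
    """Vendor-Specific: 4-byte Vendor-Id, then vendor type/length/value."""
    if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
        raise ValueError("malformed vendor-specific attribute")
    return struct.unpack("!I", value[:4])[0], value[4], value[6:4 + value[5]]


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decide_port_access(packet: bytes, request_auth: bytes, secret: bytes,
                       configured_vlans: Dict[str, int], guest_vlan: Optional[str]) -> Dict[str, object]:
    """What the authenticator should do with the port for this reply."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return {"action": "deny", "reason": "malformed packet"}
    if not verify_response_authenticator(packet, request_auth, secret):
        return {"action": "deny", "reason": "authenticator mismatch"}  # forged reply or wrong secret
    code = packet[0]
    if code == ACCESS_REJECT:
        if guest_vlan:
            return {"action": "guest-vlan", "vlan": guest_vlan}
        return {"action": "deny", "reason": "rejected and no guest VLAN"}
    if code != ACCESS_ACCEPT:
        return {"action": "deny", "reason": "unexpected code %d" % code}
    tunnel_type = medium = vlan = None
    filters: List[str] = []
    for atype, value in parse_attributes(packet[20:]):
        if atype == ATTR_TUNNEL_TYPE:
            tunnel_type = int.from_bytes(strip_tag(value), "big")
        elif atype == ATTR_TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(strip_tag(value), "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            vlan = strip_tag(value).decode("ascii", "replace")
        elif atype == ATTR_VENDOR_SPECIFIC:
            vendor, vtype, vvalue = parse_vsa(value)
            if vendor == JUNIPER_VENDOR_ID and vtype == VSA_SWITCHING_FILTER:
                filters.append(vvalue.decode("ascii", "replace"))
    if vlan is None:  # no dynamic VLAN: the port keeps its static VLAN
        return {"action": "accept", "vlan": None, "filters": filters}
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return {"action": "deny", "reason": "tunnel attributes do not describe a VLAN"}
    # The VLAN may be given by name or numeric ID, but it must already exist on the switch.
    known = vlan in configured_vlans or (vlan.isdigit() and int(vlan) in configured_vlans.values())
    if not known:
        return {"action": "deny", "reason": "VLAN %s not configured on switch" % vlan}
    return {"action": "accept", "vlan": vlan, "filters": filters}


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Build a reply the way a RADIUS server does, including the Response Authenticator."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


# Constructed exchange: the Request Authenticator the switch sent, the shared secret,
# and an Access-Accept placing the supplicant in vlan-20 with a Juniper filter VSA.
REQUEST_AUTH = bytes(range(16))
SECRET = b"example-shared-secret"
VSA = struct.pack("!I", JUNIPER_VENDOR_ID) + _attr(VSA_SWITCHING_FILTER,
                                                    b"match destination-ip 10.0.0.0/8 action deny")
SAMPLE_ACCEPT = build_response(ACCESS_ACCEPT, 7,
                               _attr(ATTR_TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                               + _attr(ATTR_TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
                               + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x01vlan-20")
                               + _attr(ATTR_VENDOR_SPECIFIC, VSA),
                               REQUEST_AUTH, SECRET)
SAMPLE_REJECT = build_response(ACCESS_REJECT, 8, b"", REQUEST_AUTH, SECRET)
CONFIGURED_VLANS = {"vlan-10": 10, "vlan-20": 20}
```

decide_port_access(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET, CONFIGURED_VLANS, "guest") yields the vlan-20 assignment plus the filter string; the same reply with a wrong secret or a single altered byte is refused before any attribute is read, which is the property that stops a spoofed Access-Accept from moving a port. A real EAP deployment additionally requires the Message-Authenticator attribute (RFC 3579) on these packets; the example leaves that check out.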
lab@exC-1> show captive-portal ? Possible completions: authentication-failed-users List users who have failed captive-portal authentication firewall Show captive-portal firewall statistics for an interface interface Show Captive Portal interface information lab@exC-1> clear captive-portal ? Possible completions: firewall Clear captive-portal firewall statistics for a counter interface Clear 802.1X session on an interface mac-address Clear 802.1X session on a MAC address Com os vários méodos de autenticação enabled, é seguido o Authentication Process Flow Authentication Process Flow This slide illustrates the authentication process. The authentication process resembles the following: 1. Authentication is initiated by an end device sending an EAP request or a data packet. 2. If the MAC address of the end device is in the static MAC bypass list or the authentication whitelist, the switch accepts the end device without querying the authentication server and allows the end device to access the LAN. 3. If the MAC address is not in the static MAC bypass list or the authentication whitelist, the switch checks whether an authenticator statement is configured on the interface. If an authenticator is not configured, the switch checks for captive portal configuration. If captive portal configuration exists for the interface, skip to Step 6. If an authenticator is configured: a. The switch checks whether the mac-radius restrict statement is configured on the interface. If mac-radius restrict is configured, the switch does not attempt 802.1X authentication and skips to Step 5. If it is configured, the switch moves to Step b. b. The switch sends either an EAP request (if the end device initiated contact with a data packet) or an EAP response (if th e end device initiated contact with an EAPOL-start message). c. If the switch receives no response, it tries sending an EAP request two more times (a total of three attempts by default). d. 
If the end device does not respond to the EAP messages sent by the switch, the switch checks for MAC RADIUS configuration. If MAC RADIUS configuration exists, the switch skips to Step 4. If the end device responds to the EAP messages, the switch proceeds to step 5. e. When an EAP request is received from the end device, the switch sends an authentication request message to the authentication server. If the authentication server does not respond, the switch checks whether a server fail VLAN is configured. If a server fail VLAN exists, the switch performs the configured server fail fallback operation. If no server fail VLAN is available, the switch skips to Step 6. f. The authentication server sends an access-accept or access-reject message. If the authentication server sends an access-reject message, the switch skips to Step 8. 4. If the end device does not respond to the EAP messages, the switch checks whether MAC RADIUS authentication is configured on the interface. If it is not configured, the switch skips to Step 6. 5. If MAC RADIUS authentication is configured on the interface: a. The switch sends a MAC RADIUS authentication request to the authentication server. The switch sends only one such request. If the authentication server does not respond, the switch checks whether a server fail VLAN is configured on the switch. If a server fail VLAN is available, the switch performs the configured server fail fallback operation. If no server fail VLAN is available, the switch skips to Step 8. b. The authentication server sends an access-accept or access-reject message. If the authentication server sends an access-reject message, the switch proceeds to Step 6. 6. If MAC RADIUS authentication is not configured on the interface or if the authentication server responds with an access-reject message for MAC RADIUS authentication, the switch checks whether captive portal is configured on the interface. 
If captive portal is not configured on the interface, the switch skips to Step 8. 7. If captive portal authentication is configured on the interface: a. The switch sends a request to the user on the end device for captive portal authentication information. b. The switch sends the captive portal authentication information to the authentication server. c. The authentication server sends an access-accept or access-reject message. If the server sends an access-reject message, the switch proceeds to Step 8. 8. The switch checks whether a guest VLAN is configured. If a guest VLAN is configured, the switch allows the end device limited access to the LAN. ************Class of Service (PDF)************** Match em valores CoS existentes - Behaviour Aggregate (BA) classification Match no protocol, port, address - Multifield (MF) classification Suporte para IEEE 802.1p, IP Precedence, DSCP, DSCP IPv6 Após o tráfego ser classificado é associado ás queues de output com base na forwarding class Caso o BA e MF sejam configurados em simultaneo, o BA e executado em primeiro, mas caso exista um conflito de resultado a classificação MF sobrepoem-se. "Note that when a source media access control (MAC) address is learned, the frame that contains the source MAC address is always sent out queue 0 on egress interfaces regardless of the classifier applied to the ingress interface." A BA classification é tipicamente usado no Core, 3 tipos de BA suportados nas plataformas EX: • DiffServ code point (DSCP) for IP DiffServ • IP precedence bits • 802.1p CoS bits Code Point Aliases Code-points aliases são: nomes assignados para padrões de code-point bits util quando configurado classifiers, drop-profile maps e rewrite rules lab@exC-1# run show class-of-service cod? Possible completions: code-point-aliases Show mapping of symbolic name to code point bit pattern Os code-point aliases estão disponiveis para DSCP, IP Precedence, e 802.1p. 
The alias you will meet most often is ef (expedited forwarding).
[edit class-of-service]
user@switch# set code-point-aliases dscp custom-ef 101110
[edit class-of-service]
user@switch# run show class-of-service code-point-aliases dscp | match ef
custom-ef    101110
ef           101110

Forwarding Classes
EX switches support up to 16 forwarding classes and 8 output queues.
*The default forwarding classes and their queue assignments vary between EX models and Junos releases.
lab@exC-1# run show class-of-service forwarding-class
Forwarding class                ID   Queue  Policing priority
best-effort                      0       0   normal
expedited-forwarding             1       5   normal
assured-forwarding               2       1   normal
network-control                  3       7   normal

Controlling Congestion
Loss priority and drop profiles decide what is discarded when a queue congests.
Shapers and policers drop the traffic that exceeds the configured rate (out-of-profile traffic).
EX switches support weighted tail drop (WTD) or weighted random early detection (WRED).
WTD: drops packets once the queue is 100% full. According to these notes WTD is supported only on the EX2200, EX3200 and EX4200.
WRED: once a configured fill level is reached, Junos starts discarding packets at random, taking the packet loss priority (PLP), low or high, into account. Packets with PLP high have a higher probability of being discarded.
  Drop first: loss priority high
  Drop last:  loss priority low
Junos supports two ways of implementing WRED: segmented and interpolated. A segmented profile is a stair-step (one drop probability per configured fill level); an interpolated profile is a smoother curve drawn through the configured points. WRED is supported only on the EX8200 line cards.

Loss Priority and Drop Profiles
Loss priority is used together with drop profiles, classifiers and policers to identify the priority of traffic.
With WTD every packet is dropped once the drop level is reached, regardless of its PLP value.
A drop profile maps queue fill level to drop probability:
  fill level 0%  -> drop probability 0%
  fill level 75% -> drop probability 75%, i.e. once the queue is 75% full, arriving packets of that loss priority are discarded with a 75% probability
Drop profiles are mapped to individual queues (through the scheduler's drop-profile map).
lab@exA-2# set class-of-service drop-profiles fill-75 fill-level 75 drop-probability 75

Rate Limiting Traffic
Policers or shapers are used to enforce a given rate:
  Policers act on the ingress interface.
  Shapers act on the egress interface or queue.
EX switches support two kinds of token-bucket rate limiting: policing and shaping.
Rate limiters measure the actual packets (preamble and inter-frame gap are excluded).
Policing can drop incoming packets, or change their PLP, but only on ingress; it is configured under [edit firewall] and applied directly to the interface under [edit interfaces].
Port shaping sets the egress bandwidth of the port, while queue shaping limits the rate at which a queue transmits. For example, queue shaping can rate-limit a strict-priority queue so that it cannot consume all the bandwidth and starve the low-priority queues.
Port and queue shaping are configured under [edit class-of-service].

Allocating Resources
CoS allocates resources to queues using schedulers. The scheduling components are:
  Queue priority
  Transmission rate
  Buffer size
  Drop-profile maps
A scheduler is associated with a particular queue and forwarding class through a scheduler map.
The order in which packets are transmitted is set by giving each forwarding class a priority and a transmission rate.
By default EX switches assign 95% of the bandwidth to queue 0 (best-effort forwarding class) and 5% to queue 7 (network-control forwarding class). The software assigns a transmit rate of 0 to the remaining queues; by default any queue may exceed its transmit rate when the other queues are not using their assigned rates.
Buffer size is the size of each queue. By default the software assigns 95% of the buffer space to queue 0 and 5% to queue 7; the remaining queues get no buffer space.
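To make the classification and rewrite tables in these notes concrete, here is the DSCP path a packet takes through a BA classifier with `import default` plus overrides, the forwarding-class-to-queue table above, and the dscp-default rewrite rule on egress. This is an added example written for these notes, not Junos code: the alias bit patterns are the standard DiffServ values, the forwarding-class overrides are the ones in the my-classifier configuration further down, and the contents of the stock dscp-default classifier are reproduced from memory and marked as an assumption in the code.

```python
"""Behavior-aggregate classification on the DSCP field, then the egress rewrite.
Added example modelled on the tables in these notes; not Junos code."""
from typing import Dict, Tuple

# Code-point aliases (standard DiffServ bit patterns; `ef` is the one shown above).
ALIASES: Dict[str, str] = {
    "be": "000000", "ef": "101110",
    "af11": "001010", "af12": "001100", "af13": "001110",
    "cs3": "011000", "af31": "011010", "af41": "100010",
    "cs6": "110000", "cs7": "111000",
}

# Forwarding class -> queue, as in `show class-of-service forwarding-class` above.
FC_TO_QUEUE = {"best-effort": 0, "assured-forwarding": 1,
               "expedited-forwarding": 5, "network-control": 7}

Decision = Tuple[str, str]   # (forwarding class, loss priority)

# What `import default` brings into a dscp classifier. ASSUMPTION: this is the stock
# Junos dscp-default classifier as I remember it; confirm on the switch with
# `show class-of-service classifier name dscp-default`.
DSCP_DEFAULT_CLASSIFIER: Dict[str, Decision] = {
    ALIASES["ef"]:   ("expedited-forwarding", "low"),
    ALIASES["af11"]: ("assured-forwarding", "low"),
    ALIASES["af12"]: ("assured-forwarding", "high"),
    ALIASES["af13"]: ("assured-forwarding", "high"),
    ALIASES["cs6"]:  ("network-control", "low"),
    ALIASES["cs7"]:  ("network-control", "high"),
}
UNMATCHED: Decision = ("best-effort", "low")

# dscp-default rewrite rule, copied from the `show class-of-service rewrite-rule` output.
DSCP_DEFAULT_REWRITE: Dict[Decision, str] = {
    ("best-effort", "low"): "000000",          ("best-effort", "high"): "000000",
    ("expedited-forwarding", "low"): "101110", ("expedited-forwarding", "high"): "101110",
    ("assured-forwarding", "low"): "001010",   ("assured-forwarding", "high"): "001100",
    ("network-control", "low"): "110000",      ("network-control", "high"): "111000",
}


def build_classifier(overrides) -> Dict[str, Decision]:
    """`import default` followed by explicit forwarding-class / code-points statements."""
    table = dict(DSCP_DEFAULT_CLASSIFIER)
    for alias, fc, plp in overrides:
        table[ALIASES[alias]] = (fc, plp)
    return table


# The my-classifier configured under "Enabling BA Classification".
MY_CLASSIFIER = build_classifier([
    ("ef",   "expedited-forwarding", "low"),
    ("cs3",  "network-control",      "low"),
    ("af31", "network-control",      "low"),
    ("af41", "assured-forwarding",   "low"),
])


def dscp_of(tos_byte: int) -> str:
    """DSCP is the upper six bits of the IPv4 TOS / IPv6 traffic-class byte."""
    return format((tos_byte >> 2) & 0x3F, "06b")


def classify(tos_byte: int, trusted: bool = True, table=MY_CLASSIFIER):
    """Returns (forwarding class, loss priority, queue). trusted=False mimics the
    ieee8021p-untrust behaviour of an access port: everything becomes best-effort."""
    fc, plp = table.get(dscp_of(tos_byte), UNMATCHED) if trusted else UNMATCHED
    return fc, plp, FC_TO_QUEUE[fc]


def rewrite(tos_byte: int, fc: str, plp: str, rules=DSCP_DEFAULT_REWRITE) -> int:
    """Egress rewrite: new DSCP taken from (fc, plp); the two ECN bits are kept."""
    return (int(rules[(fc, plp)], 2) << 2) | (tos_byte & 0x03)


def forward(tos_byte: int, trusted: bool = True) -> Tuple[str, str, int, int]:
    """Classify on ingress, pick the queue, rewrite on egress; returns the new TOS byte last."""
    fc, plp, queue = classify(tos_byte, trusted)
    return fc, plp, queue, rewrite(tos_byte, fc, plp)


if __name__ == "__main__":
    for tos in (0xB8, 0x68, 0x6B, 0x30, 0x20):   # ef, af31, af31 with ECN bits, af12, cs1
        print(f"tos=0x{tos:02x} dscp={dscp_of(tos)} -> {forward(tos)}")
```

Running it shows a side effect of the override that is easy to miss: af31 (0x68) is not only queued as network-control, it leaves the switch re-marked as cs6 (0xC0) once the default rewrite rule is on, so downstream devices see a different marking than the sender set. It also shows why `ge-* unit *` is a broad place to attach a trusting classifier: every port, access ports included, then honours whatever DSCP a host chooses, and a host marking EF lands in the strict-high queue. Keep untrust on user-facing ports or police EF there.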
If queues other than 0 and 7 are used, buffers must be assigned to those queues.

Queue Priority
Queues are serviced according to their assigned priority. The priorities on EX switches are:
Strict high (SH): traffic in a strict-high queue has preference over traffic in the low-priority queues. Strict-high queues have unlimited bandwidth and are scheduled in queue-number order, starting at 7 and going down to 0; when two queues are strict-high, the higher-numbered queue is serviced first. Packets in the low-priority queues are serviced only when the strict-high queues are empty.
Low (L): the scheduler checks whether the queue is within its bandwidth profile. This is re-evaluated on a regular cycle by comparing the amount of traffic transmitted with the bandwidth allocated by the scheduler; if the amount transmitted exceeds the allocation, the queue is considered out of profile. An out-of-profile queue transmits only if bandwidth is available; otherwise its traffic is buffered.

Default Classifier
Access ports use the ieee8021p-untrust classifier, which classifies all traffic as best effort.
Trunk ports use the ieee8021p-default classifier, which classifies traffic as best effort or network control based on the 802.1p CoS bits.
lab@exA-2# run show class-of-service interface ge-0/0/6
Physical interface: ge-0/0/6, Index: 135
Queues supported: 8, Queues in use: 4
  Scheduler map: , Index: 2
  Congestion-notification: Disabled

  Logical interface: ge-0/0/6.0, Index: 66
Object                  Name                   Type                    Index
Classifier              ieee8021p-untrust      untrust                    16

lab@exA-2# run show class-of-service interface ge-0/0/12
Physical interface: ge-0/0/12, Index: 141
Queues supported: 8, Queues in use: 4
  Scheduler map: , Index: 2
  Congestion-notification: Disabled

  Logical interface: ge-0/0/12.0, Index: 65
Object                  Name                   Type                    Index
Classifier              ieee8021p-default      ieee8021p                  11

By default EX switches service only the best-effort and network-control queues; the EX8200 additionally services multicast best-effort (queue 2).

show interfaces ge-0/0/6 extensive
...
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                    0                    0                    0
    1 assured-forw                   0                    0                    0
    5 expedited-fo                   0                    0                    0
    7 network-cont                   0                    0                    0
...
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 best-effort            95      950000000    95             NA      low    none
    7 network-control         5       50000000     5             NA      low    none

Rewrite Rules
By default EX switches do not rewrite CoS bits. The default rewrite rule or a custom one can be used; by default no rewrite rule is applied to the interfaces.
{master:0}
lab@exA-2> show class-of-service rewrite-rule type dscp
Rewrite rule: dscp-default, Code point type: dscp, Index: 31
  Forwarding class                    Loss priority       Code point
  best-effort                         low                 000000
  best-effort                         high                000000
  expedited-forwarding                low                 101110
  expedited-forwarding                high                101110
  assured-forwarding                  low                 001010
  assured-forwarding                  high                001100
  network-control                     low                 110000
  network-control                     high                111000

lab@exA-2# set class-of-service interfaces ge-* unit * rewrite-rules dscp ?
Possible completions:
  <name>               Name of rewrite rule to be applied
  default              Apply default rewrite rule
lab@exA-2# set class-of-service interfaces ge-* unit * rewrite-rules dscp default
lab@exC-1# run show class-of-service interface ge-0/0/12
Physical interface: ge-0/0/12, Index: 141
Queues supported: 8, Queues in use: 4
  Scheduler map: , Index: 2
  Congestion-notification: Disabled

  Logical interface: ge-0/0/12.0, Index: 65
Object                  Name                   Type                    Index
Rewrite                 dscp-default           dscp                       31
Classifier              ieee8021p-default      ieee8021p                  11

Changing the Default Behavior
To use other forwarding classes and queues, configure the following:
1. Enable BA classification on the relevant interfaces.
2. Define the schedulers and allocate resources.
3. Associate the schedulers with the forwarding classes using scheduler maps and apply them to the relevant interfaces.
root@exC-2# set class-of-service ?
Possible completions:
...
> classifiers          Classify incoming packets based on code point value
> interfaces           Apply class-of-service options to interfaces
> scheduler-maps       Mapping of forwarding classes to packet schedulers
> schedulers           Packet schedulers

Enabling BA Classification
set class-of-service classifiers dscp my-classifier import default
set class-of-service classifiers dscp my-classifier forwarding-class expedited-forwarding loss-priority low code-points ef
set class-of-service classifiers dscp my-classifier forwarding-class network-control loss-priority low code-points cs3
set class-of-service classifiers dscp my-classifier forwarding-class network-control loss-priority low code-points af31
set class-of-service classifiers dscp my-classifier forwarding-class assured-forwarding loss-priority low code-points af41
set class-of-service interfaces ge-* unit * classifiers dscp my-classifier
lab@exC-1# run show class-of-service interface ge-0/0/6
Physical interface: ge-0/0/6, Index: 135
Queues supported: 8, Queues in use: 4
  Scheduler map: , Index: 2
  Congestion-notification: Disabled

  Logical interface: ge-0/0/6.0, Index: 66
Object                  Name                   Type                    Index
Classifier              my-classifier          dscp                    13741

Defining Schedulers
lab@exC-1# set class-of-service schedulers expedited-forwarding priority strict-high buffer-size percent 20
lab@exC-1# set class-of-service schedulers network-control priority strict-high buffer-size percent 10
lab@exC-1# set class-of-service schedulers assured-forwarding priority low transmit-rate percent 70
lab@exC-1# set class-of-service schedulers assured-forwarding buffer-size percent 20
lab@exC-1# set class-of-service schedulers best-effort priority low transmit-rate percent 30
lab@exC-1# set class-of-service schedulers best-effort buffer-size percent 50
Strict-high queues without a transmit rate take whatever bandwidth they need; they can consume all the available bandwidth and leave the other queues starving.
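The allocation rules in these notes (low-priority transmit rates and buffer percentages must fit in 100%, every queue you use needs buffer, and an unshaped strict-high queue can starve everything else) are easy to check before a commit. The following is an added example, not part of the original notes or of Junos: it models the four schedulers configured above as data, lints them against those rules and renders the equivalent set statements. The `shaping-rate` knob is the real scheduler-level statement used for queue shaping; the rest of the structure is my own.

```python
"""Scheduler sanity check for the queue-allocation rules in these notes.
Added example; it only models the statements and does not talk to a switch."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Scheduler:
    priority: str = "low"                  # "low" or "strict-high"
    transmit_rate_pct: Optional[int] = None
    buffer_pct: Optional[int] = None
    shaping_rate: Optional[str] = None     # queue shaping, e.g. "100m" (bits per second)


def lint(schedulers: Dict[str, Scheduler]) -> List[str]:
    """Returns findings; an empty list means the allocation looks sane."""
    findings: List[str] = []
    low = {n: s for n, s in schedulers.items() if s.priority == "low"}
    strict = {n: s for n, s in schedulers.items() if s.priority == "strict-high"}

    rate_sum = sum(s.transmit_rate_pct or 0 for s in low.values())
    if rate_sum > 100:
        findings.append(f"ERROR low-priority transmit-rate percentages sum to {rate_sum}%")
    buf_sum = sum(s.buffer_pct or 0 for s in schedulers.values())
    if buf_sum > 100:
        findings.append(f"ERROR buffer-size percentages sum to {buf_sum}%")
    for name, s in strict.items():
        if s.shaping_rate is None:
            findings.append(f"WARN {name}: strict-high with no shaping-rate can starve the low-priority queues")
    for name, s in schedulers.items():
        if not s.buffer_pct:
            findings.append(f"WARN {name}: no buffer-size; queues beyond the defaults get no buffer space")
    return findings


def set_commands(schedulers: Dict[str, Scheduler], map_name: str) -> List[str]:
    """Render the Junos statements for the schedulers plus a scheduler map that binds
    each scheduler to the forwarding class of the same name (one leaf per statement)."""
    cmds: List[str] = []
    for name, s in schedulers.items():
        base = f"set class-of-service schedulers {name}"
        parts = [f"priority {s.priority}"]
        if s.transmit_rate_pct is not None:
            parts.append(f"transmit-rate percent {s.transmit_rate_pct}")
        if s.buffer_pct is not None:
            parts.append(f"buffer-size percent {s.buffer_pct}")
        if s.shaping_rate is not None:
            parts.append(f"shaping-rate {s.shaping_rate}")
        cmds.extend(f"{base} {p}" for p in parts)
        cmds.append(f"set class-of-service scheduler-maps {map_name} forwarding-class {name} scheduler {name}")
    return cmds


# The four schedulers configured above on exC-1.
EXC1_SCHEDULERS = {
    "expedited-forwarding": Scheduler("strict-high", buffer_pct=20),
    "network-control":      Scheduler("strict-high", buffer_pct=10),
    "assured-forwarding":   Scheduler("low", transmit_rate_pct=70, buffer_pct=20),
    "best-effort":          Scheduler("low", transmit_rate_pct=30, buffer_pct=50),
}

if __name__ == "__main__":
    for finding in lint(EXC1_SCHEDULERS):
        print(finding)
    print("\n".join(set_commands(EXC1_SCHEDULERS, "my-scheduler-map")))
```

On the exC-1 configuration the linter is quiet on the sums (70 + 30 and 20 + 10 + 20 + 50 both hit exactly 100) and raises only the two starvation warnings, one for each strict-high scheduler; adding a shaping-rate to a scheduler clears its warning.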
As a preventive measure against that starvation, queue shaping can be configured on the strict-high queue so that it is bounded and the low-priority queues still get serviced.

Configuring Scheduler Maps
lab@exC-1# set class-of-service interfaces ge-* scheduler-map my-scheduler-map
lab@exC-1# set class-of-service scheduler-maps my-scheduler-map forwarding-class best-effort scheduler best-effort
lab@exC-1# set class-of-service scheduler-maps my-scheduler-map forwarding-class expedited-forwarding scheduler expedited-forwarding
lab@exC-1# set class-of-service scheduler-maps my-scheduler-map forwarding-class assured-forwarding scheduler assured-forwarding
lab@exC-1# set class-of-service scheduler-maps my-scheduler-map forwarding-class network-control scheduler network-control
Scheduler maps associate the forwarding classes, and therefore their queues, with the schedulers.
lab@exC-1# run show interfaces ge-0/0/12 extensive
...
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                    0                 2556                    0
    1 assured-forw                   0                    0                    0
    5 expedited-fo                   0                    0                    0
    7 network-cont                   0                  335                    0
  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   assured-forwarding
    5                   expedited-forwarding
    7                   network-control
...
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 best-effort            30      300000000    50             NA      low         none
    1 assured-forwarding     70      700000000    20             NA      low         none
    5 expedited-forwarding    r              r    20             NA      strict-high none
    7 network-control         r              r    10             NA      strict-high none
(r = remainder: the strict-high queues take whatever bandwidth is left.)

Using a QoS Template
lab@exC-1# set apply-groups ezqos-voip
lab@exC-1# set class-of-service interfaces ge-* scheduler-map ezqos-voip-sched-maps
lab@exC-1# set class-of-service interfaces ge-* unit * classifiers dscp ezqos-dscp-classifier
lab@exC-1# set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier import default
lab@exC-1# set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-voice-fc loss-priority low code-points 101110
lab@exC-1# set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-control-fc loss-priority low code-points [ 110000 011000 011010 111000 ]
lab@exC-1# set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-video-fc loss-priority low code-points 100010
lab@exC-1# set groups ezqos-voip class-of-service forwarding-classes class ezqos-best-effort queue-num 0
lab@exC-1# set groups ezqos-voip class-of-service forwarding-classes class ezqos-video-fc queue-num 4
lab@exC-1# set groups ezqos-voip class-of-service forwarding-classes class ezqos-voice-fc queue-num 5
lab@exC-1# set groups ezqos-voip class-of-service forwarding-classes class ezqos-control-fc queue-num 7
lab@exC-1# set groups ezqos-voip class-of-service schedulers ezqos-voice-fc priority strict-high buffer-size percent 20
lab@exC-1# set groups ezqos-voip class-of-service schedulers ezqos-control-fc priority strict-high buffer-size percent 10
lab@exC-1# set groups ezqos-voip class-of-service schedulers ezqos-video-fc priority low transmit-rate percent 70
lab@exC-1# set groups ezqos-voip class-of-service schedulers ezqos-video-fc buffer-size percent 20
lab@exC-1# set groups ezqos-voip class-of-service scheduler-maps ezqos-voip-sched-maps forwarding-class ezqos-voice-fc scheduler ezqos-voice-scheduler
lab@exC-1# set groups ezqos-voip class-of-service scheduler-maps ezqos-voip-sched-maps forwarding-class ezqos-control-fc scheduler ezqos-control-scheduler
lab@exC-1# set groups ezqos-voip class-of-service scheduler-maps ezqos-voip-sched-maps forwarding-class ezqos-video-fc scheduler ezqos-video-scheduler
lab@exC-1# set groups ezqos-voip class-of-service scheduler-maps ezqos-voip-sched-maps forwarding-class ezqos-best-effort scheduler ezqos-data-scheduler
Note that, as written here, the scheduler map refers to schedulers named ezqos-voice-scheduler, ezqos-control-scheduler, ezqos-video-scheduler and ezqos-data-scheduler, while the schedulers defined above are named ezqos-voice-fc, ezqos-control-fc and ezqos-video-fc (and no data scheduler is defined). The names must match, or the commit fails on the unresolved references.
Scheduler maps are applied to physical interfaces; classifiers and rewrite rules are applied to logical interfaces (units).
show interfaces ge-0/0/10 extensive | find "CoS inform"
show interfaces queue ge-0/0/10 egress

Deploying IP Telephony Features
EX switches support Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) and PoE.
PoE IEEE 802.3af
  PD  - Powered Device (e.g. an IP phone)
  PSE - Power Sourcing Equipment (e.g. the switch)
PoE and PoE+
  PoE  IEEE 802.3af: up to 15.4 W per port
  PoE+ IEEE 802.3at: up to 30 W per port
  PoE+ devices interoperate with legacy PoE devices.
PSUs - Power Supply Units
The power budget is the amount of power that can be allocated to powered devices; it depends on the switch model and the PSU capacity. For example, an EX switch with a 320 W power supply has a PoE budget of 130 W.
Power Management Modes
  Static mode: the maximum power per port is set manually.
  Class mode: the maximum power is determined by the class of the connected device.
  Class  Maximum power  Power range of the PD
  0      15.4 W         0.44 to 12.95 W
  1      4 W            0.44 to 3.84 W
  2      7 W            3.84 to 6.49 W
  3      15.4 W         6.49 to 12.95 W
  4      30 W           12.95 to 25.5 W
Class 0 is used by default when the device does not provide class information.
PoE Configuration
set poe management (class | static)
set poe guard-band watts
set poe interface (all | interface-name) disable
set poe interface (all | interface-name) priority (high | low)
set poe interface (all | interface-name) maximum-power watts
set poe interface (all | interface-name) telemetries disable
set poe interface (all | interface-name) telemetries interval minutes
set poe interface (all | interface-name) telemetries duration hours
guard-band: reserves an amount of power out of the available power budget in case of a peak in PoE consumption.
show chassis hardware
show poe controller
show poe interface

Link Layer Discovery Protocol (LLDP) IEEE 802.1AB
Works at Layer 2 and Layer 3; it does not matter whether the port is in access or trunk mode, since LLDP frames are sent untagged.
LLDP frames carry TLV tuples (type, length, value).
The mandatory TLVs are present in every LLDPDU:
  Chassis ID (typically the MAC address)
  Port ID
  Time To Live TLV (how long the information is valid; a value of 0 marks the information as expired and it is removed)
  End of LLDPDU TLV (marks the end of the TLVs in the LLDPDU)
Other TLVs:
  Port description
  System name
  System description
  System capabilities
  Management address
LLDP Updates
When a value changes, an update is triggered.
LLDP is stateless and has no authentication; frames are sent every 30 s (default) with a TTL of 120 s (4 intervals). Once the TTL expires the information is discarded.
These values are set with the advertisement-interval and hold-multiplier statements.
The LLDP agent transmits a final LLDPDU (a shutdown LLDPDU, TTL 0) to the neighbor before an interface becomes inoperative or when LLDP is disabled on that interface.
LLDP Media Endpoint Discovery
LLDP-MED is an extension of LLDP that allows discovery between VoIP endpoints and network devices.
LLDP-MED was developed by the Telecommunications Industry Association (TIA) and is defined as the American National Standards Institute (ANSI)/TIA-1057 standard.
  Policy distribution: lets the switch hand the IP phone its VLAN and CoS settings.
  Location services: identifies the switch port where the IP phone is connected.
  Power negotiation: lets the switch and the phone negotiate power requirements.
LLDP-MED exchanges a number of TLVs between switches and IP phones. Some of the TLVs supported by EX switches:
  Network Policy - This TLV advertises the port VLAN configuration and associated Layer 2 and Layer 3 attributes. Attributes include the policy identifier, application types, such as voice or streaming video, 802.1Q VLAN tagging, and CoS values.
  Endpoint Location - This TLV advertises the physical location of the endpoint and is used for emergency location services.
  Extended Power through MDI - This TLV advertises the power type, power source, power priority, and power value of the port. It is the responsibility of the PSE device to advertise the power priority on a port.
LLDP-MED determines the capabilities of neighboring devices using these classes:
  Class 1 - generic LLDP-MED endpoint
  Class 2 - media endpoints such as media gateways and conference bridges
  Class 3 - IP telephones and soft phones
  Class 4 - network connectivity devices (switches)
When the switch receives an LLDP-MED frame from the device on a port, it switches the protocol used on that port from LLDP to LLDP-MED.
Note: by default EX switches have LLDP and LLDP-MED enabled on the interfaces.
LLDP and 802.1X Considerations
When 802.1X is enabled on a port, LLDP frames are neither transmitted nor received until authentication succeeds.
Where an IP phone and a user PC share the same switch port, they can be authenticated separately using multiple supplicant mode.
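The TLV layout, the TTL rules and the LLDP-MED switch-over described above are easiest to see on raw frames. The block below is an added example written for these notes, not switch code: it builds an LLDPDU with the three mandatory TLVs first and End-of-LLDPDU last, parses it back, keeps a neighbor table that honours the TTL (a TTL of 0 removes the entry, otherwise the entry expires at `now + TTL`), and recognises the LLDP-MED capabilities TLV by the TIA OUI 00-12-BB. The MAC addresses and frame contents are constructed; the exact layout of the LLDP-MED capabilities TLV is reproduced from memory of TIA-1057 and marked as an assumption in the code.

```python
"""LLDPDU builder/parser with the neighbor-table TTL semantics from these notes,
plus LLDP-MED detection. Added example, not switch code; runs on constructed bytes."""
import struct
from typing import Dict, List, Optional, Tuple

LLDP_MCAST = bytes.fromhex("0180c200000e")
ETHERTYPE_LLDP = 0x88CC
END, CHASSIS_ID, PORT_ID, TTL, SYS_NAME, ORG_SPECIFIC = 0, 1, 2, 3, 5, 127
MED_OUI = bytes.fromhex("0012bb")   # TIA OUI carried by LLDP-MED organisation-specific TLVs


def tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header: 7 bits of type and 9 bits of length, big-endian."""
    if not (0 <= tlv_type < 128 and len(value) < 512):
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_frame(src_mac: bytes, chassis_mac: bytes, port_name: str, ttl: int,
                sys_name: Optional[str] = None, med_device_type: Optional[int] = None) -> bytes:
    """Ethernet frame to the LLDP multicast address, ethertype 0x88CC, then the LLDPDU."""
    pdu = tlv(CHASSIS_ID, b"\x04" + chassis_mac)          # subtype 4: MAC address
    pdu += tlv(PORT_ID, b"\x05" + port_name.encode())      # subtype 5: interface name
    pdu += tlv(TTL, struct.pack("!H", ttl))
    if sys_name is not None:
        pdu += tlv(SYS_NAME, sys_name.encode())
    if med_device_type is not None:
        # ASSUMPTION (from memory of TIA-1057): LLDP-MED Capabilities TLV = OUI, subtype 1,
        # 16-bit capability bitmap, device type (1..3 endpoint classes, 4 network connectivity).
        pdu += tlv(ORG_SPECIFIC, MED_OUI + b"\x01" + struct.pack("!HB", 0x0001, med_device_type))
    pdu += tlv(END, b"")
    return LLDP_MCAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + pdu


def parse_frame(frame: bytes) -> Dict[str, object]:
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    tlvs: List[Tuple[int, bytes]] = []
    off = 14
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated: no End of LLDPDU TLV")
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        if tlv_type == END:
            break
        tlvs.append((tlv_type, value))
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    info: Dict[str, object] = {
        "src_mac": frame[6:12].hex(":"),
        "chassis_id": tlvs[0][1][1:].hex(":"),
        "port_id": tlvs[1][1][1:].decode(errors="replace"),
        "ttl": struct.unpack("!H", tlvs[2][1][:2])[0],
        "sys_name": None,
        "med_device_type": None,
    }
    for tlv_type, value in tlvs[3:]:
        if tlv_type == SYS_NAME:
            info["sys_name"] = value.decode(errors="replace")
        elif tlv_type == ORG_SPECIFIC and value[:4] == MED_OUI + b"\x01" and len(value) >= 7:
            info["med_device_type"] = value[6]        # switch would move this port to LLDP-MED
    return info


class NeighborTable:
    """Keyed on (chassis id, port id). TTL 0 deletes; any other TTL re-arms the expiry."""
    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], Tuple[float, Dict[str, object]]] = {}

    def ingest(self, info: Dict[str, object], now: float) -> None:
        key = (str(info["chassis_id"]), str(info["port_id"]))
        if info["ttl"] == 0:
            self.entries.pop(key, None)                 # shutdown LLDPDU
        else:
            self.entries[key] = (now + float(info["ttl"]), info)

    def neighbors(self, now: float) -> List[Tuple[str, str]]:
        self.entries = {k: v for k, v in self.entries.items() if v[0] > now}
        return sorted(self.entries)


if __name__ == "__main__":
    switch = bytes.fromhex("2c6bf5333a01")               # constructed chassis MAC
    table = NeighborTable()
    table.ingest(parse_frame(build_frame(switch, switch, "ge-0/0/8.0", 120, "exA-1")), now=0)
    print(table.neighbors(now=10))                       # one neighbor
    spoof = build_frame(bytes(6), switch, "ge-0/0/8.0", 0)   # someone else, TTL 0, same IDs
    table.ingest(parse_frame(spoof), now=10)
    print(table.neighbors(now=10))                       # gone
```

The last three lines are the point about LLDP being stateless and unauthenticated: nothing in the frame ties the chassis and port IDs to the sender, so any host on the segment can emit a shutdown LLDPDU for a neighbor and have it removed, or advertise itself as an LLDP-MED device and be treated as one. Treat LLDP data as a hint for inventory and voice-VLAN placement, never as an authentication signal.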
Configuring L LDP and LLDP-MED
set protocols lldp disable
set protocols lldp advertisement-interval seconds
set protocols lldp hold-multiplier number
set protocols lldp interface (all | interface-name) disable
set protocols lldp-med disable
set protocols lldp-med interface (all | interface-name) disable
show lldp detail
show lldp neighbors
show lldp local-information
show lldp statistics

Voice VLAN Configuration
set ethernet-switching-options voip interface (access-ports | interface-name)
set ethernet-switching-options voip interface (access-ports | interface-name) vlan (vlan-name | vlan-id) forwarding-class class
set ethernet-switching-options voip interface ge-0/0/6.0 vlan voice forwarding-class expedited-forwarding
set vlans data vlan-id 10
set vlans voice vlan-id 20
set interfaces ge-0/0/6.0 family ethernet-switching port-mode access vlan members data
LLDP, LLDP-MED and PoE are enabled by default on EX switches.
lab@exA-2# run show poe interface ge-0/0/6
PoE interface status:
  PoE interface                    : ge-0/0/6
  Administrative status            : Disabled
  Operational status               : Disabled
  Power limit on the interface     : 0.0W
  Priority                         : Low
  Power consumed                   : 0.0W
  Class of power device            : not-applicable

****Monitoring and Troubleshooting*********
Troubleshooting Steps
1 - Gather information
2 - Create an action plan
3 - Test possible solutions
Define a baseline; use tools such as sFlow and SNMP to collect traffic data.
Hardware Troubleshooting
show chassis alarms
show chassis led
show log messages
show log chassisd
monitor start (messages | chassisd)
show chassis hardware
show chassis fpc
show interfaces terse
show interfaces interface-name detail
show log log-file-name
Software Troubleshooting
show log log-file-name
monitor start log-file-name
monitor traffic interface interface-name
show system processes
show system connections
file show /etc/services
show system core-dumps
file list /var/tmp/*core*
file list /var/crash/*core*
Key processes: chassisd, pfem, dcd, sfid, eswd, rpd
Using System Logging and Traceoptions
set system syslog file messages any critical
set system syslog file messages authorization info
set protocols rstp traceoptions file rstp-trace-file
set protocols rstp traceoptions flag all-features
Routing Engine
show chassis routing-engine
Process failures generate core files, which are stored in /var/tmp. Contact JTAC to decode the core files.
Format: process-name.core-tarball.core-number.tgz
Working with JTAC
request support information | no-more
show log messages
show log chassisd
set cli timestamp
SNMP
Use the health monitor to watch the utilisation percentage of:
  File storage
  RE CPU
  RE memory
  System process memory
sFlow Monitoring
sFlow (RFC 3176) is typically an agent embedded in the ASIC that collects samples on a regular basis. It uses UDP port 6343 by default; the agent sends the sFlow datagrams to the collector.
EX switches support up to 4 collectors, each of which receives the same set of sFlow data. The polling interval can be 0 to 3600 seconds and the sample rate 100 to 1,000,000 (one packet in N).
Only traffic on Gigabit and 10-Gigabit interfaces can be exported; for example, the management (me0) and virtual management (vme0) interfaces cannot be sampled.
set protocols sflow polling-interval 20
set protocols sflow sample-rate 100
set protocols sflow collector 10.10.10.254 udp-port 5343
set protocols sflow interfaces ge-0/0/1.0
Port Mirroring
Mirrors TX and/or RX packets of an interface.
  Ingress (in) packets on a VLAN: EX2200, EX3200, EX4200, EX4500
  Egress (out) packets on a VLAN: EX8200
Up to 256 VLANs can be mirrored, including PVLANs, on all EX platforms.
set ethernet-switching-options analyzer employer-monitor input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer employer-monitor input ingress interface ge-0/0/1.0
set ethernet-switching-options analyzer employer-monitor output interface ge-0/0/10.0