***JNCIS-SP Study Guide - Part 1***
This first part is equivalent to the JNCIS-ENT Fasttrack Routing Guide.

***JNCIS-SP Study Guide - Part 2***

Chapter 1: Carrier Ethernet

Metro Ethernet Forum
Nonprofit international industry consortium.

MEF Attributes
- Standardized services: E-Line, E-LAN and E-Tree
- Wide choice of bandwidth granularity and quality of service options
- Scalability: spans access, metropolitan, national, and global networks
- Reliability: rapid recovery time
- Quality of Service
- Service Management: carrier-class OAM
Check the specifications at http://metroethernetforum.org

MEF Certification Program (since 2005; verifies compliance of vendor equipment and service-provider services with MEF technical specifications)
- Establishes a solid foundation for carrier Ethernet interoperability
- Accelerates carrier Ethernet deployment at reduced costs

MEF 9 Certification
The MEF 9 certification tests for compliance with MEF 6.1, 10 and 11. It ensures that all requirements at the user-to-network interface (UNI) are met. Some of the tests include:
• Non-looping frame delivery;
• Single-copy broadcast and multicast delivery; and
• Customer VLAN (C-VLAN) ID preservation.

MEF 14 Certification
The MEF 14 certification tests for compliance with MEF 9 and 10. It ensures that all requirements for traffic management are met. Some of the tests include:
• Frame delay service performance;
• Frame delay variation service performance; and
• Frame loss ratio service performance.

MEF 18 Certification
The MEF 18 certification tests for compliance with MEF 8. It ensures that all requirements for reliable transport of time-division multiplexing (TDM) circuits are met. This certification includes some of the following tests:
• Encapsulation layers;
• Payload format; and
• Defects.

MEF 21 Certification
The MEF 21 certification tests for compliance with MEF 20. It ensures that all requirements for UNI Type 2 and link OAM features are met.
Carrier Ethernet Terms

UNI (user-to-network interface): the physical interface or port that is the demarcation between the customer and the service provider.
- UNI Type 1: compliant with MEF 13 and manually configurable
- UNI Type 2: automatic service discovery through Ethernet Local Management Interface (E-LMI); supports OAM
- UNI Type 3: provides for dynamic EVC setup

Network-to-network interface (NNI): the physical interface or port that is the demarcation between distinct carrier Ethernet networks, operated by one or more service providers.
- E-NNI = External NNI
- I-NNI = Internal NNI

Carrier Ethernet network: an access, metropolitan, national, or global Ethernet transport network connecting user endpoints.

Ethernet Virtual Connection (EVC): connects two or more customer sites or UNIs. Defined in MEF 6.1 and 10.2. Three EVC types:
- Point-to-point
- Multipoint-to-multipoint
- Rooted multipoint

E-Line Service (point-to-point EVC), 2 types:
- Port-based: Ethernet Private Line
- VLAN-based: Virtual Private Line
Allows communication between only 2 UNIs.

E-LAN Service (multipoint-to-multipoint EVC), 2 types:
- Port-based: Ethernet Private Line
- VLAN-based: Virtual Private Line
Allows communication between 2 or more UNIs; broadcast/multicast frames ingressing at one UNI are forwarded to all other UNIs.

E-Tree Service (rooted-multipoint EVCs), 2 types:
- Port-based: Ethernet Private Line
- VLAN-based: Virtual Private Line
A root UNI can send ingress frames to one or all leaf UNIs; a leaf UNI can exchange data only with the root UNI. Useful for multicast video applications. Rooted-multipoint EVCs are referred to as E-Tree EVCs.

MEF Three-Layer Model
- Application Layer: end-user applications carried by the Ethernet Services Layer
- Ethernet Services Layer: EVCs
- Transport Services Layer: the various networking and media types that deliver the Ethernet services

IEEE Standards
The IEEE Ethernet standards fall into the 802 category:
- IEEE 802.3: Physical Layer and Data Link MAC sublayer for wired Ethernet
- IEEE 802.1: bridging and management
  - 802.1D/802.1Q: bridges and VLANs
  - 802.1ad: provider bridging
  - 802.1ah: provider backbone bridging
  - 802.1ag: connectivity fault management

ITU-T Recommendations
- G series: transmission systems and media, digital systems, and networks
  - G.8010: Architecture of Ethernet Layer networks
  - G.8011.1: Ethernet Private Line Service
  - G.8011.2: Ethernet Virtual Private Line Service
  - G.8032: Ethernet Ring Protection
- Y series: global information infrastructure, IP aspects and next-generation networks
  - Y.1739: Ethernet OAM requirements
  - Y.1731: OAM mechanisms

Chapter 2: Ethernet Switching and Virtual LANs

Bridging Mechanics
Learning, forwarding, flooding, filtering, aging.

Define a Bridge Domain
On MX Series routers we use family bridge on the interfaces:
set bridge-domains vlan_100 vlan-id 100
set bridge-domains vlan_200 vlan-id 200
set interfaces ge-0/0/0.0 family bridge interface-mode access
set interfaces ge-0/0/0.0 family bridge vlan-id 100
set interfaces ge-0/0/3 native-vlan-id 100
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3.0 family bridge interface-mode trunk
set interfaces ge-0/0/3.0 family bridge vlan-id-list [100 200]
MX Series routers support MVRP (the IEEE replacement for GVRP).

IRB Allows for Bridging and Routing
IRB allows for both Layer 2 bridging and Layer 3 routing in a bridge domain:
set interfaces ge-1/0/0.0 family bridge interface-mode access
set interfaces ge-1/0/0.0 family bridge vlan-id 100
set interfaces irb unit 0 family inet address 172.22.1.254/24
set interfaces irb unit 1 family inet address 172.22.2.254/24
set bridge-domains vlan_100 vlan-id 100 routing-interface irb.0
set bridge-domains vlan_200 vlan-id 200 routing-interface irb.1
show interfaces terse irb*

Layer 2 Learning
The default Layer 2 learning behaviour can be changed globally, per virtual switch, per bridge domain, and per interface.
show bridge mac-table extensive

Global Level Settings
Parameters apply to all virtual switches and bridge domains:
lab@mxD-1# set protocols l2-learning ?
Possible completions:
+ apply-groups                        Groups from which to inherit configuration data
+ apply-groups-except                 Don't inherit configuration data from these groups
  global-le-aging-time                Set LE aging time (120..1000000 seconds)
  global-le-bridge-domain-aging-time  Set LE bridge-domain aging time (seconds)
> global-mac-limit                    System level MAC limit options
  global-mac-statistics               Enable MAC address statistics at system level
  global-mac-table-aging-time         System level MAC table aging time (seconds)
  global-no-mac-learning              Disable dynamic MAC address learning at system level

Switch Level Settings
lab@mxD-1# set switch-options ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> interface            Interface for configuring bridge-options
> interface-mac-limit  Maximum MAC address learned per interface
  mac-statistics       Enable MAC address statistics
> mac-table-size       Size of MAC address forwarding table
  no-mac-learning      Disable dynamic MAC address learning
  service-id           Service ID required if multi-chassis AE is part of a bridge-domain

Bridge Domain Level Settings
The same learning options (interface, interface-mac-limit, mac-statistics, mac-table-size, no-mac-learning) are available per bridge domain under [edit bridge-domains <name> bridge-options].

Interface Level
lab@mxD-1# set bridge-domains bd bridge-options interface ge-1/0/0 ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> interface-mac-limit  Maximum number of MAC addresses learned on the interface
  no-mac-learning      Disable dynamic MAC address learning
> static-mac           Static MAC addresses assigned to this interface
  |                    Pipe through a command
Specify the interface-mac-limit <number> option to limit the number of learned MACs. Optionally specify packet-action drop to discard frames with unknown MAC addresses when the MAC table is full.

Layer 2 Firewall Filters
Filters can accept or discard packets based on:
- Address fields
- Protocol type
- VLAN ID
- 802.1p bits
- Others
Layer 2 firewall filters are defined under [edit firewall family bridge]. A filter can be applied to an individual interface, to a bridge domain, or to both:
- Interface level: apply a chain of filters using input-list or output-list
- Bridge domain level: a single filter per bridge domain (input only)
- Interface and bridge domain at the same time (input only): the interface filter is processed first, followed by the bridge domain filter
set interfaces ge-1/0/0.0 family bridge interface-mode access
set interfaces ge-1/0/0.0 family bridge filter input example
set bridge-domains bd forwarding-options filter input example

Routing Instance Types
- virtual-router: the default instance is "default"; each instance has its own routing tables, link-state database and protocols
- virtual-switch: the default instance is "default-switch"; each instance has its own MAC tables, VLAN ID space and spanning-tree domains
set routing-instances vr1 instance-type virtual-router
set routing-instances vr1 interface ge-1/1/5.0
set routing-instances vr1 protocols ospf area 0 interface ge-1/1/5.0
show route table vr1.inet.0
Each virtual-switch routing instance operates independently of the other virtual switches. Routes associated with IRB interfaces are placed in inet.0 regardless of the virtual switch to which they belong.
set routing-instances virtual-sw-1 instance-type virtual-switch
set routing-instances virtual-sw-1 bridge-domains vlan_100 vlan-id 100
set routing-instances virtual-sw-1 bridge-domains vlan_200 vlan-id 200
set interfaces irb unit 0 family inet address 172.22.1.254/24
set interfaces irb unit 1 family inet address 172.22.2.254/24
set routing-instances virtual-sw-1 bridge-domains vlan_100 routing-interface irb.0
set routing-instances virtual-sw-1 bridge-domains vlan_200 routing-interface irb.1

Supported methods for connecting virtual switches:
- Internal: logical tunnel (lt) interface (Layer 3 only)
- External: two physically looped interfaces (1 cable)
set chassis fpc 1 pic 0 tunnel-services bandwidth 1g
Spanning tree does not work properly between virtual switches because they share the same MAC address as part of their bridge ID in BPDUs. You cannot change a virtual switch's MAC address. By default, logical tunnel interfaces are placed in the default virtual router.

Chapter 4: Provider Bridging

IEEE 802.1ad Tag Formats
Challenges:
- VLAN ID scalability
- MAC table limitation
- Ethernet Virtual Connection (EVC)
IEEE 802.1Q VLAN tagging is not scalable in a service provider network.

Q-in-Q
- S-VLAN: service provider side
- C-VLAN: customer side
IEEE 802.1ad: in the S-TAG the Tag Protocol Identifier (TPID) is 0x88A8.

Tag formats:
S-VLAN tag
- Tag Protocol Identifier: 16 bits, default 0x88A8
- Priority: 3 bits, 802.1p
- Drop Eligibility Indicator: 1 bit, default 0
- VLAN Identifier: 12 bits
C-VLAN tag
- Tag Protocol Identifier: 16 bits, default 0x8100
- Priority: 3 bits, 802.1p
- Canonical Format Indicator: 1 bit, default 0
- VLAN Identifier: 12 bits

A plain trunk understands only TPID 0x8100, so it is necessary either to define the trunk interface with dot1q tunneling (which allows the S-VLAN TPID) or to change the dot1q tunneling ether-type manually:
{master:0}[edit ethernet-switching-options]
user@Switch# set dot1q-tunneling ether-type ?
Possible completions:
  0x8100               Dot1q ether-type value 0x8100
  0x88a8               Dot1q ether-type value 0x88a8
  0x9100               Dot1q ether-type value 0x9100

Key Terminology
- Provider Bridged Network
- Provider Bridge
- Provider Edge Bridge
- Customer Edge Port
- Provider Network Port
The provider bridges in between do a MAC address lookup to determine the outgoing interface, or flood as a last resort.

Configuring Q-in-Q Tunneling
C---SP(exA)-----SP(exB)---C
Mapping of C-VLANs into S-VLANs can be done in 3 ways:
1. Map all C-VLANs into a single S-VLAN
2. Define a group of C-VLANs and map them into an S-VLAN using customer-vlans
3. Map a C-VLAN into an S-VLAN on a specific interface

1)
set vlans v200 vlan-id 200 interface ge-0/0/8.0
set vlans v200 vlan-id 200 interface ge-0/0/12.0
set vlans v200 dot1q-tunneling

lab@exA-1# run show ethernet-switching interfaces detail
Interface: ge-0/0/8.0, Index: 66, State: up, Port mode: Access
Ether type for the interface: 0x8100
VLAN membership:
    v200, 802.1Q Tag: 200, dot1q-tunneled, untagged, unblocked
Number of MACs learned on IFL: 1
Interface: ge-0/0/12.0, Index: 65, State: up, Port mode: Trunk
Ether type for the interface: 0x88a8
VLAN membership:
    v200, 802.1Q Tag: 200, dot1q-tunneled, tagged, unblocked
Number of MACs learned on IFL: 1

lab@exA-1# run show ethernet-switching interfaces
Interface    State  VLAN members   Tag   Tagging   Blocking
ge-0/0/8.0   up     v200           200   untagged  unblocked
ge-0/0/12.0  up     v200           200   tagged    unblocked

2)
set vlans v200 vlan-id 200 interface ge-0/0/8.0
set vlans v200 vlan-id 200 interface ge-0/0/12.0
set vlans v200 vlan-id 200 dot1q-tunneling customer-vlans [100 160]

3) interface-specific mapping (the "Mapped Tag: 10, push" in the output below reflects it)
set vlans v200 vlan-id 200 interface ge-0/0/8.0
set vlans v200 vlan-id 200 interface ge-0/0/12.0
set vlans v200 dot1q-tunneling
set vlans v200 interface ge-0/0/8.0 mapping 10 push

If multiple mappings exist, the priority is 3) over 2) over 1).

lab@exA-1# run show ethernet-switching interfaces detail
Interface: ge-0/0/8.0, Index: 66, State: up, Port mode: Access
Ether type for the interface: 0x8100
VLAN membership:
    v200, 802.1Q Tag: 200, Mapped Tag: 10, push, dot1q-tunneled, unblocked
Number of MACs learned on IFL: 1
Interface: ge-0/0/12.0, Index: 65, State: up, Port mode: Trunk
Ether type for the interface: 0x88a8
VLAN membership:
    v200, 802.1Q Tag: 200, dot1q-tunneled, tagged, unblocked
Number of MACs learned on IFL: 1

A Q-in-Q configuration on a trunk interface requires all allowed VLANs to use ether-type 0x88a8; alternatively, the interface can be set to ether-type 0x8100:
lab@exA-1# set ethernet-switching-options dot1q-tunneling ether-type ?
Possible completions:
  0x8100               Dot1q ether-type value 0x8100
  0x88a8               Dot1q ether-type value 0x88a8
  0x9100               Dot1q ether-type value 0x9100
lab@exA-1# set ethernet-switching-options dot1q-tunneling ether-type 0x8100

lab@exA-1# run show ethernet-switching interfaces detail
Interface: ge-0/0/8.0, Index: 66, State: up, Port mode: Access
Ether type for the interface: 0x8100
VLAN membership:
    v200, 802.1Q Tag: 200, Mapped Tag: 10, push, dot1q-tunneled, unblocked
Number of MACs learned on IFL: 0
Interface: ge-0/0/12.0, Index: 65, State: up, Port mode: Trunk
Ether type for the interface: 0x8100
VLAN membership:
    v200, 802.1Q Tag: 200, dot1q-tunneled, tagged, unblocked
Number of MACs learned on IFL: 0

lab@exA-1# run show vlans v200 extensive
VLAN: v200, Created at: Fri Jul 18 08:15:28 2014
802.1Q Tag: 200, Internal index: 10, Admin State: Enabled, Origin: Static
Dot1q Tunneling status: Enabled
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 1 (Active = 1), Untagged 0 (Active = 0)
      ge-0/0/12.0*, tagged, trunk
Number of mapping rules: Push 1 (Active = 1), Policy 0 (Active = 0), Swap 0 (Active = 0)
      ge-0/0/8.0*, 10, push

Layer 2 Protocol Tunneling (L2PT)
By default, Layer 2 protocols such as RSTP, MVRP and LLDP are not tunneled. L2PT protocols supported on EX Series switches:
- 802.1X authentication
- 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM)
- Cisco Discovery Protocol (CDP)
- Ethernet local management interface (E-LMI)
- GVRP
- Link Aggregation Control Protocol (LACP)
- Link Layer Discovery Protocol (LLDP)
- Multiple MAC Registration Protocol (MMRP)
- MVRP
- Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP)
- Unidirectional Link Detection (UDLD)
- VLAN Spanning Tree Protocol (VSTP)
- VLAN Trunking Protocol (VTP)

lab@exA-2# set vlans v200 dot1q-tunneling layer2-protocol-tunneling ?
Possible completions:
  802.1x               Tunnel 802.1X PDUs
  802.3ah              Tunnel 802.3AH (Ethernet Link OAM) PDUs
  all                  Tunnel all layer-2 protocol PDUs
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  cdp                  Tunnel CDP PDUs
  e-lmi                Tunnel E-LMI PDUs
  gvrp                 Tunnel GVRP PDUs
  lacp                 Tunnel LACP PDUs
  lldp                 Tunnel LLDP PDUs
  mmrp                 Tunnel MMRP PDUs
  mvrp                 Tunnel MVRP PDUs
  stp                  Tunnel STP PDUs
  udld                 Tunnel UDLD PDUs
  vstp                 Tunnel VSTP PDUs
  vtp                  Tunnel VTP PDUs

A drop threshold and a shutdown threshold can be defined per protocol; once the shutdown threshold has disabled an interface, the command clear ethernet-switching layer2-protocol-tunneling error re-enables it:
lab@exA-2# set vlans v200 dot1q-tunneling layer2-protocol-tunneling stp ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  drop-threshold       Drop threshold for the protocol (1..1000)
  shutdown-threshold   Shutdown threshold for the protocol (1..1000)
  |                    Pipe through a command
show ethernet-switching layer2-protocol-tunneling interfaces
show ethernet-switching layer2-protocol-tunneling statistics
show ethernet-switching layer2-protocol-tunneling vlan v200

PBN Terms
The following terms are used in a PBN network:
• PBN: A network of provider bridges that provides transparent EVC service to the service provider's customers.
• Provider Bridge: A bridge in the service provider's network that performs IEEE 802.1ad VLAN tagging and forwarding. These bridges learn and store the MAC addresses of the service provider's customers.
• Provider Edge Bridge (PEB): Accepts and forwards IEEE 802.1Q frames to and from customers. PEBs also encapsulate the received customer frames using the IEEE 802.1ad format to forward customer frames across the PBN.
• S-VLAN Bridge: A non-edge provider bridge that forwards frames based only on the S-VLAN tag.
• Provider Network Port: A port on a provider bridge that forwards frames based on the S-VLAN tag.
• Customer Edge Port: A port on a PEB that connects to customer equipment and receives and transmits C-VLAN tagged frames.
• Customer Network Port: A port on a PEB that receives and transmits S-VLAN tagged frames.

VLAN Tag Operations
- push: a VLAN tag is added to the incoming untagged frame.
- pop: the VLAN tag is removed from the outgoing frame.
- swap: the outer tag is swapped with a new one.
- push-push: an outer and an inner VLAN tag are added to the incoming untagged frame.
- pop-pop: both the outer and inner VLAN tags of the outgoing frame are removed.
- swap-swap: the inner and outer tags are swapped with new ones.
- pop-swap: the outer tag is popped and the inner tag is swapped.
- swap-push: the inner tag is swapped and an outer tag is added.
Both the VLAN ID and the tag-protocol-id can be rewritten.

Bridge Domain Modes
Bridge domains can learn in two modes:
- Independent VLAN learning (IVL): a learning domain for each VLAN
- Shared VLAN learning (SVL): a single learning domain shared by all VLANs in a bridge domain
So far, we discussed configuring bridge domains in independent VLAN learning mode (IVL). In this mode, MAC learning occurs on a per-VLAN basis. In shared VLAN learning mode (SVL), VLANs share MAC learning; as a result, BUM traffic floods on all interfaces and all VLANs associated with the bridge domain.

New Style of Configuration
Example of dual-stacked VLAN subinterfaces. To configure the outer VLAN, specify vlan-id at the unit level; to specify one or more inner VLANs, use inner-vlan-id-list:
set interfaces ge-1/0/4 flexible-vlan-tagging
!Outer VLAN
set interfaces ge-1/0/4.0 vlan-id 200
set interfaces ge-1/0/4.0 family bridge interface-mode trunk
set interfaces ge-1/0/4.0 family bridge inner-vlan-id-list 111-114

S-VLAN Bridge Config
Customer Bridge------PEB------ge-1/0/6-S-VLAN-Bridge-ge-1/0/4-----PEB------Customer Bridge
set bridge-domains customer1 vlan-id 200
set interfaces ge-1/0/6 flexible-vlan-tagging
set interfaces ge-1/0/6 encapsulation flexible-ethernet-services
set interfaces ge-1/0/6.0 family bridge interface-mode trunk
set interfaces ge-1/0/6.0 family bridge vlan-id-list 200
set interfaces ge-1/0/4 flexible-vlan-tagging
set interfaces ge-1/0/4 encapsulation flexible-ethernet-services
set interfaces ge-1/0/4.0 family bridge interface-mode trunk
set interfaces ge-1/0/4.0 family bridge vlan-id-list 200
To allow the interfaces to support two VLAN tags, include either the stacked-vlan-tagging or the flexible-vlan-tagging statement.

Tunnel All C-VLANs
The bridge domain references only the outer VLAN ID.
Customer Bridge-----ge-1/0/1-PEB-ge-1/0/4-----ge-1/0/6-S-VLAN-Bridge-ge-1/0/4-----PEB------Customer Bridge
!On PEB
set bridge-domains bd vlan-id 200
set interfaces ge-1/0/4.0 family bridge interface-mode access
set interfaces ge-1/0/4.0 family bridge vlan-id 200

Range of C-VLANs
Configure the bridge domain with vlan-id-list:
- Creates a single logical interface and a bridge domain for each C-VLAN
- Uses IVL
- Adding a second customer requires configuring a virtual switch and an S-VLAN (in the case of overlapping C-VLAN space)
Customer Bridge-----ge-1/0/1-PEB-ge-1/0/4-----ge-1/0/6-S-VLAN-Bridge-ge-1/0/4-----PEB------Customer Bridge
set interfaces ge-1/0/1.0 family bridge interface-mode trunk
set interfaces ge-1/0/1.0 family bridge vlan-id-list 111-114
set interfaces ge-1/0/4 flexible-vlan-tagging
set interfaces ge-1/0/4.0 vlan-id 200
set interfaces ge-1/0/4.0 family bridge interface-mode trunk
set interfaces ge-1/0/4.0 family bridge inner-vlan-id-list 111-114
This approach creates one bridge domain for each C-VLAN!
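An added Python model (not Juniper code and not from the study guide) of the tag formats and VLAN tag operations above, and of a PEB bridge domain in shared VLAN learning mode: every tag is popped before the MAC lookup, an unknown destination floods to all other interfaces including the sibling C-VLAN subinterfaces, and frames toward the core carry an S-TAG (TPID 0x88A8) 200 over a normalised C-TAG 111. The interface names ge-1/0/1.<cvlan> and ge-1/0/4.0 follow the topology above; the MAC addresses and payload are constructed.

```python
import struct

TPID_C, TPID_S = 0x8100, 0x88A8          # C-TAG (802.1Q), S-TAG (802.1ad)
KNOWN_TPIDS = (TPID_C, TPID_S, 0x9100)


def tci(pcp, dei, vid):
    """Pack Priority (3 bits), DEI/CFI (1 bit) and VLAN ID (12 bits)."""
    return ((pcp & 7) << 13) | ((dei & 1) << 12) | (vid & 0x0FFF)


def parse(frame):
    """Return dst, src, tag stack (outer first, each (tpid, pcp, dei, vid))
    and the rest of the frame starting at the EtherType."""
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while off + 4 <= len(frame):
        tpid, t = struct.unpack("!HH", frame[off:off + 4])
        if tpid not in KNOWN_TPIDS:
            break
        tags.append((tpid, t >> 13, (t >> 12) & 1, t & 0x0FFF))
        off += 4
    return dst, src, tags, frame[off:]


def build(dst, src, tags, rest):
    """Inverse of parse()."""
    hdr = b"".join(struct.pack("!HH", tp, tci(p, d, v)) for tp, p, d, v in tags)
    return dst + src + hdr + rest


# Tag operations from the PBN section, on a stack listed outer first.
# swap keeps the existing tag's TPID, priority and DEI; push creates pcp 0, dei 0.
def push(tags, vid, tpid=TPID_S):
    return [(tpid, 0, 0, vid)] + tags

def pop(tags):
    return tags[1:]

def swap(tags, vid):
    tpid, pcp, dei, _ = tags[0]
    return [(tpid, pcp, dei, vid)] + tags[1:]

def push_push(tags, outer, inner):
    return push(push(tags, inner, TPID_C), outer)

def pop_pop(tags):
    return tags[2:]

def swap_swap(tags, outer, inner):
    return swap(tags, outer)[:1] + swap(tags[1:], inner)

def pop_swap(tags, inner):
    return swap(pop(tags), inner)

def swap_push(tags, inner, outer):
    return push(swap(tags, inner), outer)


class Peb:
    """PEB bridge domain in shared VLAN learning (SVL) mode: every tag is
    popped before the lookup, one MAC table serves all C-VLANs, and each
    egress interface re-pushes its own tags."""

    def __init__(self, cvlans=(111, 112, 113, 114), svlan=200, norm_cvlan=111):
        self.cust = {"ge-1/0/1.%d" % v: v for v in cvlans}   # one subinterface per C-VLAN
        self.core, self.svlan, self.norm = "ge-1/0/4.0", svlan, norm_cvlan
        self.mac_table = {}        # MAC -> interface; no VLAN in the key (SVL)

    def receive(self, ifl, frame):
        """Return {egress interface: frame} for a frame arriving on ifl."""
        dst, src, tags, rest = parse(frame)
        if ifl in self.cust:
            if not tags or tags[0][3] != self.cust[ifl]:
                return {}                           # C-VLAN does not match the subinterface
            tags = pop(tags)                        # strip the C-TAG before lookup
        else:
            tags = pop_pop(tags)                    # strip S-TAG and C-TAG
        self.mac_table[src] = ifl                   # learning
        known = self.mac_table.get(dst)
        if known == ifl:
            return {}                               # filtering
        egress = [known] if known else [i for i in (*self.cust, self.core) if i != ifl]
        out = {}
        for o in egress:                            # unknown dst floods to every other ifl
            if o == self.core:                      # S-VLAN 200 over normalised C-VLAN 111
                out[o] = build(dst, src, push_push(tags, self.svlan, self.norm), rest)
            else:                                   # sibling C-VLAN gets its own C-TAG
                out[o] = build(dst, src, push(tags, self.cust[o], TPID_C), rest)
        return out


def demo():
    """Constructed traffic: host A on C-VLAN 112 sends to the still-unknown host B, then B answers from the core."""
    peb = Peb()
    host_a, host_b = bytes.fromhex("020000000a0a"), bytes.fromhex("020000000b0b")
    rest = b"\x08\x00" + bytes(20)                 # EtherType IPv4 + dummy payload
    first = peb.receive("ge-1/0/1.112", build(host_b, host_a, [(TPID_C, 5, 0, 112)], rest))
    reply = peb.receive("ge-1/0/4.0", build(host_a, host_b, push_push([], 200, 111), rest))
    return first, reply
```

Note that the customer's 802.1p priority (5) is not carried into the pushed tags here; a real PEB would copy or rewrite it according to its CoS configuration.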
Configure the bridge domain with vlan-id none:
- Creates multiple logical interfaces and one bridge domain
- Uses SVL
- Adding a second customer requires configuring only an S-VLAN
Customer Bridge-----ge-1/0/0--PEB-ge-1/0/4------ge-1/0/6-S-VLAN-Bridge-ge-1/0/4-----PEB------Customer Bridge
!On PEB
set bridge-domains bd vlan-id none
set bridge-domains bd interface ge-1/0/0.111
set bridge-domains bd interface ge-1/0/0.112
set bridge-domains bd interface ge-1/0/0.113
set bridge-domains bd interface ge-1/0/0.114
set bridge-domains bd interface ge-1/0/4.0
set interfaces ge-1/0/0 flexible-vlan-tagging
set interfaces ge-1/0/0 encapsulation flexible-ethernet-services
set interfaces ge-1/0/0.111 encapsulation vlan-bridge
set interfaces ge-1/0/0.111 vlan-id 111
set interfaces ge-1/0/0.112 encapsulation vlan-bridge
set interfaces ge-1/0/0.112 vlan-id 112
set interfaces ge-1/0/0.113 encapsulation vlan-bridge
set interfaces ge-1/0/0.113 vlan-id 113
set interfaces ge-1/0/0.114 encapsulation vlan-bridge
set interfaces ge-1/0/0.114 vlan-id 114
set interfaces ge-1/0/4 flexible-vlan-tagging
set interfaces ge-1/0/4 encapsulation flexible-ethernet-services
set interfaces ge-1/0/4.0 encapsulation vlan-bridge
set interfaces ge-1/0/4.0 vlan-tags outer 200 inner 111

The best way to describe how this solution works is to follow a customer frame as it traverses the PBN:
1. A frame with C-VLAN ID 112 arrives on ge-1/0/0.112, destined for a MAC address that exists on the remote side of the network.
2. Because the bridge domain is configured for vlan-id none, the C-VLAN tag is popped before the MAC table lookup.
3. If the destination MAC address is unknown, the frame is flooded out of all interfaces associated with the bridge domain, including the other subinterfaces of ge-1/0/0 (because of SVL). If the destination MAC is known, the frame is forwarded out of ge-1/0/4.0 with a C-VLAN of 111 (normalization) and an S-VLAN of 200.
4. Upon arriving at the remote PEB, assuming its bridge domain is also configured for vlan-id none, the S-VLAN and C-VLAN tags are popped before the MAC table lookup.
5. If the destination MAC address is unknown, the frame is flooded out of all interfaces associated with the bridge domain, including the subinterfaces of the customer-facing interfaces (because of SVL). If the destination MAC address is known, the frame is forwarded out of the appropriate subinterface using the encapsulation specified on that interface.

Explicit Configuration of Tag Operations
Customer Bridge-----ge-1/0/0--PEB-ge-1/0/4------ge-1/0/6-S-VLAN-Bridge-ge-1/0/4-----PEB------Customer Bridge
!On PEB
set bridge-domains customer1 interface ge-1/0/0.111
set bridge-domains customer1 interface ge-1/0/4.0
set interfaces ge-1/0/0 vlan-tagging
set interfaces ge-1/0/0 encapsulation flexible-ethernet-services
set interfaces ge-1/0/0.111 encapsulation vlan-bridge
set interfaces ge-1/0/0.111 vlan-id 111
set interfaces ge-1/0/0.111 input-vlan-map push vlan-id 200
set interfaces ge-1/0/4 stacked-vlan-tagging
set interfaces ge-1/0/4 encapsulation flexible-ethernet-services
set interfaces ge-1/0/4.0 encapsulation vlan-bridge
set interfaces ge-1/0/4.0 vlan-tags outer 200 inner 111

PBN Network-to-Network Interface
set interfaces ge-1/0/6 flexible-vlan-tagging
set interfaces ge-1/0/6 encapsulation flexible-ethernet-services
set interfaces ge-1/0/6.0 family bridge interface-mode trunk
set interfaces ge-1/0/6.0 family bridge vlan-id-list 200
set interfaces ge-1/0/6.0 family bridge vlan-rewrite translate 300 200
set bridge-domains customer1 vlan-id 200

VPLS: an Alternative to Q-in-Q Tunneling
To the customer in a VPLS environment, the provider's network appears to function as a single LAN segment (it acts similarly to a learning bridge). MAC addresses are dynamically mapped to outbound MPLS LSPs and/or interfaces.

Chapter 5: Spanning Tree Protocols
Same chapter as JNCIS-ENT Routing Study Guide "Chapter 3: Spanning Tree":
http://www.cocheno.com/2014/10/notas-estudo-advanced-junos-enterprise-switching-ajex/

Chapter 6: Ethernet OAM

OAM is a set of functions that allows network operators to monitor the health of the network:
- Determine fault conditions
- Measure the performance of the network
- Allow diagnostic testing (loopback and so forth)

OAM Measurements
- Availability: the ratio of uptime to the total time over which the measurement is taken;
- Frame delay: the time required to transmit a frame from one device to another;
- Frame delay variation: the variation in frame delay measurements between consecutive test frames; and
- Frame loss: the number of frames lost over time.

Continuity Check Messages
Unidirectional messages sent at regular intervals by one endpoint. If the remote end does not receive the message within a certain interval, a fault is detected, potentially raising an alarm.

Indications
- Alarm indication signal (AIS) and Forward Defect Indicator (FDI): notify downstream network nodes when a failure or defect occurs
- Backward Defect Indicator (BDI): notifies upstream network nodes when a failure occurs in the reverse direction

Loopback Messages
Allow for detection of a defect between nodes. Two different types:
- Non-intrusive loopback messages: do not disrupt service (like the ping facility)
- Intrusive loopback messages: signal a remote node to go into a special test mode (normal transit traffic cannot flow)

Linktrace Messages
Linktrace messages are a bidirectional continuity check (similar to traceroute for IP) that identifies the nodes along the path of the messages. Linktrace is a feature of OAM similar to the non-intrusive loopback messages.

LFM Capabilities
LFM is limited to a single Ethernet link:
- Remote failure indication
- Remote loopback
- Link monitoring
  - Event notification
  - Device polling
- OAM capability discovery
- No AIS
LFM is defined in IEEE 802.3, Clause 57. It specifies a method of OAM to be used on a single link.
LFM Clients
LFM clients communicate at the Ethernet layer; no IP addressing is necessary. Clients exchange OAM protocol data units (OAMPDUs). OAMPDUs are sent with the source address of the outgoing port and a destination address of 01-80-c2-00-00-02 (multicast); they are never flooded.
An LFM client can be either active or passive. Passive clients cannot initiate the discovery process or loopback control messages, so at least one client must be in active mode.
The following events result in the setting of flags:
• Link Fault: Signal loss is detected on the receive path.
• Dying Gasp: An external failure condition occurred. A power failure is a good example of a Dying Gasp event.
• Critical Event: An unspecified failure event. By configuring an action-profile (described below), an administrator can specify which events cause the local switch to send OAMPDUs with the critical event bit set.

Information OAMPDUs
- Discovery
- Heartbeat
- Critical Events

Event Notification OAMPDUs
Event notification OAMPDUs are used as BDIs. That is, they inform the upstream client that errors have occurred on the local receive path. There are four different types of event notifications.

Loopback Control OAMPDU
The loopback control OAMPDU allows an LFM client to direct the remote client to set or unset a loop on its interface.

Reaction to Events
Reaction to events is locally configurable, except for critical events (the interface goes to link-down state automatically). Possible actions: syslog, link down, begin sending OAMPDUs with the Critical Event bit set.
When an LFM client receives a critical event, it automatically places the interface in a down state (it removes routes and causes spanning-tree recalculation). It does, however, continue to monitor the interface for LFM messages in case the link becomes stable again.
To specify the action to be performed for a particular event, you must create an action-profile and apply it to an interface. Actions you can configure are generation of a syslog message, placement of the interface in a down state, or the sending of an OAMPDU to the remote peer with the critical event bit set.

CFM Features
- Fault monitoring using continuity check
- Path discovery and fault verification using linktrace
- Fault isolation using a loopback protocol
- Frame delay measurement

Maintenance Domains
An end-to-end network is broken up into maintenance domains, and each maintenance domain is assigned a level (0 to 7), for example:
- Level 5: customer domain
- Level 4: service provider domain
- Level 2: operator 1 domain
Levels 5 through 7 are reserved for customers, Levels 3 and 4 are reserved for providers, and Levels 0 through 2 are reserved for operators.

Maintenance Points
A maintenance point is a port on a bridge. Three types:
- Maintenance association endpoint (MEP): at the edge of a domain
- Maintenance association intermediate point (MIP): internal to a domain
- Transparent point: does not respond to CFM messages
A maintenance domain has at least two maintenance endpoints (MEPs). MEPs are interfaces found at the edge of the maintenance domain. A MEP forms a relationship with one or several MEPs that are in the same maintenance domain and level and that protect the same Ethernet virtual circuit (EVC); this grouping is called a maintenance association.
Another type of maintenance point is a maintenance intermediate point (MIP). MIPs are completely optional. MIPs are used to expose some of the network at a lower maintenance domain level to an upper level. For example, consider a topology where MIP functionality is configured on the Level 4 MEPs. A linktrace from the customer bridge on the left side at Level 5 shows three hops to the customer bridge on the right side.
The two MIPs configured at Level 4 and the final MEP at Level 5 respond to the linktrace message. MIPs respond only to CFM messages received from a MEP one level higher than their own. The final type of maintenance point is a transparent point. A transparent point is not configured for CFM messages and simply forwards them as regular data traffic.

Maintenance Point Roles
Each maintenance point has a role to perform:

Task                                        MEP   MIP   Transparent
Initiate CFM messages                       yes   yes   no
Respond to loopback and linktrace messages  yes   yes   no
Track CC messages                           yes   yes   no

MEP-to-MEP Relationship
A MEP forms a neighbor relationship with other MEPs in the same domain through the exchange of CC messages. Two types of MEPs:
- Down MEP: a MEP (interface) that faces a neighboring down MEP
- Up MEP: a MEP (interface) that faces away from a neighboring up MEP
Each MEP is configured with a MEP ID (a number). The MEP ID must be unique among all MEPs in the network. Each MEP is also configured with a direction, either up or down. A down MEP expects to find neighboring MEPs downstream. An up MEP expects to find neighboring MEPs upstream. To become neighbors, two MEPs must be configured with the same maintenance domain, maintenance association, level, and direction. This data is carried in each CFM message.

Continuity Check Messages
A MEP sends CC messages (using multicast) at regular intervals. Each contains several values:
- Maintenance domain ID
- Level
- Maintenance association ID
- MEP ID (unique among MEPs)
Loss of 3 consecutive CC messages is a failure (by default); this loss threshold is configurable.
MEPs use CC M group destination address, 01-80-C2-00-00-3y, for the destination MAC address in CCM frames. The maintenance domain level of the CCM is us ed for the “y” address bits. For example, if the maintenance domain level of the CCM is 0, then the CCM destination address is 01-80-C2-00-00-30. If the maintenance domain level of the CCM is 7, then the destination address is 01-80-C2-00-00-37. The frames are sent with sequence numbers and multicast frames reduce bandwidth requirements in a full mesh. In addition, they allow detec tion of accidentally cross-connected MEPs belonging to different service instances. The transmission rate for CCMs is configurable. Loopback Protocol Loopback initiator sends a loopback request to a specific MAC address, loopback responder sends a loopback response message An administrator can trig ger a MEP to send one or more loopback messages with an arbitrary amount of data. If the MEP does not receive a valid linktrace reply corresponding to the loopback messag e, the administrator knows a connectivity fault exists. The receiving MP turns the loopback message, at its maintenance domain level only, into a loopback reply (LBR) back toward the originating MEP Linktrace Protocol The administrator initiates the linktrace protocol, the linktrace initiator sends a linktrace message to a specific MAC address Each of the maintenance points along the path forwards the original linktrace message to the destination MAC address and also sends a linktrace reply listing their own MAC addresses -Responding bridges are configured at the same level as the initiator Each linktrace message has a linktrace message transaction identifier. Linktrace me ssage transaction id entifiers that are transmitted inside linktrace messages are unique for a MEP for at least five seco nds so that linktrace replies from slow MPs can be matched with the corresponding linktrace messages. 
Using the linktrace replies collected, the originating MEP builds the sequence of MPs traversed by the initial linktrace message. The administrator can then determine the path taken from the MEP to the destination MAC address by examining the sequence of MPs. The difference between the path taken by the linktrace message and the expected sequence helps pinpoint the location of a fault. Frame Delay Measurement The administrator initiates frame delay measurements: The initiator sends the delay measurement message The delay measurement responder sends a delay measurement reply message The initiator calculates the two-way delay (time reply received) - (Time message sent) = Delay Two types of delay tests exist: one-way and two-way. An MX Se ries router uses hardware-ass isted timestamping. When an administrator initiates a one-way frame delay test, a delay measurement message is sent to the remote MEP. The delay measurement message contains a timestamp. The remote MEP then calculates the delay from the time the frame was sent to the time it arrived. For the measurement to be accurate, both devices must have their clocks sy nchronized. A two-way test does not require the two devices to have their clocks synchronized . The slide shows the details of a two-way frame delay test. 
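To tie the CCM rules above together (group MAC derived from the maintenance domain level, neighbor matching on domain, association and level, sequence numbers, and the default failure threshold of 3 consecutive lost CCMs), here is an added Python model. It is not code from the study guide or from Junos; the class and field names are assumptions for illustration, and the sample CCMs in the comments are constructed.

```python
from dataclasses import dataclass

LOSS_THRESHOLD = 3  # consecutive CCMs missed before a failure (Junos default)


def ccm_group_mac(level: int) -> str:
    """CCM group destination MAC 01-80-C2-00-00-3y, where y is the MD level (0-7)."""
    if not 0 <= level <= 7:
        raise ValueError("maintenance domain level must be 0..7")
    return "01-80-C2-00-00-3%X" % level


def level_from_mac(mac: str) -> int:
    """Inverse: recover the MD level from a captured CCM destination MAC."""
    mac = mac.upper().replace(":", "-")
    if len(mac) != 17 or not mac.startswith("01-80-C2-00-00-3"):
        raise ValueError("not a CCM group address: " + mac)
    level = int(mac[-1], 16)
    if level > 7:
        raise ValueError("level bits out of range: " + mac)
    return level


@dataclass(frozen=True)
class Ccm:
    """The values the guide lists as carried in every CC message (hypothetical type)."""
    md: str      # maintenance domain ID
    level: int   # maintenance domain level
    ma: str      # maintenance association ID
    mep_id: int  # sender's MEP ID
    seq: int     # sequence number


class Mep:
    """Local MEP tracking one configured remote MEP (cf. 'remote-mep 106' above)."""

    def __init__(self, md, level, ma, mep_id, remote_mep, interval_ms=100):
        self.md, self.level, self.ma = md, level, ma
        self.mep_id, self.remote_mep = mep_id, remote_mep
        self.interval_ms = interval_ms
        self.last_rx_ms = None    # time of the last valid CCM
        self.last_seq = None
        self.out_of_order = 0     # duplicates/reorders spotted via sequence numbers

    def accept(self, ccm: Ccm, dst_mac: str) -> bool:
        """Use a CCM only if domain, association and level match (including the
        level encoded in the group MAC) and it comes from the expected remote MEP."""
        return (ccm.md == self.md and ccm.ma == self.ma
                and ccm.level == self.level
                and level_from_mac(dst_mac) == self.level
                and ccm.mep_id == self.remote_mep)

    def receive(self, ccm: Ccm, dst_mac: str, now_ms: int) -> bool:
        if not self.accept(ccm, dst_mac):
            return False   # e.g. a cross-connected MEP from another service instance
        if self.last_seq is not None and ccm.seq <= self.last_seq:
            self.out_of_order += 1
        self.last_seq, self.last_rx_ms = ccm.seq, now_ms
        return True

    def neighbor_ok(self, now_ms: int) -> bool:
        """Neighbor is up until LOSS_THRESHOLD intervals pass with no valid CCM."""
        if self.last_rx_ms is None:
            return False
        return now_ms - self.last_rx_ms < LOSS_THRESHOLD * self.interval_ms
```

With a 100 ms interval, a neighbor that last sent a valid CCM at t=0 is declared lost at t=300 ms, and a CCM whose level or domain differs from the local MEP's is never counted.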
LFM Settings
set protocols oam ethernet link-fault-management action-profile example event link-adjacency-loss
set protocols oam ethernet link-fault-management action-profile example action link-down
set protocols oam ethernet link-fault-management interface ge-1/3/6 apply-action-profile example
set protocols oam ethernet link-fault-management interface ge-1/3/6 pdu-interval 100
set protocols oam ethernet link-fault-management interface ge-1/3/6 link-discovery active
set protocols oam ethernet link-fault-management interface ge-1/3/6 pdu-threshold 10
set protocols oam ethernet link-fault-management interface ge-1/3/6 negotiation-options allow-remote-loopback

Action Profile
Action profiles specify how a switch should react to certain events. Critical events cause the interface to go into link-down state automatically.
set protocols oam ethernet link-fault-management action-profile example event ?
set protocols oam ethernet link-fault-management action-profile example action ?
1. link-adjacency-loss: Occurs when CC messages are no longer being received from the remote peer.
2. link-event-rate: Allows you to specify a rate of receiving different types of event messages that cause an action to take place.
3. protocol-down: Allows the MEP to monitor when maintenance associations at higher levels go down.
The graphic shows the actions you can take when the events specified in the action profile occur.

show oam ethernet link-fault-management

Setting a Remote Loop
set protocols oam ethernet link-fault-management interface ge-1/3/6 pdu-interval 100
set protocols oam ethernet link-fault-management interface ge-1/3/6 link-discovery active
set protocols oam ethernet link-fault-management interface ge-1/3/6 pdu-threshold 10
set protocols oam ethernet link-fault-management interface ge-1/3/6 remote-loopback

Down MEP Configuration
The remote MEP must be configured similarly to the local MEP, with the same maintenance domain, maintenance association, interval, and level.
!On customer switch
!CFM action profiles and maintenance domains are configured under connectivity-fault-management (not link-fault-management)
set protocols oam ethernet connectivity-fault-management action-profile evc1-profile event adjacency-loss
set protocols oam ethernet connectivity-fault-management action-profile evc1-profile action interface-down
set protocols oam ethernet connectivity-fault-management maintenance-domain customer level 5
set protocols oam ethernet connectivity-fault-management maintenance-domain customer maintenance-association evc1 continuity-check interval 100ms
set protocols oam ethernet connectivity-fault-management maintenance-domain customer maintenance-association evc1 mep 101 interface ge-1/3/6.116 vlan 116
set protocols oam ethernet connectivity-fault-management maintenance-domain customer maintenance-association evc1 mep 101 direction down
set protocols oam ethernet connectivity-fault-management maintenance-domain customer maintenance-association evc1 mep 101 auto-discovery
set protocols oam ethernet connectivity-fault-management maintenance-domain customer maintenance-association evc1 mep 101 remote-mep 106 action-profile evc1-profile

Up MEP Configuration
!Configure the provider edge bridge as a MEP and also as a MIP
!It acts as a MIP only for Level 5 (Level 4 + 1)
set protocols oam ethernet connectivity-fault-management maintenance-domain provider level 4
set protocols oam ethernet connectivity-fault-management maintenance-domain provider maintenance-association evc1 continuity-check interval 100ms
set protocols oam ethernet connectivity-fault-management maintenance-domain provider maintenance-association evc1 mip-half-function default
set protocols oam ethernet connectivity-fault-management maintenance-domain provider maintenance-association evc1 mep 102 interface ge-1/3/6.116 vlan 116
set protocols oam ethernet connectivity-fault-management maintenance-domain provider maintenance-association evc1 mep 102 direction up
set protocols oam ethernet connectivity-fault-management maintenance-domain provider maintenance-association evc1 mep 102 auto-discovery
show oam ethernet connectivity-fault-management

CC Status
!View the status of the switch's MEP-neighbor relationships
show oam ethernet connectivity-fault-management interface ge-1/3/6.116 vlan 116
show oam ethernet connectivity-fault-management interface ge-1/3/6.116 vlan 116 extensive

CFM Loopback
Use the ping ethernet command to initiate a CFM loopback test:
ping ethernet maintenance-domain customer maintenance-association evc1 mep 106
ping ethernet maintenance-domain customer maintenance-association evc1 00:22:83:30:fc:8a

Linktrace
Use the traceroute ethernet command to initiate a CFM linktrace test; intermediate MIPs respond:
traceroute ethernet maintenance-domain customer maintenance-association evc1 mep 106

Frame Delay Measurement
monitor ethernet delay-measurement two-way maintenance-domain customer maintenance-association evc1 mep 106

Save Frame Delay Measurements
show oam ethernet connectivity-fault-management mep-statistics maintenance-domain customer maintenance-association evc1

Chapter 7: High Availability and Network Optimization
Review the following info:
- JNCIS-ENT Chapter 7: High Availability Features
- Appendix A: Ethernet Ring Protection Switching

Multichassis Link Aggregation
Multichassis LAG enables:
- Node-level redundancy
- Multihoming support
The MC-LAG devices use the Inter-Chassis Control Protocol (ICCP) to exchange control information between the two MC-LAG network devices.

Implementing LAGs
!Create an aggregated Ethernet interface
set chassis aggregated-devices ethernet device-count 1
set interfaces ae0 unit 0 family bridge
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ge-0/0/12 gigether-options 802.3ad ae0
set interfaces ge-0/0/13 gigether-options 802.3ad ae0
By default, the actor and partner send LACP packets every second. You can configure the interval at which the interfaces send LACP packets by including the periodic option at the [edit interfaces interface aggregated-ether-options lacp] hierarchy level. The interval can be fast (every second) or slow (every 30 seconds). You can configure different periodic rates on active and passive interfaces. When you configure the active and passive interfaces at different rates, the transmitter honors the receiver's rate.
[edit interfaces ae0 aggregated-ether-options lacp]
user@Switch-1# set periodic ?
Possible completions:
  fast    Transmit packets every second
  slow    Transmit packets every 30 seconds

Appendix 8: Deprecated Syntaxes
Define Bridge Domains
New syntax
set interfaces ge-1/0/0.0 family bridge interface-mode access
set interfaces ge-1/0/0.0 family bridge vlan-id 100
set bridge-domains vlan-100 vlan-id 100
Old syntax
set interfaces ge-1/0/0 encapsulation ethernet-bridge
set interfaces ge-1/0/0 unit 0
set bridge-domains vlan-100 vlan-id 100
set bridge-domains vlan-100 interface ge-1/0/0.0

Creating Dual-Stacked VLAN Subinterfaces and Bridge Domains
!New syntax
set interfaces ge-1/0/4 flexible-vlan-tagging
set interfaces ge-1/0/4.0 vlan-id 200
set interfaces ge-1/0/4.0 family bridge interface-mode trunk
set interfaces ge-1/0/4.0 family bridge inner-vlan-id-list 111-114
!Old syntax
set interfaces ge-1/0/4 flexible-vlan-tagging
set interfaces ge-1/0/4 encapsulation flexible-ethernet-services
set interfaces ge-1/0/4.0 encapsulation vlan-bridge
set interfaces ge-1/0/4.0 vlan-tags outer 200 inner-range 111-114

The following list briefly explains the different ways of configuring a bridge domain:
• Default: You do not specify a VLAN ID for the bridge domain. The bridge domain is a single learning domain. You configure an input and output VLAN map to explicitly configure push, pop, swap, and other VLAN operations.
• None: You specify vlan-id none for the bridge domain. The bridge domain is a single learning domain. In this case, all inbound frames have all VLAN IDs popped. All outbound frames take on the VLAN settings of the outbound interface.
• Single: You specify vlan-id number for the bridge domain. The bridge domain is a single learning domain. In this case, all inbound frames have all service VLAN (S-VLAN) IDs popped. All inbound customer VLAN (C-VLAN) IDs are normalized (translated) to the VLAN ID of the bridge domain. All outbound frames take on the VLAN settings of the outbound interface.
• Double: You specify vlan-tags outer number inner number for the bridge domain. The bridge domain is a single learning domain. All incoming frames have their VLANs normalized (translated) to the outer and inner VLAN IDs that are specified for the bridge domain. All outbound frames take on the VLAN settings of the outbound interface.
• All: You specify vlan-id all for the bridge domain. The bridge domain has multiple learning domains. One learning domain exists for each C-VLAN configured on interfaces that are associated with the bridge domain. This type of configuration always results in independent VLAN learning (IVL) mode. Inbound frames retain their VLAN tags. All outbound frames take on the VLAN settings of the outbound interface.
Most of the options listed cause a bridge domain to have a single learning domain. If the interfaces assigned to a bridge domain are configured for a unique C-VLAN ID, then the learning mode for the bridge domain will be IVL. If the interfaces assigned to a bridge domain are configured for multiple C-VLANs, then the learning mode for the bridge domain will be shared VLAN learning (SVL) mode. When using the new style of configuration, IVL is the usual mode of operation.
SVL can occur with the new style of configuration only when mixing both old-style and new-style configurations in a bridge domain.

JNCIS-SP Study Guide—Part 3

ATM Switched Networks
Benefits of ATM
- ATM switches offered performance and predictable behavior
- Virtual circuits (VCs) could be reengineered without physical network changes
- Traffic statistics on a per-VC basis
Downsides of ATM
- Maintain separate infrastructure
- ATM cell overhead
- Scalability issues
- Not well integrated
One of the downsides to running an ATM overlay network is that each of the different core technologies (ATM and IP) required separate expert engineers and support staff to address the problems in their platforms. Assuming 20% overhead for ATM running on a 2.488-Gbps OC-48 link, 1.99 Gbps is available for customer data, and 498 Mbps (almost a full OC-12) is required for the ATM overhead. On a 10-Gbps OC-192 interface, some 1.99 Gbps (almost a full OC-48 of the link's capacity) is consumed by ATM overhead!

Frame Relay Networks
Benefits of using Frame Relay
- Uses VCs to move traffic
- Uses DLCIs to separate VCs
- Built-in congestion control
Downsides of Frame Relay
- Maintain separate infrastructure

MPLS
Benefits of MPLS
- Increased scalability
- Additional control over how traffic moves through the network using traffic engineering
- MPLS header: 4 bytes
An LSP is created by the concatenation of one or more label-switched hops that direct packets between LSRs to transit the MPLS domain. Junos currently assigns MPLS label values on a per-router basis: label value 10234 can be assigned only once by a given Juniper Networks router. Junos does not support labeled multicast or IPv6, except in the context of a Layer 2 or Layer 3 VPN.

The MPLS Header (Label) Structure
The 32-bit MPLS header consists of the following four fields:
• 20-bit label: Identifies the packet to a particular LSP. This value changes as the packet flows on the LSP from LSR to LSR.
• Class of service (CoS) (experimental): Indicates queuing priority through the network. This field was initially just the CoS field, but lack of standard definitions and use led to the current designation of this field as experimental. In other words, this field was always intended for CoS, but which type of CoS is still experimental. At each hop along the way, the CoS value determines which packets receive preferential treatment within the tunnel.
• Bottom of stack bit: Indicates whether this MPLS packet has more than one label associated with it. The MPLS implementation in the Junos OS supports unlimited label stack depths for transit LSR operations. At ingress, up to three labels can be pushed onto a packet. The bottom of the stack of MPLS labels is indicated by a 1 bit in this field; a setting of 1 tells the LSR that after popping the label stack an unlabeled packet will remain.
• Time to live (TTL): Contains a limit on the number of router hops this MPLS packet can travel through the network. It is decremented at each hop, and if the TTL value drops below 1, the packet is discarded. The default behavior is to copy the value of the IP packet into this field at the ingress router.

Reserved MPLS Label Values
0 = IPv4 Explicit NULL
1 = Router Alert Label
2 = IPv6 Explicit NULL
3 = Implicit NULL
4 through 15 = reserved for future use
A value of 0 represents the IP version 4 (IPv4) explicit null label. This label value is legal only when it is the sole label stack entry. It indicates that the label stack must be popped, and the forwarding of the packet must then be based on the IPv4 header.
A value of 1 represents the router alert label. This label value is legal anywhere in the label stack except at the bottom. When a received packet contains this label value at the top of the label stack, it is delivered to a local software module for processing. The label beneath it in the stack determines the actual forwarding of the packet. However, if the packet is forwarded further, the router alert label should be pushed back onto the label stack before forwarding. The use of this label is analogous to the use of the router alert option in IP packets. Because this label cannot occur at the bottom of the stack, it is not associated with a particular network layer protocol. Essentially, label value 1 gives MPLS modules in different routers a way to communicate with each other.
A value of 2 represents the IP version 6 (IPv6) explicit null label. This label value is legal only when it is the sole label stack entry. It indicates that the label stack must be popped, and the forwarding of the packet must then be based on the IPv6 header.
A value of 3 represents the implicit null label. This is a label that an LSR can assign and distribute, but it never actually appears in the encapsulation. When an LSR would otherwise replace the label at the top of the stack with a new label, but the new label is implicit null, the LSR pops the stack instead of doing the replacement. Although this value might never appear in the encapsulation, it must be specified in the label signaling protocol, so a value is reserved.
Values 4 through 15 are reserved for future use.

Label Information Base
- The LIB is stored in the mpls.0 table
- The mpls.0 table is automatically created, with entries for label values 0, 1, and 2, when you configure the MPLS protocol
- The mpls.0 table maps each incoming label to the outgoing label and next hop used to forward the packets

Label-Switched Path
An LSP is a one-way (unidirectional) flow of traffic, carrying packets from beginning to end. Packets must enter the LSP at the beginning (ingress) of the path, and can only exit the LSP at the end (egress). Packets cannot be injected into an LSP at an intermediate hop.
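As an added example that is not from the study guide or from Junos, the following Python packs and parses the 32-bit MPLS header described above, enforces the placement rules given for reserved labels 0 through 3, and applies a transit swap with TTL decrement (an outgoing implicit-null label means pop instead of swap, i.e. PHP). The two-label sample stack and its label values are constructed.

```python
import struct

# Reserved label values listed in the guide
IPV4_EXPLICIT_NULL, ROUTER_ALERT, IPV6_EXPLICIT_NULL, IMPLICIT_NULL = 0, 1, 2, 3


def pack_label(label, exp=0, bos=0, ttl=255):
    """One 32-bit label stack entry: 20-bit label | 3-bit EXP (CoS) | 1-bit S | 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and bos in (0, 1) and 0 <= ttl < 256):
        raise ValueError("MPLS header field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def unpack_label(buf, offset=0):
    (word,) = struct.unpack_from("!I", buf, offset)
    return {"label": word >> 12, "exp": (word >> 9) & 7,
            "bos": (word >> 8) & 1, "ttl": word & 0xFF}


def parse_stack(buf):
    """Walk entries until the S bit is set; return (entries, payload after the stack)."""
    stack, off = [], 0
    while off + 4 <= len(buf):
        entry = unpack_label(buf, off)
        stack.append(entry)
        off += 4
        if entry["bos"]:
            return stack, buf[off:]
    raise ValueError("truncated label stack: no bottom-of-stack bit seen")


def validate_stack(stack):
    """Apply the placement rules for reserved labels stated in the guide."""
    for i, e in enumerate(stack):
        lbl, bottom = e["label"], i == len(stack) - 1
        if lbl in (IPV4_EXPLICIT_NULL, IPV6_EXPLICIT_NULL) and len(stack) != 1:
            raise ValueError("explicit null is legal only as the sole stack entry")
        if lbl == ROUTER_ALERT and bottom:
            raise ValueError("router alert is legal anywhere except the bottom of the stack")
        if lbl == IMPLICIT_NULL:
            raise ValueError("implicit null (3) never appears in the encapsulation")
        if 4 <= lbl <= 15:
            raise ValueError("labels 4-15 are reserved for future use")


def transit_swap(buf, out_label):
    """Transit LSR behaviour: swap the top label and decrement the TTL.
    Returns the rewritten packet, or None when the TTL drops below 1 (discard).
    An outgoing implicit-null label means PHP: pop the top entry instead of swapping."""
    stack, payload = parse_stack(buf)
    validate_stack(stack)
    top, rest = stack[0], stack[1:]
    ttl = top["ttl"] - 1
    if ttl < 1:
        return None
    if out_label == IMPLICIT_NULL:
        # Penultimate-hop popping: the remaining entries (if any) are left unchanged
        return b"".join(pack_label(**e) for e in rest) + payload
    new_top = dict(top, label=out_label, ttl=ttl)
    return b"".join(pack_label(**e) for e in [new_top] + rest) + payload


# Constructed sample: an inner (VPN) label under a transport label, then a fake payload
SAMPLE = (pack_label(10234, exp=5, ttl=64)
          + pack_label(300000, bos=1, ttl=64)
          + b"IPv4 payload")
```

Running transit_swap(SAMPLE, 20001) yields a packet whose top label is 20001 with TTL 63 and whose inner label is untouched; transit_swap(SAMPLE, IMPLICIT_NULL) returns just the inner label plus payload.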
The Functions of the Ingress Router
In some MPLS documents, this router is called the head-end router or the label edge router (LER) for the LSP.

The Functions of the Transit Router
- Performs label swap operations
The MPLS protocol enforces a maximum limit of 253 transit routers in a single path because of the 8-bit TTL field.

The Function of the Penultimate Router
- Often called the second-to-last router
- Normally pops the label stack
- Unlabeled packets are sent to the egress
Penultimate-hop popping (PHP) facilitates label stacking and can improve performance on some platforms because it eliminates the need for two lookup operations on the egress router.

Functions of the Egress Router
- Packets exit the LSP at the egress
- Also called the tail-end router
- Downstream from the other routers
- Forwards packets based on IP address
At the end of an LSP, the egress router routes the packet based on the native information and forwards the packet toward its final destination using the normal IP forwarding table. Only one egress router can exist in a path. In many cases, the use of PHP eliminates the need for MPLS processing at the egress node.

Interface config
set interfaces ge-1/0/0.0 family inet address 172.120.100.21/30
set interfaces ge-1/0/0.0 family mpls
In order for the interface to recognize and accept MPLS packets, we must also configure the MPLS protocol under the interfaces that will participate in the MPLS domain.
set protocols mpls interface ge-1/0/0.0
!Excluding interfaces
set protocols mpls interface all
set protocols mpls interface ge-2/0/0.0 disable

Configure a Static LSP on the Ingress Router
set protocols mpls static-label-switched-path ingress next-hop
set protocols mpls static-label-switched-path ingress to
set protocols mpls static-label-switched-path ingress push