book

JUNOS Enterprise Switching

by Harry Reynolds, Doug Marschke

July 2009

Intermediate to advanced

752 pages

23h 19m

English

O'Reilly Media, Inc.

Read now

Unlock full access

JUNOS Enterprise Switching
SPECIAL OFFER: Upgrade this ebook with O’Reilly
Foreword
Evolution of the Bridging World
What Is the Big Deal About Switching Anyway?
How This Book Will Help You (a.k.a. What’s in It for Me?)
Preface
What Is JUNOS Enterprise Switching?
The Juniper Networks Technical Certification Program (JNTCP)
How to Use This Book
What’s in This Book?
Topology of This Book
Conventions Used in This Book

Using Code Examples
Safari® Books Online
Comments and Questions
About Scott Morris, Lead Tech Reviewer
Acknowledgments
From Doug MarschkeFrom Harry Reynolds
1. LAN and Internetworking Overview
What Is a Network?The OSI ModelLayer functionsNetwork Types and Communication ModesCommunication modesSo, Where Did We LANd?
Ethernet Technologies
A Brief Look BackEthernet or 802.3, That Is the QuestionThe MAC LayerCSMA/CDThe shift away from shared mediaMAC addressingEthernet Standards Wrap-UpA word on auto-negotiationEthernet Technology Summary
The TCP/IP Suite
Enter OSIExit OSI, Enter IPThe IP Stack, in a NutshellThe network that lies beneathARP me, AmadeusIP, freelyIP addressingHierarchicalClassless is the norm (or, how we learned to subnet)ICMP, the bad news protocolUDP, multiplexing, and not much elseTCP, a transport for all seasonsWhat’s this Internet thing for again, eh, sonny?IP encapsulation exampleInternet Protocol Summary
LAN Interconnection
RepeatersBridgesProtocol-agnosticLoops are bad, really, really badBridge processing in detailSo much for the 80/20 ruleRoutersMulti-Protocol RoutingOne protocol to rule them allLAN Interconnect Summary
Conclusion
Chapter Review Questions
Chapter Review Answers
2. EX Platform Overview
EX Hardware OverviewThe EX8200 SeriesSeparate Control and Forwarding: It’s a Good ThingEX Hardware: The NumbersEX Feature SupportLayer 2 featuresLayer 3 and general system featuresEX Hardware Summary
EX Series Architecture
The EX-PFE ASICEX3200 ArchitectureEX4200 ArchitectureFront-panel LEDsA Day in the Life of a PacketLayer 2 switchingOutput processing: Layer 2 switchingLayer 3 routingEX Series Architecture Summary
JUNOS Software Overview
JUNOS Software Summary
CLI Overview
J-Web and EZSetupEZSetupCLI Operational Modes and General FeaturesOperational modeCommand completionEmacs keysThe pipeConfiguration ModeNavigating the configuration hierarchyActive and candidate configurations, commits, and rollbacksCommit confirmedLoading and saving configurationsThe JUNOS CLI Summary
Advanced CLI and Other Cool Stuff
SOSScheduled Commits and WildcardsWildcards and regular expressionsCopying, Renaming, and Inserting
Conclusion
Chapter Review Questions
Chapter Review Answers
3. Initial Configuration and Maintenance
The Factory-Default Configuration and EZSetupFactory-Default ConfigurationEZSetupFactory-Default Configuration and EZSetup Summary
Initial Configuration Using the CLI
CLI Configuration Summary
Secondary Configuration
Customized User Accounts, Authentication, and AuthorizationUser authentication case studyOut of Band NetworkRemote AccessDynamic Host Configuration ProtocolDHCP server configuration in JUNOSDHCP relay configuration in JUNOSSecondary Configuration Summary
EX Interfaces
Permanent InterfacesNetwork InterfacesNetwork interface namingLogical unitsInterface ConfigurationPhysical propertiesLogical propertiesEX Interface Configuration ExamplesLayer 2 interfaceLayer 3 interfaceInterface TroubleshootingJUNOS troubleshooting toolsSyslogMonitor interfaceMonitor trafficOperational mode show commandsEthernet OAMDiagnostic commandsLoopbacksHard loopsEX Interface Summary
Basic Switch Maintenance
Chassis Health CheckSyslogSyslog case studySNMPNTPIs NTP really working?Rescue ConfigurationPassword RecoverySwitch Maintenance Summary
Conclusion
Chapter Review Questions
Chapter Review Answers
4. EX Virtual Chassis
The EX Virtual ChassisVirtual Chassis OverviewVirtual Chassis Control ProtocolMember roles within a VCMember IDMastership priorityDefault election algorithmVirtual Chassis IdentifierVirtual Chassis Design and Deployment OptionsVCP topologiesVCP single rack ringsVCP multiple rack ringsVCP serial chainVCE topologiesExtending the VCPacket Flow in a Virtual ChassisVirtual chassis topology discoveryThe SPF calculationA bifurcated VC: It’s a bad thingVirtual chassis packet walk-throughIntersystem packet flowsVirtual Chassis Summary
Configuration, Operation, and Maintenance
Virtual Chassis Configuration ModesHot or cold insertion: when does a VC addition become a VC merge?Virtual Chassis ConfigurationVirtual management addressVirtual chassis member parametersVCEsVirtual chassis configuration summaryVirtual Chassis Operation and MaintenanceOperational mode commands with member contextVC monitoring commandsMonitor the VC control protocolVC tracingVC maintenanceVC adds, moves, and changesConnecting to non-master membersUsing the no-management-vlan optionConfiguration, Operation, and Maintenance Summary
Virtual Chassis Case Study
Prepare for the MergeConfigure VC ParametersConfirm initial VC operationExpand the VC with VCE LinksPrepare the new switchConfigure the VCE portsCase Study Summary
Conclusion
Chapter Review Questions
Chapter Review Answers
5. Virtual LANs and Trunking
Virtual LANs and TrunkingPort ModesTagging User TrafficQinQ, a.k.a. provider bridgingThe Native and Default VLANsThe native VLANThe default VLANPutting it all togetherGeneric Attribute Registration ProtocolCisco and GVRPVLAN and Trunking Summary
EX to Catalyst VLAN Integration
Default VLAN/Trunking BehaviorDefine VLANsConfigure and confirm IOS VLANs and trunkingJUNOS VLAN and trunk configurationTroubleshoot a VLAN problemAdd Native VLAN SupportGetting Loopy with ItVLAN Integration Summary
Conclusion
Chapter Review Questions
Chapter Review Answers
6. Spanning Tree Protocol
Feeling a Little LoopyStupid Is As Stupid DoesLoop Issue Summary
Spanning Tree Protocol
STP BasicsCalculating and Maintaining the Spanning TreeBridge Protocol Data UnitsBPDU Learning and Port StatesProtocol TimersTable ageHello timeMessage ageForwarding delayPutting the Theory TogetherSTP IssuesSTP Summary
Rapid Spanning Tree Protocol
New BPDU Definition and FunctionInterface Types and StatesRSTP ConvergenceTopology changesLink failuresLink Cost in RSTPCompatibility with STPInteroperability Between Juniper and CiscoRSTP Summary
Spanning Tree Configuration
Failures with Default ParametersConfiguring RSTPWhen RSTP isn’t going to be rapidRSTP design considerationSpanning Tree Configuration Summary
Multiple Spanning Tree Protocol
MSTP ConfigurationMSTP Summary
Redundant Trunk Groups
RTG ConfigurationRTG Summary
Conclusion
Chapter Review Questions
Chapter Review Answers
7. Routing on the EX
EX Routing OverviewWhat Is Routing?Interior Gateway Protocol overviewEX Routing CapabilitiesWhat’s missing?Layer 3 scaling limitsJUNOS Routing ConceptsGlobal route preferenceRouting tables and RIB groupsThe inet.0 tableRouting policyRouter ID and Autonomous System NumberSummary of EX Routing Capabilities
Inter-VLAN Routing
A Router on a StickEnter the Routed VLAN InterfaceFull Layer 3 functionalityDeploy an RVIConfigure and test an RVIUse VRRP with an RVIRestricting RVI CommunicationsRVI and Layer 3 filtersRVI Summary
Static Routing
Next Hop TypesForwarding next hop qualifiersRoute Attributes and FlagsFloating Static RoutesEX Static Routing ScenarioStatic routing in the Internet routerEX static routingStatic Routing Summary
RIP Routing
RIP OverviewRIP stability and performance tweaksRIP and RIPv2RIP Deployment ScenarioConfigure RIPVodkila’s RIP configurationVerify RIPRIP Summary
Conclusion
Chapter Review Questions
Chapter Review Answers
8. Routing Policy and Firewall Filters
Routing PolicyWhat Is Routing Policy, and When Do I Need One?Where and How Is Policy Applied?Applying policy to link state routing protocolsApplying policy to RIPPolicy ComponentsLogical OR and AND functions within termsPolicy Match Criteria and ActionsPolicy match criteriaPolicy actionsRoute FiltersBinary treesRoute filters and match typesLongest match wins, but may not…Default PoliciesOSPF default policyIS-IS default policyRIP default policyBGP default policyTesting and Monitoring PolicyTesting policy resultsPolicy tracingPolicy Case StudyRouting Policy Summary
Firewall Filters
Types of FiltersFilter Term ProcessingFilter Match ConditionsFilter ActionsApplying a FilterApplying a filter at the port levelApplying a filter at the VLAN levelApplying a filter at the Layer 3 levelTransit Filter Case StudyLayer 3 filterVLAN filtersCase Study: Loopback FiltersPolicersBurst-size-limit mysteryPolicer actionsConfiguring and applying policersPolicer exampleStorm Control and Rate LimitingFilters and Policers Summary
Conclusion
Chapter Review Questions
Chapter Review Answers
9. Port Security and Access Control
Layer 2 Security OverviewEX Layer 2 Security Support
MAC Limiting, DHCP, and ARP
MAC LimitingLimiting MAC movesMAC limit actionsDeploy and verify MAC limitingDHCP Snooping and ARP InspectionSecuring DHCP and ARPDeploy DHCP snooping and ARP inspectionConfirm DHCP snooping and ARP inspectionMAC Limiting, DHCP, and ARP Summary
IEEE 802.1X Port-Based Authentication
Terminology and Basic OperationExtensible Authentication ProtocolJUNOS 802.1X Feature SupportAdministrative modesSupplicant modesAdditional capabilitiesDeploy and Verify 802.1XRADIUS server configurationEAP-MD5 supplicant configurationConfigure RADIUS parametersConfigure 802.1X authenticator propertiesVerify 802.1X authenticationConfigure MAC-based RADIUS authentication802.1X Port-Based Authentication Summary
Conclusion
Chapter Review Questions
Chapter Review Answers
10. IP Telephony
Deployment ScenariosQoS or CoS?Deployment Scenarios Summary
Power over Ethernet
JUNOS Support for PoEPoE Summary
Link Layer Discovery Protocol
JUNOS LLDPLLDP Summary
LLDP with Media Endpoint Discovery
LLDP-MED and JUNOSLLDP-MED Summary
Voice VLAN
Case Studies
Without LLDP-MED SupportPlug-and-play solution without LLDP-MEDVoice VLAN and IP phone configurationWith LLDP-MED SupportCase Study Summary
Conclusion
Chapter Review Questions
Chapter Review Answers
11. High Availability
Hardware RedundancyRouting Engine FailoverDefault Failover Layer 2Default Failover Layer 3Graceful Routing Engine SwitchoverGRES with Layer 2GRES with Layer 3Graceful RestartNon-Stop RoutingGRES, GR, NSR, Oh My!
VRRP
In-Service Software Upgrades
Aggregated Ethernet
LACP in ActionJUNOS ConfigurationAdditional configuration optionsLoad balancing over AE
Bidirectional Forwarding Detection (BFD)
High Availability Summary
Conclusion
Chapter Review Questions
Chapter Review Answers
Glossary
Index
About the Authors
Colophon
SPECIAL OFFER: Upgrade this ebook with O’Reilly

Content preview from JUNOS Enterprise Switching

IEEE 802.1X Port-Based Authentication

The IEEE 802.1X standard defines port-based NAC. In English, this means the protocol authenticates users on a per-switch port (or Wireless Access Point [WAP]) basis, allowing access for valid users and effectively disabling the port when authentication fails. The 802.1X standard relies on EAP for its heavy lifting; EAP is currently defined in RFC 3748. 802.1X is most often associated with WAPs, for the obvious reason that a wireless infrastructure, by its very nature, opens itself up to any and all takers, and hence may want to authenticate users before allowing them in. That being said, there is no reason that what is good for a wireless network cannot also be a benefit for a wired infrastructure. For example, you may have wall jacks that are in an unsecured area in a public meeting room that is shared by internal users and external guests, and you would like to offer intranet and Internet access to the former, but only Internet access to the latter.

802.1X does not replace other security technologies. 802.1X works with port security features such as DHCP snooping, DAI, and MAC limiting to guard against DoS attacks and spoofing.

Terminology and Basic Operation

Before diving into the 802.1X configuration and verification lab, let’s review some basic terminology and operational concepts. Figure 9-3 illustrates basic 802.1X concepts and EAP operation.

Figure 9-3. IEEE 802.1X basics

An 802.1X authentication system contains three basic components:

Supplicant ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780596804244Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

JUNOS Enterprise Switching

by Harry Reynolds, Doug Marschke

IEEE 802.1X Port-Based Authentication

Terminology and Basic Operation

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.