Juniper Networks EX2500 Ethernet Switch Configuration Guide Release 3.0 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 408-745-2000 www.juniper.net Part Number: 530-029705-01, Revision 2...
List of Technical Publications on page xiii Documentation Feedback on page xiii Requesting Technical Support on page xiii Objectives This guide describes how to configure and use the software on the EX2500 Ethernet Switch. This guide documents Release 3.0 of the EX2500 Ethernet Switch. NOTE: For additional information—either corrections to or information that might have been...
Documentation Conventions Table 1 describes the notice icons used in this manual. Table 2 describes the EX2500 text and syntax conventions.
EX2500 Ethernet Switch Web Device Manager Guide. EX2500 Ethernet Switch Configuration Guide: Describes how to configure and use the software on the EX2500 Ethernet Switch. EX2500 Ethernet Switch Command Reference: Describes how to configure and use the software with your EX2500 Ethernet Switch. EX2500 Ethernet Switch 3.0 Release Notes...
Self-Help Online Tools and Resources For quick and easy problem resolution, the Juniper Networks online self-service portal—the Customer Support Center (CSC)—provides the following features: To verify service entitlement by product and serial number, use our Serial Number Entitlement (SNE) Tool at http://tools.juniper.net/SerialNumber/EntitlementSearch/ .
Part 1 EX2500 Ethernet Switch Applications This configuration guide will help you plan, implement, and administer EX2500 software. Where possible, each chapter provides feature overviews, usage examples, and configuration instructions. “Accessing the Switch” on page 3 describes how to access the switch to perform administration tasks.
Chapter 1 Accessing the Switch The EX2500 software provides a means for accessing, configuring, and viewing information and statistics about the EX2500 Ethernet Switch. This chapter discusses different methods of accessing the switch and ways to secure the switch for remote administrators:...
3. Configure the management IP address, subnet mask, and default gateway. Once you configure the IP address for your switch, you can connect to the management port and use the Telnet program from an external management station to access and control the switch.
IP address: telnet <switch IP address> Using the EX2500 Web Device Manager The EX2500 Web Device Manager is a Web-based management interface for interactive switch access through your Web browser. The Web Device Manager provides access to the common configuration, management and operation features of the switch through your Web browser.
EX2500 Web Device Manager access on the switch via HTTP: ex2500(config)# [no] access http enable The default HTTP Web server port to access the EX2500 Web Device Manager is port 80. However, you can change the default Web server port with the following command: ex2500(config)# access http port <TCP port number>...
HP-OpenView. SNMPv1, SNMPv2 To access the SNMP agent on the EX2500 switch, the read and write community strings on the SNMP manager should be configured to match those on the switch. The default read community string on the switch is public, and the default write community string is private.
EX2500 Ethernet Switch Command Reference. Default Configuration The EX2500 switch has two SNMPv3 users by default. Both of the following users have access to all the MIBs supported by the switch: 1. username 1: adminmd5 (password adminmd5). Authentication used is MD5.
The SNMPv2 trap host configuration is similar to the SNMPv1 trap host configuration. Wherever you specify the model, use snmpv2 instead of snmpv1.
ex2500(config)# snmp-server read-community public
ex2500(config)# snmp-server target-address 1 name v2trap2 address 10.70.70.190
ex2500(config)# snmp-server target-address 1 parameters-name v2param2
ex2500(config)# snmp-server target-address 1 taglist v2param2...
RADIUS Authentication and Authorization The EX2500 switch supports the RADIUS (Remote Authentication Dial-in User Service) method the switch. This method is based on a client/server model. The Remote Access Server (RAS)—the switch—is a client to the back-end database server. A remote user (the remote administrator) interacts only with the RAS, not the back-end server and database.
4. Configure the number of retry attempts for contacting the RADIUS server, and RADIUS Authentication Features in the EX2500 Switch The EX2500 switch supports the following RADIUS authentication features: Securing Access to the Switch RADIUS. The well-known port for RADIUS is 1812.
RADIUS servers cannot be reached. You always can access the switch via the console port, by using noradius and the administrator password, whether secure backdoor is enabled or not. NOTE: To obtain the RADIUS backdoor password for your EX2500 switch, contact technical support.
The EX2500 switch supports ASCII inbound login to the device. PAP, CHAP, and ARAP login methods; TACACS+ change password requests; and one-time password authentication are not supported.
It follows the authentication and authorization actions. If the authentication and authorization are not performed via TACACS+, no TACACS+ accounting messages are sent out. The EX2500 switch supports the following TACACS+ accounting attributes: (console, telnet, ssh, or http)
TACACS+ server. Use the following command to enable TACACS+ Command Logging: ex2500(config) The following examples illustrate the format of EX2500 commands sent to the TACACS+ server:
authorization request, cmd=shell, cmd-arg=interface ip
accounting request, cmd=shell, cmd-arg=interface ip...
To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024 bits and is used to identify the EX2500 switch. The server key is 768 bits and is used to make it impossible for someone to decipher a captured session by breaking into the EX2500 switch at a later time.
SSH clients. End User Access Control The EX2500 switch allows an administrator to define end user accounts that permit end users to perform operation tasks via the switch CLI commands. Once end user accounts are configured and enabled, the switch requires username-password authentication.
Web Device Manager, and SSHv1 or SSHv2 access to the switch. If RADIUS authentication is used, the user password on the RADIUS server will override the user password on the EX2500 switch. Also note that the password change command on the switch only modifies the user's switch password and has no effect on the user password on the RADIUS server.
Listing Current Users The following command displays defined user accounts and whether or not each user is currently logged in to the switch.
ex2500# show access user
Usernames: user oper admin
Current User ID table:...
VLANs and Port VLAN ID Numbers VLAN Numbers The EX2500 switch supports up to 1024 VLANs per switch. Even though the maximum number of VLANs supported at any given time is 1024, each can be identified with any number between 1 and 4094. VLAN 1 is the default VLAN for the data ports.
VLAN Tagging EX2500 software supports 802.1Q VLAN tagging, providing standards-based VLAN support for Ethernet systems. Tagging places the VLAN identifier in the frame header of a packet, allowing each port to belong to multiple VLANs. When you add a port to multiple VLANs, you also must enable tagging on that port.
(see Figure 2 through Figure 5). The default configuration settings for the EX2500 switch have all ports set as untagged members of VLAN 1 with all ports configured as PVID = 1. In the default configuration example shown in Figure 1, all incoming packets are assigned to VLAN 1 by the default port VLAN identifier (PVID = 1).
As shown in Figure 3, the untagged packet is marked (tagged) as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2. The untagged packet remains unchanged as it leaves the switch through port 7, which is configured as an untagged member of VLAN 2.
Outgoing untagged packet changed (tag removed) By default, the EX2500 software is configured so that tagging is disabled on all ports. By default, the EX2500 software is configured so that all data ports are members of VLAN 1. By default, the EX2500 software is configured so that the management port is a member of VLAN 4095 (the management VLAN).
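The tagging behaviour described above (PVID assignment on ingress, tag insertion on tagged members, tag removal on untagged members, and the rule that a port in several VLANs must have tagging enabled) modelled as an added example; this is not Juniper code, and the frames and port settings are constructed here to mirror the figures (port 5 a tagged member of VLAN 2, port 7 an untagged member).

```python
"""802.1Q tag handling as described for the EX2500 (PVID, tagged and
untagged VLAN members). Added example, not Juniper code; frames and port
settings are constructed here to mirror the figures in the text."""
import struct
from dataclasses import dataclass, field

TPID = 0x8100  # 802.1Q Tag Protocol Identifier in the EtherType position


@dataclass
class Port:
    pvid: int = 1                                      # default PVID = 1
    vlans: set = field(default_factory=lambda: {1})    # default: member of VLAN 1
    tagging: bool = False                              # default: tagging disabled

    def is_valid(self) -> bool:
        # Guide rule: a port in more than one VLAN must have tagging enabled,
        # and its PVID must be one of the VLANs it belongs to.
        return self.pvid in self.vlans and (len(self.vlans) == 1 or self.tagging)


def build_frame(dst: bytes, src: bytes, payload: bytes, vid=None, pcp=0) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    frame = dst + src
    if vid is not None:
        frame += struct.pack("!HH", TPID, (pcp << 13) | (vid & 0x0FFF))
    return frame + struct.pack("!H", 0x0800) + payload   # IPv4 EtherType


def read_tag(frame: bytes):
    """Return (vid, pcp) if the frame carries an 802.1Q tag, else None."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, tci >> 13
    return None


def ingress(frame: bytes, port: Port):
    """Classify an incoming frame: a tagged frame keeps its VID, an untagged
    frame is assigned the port's PVID (priority 0)."""
    tag = read_tag(frame)
    return tag if tag else (port.pvid, 0)


def egress(frame: bytes, vid: int, pcp: int, port: Port):
    """Frame as it leaves `port`, or None when the port is not in the VLAN.
    Tagged member: tag inserted (or rewritten). Untagged member: tag removed."""
    if vid not in port.vlans:
        return None
    body = frame[16:] if read_tag(frame) else frame[12:]  # EtherType + payload
    if port.tagging:
        return frame[:12] + struct.pack("!HH", TPID, (pcp << 13) | vid) + body
    return frame[:12] + body


def forward(frame: bytes, in_port: Port, out_ports: dict) -> dict:
    """Flood one frame from in_port to every out port; None means dropped."""
    vid, pcp = ingress(frame, in_port)
    return {name: egress(frame, vid, pcp, p) for name, p in out_ports.items()}


if __name__ == "__main__":
    # Figure 3 scenario: untagged frame enters a VLAN 2 port, leaves tagged on
    # port 5 (tagged member of VLAN 2) and unchanged on port 7 (untagged member).
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", b"payload")
    out = forward(frame, Port(pvid=2, vlans={2}),
                  {"port5": Port(pvid=2, vlans={2}, tagging=True),
                   "port7": Port(pvid=2, vlans={2}),
                   "port1": Port()})                   # default port: VLAN 1 only
    for name, f in out.items():
        print(name, "dropped" if f is None else f"tag={read_tag(f)}")
```

Running the script shows the VLAN 1 default port dropping the frame, which is the isolation the text relies on for the multi-VLAN examples that follow.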
Uplink ports are members of all three VLANs, with VLAN tagging enabled. Server 1 This server is a member of VLAN 1 and has presence in only one IP subnet. The associated switch port is only a member of VLAN 1, so tagging is disabled.
Table 8: Components of Sample Network with Multiple VLANs (2 of 2). Server 5: A member of VLAN 1 and VLAN 2, this server can communicate only with Server 1, Server 2, and Server 3.
Private VLANs Private VLANs provide Layer 2 isolation between the ports within the same broadcast domain. Private VLANs can control traffic within a VLAN domain, and provide port-based security for host servers. Use private VLANs to partition a VLAN domain into sub-domains. Each sub-domain is comprised of one primary VLAN and one or more secondary VLANs, as follows: Primary VLAN—Carries unidirectional traffic downstream from promiscuous ports.
Private VLAN Configuration Guidelines The following guidelines apply when configuring private VLANs: Private VLAN Configuration Example Follow this procedure to configure a private VLAN. 1. Select a VLAN and define the private VLAN type as primary.
Spanning Tree Protocol (STP) detects and eliminates logical loops in a bridged or switched network. When multiple paths exist, Spanning Tree configures the network so that a switch uses only the most efficient path. If that path fails, Spanning Tree automatically sets up another active path on the network to sustain network operations.
When determining which port to use for forwarding and which port to block, the EX2500 switch uses information in the BPDU, including each bridge ID. A technique based on the “lowest root cost” is then computed to determine the most efficient path for forwarding.
Use the following command to configure the spanning-tree port priority (Interface Port mode): ex2500(config-if)# spanning-tree stp 1 priority <0-240, in steps of 16> Port Path Cost The port path cost assigns lower values to high-bandwidth ports, such as 10 Gigabit Ethernet, to encourage their use.
For example, assume that VLAN 2 belongs to STG 2. You add an untagged port (port 5) that belongs to STG 2 to VLAN 2. The port becomes a member of STG 2, and the switch displays a message to inform you that the PVID changed from 1 to 2:...
RSTP, and some values of existing parameters are different. RSTP is compatible with devices that run 802.1D (1998) Spanning Tree Protocol. If the switch detects 802.1D (1998) BPDUs, it responds with 802.1D (1998)-compatible data units. RSTP is not compatible with Per VLAN Spanning Tree (PVST+) protocol.
This section provides important information about configuring Rapid Spanning Tree Groups: RSTP Configuration Example This section provides steps to configure Rapid Spanning Tree on the EX2500 switch, using the command-line interface (CLI). Rapid Spanning Tree Protocol is the default setting on the EX2500 switch.
Spanning Tree Groups (STGs). PVRST+ is based on IEEE 802.1w Rapid Spanning Tree Protocol. In PVRST mode, the EX2500 switch supports a maximum of 128 Spanning Tree Groups (STGs). Multiple STGs provide multiple data paths, which can be used for load balancing and redundancy.
VLAN 2, STG 2 By default, STGs 2 through 128 are empty, and STG 1 contains all configured VLANs until individual VLANs are assigned to other STGs. The EX2500 switch allows only one VLAN per STG, except for STG 1.
When MSTP is turned on, the switch automatically moves all VLANs to the CIST. When MSTP is turned off, the switch moves all VLANs from the CIST to STG 1. When enabling MSTP, you must configure a Region Name, and a default version number of 0 (zero) is configured automatically.
Server 1 VLAN 2 Multiple Spanning Tree Groups Configuration Example This configuration shows how to configure MSTP Groups on the switch, as shown in Figure 9. 1. Configure port membership and define the Spanning Tree Groups (STGs) for Multiple Spanning Tree Protocol...
Fast Uplink Convergence Fast Uplink Convergence enables the EX2500 switch to recover quickly from the failure of the primary link or trunk group in a Layer 2 network using Spanning Tree Protocol. Normal recovery can take as long as 50 seconds, while the backup link transitions from Blocking to Listening to Learning and then Forwarding states.
Sets the bridge priority to 61440 so that it does not become the root switch. Increases the cost of all ports by 30000, across all VLANs and Spanning Tree Groups. This ensures that traffic never flows through the EX2500 switch to get to another switch unless there is no other path.
45, you can create a virtual link between the switches, operating at up to 120 gigabits per second, depending on how many physical ports are combined. Each EX2500 switch supports up to 12 static trunk groups (portchannels) and up to 24 Link Aggregation Control Protocol (LACP) trunk groups, consisting of 1 to 12 ports in each group.
Before Configuring Static Trunks When you create and enable a static trunk, the trunk members (switch ports) take on certain settings necessary for correct operation of the trunking feature. Before you configure your trunk, you must consider these settings, along with specific configuration rules, as follows: 1.
You must first connect to each switch's command line interface (CLI) as the administrator. NOTE: For details about accessing and using any of the menu commands described in this example, see the EX2500 Ethernet Switch Command Reference. TRUNK 3: PORTS 2, 9, AND 16 EX2500...
1 member 1,11,18
ex2500(config)# portchannel 1 enable
ex2500(config)# show portchannel 1
Trunk group 3 (on the EX2500 switch) is now connected to trunk group 1 (on the other switch). In this example, two EX2500 switches are used. If a third-party device...
You can select a minimum of one or a maximum of two parameters to create one of the following configurations:
Source MAC (SMAC): ex2500(config)# portchannel hash source-mac-address
Destination MAC (DMAC): ex2500(config)# portchannel hash destination-mac-address
Source MAC (SMAC) + Destination MAC (DMAC):...
The Link Aggregation ID (LAG ID) is constructed mainly from the system ID and the port’s admin key, as follows: For example, consider two switches, an Actor (the EX2500 switch) and a Partner (another switch), as shown in Table 11.
Optionally Reducing LACP Timeout The LACP timeout period is the number of seconds that elapse before the switch invalidates LACP data from a remote partner. The default LACP timeout value is long (90 seconds)...
We recommend that you use the default long timeout to reduce LACPDU processing. If the CPU utilization rate of your switch remains at 100% for periods of 90 seconds or more, consider using static trunks instead of LACP. However, if CPU use is low, you can set the LACP timeout value on the switch to short (3 seconds), instead.
QoS features allow you to prioritize network traffic, thereby providing better service for selected applications. Figure 11 on page 52 shows the basic QoS model used by the switch. QoS Overview...
ACLs are used to control whether packets are forwarded or blocked at the switch ports. ACLs can provide basic security for access to the network. For example, you can use an ACL to permit one host to access a part of the network, and deny another host access to the same area.
If the packet matches the ACL’s rules, the ACL performs its configured action: either permit or deny the packet. The EX2500 switch supports the following ACL types: MAC Extended ACLs IP Standard ACLs...
IP Extended ACLs The switch supports up to 128 IP ACLs (standard and extended), numbered from 128 through 254. Use IP Extended ACLs to filter traffic using the following criteria: To create an IP Extended ACL:...
ACL’s configured action takes place. The other assigned ACLs are considered in numeric order, from lowest to highest. In the following example, the switch considers ACL 128 before ACL 130 because ACL 128 has a higher priority. The order in which the ACLs are assigned to a port does not affect their priority.
128 in
ex2500(config-if)# exit
To delete an ACL from a port:
ex2500(config)# interface port 1
ex2500(config-if)# no ip access-group 128 in
ex2500(config-if)# exit
Viewing ACL Statistics ACL statistics display how many packets hit (matched) each ACL. Use ACL statistics to check filter performance, and debug the ACL filters.
Use this configuration to block HTTP traffic on a port. 1. Configure an Access Control List.
ex2500(config)# access-list ip 170 extended
ex2500(config-ext-nacl)# deny tcp any any eq 80
ex2500(config-ext-nacl)# exit
2. Add the ACL to a port.
ex2500(config)# interface port 12...
3. Configure one MAC ACL for each type of traffic that you want to permit (ARP). 4. Assign the ACLs to a port. Using ACL Filters
ex2500(config)# access-list ip 200 extended
ex2500(config-ext-nacl)# permit tcp any any eq 80
ex2500(config-ext-nacl)# exit
ex2500(config)# access-list ip 210 extended
ex2500(config-ext-nacl)# permit tcp any any eq 443...
Using Storm Control Filters The EX2500 switch provides filters that can limit the number of the following packet types transmitted by switch ports: Broadcast packets Multicast packets Unknown unicast packets (destination lookup failure) Broadcast Storms Excessive transmission of broadcast or multicast traffic can result in a broadcast storm.
DSCP is a measure of the Quality of Service (QoS) level of the packet. The switch can classify traffic by reading the DiffServ Code Point (DSCP) or IEEE 802.1p priority value, or by using filters to match specific criteria. When network traffic attributes match those specified in a traffic pattern, the policy instructs the switch to perform specified actions on each packet that passes through it.
Per Hop Behavior The DSCP value determines the Per Hop Behavior (PHB) of each packet. The PHB is the forwarding treatment given to packets at each hop. QoS policies are built by the application of a set of rules to packets, based on the DSCP value, as they hop through the network.
DSCP Mapping The switch can use the DSCP value of ingress packets to set the COS queue. Use the following command to view the default settings: ex2500(config)# show qos dscp Use the following command to turn on DSCP re-marking globally:...
Using 802.1p Priority to Provide QoS The EX2500 switch provides Quality of Service (QoS) functions based on the priority bits in a packet’s VLAN header. (The priority bits are defined by the 802.1p standard within the IEEE 802.1Q VLAN header.) The 802.1p bits, if present in the packet, specify the priority that should be given to packets during forwarding.
Queuing and Scheduling The EX2500 switch has eight output Class of Service (COS) queues per port, into which each packet is placed. Each packet's 802.1p priority determines its COS queue. Higher COS queue numbers provide forwarding precedence.
RMON Group 9—Events on page 69 RMON Overview RMON allows the switch to track events and trigger alarms when a threshold is reached and to notify administrators by issuing a syslog message or SNMP trap. The RMON MIB provides an interface between the RMON agent on the switch and an RMON management application.
You must configure RMON statistics for the port before you can view
ex2500(config)# interface port 1
ex2500(config-if)# rmon enable
ex2500(config)# interface port 1
ex2500(config-if)# rmon collection-stats 1
ex2500(config-if)# rmon collection-stats owner "port 1 rmon"
This configuration enables RMON statistics on port 1.
ex2500(config)# show rmon statistics...
2. Configure the RMON History parameters for a port.
ex2500(config-if)# rmon collection-history 1 buckets 30
ex2500(config-if)# rmon collection-history 1 interval 120
ex2500(config-if)# rmon collection-history 1 owner "rmon port 1 history"
This configuration enables RMON History collection on port 1.
When an alarm is generated, it triggers a corresponding event notification. Use the following commands to correlate an Event index to an alarm:
ex2500(config)# rmon alarm <alarm number> rise-event <event number>
ex2500(config)# rmon alarm <alarm number> fall-event <event number>
RMON events use SNMP and syslogs to send notifications. Therefore, an SNMP trap host must be configured for trap event notification to work properly.
This process is used to set up a client/server relationship between an IP Multicast source that provides the data streams and the clients that want to receive the data. The EX2500 switch can perform IGMP Snooping, and connect to static multicast routers (Mrouters). The following topics are discussed in this chapter:...
2. Hosts that want to receive the multicast data stream send Membership Reports 3. The switch sets up a path between the Mrouter and the host, and blocks all 4. Periodically, the Mrouter sends Membership Queries to ensure that the host 5.
Exclude list. To disable snooping on EXCLUDE mode reports, use the following command: ex2500(config) By default, the switch snoops the first eight sources listed in the IGMPv3 Group Record. Use the following command to change the number of snooping sources: ex2500(config) IGMPv3 Snooping is compatible with IGMPv1 and IGMPv2 Snooping.
), VLAN (1 through 4094), and version (1 through 3). po24 ex2500(config)# ip igmp mrouter 5 1 2 The IGMP version is set for each VLAN, and cannot be configured separately for each Mrouter. ex2500(config)# show ip igmp mrouter...
Pair (FDP) that consists of one LtM (Link to Monitor) and one LtD (Link to Disable). When the switch detects a link failure in the LtM, it disables the ports in the LtD. The servers detect the disabled ports, which triggers a NIC failover.
Failure Detection Pair consists of the following groups of ports: Spanning Tree Protocol with UFD If Spanning Tree Protocol (STP) is enabled on ports in the LtM, then the switch monitors the STP state and the link status on ports in the LtM. The switch automatically disables the ports in the LtD when it detects a link failure or STP BLOCKING state.
NIC 2 is a non-primary adapter. NIC 1 is connected to port 16, and NIC 2 is connected to port 17. Port 2 is connected to a Layer 2/3 routing switch. The following procedure pertains to the example shown in Figure 14: 1.
Part 2 Appendixes “Monitoring Ports with Port Mirroring” on page 81 discusses the main tool for troubleshooting your switch—monitoring ports. Appendixes...
As an example, an IDS server can be connected to the monitor port to detect intruders attacking the network. The EX2500 switch can mirror all types of Layer 2 and Layer 3 traffic. Up to four monitor ports can be configured. Each monitor port can receive mirrored traffic from multiple switch ports, but each specific switch port is permitted to be mirrored to only one monitor port.
As shown in Figure 15, port 2 is acting as a monitor port, receiving mirrored traffic from three other switch ports: ingress traffic from port 4, egress traffic from port 7, and both ingress and egress traffic from port 10. A sniffer could be attached to port 2 in order to monitor the mirrored traffic on ports 4, 7, and 10.