Juniper Network and Security Manager (NSM) Admin Guide



Network and Security Manager

NSM Configuration Guide for EX Series Devices

Release

2012.2

Published: 2013-01-10

Revision 1

Copyright © 2013, Juniper Networks, Inc.

Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, California 94089

USA

408-745-2000 www.juniper.net

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Network and Security Manager NSM Configuration Guide for EX Series Devices

Copyright © 2013, Juniper Networks, Inc.

All rights reserved.

Revision History

January 2013— Revision 1

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About This Guide (page vii)
    Objectives (page vii)
    Audience (page vii)
    Conventions (page vii)
    Documentation (page ix)
    Requesting Technical Support (page x)
        Self-Help Online Tools and Resources (page xi)
        Opening a Case with JTAC (page xi)

Part 1: Managing EX Series Switches with NSM

Chapter 1: Configuring User Access and Authentication (page 3)
    Configuring RADIUS Authentication (NSM Procedure) (page 3)
    Configuring TACACS+ Authentication (NSM Procedure) (page 4)
    Configuring Authentication Order (NSM Procedure) (page 5)
    Configuring User Access (NSM Procedure) (page 6)
        Configuring Login Classes (page 6)
        Configuring User Accounts (page 8)
    Configuring Template Accounts (NSM Procedure) (page 9)
        Creating a Remote Template Account (page 10)
        Creating a Local Template Account (page 11)

Chapter 2: Configuring Chassis (page 13)
    Configuring Aggregated Devices (NSM Procedure) (page 13)
    Configuring Chassis Alarms (NSM Procedure) (page 14)
    Configuring Routing Engine Redundancy (NSM Procedure) (page 15)

Chapter 3: Configuring Class of Service (page 17)
    Configuring CoS Classifiers (NSM Procedure) (page 17)
    Configuring CoS Code Point Aliases (NSM Procedure) (page 19)
    Configuring CoS Drop Profile (NSM Procedure) (page 21)
    Configuring CoS Forwarding Classes (NSM Procedure) (page 23)
    Configuring CoS Interfaces (NSM Procedure) (page 24)
    Configuring CoS Rewrite Rules (NSM Procedure) (page 30)
    Configuring CoS Schedulers (NSM Procedure) (page 33)
    Configuring CoS and Applying Scheduler Maps (NSM Procedure) (page 34)

Chapter 4: Configuring Ethernet Switching Options (page 37)
    Configuring Port Mirroring to Analyze Traffic on EX Series Switches (NSM Procedure) (page 37)
    Configuring Redundant Trunk Links (NSM Procedure) (page 38)
    Configuring Port Security (NSM Procedure) (page 39)
    Configuring Static IP (NSM Procedure) (page 41)
    Configuring VoIP (NSM Procedure) (page 42)

Chapter 5: Configuring Firewall Filters (page 45)
    Configuring a Firewall Filter (page 45)
    Configuring a Policer for a Firewall Filter (page 48)

Chapter 6: Configuring Policy Options (page 51)
    Configuring an AS Path in a BGP Routing Policy (NSM Procedure) (page 51)
    Configuring an AS Path Group in a BGP Routing Policy (NSM Procedure) (page 52)
    Configuring a Community for use in BGP Routing Policy Conditions (NSM Procedure) (page 53)
    Configuring a BGP Export Policy Condition (NSM Procedure) (page 54)
    Configuring Flap Damping to Reduce the Number of BGP Update Messages (NSM Procedure) (page 55)
    Configuring a Routing Policy Statement (NSM Procedure) (page 57)
    Configuring Prefix List (NSM Procedure) (page 58)

Chapter 7: Configuring Routing Options (page 61)
    Configuring Maximum Prefixes (NSM Procedure) (page 61)
    Configuring Multicast (NSM Procedure) (page 63)
    Configuring Multipath (NSM Procedure) (page 66)
    Configuring Options (NSM Procedure) (page 67)
    Configuring Route Resolution (NSM Procedure) (page 68)
    Configuring Routing Table Groups (NSM Procedure) (page 69)
    Configuring Routing Tables (NSM Procedure) (page 71)
    Configuring Source Routing (NSM Procedure) (page 73)
    Configuring Static Routes (NSM Procedure) (page 74)
    Configuring Generated Routes (NSM Procedure) (page 75)
    Configuring Graceful Restart (NSM Procedure) (page 76)
    Configuring Forwarding Table (NSM Procedure) (page 77)
    Configuring Flow Route (NSM Procedure) (page 79)
    Configuring Fate Sharing (NSM Procedure) (page 81)
    Configuring Martian Addresses (NSM Procedure) (page 82)
    Configuring Interface Routes (NSM Procedure) (page 84)
    Configuring Instance Export (NSM Procedure) (page 85)
    Configuring Instance Import (NSM Procedure) (page 85)
    Configuring Confederation (NSM Procedure) (page 86)
    Configuring Maximum Paths (NSM Procedure) (page 87)

Chapter 8: Configuring Protocols (page 89)
    Configuring the BFD Protocol (NSM Procedure) (page 89)
    Configuring BGP (NSM Procedure) (page 90)
    Configuring 802.1X Authentication (NSM Procedure) (page 93)
        Configuring 802.1X Interface Settings (page 93)
        Configuring Static MAC Bypass (page 95)
    Configuring GVRP (NSM Procedure) (page 95)
    Configuring IGMP (NSM Procedure) (page 96)
    Configuring IGMP Snooping on EX Series Switches (NSM Procedure) (page 98)
    Configuring LLDP (NSM Procedure) (page 99)
    Configuring LLDP-MED (NSM Procedure) (page 100)
    Configuring MSTP (NSM Procedure) (page 101)
    Configuring OSPF (NSM Procedure) (page 103)
    Configuring RIP (NSM Procedure) (page 106)
    Configuring RSTP on EX Series Switches (NSM Procedure) (page 108)
    Configuring STP (NSM Procedure) (page 109)
    Configuring VSTP (NSM Procedure) (page 111)
    Configuring VRRP (NSM Procedure) (page 113)

Chapter 9: Configuring PoE (page 115)
    Configuring Power over Ethernet (NSM Procedure) (page 115)

Chapter 10: Configuring SNMP (page 117)
    Configuring Basic System Identification for SNMP (NSM Procedure) (page 117)
    Configuring Client Lists (NSM Procedure) (page 118)
    Configuring SNMP Health Monitoring (NSM Procedure) (page 120)
    Configuring the Interfaces on Which SNMP Requests Can Be Accepted (NSM Procedure) (page 121)
    Configuring the SNMP Local Engine ID (NSM Procedure) (page 123)
    Configuring the SNMP Commit Delay Timer (NSM Procedure) (page 124)
    Configuring SNMP RMON Alarms and Events (NSM Procedure) (page 125)
    Enabling SNMP Access over Routing Instances (NSM Procedure) (page 129)
    Configuring SNMPv3 (NSM Procedure) (page 131)
    Configuring Tracing of SNMP Activity (NSM Procedure) (page 137)
    Configuring SNMP Views (NSM Procedure) (page 139)
    Configuring SNMP Communities (NSM Procedure) (page 140)
    Configuring SNMP Trap Options (NSM Procedure) (page 142)
    Configuring SNMP Trap Groups (NSM Procedure) (page 144)

Chapter 11: Configuring Virtual LANs (page 147)
    Configuring VLANs (NSM Procedure) (page 147)

Chapter 12: Configuring a Virtual Chassis (page 149)
    Configuring a Virtual Chassis (page 149)
        Configuring a Virtual Chassis with a Preprovisioned Configuration File (page 149)
        Add a Member to a Virtual Chassis (page 150)

Part 2: Index
    Index (page 155)


About This Guide

Objectives on page vii

Audience on page vii

Conventions on page vii

Documentation on page ix

Requesting Technical Support on page x

Objectives

Juniper Networks Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all devices.

NSM uses the technology developed for Juniper Networks ScreenOS to enable and simplify management support for previous and future versions of ScreenOS. By integrating management of all Juniper Networks security devices, NSM enhances the overall security of the Internet gateway.

This guide explains how to configure EX Series devices. Use this guide in conjunction with the NSM Online Help, which provides step-by-step instructions for many of the processes described in this document.

NOTE: If the information in the latest NSM Release Notes differs from the information in this guide, follow the NSM Release Notes.

Audience

This guide is intended for system administrators responsible for the security infrastructure of their organization. Specifically, this book discusses concepts of interest to firewall and VPN administrators, network/security operations center administrators, and system administrators responsible for user permissions on the network.

Conventions

The sample screens used throughout this guide are representations of the screens that appear when you install and configure the NSM software. The actual screens may differ.


All examples show default file paths. If you do not accept the installation defaults, your paths will vary from the examples.

Table 1 on page viii defines notice icons used in this guide.

Table 1: Notice Icons

Icon / Meaning / Description

Informational note
  Indicates important features or instructions.

Caution
  Indicates a situation that might result in loss of data or hardware damage.

Warning
  Alerts you to the risk of personal injury or death.

Laser warning
  Alerts you to the risk of personal injury from a laser.

Table 2 on page viii defines text conventions used in this guide.

Table 2: Text Conventions

Convention / Description / Examples

Bold typeface like this
  Represents commands and keywords in text.
  Example: Issue the clock source command.

Bold typeface like this
  Represents keywords.
  Example: Specify the keyword exp-msg.

Bold typeface like this
  Represents UI elements.
  Example: Click User Objects

Bold typeface like this
  Represents text that the user must type.
  Example: user input

Fixed-width font
  Represents information as displayed on the terminal screen.
  Example:
    host1# show ip ospf
    Routing Process OSPF 2 with Router ID 5.5.0.250
    Router is an area Border Router (ABR)

Key names linked with a plus (+) sign
  Indicates that you must press two or more keys simultaneously.
  Example: Ctrl + d

Italics
  Emphasizes words.
  Example: The product supports two levels of access, user and privileged.

Italics
  Identifies variables.
  Example: clusterID, ipAddress.

The angle bracket (>)
  Indicates navigation paths through the UI by clicking menu options and links.
  Example: Object Manager > User Objects > Local Objects


Table 3 on page ix defines syntax conventions used in this guide.

Table 3: Syntax Conventions

Convention / Description / Examples

Words in plain text
  Represent keywords.
  Example: terminal length

Words in italics
  Represent variables.
  Example: mask, accessListName

Words separated by the pipe ( | ) symbol
  Represent a choice to select one keyword or variable to the left or right of this symbol. The keyword or variable can be optional or required.
  Example: diagnostic | line

Words enclosed in brackets ( [ ] )
  Represent optional keywords or variables.
  Example: [ internal | external ]

Words enclosed in brackets followed by an asterisk ( [ ]* )
  Represent optional keywords or variables that can be entered more than once.
  Example: [ level1 | level2 | 11 ]*

Words enclosed in braces ( { } )
  Represent required keywords or variables.
  Example: { permit | deny } { in | out } { clusterId | ipAddress }

Documentation

Table 4 on page ix describes documentation for the NSM.

Table 4: Network and Security Manager Publications

Book / Description

Network and Security Manager Installation Guide
  Describes the steps to install the NSM management system on a single server or on separate servers. It also includes information on how to install and run the NSM user interface. This guide is intended for IT administrators responsible for the installation or upgrade of NSM.

Network and Security Manager Administration Guide
  Describes how to use and configure key management features in the NSM. It provides conceptual information, suggested workflows, and examples. This guide is best used in conjunction with the NSM Online Help, which provides step-by-step instructions for performing management tasks in the NSM UI.
  This guide is intended for application administrators or those individuals responsible for owning the server and security infrastructure and configuring the product for multi-user systems. It is also intended for device configuration administrators, firewall and VPN administrators, and network security operation center administrators.

Network and Security Manager Configuring ScreenOS and IDP Devices Guide
  Provides details about configuring the device features for all supported ScreenOS and IDP platforms.

Network and Security Manager Online Help
  Provides procedures for basic tasks in the NSM user interface. It also includes a brief overview of the NSM system and a description of the GUI elements.

Network and Security Manager API Guide
  Provides complete syntax and description of the SOAP messaging interface to NSM.

Network and Security Manager Release Notes
  Provides the latest information about features, changes, known problems, resolved problems, and system maximum values. If the information in the Release Notes differs from the information found in the documentation set, follow the Release Notes.
  Release notes are included on the corresponding software CD and are available on the Juniper Networks Website.

Configuring Infranet Controllers Guide
  Provides details about configuring the device features for all supported Infranet Controllers.

Configuring Secure Access Devices Guide
  Provides details about configuring the device features for all supported Secure Access Devices.

NSM Configuration Guide for EX Series Devices
  Provides details about configuring the device features for all supported EX Series platforms.

Configuring J-series Services Routers and SRX-series Services Gateways Guide
  Provides details about configuring the device features for all supported J-series Services Routers and SRX-series Services Gateways.

M-series and MX-series Devices Guide
  Provides details about configuring the device features for M-series and MX-series platforms.

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.


Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

• To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html


PART 1

Managing EX Series Switches with NSM

The chapters in Part 1 of the Release 2009.1 version of the NSM Configuration Guide for EX Series Devices provide an overview of the management system and describe how to configure features for EX Series devices.

NOTE: Because the NSM device-side configuration guides are not updated on the same release schedule as the JUNOS releases, consult the JUNOS Software Documentation for information about configuration settings that might occur in NSM and not in the device-side configuration guides or vice versa.

Part 1 contains the following chapters:

Configuring User Access and Authentication on page 3

Configuring Chassis on page 13

Configuring Class of Service on page 17

Configuring Ethernet Switching Options on page 37

Configuring Firewall Filters on page 45

Configuring Policy Options on page 51

Configuring Routing Options on page 61

Configuring Protocols on page 89

Configuring PoE on page 115

Configuring SNMP on page 117

Configuring Virtual LANs on page 147

Configuring a Virtual Chassis on page 149


CHAPTER 1

Configuring User Access and Authentication

This section contains the following:

Configuring RADIUS Authentication (NSM Procedure) on page 3

Configuring TACACS+ Authentication (NSM Procedure) on page 4

Configuring Authentication Order (NSM Procedure) on page 5

Configuring User Access (NSM Procedure) on page 6

Configuring Template Accounts (NSM Procedure) on page 9

Configuring RADIUS Authentication (NSM Procedure)

To use RADIUS authentication, you must configure at least one RADIUS server. Configuring RADIUS authentication involves identifying the RADIUS server, specifying the secret (password) of the RADIUS server, and setting the source address of the device's RADIUS requests to the loopback address of the device.

To configure RADIUS authentication:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the device for which you want to configure RADIUS authentication.

3. Click the Configuration tab. In the configuration tree, select System > Radius Server.

4. Add or modify Radius settings as specified in Table 5 on page 4.

5. Click one:

   • New—Adds a new RADIUS server.

   • OK—Saves the changes.

   • Cancel—Cancels the modifications.


Table 5: RADIUS Authentication Configuration Details

Option / Function / Your Action

Name
  Function: Specifies the IP address of the RADIUS server.
  Your Action: Enter the IP address of the RADIUS server.

Secret
  Function: Specifies the shared secret (password) of the RADIUS server. The secret is stored as an encrypted value in the configuration database.
  Your Action: Enter the shared secret of the RADIUS server.

Source Address
  Function: Specifies the source address to be included in the RADIUS server requests by the device. In most cases, you can use the loopback address of the device.
  Your Action: Enter the loopback address of the device.
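The shared secret that Table 5 asks for is never sent over the network. The switch and the RADIUS server each use their own copy of it to hide the User-Password attribute and to compute the Response Authenticator on the reply, which is what lets the switch tell that an Access-Accept really came from the server it was configured with. The Python exchange below is an added example and is not taken from the Juniper guide or from NSM; it simulates both sides of one authentication per RFC 2865. The NAS address, user name, password and secrets are constructed sample values.

```python
"""Added example (not from the Juniper guide): a minimal RADIUS
Access-Request / Access-Accept exchange showing what the shared secret
is used for on each side. All secrets, addresses and credentials are
constructed sample values; the NAS side stands in for the EX switch."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}


def attribute(atype: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def xor_password(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding and its inverse.

    Each 16-byte block is XORed with MD5(secret + previous block); the
    'previous block' is the Request Authenticator for the first block and
    the previous ciphertext block after that."""
    if hiding:
        data = data + b"\x00" * (-len(data) % 16)   # pad plaintext to a multiple of 16
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if hiding else block          # always chain on the ciphertext
    return out if hiding else out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def nas_access_request(secret, ident, user, password, nas_ip, request_auth):
    """Switch (NAS) side: build the Access-Request. The secret stays on the box;
    it only hides the password here and checks the reply later."""
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, xor_password(password, secret, request_auth, True))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_reply(request, secret, user_db):
    """Server side: recover the password with its own copy of the secret, decide,
    and seal the reply with the Response Authenticator."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = xor_password(attrs[ATTR_USER_PASSWORD], secret, request_auth, False)
    code = ACCESS_ACCEPT if user_db.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, b"", request_auth, secret), b"")


def nas_verify_reply(reply, request_auth, secret):
    """Switch side: recompute the Response Authenticator and compare in constant time."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return CODE_NAMES.get(code, "other"), hmac.compare_digest(expected, reply[4:20])


def exchange(nas_secret: bytes, server_secret: bytes):
    """One authentication round trip: (reply code, whether the NAS trusts the reply)."""
    user_db = {b"netadmin": b"constructed-sample-pw"}        # constructed sample user
    request_auth = os.urandom(16)                             # fresh per request
    req = nas_access_request(nas_secret, 7, b"netadmin", b"constructed-sample-pw",
                             "10.255.0.1", request_auth)      # constructed loopback address
    return nas_verify_reply(server_reply(req, server_secret, user_db), request_auth, nas_secret)


if __name__ == "__main__":
    print(exchange(b"same-secret", b"same-secret"))      # ('Access-Accept', True)
    print(exchange(b"switch-secret", b"other-secret"))   # ('Access-Reject', False)
```

With matching secrets the server recovers the password and the switch verifies the reply; with a mismatch (the secret typed into NSM differs from the one on the server) the server sees garbage for the password and rejects, and the switch cannot verify the reply either, which is why a wrong secret shows up as every login failing rather than as a connectivity error.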

Related Documentation

• Configuring TACACS+ Authentication (NSM Procedure) on page 4

• Configuring Authentication Order (NSM Procedure) on page 5

• Configuring User Access (NSM Procedure) on page 6

Configuring TACACS+ Authentication (NSM Procedure)

To use TACACS+ authentication, you must configure at least one TACACS+ server. Configuring TACACS+ authentication involves identifying the TACACS+ server, specifying the secret (password) of the TACACS+ server, and setting the source address of the device's TACACS+ requests to the loopback address of the device.

To configure TACACS+ authentication:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab and then double-click the device for which you want to configure TACACS+ authentication.

3. Click the Configuration tab. In the configuration tree, select System > TACACS+ Server.

4. Add or modify TACACS+ settings as specified in Table 6 on page 4.

5. Click one:

   • New—Adds a new TACACS+ server.

   • OK—Saves the changes.

   • Cancel—Cancels the modifications.

Table 6: TACACS+ Authentication Configuration Details

Option / Function / Your Action

Name
  Function: Specifies the IP address of the TACACS+ server.
  Your Action: Enter the IP address of the TACACS+ server.

Secret
  Function: Specifies the shared secret (password) of the TACACS+ server. The secret is stored as an encrypted value in the configuration database.
  Your Action: Enter the shared secret of the TACACS+ server.

Source Address
  Function: Specifies the source address to be included in the TACACS+ server requests by the device. In most cases, you can use the loopback address of the device.
  Your Action: Enter the loopback address of the device.

Related Documentation

• Configuring RADIUS Authentication (NSM Procedure) on page 3

• Configuring Authentication Order (NSM Procedure) on page 5

• Configuring User Access (NSM Procedure) on page 6

Configuring Authentication Order (NSM Procedure)

You can configure the device so that user authentication occurs with the local password first, then with the RADIUS server, and finally with the TACACS+ server.

To configure authentication order:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab and then double-click the device for which you want to configure authentication order.

3. Click the Configuration tab. In the configuration tree, select System > Authentication Order.

4. In the Authentication Order workspace, click the New button. The New authentication-order list appears.

5. To add RADIUS authentication to the authentication order, select radius from the New authentication-order list.

6. To add TACACS+ authentication to the authentication order, select tacplus from the New authentication-order list.

7. To add Password authentication to the authentication order, select password from the New authentication-order list.

   • OK—Saves the changes.

   • Cancel—Cancels the modifications.

Related Documentation

• Configuring RADIUS Authentication (NSM Procedure) on page 3

• Configuring TACACS+ Authentication (NSM Procedure) on page 4

• Configuring User Access (NSM Procedure) on page 6


Configuring User Access (NSM Procedure)

This section includes the following topics:

• Configuring Login Classes on page 6
• Configuring User Accounts on page 8

Configuring Login Classes

You can define any number of login classes and then apply one login class to an individual user account. All users who can log in to the router must be in a login class. With login classes, you define the following:

• Access privileges users have when they are logged in to the router
• Commands and statements that users can and cannot specify
• How long a login session can be idle before it times out and the user is logged out

To configure login classes:

1. In the NSM navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab and then double-click the device for which you want to configure a login class.
3. Click the Configuration tab. In the configuration tree, select System > Login > Class.
4. Add or modify login class settings as specified in Table 7 on page 6.
5. Click one:
   • New—Adds a new login class.
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.
   • Search—Searches for a login class.

Table 7: Login Class Authentication Configuration Details

Class Name
  Function: Specifies a name for the login class.
  Your Action: Enter a name for the login class.

Comment
  Function: Specifies the comment added to the class.
  Your Action: Enter a comment.

Access Start
  Function: Specifies the start time for remote access.
  Your Action: Enter the start time for remote access in hh:mm format.

Access End
  Function: Specifies the end time for remote access.
  Your Action: Enter the end time for remote access in hh:mm format.

Idle Timeout
  Function: Specifies the maximum idle time before logout.
  Your Action: Enter the maximum idle time before logout in minutes.

Login Alarms
  Function: Displays the system alarms when logging in.

Login Script
  Function: Executes the login script when logging in.

Login Tip
  Function: Displays tips when logging in.

Allow Commands
  Function: Specifies the operational mode commands that members of a login class can use.
  Your Action: Enter the command name enclosed in quotation marks. For example, "request system reboot".

Deny Commands
  Function: Specifies the regular expression for commands to deny explicitly.
  Your Action: Enter the command name enclosed in quotation marks. For example, "(show system statistics)|(show bgp summary)".

Allow Configuration
  Function: Specifies the regular expression for configuration statements to be allowed explicitly.
  Your Action: Enter the configuration in quotation marks. For example, "regular expression 1".

Deny Configuration
  Function: Specifies the regular expression for configuration statements to be denied explicitly.
  Your Action: Enter the configuration in quotation marks. For example, "system services".

Security Roles
  Function: Specifies the Common Criteria security role. The options available are: none, audit-administrator, crypto-administrator, ids-administrator, security-administrator.

Login > Class > Allow Configuration Regexps

Allow Configuration Regexps
  Function: Specifies the object path regular expressions to be allowed.
  Your Action: Enter a regular expression string. For example, "interfaces .* description .*", "interfaces .* unit .* description .*", "interfaces .* unit .* family inet address .*", "interfaces .* disable".

Login > Class > Allowed Days

Allowed Days
  Function: Specifies the day(s) of the week when access is allowed.
  Your Action: Select the day(s) from the drop-down box. For example, Monday.

Login > Class > Deny Configuration Regexps

Deny Configuration Regular Expressions
  Function: Specifies the object path regular expressions to be denied.
  Your Action: Enter the regular expression string. For example, "system", "protocols".

Login > Class > Permissions

Permissions
  Function: Configures the login access privileges to be provided on the device.
  Your Action: Enter a new permission.
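The time-based controls in Table 7 (Access Start, Access End, Allowed Days, Idle Timeout) decide whether a session may start and when an idle one must end. The following is an added example, not Juniper's code or NSM behaviour: it models those four options for a candidate login. The hh:mm format and the day names come from the table; treating an end time earlier than the start time as a window that crosses midnight, and "None means unrestricted", are assumptions of this model.

```python
"""Model the time-based login class controls of Table 7.

Added example, not Juniper's code. Access Start/End use the hh:mm format
from the table; a window whose end precedes its start is assumed to cross
midnight, and None is assumed to mean "no restriction".
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, Optional, Set


def parse_hhmm(value: str) -> time:
    """Parse the hh:mm strings entered for Access Start / Access End."""
    hours, minutes = value.split(":")
    return time(int(hours), int(minutes))


@dataclass
class LoginClass:
    name: str
    access_start: Optional[time] = None   # None: no time-of-day restriction
    access_end: Optional[time] = None
    allowed_days: Set[str] = field(default_factory=set)  # empty: any day
    idle_timeout_minutes: Optional[int] = None          # None: never expires

    def login_allowed(self, when: datetime) -> bool:
        """Return True if a new session may start at the given instant."""
        if self.allowed_days and when.strftime("%A") not in self.allowed_days:
            return False
        if self.access_start is None or self.access_end is None:
            return True
        now = when.time()
        if self.access_start <= self.access_end:
            # Same-day window, for example 08:00 to 18:00 (end exclusive).
            return self.access_start <= now < self.access_end
        # Assumption: a window such as 22:00 to 06:00 wraps past midnight.
        return now >= self.access_start or now < self.access_end

    def session_expired(self, last_activity: datetime, now: datetime) -> bool:
        """Apply Idle Timeout (minutes) to an established session."""
        if self.idle_timeout_minutes is None:
            return False
        return now - last_activity >= timedelta(minutes=self.idle_timeout_minutes)


# Constructed sample classes (names and values are not from the page).
WEEKDAY_OPERATORS = LoginClass(
    name="weekday-operators",
    access_start=parse_hhmm("08:00"),
    access_end=parse_hhmm("18:00"),
    allowed_days={"Monday", "Tuesday", "Wednesday", "Thursday", "Friday"},
    idle_timeout_minutes=15,
)
NIGHT_SHIFT = LoginClass(
    name="night-shift",
    access_start=parse_hhmm("22:00"),
    access_end=parse_hhmm("06:00"),
)
CLASSES: Dict[str, LoginClass] = {c.name: c for c in (WEEKDAY_OPERATORS, NIGHT_SHIFT)}


def login_allowed_at(class_name: str, iso_timestamp: str) -> bool:
    """Look a class up by name and test a login at an ISO 8601 timestamp."""
    return CLASSES[class_name].login_allowed(datetime.fromisoformat(iso_timestamp))


def idle_expired(class_name: str, last_iso: str, now_iso: str) -> bool:
    """Has a session in this class exceeded its Idle Timeout?"""
    return CLASSES[class_name].session_expired(
        datetime.fromisoformat(last_iso), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # 2013-01-14 is a Monday, 2013-01-12 a Saturday.
    for name, when in [("weekday-operators", "2013-01-14T09:00"),
                       ("weekday-operators", "2013-01-12T09:00"),
                       ("night-shift", "2013-01-14T23:30"),
                       ("night-shift", "2013-01-15T06:00")]:
        print(f"{name:18} {when} -> {login_allowed_at(name, when)}")
```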

Configuring User Accounts

User accounts provide one way for users to access the device. (Users can access the router without accounts if you configured RADIUS or TACACS+ servers.) For each account, define the login name for the user and, optionally, information that identifies the user.

After you have created an account, a home directory is created for the user.

To configure user accounts:

1. In the NSM navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab and then double-click the device for which you want to configure a user account.
3. Click the Configuration tab. In the configuration tree, select System > Login > User.
4. Add or modify user account settings as specified in Table 8 on page 8.
5. Click one:
   • New—Adds a new user account.
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.
   • Search—Searches the available login classes.

Table 8: User Authentication Configuration Details

Name
  Function: Identifies the user with a unique name.
  Your Action: Enter a unique name for the user.

Comment
  Function: Specifies the comment added to the user account.
  Your Action: Enter a comment.

Full Name
  Function: Specifies the full name of the user.
  Your Action: Enter the full name.

Uid
  Function: Specifies the user identifier.
  Your Action: Enter a user ID. For example, 100...64000.

Class
  Function: Specifies the user's login class.
  Your Action: Select the class name.

Login > User > Authentication

Plain Text Password Value
  Function: Specifies the user's password.
  Your Action: Enter the plain-text password for the user.

Login > User > Authentication > Ssh DSA

Ssh DSA
  Function: Specifies the secure shell (SSH) DSA public key string.
  Your Action: Enter a DSA public key string.

Name
  Function: Specifies the name of the DSA public key string.
  Your Action: Enter a unique name for the DSA public key string.

Comment
  Function: Specifies the comment added to the SSH data.
  Your Action: Enter a comment.

From
  Function: Specifies the pattern list of hosts allowed.

Login > User > Authentication > Ssh Rsa

Ssh RSA
  Function: Specifies the secure shell (SSH) RSA public key string.
  Your Action: Enter an RSA public key string.

Name
  Function: Specifies the name of the RSA public key string.
  Your Action: Enter a unique name for the RSA public key string.

Comment
  Function: Specifies the comment added to the RSA data.
  Your Action: Enter a comment.

From
  Function: Specifies the pattern list of hosts allowed.
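The From field of an SSH key entry in Table 8 limits where a key may be used from, which is the control that keeps a leaked key useless outside the management network. The following is an added example, not Juniper's code: it assumes the OpenSSH from= pattern-list semantics (comma-separated patterns, * and ? wildcards, ! negation, CIDR blocks checked against the client IP) and uses constructed host names and addresses.

```python
"""Check a connecting client against an SSH key's From pattern list.

Added example, not Juniper's code. It assumes the From field carries an
OpenSSH-style pattern list: comma-separated, '*' and '?' wildcards, '!'
negation, and CIDR blocks matched against the client IP address.
"""
import fnmatch
import ipaddress


def _pattern_matches(pattern: str, host: str, ip: str) -> bool:
    """True if one (non-negated) pattern matches the client host or IP."""
    if "/" in pattern:
        # CIDR form: matched against the IP address only.
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    # Wildcard form: matched case-insensitively against the resolved host
    # name and literally against the IP address string.
    return (fnmatch.fnmatchcase(host.lower(), pattern.lower())
            or fnmatch.fnmatchcase(ip, pattern))


def host_allowed(pattern_list: str, host: str, ip: str) -> bool:
    """Apply the From pattern list to one client.

    A negated pattern that matches denies the client outright, even if a
    positive pattern also matches; otherwise at least one positive pattern
    must match. Host-name patterns depend on reverse DNS for the client
    address, so IP or CIDR patterns are the stronger control.
    """
    allowed = False
    for raw in pattern_list.split(","):
        pattern = raw.strip()
        if not pattern:
            continue
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if _pattern_matches(pattern, host, ip):
            if negated:
                return False
            allowed = True
    return allowed


# Constructed sample From values for a user's Ssh RSA entry.
FROM_MGMT_ONLY = "192.0.2.0/24,!192.0.2.250"
FROM_BASTIONS = "bastion?.example.net,!bastion9.example.net"

if __name__ == "__main__":
    for plist, host, ip in [
        (FROM_MGMT_ONLY, "jump1.example.net", "192.0.2.10"),
        (FROM_MGMT_ONLY, "jump2.example.net", "192.0.2.250"),
        (FROM_BASTIONS, "BASTION2.example.net", "198.51.100.7"),
        (FROM_BASTIONS, "bastion9.example.net", "198.51.100.9"),
    ]:
        print(f"{plist:45} {host:22} {ip:14} -> {host_allowed(plist, host, ip)}")
```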

Related Documentation:
• Configuring RADIUS Authentication (NSM Procedure) on page 3
• Configuring TACACS+ Authentication (NSM Procedure) on page 4
• Configuring Authentication Order (NSM Procedure) on page 5

Configuring Template Accounts (NSM Procedure)

You can create template accounts that are shared by a set of users when you are using RADIUS or TACACS+ authentication. When a user is authenticated by a template account, the CLI username is the login name, and the privileges, file ownership, and effective user ID are inherited from the template account.

To configure template accounts, follow these procedures:

• Creating a Remote Template Account on page 10
• Creating a Local Template Account on page 11

Creating a Remote Template Account

You can create a remote template that is applied to users authenticated by RADIUS or TACACS+ who do not belong to a local template account.

By default, Junos OS with enhanced services uses the remote template account when:

• The authenticated user does not exist locally on the Services Router.
• The authenticated user's record in the RADIUS or TACACS+ server specifies a local user, or the specified local user does not exist locally on the device.

The following procedure creates a sample user named remote that belongs to the operator login class.

To create a remote template account:

1. In the NSM navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab and then double-click the device for which you want to create a remote template account.
3. Click the Configuration tab. In the configuration tree, select System > Login > User.
4. Add or modify template account settings as specified in Table 9 on page 10.
5. Click one:
   • New—Creates a new remote template account.
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.

Table 9: Remote Template Account Details

Name
  Function: Specifies the user name.
  Your Action: Enter the user name. For example, type remote.

Uid
  Function: Specifies the user identifier for a login account.
  Your Action: Enter the number associated with the login account.

Class
  Function: Specifies the login class for the user.
  Your Action: Select the login class. For example, select operator.

Creating a Local Template Account

You can create a local template that is applied to users authenticated by RADIUS or TACACS+ who are assigned to the local template account. You use local template accounts when you need different types of templates. Each template can define a different set of permissions appropriate for the group of users who use that template.

The following procedure creates a sample user named admin that belongs to the superuser login class.

To create a local template account:

1. In the NSM navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab and then double-click the device for which you want to create a local template account.
3. Click the Configuration tab. In the configuration tree, select System > Login > User.
4. Add or modify template account settings as specified in Table 10 on page 11.
5. Click one:
   • New—Creates a new local template account.
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.

Table 10: Local Template Account Details

Name
  Function: Specifies the user name.
  Your Action: Enter the user name. For example, type admin.

Uid
  Function: Specifies the user identifier for a login account.
  Your Action: Enter the number associated with the login account.

Class
  Function: Specifies the login class for the user.
  Your Action: Select the login class. For example, select superuser.

Related Documentation:
• Configuring RADIUS Authentication (NSM Procedure) on page 3
• Configuring TACACS+ Authentication (NSM Procedure) on page 4
• Configuring Authentication Order (NSM Procedure) on page 5

CHAPTER 2

Configuring Chassis

This section contains the following:

• Configuring Aggregated Devices (NSM Procedure) on page 13
• Configuring Chassis Alarms (NSM Procedure) on page 14
• Configuring Routing Engine Redundancy (NSM Procedure) on page 15

Configuring Aggregated Devices (NSM Procedure)

The Junos OS supports the aggregation of physical devices into defined virtual links, such as the link aggregation of Ethernet interfaces defined by the IEEE 802.3ad standard.

You can configure the properties for Ethernet and SONET aggregated devices on the router.

To configure the aggregated devices on the router:

1. In the NSM navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab, and then double-click the device to select it.
3. Click the Configuration tab. In the configuration tree, expand Chassis > Aggregated Devices.
4. Add or modify the settings as specified in Table 11 on page 14.
5. Click one:
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.

Table 11: Aggregated Devices Configuration Details

Task: Configure properties for Ethernet aggregated devices.
Your Action:
  1. Click Ethernet next to Aggregated Devices.
  2. Enter the number of aggregated logical devices available to the router. Range: 1 through 256 devices.
  3. Click Lacp next to Ethernet.
  4. In the System Priority box, enter the priority for the aggregated Ethernet system.
  5. Click Link Protection next to Lacp.
  6. Select the Non Revertive check box if you want to disable the ability to switch to a better-priority link (if one is available) once a link is established as active and collection or distribution is enabled.

Task: Configure properties for SONET aggregated devices.
Your Action:
  1. Click Sonet next to Aggregated Devices.
  2. From the Device Count list, select the number of aggregated logical devices available to the router. Range: 1 through 16 devices.

Related Documentation:
• Configuring Chassis Alarms (NSM Procedure) on page 14
• Configuring a T640 Router on a Routing Matrix (NSM Procedure)
• Configuring Routing Engine Redundancy (NSM Procedure) on page 15
• Configuring a Routing Engine to Reboot or Halt on Hard Disk Errors (NSM Procedure)

Configuring Chassis Alarms (NSM Procedure)

You can configure the chassis alarms for an interface type to trigger a red or yellow alarm or to ignore an alarm. Various conditions related to the chassis components trigger yellow and red alarms.

To configure chassis alarms on the router:

1. In the NSM navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab, and then double-click the device to select it.
3. Click the Configuration tab. In the configuration tree, expand Chassis > Alarm.
4. Add or modify the alarm settings as specified in Table 12 on page 15.
5. Click one:
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.

Table 12: Chassis Alarms Configuration Details

Task: Configure the alarm type.
Your Action:
  1. Select the interface type listed next to Alarm.
  2. Select the alarm type for the chassis condition for each interface type.

Related Documentation:
• Configuring Aggregated Devices (NSM Procedure) on page 13
• Configuring Chassis FPC (NSM Procedure)
• Configuring Routing Engine Redundancy (NSM Procedure) on page 15

Configuring Routing Engine Redundancy (NSM Procedure)

You can configure redundancy properties for routers that have multiple Routing Engines or these multiple switching control boards: Switching and Forwarding Modules (SFMs), System and Switch Boards (SSBs), Forwarding Engine Boards (FEBs), or Compact Forwarding Engine Boards (CFEBs).

To configure Routing Engine redundancy in NSM:

1. In the NSM navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab, and then double-click the device to select it.
3. Click the Configuration tab. In the configuration tree, select Chassis > Redundancy.
4. Add or modify settings as specified in Table 13 on page 15.
5. Click one:
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.

Table 13: Chassis Redundancy Configuration Details

Task: Configure redundancy options.
Your Action:
  1. In the Comment box, enter the comment.
  2. From the keepalive list, select the time before the backup router takes mastership when it detects loss of the keepalive signal. Range: 2 through 10,000.

Task: Instruct the backup router to take mastership if it detects hard disk errors or a loss of the keepalive signal from the master Routing Engine.
Your Action:
  1. Click Failover next to Redundancy.
  2. In the Comment box, enter the comment.
  3. Select the type of failover.

Task: For routing platforms with two Routing Engines, configure a master Routing Engine to switch over gracefully to a backup Routing Engine without interruption to packet forwarding.
Your Action:
  1. Click Graceful Switchover next to Redundancy.
  2. In the Comment box, enter the comment.

Task: Set the function of the Routing Engine for the specified slot. By default, the Routing Engine in slot 0 is the master Routing Engine and the Routing Engine in slot 1 is the backup Routing Engine.
Your Action:
  1. Click Routing Engine next to Redundancy.
  2. From the Name list, select the slot number.
  3. In the Comment box, enter the comment.
  4. Select the function of the Routing Engine for the specified slot.
  5. Select one of the following:
     • master—To configure the Routing Engine to be the master.
     • backup—To configure the Routing Engine to be the backup.
     • disabled—To disable the Routing Engine.

Related Documentation:
• Configuring Aggregated Devices (NSM Procedure) on page 13
• Configuring a T640 Router on a Routing Matrix (NSM Procedure)
• Configuring a Routing Engine to Reboot or Halt on Hard Disk Errors (NSM Procedure)


CHAPTER 3

Configuring Class of Service

This section contains the following:

• Configuring CoS Classifiers (NSM Procedure) on page 17
• Configuring CoS Code Point Aliases (NSM Procedure) on page 19
• Configuring CoS Drop Profile (NSM Procedure) on page 21
• Configuring CoS Forwarding Classes (NSM Procedure) on page 23
• Configuring CoS Interfaces (NSM Procedure) on page 24
• Configuring CoS Rewrite Rules (NSM Procedure) on page 30
• Configuring CoS Schedulers (NSM Procedure) on page 33
• Configuring CoS and Applying Scheduler Maps (NSM Procedure) on page 34

Configuring CoS Classifiers (NSM Procedure)

Packet classification associates incoming packets with a particular class-of-service (CoS) servicing level. Classifiers associate packets with a forwarding class and loss priority and, based on the associated forwarding class, assign packets to output queues. Junos OS supports two general types of classifiers:

• Behavior aggregate (BA) or CoS value traffic classifiers—Examine the CoS value in the packet header. The value in this single field determines the CoS settings applied to the packet. BA classifiers allow you to set the forwarding class and loss priority of a packet based on the Differentiated Services code point (DSCP) value, IP precedence value, or IEEE 802.1p value. The default classifier is based on the DSCP value.

• Multifield traffic classifiers—Examine multiple fields in the packet, such as the source and destination addresses and the source and destination port numbers. With multifield classifiers, you set the forwarding class and loss priority of a packet based on firewall filter rules.

To configure and apply behavior aggregate classifiers for the switch:

1. In the navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab, and then double-click the device for which you want to configure and apply behavior aggregate classifiers.
3. Click the Configuration tab. In the configuration tree, expand Class of Service.
4. Select Classifiers.
5. Add or modify settings as specified in Table 14 on page 18.
6. Click one:
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Network and Security Manager Administration Guide for more information.

Table 14: Configuring and Applying Behavior Aggregate Classifiers

Task: Configure behavior aggregate classifiers for DiffServ CoS.
Action:
  1. Click Add new entry next to Dscp.
  2. In the Name box, type the name of the behavior aggregate classifier—for example, ba-classifier.
  3. In the Import box, type the name of the default DSCP map.

Task: Configure a best-effort forwarding class classifier.
Action:
  1. Click Add new entry next to Forwarding class.
  2. In the Class name box, type the name of the previously configured best-effort forwarding class—for example, be-class.
  3. Click Add new entry next to Loss priority.
  4. From the Loss val list, select high.
  5. Click Add new entry next to Code points.
  6. In the Value box, type the value of the high-priority code point for best-effort traffic—for example, 00001.
  7. Click OK three times.

Task: Configure an expedited forwarding class classifier.
Action:
  1. Click Add new entry next to Forwarding class.
  2. In the Class name box, type the name of the previously configured expedited forwarding class—for example, ef-class.
  3. Click Add new entry next to Loss priority.
  4. From the Loss val list, select high.
  5. Click Add new entry next to Code points.
  6. In the Value box, type the value of the high-priority code point for expedited forwarding traffic—for example, 101111.
  7. Click OK three times.

Task: Configure an assured forwarding class classifier.
Action:
  1. Click Add new entry next to Forwarding class.
  2. In the Class name box, type the name of the previously configured assured forwarding class—for example, af-class.
  3. Click Add new entry next to Loss priority.
  4. From the Loss val list, select high.
  5. Click Add new entry next to Code points.
  6. In the Value box, type the value of the high-priority code point for assured forwarding traffic—for example, 001100.
  7. Click OK three times.

Task: Apply the behavior aggregate classifier to an interface.
Action:
  1. Click Add new entry next to Interfaces.
  2. In the Interface name box, type the name of the interface—for example, ge-0/0/0.
  3. Click Add new entry next to Unit.
  4. In the Unit number box, type the logical interface unit number—for example, 0.
  5. Click Configure next to Classifiers.
  6. In the Classifiers box, under Dscp, type the name of the previously configured behavior aggregate classifier—for example, ba-classifier.
  7. Click OK.

Related Documentation:
• Configuring CoS Code Point Aliases (NSM Procedure) on page 19
• Configuring CoS Drop Profile (NSM Procedure) on page 21
• Configuring CoS Forwarding Classes (NSM Procedure) on page 23
• Configuring CoS Interfaces (NSM Procedure) on page 24
• Configuring CoS Rewrite Rules (NSM Procedure) on page 30
• Configuring CoS Schedulers (NSM Procedure) on page 33
• Configuring CoS and Applying Scheduler Maps (NSM Procedure) on page 34

Configuring CoS Code Point Aliases (NSM Procedure)

You can use code-point aliases to streamline the process of configuring CoS features on your device. A code-point alias assigns a name to a pattern of code-point bits. You can use this name instead of the bit pattern when you configure other CoS components such as classifiers, drop-profile maps, and rewrite rules.

To configure code-point aliases:

1. In the navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab, and then double-click the device for which you want to configure CoS code point aliases.
3. Click the Configuration tab. In the configuration tree, expand Class of Service.
4. Select Code Point Aliases.
5. Add or modify the settings as specified in Table 15 on page 20.
6. Click one:
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Network and Security Manager Administration Guide for more information.

Table 15: Configuring Code Point Aliases

Task: Assign an alias to the DSCP code point.
Action:
  1. In the Configuration tree, expand Code Point Aliases.
  2. Select Dscp.
  3. Click the Add New icon.
  4. In the Name box, type the alias that you want to assign to the code point—for example, my1.
  5. In the Bits box, type the code point—for example, 110001.
  6. Click OK.

Related Documentation:
• Configuring CoS Classifiers (NSM Procedure) on page 17
• Configuring CoS Drop Profile (NSM Procedure) on page 21
• Configuring CoS Forwarding Classes (NSM Procedure) on page 23
• Configuring CoS Interfaces (NSM Procedure) on page 24
• Configuring CoS Rewrite Rules (NSM Procedure) on page 30
• Configuring CoS Schedulers (NSM Procedure) on page 33
• Configuring CoS and Applying Scheduler Maps (NSM Procedure) on page 34


Configuring CoS Drop Profile (NSM Procedure)

Drop profiles provide a congestion management mechanism that enables a switch or routing platform to drop the arriving packets when queue buffers become full or begin to overflow. Drop profiles define the meanings of loss priorities. When you configure drop profiles you are essentially setting the value for queue fullness. The queue fullness represents the percentage of the memory used to store packets in relation to the total amount of memory that has been allocated for that specific queue. The queue fullness defines the delay-buffer bandwidth, which provides packet buffer space to absorb burst traffic up to the specified duration of delay. Once the specified delay buffer becomes full, packets with 100 percent drop probability are dropped from the tail of the buffer.

You specify drop probabilities in the drop profile section of the CoS configuration hierarchy and reference them in each scheduler configuration. If you do not configure any drop profile, the default tail drop profile is in effect and functions as the primary mechanism for managing congestion. In the default tail drop profile, when the fill level is 0 percent, the drop probability is 0 percent. When the fill level is 100 percent, the drop probability is 100 percent.

To configure drop profiles in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab, and then double-click the device for which you want to configure drop profiles.
3. Click the Configuration tab. In the configuration tree, expand Class of Service.
4. Select Drop Profiles.
5. Add or modify the drop profiles as specified in Table 16 on page 21.
6. Click one:
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 16: Drop Profile Configuration Fields

Drop Profile > Name
  Function: Specifies the drop profile name.
  Your Action:
    1. Click the New button or the Edit button in the Drop Profile interface.
    2. Enter the drop profile name in the Name box.

Drop Profile > Comment
  Function: Specifies the comment for the drop profile.
  Your Action:
    1. Click the New button or the Edit button in the Drop Profile interface.
    2. Enter the comment for the drop profile in the Comment box.

Fill Level > Name
  Function: Specifies the fill level for the drop profile.
  Your Action:
    1. On the Drop Profile interface, click the New button or select a profile and click the Edit button.
    2. Expand the Drop Profile tree and select Fill Level.
    3. Click the New button or select a fill level and click the Edit button.
    4. Select a value from the Name list.

Fill Level > Comment
  Function: Specifies the comment for the fill level.
  Your Action:
    1. On the Drop Profile interface, click the New button or select a profile and click the Edit button.
    2. Expand the Drop Profile tree and select Fill Level.
    3. Click the New button or select a fill level and click the Edit button.
    4. Enter a comment in the Comment box.

Related Documentation:
• Configuring CoS Classifiers (NSM Procedure) on page 17
• Configuring CoS Code Point Aliases (NSM Procedure) on page 19
• Configuring CoS Forwarding Classes (NSM Procedure) on page 23
• Configuring CoS Interfaces (NSM Procedure) on page 24
• Configuring CoS Rewrite Rules (NSM Procedure) on page 30
• Configuring CoS Schedulers (NSM Procedure) on page 33
• Configuring CoS and Applying Scheduler Maps (NSM Procedure) on page 34


Configuring CoS Forwarding Classes (NSM Procedure)

Forwarding classes allow you to group packets for transmission. Based on forwarding classes, you assign packets to output queues.

By default, four categories of forwarding classes are defined: best effort, assured forwarding, expedited forwarding, and network control.

NOTE: EX Series switches support up to 16 forwarding classes.

To configure CoS forwarding classes:

1. In the navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab, and then double-click the device for which you want to configure CoS forwarding classes.
3. Click the Configuration tab. In the configuration tree, expand Class of Service.
4. Select Forwarding Classes.
5. Add or modify settings as specified in Table 17 on page 23.
6. Click one:
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Network and Security Manager Administration Guide for more information.

Table 17: Assigning Forwarding Classes to Output Queues

Task: Assign best-effort traffic to queue 0.
Action:
  1. Select Queue and click Add new entry.
  2. In the Queue num box, type 0.
  3. In the Class name box, type the previously configured name of the best-effort class—for example, be-class.
  4. Click OK.

Task: Assign expedited forwarding traffic to queue 1.
Action:
  1. Select Queue and click Add new entry.
  2. In the Queue num box, type 1.
  3. In the Class name box, type the previously configured name of the expedited forwarding class—for example, ef-class.
  4. Click OK.

Task: Assign assured forwarding traffic to queue 3.
Action:
  1. Select Queue and click Add new entry.
  2. In the Queue num box, type 3.
  3. In the Class name box, type the previously configured name of the assured forwarding class—for example, af-class.
  4. Click OK.
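Tables 14, 15 and 17 together describe one path for a packet: its DSCP bits are matched by the behavior aggregate classifier (an alias from Table 15 may stand in for a bit pattern), the forwarding class picks the output queue, and the drop profile described in Configuring CoS Drop Profile decides whether the packet survives queue congestion. The following is an added example, not Juniper's code, that walks a constructed IPv4 header through that path using the sample values from those tables; the alias-in-classifier row, the fallback class for unmatched code points, the second drop profile and linear interpolation between drop-profile points are assumptions of this model.

```python
"""Walk a packet through the CoS pieces of Tables 14, 15 and 17, then apply
a drop profile at the chosen queue.

Added example, not Juniper's code. Code points, the alias my1 = 110001 and
the queue numbers are the page's sample values; everything marked
"constructed" or "assumed" below is not from the page.
"""
import struct
from typing import Dict, List, Tuple

# Table 15: a code-point alias names a bit pattern.
CODE_POINT_ALIASES: Dict[str, str] = {"my1": "110001"}

# Table 14: ba-classifier, code point -> (forwarding class, loss priority).
# The page writes the best-effort example as "00001"; DSCP is six bits,
# so it is taken here as 000001.
BA_CLASSIFIER: Dict[str, Tuple[str, str]] = {
    "000001": ("be-class", "high"),
    "101111": ("ef-class", "high"),
    "001100": ("af-class", "high"),
    "my1": ("af-class", "low"),     # constructed: alias used instead of bits
}

# Table 17: forwarding class -> output queue.
QUEUE_MAP: Dict[str, int] = {"be-class": 0, "ef-class": 1, "af-class": 3}
DEFAULT_CLASS = ("be-class", "low")  # assumed fallback for unmatched code points

# Drop profiles as (fill level %, drop probability %) points. "tail-drop" is
# the default profile described on the page; "gentle-af" is constructed.
DROP_PROFILES: Dict[str, List[Tuple[int, int]]] = {
    "tail-drop": [(0, 0), (100, 100)],
    "gentle-af": [(0, 0), (60, 0), (80, 20), (100, 100)],
}


def resolve_code_point(value: str) -> str:
    """Expand an alias (Table 15) or validate a literal 6-bit code point."""
    bits = CODE_POINT_ALIASES.get(value, value)
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError(f"not a 6-bit DSCP code point: {value!r}")
    return bits


def dscp_from_ipv4(packet: bytes) -> str:
    """Read the six DSCP bits from the IPv4 DS byte (the two ECN bits are dropped)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return format(packet[1] >> 2, "06b")


def classify(packet: bytes) -> Tuple[str, str, str, int]:
    """Return (code point, forwarding class, loss priority, queue) for a packet."""
    table = {resolve_code_point(k): v for k, v in BA_CLASSIFIER.items()}
    bits = dscp_from_ipv4(packet)
    forwarding_class, loss_priority = table.get(bits, DEFAULT_CLASS)
    return bits, forwarding_class, loss_priority, QUEUE_MAP[forwarding_class]


def drop_probability(profile: str, fill_percent: float) -> float:
    """Drop probability at a queue fill level, interpolating linearly (assumed)."""
    points = DROP_PROFILES[profile]
    if fill_percent <= points[0][0]:
        return float(points[0][1])
    for (f0, p0), (f1, p1) in zip(points, points[1:]):
        if f0 <= fill_percent <= f1:
            return p0 + (p1 - p0) * (fill_percent - f0) / (f1 - f0)
    return float(points[-1][1])   # beyond the last point: the buffer is full


def build_ipv4(dscp_bits: str, ecn: int = 0) -> bytes:
    """Constructed minimal IPv4 header carrying the given DSCP (and ECN) bits."""
    ds_byte = (int(dscp_bits, 2) << 2) | (ecn & 0x3)
    return struct.pack("!BBHHHBBH4s4s", 0x45, ds_byte, 20, 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))


if __name__ == "__main__":
    for bits in ("101111", "001100", "110001", "000000"):
        print(bits, classify(build_ipv4(bits, ecn=1)))
    print("gentle-af at 70% fill ->", drop_probability("gentle-af", 70))
```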

Related Documentation:
• Configuring CoS Classifiers (NSM Procedure) on page 17
• Configuring CoS Code Point Aliases (NSM Procedure) on page 19
• Configuring CoS Drop Profile (NSM Procedure) on page 21
• Configuring CoS Interfaces (NSM Procedure) on page 24
• Configuring CoS Rewrite Rules (NSM Procedure) on page 30
• Configuring CoS Schedulers (NSM Procedure) on page 33
• Configuring CoS and Applying Scheduler Maps (NSM Procedure) on page 34

Configuring CoS Interfaces (NSM Procedure)

An interface is configured for optimal performance in a high-traffic network. This feature enables you to configure interface-specific CoS properties for incoming packets.

To configure CoS interfaces in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab, and then double-click the device for which you want to configure CoS interfaces.
3. Click the Configuration tab. In the configuration tree, expand Class of Service.
4. Select Interfaces.
5. Add or modify the interfaces as specified in Table 18 on page 25.
6. Click one:
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Network and Security Manager Administration Guide for more information.

Table 18: Interfaces Configuration Fields

Interface > Name
Function: Specifies the interface name.
Your Action:
1. Expand the Interfaces tree and select Interface.
2. Click the New button or select an interface and click the Edit button in Interface.
3. Enter the interface name in the Name box.

Interface > Comment
Function: Specifies the comment for the interface.
Your Action:
1. Expand the Interfaces tree and select Interface.
2. Click the New button or select an interface and click the Edit button in Interface.
3. Enter the comment for the interface in the Comment box.

Interface > Scheduler Map
Function: Specifies the scheduler configuration mapped to the forwarding class.
Your Action:
1. Expand the Interfaces tree and select Interface.
2. Click the New button or select an interface and click the Edit button in Interface.
3. Select the scheduler map from the list.

Interface > Scheduler Map Chassis
Function: Specifies the scheduler configuration mapped to the forwarding class for the particular chassis in the chassis queue.
Your Action:
1. Expand the Interfaces tree and select Interface.
2. Click the New button or select an interface and click the Edit button in Interface.
3. Select the scheduler map chassis from the list.

EX Series Devices

Interface > Input Traffic Control Profile
Function: Applies an input traffic scheduling and shaping profile to the logical interface.
Your Action:
1. Click the New button or select an interface and click the Edit button in Interface.
2. Expand the Interface tree and select Input Traffic Control Profile.
3. Specify the comment and the profile name.
4. Click OK.

Interface > Input Traffic Control Profile Remaining
Function: Applies an input traffic scheduling and shaping profile for remaining traffic to the logical interface.
Your Action:
1. Click the New button or select an interface and click the Edit button in Interface.
2. Expand the Interface tree and select Input Traffic Control Profile Remaining.
3. Specify a comment and a profile name.
4. Click OK.

Interface > Output Traffic Control Profile
Function: Applies an output traffic scheduling and shaping profile to the logical interface.
Your Action:
1. Click the New button or select an interface and click the Edit button in Interface.
2. Expand the Interface tree and select Output Traffic Control Profile.
3. Specify a comment and a profile name.
4. Click OK.

Interface > Output Traffic Control Profile Remaining
Function: Applies an output traffic scheduling and shaping profile for remaining traffic to the logical interface.
Your Action:
1. Click the New button or select an interface and click the Edit button in Interface.
2. Expand the Interface tree and select Output Traffic Control Profile Remaining.
3. Specify a comment and a profile name.
4. Click OK.

Interface > Shaping Rate
Function: Shapes the output of the physical interface, so that the interface transmits less traffic than it is physically capable of carrying.
Your Action:
1. Click the New button or select an interface and click the Edit button in Interface.
2. Expand the Interface tree and select Shaping Rate.
3. Specify the comment and the rate.
4. Click OK.

Interface > Unit
Function: Sets the units that need to be allocated to the specific forwarding class and scheduling map.
Your Action:
1. Click the New button or select an interface and click the Edit button in Interface.
2. Expand the Interface tree and select Unit.
3. Specify the Unit, Classifiers, Output Traffic Control Profile and Shaping Rate.
4. Click OK.

Interface Set > Name
Function: Specifies the interface set name.
Your Action:
1. Expand the Interfaces tree and select Interface Set.
2. Click the New button or select an interface set and click the Edit button.
3. Select the name from the list.

Interface Set > Comment
Function: Specifies the comment for the interface set.
Your Action:
1. Expand the Interfaces tree and select Interface Set.
2. Click the New button or select an interface set and click the Edit button.
3. Enter the comment.

Interface Set > Internal Node
Function: Sets the scheduler node as internal, allowing resource scheduling to be applied equally to interface sets that include child nodes and those that do not include child nodes.
Your Action:
1. Expand the Interfaces tree and select Interface Set.
2. Click the New button or select an interface set and click the Edit button.
3. Set the internal node.

Interface Set > Excess Bandwidth Share
Function: Sets the excess bandwidth sharing value.
Your Action:
1. Expand the Interfaces tree and select Interface Set.
2. Click the New button or select an interface set and click the Edit button.
3. Expand the interface-set tree and select Excess Bandwidth Share.
4. Specify the comment and proportion.
5. Click OK.

Interface Set > Input Excess Bandwidth Share
Function: Sets the excess input bandwidth sharing value.
Your Action:
1. Expand the Interfaces tree and select Interface Set.
2. Click the New button or select an interface set and click the Edit button.
3. Expand the interface-set tree and select Input Excess Bandwidth Share.
4. Specify the comment and proportion.
5. Click OK.

Interface Set > Input Traffic Control Profile
Function: Applies an input traffic scheduling and shaping profile to the logical interface.
Your Action:
1. Expand the Interfaces tree and select Interface Set.
2. Click the New button or select an interface set and click the Edit button.
3. Expand the interface-set tree and select Input Traffic Control Profile.
4. Specify the comment and profile name.
5. Click OK.

Interface Set > Input Traffic Control Profile Remaining
Function: Applies an input traffic scheduling and shaping profile for remaining traffic to the logical interface.
Your Action:
1. Expand the Interfaces tree and select Interface Set.
2. Click the New button or select an interface set and click the Edit button.
3. Expand the interface-set tree and select Input Traffic Control Profile Remaining.
4. Specify the comment and profile name.
5. Click OK.

Interface Set > Output Traffic Control Profile
Function: Applies an output traffic scheduling and shaping profile to the logical interface.
Your Action:
1. Expand the Interfaces tree and select Interface Set.
2. Click the New button or select an interface set and click the Edit button.
3. Expand the interface-set tree and select Output Traffic Control Profile.
4. Specify the comment and profile name.
5. Click OK.

Interface Set > Output Traffic Control Profile Remaining
Function: Applies an output traffic scheduling and shaping profile for remaining traffic to the logical interface.
Your Action:
1. Expand the Interfaces tree and select Interface Set.
2. Click the New button or select an interface set and click the Edit button.
3. Expand the interface-set tree and select Output Traffic Control Profile Remaining.
4. Specify the comment and profile name.
5. Click OK.

Related Documentation

• Configuring CoS Classifiers (NSM Procedure) on page 17
• Configuring CoS Code Point Aliases (NSM Procedure) on page 19
• Configuring CoS Drop Profile (NSM Procedure) on page 21
• Configuring CoS Forwarding Classes (NSM Procedure) on page 23
• Configuring CoS Rewrite Rules (NSM Procedure) on page 30
• Configuring CoS Schedulers (NSM Procedure) on page 33
• Configuring CoS and Applying Scheduler Maps (NSM Procedure) on page 34

Configuring CoS Rewrite Rules (NSM Procedure)

You configure rewrite rules to alter CoS values in outgoing packets on the outbound interfaces of a device to match the policies of a targeted peer. Policy matching allows the downstream router in a neighboring network to classify each packet into the appropriate service group.

In addition, you often need to rewrite a given marker such as IP precedence, DSCP, or IEEE 802.1p at the switch's inbound interfaces to accommodate behavior aggregate (BA) classification by core devices.

You do not need to explicitly apply rewrite rules to interfaces. By default, rewrite rules are applied to routed packets.

To configure CoS rewrite rules:

1. In the navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab, and then double-click the device for which you want to configure CoS rewrite rules.
3. Click the Configuration tab. In the configuration tree, expand Class of Service.
4. Select Rewrite Rules.
5. Add or modify settings as specified in Table 19 on page 30.
6. Click one:
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Network and Security Manager Administration Guide for more information.

Table 19: Configuring and Applying Rewrite Rules

Task: Configure rewrite rules for DiffServ CoS.
Action:
1. Click Configure next to Rewrite Rules.
2. Click Add new entry next to Dscp.
3. In the Name box, type the name of the rewrite rules—for example, rewrite-dscps.

Task: Configure best-effort forwarding class rewrite rules.
Action:
1. Click Add new entry next to Forwarding class.
2. In the Queue num box, type 1.
3. In the Class name box, type the name of the previously configured best-effort forwarding class—for example, be-class.
4. Click Add new entry next to Loss priority.
5. From the Loss val list, select low.
6. In the Code point box, type the value of the low-priority code point for best-effort traffic—for example, 000000.
7. Click OK.
8. Click Add new entry next to Loss priority.
9. From the Loss val list, select high.
10. In the Code point box, type the value of the high-priority code point for best-effort traffic—for example, 000001.
11. Click OK twice.

Task: Configure expedited forwarding class rewrite rules.
Action:
1. Click Add new entry next to Forwarding class.
2. In the Class name box, type the name of the previously configured expedited forwarding class—for example, ef-class.
3. Click Add new entry next to Loss priority.
4. From the Loss val list, select low.
5. In the Code point box, type the value of the low-priority code point for expedited forwarding traffic—for example, 101110.
6. Click OK.
7. Click Add new entry next to Loss priority.
8. From the Loss val list, select high.
9. In the Code point box, type the value of the high-priority code point for expedited forwarding traffic—for example, 101111.
10. Click OK twice.

Task: Configure assured forwarding class rewrite rules.
Action:
1. Click Add new entry next to Forwarding class.
2. In the Class name box, type the name of the previously configured assured forwarding class—for example, af-class.
3. Click Add new entry next to Loss priority.
4. From the Loss val list, select low.
5. In the Code point box, type the value of the low-priority code point for assured forwarding traffic—for example, 001010.
6. Click OK.
7. Click Add new entry next to Loss priority.
8. From the Loss val list, select high.
9. In the Code point box, type the value of the high-priority code point for assured forwarding traffic—for example, 001100.
10. Click OK twice.

Task: Apply rewrite rules to an interface.
Action:
1. Click Add new entry next to Interfaces.
2. In the Interface name box, type the name of the interface—for example, ge-0/0/0.
3. Click Add new entry next to Unit.
4. In the Unit number box, type the logical interface unit number—for example, 0.
5. Click Configure next to Rewrite rules.
6. In the Rewrite rules name box, under Dscp, type the name of the previously configured rewrite rules—for example, rewrite-dscps.
7. Click OK.
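The rewrite rule built in Table 19 is a table from (forwarding class, loss priority) to a 6-bit DSCP code point, which the downstream peer's BA classifier reads back. The following added example, which is not NSM or Junos code, models that table in Python with the page's example names and code points, rewrites the DSCP of a constructed IPv4 header the way the outbound interface does (ECN bits untouched, header checksum recomputed), shows the peer's inverse lookup, and checks the table for duplicate code points before it is pushed.

```python
"""Junos-style DSCP rewrite rules (Table 19) applied to IPv4 headers.

Added example, not NSM or Junos code. It models the rewrite-dscps table:
(forwarding class, loss priority) -> 6-bit code point, rewrites the DSCP
field of a raw IPv4 header while leaving the 2 ECN bits untouched, and
shows the inverse lookup a downstream BA classifier performs. Class and
rule names are the page's own examples; the packet is constructed."""
import socket
import struct

# The rewrite-dscps table from Table 19 (code points as 6-bit strings).
REWRITE_DSCPS = {
    ("be-class", "low"): "000000",
    ("be-class", "high"): "000001",
    ("ef-class", "low"): "101110",
    ("ef-class", "high"): "101111",
    ("af-class", "low"): "001010",
    ("af-class", "high"): "001100",
}


def check_rewrite_table(rules):
    """Return code points used by more than one (class, priority) pair.

    A duplicate would make the peer's BA classification ambiguous, so an
    empty result is what you want before pushing the configuration."""
    seen = {}
    for key, cp in rules.items():
        seen.setdefault(cp, []).append(key)
    return {cp: keys for cp, keys in seen.items() if len(keys) > 1}


def code_point(rules, forwarding_class, loss_priority):
    """6-bit DSCP value for a class/priority pair, or None if no rule matches."""
    cp = rules.get((forwarding_class, loss_priority))
    return int(cp, 2) if cp is not None else None


def classify(rules, dscp):
    """Inverse lookup: the class/priority a downstream BA classifier using
    the same table assigns to a packet carrying this DSCP (None if unmapped)."""
    for (fc, lp), cp in rules.items():
        if int(cp, 2) == dscp:
            return fc, lp
    return None


def ipv4_checksum(data):
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(dscp, ecn, src, dst, proto=6):
    """Constructed sample: a minimal 20-byte IPv4 header with a valid checksum."""
    tos = (dscp << 2) | ecn
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234,
                                0x4000, 64, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def dscp_of(ipv4_header):
    """Upper 6 bits of the ToS/DS byte."""
    return ipv4_header[1] >> 2


def checksum_ok(ipv4_header):
    """A correct header sums to zero when its checksum field is included."""
    ihl = (ipv4_header[0] & 0x0F) * 4
    return ipv4_checksum(bytes(ipv4_header[:ihl])) == 0


def rewrite_dscp(ipv4_header, rules, forwarding_class, loss_priority):
    """Apply the rewrite rule on egress: set the DSCP bits, keep ECN,
    recompute the header checksum. Unmapped pairs leave the packet as is."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    cp = code_point(rules, forwarding_class, loss_priority)
    if cp is None:
        return bytes(ipv4_header)
    hdr = bytearray(ipv4_header)
    ihl = (hdr[0] & 0x0F) * 4
    hdr[1] = (cp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr[:ihl])))
    return bytes(hdr)


if __name__ == "__main__":
    assert not check_rewrite_table(REWRITE_DSCPS)
    pkt = build_ipv4_header(0, 0b11, "10.0.0.1", "10.0.0.2")  # constructed
    out = rewrite_dscp(pkt, REWRITE_DSCPS, "ef-class", "low")
    print("dscp=%06b ecn=%d peer sees %s" % (dscp_of(out), out[1] & 3,
                                             classify(REWRITE_DSCPS, dscp_of(out))))
```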

Related Documentation

• Configuring CoS Classifiers (NSM Procedure) on page 17
• Configuring CoS Code Point Aliases (NSM Procedure) on page 19
• Configuring CoS Drop Profile (NSM Procedure) on page 21
• Configuring CoS Forwarding Classes (NSM Procedure) on page 23
• Configuring CoS Interfaces (NSM Procedure) on page 24
• Configuring CoS Schedulers (NSM Procedure) on page 33
• Configuring CoS and Applying Scheduler Maps (NSM Procedure) on page 34

Configuring CoS Schedulers (NSM Procedure)

Using schedulers, you can assign attributes to queues and thereby provide congestion control for a particular class of traffic. These attributes include the amount of interface bandwidth, memory buffer size, transmit rate, and schedule priority.

To configure CoS schedulers:

1. In the navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab, and then double-click the device for which you want to configure CoS schedulers.
3. Click the Configuration tab. In the configuration tree, expand Class of Service.
4. Select Schedulers.
5. Add or modify the settings as specified in Table 20 on page 33.
6. Click one:
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Network and Security Manager Administration Guide for more information.

Table 20: Configuring Schedulers

Task: Specify the buffer size.
Action:
1. Click the Add New icon.
2. Expand Buffer Size.
3. Select Percent.
4. Under Percent, select the appropriate option:
   • To specify no buffer size, select None.
   • To specify buffer size as a percentage of the total buffer, select percent and type an integer from 1 through 100.
   • To specify buffer size as the remaining available buffer, select remainder.
5. Click OK.

Task: Configure drop profile map.
Action:
1. Click the Add New icon.
2. Select drop-profile-map.
3. In the Loss Priority box, select the required loss priority—for example, high.
4. In the Protocol box, select the type of protocol—for example, any.
5. In the Drop Profile box, select the previously configured drop profile.
6. Click OK.

Task: Specify the transmit rate.
Action:
1. Click the Add New icon.
2. Expand Transmit Rate.
3. Select Rate.
4. Under Rate, select the appropriate option:
   • To not specify a transmit rate, select None.
   • To enforce a specific transmission rate, select rate and type the transmission rate that you want to enforce.
   • To specify a percentage of transmission capacity, select percent and type an integer from 1 through 100.
   • To specify the remaining transmission capacity, select remainder.
5. Click OK.

Related Documentation

• Configuring CoS Classifiers (NSM Procedure) on page 17
• Configuring CoS Code Point Aliases (NSM Procedure) on page 19
• Configuring CoS Drop Profile (NSM Procedure) on page 21
• Configuring CoS Forwarding Classes (NSM Procedure) on page 23
• Configuring CoS Interfaces (NSM Procedure) on page 24
• Configuring CoS Rewrite Rules (NSM Procedure) on page 30
• Configuring CoS and Applying Scheduler Maps (NSM Procedure) on page 34

Configuring CoS and Applying Scheduler Maps (NSM Procedure)

You associate the schedulers with forwarding classes by means of scheduler maps. You can then associate each scheduler map with an interface, thereby configuring the queues and packet schedulers that operate according to this mapping.

To configure CoS and apply scheduler maps:

1. In the navigation tree, select Device Manager > Devices.
2. Click the Device Tree tab, and then double-click the device for which you want to configure CoS and apply scheduler maps.
3. Click the Configuration tab. In the configuration tree, expand Class of Service.
4. Select Scheduler Maps.
5. Add or modify settings as specified in Table 21 on page 35.
6. Click one:
   • OK—Saves the changes.
   • Cancel—Cancels the modifications.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Network and Security Manager Administration Guide for more information.

Table 21: Assigning Forwarding Classes to Output Queues

Task: Configure a scheduler map for DiffServ CoS.
Action:
1. Click Add new entry.
2. In the Name box, type the name of the scheduler map—for example, diffserv-cos-map.

Task: Configure a best-effort forwarding class and scheduler.
Action:
1. Select Forwarding Class and click Add new entry.
2. In the Name box, type the name of the previously configured best-effort forwarding class—for example, be-class.
3. Select the previously configured best-effort scheduler—for example, be-scheduler.
4. Click OK.

Task: Configure an expedited forwarding class and scheduler.
Action:
1. Select Forwarding Class and click Add new entry.
2. In the Name box, type the name of the previously configured expedited forwarding class—for example, ef-class.
3. Select the previously configured expedited forwarding scheduler—for example, ef-scheduler.
4. Click OK.

Task: Configure an assured forwarding class and scheduler.
Action:
1. Select Forwarding Class and click Add new entry.
2. In the Name box, type the name of the previously configured assured forwarding class—for example, af-class.
3. Select the previously configured assured forwarding scheduler—for example, af-scheduler.
4. Click OK.

Task: Apply the scheduler map to an interface.
Action:
1. Select Interfaces > Interface and click Add new entry.
2. In the Interface name box, type the name of the interface—for example, ge-0/0/0.
3. Select Unit and click Add new entry.
4. In the Unit name box, select the logical interface unit number—for example, 0.
5. In the Scheduler map box, type the name of the previously configured scheduler map—for example, diffserv-cos-map.
6. Click OK.
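Tables 20 and 21 together define the schedulers and the map that ties them to forwarding classes and queues. The following added example, which is not NSM or Junos code, models that mapping in Python: it checks the map the way you would before pushing it (dangling names, percentages out of range or adding up past 100) and resolves the rate/percent/remainder transmit-rate options of Table 20 into per-queue guaranteed rates. The queue numbers, percentages, the 1 Gbps interface rate and the equal split of leftover bandwidth among remainder schedulers are assumptions made for the illustration.

```python
"""Scheduler maps (Tables 20 and 21): forwarding class -> queue -> scheduler.

Added example, not NSM or Junos code. The class, scheduler and map names are
the page's own; the queue numbers, percentages, the interface rate and the
equal split of leftover bandwidth among 'remainder' schedulers are
assumptions made here."""

# Queue numbers the forwarding classes were created with (constructed sample).
FORWARDING_CLASSES = {"be-class": 1, "ef-class": 2, "af-class": 3}

# Table 20 fields. transmit_rate and buffer_size are one of:
#   None, ("rate", bits_per_second), ("percent", 1..100), ("remainder",)
SCHEDULERS = {
    "be-scheduler": {"transmit_rate": ("remainder",),
                     "buffer_size": ("remainder",), "priority": "low"},
    "ef-scheduler": {"transmit_rate": ("percent", 30),
                     "buffer_size": ("percent", 10), "priority": "high"},
    "af-scheduler": {"transmit_rate": ("percent", 40),
                     "buffer_size": ("percent", 40), "priority": "low"},
}

# Table 21: the scheduler map diffserv-cos-map.
DIFFSERV_COS_MAP = {"be-class": "be-scheduler",
                    "ef-class": "ef-scheduler",
                    "af-class": "af-scheduler"}


def validate_scheduler_map(scheduler_map, schedulers, forwarding_classes):
    """Return a list of problems (empty = consistent): dangling names,
    out-of-range percentages, and percentages that add up past 100."""
    problems, pct = [], {"transmit_rate": 0, "buffer_size": 0}
    for fc, name in scheduler_map.items():
        if fc not in forwarding_classes:
            problems.append("unknown forwarding class %s" % fc)
        sched = schedulers.get(name)
        if sched is None:
            problems.append("unknown scheduler %s for %s" % (name, fc))
            continue
        for field in pct:
            value = sched.get(field)
            if value and value[0] == "percent":
                if not 1 <= value[1] <= 100:
                    problems.append("%s %s percent %s out of range"
                                    % (name, field, value[1]))
                pct[field] += value[1]
    for field, total in pct.items():
        if total > 100:
            problems.append("%s percentages add up to %d%%" % (field, total))
    return problems


def allocate_transmit_rates(scheduler_map, schedulers, forwarding_classes,
                            interface_rate_bps):
    """Guaranteed rate per queue number: 'rate' as given, 'percent' of the
    interface rate, 'remainder' shares what is left (equal split assumed)."""
    rates, remainder = {}, []
    for fc, name in scheduler_map.items():
        queue = forwarding_classes[fc]
        value = schedulers[name].get("transmit_rate")
        if value is None:
            rates[queue] = 0                      # no guarantee configured
        elif value[0] == "rate":
            rates[queue] = value[1]
        elif value[0] == "percent":
            rates[queue] = interface_rate_bps * value[1] // 100
        elif value[0] == "remainder":
            remainder.append(queue)
        else:
            raise ValueError("bad transmit_rate %r" % (value,))
    leftover = max(interface_rate_bps - sum(rates.values()), 0)
    for queue in remainder:
        rates[queue] = leftover // len(remainder)
    return rates


if __name__ == "__main__":
    print(validate_scheduler_map(DIFFSERV_COS_MAP, SCHEDULERS, FORWARDING_CLASSES))
    print(allocate_transmit_rates(DIFFSERV_COS_MAP, SCHEDULERS,
                                  FORWARDING_CLASSES, 1_000_000_000))
```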

Related Documentation

• Configuring CoS Classifiers (NSM Procedure) on page 17
• Configuring CoS Code Point Aliases (NSM Procedure) on page 19
• Configuring CoS Drop Profile (NSM Procedure) on page 21
• Configuring CoS Forwarding Classes (NSM Procedure) on page 23
• Configuring CoS Interfaces (NSM Procedure) on page 24
• Configuring CoS Rewrite Rules (NSM Procedure) on page 30
• Configuring CoS Schedulers (NSM Procedure) on page 33

CHAPTER 4

Configuring Ethernet Switching Options

This section contains the following:

• Configuring Port Mirroring to Analyze Traffic on EX Series Switches (NSM Procedure) on page 37
• Configuring Redundant Trunk Links (NSM Procedure) on page 38
• Configuring Port Security (NSM Procedure) on page 39
• Configuring Static IP (NSM Procedure) on page 41
• Configuring VoIP (NSM Procedure) on page 42

Configuring Port Mirroring to Analyze Traffic on EX Series Switches (NSM Procedure)

You configure port mirroring in order to copy packets so that you can analyze traffic using a protocol analyzer application. You can mirror traffic entering or exiting an interface, or entering a VLAN. You can send the mirrored packets to a local interface to monitor traffic locally or to a VLAN to monitor traffic remotely.

Mirroring a high volume of traffic can be performance intensive for the switch. Therefore, you should disable port mirroring when you are not using it and select specific input interfaces in preference to using the all keyword. You can also limit the amount of mirrored traffic by using a firewall filter or the ratio keyword to mirror only a selection of packets.

NOTE: Only one analyzer can be enabled on an EX Series switch. To create additional analyzers, first disable any existing analyzers.

NOTE: Interfaces used as input or output for a port mirror analyzer must be configured as family ethernet-switching.

To mirror interface traffic or VLAN traffic on the switch to an interface on the switch:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure a port mirror analyzer.
2. In the Configuration tree, expand Ethernet Switching Options.
4. Select Analyzer.
5. Click the Add icon.
6. Add/modify member settings for the interface as specified in Table 22 on page 38.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 22: Analyzer Configuration Fields

Input > Ingress
Function: Specifies interfaces or VLANs for which entering traffic is mirrored.
Your Action: Click Add and select Port or VLAN. Next, select the interfaces or VLANs.

Input > Egress
Function: Specifies interfaces for which traffic exiting the interfaces is mirrored.
Your Action: Click Add to add egress interfaces.

Output > Interface
Function: Specifies the interface to which the mirrored traffic is sent.
Your Action: Select the interface.

Output > Vlan
Function: Specifies the VLAN to which the mirrored traffic is sent.
Your Action: Select the VLAN.

Configuring Redundant Trunk Links (NSM Procedure)

Simplify the convergence configuration in a typical enterprise network by configuring a primary link and a secondary link on trunk ports. If the primary link fails, the secondary link automatically takes over without waiting for normal STP convergence.

To configure redundant trunk links:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure redundant trunk links.
2. In the Configuration tree, expand Ethernet Switching Options.
4. Select Redundant Trunk Group > Group.
5. Click the Add icon.
6. Add/modify settings as specified in Table 25 on page 40. Add/modify settings for the VLAN as specified in Table 23 on page 39.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 23: Redundant Trunk Group Settings

Name
Function: Specifies the name for the redundant trunk group.
Your Action: Enter the name.

Interface
Function: Specifies the interface that must be part of the redundant trunk group.
Your Action:
1. Select Interface.
2. Click Add.
3. Specify the interface.
4. Select Primary if the interface must be the primary link.
5. Click OK.

Configuring Port Security (NSM Procedure)

Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial of service (DoS) on network devices. Port security features such as DHCP snooping, DAI (dynamic ARP inspection), MAC limiting, and MAC move limiting, as well as trusted DHCP server, help protect the access ports on your switch against the losses of information and productivity that can result from such attacks.

To configure port security:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure port security.
2. In the Configuration tree, expand Ethernet Switching Options.
4. Select Secure Access Port > Interface or VLAN.
5. Click the Add icon.
6. Add/modify settings for the interface as specified in Table 25 on page 40. Add/modify settings for the VLAN as specified in Table 24 on page 40.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 24: Port Security Settings on VLANs

Name
Function: Specifies the VLAN.
Your Action: Enter the VLAN name.

DHCP Snooping
Function: Allows the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. Builds and maintains a database of valid IP address/MAC address bindings. (By default, access ports are untrusted and trunk ports are trusted.)
Your Action: Select to enable DHCP snooping on a specified VLAN or all VLANs.

ARP Inspection
Function: Uses information in the DHCP snooping database to validate ARP packets on the LAN and protect against ARP cache poisoning.
Your Action: Select to enable ARP inspection on a specified VLAN or all VLANs. (Configure any port on which you do not want ARP inspection to occur as a trusted DHCP server port.)

MAC Move Limit
Function: Prevents hosts whose MAC addresses have not been learned by the switch from accessing the network. Specifies the number of times per second that a MAC address can move to a new interface.
Your Action: Select the MAC Move Limit option. Select the required number.

MAC Movement Action
Function: Specifies the action to be taken if the MAC move limit is exceeded.
Your Action: Select one:
• Log—Generate a system log entry, an SNMP trap, or an alarm.
• Drop—Drop the packets and generate a system log entry, an SNMP trap, or an alarm.
• Shutdown—Block data traffic on the interface and generate an alarm.
• None—No action to be taken.

Table 25: Port Security on Interfaces

Interface
Function: Specifies trusting DHCP packets on the selected interface. By default trunk ports are dhcp-trusted.
Your Action: Select to enable DHCP trust.

Allowed MAC List
Function: Specifies the MAC addresses that are allowed for the interface.
Your Action: To add a MAC address:
1. Click Add.
2. Enter the MAC address.
3. Click OK.

MAC Limit
Function: Specifies the number of MAC addresses that can be learned on a single Layer 2 access port. This option is not valid for trunk ports.
Your Action: Enter the required number.

MAC Limit Action
Function: Specifies the action to be taken if the MAC limit is exceeded. This option is not valid for trunk ports.
Your Action: Select one:
• Log—Generate a system log entry, an SNMP trap, or an alarm.
• Drop—Drop the packets and generate a system log entry, an SNMP trap, or an alarm.
• Shutdown—Block data traffic on the interface and generate an alarm.
• None—No action to be taken.

static ip
Function: Specifies the static IP address for the interface.
Your Action: Enter the following:
• Name
• Vlan
• Mac
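Tables 24 and 25 list the port-security options and the actions taken when a limit is exceeded. The following added example, which is not NSM or Junos code, models DHCP snooping, ARP inspection, the allowed MAC list, MAC limit and MAC move limit in Python so the effect of each option and action can be checked on constructed frames before a configuration is pushed. The port names, MAC and IP addresses and timestamps are constructed, and the behaviour that a logged-but-forwarded frame is not added to the MAC table is an assumption of the model.

```python
"""Port-security checks from Tables 24 and 25, run over constructed frames.

Added example, not NSM or Junos code: a small model of DHCP snooping,
dynamic ARP inspection (DAI), the allowed MAC list, MAC limit and MAC move
limit with the log / drop / shutdown / none actions. Port names, MAC and IP
addresses and timestamps are constructed sample values."""
from collections import defaultdict


class AccessPort:
    """Table 25 settings for one interface plus its learned-MAC state."""

    def __init__(self, name, dhcp_trusted=False, allowed_macs=(),
                 mac_limit=None, mac_limit_action="log"):
        self.name = name
        self.dhcp_trusted = dhcp_trusted    # trunk ports are trusted by default
        self.allowed_macs = set(allowed_macs)
        self.mac_limit = mac_limit          # not valid on trunk ports
        self.mac_limit_action = mac_limit_action
        self.learned = set()
        self.shutdown = False


class SecureVlan:
    """Table 24 settings for one VLAN plus the state the switch keeps."""

    def __init__(self, name, dhcp_snooping=True, arp_inspection=True,
                 mac_move_limit=None, mac_move_action="log"):
        self.name = name
        self.dhcp_snooping = dhcp_snooping
        self.arp_inspection = arp_inspection
        self.mac_move_limit = mac_move_limit  # moves per second
        self.mac_move_action = mac_move_action
        self.bindings = {}                    # ip -> mac (DHCP snooping database)
        self.mac_port = {}                    # mac -> port it was last seen on
        self.moves = defaultdict(list)        # mac -> timestamps of interface moves
        self.log = []                         # (action, message) entries

    def _act(self, action, port, msg):
        """Apply a Table 24/25 action. True means the frame is still forwarded."""
        if action == "none":
            return True
        self.log.append((action, msg))
        if action == "shutdown":
            port.shutdown = True
        return action == "log"

    def dhcp_server_reply(self, port, client_mac, client_ip):
        """DHCP snooping: server replies are accepted only from dhcp-trusted
        ports, and only those build the IP/MAC binding database."""
        if not self.dhcp_snooping:
            return True
        if not port.dhcp_trusted:
            return self._act("drop", port, "DHCP server reply on untrusted %s" % port.name)
        self.bindings[client_ip] = client_mac
        return True

    def arp(self, port, sender_mac, sender_ip):
        """DAI: the sender MAC/IP pair must match a snooping binding, except on
        ports configured as trusted DHCP server ports (the page's opt-out)."""
        if not self.arp_inspection or port.dhcp_trusted:
            return True
        if self.bindings.get(sender_ip) != sender_mac:
            return self._act("drop", port, "ARP %s/%s on %s fails inspection"
                             % (sender_ip, sender_mac, port.name))
        return True

    def learn(self, port, mac, now):
        """Source-MAC learning with the allowed list, MAC limit and move limit."""
        if port.shutdown:
            return False
        if port.allowed_macs and mac not in port.allowed_macs:
            return self._act("drop", port, "%s not allowed on %s" % (mac, port.name))
        if mac not in port.learned:
            if port.mac_limit is not None and len(port.learned) >= port.mac_limit:
                # Over the limit: 'log' still forwards but nothing is learned (assumed).
                if not self._act(port.mac_limit_action, port, "MAC limit %d on %s exceeded by %s"
                                 % (port.mac_limit, port.name, mac)):
                    return False
            else:
                port.learned.add(mac)
        previous = self.mac_port.get(mac)
        if previous is not None and previous is not port:
            window = [t for t in self.moves[mac] if now - t < 1.0] + [now]
            self.moves[mac] = window
            if self.mac_move_limit is not None and len(window) > self.mac_move_limit:
                if not self._act(self.mac_move_action, port, "%s moved %d times in 1 s (limit %d)"
                                 % (mac, len(window), self.mac_move_limit)):
                    return False
        self.mac_port[mac] = port
        return True
```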

Configuring Static IP (NSM Procedure)

The static IP feature enables you to associate a fixed IP address and a static media access control (MAC) address or hardware address with a VLAN associated with an interface. The VLAN and the MAC addresses are configured for the associated interface, which in turn is associated with a device.

To configure static IP in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Static and select VLAN.
5. Add/modify as specified in Table 26 on page 42.
6. Click one:
   • OK—To save the changes.
   • Cancel—To cancel the modifications.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 26: Static Configuration Fields

VLAN
Function: Specifies the VLAN to be configured for static IP.
Your Action:
1. Expand the Static tree and select VLAN.
2. Click the New button or select a VLAN and click the Edit button in VLAN interface.
3. Enter the name of the VLAN and the comment.
4. Click OK.

Mac
Function: Media access control (MAC) address, or hardware address, for the device connected to the specified interface.
Your Action:
1. Expand the Static tree and select VLAN.
2. Click the New button or select a VLAN and click the Edit button in VLAN interface.
3. Expand the VLAN tree and select Mac.
4. Click the New button or select a Mac and click the Edit button in Mac interface.
5. Specify the name, comment and the next hop.
6. Click OK.

Configuring VoIP (NSM Procedure)

Voice over IP (VoIP) refers to voice communications over the Internet or other packet-switched networks. The VoIP feature enables you to configure voice over IP for interfaces.

To configure VoIP in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Ethernet Switching Options and select VoIP.
5. Expand the VoIP tree and select Interfaces.
6. Add or modify as specified in Table 27 on page 43.
7. Click one:
   • OK—To save the changes.
   • Cancel—To cancel the modifications.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 27: VoIP Configuration Fields

Name
Function: Specifies the interface name.
Your Action:
1. Click the New button or select an interface and click the Edit button in Interface.
2. Enter the interface name in the Name box or select it from the list.

Comment
Function: Specifies the comment for the interface to which VoIP is assigned.
Your Action:
1. Click the New button or select an interface and click the Edit button in Interface.
2. Enter the comment in the Comment box.

VLAN
Function: Specifies the VLAN to be assigned to the interface.
Your Action:
1. Click the New button or select an interface and click the Edit button in Interface.
2. Enter the VLAN address in the VLAN box.

Forwarding Class
Function: Specifies the forwarding class to which the interface is assigned.
Your Action:
1. Click the New button or select an interface and click the Edit button in Interface.
2. Enter the forwarding class in the Forwarding Class box.

CHAPTER 5

Configuring Firewall Filters

This section contains the following:

• Configuring a Firewall Filter on page 45
• Configuring a Policer for a Firewall Filter on page 48

Configuring a Firewall Filter

You configure firewall filters on EX Series switches to control traffic that enters ports on the switch or enters and exits VLANs on the network and Layer 3 (routed) interfaces. To configure a firewall filter you must configure the filter and then apply it to a port, VLAN, or Layer 3 interface.

To configure a firewall filter and apply it to an interface:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure firewall filters.
2. In the configuration tree, expand Firewall.
3. Expand Ethernet Switching and click Filter.
4. Click Add New Entry to add a firewall filter.
5. Perform the configuration tasks described in Table 28 on page 45.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 28: Create a New Term

Option: Term Name
Function: Specifies the name of the term.
Your Action: Enter a name.

Option: ICMP Type
Function: Specifies the ICMP packet type field. Typically, you specify this match in conjunction with the protocol match to determine which protocol is being used on the port.
Your Action: Select the option from the list.

Option: ICMP Code
Function: Specifies more specific information than icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. The keywords are grouped by the ICMP type with which they are associated.
Your Action: Select one:
• Parameter-problem
• Redirect
• Time-exceeded
• Unreachable

Option: Fragment Flags
Function: Specifies the IP fragmentation flags.
NOTE: Fragment flags are supported on ingress ports, VLANs, and router interfaces.
Your Action: Select the option is-fragment or enter a combination of fragment flags.

Option: TCP Flags
Function: Specifies one or more TCP flags.
NOTE: TCP flags are supported on ingress ports, VLANs, and router interfaces.
Your Action: Select the option tcp-initial or enter a combination of TCP flags.

Option: IP Precedence
Function: Specifies the IP precedence. The options are: assured-forwarding, best-effort, expedited-forwarding, network-control.
NOTE: IP precedence and DSCP number cannot be specified together for the same term.
Your Action: Select the option from the list.

Option: Interface
Function: Specifies the interface association.
Your Action: Select the interface from the list.

Option: Ether Type
Function: Specifies the Ethernet type field of a packet.
NOTE: This option is not applicable for a Routing filter.
Your Action: Select one:
• Arp
• Dot 1q

Option: dot1q-tag
Function: Specifies the tag field in the Ethernet header. Values can be from 1 through 4095.
NOTE: This option is not applicable for a Routing filter.
Your Action: Enter the required number.

Option: Dot 1q User Priority
Function: Specifies the user-priority field of the tagged Ethernet packet. User-priority values can be 0–7. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
• background (1)—Background
• best-effort (0)—Best effort
• controlled-load (4)—Controlled load
• excellent-load (3)—Excellent load
• network-control (7)—Network control reserved traffic
• standard (2)—Standard or Spare
• video (5)—Video
• voice (6)—Voice
NOTE: This option is not applicable for a Routing filter.
Your Action: Enter a number or the corresponding text synonym.

Option: DSCP Number
Function: Specifies the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP.
Your Action: Select the DSCP number from the list.

Option: VLAN
Function: Specifies the VLAN to be associated.
NOTE: This option is not applicable for a Routing filter.
Your Action: Enter the VLAN name.

Option: TTL Value
Function: Specifies the time-to-live value.
NOTE: This option is applicable for a Routing filter.
Your Action: Enter a value.

Option: Packet Length
Function: Specifies the length of the packet.
NOTE: This option is applicable for a Routing filter.
Your Action: Enter a value.

Action

Option: Counter Name
Function: Specifies the count of the number of packets that pass this filter, term, or policer.
Your Action: Enter a value.

Option: Forwarding Class
Function: Classifies the packet into one of the following forwarding classes:
• assured-forwarding
• best-effort
• expedited-forwarding
• network-control
• user-defined
Your Action: Select the option from the list.

Option: Loss Priority
Function: Specifies the Packet Loss Priority.
NOTE: Forwarding Class and Loss Priority should be specified together for the same term.
Your Action: Enter the value.

Option: Analyzer
Function: Specifies whether to perform port-mirroring on packets. Port-mirroring copies all packets seen on one switch port to a network monitoring connection on another switch port.
Your Action: Select the analyzer from the list.
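The notes in Table 28 describe several combinations that a term must not contain (icmp-code without icmp-type, IP precedence together with DSCP, Layer 2 matches in a routing filter, a forwarding class without a loss priority). The following validator, an added example that is not NSM's or Juniper's code, checks a term definition against those rules before it is pushed to a device; the dictionary keys (icmp_type, dscp, dot1q_tag and so on) and the two filter kinds are constructed names for the example, not NSM identifiers.

```python
"""Consistency checks for one firewall filter term, following the rules stated
in Table 28.  Added example, not NSM's or Juniper's code; the dictionary keys
and the filter kinds are constructed names for this example."""

# Text synonyms for the dot1q user-priority field and their numeric values.
USER_PRIORITY_SYNONYMS = {
    "best-effort": 0, "background": 1, "standard": 2, "excellent-load": 3,
    "controlled-load": 4, "video": 5, "voice": 6, "network-control": 7,
}
ICMP_CODE_GROUPS = {"parameter-problem", "redirect", "time-exceeded", "unreachable"}
PRECEDENCE_VALUES = {"assured-forwarding", "best-effort",
                     "expedited-forwarding", "network-control"}
FORWARDING_CLASSES = PRECEDENCE_VALUES | {"user-defined"}

# Match conditions the table marks "not applicable for a Routing filter".
L2_ONLY_MATCHES = ("ether_type", "dot1q_tag", "dot1q_user_priority", "vlan")
# Match conditions the table marks as applicable for a Routing filter.
ROUTING_ONLY_MATCHES = ("ttl", "packet_length")


def validate_term(term: dict, filter_kind: str) -> list:
    """Return the list of problems found; an empty list means the term is consistent.

    term has the shape {"name": str, "from": {match: value}, "then": {action: value}};
    filter_kind is "ethernet-switching" (port or VLAN filter) or "routing".
    """
    if filter_kind not in ("ethernet-switching", "routing"):
        return [f"unknown filter kind {filter_kind!r}"]
    problems = []
    matches = term.get("from", {})
    actions = term.get("then", {})

    if not term.get("name"):
        problems.append("a term needs a name")

    # icmp-code only has a meaning relative to an icmp-type.
    if "icmp_code" in matches:
        if "icmp_type" not in matches:
            problems.append("icmp-code requires icmp-type in the same term")
        if matches["icmp_code"] not in ICMP_CODE_GROUPS:
            problems.append(f"unknown icmp-code group {matches['icmp_code']!r}")

    # IP precedence and DSCP both read the ToS byte; only one may be set per term.
    if "precedence" in matches and "dscp" in matches:
        problems.append("IP precedence and DSCP cannot be specified together")
    if "precedence" in matches and matches["precedence"] not in PRECEDENCE_VALUES:
        problems.append(f"unknown precedence {matches['precedence']!r}")
    if "dscp" in matches and not 0 <= matches["dscp"] <= 63:
        problems.append("DSCP is a 6-bit value (0 through 63)")

    if "dot1q_tag" in matches and not 1 <= matches["dot1q_tag"] <= 4095:
        problems.append("dot1q-tag must be from 1 through 4095")
    if "dot1q_user_priority" in matches:
        value = matches["dot1q_user_priority"]
        if isinstance(value, str):  # accept the text synonyms from the table
            value = USER_PRIORITY_SYNONYMS.get(value, -1)
        if not 0 <= value <= 7:
            problems.append("dot1q user priority must be 0 through 7 or a listed synonym")

    for key in L2_ONLY_MATCHES:
        if key in matches and filter_kind == "routing":
            problems.append(f"{key} is not applicable for a routing filter")
    for key in ROUTING_ONLY_MATCHES:
        if key in matches and filter_kind != "routing":
            problems.append(f"{key} is applicable only for a routing filter")

    # Forwarding class and loss priority are set together or not at all.
    if ("forwarding_class" in actions) != ("loss_priority" in actions):
        problems.append("forwarding class and loss priority must be specified together")
    if "forwarding_class" in actions and actions["forwarding_class"] not in FORWARDING_CLASSES:
        problems.append(f"unknown forwarding class {actions['forwarding_class']!r}")
    return problems
```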

Configuring a Policer for a Firewall Filter

You can configure policers to rate limit traffic on a device. After you configure a policer, you can include it in an ingress firewall filter configuration.

When you configure a firewall filter, you can specify a policer action for any term or terms within the filter. All traffic that matches a term that contains a policer action goes through the policer that the term references. Each policer that you configure includes an implicit counter. To get term-specific packet counts, you must configure a new policer for each filter term that requires policing.

The following policer limits apply on the switch:

• A maximum of 512 policers can be configured for port firewall filters.
• A maximum of 512 policers can be configured for VLAN and Layer 3 firewall filters.

To configure a policer in NSM:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure a policer.
2. In the configuration tree, expand Firewall.
3. Perform the configuration tasks as described in Table 29 on page 49.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 29: Configuring a Policer for a Firewall Filter

Task: Create the policer for expedited forwarding, and give the policer a name—for example, ef-policer.
Action: Select Policer and click Add new entry. In the Policer name box, type ef-policer.

Task: Set the burst limit for the policer—for example, 2k. Set the bandwidth limit or percentage for the bandwidth allowed for this type of traffic—for example, use a bandwidth percent of 10.
Action:
1. Select If exceeding.
2. In the Burst Size Limit box, type a limit for the burst size allowed—for example, 2k.
3. Select Bandwidth Limit, then select bandwidth-limit.
4. In the box, type 10.
5. Click OK.

Task: Enter the loss priority for packets exceeding the limits established by the policer—for example, high.
Action:
1. Select Then.
2. In the Comment field, enter high.
3. Click OK.
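The text above notes that every policer carries an implicit counter, so two terms that reference the same policer share one count. The token-bucket model below, an added example rather than Juniper's implementation, polices a constructed packet trace with the Table 29 values (bandwidth-percent 10, burst-size-limit 2k, loss-priority high for excess) and shows the difference between a shared policer and one policer per term; it assumes the bucket refills at link_bps * percent / 100, that a k suffix means 1000 bytes, and that the implicit counter records packets that exceeded the limits.

```python
"""Token-bucket model of the policer from Table 29 and of its implicit counter.
Added example, not Juniper's implementation.  Assumptions: refill rate is
link_bps * bandwidth_percent / 100 bits per second, 'k' means 1000 bytes, and
the implicit counter counts packets that exceeded the limits."""

import re

_SIZE_SUFFIX = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_size(text: str) -> int:
    """Turn a size such as '2k' into bytes (decimal suffixes assumed)."""
    found = re.fullmatch(r"(\d+)([kmg]?)", text.strip().lower())
    if not found:
        raise ValueError(f"bad size {text!r}")
    return int(found.group(1)) * _SIZE_SUFFIX[found.group(2)]


class Policer:
    def __init__(self, name, bandwidth_percent, burst_size_limit, link_bps,
                 exceed_action="loss-priority high"):
        self.name = name
        self.rate_bytes_per_s = link_bps * bandwidth_percent / 100 / 8
        self.burst_bytes = parse_size(burst_size_limit)
        self.tokens = float(self.burst_bytes)  # the bucket starts full
        self.last_seen = 0.0
        self.exceed_action = exceed_action
        self.exceeded_packets = 0  # the implicit counter (see assumptions above)

    def apply(self, now: float, size_bytes: int) -> str:
        """Police one packet of size_bytes arriving at time now (seconds)."""
        refill = (now - self.last_seen) * self.rate_bytes_per_s
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_seen = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "in-spec"
        self.exceeded_packets += 1
        return self.exceed_action


# Constructed packet trace: (arrival time in seconds, matching term, size in bytes).
TRACE = [(0.0, "voice", 1500), (0.0, "video", 1500), (0.0, "voice", 1500),
         (0.0, "video", 1500), (0.01, "video", 1500)]


def run_scenario(shared: bool, link_bps: int = 100_000_000) -> dict:
    """Run TRACE through two terms that share one policer or use one each.

    With a shared policer the single implicit counter cannot say which term
    produced the excess packets; with one policer per term it can."""
    if shared:
        ef = Policer("ef-policer", 10, "2k", link_bps)
        term_policer = {"voice": ef, "video": ef}
    else:
        term_policer = {"voice": Policer("ef-policer-voice", 10, "2k", link_bps),
                        "video": Policer("ef-policer-video", 10, "2k", link_bps)}
    verdicts = [term_policer[term].apply(t, size) for t, term, size in TRACE]
    counters = {p.name: p.exceeded_packets for p in set(term_policer.values())}
    return {"verdicts": verdicts, "counters": counters}
```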


CHAPTER 6

Configuring Policy Options

This section contains the following:

• Configuring an AS Path in a BGP Routing Policy (NSM Procedure) on page 51
• Configuring an AS Path Group in a BGP Routing Policy (NSM Procedure) on page 52
• Configuring a Community for use in BGP Routing Policy Conditions (NSM Procedure) on page 53
• Configuring a BGP Export Policy Condition (NSM Procedure) on page 54
• Configuring Flap Damping to Reduce the Number of BGP Update Messages (NSM Procedure) on page 55
• Configuring a Routing Policy Statement (NSM Procedure) on page 57
• Configuring Prefix List (NSM Procedure) on page 58

Configuring an AS Path in a BGP Routing Policy (NSM Procedure)

An autonomous system (AS) path is a path to a destination. An AS path consists of the AS numbers of all the network devices that a packet traverses if it takes the associated route to a destination. The AS numbers are assembled in a sequence, or path, that is read from right to left. For example, for a packet to reach a destination using a route with an AS path 5 4 3 2 1, the packet first traverses AS 1 and so on until it reaches AS 5, which is the last AS before its destination.

You can define a match condition based on all or part of the AS path. You can create a named AS path and then include it in a BGP routing policy.

To configure an AS path for a BGP routing policy in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Policy Options.
5. Select As Path.
6. Add or modify the parameters as specified in Table 30 on page 52.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 30: AS Path Configuration Details

Option: Name
Function: Specifies the name of the AS path.
Your Action: Enter a name.

Option: Comment
Function: Specifies the comment for the AS path.
Your Action: Enter a comment.

Option: Path
Function: Specifies the AS path (as an AS number) to be included in the routing policy.
Your Action: Enter an AS path.

Configuring an AS Path Group in a BGP Routing Policy (NSM Procedure)

An autonomous system (AS) path group consists of multiple AS paths. You can define match conditions based on the AS path groups. You can create named AS paths under an AS path group and then include the AS path group in a routing policy.

To configure an AS path group for a BGP routing policy in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Policy Options.
5. Select As Path Group.
6. Add or modify the parameters as specified in Table 31 on page 53.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 31: AS Path Group Configuration Details

Option: Name
Function: Specifies the name of the AS path group.
Your Action: Enter a name.

Option: Comment
Function: Specifies the comment for the AS path group.
Your Action: Enter a comment.

Option: As Path
Function: Specifies an AS path to be included in the AS path group. Specifies the name and comment for the AS path and specifies the path as an AS path number.
Your Action:
1. Select As Path.
2. Click the New button or select an AS path and click the Edit button.
3. Specify the name, comment and path.
4. Click OK, then click OK again.

Configuring a Community for use in BGP Routing Policy Conditions (NSM Procedure)

A community is a group of destinations that share a common property. You can define a community for use in a BGP routing policy match condition.

To configure a community for a BGP routing policy in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Policy Options.
5. Select Community.
6. Add or modify the parameters as specified in Table 32 on page 54.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 32: Community Configuration Details

Option: Name
Function: Specifies the name of the community.
Your Action: Enter the name.

Option: Comment
Function: Specifies the comment for the community.
Your Action: Enter the comment.

Option: Invert Match
Function: Enables you to invert the results for the community expression.
Your Action: Select the check box if you want to invert the results. Clear the check box if you do not want to invert the results.

Option: Members
Function: Specifies one or more community members.
Your Action:
1. Select Members.
2. Click the New button or select a member and click the Edit button.
3. Enter the member community.
4. Click OK, then click OK again.

Configuring a BGP Export Policy Condition (NSM Procedure)

You can define a routing policy condition based on the existence of routes in specific tables for use in a BGP export policy.

To configure a condition in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Policy Options.
5. Select Condition.
6. Add or modify the parameters as specified in Table 33 on page 55.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 33: Condition Configuration Details

Option: Name
Function: Specifies the name of the condition.
Your Action: Enter a name.

Option: Comment
Function: Specifies the comment for the condition.
Your Action: Enter a comment.

Option: Route Active On
Function: Enables you to specify the policy condition based on the existing routes and the corresponding route tables.
Your Action:
1. Select Route Active On.
2. Select one:
• None—No policy condition based on routes needs to be specified.
• if-route-exists—Specify the policy condition based on the routes. Enter the comment, route and the corresponding routing table.
3. Click OK.

Configuring Flap Damping to Reduce the Number of BGP Update Messages (NSM Procedure)

To advertise network reachability information, BGP systems send an excessive number of update messages. You can use flap damping to reduce the number of update messages sent between BGP peers, thereby reducing the load on these peers without adversely affecting the route convergence time. Damping reduces the number of update messages by marking these routes as ineligible, so that they cannot be selected as active or preferable routes. Applying damping leads to some delay, or suppression, in the propagation of route information, but the result is increased network stability. You can define actions by creating a named set of damping parameters and including the set in a routing policy.

To configure damping for a BGP routing policy in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Policy Options.
5. Select Damping.
6. Add or modify the parameters as specified in Table 34 on page 56.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 34: Damping Configuration Details

Option: Name
Function: Specifies the name of the damping parameter setting.
Your Action: Enter a name.

Option: Comment
Function: Specifies the comment for the damping parameter setting.
Your Action: Enter a comment.

Option: Disable
Function: Enables you to disable damping on a per-prefix basis. Any damping state that is present in the routing table for a prefix is deleted if damping is disabled.
Your Action: Select the check box to disable damping. Clear the check box to enable damping.

Option: Half Life
Function: Indicates the time interval, in minutes, after which the accumulated figure-of-merit value is reduced by half if the route remains stable. Figure-of-merit values correlate to the probability of future instability of a device. Routes with higher figure-of-merit values are suppressed for longer periods of time.
Your Action: Enter the time limit in minutes or select it from the list.

Option: Reuse
Function: Indicates the figure-of-merit value below which a suppressed route can be used again.
Your Action: Enter the value or select it from the list.

Option: Suppress
Function: Indicates the figure-of-merit value above which a route is suppressed for use or inclusion in advertisements.
Your Action: Enter the value or select it from the list.

Option: Max Suppress
Function: Indicates the maximum time in minutes that a route can be suppressed no matter how unstable it has been.
Your Action:
1. Enter the time limit or select it from the list.
2. Click OK.
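The four numeric parameters in Table 34 interact through the figure of merit: the half-life sets its decay, suppress and reuse set the two thresholds, and max-suppress bounds how long a route can stay unusable. The model below is an added example, not Juniper's code; it assumes that each flap adds 1000 to the figure of merit (a common implementation constant, not stated on this page), that the value decays exponentially with the half-life, and that it is capped at reuse * 2 ** (max_suppress / half_life), which is exactly the value that decays back to reuse in max-suppress minutes. The parameter values are constructed for the example.

```python
"""Figure-of-merit arithmetic behind the damping parameters in Table 34.
Added example, not Juniper's code.  Assumptions: PENALTY_PER_FLAP per flap,
exponential decay with the half-life, and a ceiling derived from max-suppress."""

import math
from dataclasses import dataclass

PENALTY_PER_FLAP = 1000.0  # assumed per-flap increment


@dataclass
class DampingParameters:
    name: str
    half_life: float = 15.0     # minutes of stability that halve the figure of merit
    reuse: float = 750.0        # below this a suppressed route can be used again
    suppress: float = 3000.0    # above this the route is suppressed
    max_suppress: float = 60.0  # longest suppression, in minutes, however unstable
    disable: bool = False

    @property
    def ceiling(self) -> float:
        """Largest figure of merit; decays to reuse in exactly max_suppress minutes."""
        return self.reuse * 2 ** (self.max_suppress / self.half_life)

    def decayed(self, merit: float, minutes: float) -> float:
        return merit * 0.5 ** (minutes / self.half_life)

    def minutes_until_reuse(self, merit: float) -> float:
        """How long a route at this figure of merit stays unusable."""
        if merit <= self.reuse:
            return 0.0
        return self.half_life * math.log2(merit / self.reuse)


class DampedRoute:
    """Damping state that the routing table keeps for one prefix."""

    def __init__(self, params: DampingParameters):
        self.params = params
        self.merit = 0.0
        self.suppressed = False
        self.last_update = 0.0

    def observe(self, now: float, flapped: bool) -> bool:
        """Update the state at minute now; return whether the route is suppressed."""
        if self.params.disable:  # disabling deletes any damping state for the prefix
            self.merit, self.suppressed = 0.0, False
            return False
        self.merit = self.params.decayed(self.merit, now - self.last_update)
        self.last_update = now
        if flapped:
            self.merit = min(self.merit + PENALTY_PER_FLAP, self.params.ceiling)
        # Hysteresis: suppression starts above suppress and ends only below reuse.
        if not self.suppressed and self.merit > self.params.suppress:
            self.suppressed = True
        elif self.suppressed and self.merit < self.params.reuse:
            self.suppressed = False
        return self.suppressed


def simulate(params: DampingParameters, events) -> list:
    """events: (minute, flapped) pairs in time order; returns (minute, merit, suppressed)."""
    route = DampedRoute(params)
    history = []
    for minute, flapped in events:
        suppressed = route.observe(minute, flapped)
        history.append((minute, round(route.merit, 1), suppressed))
    return history
```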


Configuring a Routing Policy Statement (NSM Procedure)

You can configure policy statements for routing policies. Each policy statement is composed of from criteria, to criteria and then criteria. The from and to criteria comprise a set of match conditions for the routing policy. The then criteria specify the action to be taken when the from and to criteria are matched and when they are not matched.

To configure a routing policy statement in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Policy Options.
5. Select Policy statement.
6. Add or modify the parameters as specified in Table 35 on page 57.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 35: Configuring Policy Statement Fields

Option: Name
Function: Specifies the name of the policy statement.
Your Action:
1. Click the New button or select a policy statement and click the Edit button.
2. Select policy-statement.
3. Specify the name.

Option: Comment
Function: Specifies the comment for the policy statement.
Your Action:
1. Click the New button or select a policy statement and click the Edit button.
2. Select policy-statement.
3. Specify the comment.

Option: From
Function: Enables you to define the criteria that an incoming route must match. You can specify one or more match conditions. If you specify more than one, all conditions must match the route for a match to occur.
Your Action:
1. Click the New button or select a policy statement and click the Edit button.
2. Expand the policy-statement tree and select From.
3. Enter the From criteria.
4. Expand the From tree and specify the match conditions.

Option: Term
Function: Indicates the term to be configured for the routing policy. You can create one or more terms for a routing policy. Each term comprises match conditions and the corresponding actions.
Your Action:
1. Click the New button or select a policy statement and click the Edit button.
2. Expand the policy-statement tree and select Term.
3. Click the New button or select a term and click the Edit button.
4. Enter the term name, comment and the match conditions and actions.

Option: Then
Function: Enables you to define the action to be taken in the case of a match or mismatch between the packets and the From and To conditions.
Your Action:
1. Click the New button or select a policy statement and click the Edit button.
2. Expand the policy-statement tree and select Then.
3. Specify the parameters for the Then criteria.
4. Expand the Then tree and specify the actions for each match condition.

Option: To
Function: Enables you to define the criteria that an outgoing route must match. You can specify one or more match conditions. If you specify more than one, all conditions must match the route for a match to occur.
Your Action:
1. Click the New button or select a policy statement and click the Edit button.
2. Expand the policy-statement tree and select To.
3. Enter the To criteria.
4. Expand the To tree and specify the match conditions.

Configuring Prefix List (NSM Procedure)

A prefix list is a named list of IP addresses. You can specify an exact match with incoming routes and apply a common action to all matching prefixes in the list. This feature enables you to create a named prefix list and include it in a routing policy.

To configure a prefix list in NSM:

1. In the navigation tree, select Device Manager > Devices and select the device from the list.
2. In the configuration tree, expand Policy Options.
3. Select Prefix List.
4. Add or modify the parameters as specified in Table 36 on page 59.
5. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 36: Configuring Prefix List Fields

Field: Name
Function: Specifies the name of the prefix list.
Your Action:
1. Click the New button or select a prefix list and click the Edit button.
2. Select prefix-list.
3. Specify the name.

Field: Comment
Function: Specifies the comment for the prefix list.
Your Action:
1. Click the New button or select a prefix list and click the Edit button.
2. Select prefix-list.
3. Specify the comment.

Field: Apply Path
Function: Indicates that the prefix list should include all IP prefixes pointed to by a defined path.
Your Action:
1. Click the New button or select a prefix list and click the Edit button.
2. Select prefix-list.
3. Specify the path.

Field: Prefix List Item
Function: Specifies the prefix list item.
Your Action:
1. Click the New button or select a prefix list and click the Edit button.
2. Expand the prefix-list tree and select Prefix List Item.
3. Specify the name and comment.
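The policy statement (Table 35) and the prefix list (Table 36) fit together when a term's From criteria reference the list. The evaluator below is an added example, not NSM's or Junos's code, serving both passages: it assumes terms run in order, that every From and To condition of a term must match (as Table 35 states), that a term whose Then carries no accept or reject falls through to the next term while its attribute changes accumulate, and that a prefix list matches only exactly (same network and prefix length), as Table 36 describes. The prefix-list entries and routes are constructed for the example.

```python
"""Evaluation model for a routing policy statement (Table 35) whose terms use a
prefix list (Table 36) as a from condition.  Added example; not NSM's or
Junos's code.  Assumptions are listed in the lead-in above."""

import ipaddress
from dataclasses import dataclass, field


@dataclass
class PrefixList:
    name: str
    items: list  # constructed entries such as "10.1.0.0/16"

    def matches(self, prefix: str) -> bool:
        """Exact match only: the same network and the same prefix length."""
        route = ipaddress.ip_network(prefix, strict=False)
        return any(route == ipaddress.ip_network(item, strict=False) for item in self.items)


@dataclass
class Term:
    name: str
    from_: dict = field(default_factory=dict)  # e.g. {"prefix-list": "customer", "protocol": "bgp"}
    to: dict = field(default_factory=dict)     # e.g. {"protocol": "bgp"}: where the route is exported
    then: dict = field(default_factory=dict)   # e.g. {"action": "accept", "local-preference": 200}


@dataclass
class Route:
    prefix: str
    protocol: str
    attributes: dict = field(default_factory=dict)


def term_matches(term: Term, route: Route, export_to: str, prefix_lists: dict) -> bool:
    """All from conditions must match the route and all to conditions the export target."""
    for condition, value in term.from_.items():
        if condition == "prefix-list":
            if not prefix_lists[value].matches(route.prefix):
                return False
        elif condition == "protocol":
            if route.protocol != value:
                return False
        else:
            raise ValueError(f"unsupported from condition {condition!r}")
    for condition, value in term.to.items():
        if condition == "protocol":
            if export_to != value:
                return False
        else:
            raise ValueError(f"unsupported to condition {condition!r}")
    return True  # a term without conditions matches every route


def evaluate(terms: list, route: Route, export_to: str, prefix_lists: dict,
             default_action: str = "reject") -> tuple:
    """Return (action, attributes) for the route after running the terms in order."""
    attributes = dict(route.attributes)
    for term in terms:
        if not term_matches(term, route, export_to, prefix_lists):
            continue
        for key, value in term.then.items():
            if key != "action":
                attributes[key] = value  # attribute changes accumulate across terms
        if term.then.get("action") in ("accept", "reject"):
            return term.then["action"], attributes  # terminating action
    return default_action, attributes
```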


CHAPTER 7

Configuring Routing Options

This section contains the following:

• Configuring Maximum Prefixes (NSM Procedure) on page 61
• Configuring Multicast (NSM Procedure) on page 63
• Configuring Multipath (NSM Procedure) on page 66
• Configuring Options (NSM Procedure) on page 67
• Configuring Route Resolution (NSM Procedure) on page 68
• Configuring Routing Table Groups (NSM Procedure) on page 69
• Configuring Routing Tables (NSM Procedure) on page 71
• Configuring Source Routing (NSM Procedure) on page 73
• Configuring Static Routes (NSM Procedure) on page 74
• Configuring Generated Routes (NSM Procedure) on page 75
• Configuring Graceful Restart (NSM Procedure) on page 76
• Configuring Forwarding Table (NSM Procedure) on page 77
• Configuring Flow Route (NSM Procedure) on page 79
• Configuring Fate Sharing (NSM Procedure) on page 81
• Configuring Martian Addresses (NSM Procedure) on page 82
• Configuring Interface Routes (NSM Procedure) on page 84
• Configuring Instance Export (NSM Procedure) on page 85
• Configuring Instance Import (NSM Procedure) on page 85
• Configuring Confederation (NSM Procedure) on page 86
• Configuring Maximum Paths (NSM Procedure) on page 87

Configuring Maximum Prefixes (NSM Procedure)

You can configure a limit for the number of routes installed in a routing table based upon the number of route prefixes in the table.

To configure the maximum prefixes limit in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Maximum Prefixes.
6. Enter the parameters as specified in Table 37 on page 62.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 37: Configuring Maximum Prefixes Fields

Option: Comment
Function: Specifies the comment for the maximum prefix limit.
Your Action: Enter the comment.

Option: Limit
Function: Indicates the maximum number of route prefixes. If this limit is reached, a warning is triggered and additional routes are rejected.
Your Action: Enter the limit value or select it from the list.

Option: Log Interval
Function: Indicates the minimum time interval (in seconds) between log messages.
Your Action: Enter the log interval value or select it from the list.

Option: Threshold
Function: Specifies what is to be done when the routing table reaches the maximum prefix value. The options are:
• None—No action is to be taken.
• threshold—You can configure a percentage of the maximum number of prefixes which, when installed, triggers the warning.
• log-only—Sets the prefix limit as an advisory limit. An advisory limit triggers only a warning, and additional routes are not rejected.
Your Action:
1. Expand the Maximum Prefixes tree and select Threshold.
2. Select the option button.
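Table 37 describes four settings whose interaction is easiest to see on a trace: a hard limit that warns and rejects, a threshold percentage at which the warning starts early, a log-only mode that makes the limit advisory, and a log interval that rate-limits repeated messages. The model below is an added example, not Juniper's code; the route prefixes and timestamps (in seconds) are constructed for the example.

```python
"""Model of the maximum-prefixes settings in Table 37.  Added example, not
Juniper's code; times are seconds in a constructed trace."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MaximumPrefixes:
    limit: int
    threshold: Optional[int] = None  # percent of limit at which to start warning
    log_only: bool = False           # advisory limit: warn but never reject
    log_interval: float = 5.0        # minimum seconds between log messages
    installed: int = 0
    last_logged: Optional[float] = None
    log: list = field(default_factory=list)

    def _warn(self, now: float, message: str) -> None:
        """Record a warning unless one was logged less than log_interval ago."""
        if self.last_logged is None or now - self.last_logged >= self.log_interval:
            self.log.append((now, message))
            self.last_logged = now

    def install(self, now: float, prefix: str) -> bool:
        """Try to install one route; return True if it went into the table."""
        if self.installed >= self.limit and not self.log_only:
            self._warn(now, f"prefix limit {self.limit} reached, rejecting {prefix}")
            return False
        self.installed += 1
        # The threshold percentage starts the warning before the limit itself.
        if self.threshold is not None and self.installed * 100 >= self.limit * self.threshold:
            self._warn(now, f"{self.installed}/{self.limit} prefixes installed "
                            f"({self.threshold}% threshold)")
        elif self.installed >= self.limit:
            self._warn(now, f"prefix limit {self.limit} reached")
        return True
```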


Configuring Multicast (NSM Procedure)

You can configure generic multicast properties for routing instances. A routing instance is a collection of routing tables, interfaces, and routing protocol parameters. The routing protocol parameters control the information in the routing tables.

To configure generic multicast properties for routing instance in NSM:

1.

In the navigation tree, select Device Manager > Devices.

2.

In the Devices list, double-click the device to select it.

3.

Click the Configuration tab.

4.

In the configuration tree, expand Routing Options.

5.

Select Multicast.

6.

Add or modify the parameters as specified in

Table 38 on page 63 .

7.

Click one:

• OK—To save the changes.

Cancel—To cancel the modifications.

Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating

Devices section in the Network and Security Manager Administration Guide for more information.

Table 38: Configuring Multicast Fields

Option Function

Comment

Backup Pe Group

Your Action

Specifies the comment for the multicast configuration.

Enter the comment.

Enables you to configure a backup provider edge (PE) group for ingress PE device redundancy when point-to-multipoint label-switched paths (LSPs) are used for multicast distribution.

1.

Expand the

Multicast tree and select

Backup Pe Group .

2. Click the New button or select a group and click the Edit button.

3. Configure the PE group name, local address, and backup address.

Copyright © 2013, Juniper Networks, Inc.

63

EX Series Devices

Table 38: Configuring Multicast Fields (continued)

Option Function

Flow Map

Forwarding Cache

Your Action

Enables you to set up multicast flow maps to manage a subset of multicast forwarding table entries. For example, you can specify that certain forwarding cache entries be permanent or have a different timeout value than those of other multicast flows that are not associated with this flow map .

1.

Expand the Multicast tree and select

Flow Map

.

2. Click the New button or select a flow map and click the Edit button.

3. Configure the following to create and define a flow map:

Enter the flow map name and comment.

Bandwidth—Specify the bandwidth property of the multicast flow map.

Forwarding Cache—Specify the forwarding cache properties of entries defined by a flow map. You can specify a timeout of never to make the forwarding entries permanent, or you can specify a timeout from 1 through 720 minutes.

Policy—Specify the flow map policies.

Redundant Sources—Specify the addresses for use as backup sources for multicast flows defined by a flow map.

Enables you to configure multicast forwarding cache properties. These properties include threshold suppression and reuse limits, and timeout values.

You can specify a value for the threshold to suppress new multicast forwarding cache entries and an optional reuse value for the threshold at which the device begins to create new multicast forwarding cache entries. If you configure both reuse and suppression values, configure a reuse value that is less than the suppression value. The suppression value is mandatory. If you do not specify the optional reuse value, then the number of multicast forwarding cache entries is limited to the suppression value. A new entry is created as soon as the number of multicast forwarding cache entries falls below the suppression value. You can also specify a timeout value for all multicast forwarding cache entries.

1.

Expand the Multicast tree and select

Forwarding Cache .

2. Configure the timeout and threshold values.

64 Copyright © 2013, Juniper Networks, Inc.

Chapter 7: Configuring Routing Options

Table 38: Configuring Multicast Fields (continued)

Option Function

Interface

Your Action

Enables you to configure the interfaces for multicast properties on which you plan to manage the maximum bandwidth.

1.

Interface
Your Action:
1. Expand the Multicast tree and select Interface.
2. Configure the interface and the bandwidth.

Rpf Check Policy
Function: Multicast reverse path forwarding (RPF) checks are used to prevent multicast routing loops. Routing loops are particularly debilitating in multicast applications because packets are replicated with each pass around the routing loop. You can apply policies for disabling reverse-path forwarding (RPF) checks on arriving multicast packets.
Your Action:
1. Expand the Multicast tree and select Rpf Check Policy.
2. Click the New button or select a policy and click the Edit button.
3. Enter the RPF check policy name.

Scope
Function: Enables you to configure multicast scoping to limit multicast traffic by configuring it to an administratively defined topological region. Multicast scoping controls the propagation of multicast messages—both multicast group joins upstream toward a source and data forwarding downstream. Scoping can relieve stress on scarce resources, such as bandwidth, and improve privacy or scaling properties.
Your Action:
1. Expand the Multicast tree and select Scope.
2. Configure the scope and the interface for the multicast.

Scope Policy
Function: Enables you to configure multicast scoping policy. A multicast scope policy contains a set of device interfaces on which you are configuring scoping and the scope's address range configured as a series of device filters.
Your Action:
1. Expand the Multicast tree and select Scope Policy.
2. Specify the scope policy for the multicast group.

Ssm Groups
Function: Enables you to configure source-specific multicast (SSM) groups. SSM is a service model that identifies session traffic by both source and group address. Using SSM, a client can receive multicast traffic directly from the source. To deploy SSM successfully, you need an end-to-end multicast-enabled network and applications that use Internet Group Management Protocol version 3 (IGMPv3).
Your Action:
1. Expand the Multicast tree and select Ssm Groups.
2. Click the New button or select a group and click the Edit button.
3. Specify the address range of the SSM group.

Copyright © 2013, Juniper Networks, Inc.

65

EX Series Devices

Table 38: Configuring Multicast Fields (continued)

Ssm Map
Function: SSM mapping translates IGMPv1 or IGMPv2 membership reports to an IGMPv3 report, allowing you to support an SSM network without requiring all hosts to support IGMPv3.
Your Action:
1. Expand the Multicast tree and select Ssm Map.
2. Click the New button or select an SSM map and click the Edit button.
3. Specify the SSM policy for the SSM map and the source address.

Traceoptions
Function: Defines tracing options for the multicast group. You can also set up the file management and access control parameters.
Your Action:
1. Expand the Multicast tree and select the Traceoptions tab.
2. Set up the file and flag parameters.

Configuring Multipath (NSM Procedure)

You can configure protocol-independent load balancing for Layer 3 virtual private networks (VPNs) with load sharing among multiple external BGP paths and multiple internal BGP paths. You can use forwarding next hops for both the active route and alternative paths for load balancing.

To configure multipath load balancing in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Multipath.
6. Enter the parameters as specified in Table 39 on page 67.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.


Table 39: Configuring Multipath Fields

Comment
Function: Specifies the comment for the multipath configuration.
Your Action: Enter the comment.

Vpn Unequal Cost
Function: Applies protocol-independent load balancing to VPN routes.
Your Action:
1. Expand the Multipath tree and select Vpn Unequal Cost.
2. Enter the comment for the vpn unequal cost configuration and specify whether both external and internal BGP paths should be selected for the multipath configuration by selecting the Equal External Internal check box.

Configuring Options (NSM Procedure)

You can configure the types of system logging messages sent about the routing protocols process to the system log message file. These messages are also displayed on the system console. You can log messages at a particular level or up to and including a particular level.

To configure options in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Options.
6. Enter the parameters as specified in Table 40 on page 68.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.


Table 40: Configuring Options Fields

Comment
Function: Specifies the comment for the message option.
Your Action: Enter the comment.

Mark
Function: Specifies the mark for the option.
Your Action: Enter the mark value or select from the list.

Syslog
Function: Enables you to configure the generation of system log messages for a particular severity level and all higher levels.
Your Action:
1. Expand the Options tree and select Syslog.
2. Select the severity levels for system log messages.

Configuring Route Resolution (NSM Procedure)

You can configure a routing table to accept routes from specific routing tables to enable the device to manage and route the traffic effectively between a source host and destination host. You can configure a routing table to use specific import policies to produce a route resolution table to resolve routes.

To configure a route resolution table in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Resolution.
6. Add or modify the parameters as specified in Table 41 on page 69.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.


Table 41: Route Resolution Fields

Comment
Function: Specifies the comment for the route resolution.
Your Action: Enter a comment.

Rib
Function: Specifies the name of the routing table for which the import policies and the resolution routes are configured.
Your Action:
1. Expand the Resolution tree and select Rib.
2. Click the New button or select a routing table and click the Edit button.
3. Enter the name and comment for the routing table and specify the route import policies and the resolution routes.

Tracefilter
Function: Specifies the filter policy for the resolution routes.
Your Action:
1. Expand the Resolution tree and select Tracefilter.
2. Specify the filter policies for the routing table.

Traceoptions
Function: Defines tracing options for route resolution.
Your Action:
1. Expand the Resolution tree and select Traceoptions.
2. Expand the Traceoptions tree and set up the file and flag parameters.

Configuring Routing Table Groups (NSM Procedure)

You can group together one or more routing tables to form a routing table (RIB) group.

Within a group, a routing protocol can import routes into all the routing tables in the group and can export routes from a single routing table. Each routing table group contains one or more routing tables that the Junos OS uses when importing routes. In the same way, each routing table group optionally contains one routing table that the Junos OS uses when exporting routes to the routing protocols. You can also specify the import and the export route tables and the import policies for the routing table group.

To configure routing table groups in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Rib Groups.
6. Add or modify the parameters as specified in Table 42 on page 70.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 42: Rib Group Fields

Name
Function: Specifies the unique name for the routing table group.
Your Action:
1. Expand the Routing Options tree and select Rib Group.
2. Click the New button or select a routing table group and click the Edit button.
3. Enter the name for the routing table group.

Comment
Function: Specifies the comment for the routing table group.
Your Action:
1. Expand the Routing Options tree and select Rib Group.
2. Click the New button or select a routing table group and click the Edit button.
3. Enter the comment for the routing table group.

Export Rib
Function: Specifies the routing table from which the Junos OS exports routing information.
Your Action:
1. Expand the Routing Options tree and select Rib Group.
2. Click the New button or select a routing table group and click the Edit button.
3. Enter the name of the routing table.

Import Policy
Function: Enables you to apply one or more policies to routes imported into the routing table group.
Your Action:
1. Expand the rib-group tree and select Import Policy.
2. Set up the import policies for the routing table group.


Table 42: Rib Group Fields (continued)

Import Rib
Function: Specifies the name of the routing table into which the Junos OS is to import routing information. The first routing table name you enter is the primary routing table. Any additional names you enter identify secondary routing tables. When a protocol imports routes, it imports them into the primary and any secondary routing tables.
Your Action:
1. Expand the rib-group tree and select Import Policy.
2. Enter the name of the routing table.

Configuring Routing Tables (NSM Procedure)

This feature enables you to configure routing tables. You can also configure the static, martians, aggregate, maximum paths, maximum prefixes, multipath, or generated routes to the routing table. If you are not adding any of those routes, then the creation of the routing table is optional. The Junos OS uses its default routing tables, which are inet.0 for IPv4 unicast routes, inet6.0 for IPv6 unicast routes, inet.1 for the IPv4 multicast forwarding cache, and inet.3 for IPv4 MPLS.

To configure a routing table in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Rib.
6. Add or modify the parameters as specified in Table 43 on page 72.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.


Table 43: Rib Fields

Name
Function: Specifies the unique name for the routing table.
Your Action:
1. Expand the Routing Options tree and select Rib.
2. Click the New button or select a routing table and click the Edit button.
3. Enter the name for the routing table.

Comment
Function: Specifies the comment for the route resolution.
Your Action:
1. Expand the Routing Options tree and select Rib.
2. Click the New button or select a routing table and click the Edit button.
3. Enter the comment for the routing table.

Aggregate
Function: Enables you to configure the aggregate routes for the routing table. Aggregation allows you to combine groups of routes with common addresses into a single entry in the routing table. This decreases the size of the routing table as well as the number of route advertisements sent by the router.
Your Action:
1. Expand the Rib tree and select Aggregate.
2. Select the global aggregate route options in Defaults and individual aggregate route options in Route.

Generate
Function: Enables you to configure generated routes, which are used as routes of last resort in the routing table.
Your Action:
1. Expand the Rib tree and select Generate.
2. Select the default route to the destination address in Defaults and individually generated route options in Route.

Martians
Function: Enables you to configure martian addresses in the routing table.
Your Action:
1. Expand the Rib tree and select Martian.
2. Enter the martian addresses.

Maximum Paths
Function: Enables you to configure a limit for the number of routes installed in a routing table.
Your Action:
1. Expand the Rib tree and select Maximum Paths.
2. Enter the Maximum Paths and the Threshold.

Maximum Prefixes
Function: Enables you to configure a limit for the number of routes installed in a routing table.
Your Action:
1. Expand the Rib tree and select Maximum Prefixes.
2. Set up the Maximum Prefixes and the Threshold.


Table 43: Rib Fields (continued)

Multipath
Function: Enables you to configure the multipath option in the routing table for load sharing between external BGP and internal BGP.
Your Action:
1. Expand the Rib tree and select Multipath.
2. Enter the multipath options.

Static
Function: Enables you to configure static routes to be installed in the routing table.
Your Action:
1. Expand the Rib tree and select Static.
2. Enter the global static route in Defaults and the destination address of the static route in Route.

Configuring Source Routing (NSM Procedure)

You can configure source routing to specify the IP addresses of the devices along the path that you want an IP packet to take on its way to its destination.

To configure source routing in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Source Routing.
6. Enter the parameters as specified in Table 44 on page 73.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 44: Source Routing Fields

Comment
Function: Specifies the comment for the source routing configuration.
Your Action: Enter the comment.

IP
Function: Specifies the IPv4/IPv6 addressing family for source routing.
Your Action: Select the check box.

Configuring Static Routes (NSM Procedure)

You can configure static routes for a routing table group. A router uses static routes in the following scenarios:

• When it does not have a route to a destination that has a better (lower) preference value.
• When it cannot determine the route to a destination.
• When it is forwarding unroutable packets.

A static route is installed in the routing table only when the route is active; that is, the list of next-hop routers configured for that route contains at least one next hop on an operational interface.

To configure static routes for a routing table group in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Static.
6. Add or modify the parameters as specified in Table 45 on page 75.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.


Table 45: Static Fields

Comment
Function: Specifies the comment for the static route.
Your Action: Enter the comment.

Rib Group
Function: Specifies the routing table group name for which the static route is configured.
Your Action: Enter the name.

Defaults
Function: Enables you to configure the global static route options. These options only set the global defaults and apply to all the configured static routes.
Your Action:
1. Expand the Static tree and select Defaults.
2. Enter the default route to the destination address.

Route
Function: Enables you to configure the individual static route options. These options apply to the individual destination only and override any options configured in the Defaults section.
Your Action:
1. Expand the Static tree and select Route.
2. Enter the individual route.

Configuring Generated Routes (NSM Procedure)

Generated routes are used as routes of last resort. A packet is forwarded to the route of last resort when the routing tables have no information about how to reach that packet’s destination. One use of route generation is to create a default route to use if the routing table contains a route from a peer on a neighboring backbone network. A generated route becomes active when it has one or more contributing routes. A contributing route is an active route that is a specific match for the generated destination.

For example, for the destination 128.100.0.0/16, routes to 128.100.192.0/19 and 128.100.67.0/24 are contributing routes, but routes to 128.0.0.0/8, 128.0.0.0/16, and 128.100.0.0/16 are not. A route can contribute only to a single generated route. However, an active generated route can recursively contribute to a less specific matching generated route. For example, a generated route to the destination 128.100.0.0/16 can contribute to a generated route to 128.96.0.0/13. By default, when generated routes are installed in the routing table, the next hop device selects from the primary contributing route.
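The contributing-route rules above, worked through as an added Python example (this is not code from the guide or from Junos): it checks the five prefixes quoted in the text against 128.100.0.0/16, then resolves several generated routes at once so the recursive case and an inactive generated route are both visible. All inputs are constructed for illustration.

```python
from ipaddress import IPv4Network, ip_network


def _net(prefix):
    """Accept either a prefix string or an already built network object."""
    return prefix if isinstance(prefix, IPv4Network) else ip_network(prefix)


def is_contributing(route, generated):
    """True when `route` is a specific match for the generated destination:
    it lies inside the generated prefix and is more specific than it.
    The generated prefix itself, and anything less specific, never contribute."""
    r, g = _net(route), _net(generated)
    return r.version == g.version and r.subnet_of(g) and r.prefixlen > g.prefixlen


def resolve_generated(generated_prefixes, active_routes):
    """Map each generated prefix (as a string) to the sorted list of prefixes
    that contribute to it. An empty list means the generated route stays
    inactive. Rules applied, taken from the description above:
      * a route contributes to at most one generated route, the most specific
        generated prefix it is a specific match for;
      * a generated route becomes active once it has one or more contributors;
      * an active generated route can in turn contribute to a less specific
        generated route (recursive contribution).
    """
    # Evaluate the most specific generated prefixes first, so they are
    # activated (and can contribute upward) before the less specific ones.
    gens = sorted((_net(g) for g in generated_prefixes),
                  key=lambda n: n.prefixlen, reverse=True)
    pool = [_net(r) for r in active_routes]   # routes still free to contribute
    result = {}
    for gen in gens:
        contrib = [r for r in pool if is_contributing(r, gen)]
        # A contributor is consumed: it cannot contribute to a second route.
        pool = [r for r in pool if r not in contrib]
        result[str(gen)] = sorted(str(r) for r in contrib)
        if contrib and gen not in pool:
            pool.append(gen)   # now active, so it may feed a less specific one
    return result


if __name__ == "__main__":
    # Constructed sample using the prefixes quoted in the text above.
    for prefix in ["128.100.192.0/19", "128.100.67.0/24",
                   "128.0.0.0/8", "128.0.0.0/16", "128.100.0.0/16"]:
        print(f"{prefix:18} contributes to 128.100.0.0/16:",
              is_contributing(prefix, "128.100.0.0/16"))
    routes = ["128.100.192.0/19", "128.100.67.0/24", "128.0.0.0/8", "128.0.0.0/16"]
    # 10.0.0.0/8 has no contributor, so it never becomes active.
    print(resolve_generated(["128.100.0.0/16", "128.96.0.0/13", "10.0.0.0/8"], routes))
```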

To configure generated routes in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Generate.
6. Add or modify the parameters as specified in Table 46 on page 76.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 46: Generated Routes Fields

Comment
Function: Specifies the comment for the generated route.
Your Action: Enter a comment.

Defaults
Function: Enables you to specify globally generated route options. These are treated as global defaults and apply to all the generated routes you configure.
Your Action:
1. Expand the Generate tree and select Defaults.
2. Configure the default route options.

Route
Function: Enables you to configure individually generated routes. You can also configure globally generated route options. These options apply to the individual destination only and override any options you configured in Defaults.
Your Action:
1. Expand the Generate tree and select Route.
2. Configure the individual route options.

Configuring Graceful Restart (NSM Procedure)

Graceful restart allows a device undergoing a restart to inform its adjacent neighbors and peers of its condition. The restarting device requests a grace period from the neighbor or peer, which can then cooperate with the restarting device. With a graceful restart, the restarting device can still forward traffic during the restart period, and convergence in the network is not disrupted. The restart is not visible to the rest of the network, and the restarting device is not removed from the network topology.

The graceful restart request occurs only if the following conditions are met:

• The network topology is stable.
• The neighbor or peer cooperates.
• The restarting device is not already cooperating with another restart already in progress.
• The grace period does not expire.

To configure graceful restart in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Graceful Restart.
6. Enter the parameters as specified in Table 47 on page 77.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 47: Graceful Restart Fields

Comment
Function: Specifies the comment for the graceful restart.
Your Action: Enter a comment.

Disable
Function: Specifies whether graceful restart is enabled for the device.
Your Action:
• Select the check box to disable graceful restart.
• Clear the check box to enable graceful restart.

Restart Duration
Function: Specifies the duration of the grace period for the device to restart.
Your Action: Enter a value for the duration or select a value from the list.

Configuring Forwarding Table (NSM Procedure)

A forwarding table contains the routes actually used to forward packets through the device to their next-hop destination. This feature enables you to configure the forwarding table in NSM.

To configure the forwarding table in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Forwarding Table.
6. Add or modify the parameters as specified in Table 48 on page 78.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 48: Forwarding Table Fields

Comment
Function: Specifies the comment for the forwarding table.
Your Action: Enter a comment.

None
Function: Specifies that no next-hop parameter is to be added to the forwarding table.
Your Action: Select the option button.

indirect-next-hop
Function: Specifies that the forwarding table supports indirectly connected next hops.
Your Action: Select the option button to enable indirect-next-hop.

no-indirect-next-hop
Function: Specifies that the forwarding table does not support indirectly connected next hops.
Your Action: Select the option button to enable no-indirect-next-hop.

Unicast Reverse Path
Function: Enables you to check path validity to protect the network from IP spoofing. A unicast reverse-path-forwarding (RPF) check performs a routing table lookup on an IP packet’s source address and checks the incoming interface. The device determines whether the packet is arriving from a path that the sender would use to reach the destination. If the packet is from a valid path, the device forwards the packet to the destination address. If it is not from a valid path, the device discards the packet.
Your Action: Select the path from the drop-down list.

Export
Function: Enables you to apply one or more policies to routes being exported from the routing table into the forwarding table.
Your Action:
1. Expand the Forwarding Table tree and select Export.
2. Enter the export policies.
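The unicast RPF check described in the Unicast Reverse Path row, as an added Python example that is not code from the guide or from Junos: a longest-prefix-match lookup on the packet's source address, compared against the interface the packet arrived on. The routing table, interface names and packets are constructed; accepting every route that shares the longest match is a simplification noted in the code.

```python
from ipaddress import ip_address, ip_network


class RoutingTable:
    """Minimal routing table: prefixes with the interface used to reach them."""

    def __init__(self):
        self._routes = []          # list of (network, interface)

    def add(self, prefix, interface):
        self._routes.append((ip_network(prefix), interface))

    def lookup(self, address):
        """Longest-prefix match. Returns the set of interfaces belonging to
        every route with the longest matching prefix (several when equal-cost
        paths exist), or an empty set when nothing matches."""
        addr = ip_address(address)
        best_len, ifaces = -1, set()
        for net, iface in self._routes:
            if addr.version != net.version or addr not in net:
                continue
            if net.prefixlen > best_len:
                best_len, ifaces = net.prefixlen, {iface}
            elif net.prefixlen == best_len:
                ifaces.add(iface)
        return ifaces


def urpf_check(table, src, in_iface):
    """Unicast RPF check as described in the table above: look up the packet's
    *source* address and compare the interface the lookup points to with the
    interface the packet arrived on. Returns (verdict, reason).
    Simplification (an assumption of this example): every route sharing the
    longest match is accepted; the drop-down mentioned in the table selects
    which paths the device considers, and a stricter choice would accept
    fewer of them."""
    paths = table.lookup(src)
    if not paths:
        return "discard", f"no route back to source {src}"
    if in_iface not in paths:
        return "discard", (f"source {src} is reached via {sorted(paths)}, "
                           f"not via {in_iface}: likely spoofed")
    return "forward", f"source {src} is reachable via {in_iface}"


def build_sample_table():
    """Constructed sample topology (not from the guide). Note that the
    default route makes any otherwise-unknown source pass on ge-0/0/3, which
    is why uRPF is most useful where routing to and from a source is symmetric."""
    t = RoutingTable()
    t.add("10.1.0.0/16", "ge-0/0/0")   # internal network A
    t.add("10.2.0.0/16", "ge-0/0/1")   # internal network B
    t.add("10.2.0.0/16", "ge-0/0/2")   # equal-cost second path to B
    t.add("0.0.0.0/0", "ge-0/0/3")     # default route toward the Internet
    return t


def run_sample():
    """Constructed packets: (source, ingress interface) -> verdict."""
    t = build_sample_table()
    packets = [
        ("10.1.7.7", "ge-0/0/0"),     # source on the interface it belongs to
        ("10.1.7.7", "ge-0/0/3"),     # internal source arriving from outside
        ("10.2.9.9", "ge-0/0/2"),     # second equal-cost path is accepted
        ("203.0.113.5", "ge-0/0/3"),  # covered by the default route
        ("203.0.113.5", "ge-0/0/1"),  # external source on an internal port
    ]
    return {p: urpf_check(t, *p)[0] for p in packets}


if __name__ == "__main__":
    for (src, iface), verdict in run_sample().items():
        print(f"{src:13} in {iface}: {verdict}")
```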


Configuring Flow Route (NSM Procedure)

Flow routes provide traffic filtering and rate-limiting capabilities much like firewall filters. You can propagate flow routes across different autonomous systems. A flow route is an aggregation of match conditions for IP packets. Flow routes are propagated through the network using flow-specific network-layer reachability information (NLRI) messages and are maintained in the flow routing table. Packets can travel through flow routes only if specific match conditions are met. Flow routes and firewall filters are similar in that they filter packets based on packet components and perform an action on the packets that match.

To configure a flow route in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Flow.
6. Add or modify the parameters as specified in Table 49 on page 79.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 49: Flow Route Fields

Comment
Function: Specifies the comment for the flow route.
Your Action: Enter a comment.

Route

  Name
  Function: Specifies the name of the flow route.
  Your Action:
  1. Expand the Flow tree and select Route.
  2. Click the New button or select a flow route and click the Edit button.
  3. Enter the flow route name.

  Comment
  Function: Specifies the comment for the flow route.
  Your Action:
  1. Expand the Flow tree and select Route.
  2. Click the New button or select a flow route and click the Edit button.
  3. Enter the comment for the flow route.

  Match
  Function: Specifies the conditions that the packet must match for the packet to be included in the flow route. Match conditions are:
  • Destination Port
  • DSCP
  • Fragment
  • Icmp Code
  • Icmp Type
  • Packet Length
  • Port
  • Protocol
  • Source Port
  • Tcp Flag
  Your Action:
  1. Expand the Route tree and select Match.
  2. Enter a comment for Comment, a destination address for Destination, and a source address for Source.
  3. Configure the match conditions.

  Then
  Function: Enables you to specify the action to take if the packet matches the conditions you have configured in the flow route.
  Your Action:
  1. Expand the Route tree and select Then.
  2. Configure the then conditions for the packet.

Validation

  Comment
  Function: Specifies a comment for the validation procedure. Flow routes are installed into the flow routing table only if they have been validated using the validation procedure.
  Your Action:
  1. Expand the Flow tree and select Validation.
  2. Enter the comment for the validation procedure.

  Traceoptions
  Function: Enables you to define tracing operations that track all routing protocol functionality in the device and specify that tracing results be saved in a log file. You can configure the tracing flag, filter, and the tracing policy.
  Your Action:
  1. Expand the Validation tree and select Traceoptions.
  2. Expand the Traceoptions tree and configure the file and flag parameters, and the tracing policy.


Configuring Fate Sharing (NSM Procedure)

Fate sharing allows you to create a database of information that the constrained shortest path first (CSPF) algorithm uses to compute one or more backup routing paths to use in case the primary path becomes unstable. The database describes the relationships between elements of the network. Through fate sharing, you can configure backup paths that minimize the number of shared links and fiber optic cables, to ensure that in the event of damage to a fiber optic cable, only the minimum amount of data is lost and that a path still exists to the destination. For a backup path to work optimally, it must not share links or physical fiber optic cables with the primary path. This ensures that a single point of failure will not affect the primary and backup paths at the same time.

This feature enables you to specify groups of objects that share characteristics, resulting in backup paths that are used if primary paths fail. All objects are treated as /32 host addresses. You can specify one or more objects within a group. The objects can be LAN interfaces, device IDs, or point-to-point links.

To configure fate sharing in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Fate Sharing.
6. Add or modify the parameters as specified in Table 50 on page 81.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 50: Fate Sharing Fields

Comment
Function: Specifies the comment for the fate sharing.
Your Action: Enter a comment.

Group

  Name
  Function: Specifies the name of the fate sharing group.
  Your Action:
  1. Expand the Fate Sharing tree and select Group.
  2. Click the New button or select a group and click the Edit button.
  3. Enter the group name.

  Comment
  Function: Specifies the comment for the fate sharing group.
  Your Action:
  1. Expand the Fate Sharing tree and select Group.
  2. Click the New button or select a group and click the Edit button.
  3. Enter the comment.

  Cost
  Function: Specifies the configurable cost attributed to each group, which represents the level of impact this group has on CSPF computations. The higher the cost, the less likely a backup path will share any objects in the group with the primary path.
  Your Action:
  1. Expand the Fate Sharing tree and select Group.
  2. Click the New button or select a group and click the Edit button.
  3. Enter the cost or select a value from the list.

  From
  Function: Specifies the from address and to address for point-to-point link objects.
  Your Action:
  1. Expand the Group tree and select From.
  2. Click the New button or select a group and click the Edit button.
  3. Specify the From address.

Configuring Martian Addresses (NSM Procedure)

Martian addresses are host or network addresses about which all routing information is ignored. They commonly are sent by improperly configured systems on the network and have destination addresses that are obviously invalid. You can configure a particular martian address or a range of martian addresses as allowed or disallowed. You can use the match criteria to configure a range of martian addresses.

To configure a martian address in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Martians.
6. Add or modify the parameters as specified in Table 51 on page 83.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 51: Configuring Martian Address Fields

Address
  Function: Specifies the martian address, or the destination prefix of a range of martian addresses, that is to be allowed or disallowed.
  Your Action:
  1. Click the New button or select a martian address and click the Edit button.
  2. Enter the address.

Comment
  Function: Specifies the comment for the martian address.
  Your Action:
  1. Click the New button or select a martian address and click the Edit button.
  2. Enter the comment for the martian address.

Allow
  Function: Enables you to explicitly allow a subset of a range of addresses that is otherwise disallowed. Selecting Allow removes that address (or range) from the set of martian addresses; clearing it marks the address as martian again.
  Your Action:
  1. Click the New button or select a martian address and click the Edit button.
  2. Select the check box to allow the address within a disallowed range.
  3. Clear the check box to disallow the address and mark it as martian.

Exact (match criteria)
  Function: Specifies how a route's prefix (mask) length is matched against the martian address. The criteria are Exact, Longer, Orlonger, Upto, Through and Prefix Length Range.
  Your Action:
  1. Click the New button or select a martian address and click the Edit button.
  2. Expand the Martian tree and select Exact.
  3. Enter the match criteria.
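The match criteria in Table 51 decide which routes a martian entry covers. The following Python model is added here as an illustration; it is not part of this guide and not Junos OS code. It applies the six criteria to candidate routes and resolves overlapping entries by the longest matching entry prefix, which is an assumption about how an Allow carve-out is evaluated rather than something the guide states. The martian list it uses is constructed for the example (the first four entries have the shape of Junos OS defaults; the rest are invented local policy).

```python
import ipaddress


def entry(prefix, kind, arg=None, allow=False):
    """Build one martian entry: prefix, match type, optional argument, allow flag.

    arg is an int for upto, a (low, high) tuple for prefix-length-range and
    the second prefix for through."""
    prefix = ipaddress.ip_network(prefix)
    if kind == "through":
        arg = ipaddress.ip_network(arg)
    return {"prefix": prefix, "type": kind, "arg": arg, "allow": allow}


def _within(route, prefix):
    """True when route lies inside prefix (same address family, prefix bits agree)."""
    return route.version == prefix.version and route.subnet_of(prefix)


def matches(route, e):
    """Does `route` satisfy the mask-length criterion of martian entry `e`?"""
    prefix, kind, arg = e["prefix"], e["type"], e["arg"]
    plen, rlen = prefix.prefixlen, route.prefixlen
    if kind == "through":
        # route sits on the prefix-tree path from the entry prefix down to `arg`
        return _within(route, prefix) and _within(arg, route)
    if not _within(route, prefix):
        return False
    if kind == "exact":
        return rlen == plen
    if kind == "longer":
        return rlen > plen
    if kind == "orlonger":
        return rlen >= plen
    if kind == "upto":
        return plen <= rlen <= arg
    if kind == "prefix-length-range":
        low, high = arg
        return low <= rlen <= high
    raise ValueError(f"unknown match type {kind!r}")


def is_martian(route, entries):
    """True if the route is ignored. Overlaps go to the longest matching entry
    prefix (assumption, not taken from the guide); an Allow entry that wins
    carves the route out of a disallowed range."""
    route = ipaddress.ip_network(route)
    best = None
    for e in entries:
        if matches(route, e) and (best is None or e["prefix"].prefixlen > best["prefix"].prefixlen):
            best = e
    return best is not None and not best["allow"]


# Constructed list for the demo, not a device's real configuration.
SAMPLE_MARTIANS = [
    entry("0.0.0.0/0", "exact", allow=True),                  # default route itself is fine
    entry("0.0.0.0/8", "orlonger"),
    entry("127.0.0.0/8", "orlonger"),
    entry("240.0.0.0/4", "orlonger"),
    entry("10.0.0.0/8", "orlonger"),                          # invented policy: drop all of 10/8 ...
    entry("10.10.0.0/16", "orlonger", allow=True),            # ... except this carve-out
    entry("192.0.2.0/24", "prefix-length-range", (25, 32)),   # keep the /24, drop de-aggregates
    entry("192.168.0.0/16", "through", "192.168.16.0/20"),
]


def classify(routes, entries=SAMPLE_MARTIANS):
    """Map each route string to True (ignored as martian) or False (accepted)."""
    return {r: is_martian(r, entries) for r in routes}


if __name__ == "__main__":
    for r, m in classify(["127.0.0.1/32", "10.1.0.0/16", "10.10.5.0/24",
                          "192.0.2.128/25", "8.8.8.0/24"]).items():
        print(f"{r:18} {'martian' if m else 'accepted'}")
```

After pushing the configuration, compare the model against the device's effective list with `show route martians` on the Junos OS CLI. A route rejected as martian never reaches the routing table, so an over-broad entry (for example Orlonger where Exact was intended) silently blackholes legitimate prefixes.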

Configuring Interface Routes (NSM Procedure)

You can control the routing tables into which interface (direct) routes are imported by creating a routing table group and associating it with the device's interfaces.

To configure interface routes in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Interface Routes.
6. Add or modify the parameters as specified in Table 52 on page 84.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 52: Interface Routes Fields

Comment
  Function: Specifies the comment for the interface routes configuration.
  Your Action: Enter a comment.

Family
  Function: Specifies the address family, IPv4 (inet) or IPv6 (inet6).
  Your Action:
  1. Expand the Interface Routes tree and select Family.
  2. Click the New button or select a family name and click the Edit button.
  3. Enter the family name and comment.
  4. Set up the export policy and import policy.

Rib Group
  Function: Specifies the routing table group into which interface routes are imported.
  Your Action:
  1. Expand the Interface Routes tree and select Rib Group.
  2. Enter the comment and, under Inet, the name of the routing table group for IPv4 interface routes.

Configuring Instance Export (NSM Procedure)

Configurations that use routing table groups define, in an IGP export policy, which routes are selected, but no policy controls the export process itself. Configuring an instance export policy gives you that control. The policy model supports both interinstance route export and IGP export.

To configure an instance export policy in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Instance Export and specify the export policies for routes being exported from a routing instance.
6. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Configuring Instance Import (NSM Procedure)

You can apply one or more policies to routes being imported into a routing instance.

To configure instance import in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Instance Import and specify the import policies to be applied to the routes that are imported into a routing instance.
6. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Configuring Confederation (NSM Procedure)

Grouping autonomous systems (ASs) into confederations reduces the number of BGP connections required to interconnect ASs. If you administer multiple ASs that contain many BGP systems, you can group them into one or more confederations. Each confederation is identified by its own AS number, called the confederation AS number. To external ASs, a confederation appears to be a single AS, so the internal topology of the member ASs making up the confederation is hidden. Because each confederation is treated as if it were a single AS, you can apply the same routing policy to all the ASs that make up the confederation.

To configure a confederation in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Confederation.
6. Add or modify the parameters as specified in Table 53 on page 87.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 53: Confederation Fields

Comment
  Function: Specifies the comment for the confederation.
  Your Action: Enter a comment.

Confederation As
  Function: Specifies the confederation AS number.
  Your Action: Enter a number from 1 through 65535.

Members
  Function: Specifies the AS number of a confederation member, allowing you to add members to the confederation.
  Your Action:
  1. Expand the Confederation tree and select Members.
  2. Click the New button or select a member and click the Edit button.
  3. Enter the AS number of the member.
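The statement that a confederation "appears to be a single AS" to the outside comes down to how member ASs rewrite the AS_PATH attribute. The following Python model is an added example, not code from this guide or from Junos OS; it applies the RFC 5065 rules for AS_CONFED_SEQUENCE segments with constructed numbers (confederation AS 100, members 65001 through 65003, an upstream AS 300 and an external peer AS 200) and models only sequence segments, not AS_SET.

```python
AS_SEQUENCE = "AS_SEQUENCE"
AS_CONFED_SEQUENCE = "AS_CONFED_SEQUENCE"

CONFED_AS = 100                  # constructed: the confederation AS number seen from outside
MEMBERS = {65001, 65002, 65003}  # constructed: member AS numbers, hidden from outside


def advertise(path, local_as, peer_as, confed_as=CONFED_AS, members=MEMBERS):
    """AS_PATH that a speaker in member AS `local_as` sends to `peer_as`.

    `path` is a list of (segment_type, [asn, ...]) tuples, newest segment first."""
    path = [(seg, list(asns)) for seg, asns in path]      # never mutate the caller's copy
    if peer_as == local_as:
        return path                                       # IBGP inside one member AS: unchanged
    if peer_as in members:
        # confederation-internal EBGP: record the member AS in a confed segment
        if path and path[0][0] == AS_CONFED_SEQUENCE:
            path[0][1].insert(0, local_as)
        else:
            path.insert(0, (AS_CONFED_SEQUENCE, [local_as]))
        return path
    # true external peer: strip every confed segment, prepend the confederation AS
    path = [(seg, asns) for seg, asns in path if seg != AS_CONFED_SEQUENCE]
    if path:
        path[0][1].insert(0, confed_as)
    else:
        path.append((AS_SEQUENCE, [confed_as]))
    return path


def as_path_length(path):
    """Length used in best-path selection: confederation segments do not count."""
    return sum(len(asns) for seg, asns in path if seg == AS_SEQUENCE)


def has_loop(path, local_as, confed_as=CONFED_AS, members=MEMBERS):
    """Receiver-side loop check for a speaker in `local_as`."""
    for seg, asns in path:
        if local_as in asns:
            return True
        # a member seeing its own confederation AS in a public segment means the
        # route left the confederation and came back
        if seg == AS_SEQUENCE and local_as in members and confed_as in asns:
            return True
    return False


def walk(path, hops, members=MEMBERS):
    """Propagate `path` along (sender_as, receiver_as) hops, with the receiver's loop check."""
    for sender, receiver in hops:
        path = advertise(path, sender, receiver, members=members)
        if has_loop(path, receiver, members=members):
            raise ValueError(f"AS {receiver} rejects looped path {path}")
    return path


def visible_ases(path):
    """Flat list of AS numbers as an external observer reads them."""
    return [asn for seg, asns in path if seg == AS_SEQUENCE for asn in asns]


if __name__ == "__main__":
    # a route that 65001 learned from upstream AS 300, relayed across the
    # confederation and finally announced to external AS 200
    inside = walk([(AS_SEQUENCE, [300])], [(65001, 65002), (65002, 65003)])
    outside = advertise(inside, 65003, 200)
    print("inside :", inside, "length", as_path_length(inside))
    print("outside:", outside, "length", as_path_length(outside))
```

The external peer sees only `[100, 300]`: none of the member AS numbers appear, and the path length it uses for selection is the same as if the confederation were one AS. Inside the confederation, the confed segment is what stops a route from circulating among members.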

Configuring Maximum Paths (NSM Procedure)

You can limit the number of routes installed in a routing table based on the number of route paths in the table.

To configure a maximum paths limit in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Routing Options.
5. Select Maximum Paths.
6. Enter the parameters as specified in Table 54 on page 88.
7. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the routing option settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 54: Configuring Maximum Paths Fields

Comment
  Function: Specifies the comment for the maximum path limit.
  Your Action: Enter the comment.

Limit
  Function: Indicates the maximum number of routes. When this limit is reached, a warning is triggered and additional routes are rejected.
  Your Action: Enter the limit value or select a value from the list.

Log Interval
  Function: Indicates the minimum time interval (in seconds) between log messages.
  Your Action: Enter the log interval value or select a value from the list.

Threshold
  Function: Specifies what is done as the routing table approaches or reaches the maximum path value. The options are:
  • threshold: a percentage of the Limit value. When the number of installed routes reaches this percentage, warnings start to be triggered.
  • log-only: sets the route limit as an advisory limit. An advisory limit triggers only a warning; additional routes are not rejected.
  Your Action:
  1. Expand the Maximum Paths tree and select Threshold.
  2. Select the option button.
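The four fields of Table 54 interact: Threshold decides when warnings begin, Limit decides when routes are rejected, log-only turns rejection off, and Log Interval rate-limits the warnings. The following Python model is an added example, not code from this guide or from Junos OS, that replays a constructed feed of prefixes through those rules so the combined behaviour can be seen in one place.

```python
class RouteLimit:
    """Route limit with Limit, Threshold, log-only and Log Interval semantics (model only)."""

    def __init__(self, limit, threshold=None, log_only=False, log_interval=5):
        self.limit = limit                  # Limit: maximum number of routes
        self.threshold = threshold          # Threshold: percent of Limit at which warnings start
        self.log_only = log_only            # log-only: advisory limit, nothing is rejected
        self.log_interval = log_interval    # Log Interval: minimum seconds between warnings
        self.routes = set()
        self.warnings = []                  # (time, message) actually emitted
        self._last_warning = None

    def _warn(self, now, message):
        """Emit a warning unless the previous one is less than log_interval old."""
        if self._last_warning is None or now - self._last_warning >= self.log_interval:
            self.warnings.append((now, message))
            self._last_warning = now
            return True
        return False

    def install(self, now, prefix):
        """Try to add `prefix` at time `now`; returns 'installed', 'present' or 'rejected'."""
        if prefix in self.routes:
            return "present"
        if len(self.routes) >= self.limit and not self.log_only:
            self._warn(now, f"route limit {self.limit} reached, rejecting {prefix}")
            return "rejected"
        self.routes.add(prefix)
        count = len(self.routes)
        if count >= self.limit:
            kind = "advisory limit" if self.log_only else "limit"
            self._warn(now, f"{kind} {self.limit} reached ({count} routes installed)")
        elif self.threshold is not None and count * 100 >= self.limit * self.threshold:
            self._warn(now, f"{count} of {self.limit} routes installed ({self.threshold}% threshold)")
        return "installed"


def replay(limit, threshold=None, log_only=False, log_interval=5):
    """Constructed feed: six prefixes one second apart, then a late seventh."""
    rl = RouteLimit(limit, threshold, log_only, log_interval)
    feed = [(0, "10.0.0.0/24"), (1, "10.0.1.0/24"), (2, "10.0.2.0/24"), (3, "10.0.3.0/24"),
            (4, "10.0.4.0/24"), (5, "10.0.5.0/24"), (12, "10.0.6.0/24")]
    results = [(prefix, rl.install(t, prefix)) for t, prefix in feed]
    return results, rl


if __name__ == "__main__":
    results, rl = replay(limit=4, threshold=75)
    for prefix, status in results:
        print(f"{prefix:14} {status}")
    for t, msg in rl.warnings:
        print(f"t={t:>3}s  {msg}")
```

With Limit 4, Threshold 75 and Log Interval 5 the first warning fires at the third route (75% of 4), the limit warning one second later is suppressed by the log interval, and only the rejection at t=12 produces a second log line; with log-only the same feed installs all seven routes. A hard limit protects the routing table from exhaustion by a misbehaving peer, at the cost of silently dropping whatever arrives after it is hit, so the threshold warning is the signal to watch.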

CHAPTER 8

Configuring Protocols

This chapter contains the following:

• Configuring the BFD Protocol (NSM Procedure) on page 89
• Configuring BGP (NSM Procedure) on page 90
• Configuring 802.1X Authentication (NSM Procedure) on page 93
• Configuring GVRP (NSM Procedure) on page 95
• Configuring IGMP (NSM Procedure) on page 96
• Configuring IGMP Snooping on EX Series Switches (NSM Procedure) on page 98
• Configuring LLDP (NSM Procedure) on page 99
• Configuring LLDP-MED (NSM Procedure) on page 100
• Configuring MSTP (NSM Procedure) on page 101
• Configuring OSPF (NSM Procedure) on page 103
• Configuring RIP (NSM Procedure) on page 106
• Configuring RSTP on EX Series Switches (NSM Procedure) on page 108
• Configuring STP (NSM Procedure) on page 109
• Configuring VSTP (NSM Procedure) on page 111
• Configuring VRRP (NSM Procedure) on page 113

Configuring the BFD Protocol (NSM Procedure)

The Bidirectional Forwarding Detection (BFD) protocol detects failures on the path between two forwarding engines. Because BFD is independent of the underlying media, transport and routing protocols, its detection timers can be set much shorter than the failure detection timers of protocols such as OSPF and IS-IS. A BFD session operates in one of two modes, asynchronous mode or demand mode. In asynchronous mode, both endpoints periodically send Hello (control) packets to each other; if a number of consecutive packets are not received, the session is declared down. In demand mode, no Hello packets are exchanged after the session is established; the endpoints are assumed to have another way to verify connectivity to each other.

To configure BFD:

1. In the navigation tree, select Device Manager > Devices and select the device from the list.
2. In the configuration tree, expand Protocols.
3. Select Bfd.
4. Add or modify the parameters under the respective tabs as specified in Table 55 on page 90.
5. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 55: Configuring Bfd Fields

Comment
  Function: Specifies the comment for BFD.
  Your Action: Enter the comment.

Traceoptions
  Function: Enables you to define tracing operations for BFD on the device. You can configure the trace file, the tracing flags and a filter.
  Your Action:
  1. Expand the Bfd tree and select Traceoptions.
  2. Expand the Traceoptions tree and set up the file and flag parameters.

Configuring BGP (NSM Procedure)

Border Gateway Protocol (BGP) is used for exchanging routing information between autonomous systems, such as Internet service providers. The routing information consists of routing tables listing the known devices, the addresses they can reach and a cost metric associated with the path to each device, so that the best available route can be chosen. The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. This feature enables you to configure BGP peering sessions.

To configure BGP in NSM:

1. In the navigation tree, select Device Manager > Devices and select the device from the list.
2. In the configuration tree, expand Protocols.
3. Select BGP.
4. Add or modify the parameters under the respective tabs as specified in Table 56 on page 91.
5. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 56: BGP Configuration Fields

General
  Function: The general parameters to be set up for BGP.
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the General tab.
  3. Specify the general parameters, such as comment, description, local address and hold time.

Path Selection
  Function: Enables you to specify the path selection criteria.
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the Path Selection tab.
  3. Set up the path selection parameters and MED plus IGP.

Traceoptions
  Function: Defines trace options for BGP.
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the Traceoptions tab.
  3. Set up the file and flag parameters.

Metric Out
  Function: Enables you to specify the metric value to add to the routes advertised to the neighbor.
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the Metric Out tab.
  3. Set up the metric value and minimum IGP.

Multihop
  Function: If an EBGP peer is more than one hop away from the local router, you must enable multihop and specify the next hop to the peer so that the two systems can establish a BGP session. This type of session is called a multihop BGP session.
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the Multihop tab.
  3. Set up the comment and TTL, and specify whether the next hop has to be changed.

Advertise
  Function: Enables you to specify whether BGP advertises the best route it learned even if the routing table did not select it as the active route (Advertise Inactive), and whether routes learned from a peer AS are advertised back to that AS (Advertise Peer As).
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the Advertise tab.
  3. Specify whether Advertise Inactive is set and set up Advertise Peer As.

Import
  Function: Enables you to apply one or more routing policies to routes being imported into the Junos OS routing table from BGP.
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the Import tab.
  3. Specify the import policies to apply to routes received from the peer.

Family
  Function: Enables you to configure the address families (for example, inet) carried by the BGP session.
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the Family tab.
  3. Specify the Family and Inet parameters.
  4. Expand the Inet tree and set up the parameters.

Authentication Settings
  Function: Enables you to specify the authentication settings for BGP. Both peers must be configured with the same key, or with key chains whose keys match; otherwise the session does not establish.
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the Authentication Settings tab.
  3. Specify the authentication key, algorithm and key chain.

Export
  Function: Enables you to apply one or more routing policies to routes being exported from the Junos OS routing table to BGP.
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the Export tab.
  3. Specify the export policies to apply to routes advertised to the peer.

Local As
  Function: Enables you to configure BGP with a different local autonomous system (AS) number for each BGP session.
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the Local As tab.
  3. Enter the comment, AS number and loop count, and specify whether the AS number is private.

Graceful Restart
  Function: Enables you to specify the graceful restart parameters.
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the Graceful Restart tab.
  3. Specify the graceful restart parameters.

Bfd Liveness Detection
  Function: Enables you to configure bidirectional forwarding detection (BFD) timers for the BGP session.
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the Bfd Liveness Detection tab.
  3. Specify the Bfd Liveness Detection parameters, Detection Time and Transmit Interval.

Group
  Function: Enables you to configure a BGP group.
  Your Action:
  1. Expand the Protocol tree.
  2. Select BGP and select the Group tab.
  3. Click the New button or select a group and click the Edit button.
  4. Enter all the group parameters.

Configuring 802.1X Authentication (NSM Procedure)

IEEE 802.1X authentication provides network edge security, protecting Ethernet LANs from denial-of-service (DoS) attacks and preventing unauthorized user access.

802.1X works by using an Authenticator Port Access Entity (the switch) to block all traffic to and from a supplicant (client) at the interface until the supplicant's credentials are presented and validated by the authentication server (a RADIUS server). When the supplicant is authenticated, the switch stops blocking and opens the interface to the supplicant.

To configure 802.1X authentication:

• Specify 802.1X interface settings on the switch.
• Specify the 802.1X exclusion list (static MAC bypass), which names the supplicants that bypass 802.1X authentication and are connected to the LAN automatically.

1. Configuring 802.1X Interface Settings on page 93
2. Configuring Static MAC Bypass on page 95

Configuring 802.1X Interface Settings

To configure 802.1X interface settings:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure 802.1X settings.
2. In the Configuration tree, expand Protocols > Dot1x.
3. Select Authenticator > Interface.
4. Click the Add icon.
5. Add or modify the settings for the interface as specified in Table 57 on page 94.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 57: 802.1X Authentication for an Interface

Authentication Profile Name
  Function: Specifies the name for the profile.
  Your Action: Enter the name.

Interface Name
  Function: Specifies the interface for which 802.1X authentication is being configured.
  Your Action: Select Interface, click the Add icon and enter the interface name.

Disable
  Function: Disables 802.1X authentication on the interface.
  Your Action: Select to disable authentication.

Supplicant
  Function: Specifies the mode to be adopted for supplicants:
  • Single: allows only one host to authenticate on the interface.
  • Multiple: allows multiple hosts; each host is authenticated before being admitted to the network.
  • Single authentication for multiple hosts: allows multiple hosts, but only the first is authenticated; the others are admitted on the strength of that first authentication.
  Your Action: Select the required mode.

Retries
  Function: Maximum number of retries.
  Your Action: Select a value from the list.

Quiet Period
  Function: Specifies how long the port waits after an authentication failure before it accepts another attempt.
  Your Action: Select a value from the list.

Transmit Period
  Function: Specifies the retransmit interval.
  Your Action: Select a value from the list.

Supplicant Timeout
  Function: Port timeout value for the response from the supplicant.
  Your Action: Select a value from the list.

Server Timeout
  Function: Port timeout value for the response from the RADIUS server.
  Your Action: Select a value from the list.

Maximum Requests
  Function: Specifies the maximum number of authentication requests to be made to the server.
  Your Action: Select a value from the list.

Guest Vlan
  Function: Specifies the guest VLAN to move the interface to if authentication fails. Because every failed supplicant lands in this VLAN, it should reach only what an unauthenticated device is meant to see.
  Your Action: Enter the VLAN name.

Reauthentication
  Function: Specifies whether periodic reauthentication is enabled on the selected interface.
  Your Action: Select Reauthentication, then select one of none, reauthentication or no-reauthentication.

Configuring Static MAC Bypass

Configure the MAC addresses (supplicants) and interfaces that are to be excluded from 802.1X authentication; a supplicant on this list is admitted to the LAN without being authenticated. Because the bypass trusts nothing but the source MAC address, which any host can set, limit each entry to the interface where that device is actually connected.

To configure the 802.1X exclusion:

1. In the Name field, specify the MAC address to be excluded from 802.1X authentication.
2. Specify the interface through which the supplicant bypasses authentication when connected.
3. Specify the VLAN to move the supplicant to once it is admitted.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.
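The three supplicant modes in Table 57, the guest VLAN and the static MAC bypass combine into a small port-access policy. The following Python model is an added example, not code from this guide or from Junos OS: it decides, for a constructed sequence of hosts appearing on a port, who is admitted and into which VLAN, using the RADIUS verdict as a given rather than performing any EAP or RADIUS exchange. VLAN names, port names and MAC addresses are made up for the example. It shows the point practitioners most often miss: in single-authentication-for-multiple-hosts mode a device with bad credentials is admitted as soon as any other device on the port has authenticated.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Supplicant modes from Table 57
SINGLE = "single"                               # only one host on the interface
MULTIPLE = "multiple"                           # every host authenticated on its own
SINGLE_FOR_MULTIPLE = "single-for-multiple"     # first host authenticated, the rest ride along


@dataclass
class Port:
    name: str
    mode: str
    data_vlan: str = "employees"                        # VLAN for authenticated hosts (constructed)
    guest_vlan: Optional[str] = None                    # Guest Vlan field; None means no guest VLAN
    static_bypass: Dict[str, str] = field(default_factory=dict)   # Static MAC Bypass: MAC -> VLAN
    hosts: Dict[str, Tuple[str, Optional[str]]] = field(default_factory=dict)  # MAC -> (state, VLAN)


def admit(port: Port, mac: str, credentials_ok: Optional[bool]):
    """Decide what happens when `mac` appears on `port`.

    credentials_ok is the RADIUS verdict for this supplicant (None: no EAP
    exchange at all, e.g. a printer). Returns (state, vlan) with state one of
    authorized / bypass / piggyback / guest / blocked."""
    mac = mac.lower()
    if mac in port.hosts:
        return port.hosts[mac]                          # already decided for this session

    present = [m for m, (state, _) in port.hosts.items() if state != "blocked"]
    authorized = [m for m in present if port.hosts[m][0] == "authorized"]

    if port.mode == SINGLE and present:
        outcome = ("blocked", None)                     # a second host is never admitted
    elif mac in port.static_bypass:
        outcome = ("bypass", port.static_bypass[mac])   # exclusion list: no authentication at all
    elif port.mode == SINGLE_FOR_MULTIPLE and authorized:
        # the first host's authentication covers everyone behind the port
        outcome = ("piggyback", port.hosts[authorized[0]][1])
    elif credentials_ok:
        outcome = ("authorized", port.data_vlan)
    elif port.guest_vlan is not None:
        outcome = ("guest", port.guest_vlan)            # failed or absent credentials
    else:
        outcome = ("blocked", None)
    port.hosts[mac] = outcome
    return outcome


def run(port: Port, events):
    """Apply (mac, credentials_ok) arrivals in order; return MAC -> (state, VLAN)."""
    for mac, ok in events:
        admit(port, mac, ok)
    return dict(port.hosts)


def scenario():
    """Constructed arrivals replayed on three ports, one per supplicant mode."""
    arrivals = [("00:11:22:33:44:aa", True),        # laptop with valid credentials
                ("00:11:22:33:44:bb", False),       # device whose credentials fail
                ("00:11:22:33:44:cc", None)]        # printer with no supplicant
    bypass = {"00:11:22:33:44:cc": "printers"}
    ports = {
        SINGLE: Port("ge-0/0/1", SINGLE, guest_vlan="guest"),
        MULTIPLE: Port("ge-0/0/2", MULTIPLE, guest_vlan="guest", static_bypass=bypass),
        SINGLE_FOR_MULTIPLE: Port("ge-0/0/3", SINGLE_FOR_MULTIPLE, guest_vlan="guest"),
    }
    return {mode: run(port, arrivals) for mode, port in ports.items()}


if __name__ == "__main__":
    for mode, hosts in scenario().items():
        print(mode)
        for mac, (state, vlan) in hosts.items():
            print(f"  {mac}  {state:10} {vlan}")
```

Running the scenario shows the failing device blocked in single mode, placed in the guest VLAN in multiple mode, and admitted to the employee VLAN as a piggyback in single-authentication-for-multiple-hosts mode; the printer gets in only where its MAC is on the bypass list of that port.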

Configuring GVRP (NSM Procedure)

As a network expands and the number of clients and VLANs increases, VLAN administration becomes complex, and the task of efficiently configuring VLANs on multiple switches becomes increasingly difficult. To automate VLAN administration, you can enable GARP VLAN Registration Protocol (GVRP) on the network.

GVRP learns VLANs on a particular 802.1Q trunk port and adds the trunk port to the VLAN if the advertised VLAN is preconfigured or already exists on the switch. For example, if a VLAN named "sales" is advertised to trunk port 1 on the GVRP-enabled device, the device adds trunk port 1 to the sales VLAN, provided the sales VLAN already exists on the switch.

As individual ports become active and send a request to join a VLAN, the VLAN configuration is updated and propagated among the switches. Limiting the VLAN configuration to active participants reduces the network overhead. GVRP also provides the benefit of pruning VLANs to limit the scope of broadcast, unknown unicast, and multicast (BUM) traffic to interested devices only.

To configure GVRP:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device.
2. In the configuration tree, expand Protocols.
3. Select GVRP.
4. Click the Add icon.
5. Add or modify GVRP settings for the interface as specified in Table 58 on page 96.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 58: GVRP Configuration Fields

Disable
  Function: Disables GVRP on the interface.
  Your Action: Click to select.

Join Timer
  Function: Specifies the maximum number of milliseconds the interfaces wait before sending VLAN advertisements.
  Your Action: Select a value.

Leave Timer
  Function: Specifies the number of milliseconds an interface must wait after receiving a leave message before removing the interface from the VLAN specified in the message.
  Your Action: Select a value.

Leaveall Timer
  Function: Specifies the interval at which Leave All messages are sent on interfaces. Leave All messages help maintain current GVRP VLAN membership information in the network.
  Your Action: Select a value.

Configuring IGMP (NSM Procedure)

Internet Group Management Protocol (IGMP) is an Internet protocol that provides a way for an IP host to report its multicast group membership to adjacent routers. This feature enables you to associate IGMP with an interface and allocate it to a multicast group.

To configure IGMP in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand Protocols and select IGMP.
5. Add or modify the parameters as specified in Table 59 on page 97.
6. Click one:
• OK—To save the changes.
• Cancel—To cancel the modifications.
• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 59: IGMP Configuration Fields

Comment
  Function: Specifies the comment for IGMP.
  Your Action: Enter a comment.

Query Interval
  Function: Defines how often the device sends general host-query messages.
  Your Action: Select the query interval.

Query Response Interval
  Function: Defines how long the querying router or switch waits to receive a response to a host-query message from a host.
  Your Action: Enter the query response interval.

Query Last Member Interval
  Function: Defines how often the device sends group-specific query messages.
  Your Action: Enter the query last member interval.

Robust Count
  Function: Defines the number of intervals the device waits before removing a multicast group from the multicast forwarding table.
  Your Action: Select the robust count.

Accounting
  Function: Specifies whether accounting is enabled for IGMP.
  Your Action: Select to enable accounting.

Interfaces
  Function: Specifies the interface and the multicast group to be associated with IGMP.
  Your Action:
  1. Expand the IGMP tree and select Interfaces.
  2. Click the New button or select an interface and click the Edit button.
  3. Select Disable to disable IGMP on the interface.
  4. Select the version.
  5. Specify the Ssm Map.
  6. Optionally enable Immediate Leave and Promiscuous Mode.
  7. Optionally enable accounting on the interface.
  8. Select Interface > Static to configure the multicast group to be associated with the interface.

Traceoptions
  Function: Defines trace options for IGMP.
  Your Action:
  1. Expand the IGMP tree and select Traceoptions.
  2. Enter a comment for traceoptions.
  3. Expand the Traceoptions tree, select File and set up the file parameters.
  4. In the Traceoptions tree, select Flag and set up or edit the flag parameters.

Configuring IGMP Snooping on EX Series Switches (NSM Procedure)

IGMP snooping regulates multicast traffic in a network. With IGMP snooping enabled, a LAN switch monitors the IGMP transmissions between a host (a network device) and a multicast router, keeping track of the multicast groups and their member ports. The switch uses that information to make intelligent multicast-forwarding decisions and forward traffic only to the intended destination interfaces.

You can configure IGMP snooping on one or more VLANs to allow the switch to examine IGMP packets and make forwarding decisions based on packet content. By default, IGMP snooping is disabled on a device.

NOTE: When IGMP snooping is enabled on a VLAN, traffic for a given group is flooded to all member ports until IGMP snooping discovers at least one member of the group in the given VLAN.

To enable IGMP snooping and configure individual options:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure IGMP snooping.
2. In the Configuration tree, expand Protocols.
3. Select IGMP Snooping > Vlan.
4. Click the Add icon.
5. Add or modify the settings for the VLAN as specified in Table 60 on page 98.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 60: IGMP Snooping Configuration Fields

Name
  Function: Specifies the VLAN for which IGMP snooping is being enabled.
  Your Action: Click Add and select Port or VLAN. Next, select the interfaces or VLANs.

Query Interval
  Function: Specifies the query interval on the VLAN.
  Your Action: Select a value.

Query Last Member Interval
  Function: Specifies the last member query interval on the VLAN.
  Your Action: Select a value.

Query Response Interval
  Function: Specifies the query response interval on the VLAN.
  Your Action: Select a value.

Robust Count
  Function: Specifies the number of timeout intervals the switch waits before timing out a multicast group.
  Your Action: Select a value.

Immediate Leave
  Function: Immediately removes a multicast group membership from an interface when the switch receives a leave message on that interface, and suppresses the group-specific queries that would otherwise be sent for the group. Enable it only on interfaces with a single receiver; with several receivers behind one interface, the others lose the stream when one of them leaves.
  Your Action: Select the option to enable it.

Interface
  Function: Statically configures an interface as a switching interface toward a multicast router (the interface that receives multicast traffic), or statically configures IGMP group membership on a port.
  Your Action:
  1. Select the VLAN.
  2. Select the option Multicast Router Interface.
  3. Select Static > Group.
  4. Specify the group name to configure IGMP group membership on the port.
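The timers in Table 60 determine how long a snooping switch keeps forwarding a group to a port after the last report, and how a leave is handled with and without Immediate Leave. The following Python model is an added example, not code from this guide or from Junos OS. It keeps a membership table for one VLAN with time passed in explicitly (seconds), uses the RFC 2236 group membership interval (robust count × query interval + query response interval) and a last-member window of robust count × last member query interval, and floods a group with no known member as the NOTE above describes. Port names, group and timer values are constructed.

```python
class SnoopingVlan:
    """IGMP snooping membership table for one VLAN (model only)."""

    def __init__(self, ports, query_interval=125, query_response_interval=10,
                 query_last_member_interval=1, robust_count=2, immediate_leave=False):
        self.ports = set(ports)
        self.mrouter_ports = set()          # statically configured multicast router interfaces
        self.members = {}                   # group -> {port: expiry time}
        self.pending = {}                   # (group, port) -> time after which the port is dropped
        # how long a learned port lives without a fresh report (RFC 2236 group membership interval)
        self.membership_interval = robust_count * query_interval + query_response_interval
        # how long other members get to answer the group-specific queries sent after a leave
        self.last_member_time = robust_count * query_last_member_interval
        self.immediate_leave = immediate_leave

    def add_mrouter_port(self, port):
        """Table 60 'Interface': mark a port as facing the multicast router."""
        self.mrouter_ports.add(port)

    def report(self, now, port, group):
        """Membership report seen on `port`: (re)learn it and cancel any pending leave."""
        self.members.setdefault(group, {})[port] = now + self.membership_interval
        self.pending.pop((group, port), None)

    def leave(self, now, port, group):
        """Leave message seen on `port`."""
        if port not in self.members.get(group, {}):
            return
        if self.immediate_leave:
            self._drop(group, port)
        else:
            # group-specific queries go out; keep forwarding until they go unanswered
            self.pending[(group, port)] = now + self.last_member_time

    def _drop(self, group, port):
        self.members.get(group, {}).pop(port, None)
        if group in self.members and not self.members[group]:
            del self.members[group]
        self.pending.pop((group, port), None)

    def expire(self, now):
        """Age out ports whose membership or last-member timers have run down."""
        for group, ports in list(self.members.items()):
            for port, expiry in list(ports.items()):
                if now >= expiry or now >= self.pending.get((group, port), float("inf")):
                    self._drop(group, port)

    def egress(self, now, group, ingress):
        """Ports that receive a frame for `group` arriving on `ingress` at time `now`."""
        self.expire(now)
        member_ports = set(self.members.get(group, {}))
        if not member_ports:
            return self.ports - {ingress}        # no member known yet: flood (see the NOTE)
        return (member_ports | self.mrouter_ports) - {ingress}


if __name__ == "__main__":
    vlan = SnoopingVlan(["ge-0/0/1", "ge-0/0/2", "ge-0/0/3", "ge-0/0/4"])
    vlan.add_mrouter_port("ge-0/0/4")
    group = "239.1.1.1"
    print("before any report:", sorted(vlan.egress(0, group, "ge-0/0/4")))
    vlan.report(0, "ge-0/0/1", group)
    print("after report     :", sorted(vlan.egress(1, group, "ge-0/0/4")))
    vlan.leave(10, "ge-0/0/1", group)
    print("1s after leave   :", sorted(vlan.egress(11, group, "ge-0/0/4")))
    print("2s after leave   :", sorted(vlan.egress(12, group, "ge-0/0/4")))
```

With the defaults a port that stops reporting keeps receiving the group for 260 seconds, and a leave without Immediate Leave keeps the port for two more seconds while group-specific queries are sent; a report arriving in that window cancels the removal. With Immediate Leave the port is dropped on the spot, which is exactly why it belongs only on single-receiver interfaces.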

Configuring LLDP (NSM Procedure)

EX Series switches use Link Layer Discovery Protocol (LLDP) and Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED) to learn and distribute device information on network links. The information allows the switch to quickly identify a variety of devices, resulting in a LAN that interoperates smoothly and efficiently.

To configure LLDP:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure LLDP.
2. In the configuration tree, expand Protocols > LLDP.
3. Add or modify LLDP settings as specified in Table 61 on page 99.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 61: LLDP Configuration Fields

Disable
  Function: Specifies whether LLDP is disabled.
  Your Action: Click to select the option.

Advertisement Interval
  Function: Specifies the frequency of outbound LLDP advertisements. You can increase or decrease this interval.
  Your Action: Select a value.

Transmit Delay
  Function: Specifies the delay the switch applies between successive advertisements. You can increase this interval to reduce the frequency of successive advertisements.
  Your Action: Select a value.

Hold Multiplier
  Function: Specifies the multiplier an LLDP-enabled switch uses to calculate the time-to-live (TTL) value for the LLDP advertisements it generates and transmits to LLDP neighbors (TTL is the advertisement interval multiplied by the hold multiplier).
  Your Action: Select a value.

Ptopo Configuration Trap Interval
  Function: Specifies the interval for the transmission of ptopo (physical topology MIB) configuration change notifications.
  Your Action: Select a value.

Ptopo Configuration Maximum Hold Time
  Function: Specifies the time interval for which an agent maintains dynamic ptopo connection entries.
  Your Action: Select a value.

Interface
  Function: Specifies LLDP settings for an individual interface.
  Your Action:
  1. Select the interface.
  2. Select Disable if LLDP must be disabled on that specific interface.

Configuring LLDP-MED (NSM Procedure)

Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED) is an extension of LLDP. An EX Series switch uses LLDP-MED to support device discovery of VoIP telephones and to create location databases for these telephone locations for emergency services. The configured location information is used during emergency calls to identify the location of the LLDP-MED device.

To configure LLDP-MED:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure LLDP-MED.

2. In the configuration tree, expand Protocols > LLDP-MED.

3. Add/modify LLDP-MED settings as specified in Table 62 on page 101.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 62: LLDP-MED Configuration Fields

Disable
  Function: Specifies whether LLDP-MED is disabled globally on the switch.
  Your Action: Click to select the option.

Fast Start
  Function: Specifies the number of LLDP-MED advertisements the switch sends in the first second after it has detected an LLDP-MED device.
  Your Action: Select a value.

Interface
  Function: Specifies LLDP-MED settings for an individual interface.
  Your Action:
  1. Select the interface.
  2. Select Disable if LLDP-MED must be disabled on that specific interface.
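The Junos CLI equivalent of Tables 61 and 62, as an added example that is not part of the NSM guide: NSM pushes the same statements to the switch. Global timers are set once, LLDP is enabled on every interface and then explicitly disabled on the two ports that face unmanaged equipment. The interface names and timer values are assumptions chosen for illustration.

```junos
## Added example, not from the NSM guide. Interface names and values are assumed.

## Global LLDP timers. The TTL a neighbor keeps our entry for is
## advertisement-interval x hold-multiplier = 30 s x 4 = 120 s.
set protocols lldp advertisement-interval 30
set protocols lldp hold-multiplier 4
set protocols lldp transmit-delay 2
set protocols lldp ptopo-configuration-trap-interval 30
set protocols lldp ptopo-configuration-maximum-hold-time 300

## Run LLDP everywhere, then switch it off where the peer is not ours
## (guest-network ports in this example) so the switch does not hand its
## name, capabilities and management address to an untrusted device.
set protocols lldp interface all
set protocols lldp interface ge-0/0/20 disable
set protocols lldp interface ge-0/0/21 disable

## LLDP-MED: three advertisements in the first second after a phone is
## detected, and the same exclusions as above.
set protocols lldp-med fast-start 3
set protocols lldp-med interface all
set protocols lldp-med interface ge-0/0/20 disable
set protocols lldp-med interface ge-0/0/21 disable

## After commit, confirm which neighbors the switch now sees:
##   show lldp neighbors
##   show lldp statistics
```

The `interface all` plus per-interface `disable` pattern is the practical way to keep the exclusion list short and auditable; `show lldp neighbors` after the commit is the check that nothing unexpected is still exchanging TLVs on the excluded ports.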

Configuring MSTP (NSM Procedure)

Multiple Spanning Tree Protocol (MSTP) is used to create a loop-free topology in networks using multiple spanning tree regions, each region containing multiple spanning-tree instances (MSTIs). MSTIs provide different paths for different VLANs. This functionality facilitates better load sharing across redundant links.

MSTP supports up to 64 regions, each one capable of supporting 4094 MSTIs.

To configure MSTP:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure MSTP.

2. In the Configuration tree, expand Protocols > MSTP.

3. Add/modify MSTP settings as specified in Table 63 on page 102.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.


Table 63: MSTP Configuration Fields

Disable
  Function: Specifies whether MSTP is disabled on the switch.
  Your Action: Click to select the option.

Configuration Name
  Function: Specifies the MSTP region configuration name. Switches belong to the same region only if they share the same configuration name, revision level and VLAN-to-MSTI mapping.
  Your Action: Type a name.

Revision Level
  Function: Specifies the configuration revision level.
  Your Action: Select a value.

Max Hops
  Function: Specifies the number of hops a BPDU can travel within a region before it is discarded.
  Your Action: Select a value.

Max Age
  Function: Specifies the maximum aging time for all MST instances. The maximum aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration.
  Your Action: Select a value.

Hello time
  Function: Specifies the hello time for all MST instances.
  Your Action: Select a value.

Forward Delay
  Function: Specifies the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state.
  Your Action: Select a value.

Bridge Priority
  Function: Specifies the bridge priority.
  Your Action: Enter a value.

Bpdu Block on Edge
  Function: Specifies whether an interface configured as an edge port is disabled when it receives a BPDU. This protects the spanning tree from a switch, or a host that bridges traffic, being attached to a port that should only ever carry end-host traffic.
  Your Action: Select to enable the feature.

Interface
  Function: Specifies MSTP settings for the interface.
  Your Action:
  1. Click the expand icon.
  2. Specify the interface name.
  3. Specify the port priority.
  4. Specify the path cost. MSTP uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission.
  5. Specify the mode. The link type can be shared or point-to-point.
  6. Select Edge to mark the interface as an edge port (one that connects to an end host rather than to another switch).
  7. Select No root port to prevent the interface from ever becoming the root port (root protection).
  8. Click OK.
  9. Specify the Bpdu timeout action, taken when the interface stops receiving BPDUs within the timeout (loop protection): Block or Alarm.

Msti
  Function: Specifies MST instance settings for an interface or VLAN.
  Your Action:
  1. Specify the Msti ID.
  2. Enter a comment.
  3. Specify the bridge priority.
  4. Click OK.
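The CLI form of Table 63, as an added example that is not part of the NSM guide. It shows the three settings that have to agree across the region, two MSTIs with their VLAN mapping and priorities, and the edge-port protection. The region name, VLAN IDs, priorities and interface names are assumptions.

```junos
## Added example, not from the NSM guide. Region name, VLANs and interfaces are assumed.

## Region identity. Every switch in the region must carry the same
## configuration-name, revision-level and VLAN-to-MSTI mapping; a switch
## that differs in any of the three silently forms a region of its own.
set protocols mstp configuration-name CAMPUS-ACCESS
set protocols mstp revision-level 1
set protocols mstp max-hops 20

## Timers apply to every MSTI. Keep 2 x (forward-delay - 1) >= max-age
## >= 2 x (hello-time + 1), the 802.1D relationship; these are the defaults.
set protocols mstp max-age 20
set protocols mstp hello-time 2
set protocols mstp forward-delay 15

## This switch is root for the CIST and MSTI 1; the peer switch would use
## the mirrored priorities so MSTI 2 takes the other uplink.
set protocols mstp bridge-priority 4k
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 bridge-priority 4k
set protocols mstp msti 2 vlan 30
set protocols mstp msti 2 vlan 40
set protocols mstp msti 2 bridge-priority 8k

## Uplink toward the core: point-to-point, never an edge port.
set protocols mstp interface ae0 mode point-to-point

## Access port: edge, and disable the port if a BPDU ever arrives on it.
set protocols mstp interface ge-0/0/10.0 edge
set protocols mstp interface ge-0/0/10.0 mode point-to-point
set protocols mstp bpdu-block-on-edge

## Verify: show spanning-tree mstp configuration ; show spanning-tree interface
```

`show spanning-tree mstp configuration` on each switch is the check that the region digest matches; two switches that print different digests are not in the same region, whatever their configuration names say.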

Configuring OSPF (NSM Procedure)

OSPF uses the shortest path first (SPF) algorithm to determine the route to reach each destination. All devices in an area run this algorithm in parallel, storing the results in their individual topological databases. Devices with interfaces to multiple areas run multiple copies of the algorithm.

To configure OSPF in NSM:

1. In the navigation tree select Device Manager > Devices.

2. In the Devices list, double-click the device to select it.

3. Click the Configuration tab.

4. In the configuration tree, expand Protocols and select OSPF.

5. Add/Modify the parameters under the respective tabs as specified in Table 64 on page 103.

6. Click one:

• OK—To save the changes.

• Cancel—To cancel the modifications.

• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 64: OSPF Configuration Fields

OSPF

Comment
  Function: Specifies the comment for OSPF.
  Your Action: Enter the comment.

Disable
  Function: Specifies whether to disable the OSPF configuration.
  Your Action: Specify whether to enable or disable OSPF. To enable OSPF, clear the check box. To disable OSPF, select the check box.

Prefix Export Limit
  Function: Configures a limit on the number of prefixes that can be exported into OSPF.
  Your Action: Enter the prefix export limit or select from the list.

Rib Group
  Function: Specifies the routing table group.
  Your Action: Select the rib group from the list.

Route Type Community
  Function: Specifies an extended community value used to encode the OSPF route type.
  Your Action: Select the route type community from the list.

Domain VPN Tag
  Function: Specifies the virtual private network (VPN) tag for OSPFv2 external routes generated by the provider edge (PE) router.
  Your Action: Enter the domain VPN tag or select from the list.

Preference
  Function: Specifies the route preference for OSPF internal routes.
  Your Action: Enter the preference or select from the list.

External Preference
  Function: Specifies the route preference for OSPF external routes.
  Your Action: Enter the external route preference or select from the list.

Reference Bandwidth
  Function: Specifies the reference bandwidth used in calculating the default interface cost.
  Your Action: Enter the reference bandwidth.

No RFC 1583
  Function: Disables compatibility with RFC 1583. Disabling compatibility with RFC 1583 (the behavior RFC 2328 recommends) can prevent routing loops; set it the same way on every router in the routing domain.
  Your Action: Specify whether to configure RFC 1583 compatibility. To enable compatibility with RFC 1583, clear the check box. To disable compatibility with RFC 1583, select the check box.

No NSSA ABR
  Function: Disables NSSA area border router (ABR) behavior on this router.
  Your Action: Specify whether NSSA ABR has to be configured. To enable NSSA ABR, clear the check box. To disable NSSA ABR, select the check box.

Area
  Function: Enables you to set up the area details for OSPF.
  Your Action:
  1. Expand the OSPF tree and select Area.
  2. Set up the area range, interface, sham link remote, stub and virtual link.

Domain ID
  Function: Enables you to configure the domain ID for OSPF.
  Your Action:
  1. Expand the OSPF tree and select Domain ID.
  2. Specify the domain ID.

Export
  Function: Enables you to specify the export policies that control which routes OSPF advertises.
  Your Action:
  1. Expand the OSPF tree and select Export.
  2. Specify the export policies.

Graceful Restart
  Function: Enables you to specify the graceful restart parameters for OSPF.
  Your Action:
  1. Expand the OSPF tree and select Graceful Restart.
  2. Set up the graceful restart parameters.

Import
  Function: Enables you to specify the import policies that control which OSPF-learned routes are installed in the routing table.
  Your Action:
  1. Expand the OSPF tree and select Import.
  2. Specify the import policies.

Overload
  Function: Enables you to configure the local router so that it appears to be overloaded. You might do this when you want the router to participate in OSPF routing, but do not want it to be used for transit traffic.
  Your Action:
  1. Expand the OSPF tree and select Overload.
  2. Specify the comment and timeout.

Sham Link
  Function: Enables you to configure the local endpoint of a sham link.
  Your Action:
  1. Expand the OSPF tree and select Sham Link.
  2. Enable the feature and specify the comment and local address.

SPF Options
  Function: Enables you to configure options for running the shortest-path-first (SPF) algorithm. You can configure a delay for when to run the SPF algorithm after a network topology change is detected, the maximum number of times the SPF algorithm can run in succession, and a holddown interval after the SPF algorithm runs the maximum number of times.
  Your Action:
  1. Expand the OSPF tree and select SPF Options.
  2. Specify the comment, delay, holddown and rapid runs.

Traceoptions
  Function: Enables you to configure OSPF protocol-level tracing options.
  Your Action:
  1. Expand the OSPF tree and select Traceoptions.
  2. Expand the Traceoptions tree and set up the file and flag parameters.
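The CLI form of the Table 64 settings, as an added example that is not part of the NSM guide. It goes one step beyond the table: authentication and passive mode are per-interface settings made under Area, and they are what keeps a host on a user VLAN from forming an adjacency or injecting LSAs. Interface names, the policy, the prefix and the key are assumptions.

```junos
## Added example, not from the NSM guide. Interfaces, policy, prefix and key are assumed.

## Global settings from Table 64.
set protocols ospf reference-bandwidth 10g
set protocols ospf preference 10
set protocols ospf external-preference 150
set protocols ospf no-rfc-1583
set protocols ospf prefix-export-limit 100
set protocols ospf spf-options delay 200
set protocols ospf spf-options holddown 5000
set protocols ospf spf-options rapid-runs 3

## Export only what the policy names; the final reject is what stops an
## accidental full-table redistribution.
set policy-options policy-statement OSPF-EXPORT term statics from protocol static
set policy-options policy-statement OSPF-EXPORT term statics from route-filter 10.20.0.0/16 orlonger
set policy-options policy-statement OSPF-EXPORT term statics then accept
set policy-options policy-statement OSPF-EXPORT term last then reject
set protocols ospf export OSPF-EXPORT

## Area 0 uplink: point-to-point with MD5 authentication (key is 1 to 16
## characters), so a device spliced into the link cannot become a neighbor.
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 1 key "Ospf-K3y-2013"

## User-facing routed VLAN interfaces: advertised, but no hellos are sent
## and no adjacency can form there.
set protocols ospf area 0.0.0.0 interface vlan.10 passive
set protocols ospf area 0.0.0.0 interface vlan.20 passive

## Stay out of transit paths for five minutes after a restart (Overload).
set protocols ospf overload timeout 300

## Verify: show ospf neighbor ; show ospf interface detail ; show ospf overview
```

`show ospf interface detail` lists the authentication type per interface; an interface that shows None on a segment you did not mark passive is the thing to fix first.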


Configuring RIP (NSM Procedure)

Routing Information Protocol (RIP) is an interior gateway protocol (IGP) typically used in small, homogeneous networks. RIP uses distance-vector routing to route information through IP networks. Distance-vector routing requires that each device simply informs its neighbors of its routing table. For each network path, the receiving device picks the neighbor advertising the lowest metric, then adds this entry into its routing table for readvertisement. Any host that uses RIP is assumed to have interfaces to one or more networks. These networks are considered to be directly connected networks. RIP relies on access to certain information about each of these networks. The most important information is the network's metric. RIP uses the hop count as the metric (also known as cost) to compare the value of different routes. The hop count is the number of devices that data packets must traverse between RIP networks.

To configure RIP in NSM:

1. In the navigation tree select Device Manager > Devices.

2. In the Devices list, double-click the device to select it.

3. Click the Configuration tab.

4. In the configuration tree, expand Protocols and select Rip.

5. Add/Modify the parameters under the respective tabs as specified in Table 65 on page 106.

6. Click one:

• OK—To save the changes.

• Cancel—To cancel the modifications.

• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 65: RIP Configuration Fields

RIP

Comment
  Function: Specifies the comment for RIP.
  Your Action: Enter the comment.

Metric In
  Function: Specifies the metric to add to routes received from RIP neighbors before they are installed.
  Your Action: Specify the metric to add to incoming routes.

Message Size
  Function: Specifies the number of route entries to be included in every RIP update message.
  Your Action: Enter the message size or select from the list.

Hold Down
  Function: Specifies the hold-down period, the time an expired route is retained in the routing table before it is removed.
  Your Action: Enter the hold down value or select from the list.

Route Timeout
  Function: Specifies how long a route learned from a neighbor remains valid if no update refreshes it.
  Your Action: Enter the route timeout or select from the list.

Update Interval
  Function: Enables you to configure the interval at which routes learned by RIP are periodically sent to neighbors.
  Your Action: Enter the update interval or select from the list.

Authentication Type
  Function: Specifies the type of authentication applied to RIP packets received on an interface: none, simple or MD5. Choose MD5; a simple password is carried in cleartext in every RIP packet, so anyone on the segment can read it and then send forged updates.
  Your Action: Select the authentication type from the list.

Authentication Key
  Function: Specifies the authentication key for RIP packets received on an interface. The key is stored in the device configuration in obfuscated, not encrypted, form, so treat the configuration itself as sensitive.
  Your Action: Enter the authentication key.

Graceful Restart
  Function: Enables you to specify the graceful restart parameters for RIP.
  Your Action:
  1. Expand the RIP tree and select Graceful Restart.
  2. Enable the feature and set up the graceful restart parameters.

Group
  Function: Specifies RIP neighbors that share an export policy and metric. The export policy and metric govern what routes to advertise to neighbors in a given group.
  Your Action:
  1. Expand the RIP tree and select Group.
  2. Click the New button, or select a group and click the Edit button.
  3. Set up the Bfd Liveness Detection, Export, Import and Neighbor settings for RIP.

Import
  Function: Enables you to specify the import policies that control which received RIP routes are accepted.
  Your Action:
  1. Expand the RIP tree and select Import.
  2. Specify the import policies.

Receive
  Function: Enables you to configure RIP receive options.
  Your Action:
  1. Expand the RIP tree and select Receive.
  2. Specify the receive options.

RIB Group
  Function: Specifies the routing table group.
  Your Action:
  1. Expand the RIP tree and select Rib Group.
  2. Specify the comment and ribgroup name.

Send
  Function: Enables you to configure RIP send options.
  Your Action:
  1. Expand the RIP tree and select Send.
  2. Specify the send options.

Traceoptions
  Function: Enables you to configure RIP protocol-level tracing options.
  Your Action:
  1. Expand the RIP tree and select Traceoptions.
  2. Expand the Traceoptions tree and set up the file and flag parameters.
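The CLI form of Table 65, as an added example that is not part of the NSM guide. It pairs the timers with the two settings that decide how much an attacker on the segment can do: MD5 authentication and RIPv2-only reception, since RIPv1 carries no authentication field at all. The group name, policy, interface names and key are assumptions.

```junos
## Added example, not from the NSM guide. Group, policy, interfaces and key are assumed.

## Timers and message sizing from Table 65 (these are the Junos defaults).
set protocols rip update-interval 30
set protocols rip route-timeout 180
set protocols rip holddown 120
set protocols rip message-size 25
set protocols rip metric-in 1

## MD5, not simple: a simple password travels in cleartext in every
## update. The key is 1 to 16 characters.
set protocols rip authentication-type md5
set protocols rip authentication-key "Rip-K3y-2013"

## Accept only RIPv2 and send RIPv2 multicast; RIPv1 packets (which cannot
## carry authentication) are ignored.
set protocols rip receive version-2
set protocols rip send multicast

## Junos exports nothing into RIP by default, not even RIP-learned routes.
## Advertise directly connected networks only; the final reject keeps
## routes from other protocols out of RIP unless a term names them.
set policy-options policy-statement RIP-OUT term connected from protocol direct
set policy-options policy-statement RIP-OUT term connected then accept
set policy-options policy-statement RIP-OUT term last then reject

## The group binds the export policy to the neighbors that receive it.
set protocols rip group EDGE export RIP-OUT
set protocols rip group EDGE neighbor ge-0/0/5.0
set protocols rip group EDGE neighbor ge-0/0/6.0

## Verify: show rip neighbor ; show rip statistics
```

If RIP-learned routes also need to be re-advertised, add a term with `from protocol rip then accept` to the export policy; without it the switch learns routes but never passes them on, which is easy to mistake for an authentication problem.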

Configuring RSTP on EX Series Switches (NSM Procedure)

EX Series switches use Rapid Spanning Tree Protocol (RSTP) to provide a loop-free topology. RSTP identifies certain links as point-to-point. When a point-to-point link fails, the alternate link can transition to the forwarding state. RSTP provides better reconvergence time than the original STP because it uses protocol handshake messages rather than fixed timeouts. Eliminating the need to wait for timers to expire makes RSTP more efficient than STP.

To configure RSTP:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure RSTP.

2. In the Configuration tree, expand Protocols > RSTP.

3. Add/modify RSTP settings as specified in Table 66 on page 108.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 66: RSTP Configuration Fields

Disable
  Function: Specifies whether RSTP is disabled on the switch.
  Your Action: Click to select the option.

Bridge Priority
  Function: Specifies the bridge priority, which determines which bridge is elected as the root bridge. Give the intended root the lowest value so that a newly attached switch with the default priority cannot take over the root role.
  Your Action: Enter a value.

Max Age
  Function: Specifies the maximum aging time. The maximum aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration.
  Your Action: Select a value.

Hello time
  Function: Specifies the hello time, the interval at which the root bridge transmits configuration BPDUs.
  Your Action: Select a value.

Forward Delay
  Function: Specifies the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state.
  Your Action: Select a value.

Bpdu Block on Edge
  Function: Specifies whether an interface configured as an edge port is disabled when it receives a BPDU, protecting the spanning tree from a switch or bridging host attached to an end-host port.
  Your Action: Select to enable the feature.

Interface
  Function: Specifies RSTP settings for the interface and the Bpdu timeout action.
  Your Action:
  1. Click the expand icon.
  2. Specify the interface name.
  3. Specify the port priority.
  4. Specify the path cost. RSTP uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission.
  5. Specify the mode. The link type can be shared or point-to-point.
  6. Select Edge to mark the interface as an edge port (one that connects to an end host rather than to another switch).
  7. Select No root port to prevent the interface from ever becoming the root port (root protection).
  8. Click OK.
  9. Specify the Bpdu timeout action, taken when the interface stops receiving BPDUs within the timeout (loop protection): Block or Alarm.

Configuring STP (NSM Procedure)

Devices such as EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Configure BPDU protection on edge interfaces so that a BPDU from an unexpected switch or a bridging host cannot alter the spanning-tree topology, which could lead to loops or network outages.

To configure STP:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure STP.

2. In the configuration tree, expand Protocols > STP.

3. Add/modify STP settings as specified in Table 67 on page 110.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 67: STP Configuration Fields

Disable
  Function: Specifies whether STP is disabled on the switch.
  Your Action: Click to select the option.

Bridge Priority
  Function: Specifies the bridge priority, which determines which bridge is elected as the root bridge.
  Your Action: Enter a value.

Max Age
  Function: Specifies the maximum aging time. The maximum aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration.
  Your Action: Select a value.

Hello time
  Function: Specifies the hello time, the interval at which the root bridge transmits configuration BPDUs.
  Your Action: Select a value.

Forward Delay
  Function: Specifies the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state.
  Your Action: Select a value.

Bpdu Block on Edge
  Function: Specifies whether an interface configured as an edge port is disabled when it receives a BPDU, protecting the spanning tree from a switch or bridging host attached to an end-host port.
  Your Action: Select to enable the feature.

Interface
  Function: Specifies STP settings for the interface and the Bpdu timeout action.
  Your Action:
  1. Click the expand icon.
  2. Specify the interface name.
  3. Specify the port priority.
  4. Specify the path cost. STP uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission.
  5. Specify the mode. The link type can be shared or point-to-point.
  6. Select Edge to mark the interface as an edge port (one that connects to an end host rather than to another switch).
  7. Select No root port to prevent the interface from ever becoming the root port (root protection).
  8. Click OK.
  9. Specify the Bpdu timeout action, taken when the interface stops receiving BPDUs within the timeout (loop protection): Block or Alarm.
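The interface-level protections in Tables 66 and 67 (Edge, No root port, Bpdu timeout action and Bpdu Block on Edge) in CLI form, as an added example that is not part of the NSM guide. RSTP is used because it is the EX Series default; the same interface statements exist under `protocols stp`. The interface names, priorities and recovery timer are assumptions.

```junos
## Added example, not from the NSM guide. Interface names and timers are assumed.

## Deterministic root: this switch at 4k, the designated backup at 8k,
## everything else left at the default 32k.
set protocols rstp bridge-priority 4k
set protocols rstp hello-time 2
set protocols rstp max-age 20
set protocols rstp forward-delay 15

## Root protection on a downstream link. If a superior BPDU ever arrives
## here, the port is held out of the topology instead of re-rooting it.
set protocols rstp interface ge-0/0/47.0 mode point-to-point
set protocols rstp interface ge-0/0/47.0 no-root-port

## Loop protection on a fiber link where a unidirectional fault would
## stop BPDUs arriving: block the port rather than let it forward.
set protocols rstp interface ge-0/0/46.0 bpdu-timeout-action block

## Access port: edge (no listening/learning delay) and disabled the
## moment a BPDU is received on it, i.e. someone attached a switch.
set protocols rstp interface ge-0/0/1.0 edge
set protocols rstp interface ge-0/0/1.0 mode point-to-point
set protocols rstp bpdu-block-on-edge

## The same protection for a port that runs no spanning tree at all, and
## an automatic recovery after 300 s so a tripped port does not wait for
## an operator to run clear ethernet-switching bpdu-error.
set ethernet-switching-options bpdu-block interface ge-0/0/2.0
set ethernet-switching-options bpdu-block disable-timeout 300

## Verify: show spanning-tree interface ; show ethernet-switching interfaces
```

Leave `disable-timeout` unset only where an operator is expected to investigate every trip; with it set, a port that keeps tripping shows up as a pattern in `show ethernet-switching interfaces` rather than as a stuck port.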

Configuring VSTP (NSM Procedure)

VLAN Spanning Tree Protocol (VSTP) is a spanning tree protocol that creates a loop-free topology per VLAN. VSTP maintains a separate spanning tree instance for each VLAN. Different VLANs can use different spanning tree paths, and VSTP can support up to 4094 different spanning tree topologies.

To configure VSTP in NSM:

1. In the navigation tree select Device Manager > Devices and select the device from the list.

2. In the configuration tree, expand Protocols.

3. Select VSTP.

4. Add/Modify the parameters under the respective tabs as specified in Table 68 on page 112.

5. Click one:

• OK—To save the changes.

• Cancel—To cancel the modifications.

• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 68: VSTP Configuration Fields

VSTP

Comment
  Function: Specifies the comment for VSTP.
  Your Action:
  1. Expand the Protocol tree and select VSTP.
  2. Enter the comment.

Disable
  Function: Specifies whether to disable the VSTP configuration.
  Your Action:
  1. Expand the Protocol tree and select VSTP.
  2. Specify whether to disable VSTP.

Bridge Priority
  Function: The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment.
  Your Action:
  1. Expand the Protocol tree and select VSTP.
  2. Enter the bridge priority.

Max Age
  Function: Specifies the maximum age of received protocol BPDUs.
  Your Action:
  1. Expand the Protocol tree and select VSTP.
  2. Enter the max age or select from the list.

Hello Time
  Function: The time interval at which the root bridge transmits configuration BPDUs.
  Your Action:
  1. Expand the Protocol tree and select VSTP.
  2. Enter the hello time or select from the list.

Forward Delay
  Function: Specifies how long a bridge interface remains in the listening and learning states before transitioning to the forwarding state.
  Your Action:
  1. Expand the Protocol tree and select VSTP.
  2. Enter the forward delay time or select from the list.

Interface
  Function: Specifies the interface to be associated with VSTP.
  Your Action:
  1. Expand the Protocol tree.
  2. Select VSTP and expand the tree.
  3. Select Interfaces.
  4. Set up the priority, cost, mode and edge settings, and specify whether the interface has to be disabled.

Traceoptions
  Function: Enables you to configure VSTP-level tracing options.
  Your Action:
  1. Expand the Protocol tree.
  2. Select VSTP and expand the tree.
  3. Select Traceoptions.
  4. Set up the file and flag parameters.

Configuring VRRP (NSM Procedure)

Virtual Router Redundancy Protocol (VRRP) prevents loss of network connectivity to end hosts if the static default IP gateway fails. By implementing VRRP, you can designate a number of routers as backup routers in the event that the default master router fails. VRRP fully supports Virtual Local Area Networks (VLANs) and stacked VLANs (S-VLANs).

In case of a failure, VRRP dynamically shifts the packet-forwarding responsibility to a backup router. VRRP creates a redundancy scheme which enables hosts to keep a single IP address for the default gateway but maps the IP address to a well-known virtual MAC address. VRRP provides this redundancy without user intervention or additional configuration at the end hosts.

To configure VRRP in NSM:

1. In the navigation tree select Device Manager > Devices and select the device from the list.

2. In the configuration tree, expand Protocols.

3. Select VRRP.

4. Add/Modify the parameters under the respective tabs as specified in Table 69 on page 113.

5. Click one:

• OK—To save the changes.

• Cancel—To cancel the modifications.

• Apply—To apply the protocol settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 69: VRRP Configuration Fields

VRRP

Comment
  Function: Specifies the comment for VRRP.
  Your Action:
  1. Expand the Protocol tree and select VRRP.
  2. Enter the comment.

Startup Silent Period
  Function: Enables the system to ignore the Master Down Event when an interface transitions from the disabled state to the enabled state. It avoids an incorrect error alarm caused by delay or interruption of incoming VRRP advertisement packets during the interface startup phase.
  Your Action:
  1. Expand the Protocol tree and select VRRP.
  2. Enter the startup silent period or select from the list.

Traceoptions
  Function: Enables you to configure VRRP-level tracing options.
  Your Action:
  1. Expand the Protocol tree.
  2. Select VRRP and expand the tree.
  3. Select Traceoptions.
  4. Set up the file and flag parameters.
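An added example that is not part of the NSM guide, showing where the Table 69 settings sit relative to the rest of a VRRP deployment on an EX Series switch: only the startup silent period and tracing live under `protocols vrrp`; the group itself, its priority, preemption and authentication are configured on the routed VLAN interface. Addresses, the VLAN, the tracked interface and the key are assumptions.

```junos
## Added example, not from the NSM guide. Addresses, VLAN, interfaces and key are assumed.

## Protocol-level settings from Table 69.
set protocols vrrp startup-silent-period 10
set protocols vrrp traceoptions file vrrp-trace size 1m files 3
set protocols vrrp traceoptions flag state-transitions

## Master candidate for VLAN 10. Hosts use 10.0.10.1 as their gateway; the
## backup switch repeats this block with its own address and priority 100.
set interfaces vlan unit 10 family inet address 10.0.10.2/24 vrrp-group 10 virtual-address 10.0.10.1
set interfaces vlan unit 10 family inet address 10.0.10.2/24 vrrp-group 10 priority 200
set interfaces vlan unit 10 family inet address 10.0.10.2/24 vrrp-group 10 preempt hold-time 60
set interfaces vlan unit 10 family inet address 10.0.10.2/24 vrrp-group 10 accept-data

## VRRPv2 authentication (md5 or simple on Junos; key 1 to 16 characters for
## md5). Without it any host on VLAN 10 can send a priority-255 advertisement
## and become the gateway for the whole segment.
set interfaces vlan unit 10 family inet address 10.0.10.2/24 vrrp-group 10 authentication-type md5
set interfaces vlan unit 10 family inet address 10.0.10.2/24 vrrp-group 10 authentication-key "Vrrp-K3y-2013"

## Step down by 150 if the uplink fails, so the backup (priority 100) wins.
set interfaces vlan unit 10 family inet address 10.0.10.2/24 vrrp-group 10 track interface ge-0/0/47 priority-cost 150

## Verify: show vrrp ; show vrrp track ; show vrrp statistics
```

`show vrrp statistics` counts advertisements dropped for bad authentication, which is the first place a rogue or misconfigured peer on the segment shows up.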


CHAPTER 9

Configuring PoE

This section contains the following:

Configuring Power over Ethernet (NSM Procedure) on page 115

Configuring Power over Ethernet (NSM Procedure)

EX Series switch models provide either 8, 24, or 48 PoE ports, which supply electric power over the same ports that are used to connect network devices. These ports allow you to plug in devices that require both network connectivity and electric power, such as VoIP phones, WAPs, and some IP cameras.

The factory default configuration for EX Series switches specifies and enables PoE interfaces for the PoE ports. Disable PoE on ports that are not expected to power anything, so that an unexpected device cannot draw from the power budget.

To configure PoE:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure PoE.

2. In the configuration tree, select PoE.

3. Enter a value to set the guard band. The default value is 0. The guard band reserves the specified number of watts of the PoE power budget so that a spike in consumption on active ports cannot exceed the power supply's capacity.

4. To add/modify PoE interface details, click Add New Entry and select Interface.

5. In the Interface screen, click the add or edit icon.

6. Add/modify PoE settings for the interface as specified in Table 70 on page 115.

7. Click one:

• OK—To save the changes.

• Cancel—To cancel the modifications.

Table 70: PoE Edit Settings

Name
  Description: Specifies the name of the interface.
  Your Action: Enter a name.

Disable
  Description: Specifies whether PoE is disabled on the interface. PoE is enabled on PoE-capable ports by default.
  Your Action: Select this option to disable PoE on the interface.

Priority
  Description: Lists the power priority (Low or High) configured on ports enabled for PoE. When the power budget is exhausted, low-priority ports lose power first.
  Your Action: Set the priority as High or Low.

Maximum Power
  Description: Specifies the maximum PoE wattage the switch provisions for this port.
  Your Action: Select a value in watts. If no value is specified, the default is 15.4.

Telemetries
  Description: Enables logging of PoE power consumption with the default telemetries settings.
  Your Action: Select this option to log telemetries. Specify the following:
  • Disable—Select to disable logging of telemetries.
  • Interval—The time interval for logging telemetries.
  • Duration—The duration for which telemetries should be logged.
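The CLI form of the procedure and Table 70, as an added example that is not part of the NSM guide: a guard band, a high-priority phone port with a power cap and consumption logging, and two unused ports with PoE removed. Interface names and values are assumptions.

```junos
## Added example, not from the NSM guide. Interface names and values are assumed.

## Reserve 15 W so a consumption spike on active ports cannot exhaust the
## supply (guard band, step 3 of the procedure).
set poe guard-band 15

## Phone port: high priority so it keeps power when the budget runs out,
## capped at the 802.3af class 3 maximum of 15.4 W, with consumption
## logged every 5 minutes for 24 hours (Table 70).
set poe interface ge-0/0/1 priority high
set poe interface ge-0/0/1 maximum-power 15.4
set poe interface ge-0/0/1 telemetries interval 5
set poe interface ge-0/0/1 telemetries duration 24

## Ports that should never power anything: remove PoE so an unexpected
## device gets no power and the budget counts only intended ports.
set poe interface ge-0/0/40 disable
set poe interface ge-0/0/41 disable

## Verify:
##   show poe controller
##   show poe interface
##   show poe telemetries interface ge-0/0/1
```

`show poe controller` reports the total budget, the guard band and the power actually in use; compare it against `show poe interface` after a commit to confirm the disabled ports no longer appear as powered.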


CHAPTER 10

Configuring SNMP

This section contains the following:

Configuring Basic System Identification for SNMP (NSM Procedure) on page 117
Configuring Client Lists (NSM Procedure) on page 118
Configuring SNMP Health Monitoring (NSM Procedure) on page 120
Configuring the Interfaces on Which SNMP Requests Can Be Accepted (NSM Procedure) on page 121
Configuring the SNMP Local Engine ID (NSM Procedure) on page 123
Configuring the SNMP Commit Delay Timer (NSM Procedure) on page 124
Configuring SNMP RMON Alarms and Events (NSM Procedure) on page 125
Enabling SNMP Access over Routing Instances (NSM Procedure) on page 129
Configuring SNMPv3 (NSM Procedure) on page 131
Configuring Tracing of SNMP Activity (NSM Procedure) on page 137
Configuring SNMP Views (NSM Procedure) on page 139
Configuring SNMP Communities (NSM Procedure) on page 140
Configuring SNMP Trap Options (NSM Procedure) on page 142
Configuring SNMP Trap Groups (NSM Procedure) on page 144

Configuring Basic System Identification for SNMP (NSM Procedure)

To configure basic system identification information for SNMP:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab and then double-click the device for which you want to configure basic system identification information.

3. Click the Configuration tab. In the configuration tree, select Snmp.

4. Add or modify basic system identification information as specified in Table 71 on page 118.

5. Click one:

• OK—Saves the changes.

• Cancel—Cancels the modifications.

Table 71: Basic System Identification Details

System Name
  Function: Specifies a system name for the device.
  Your Action: Enter the system name as a free-form text string.

Description
  Function: Provides a description for the system.
  Your Action: Enter a description for the system. For example, type J4350 with 4 PIMs.

Location
  Function: Specifies the system location information.
  Your Action: Enter the system location information (such as a lab name and a rack name).

Contact
  Function: Specifies the contact information for the system.
  Your Action: Enter the system contact information (such as a name and a phone number).

Snmp > Engine Id

Use Mac Address
  Function: Sets the SNMP engine ID to be derived from the device's MAC address.
  Your Action: Select this option.

Related Documentation
  Configuring SNMP Communities (NSM Procedure) on page 140
  Configuring SNMP Trap Groups (NSM Procedure) on page 144
  Configuring SNMP Views (NSM Procedure) on page 139

Configuring Client Lists (NSM Procedure)

You can configure a group of SNMP clients as a client list by providing the IPv4 or IPv6 addresses of the individual clients that you want to assign to this client list. You can then specify that only the members of the list are authorized to use a particular SNMP community. See “Configuring SNMP Communities (NSM Procedure)” on page 140 for information about binding a client list to a community. If a community is not restricted to specific client addresses, either through a client list or through client entries on the community itself, then every SNMP client that presents this community string, from any source address, is authorized to access the device. SNMPv1 and SNMPv2c community strings travel in cleartext, so a client list is the only thing standing between a guessed or sniffed string and full read (or write) access; bind every community to one.

To configure client lists in NSM:

1. In the navigation tree, select Device Manager > Devices.

2. In the Devices list, double-click the device to select it.

3. Click the Configuration tab.

4. In the configuration tree, expand SNMP.

5. Select Client List.

6. Click the Add or Edit icon.

7. Enter the parameters as specified in Table 72 on page 119.

8. Click one:

• OK—To save the changes.

• Cancel—To cancel the modifications.

• Apply—To apply the SNMP settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 72: Configuring Client List Fields

Name
  Function: Specifies the name of the client list that you are configuring to have SNMP access privileges. Any SNMP request that reaches the device from an address outside the client lists bound to a community is discarded.
  Your Action: Enter a name for the client list.

Comment
  Function: Specifies the comment for the client list.
  Your Action: Enter the comment.

Client Address List
  Function: Specifies the addresses of the SNMP clients that are authorized to access this device.
  Your Action:
  1. Click the New button, or select a client address and click the Edit button.
  2. Configure the following to create and define a client address list:
  • Name—Enter an IPv4 or IPv6 address for each client.
  • Comment—Enter a comment for the IPv4 or IPv6 address you specified.
  • Restrict—Select this check box to deny the specified address access to the device. With the Restrict check box cleared (the default), access is permitted for this address.

Related Documentation
  Configuring SNMP Communities (NSM Procedure) on page 140


EX Series Devices

Configuring SNMP Health Monitoring (NSM Procedure)

You can use SNMP health monitoring to minimize user configuration requirements. Health monitoring is a notification system that extends the RMON alarm infrastructure to provide predefined monitoring for a selected set of object instances (for file system usage, CPU usage, and memory usage) and includes support for unknown or dynamic object instances (such as JUNOS Software processes).

To configure health monitoring for SNMP in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand SNMP.
5. Select Health Monitor.
6. Select the Enable Feature check box.
7. Enter the parameters as specified in Table 73 on page 120.
8. Click one:
   • OK—To save the changes.
   • Cancel—To cancel the modifications.
   • Apply—To apply the SNMP settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 73: Configuring Health Monitor Fields

Option: Comment
Function: Specifies the comment for the health monitoring configuration.
Your Action: Enter a comment.

Option: Interval
Function: Specifies the interval. The interval represents the period of time, in seconds, over which the object instance is sampled. The sample value is then compared with the rising and falling threshold values.
Your Action: Specify the interval between samples, in seconds. You can enter a value from 1 through 2147483647. The default is 300.

Option: Rising Threshold
Function: Specifies the upper threshold as a percentage of the maximum possible value for the monitored variable. When the current sampled value is greater than or equal to this threshold and the value at the last sampling interval is less than this threshold, a single event is generated. A single event is also generated if the first sample after this entry becomes valid is greater than or equal to this threshold. After a rising event is generated, another rising event is not generated until the sampled value falls below this threshold and reaches the falling threshold.
Your Action: Enter the rising threshold value. You can enter a value from 1 through 100. The default value is 90.

Option: Falling Threshold
Function: Specifies the lower threshold as a percentage of the maximum possible value for the monitored variable. When the current sampled value is less than or equal to this threshold and the value at the last sampling interval is greater than this threshold, a single event is generated. A single event is also generated if the first sample after this entry becomes valid is less than or equal to this threshold. After a falling event is generated, another falling event is not generated until the sampled value rises above this threshold and reaches the rising threshold.
Your Action: Enter the falling threshold value. You can enter a value from 0 through 100. The default value is 80.

Option: Idp
Function: Specifies that the enterprise-specific IDP MIB extends SNMP support to the key monitoring and threshold-crossing traps.
Your Action:
1. Expand the Health Monitor tree and select Idp.
2. Click the New button or select an interface and click the Edit button.
3. Enter the comment, interval, and the rising and falling threshold values.

Related Documentation

• Configuring SNMP RMON Alarms and Events (NSM Procedure) on page 125

Configuring the Interfaces on Which SNMP Requests Can Be Accepted (NSM Procedure)

You can limit the access of SNMP requests through specific interfaces by configuring the interfaces on which SNMP requests can be accepted. If you do not configure specific interfaces, SNMP requests entering the device through any interface are accepted, because by default, all device interfaces have SNMP access privileges.

To configure interfaces on which SNMP requests can be accepted in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand SNMP.
5. Select Interface.
6. Enter the parameters as specified in Table 74 on page 122.
7. Click one:
   • OK—To save the changes.
   • Cancel—To cancel the modifications.
   • Apply—To apply the SNMP settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 74: Configuring Interface Fields

Option: Interface
Function: Specifies the name for the specific interface configuration.
Your Action:
1. Click the New button or select an interface and click the Edit button.
2. Enter the names of one or more logical interfaces.

Related Documentation

• Configuring SNMP Communities (NSM Procedure) on page 140


Configuring the SNMP Local Engine ID (NSM Procedure)

You can configure a local engine identifier (engine ID) as the administratively unique ID of an SNMPv3 engine. The local engine ID is used only for identifying an SNMPv3 engine and not for addressing the engine. An engine ID has two parts: prefix and suffix. The prefix is formatted according to the specifications defined in RFC 3411, An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks. You can specify the suffix to be generated from the media access control (MAC) address of the management interface.

NOTE: SNMPv3 authentication and encryption keys are generated based on the associated passwords and the engine ID. If you configure or change the engine ID, you must commit the new engine ID before you configure SNMPv3 users. Otherwise the keys generated from the configured passwords are based on the previous engine ID.

To configure a local engine ID for an SNMPv3 engine in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand SNMP.
5. Select Engine Id.
6. Enter the parameters as specified in Table 75 on page 123.
7. Click one:
   • OK—To save the changes.
   • Cancel—To cancel the modifications.
   • Apply—To apply the SNMP settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 75: Configuring Engine Id Fields

Option: Comment
Function: Specifies the comment for the engine ID.
Your Action: Enter a comment.

Option: Use Mac Address
Function: Specifies whether or not the SNMP engine ID is generated from the MAC address of the management interface on the device.
Your Action:
1. Expand the Engine Id tree and select Use Mac Address.
2. Select an option for engine ID generation:
   • None—The SNMP engine ID does not use the MAC address.
   • use-mac-address—The SNMP engine ID is generated from the MAC address of the management interface on the device.
   • use-default-ip-address—The engine ID suffix is generated from the default IP address of the management interface.
   • local—The engine ID suffix is generated from the local IP address of the management interface.
For the engine ID, we recommend using the IP address of the device or using the MAC address of fxp0 or me0 if the device has only one Routing Engine.
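To see why the NOTE in this section requires committing the engine ID before creating SNMPv3 users, the following added example (not NSM or Junos code) builds an RFC 3411 style engine ID from a MAC or IPv4 address and derives the RFC 3414 localized USM keys from a password. The function names are hypothetical, the Juniper enterprise number 2636 in the prefix is an assumption (the page does not document the exact bytes Junos emits), and the MAC and IP values are constructed.

```python
"""Added example: RFC 3411 engine ID layout and RFC 3414 USM key localization.

Shows that the localized key a user's password produces depends on the engine
ID, which is why the engine ID must be committed before SNMPv3 users are
configured (see the NOTE in this section).
"""
import hashlib

JUNIPER_PEN = 2636          # assumed IANA private enterprise number for the prefix
ENGINE_ID_FMT_IPV4 = 0x01   # RFC 3411 format octet: suffix is an IPv4 address
ENGINE_ID_FMT_MAC = 0x03    # RFC 3411 format octet: suffix is a MAC address
KEY_STREAM_LEN = 1_048_576  # RFC 3414 A.2: password is expanded to 1 MiB before hashing


def _prefix(enterprise: int) -> bytes:
    """First four octets: enterprise number with the high bit set (RFC 3411 'new' format)."""
    return (0x80000000 | enterprise).to_bytes(4, "big")


def engine_id_from_mac(mac: str, enterprise: int = JUNIPER_PEN) -> bytes:
    """Engine ID whose suffix is a MAC address (the use-mac-address option)."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 octets")
    return _prefix(enterprise) + bytes([ENGINE_ID_FMT_MAC]) + mac_bytes


def engine_id_from_ipv4(ip: str, enterprise: int = JUNIPER_PEN) -> bytes:
    """Engine ID whose suffix is an IPv4 address (the use-default-ip-address / local options)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("invalid IPv4 address")
    return _prefix(enterprise) + bytes([ENGINE_ID_FMT_IPV4]) + bytes(octets)


def password_to_key(password: str, algo: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to exactly 1,048,576 octets)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (KEY_STREAM_LEN // len(pw) + 1))[:KEY_STREAM_LEN]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, algo: str = "md5") -> dict:
    """Return hex Ku (engine independent) and Kul (bound to this engine ID)."""
    ku = password_to_key(password, algo)
    return {"ku": ku.hex(), "kul": localize_key(ku, engine_id, algo).hex()}


if __name__ == "__main__":
    old_engine = engine_id_from_ipv4("192.0.2.10")        # constructed address
    new_engine = engine_id_from_mac("00:05:85:12:34:56")  # constructed MAC
    print(old_engine.hex(), new_engine.hex())
    before = usm_keys("maplesyrup", old_engine, "sha1")
    after = usm_keys("maplesyrup", new_engine, "sha1")
    # Same password, same Ku, but a different localized key once the engine ID changes:
    print(before["ku"] == after["ku"], before["kul"] == after["kul"])
```

The MD5 values for the password "maplesyrup" and engine ID 00...02 reproduce the test vectors in RFC 3414 Appendix A.3.1, which is a quick way to confirm the derivation against a known answer.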

Related Documentation

• Configuring SNMPv3 (NSM Procedure) on page 131

Configuring the SNMP Commit Delay Timer (NSM Procedure)

You can configure the SNMP commit delay timer to specify the length of time between when a device first receives an SNMP nonvolatile Set request and when the commit is requested for the candidate configuration. If the device receives new SNMP Set requests within this time, the commit delay timer resets to the configured time. If the device does not receive new SNMP Set requests within this time, the candidate configuration is committed and the JUNOScript session closes (the configuration lock is released). If the device receives a new SNMP Set request while the candidate configuration is being committed, the SNMP Set request is rejected and an error notification is generated.

To configure the SNMP commit delay timer for nonvolatile requests in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand SNMP.
5. Select Nonvolatile.
6. Enter the parameters as specified in Table 76 on page 125.
7. Click one:
   • OK—To save the changes.
   • Cancel—To cancel the modifications.
   • Apply—To apply the SNMP settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 76: Configuring Nonvolatile Fields

Option: Comment
Function: Specifies the comment for the nonvolatile commit delay configuration.
Your Action: Enter a comment.

Option: Commit Delay
Function: Specifies the delay time between an affirmative SNMP Set reply and the start of commit.
Your Action: Specify the delay time, in seconds. The default value is 5.

Related Documentation

• Configuring the Interfaces on Which SNMP Requests Can Be Accepted (NSM Procedure) on page 121

Configuring SNMP RMON Alarms and Events (NSM Procedure)

You can configure SNMP remote monitoring (RMON) alarms and events to monitor integer-valued MIB objects, standard or enterprise-specific, on the device. You can set the alarm values against thresholds and trigger events when the thresholds are crossed.

To configure the SNMP RMON alarms and events in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand SNMP.
5. Select Rmon.
6. Enter the parameters as specified in Table 77 on page 126.
7. Click one:
   • OK—To save the changes.
   • Cancel—To cancel the modifications.
   • Apply—To apply the SNMP settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 77: Configuring Rmon Fields

Option: Comment
Function: Specifies the comment for the RMON configuration.
Your Action: Enter the comment.

Option: Alarm
Function: Specifies the attributes of the RMON alarm entry. An alarm entry monitors the value of a MIB variable. You can configure how often the value is sampled, the type of sampling to perform, and what event to trigger if a threshold is crossed.
Your Action:
1. Expand the Rmon tree and select Alarm.
2. Click the New button or select a client address and click the Edit button.
3. Configure the following to create and define an RMON alarm entry:
   • Name—Enter a name for the alarm entry.
   • Comment—Enter a comment for the alarm entry.
   • Description—Enter a text description for the alarm entry.
   • Interval—Enter the interval (in seconds) over which data is sampled and compared with the rising and falling thresholds.
   • Falling Threshold Interval—Enter the interval (in seconds) between samples when the rising threshold is crossed. After the alarm crosses the falling threshold, the regular sampling interval is used. You can enter a value from 1 through 2,147,483,647. The default is 60.
   • Variable—Enter the variable that identifies the MIB object being monitored.
   • Sample Type—Choose the sample type to identify the method of sampling the selected variable and calculating the value to be compared against the thresholds:
     • none
     • absolute-value—The value of the selected variable is compared directly with the thresholds at the end of the sampling interval.
     • delta-value—The value of the selected variable at the last sample is subtracted from the current value, and the difference is compared with the thresholds.
   • Request Type—Specify the scope of the RMON alarm:
     • get-request—Monitor a specific object instance.
     • walk-request—Monitor all object instances belonging to a MIB branch.
     • get-next-request—Monitor the next object instance after the instance specified in the configuration.
   • Startup Alarm—Specify the type of alarm that can be sent when this entry is first activated:
     • falling-alarm—First sample after the alarm entry becomes active is less than or equal to the falling threshold.
     • rising-alarm—First sample after the alarm entry becomes active is greater than or equal to the rising threshold.
     • rising-or-falling-alarm—First sample after the alarm entry becomes active satisfies either of the corresponding thresholds.
   • Rising Threshold—Specify the upper threshold for the sampled variable. When the current sampled value is greater than or equal to this threshold and the value at the last sampling interval is less than this threshold, a single event is generated. A single event is also generated if the first sample after this entry becomes valid is greater than or equal to this threshold and the associated startup alarm is equal to the rising alarm or the rising-or-falling alarm. After a rising event is generated, another rising event cannot be generated until the sampled value falls below this threshold and reaches the falling threshold. You can enter a value from -2,147,483,648 through 2,147,483,647.
   • Falling Threshold—Specify the lower threshold for the sampled variable. When the current sampled value is less than or equal to this threshold and the value at the last sampling interval is greater than this threshold, a single event is generated. A single event is also generated if the first sample after this entry becomes valid is less than or equal to this threshold and the associated startup alarm is equal to the falling alarm or the rising-or-falling alarm. After a falling event is generated, another falling event cannot be generated until the sampled value rises above this threshold and reaches the rising threshold. You can enter a value from -2,147,483,648 through 2,147,483,647. The default is 20 percent less than the rising threshold.
   • Rising Event Index—Specify the event entry that is triggered when a rising threshold is crossed. You can enter a value from 0 through 65,535. The default is 0.
   • Falling Event Index—Specify the event entry that is triggered when a falling threshold is crossed. You can enter a value from 0 through 65,535. The default is 0.
   • Syslog Subtag—Specify the tag to be added to the system log message. You can specify a string of not more than 80 uppercase characters as the system log tag.

Option: Event
Function: Specifies the attributes of the RMON event entry. An event entry generates a notification for an alarm entry when its rising or falling threshold is crossed. You can configure the type of notification that is generated.
Your Action:
1. Expand the Rmon tree and select Event.
2. Click the New button or select a client address and click the Edit button.
3. Configure the following to create and define an RMON event entry:
   • Name—Enter a name for the event entry.
   • Comment—Enter a comment for the event entry.
   • Description—Enter a text description for the event entry.
   • Type—Specify the type of notification generated and where the event is to be logged when a threshold is crossed:
     • none
     • log—Adds the event entry to the logTable.
     • log-and-trap—Sends an SNMP trap and creates a log entry.
     • snmptrap—Sends an SNMP trap.
   • Community—Specify the trap group that is used when generating a trap. If that trap group has the rmon-alarm trap category configured, a trap is sent to all the targets configured for that trap group. The community string in the trap matches the name of the trap group. If nothing is configured, traps are sent to each group with the rmon-alarm category set.
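The threshold-crossing rules given for the Health Monitor (Table 73) and for the RMON alarm entry in Table 77 can be checked against sample data with the following evaluator. It is an added example, not NSM or Junos code: the `Alarm` class and `run_alarm` helper are hypothetical names, the readings are constructed, and the startup-alarm handling follows RFC 2819 (a rising startup event requires rising-alarm or rising-or-falling-alarm, a falling one falling-alarm or rising-or-falling-alarm).

```python
"""Added example: evaluate RMON / health-monitor style rising and falling thresholds.

Implements the sampling and hysteresis rules described in Tables 73 and 77:
absolute-value or delta-value sampling, a startup alarm on the first valid
sample, and no repeated rising (falling) event until the falling (rising)
threshold has been reached in between (RFC 2819 alarm semantics).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Alarm:
    """One alarm entry; sample() returns "rising", "falling" or None per reading."""
    rising: int
    falling: int
    sample_type: str = "absolute-value"             # or "delta-value"
    startup_alarm: str = "rising-or-falling-alarm"  # or "rising-alarm" / "falling-alarm"
    last_raw: Optional[int] = None     # previous raw reading (used by delta-value)
    last_value: Optional[int] = None   # previous compared value; None until the entry is valid
    last_event: Optional[str] = None   # hysteresis state: the last event generated

    def __post_init__(self) -> None:
        if self.sample_type not in ("absolute-value", "delta-value"):
            raise ValueError("unknown sample type")
        if self.startup_alarm not in ("rising-alarm", "falling-alarm", "rising-or-falling-alarm"):
            raise ValueError("unknown startup alarm")

    def _compared_value(self, raw: int) -> Optional[int]:
        """Turn a raw reading into the value that is compared against the thresholds."""
        if self.sample_type == "absolute-value":
            return raw
        if self.last_raw is None:      # a delta needs two readings; the entry is not valid yet
            self.last_raw = raw
            return None
        delta = raw - self.last_raw
        self.last_raw = raw
        return delta

    def sample(self, raw: int) -> Optional[str]:
        value = self._compared_value(raw)
        if value is None:
            return None
        event = None
        if self.last_value is None:
            # First sample after the entry becomes valid: only the configured
            # startup alarm types may fire.
            if value >= self.rising and self.startup_alarm in ("rising-alarm", "rising-or-falling-alarm"):
                event = "rising"
            elif value <= self.falling and self.startup_alarm in ("falling-alarm", "rising-or-falling-alarm"):
                event = "falling"
        else:
            # Ordinary crossing: the previous value was on the other side of the
            # threshold, and the opposite threshold has been reached since the
            # last event of the same kind (last_event is not that kind).
            if value >= self.rising and self.last_value < self.rising and self.last_event != "rising":
                event = "rising"
            elif value <= self.falling and self.last_value > self.falling and self.last_event != "falling":
                event = "falling"
        self.last_value = value
        if event is not None:
            self.last_event = event
        return event


def run_alarm(alarm: Alarm, readings: List[int]) -> List[Optional[str]]:
    """Feed a series of readings and return the event (or None) produced by each."""
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Health Monitor defaults (rising 90, falling 80) on constructed CPU-usage samples (percent).
    cpu = Alarm(rising=90, falling=80)
    print(run_alarm(cpu, [95, 85, 95, 75, 95]))
    # RMON delta-value alarm on a constructed error counter: fire when more than
    # 100 errors arrive in one interval, re-arm once an interval shows 10 or fewer.
    errors = Alarm(rising=100, falling=10, sample_type="delta-value", startup_alarm="rising-alarm")
    print(run_alarm(errors, [1000, 1050, 1200, 1205, 1400]))
```

The second reading of 95 in the CPU series produces no event even though it is above the rising threshold, because the value never reached the falling threshold in between; that is the hysteresis the tables describe.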

Related Documentation

• Configuring SNMP Trap Groups (NSM Procedure) on page 144
• Example: Configuring SNMP Trap Groups

Enabling SNMP Access over Routing Instances (NSM Procedure)

You can enable SNMP managers in routing instances other than the default routing instance to access SNMP information. You can use the SNMP routing instance access feature to create access lists to allow or deny SNMP clients in routing instances access to SNMP information. Specify the routing instance name to allow the SNMP client in a routing instance to access SNMP information. To deny the SNMP client in a routing instance access to SNMP information, restrict the routing instance name in the access list. If access rights are not configured, JUNOS Software does not allow SNMP managers from routing instances other than the default routing instance to access SNMP information.

To configure access lists for SNMP access over routing instances in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand SNMP.
5. Select Routing Instance Access.
6. Select the Enable Feature check box.
7. Enter the parameters as specified in Table 78 on page 130.
8. Click one:
   • OK—To save the changes.
   • Cancel—To cancel the modifications.
   • Apply—To apply the SNMP settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 78: Configuring Routing Instance Access Fields

Option: Comment
Function: Specifies the comment for the routing instance access configuration.
Your Action: Enter a comment.

Option: Access List
Function: Specifies addresses of client members in the access lists.
Your Action:
1. Expand the Routing Instance Access tree and select Access List.
2. Click the New button or select an entry and click the Edit button.
3. Configure the following to create and define an access list entry for a routing instance:
   • Name—Enter a name for the access list entry.
   • Comment—Enter a comment for the access list entry.
   • Restrict—Select this check box to deny the specified SNMP client list access to the routing instance. If you leave the Restrict check box cleared (the default), access is permitted for this particular list.

Related Documentation

• Configuring SNMP Communities (NSM Procedure) on page 140


Configuring SNMPv3 (NSM Procedure)

You can configure SNMP version 3 (SNMPv3) for message security and access control. You can configure the entries for the user-based security model (USM) that SNMPv3 uses for message security and the view-based access control model (VACM) that SNMPv3 uses for access control. USM specifies authentication and encryption. USM uses the concept of a user for which security parameters (levels of security, authentication, privacy protocols, and keys) are configured for both the agent and the manager. VACM specifies access-control rules.

To configure the SNMPv3 options in NSM:

1. In the navigation tree, select Device Manager > Devices.
2. In the Devices list, double-click the device to select it.
3. Click the Configuration tab.
4. In the configuration tree, expand SNMP.
5. Select V3.
6. Enter the parameters as specified in Table 79 on page 131.
7. Click one:
   • OK—To save the changes.
   • Cancel—To cancel the modifications.
   • Apply—To apply the SNMP settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 79: Configuring V3 Fields

Option: Comment
Function: Specifies the comment for the SNMPv3 configuration.
Your Action: Enter a comment.

Option: Notify
Function: Specifies the management targets for notifications as well as the type of notifications. Notifications can be either traps or informs.
Your Action:
1. Expand the V3 tree and select Notify.
2. Click the New button or select an entry and click the Edit button.
3. Configure the following to create and define an entry:
   • Name—Specify the name for the notification.
   • Comment—Enter the comment for the notification.
   • Type—Choose the notification type:
     • trap—Unconfirmed notifications
     • inform—Confirmed notifications
   • Tag—Specify a tag. Notifications are sent to all targets configured with this tag.

Option: Notify Filter
Function: Lists the group of MIB objects on which access is to be defined. The notify filter limits the type of traps or informs sent to the network management system (NMS).
Your Action:
1. Expand the V3 tree and select Notify Filter.
2. Click the New button or select an entry and click the Edit button.
3. Configure the following to create and define an entry:
   • Name—Specify the name for the notification filter.
   • Comment—Enter the comment for the notification filter.
   • OID—Specify an object identifier (OID) to represent a subtree of MIB objects. All MIB objects represented by this ID have the specified OID as a prefix. Specify the OID using either a sequence of dotted integers or a subtree name. Then choose how the subtree is treated:
     • None
     • include—Include the subtree of MIB objects represented by the specified OID.
     • exclude—Exclude the subtree of MIB objects represented by the specified OID.

Option: SNMP Community
Function: Lists the SNMP communities authorizing the SNMPv1 or SNMPv2 clients. The access privileges associated with the configured security name define which MIB objects are available and the operations (notify, read, or write) allowed on those objects.
Your Action:
1. Expand the V3 tree and select SNMP Community.
2. Configure the following to create and define an entry:
   • Name—Specify the name for the SNMP community.
   • Comment—Enter the comment for the community.
   • Community Name—Enter the community string for the SNMPv1 or SNMPv2 community. If you do not enter a name, it is the same as the community index. Ensure that community names are unique.
   • Security Name—Enter the name you want to use for access control. This associates the community string with a security name.
   • Context—Specify the context in which the community string is to be used.
   • Tag—Specify the addresses of managers that are allowed to use this community string.

Option: Target Address
Function: Specifies the management application’s address and parameters to be used in sending notifications.
Your Action:
1. Expand the V3 tree and select Target Address.
2. Click the New button or select an entry and click the Edit button.
3. Configure the following to create and define an entry:
   • Name—Specify the name to be assigned to the target address.
   • Comment—Enter a comment for the target address.
   • Address—Enter the IPv4 or the IPv6 address of the device to receive traps or informs. NOTE: Specify an address, not a hostname.
   • Port—Enter the UDP port number for the SNMP target.
   • Timeout—Specify the number of seconds to wait for an inform acknowledgment. If no acknowledgment is received within the timeout period, the inform is retransmitted. The default timeout period is 15 seconds.
   • Retry Count—Specify the maximum number of times the inform is transmitted if no acknowledgment is received. If no acknowledgment is received after the inform is transmitted the maximum number of times, the inform message is discarded. The default count is 3 times.
   • Tag List—Specify an SNMP tag list to be used to define sets of target addresses.
   • Address Mask—Specify an address mask to verify the source addresses for this group of target addresses. An address mask, combined with the address, defines a range of addresses.
   • Routing Instance—Specify a routing instance for this SNMPv3 target address.
   • Logical System—On routers only, specify the logical system group for this SNMPv3 target address.
   • Target Parameters—Specify the message processing and security parameters to be used in sending notifications to a particular management target.

Option: Target Parameters
Function: Specifies the message processing and security parameters to be used in sending notifications to a particular management target.
Your Action:
1. Expand the V3 tree and select Target Parameters.
2. Click the New button or select an entry and click the Edit button.
3. Configure the following to create and define an entry:
   • Name—Specify the name to be assigned to this group of target parameters.
   • Comment—Enter a comment for this group of target parameters.
   • Notify Filter—Specify the notify filter to be used by this specific set of target parameters.
   • Parameters—Configure the entries for this specific set of target parameters:
     • Message Processing Model—Specify the message processing model:
       • None
       • v1—SNMPv1 message processing model
       • v2c—SNMPv2c message processing model
       • v3—SNMPv3 message processing model
     • Security Model—Specify this group’s security model:
       • None
       • usm—SNMPv3 security model
       • v1—SNMPv1 message processing model
       • v2c—SNMPv2c message processing model
     • Security Level—Specify this group’s security level:
       • authentication—Authentication but no encryption.
       • none—No authentication and no encryption.
       • privacy—Authentication and encryption.
     • Security Name—The user name (if USM is used) or the SNMP community name (if SNMPv1 or SNMPv2c security models are used) when generating the notification.

Option: Usm
Function: Specifies USM information.
Your Action:
1. Expand the V3 tree and select Usm.
2. Configure the following to create and define an entry:
   • Comment—Enter a comment for this USM set.
   • Local Engine—Specify the local-engine information for USM. Assign a user associated with an SNMPv3 group. Specify the authentication type for the SNMPv3 user as MD5 or SHA. Assign the encryption algorithm:
     • Advanced Encryption Standard (privacy-aes128)
     • Triple Data Encryption Standard (privacy-3des)
     • Data Encryption Standard (privacy-des)
     Configure the password used to generate the key used for encryption.
   • Remote Engine—Enter the engine ID for the SNMP agent on the remote device where the user resides for the USM. You must do this to send inform messages to an SNMPv3 user on a remote device. The engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. Assign a user associated with an SNMPv3 group. Assign the authentication type:
     • MD5—Sets the message digest algorithm (MD5) as the authentication type.
     • SHA—Sets the secure hash algorithm (SHA) as the authentication type.
     Assign the encryption algorithm:
     • Advanced Encryption Standard (privacy-aes128)
     • Triple Data Encryption Standard (privacy-3des)
     • Data Encryption Standard (privacy-des)
     Configure the plain-text password used to generate the key used for encryption. The password must meet these requirements on a device:
     • The password must be at least eight characters long.
     • The password can include alphabetic, numeric, and special characters, but not control characters.

Option: Vacm
Function: Specifies the VACM information.
Your Action:
1. Expand the V3 tree and select Vacm.
2. Configure the following to create and define an entry:
   • Comment—Enter a comment for this VACM set.
   • Access—Assign the security name to a group of SNMP security names that belong to the same SNMP access policy and define the access privileges for this group. Users belonging to a particular SNMP group inherit all access privileges granted to that group. Specify a context prefix for this group or a default context prefix for all VACM entries by configuring the context security model and entering a comment for the context security model.
     Specify this group’s security model:
     • Any
     • usm—SNMPv3 security model
     • v1—SNMPv1 message processing model
     • v2c—SNMPv2c message processing model
     Specify this group’s security level:
     • authentication—Provides authentication but no encryption.
     • none—No authentication and no encryption.
     • privacy—Provides authentication and encryption.
     Designate the level of security view access:
     • Read View—Provides read access.
     • Write View—Provides write access.
     • Notify View—Provides notify access, in which a list of notifications is sent to each user in this group.
   • Security To Group—Configure the group to which a specific security name belongs. Assign the security name to a group of SNMP security names that belong to the same SNMP access policy and define the access privileges for this group. Users belonging to a particular SNMP group inherit all access privileges granted to that group. Specify this group’s security model:
     • usm—SNMPv3 security model.
     • v1—SNMPv1 message processing model.
     • v2c—SNMPv2c message processing model.

Related Documentation

• Configuring SNMP Trap Groups (NSM Procedure) on page 144


Configuring Tracing of SNMP Activity (NSM Procedure)

You can configure the traceoptions feature to track the activities of SNMP agents and record the information in log files. The logged error descriptions provide information you can use to solve problems faster. If this feature is not configured, JUNOS Software does not trace SNMP activities. The default tracing behavior is outlined below:

• Important activities are logged in files located in the /var/log directory. You cannot change the directory in which trace files are located; you can only customize the other settings. Each log is named after the SNMP agent that generates it.

• When a trace file named filename reaches its maximum size, it is renamed filename.0; the previous filename.0 becomes filename.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten by the newest. This way, a new file is created each time the active file exceeds the specified maximum file size. You can set the file size to any value from 10 KB through 1 gigabyte (GB). The number of files can be from 2 through 1000.

• Log files can be accessed only by the user who configures the tracing operation.
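As an added example (not code from the NSM guide or from Juniper), the following Python models the trace file rotation and the size and file-count limits described above, so you can see which archived files survive for a given size and files setting. Rotation is simulated in memory; the file name, sizes and write pattern are constructed sample values.

```python
"""Model of Junos SNMP traceoptions file rotation (added example, not
Juniper code).  Limits follow the guide: size 10 KB..1 GB, files 2..1000."""
from __future__ import annotations

KB = 1024
MIN_SIZE, MAX_SIZE = 10 * KB, 1024 * 1024 * KB   # 10 KB through 1 GB
MIN_FILES, MAX_FILES = 2, 1000                    # total files, active one included


class TraceFileSet:
    """One trace file setting: name, per-file size limit, number of files.

    The set holds the active file plus archives name.0, name.1, ... where
    name.0 is the most recently rotated file (assumption: 'files' counts the
    active file, so at most files-1 archives exist at any time).
    """

    def __init__(self, name: str, size: int, files: int, world_readable: bool = False):
        if not MIN_SIZE <= size <= MAX_SIZE:
            raise ValueError(f"size {size} is outside 10 KB..1 GB")
        if not MIN_FILES <= files <= MAX_FILES:
            raise ValueError(f"files {files} is outside 2..1000")
        self.name, self.size, self.files = name, size, files
        # no-world-readable is the default the guide describes: only the
        # configuring user can read the logs.
        self.mode = 0o644 if world_readable else 0o600
        self.logs: dict[str, int] = {name: 0}   # file name -> bytes written
        self.overwritten = 0                     # oldest archives discarded so far

    def archive_name(self, n: int) -> str:
        return f"{self.name}.{n}"

    def rotate(self) -> None:
        """Active file is full: drop the oldest archive if the set is full,
        shift every archive up by one index, then archive the active file."""
        oldest = self.archive_name(self.files - 2)
        if oldest in self.logs:
            del self.logs[oldest]
            self.overwritten += 1
        for n in range(self.files - 3, -1, -1):       # highest index first
            src = self.archive_name(n)
            if src in self.logs:
                self.logs[self.archive_name(n + 1)] = self.logs.pop(src)
        self.logs[self.archive_name(0)] = self.logs.pop(self.name)
        self.logs[self.name] = 0

    def write(self, nbytes: int) -> None:
        """Append a trace record; rotate once the active file reaches its limit."""
        self.logs[self.name] += nbytes
        if self.logs[self.name] >= self.size:
            self.rotate()

    def names(self) -> list[str]:
        return sorted(self.logs)


if __name__ == "__main__":
    # Constructed sample: 10 KB files, three of them, five full writes.
    ts = TraceFileSet("snmpd", size=10 * KB, files=3)
    for _ in range(5):
        ts.write(10 * KB)
    print(ts.names(), "oldest files overwritten:", ts.overwritten)
```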

To configure SNMP tracing activity in NSM:

1. In the navigation tree, select Device Manager > Devices.

2. In the Devices list, double-click the device to select it.

3. Click the Configuration tab.

4. In the configuration tree, expand SNMP.

5. Select Traceoptions.

6. Enter the parameters as specified in Table 80 on page 138.

7. Click one:

• OK—To save the changes.

• Cancel—To cancel the modifications.

• Apply—To apply the SNMP settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.


Table 80: Configuring Traceoptions Fields

Option Function Your Action

Comment: Specifies the comment for the tracing configuration. Your action: Enter a comment.

No Remote Trace: Specifies whether or not this tracing configuration is written on the remote host. JUNOS Software supports system-wide remote tracing, by which traces are written to files on the remote host. To override the system-wide remote tracing configuration for a particular process, enable the No Remote Trace check box; the process then does local tracing. Your action: Select the No Remote Trace check box to force local tracing for this configuration.

File: Specifies the limits on the number and size of trace files. Your action:

1. Expand the Traceoptions tree and select File.

2. Configure the following to create and define a tracing file entry:

• Comment—Enter a comment for the tracing file.

• Size—Specify the size limit for the trace file.

• Files—Specify the maximum number of trace file versions to be created.

• Access—Specify access permissions for the tracing file:

  • None

  • world-readable—Allows any user to read all log files.

  • no-world-readable—Allows log files to be accessed only by the user who configures the tracing operation.

• Match—Specify a regular expression (regex) to be matched in the trace operation output.


Flag: Specifies which trace operations are to be logged. If this is not configured, only important activities are logged by default. Your action:

1. Expand the Traceoptions tree and select Flag.

2. Click the New button or select a tracing flag and click the Edit button.

3. Configure the following to create and define a tracing flag entry:

• Name—Specify the tracing flag to be used:

  • timer—Log internally generated events.

  • protocol-timeouts—Log SNMP response timeouts.

  • pdu—Log SNMP request and response packets.

  • varbind-error—Log variable binding errors.

  • routing-socket—Log routing socket calls.

  • interface-stats—Log physical and logical interface statistics.

  • subagent—Log subagent restarts.

  • general—Log general events.

  • nonvolatile-sets—Log nonvolatile SNMP set request handling.

  • all—Log all SNMP events.

• Comment—Enter a comment for the tracing flag.

Related Documentation

• Configuring SNMP Communities (NSM Procedure) on page 140

Configuring SNMP Views (NSM Procedure)

By default, an SNMP community grants read access and denies write access to all supported MIB objects, including communities configured for read-write authorization.

To restrict or grant read or write access to a set of MIB objects, configure a MIB view and associate the view with a community. Each MIB object of a view has a common object identifier (OID) prefix. Each OID represents a subtree of the MIB object hierarchy. The subtree can be represented either by a sequence of integers separated by periods (such as 1.3.6.1.2.1.2) or by its subtree name (such as interfaces). Use a view to specify a group of MIB objects on which to define access. You can also use the wildcard character asterisk (*) to include OIDs that match a particular pattern in the SNMP view. To enable a view, associate it with a community.

To configure SNMP views in NSM:

1. In the navigation tree, select Device Manager > Devices.

2. In the Devices list, double-click the device to select it.

3. Click the Configuration tab.

4. In the configuration tree, expand SNMP.

5. Select View.

6. Select the Enable Feature check box.


7. Enter the parameters as specified in Table 81 on page 140.

8. Click one:

• OK—To save the changes.

• Cancel—To cancel the modifications.

• Apply—To apply the SNMP settings.

Table 81: Configuring SNMP View Fields

Option Function Your Action

Name: Specifies a name for the view. Your action: Enter a name for the view.

Oid: Specifies an OID used to represent a subtree of MIB objects. Your action:

1. Expand the View tree and select oid.

2. Click the New button or select an OID and click the Edit button.

Name: Specifies the MIB for the view. Your action: Enter the OID of the MIB in either dotted-integer format or subtree-name format.

Include or Exclude: Specifies whether the view includes or excludes the set of MIB objects. Your action: Select exclude to exclude the subtree of MIB objects represented by the specified OID. Select include to include the subtree of MIB objects represented by the specified OID.

Related Documentation

• Configuring Basic System Identification for SNMP (NSM Procedure) on page 117

• Configuring SNMP Communities (NSM Procedure) on page 140

• Configuring SNMP Trap Groups (NSM Procedure) on page 144

Configuring SNMP Communities (NSM Procedure)

You can configure an SNMP community to authorize access to the SNMP server by SNMP clients, based on the source IP address of incoming SNMP request packets. A community also defines which MIB objects are available and the operations (read-only or read-write) allowed on those objects. The SNMP client application specifies an SNMP community name in Get, GetNext, GetBulk, and Set SNMP requests. If a community is not configured, all SNMP requests are denied.

To configure SNMP communities in NSM:

1. In the navigation tree, select Device Manager > Devices.

2. In the Devices list, double-click the device to select it.

3. Click the Configuration tab.


4. In the configuration tree, expand SNMP.

5. Select Community.

6. Click the Add or Edit icon.

7. Enter the parameters as specified in Table 82 on page 141.

8. Click one:

• OK—To save the changes.

• Cancel—To cancel the modifications.

• Apply—To apply the SNMP settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 82: Configuring Community Fields

Option Function Your Action

Name: Specifies the name of the community. Your action: Enter a name for the community.

Comment: Specifies the comment for the community. Your action: Enter a comment.

View: Specifies the view associated with the community. Your action: Enter a name for the view.

Authorization: Specifies the type of access granted to the community. Access is authorized for SNMP Get, GetBulk, GetNext, and Set requests. Your action: Select an access type for the community:

• None—No requests are enabled.

• read-only—Enable Get, GetNext, and GetBulk requests. This option is enabled by default.

• read-write—Enable all requests, including Set requests. You must configure a view to enable Set requests.

Client List Name: Specifies a client list or prefix list to be assigned to an SNMP community. Your action:

1. Expand the Community tree and select Client List Name.

2. Select a name.


Routing Instance: Specifies a routing instance for a community. Your action:

1. Expand the Community tree and select Routing Instance.

2. Click the New button or select an entry and click the Edit button.

3. Configure the following to create and define a routing instance:

• Name—Enter a name for the routing instance.

NOTE: On routers, to configure a routing instance within a logical system, specify the logical system name followed by the routing instance name. Use a slash ( / ) to separate the two names. To configure the default routing instance on a logical system, specify the logical system name followed by “default.”

• Comment—Enter a comment for the routing instance.
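As an added example (not code from the NSM guide or from Juniper), the following Python models how the community authorization, client list and view settings from this section and from Configuring SNMP Views combine to decide one SNMPv1/v2c request: unknown community denied, source address checked against the client list, read-only versus read-write against the operation, Set additionally requiring a view, and the view's include/exclude subtrees (with the * wildcard) checked against the requested OID. The longest-matching-entry precedence between view entries follows the standard VACM rule and is an assumption; the community names, prefixes and OIDs are constructed sample values.

```python
"""Model of SNMP community + view authorization (added example, not Juniper code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ViewEntry:
    oid: str        # dotted-integer subtree prefix; a "*" component matches any sub-identifier
    include: bool   # True = include, False = exclude

    @property
    def depth(self) -> int:
        return len(self.oid.split("."))

    def matches(self, target: str) -> bool:
        """True when target lies in the subtree named by this entry's prefix."""
        pattern, parts = self.oid.split("."), target.split(".")
        if len(parts) < len(pattern):
            return False
        return all(p == "*" or p == t for p, t in zip(pattern, parts))


@dataclass
class View:
    name: str
    entries: list[ViewEntry] = field(default_factory=list)

    def permits(self, oid: str) -> bool:
        """Longest matching entry wins (VACM best-match rule, assumed here);
        an OID matched by no entry is outside the view."""
        best: Optional[ViewEntry] = None
        for e in self.entries:
            if e.matches(oid) and (best is None or e.depth > best.depth):
                best = e
        return best is not None and best.include


@dataclass
class Community:
    name: str
    authorization: str = "read-only"                   # "read-only" or "read-write"
    view: Optional[View] = None                        # None = default view (all objects, read)
    clients: list[str] = field(default_factory=list)   # client-list prefixes; empty = any source


READ_OPS = {"Get", "GetNext", "GetBulk"}


def authorize(communities: dict[str, Community], req_community: str,
              source_ip: str, operation: str, oid: str) -> tuple[bool, str]:
    """Return (permitted, reason) for one request the way the guide describes."""
    comm = communities.get(req_community)
    if comm is None:
        return False, "unknown community"           # no matching community: denied
    src = ipaddress.ip_address(source_ip)
    if comm.clients and not any(src in ipaddress.ip_network(c) for c in comm.clients):
        return False, "source address not in client list"
    if operation in READ_OPS:
        allowed = comm.authorization in ("read-only", "read-write")
    elif operation == "Set":
        # read-write alone is not enough: a view must be configured for Set.
        allowed = comm.authorization == "read-write" and comm.view is not None
    else:
        return False, f"unsupported operation {operation}"
    if not allowed:
        return False, f"{operation} not enabled by authorization {comm.authorization}"
    if comm.view is not None and not comm.view.permits(oid):
        return False, f"OID outside view {comm.view.name}"
    return True, "permitted"


# Constructed sample configuration: a read-only monitoring community with a
# /24 client list, and a read-write community limited to one host and to the
# interfaces subtree minus the ifAdminStatus column.
INTERFACES_VIEW = View("ifview", [
    ViewEntry("1.3.6.1.2.1.2", include=True),          # interfaces subtree
    ViewEntry("1.3.6.1.2.1.2.2.1.7", include=False),   # ifAdminStatus column
])
COMMUNITIES = {
    "monitor": Community("monitor", "read-only", clients=["10.0.0.0/24"]),
    "ops": Community("ops", "read-write", view=INTERFACES_VIEW, clients=["10.0.0.5/32"]),
}

if __name__ == "__main__":
    for args in (("monitor", "10.0.0.7", "Get", "1.3.6.1.2.1.1.5.0"),
                 ("ops", "10.0.0.5", "Set", "1.3.6.1.2.1.2.2.1.7.1")):
        print(args, "->", authorize(COMMUNITIES, *args))
```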

Related Documentation

• Configuring Client Lists (NSM Procedure) on page 118

Configuring SNMP Trap Options (NSM Procedure)

You can configure the SNMP trap options feature to recognize duplicate traps and to distinguish SNMPv1 traps based on the outgoing interface. This feature is helpful when SNMP traps that come from the same device leave the device through different outgoing interfaces, causing each such SNMP trap packet to have a different source address. You can set the source address of every SNMP trap packet sent by a device to be the same, regardless of the outgoing interface. You can also set the agent address of each SNMPv1 trap.

To configure the SNMP trap options in NSM:

1. In the navigation tree, select Device Manager > Devices.

2. In the Devices list, double-click the device to select it.

3. Click the Configuration tab.

4. In the configuration tree, expand SNMP.

5. Select Trap Options.

6. Select the Enable Feature check box.

7. Enter the parameters as specified in Table 83 on page 143.

8. Click one:


• OK—To save the changes.

• Cancel—To cancel the modifications.

• Apply—To apply the SNMP settings.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 83: Configuring Trap Options Fields

Option Function Your Action

Comment: Specifies the comment for the SNMP trap option. Your action: Enter the comment.

Agent Address: Specifies the agent address of all SNMPv1 traps generated by this device. Your action: Choose the agent address:

• None

• outgoing-interface—Sets the agent address of each SNMPv1 trap to the address of the outgoing interface of that trap.

Logical System: On routers only, specifies the name of the logical system for this SNMP client. The logical system performs a subset of the actions of its parent physical device and has its own interfaces, policies, and routing instances. Your action:

1. Expand the Trap Options tree and select Logical System.

2. Click the New button or select a routing instance and click the Edit button.

3. Configure the following to create and define a logical system entry:

• Name—Specify the name of the logical system.

• Comment—Enter a comment for the logical system.

• Routing Instance—Configure the following to create and define a routing instance entry:

  • Lo0—Choose one of the following as the source address for the trap packets:

    • lo0—The source address of the SNMP trap packets is set to the lowest loopback address configured on the interface lo0.

    • address—The source address of the SNMP trap packets is set to the address you specify. Enter a valid IPv4 address configured on one of the device interfaces.

Routing Instances: Specifies the routing instances for SNMPv1 and SNMPv2 trap targets. All targets configured in the trap group use these routing instances. Your action:

1. Expand the Trap Options tree and select Routing Instances.

2. Click the New button or select a routing instance and click the Edit button.

3. Configure the following to create and define a routing instance entry:

• Name—Specify the name of the routing instance.

• Comment—Enter a comment for the routing instance.


Source Address: Specifies the source address of every SNMP trap packet sent by this device. You can set a valid interface address as the source address for SNMP traps regardless of the outgoing interface. If the source address is not specified, the address of the outgoing interface is used as the source address. Your action:

1. Expand the Trap options tree and select Routing Instances.

2. Expand the Routing Instances tree and select Source Address, or expand the Trap options tree and select Source Address directly.

3. Configure the following to create and define a source address entry:

• Comment—Enter a comment for the source address.

• Lo0—Choose one of the following as the source address for the trap packets:

  • lo0—The source address of the SNMP trap packets is set to the lowest loopback address configured on the interface lo0.

  • address—The source address of the SNMP trap packets is set to the address you specify. Enter a valid IPv4 address configured on one of the device interfaces.

Configuring SNMP Trap Groups (NSM Procedure)

You can create and name a group of one or more types of SNMP traps and then define which systems receive the group of SNMP traps. The trap group must be configured for SNMP traps to be sent. The trap group name can be any string and is embedded in the community name field of the trap. To configure your own trap group port, use the Destination Port option. The default destination port is port 162. For each trap group that you define, specify:

• At least one system as the recipient of the SNMP traps in the trap group

• The types of traps the trap group can receive

• Routing instance used by the trap group

To configure trap groups in NSM:

1. In the navigation tree, select Device Manager > Devices.

2. In the Devices list, double-click the device to select it.

3. Click the Configuration tab.

4. In the configuration tree, expand SNMP.

5. Select Trap Group.

6. Select the Enable Feature check box.

7. Enter the parameters as specified in Table 84 on page 145.

8. Click one:

• OK—To save the changes.

• Cancel—To cancel the modifications.

• Apply—To apply the SNMP settings.


Table 84: Configuring SNMP Trap Group Fields

Option Function Your Action

Name: Specifies a name for the trap group. Your action: Enter a name for the trap group.

Version: Specifies the version number of the SNMP trap group. Your action: Select the version number for the SNMP trap group from the list.

Destination Port: Specifies the SNMP trap group port number. Your action: Enter a trap group port number.

Routing Instance: Specifies a routing instance for trap targets. Your action: Enter the name of the routing instance.

Categories: Defines the types of traps that are sent to the targets of the named trap group. Your action:

1. Expand the trap-group tree and select Categories.

2. Select the trap type.

NOTE: If you do not configure categories, all trap types are included in trap notifications.

3. On routers, choose an Otn Alarm and a Sonet Alarm for your trap category.

Targets: Specifies the IPv4 or IPv6 address of the systems to receive traps. Your action:

1. Expand the trap-group tree and select Targets.

2. Click the New button or select an OID and click the Edit button.

3. Enter the IPv4 or IPv6 addresses of the system (do not enter hostnames).

Related Documentation

• Configuring Basic System Identification for SNMP (NSM Procedure) on page 117

• Configuring SNMP Communities (NSM Procedure) on page 140

• Configuring SNMP Views (NSM Procedure) on page 139


CHAPTER 11

Configuring Virtual LANs

This section contains the following:

Configuring VLANs (NSM Procedure) on page 147

Configuring VLANs (NSM Procedure)

EX Series switches use bridging and virtual LANs (VLANs) to connect network devices in a LAN—desktop computers, IP telephones, printers, file servers, wireless access points, and others—and to segment the LAN into smaller bridging domains.

To configure a VLAN:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure VLANs.

2. In the Configuration tree, expand Vlans.

3. Select Vlan.

4. In the VLAN screen, click the add or edit icon.

5. Add/modify VLAN settings as specified in Table 85 on page 147.

6. Click one:

• OK—To save the changes.

• Cancel—To cancel the modifications.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 85: VLAN Edit Settings

Option Description Your Action

Vlan Name: Specifies a unique name for the VLAN. Your action: Enter a name.


Description: Describes the VLAN. Your action: Enter a brief description for the VLAN.

Vlan ID: The identifier for the VLAN. Your action: Type a unique identification number from 1 through 4094. If no value is specified, it defaults to 0.

L3 Interface: Specifies the Layer 3 interface on trunk ports to allow the interface to transfer traffic between multiple VLANs. Your action: Type the L3 interface.

Mac Limit: Specifies the MAC address limit. Your action: Select a value from the list.

Mac Table Aging Time: Specifies the maximum time that an entry can remain in the forwarding table before it 'ages out'. Your action: Type the number of seconds from 60 through 1000000.

Filter: Specifies the VLAN firewall filter that is applied to incoming and outgoing packets. Your action: To specify an input and output filter:

1. Click Filter.

2. Specify the filter to be used for incoming and outgoing packets.

Interface: Specifies the interface to be added to the VLAN. Your action: To add an interface, click Interface. Specify the interface to be included as part of the VLAN.


CHAPTER 12

Configuring a Virtual Chassis

This section contains the following:

Configuring a Virtual Chassis on page 149

Configuring a Virtual Chassis

To take advantage of the scalability features of EX4200 switches, you can configure a virtual chassis that includes up to 10 member switches. You can interconnect the member switches using the dedicated virtual chassis ports (VCPs) on the back of the switch. You do not have to configure the interface for the dedicated VCPs.

A virtual chassis can be configured with either:

• preprovisioned configuration—Allows you to deterministically control the member ID and role assigned to a member switch by tying it to its serial number.

• nonprovisioned configuration—The master sequentially assigns a member ID to other member switches. The role is determined by the mastership priority value and other factors in the master election algorithm.

1. Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 149

2. Add a Member to a Virtual Chassis on page 150

Configuring a Virtual Chassis with a Preprovisioned Configuration File

To configure a virtual chassis using a preprovisioned configuration:

1. Make a list of the serial numbers of all the switches to be connected as a virtual chassis.

2. Note the desired role (routing-engine or linecard) of each switch. If you configure the member with a routing-engine role, it is eligible to function as a master or backup. If you configure the member with a linecard role, it is not eligible to become a master or backup.

3. Interconnect the member switches using the dedicated VCPs on the rear panel of switches. See Connecting a Virtual Chassis Cable to an EX4200 Switch.

NOTE: Arrange the switches in sequence, either from top to bottom or from bottom to top (0–9).


4. Power on only the switch that you plan to use as the master switch (SWA-0). Do not power on the other switches at this time.

5. Run the EZ Setup program on SWA-0, specifying the identification parameters. See Connecting and Configuring an EX Series Switch (CLI Procedure) for details.

NOTE: The properties that you specify for SWA-0 apply to the entire virtual chassis, including all the members listed in the preprovisioned configuration file.

6. Specify all the members that you want to include in the virtual chassis, listing each switch’s serial number with the desired member ID and the desired role:

7. Power on the member switches.

NOTE: You cannot modify the mastership priority when you are using a preprovisioned configuration. The mastership priority values are generated automatically and controlled by the role that is assigned to the member switch in the configuration file. The two routing engines are assigned the same mastership priority value. However, the member that was powered on first has higher prioritization according to the master election algorithm. See Understanding How the Master in an EX Series Virtual Chassis Is Elected.

Add a Member to a Virtual Chassis

To add a member switch to a virtual chassis:

1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to add a member switch.

2. In the Configuration tree, expand Virtual Chassis.

3. Select Member.

4. Add/modify member settings for the interface as specified in Table 85 on page 147.

5. Click one:

• OK—To save the changes.

• Cancel—To cancel the modifications.

NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.


Table 86: Virtual Chassis Configuration Fields

Field Function Your Action

Member Details

Name: Specifies the identifier for the member switch. The master switch assigns member IDs. Your action: Select an identifier from the list. Select an ID from 0 through 9.

Mastership Priority: Specifies the mastership priority to be assigned to the member. Your action: Select a number from 1 through 255, with 255 being the highest priority (128 is the default).

Role: Specifies the role to be assigned to the member. Your action: Select the appropriate role.

Serial Number: Specifies the serial number of the member. Your action: Enter the serial number.

No Management VLAN: If you want to reserve an individual member's management Ethernet port for local troubleshooting, you can remove that port from being part of the Virtual Management Ethernet (VME). Your action: Click to disable management VLAN on the port.

Refresh: Refreshes the operational status of virtual chassis members. Your action: Click to refresh the operational status.


PART 2

Index

Index on page 155


Index

Symbols

802.1x authentication, 93

A

aggregated devices, configuring, 13

analyzer
  configuring, 37

B

BGP, configuring, 90

C

chassis alarms, configuring, 14

classifiers
  CoS, 17

client lists
  configuring, 118

code point aliases, 19

commit delay timer
  configuring, 124
  See also nonvolatile

communities
  configuring, 140

confederation
  configuring, 86

configuring virtual chassis, 149

configuring VLANs, 147

CoS classifiers, 17

CoS code point aliases, 19

CoS drop profiles, 21

CoS forwarding classes, 23

CoS interfaces, 24

CoS rewrite rules, 30

CoS scheduler maps, 34

CoS schedulers, 33

customer support, x
  contacting JTAC, x

D

drop profiles, 21

F

fate sharing
  configuring, 81

firewall filter
  policer, 48

firewall filters
  configuring, 45

flow
  configuring, 79

forwarding classes, 23

forwarding table
  configuring, 77

G

generated routes
  configuring, 75

graceful restart
  configuring, 76

GVRP, 95

H

health monitoring
  configuring, 120

I

IGMP
  configuring, 96

IGMP snooping, 98

instance export
  configuring, 85

instance import
  configuring, 85

interface
  configuring, 121

interface routes
  configuring, 84

L

LLDP, 99

LLDP MED, 100

local engine ID
  configuring, 123

M

martian addresses
  configuring, 82

maximum paths
  configuring, 87

maximum prefixes
  configuring, 61

MSTP, 101

multicast
  configuring, 63

multipath
  configuring, 66

O

Options
  configuring, 67

OSPF, 103

P

policer
  configuring, 48

Port Mirroring, 37

port security
  configuring, 39

protocols
  802.1x, 93
  BGP, 90
  GVRP, 95
  IGMP, 96
  IGMP snooping, 98
  LLDP, 99
  LLDP-MED, 100
  OSPF, 103
  protocols, 108
  RIP, 106
  STP, 109
  VRRP, 113
  VSTP, 111

Protocols
  MSTP, 101

R

redundant trunk groups, 38

resolution
  configuring, 68

rewrite rules, 30

rib
  configuring, 71

rib groups
  configuring, 69

RIP, 106

rmon
  configuring, 125

routing engine redundancy, configuring, 15

routing instance access
  configuring, 129

routing options
  confederation, 86
  fate sharing, 81
  flow, 79
  forwarding table, 77
  generated routes, 75
  graceful restart, 76
  instance export, 85
  instance import, 85
  interface routes, 84
  martian addresses, 82
  maximum paths, 87
  maximum prefixes, 61
  multicast, 63
  multipath, 66
  Options

67

resolution..........................................................................

68

rib...........................................................................................

71

rib groups..........................................................................

69

source routing..................................................................

73

Static Routes....................................................................

74

RSTP..........................................................................................

108

S

scheduler maps.......................................................................

34

schedulers..................................................................................

33

secure access port..................................................................

39

SNMP client lists.........................................................................

118

commit delay timer.....................................................

124

See also nonvolatile

communities..................................................................

140

health monitoring.........................................................

120

interface............................................................................

121

local engine ID................................................................

123

rmon..................................................................................

125

routing instance access.............................................

129

traceoptions....................................................................

137

trap groups.....................................................................

144

trap options....................................................................

142

v3.........................................................................................

131

views.................................................................................

139

source routing configuring........................................................................

73

static IP configuring.........................................................................

41

156 Copyright © 2013, Juniper Networks, Inc.

Static Routes, configuring ..... 74
STP ..... 109
support, technical. See technical support

T
technical support
  contacting JTAC ..... x
traceoptions, configuring ..... 137
trap groups
  configuring ..... 144
trap options, configuring ..... 142

V
v3, configuring ..... 131
views
  configuring ..... 139
virtual chassis ..... 149
virtual LAN ..... 147
VLANs ..... 147
VoIP, configuring ..... 42
VRRP ..... 113
VSTP ..... 111
