Junos® OS Layer 2 Bridging and Switching

Junos® OS
Layer 2 Bridging and Switching Library for Security
Devices
Release
12.1X46-D10
Modified: 2016-06-25
Copyright © 2016, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Junos OS Layer 2 Bridging and Switching Library for Security Devices
12.1X46-D10
Copyright © 2016, Juniper Networks, Inc.
All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Part 1
Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
Chapter 1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Bridging and Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Layer 2 Bridging and Transparent Mode Overview . . . . . . . . . . . . . . . . . . . . . . 3
Layer 2 Bridging Exceptions on SRX Series Devices . . . . . . . . . . . . . . . . . . 4
Bridge Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Understanding Bridge Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
IPv6 Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Understanding IPv6 Flows in Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . 6
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Understanding Transparent Mode Conditions . . . . . . . . . . . . . . . . . . . . . . . . . 8
Understanding Layer 2 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Understanding VLAN Retagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Understanding Integrated Routing and Bridging Interfaces . . . . . . . . . . . . . . . 10
Security Zones and Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Understanding Security Policies in Transparent Mode . . . . . . . . . . . . . . . . . . . 12
Understanding Layer 2 Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Understanding Firewall User Authentication in Transparent Mode . . . . . . . . . 14
Understanding Layer 2 Forwarding Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Understanding Layer 2 Transparent Mode Chassis Clusters . . . . . . . . . . . . . . 16
Understanding IP Spoofing in Layer 2 Transparent Mode . . . . . . . . . . . . . . . . 18
Transparent Mode Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Class of Service Functions in Transparent Mode Overview . . . . . . . . . . . . . . . 19
Understanding BA Traffic Classification on Transparent Mode Devices . . . . 20
Understanding Rewrite of Packet Headers on Transparent Mode Devices . . . . . . . . 21
Chapter 2
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Bridge Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Example: Configuring Bridge Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Example: Configuring Layer 2 Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . 24
Example: Configuring VLAN Retagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Example: Configuring an IRB Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Security Zones and Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Example: Configuring Layer 2 Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . 28
Example: Configuring Security Policies in Transparent Mode . . . . . . . . . . . . . 29
Example: Configuring the Default Learning for Unknown MAC Addresses . . . 31
Example: Configuring Redundant Ethernet Interfaces for Layer 2 Transparent Mode Chassis Clusters . . . . 32
Configuring IP Spoofing in Layer 2 Transparent Mode . . . . . . . . . . . . . . . . . . . 33
IPv6 Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Enabling Flow-Based Processing for IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . . 35
Example: Configuring Transparent Mode for IPv6 Flows . . . . . . . . . . . . . . . . 36
Transparent Mode Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Example: Configuring BA Classifiers on Transparent Mode Devices . . . . . . . . 39
Example: Configuring Rewrite Rules on Transparent Mode Devices . . . . . . . . 42
Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Bridge-Domains Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . 46
Class-of-Service Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . 51
Interfaces Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . 55
authentication-order (Access Profile) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
bridge-domains (Bridge Domains) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
bridge-options (Bridge Domains) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
code-points (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
domain-type (Bridge Domains) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
destination-address (Security Policies) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
encapsulation (Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
family inet (Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
family inet6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
flow (Security Flow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
forwarding-classes (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
host-inbound-traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
interface (Bridge Domains) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
interfaces (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
interfaces (Security Zones) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
inet6 (Security Forwarding Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
loss-priority (CoS Loss Priority) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
match (Security Policies) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
native-vlan-id (Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
peer-selection-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
pgcp-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
policy (Security Policies) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
port (Access RADIUS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
profile (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
redundancy-group (Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
routing-interface (Bridge Domains) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
security-zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
shaping-rate (CoS Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
source-address (Security Policies) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
static-mac (Bridge Domains) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
system-services (Security Zones Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . 114
unframed | no-unframed (Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
vlan-id (Bridge Domain) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
vlan-id-list (Bridge Domains) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
vlan-tagging (Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Chapter 3
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
clear security flow ip-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
clear security flow session family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
show igmp-snooping route (View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
show igmp-snooping vlans (View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
show interfaces (View J Series and SRX Series) . . . . . . . . . . . . . . . . . . . . . . . 127
show security flow gate family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
show security flow ip-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
show security flow session family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
show security flow statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
show security flow status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
show security policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
show security zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Part 2
Ethernet Port Switching Feature Guide for Security Devices
Chapter 4
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Ethernet Port Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Ethernet Ports Switching Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Supported Devices and Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Integrated Bridging and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Link Layer Discovery Protocol and LLDP-Media Endpoint Discovery . . . 165
Types of Switch Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
uPIM in a Daisy Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Q-in-Q VLAN Tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Understanding Switching Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Understanding VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Understanding the Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Link Aggregation Control Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Understanding Link Aggregation Control Protocol . . . . . . . . . . . . . . . . . . . . . 175
Link Aggregation Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Link Aggregation Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . 176
802.1X Port-Based Network Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Understanding 802.1X Port-Based Network Authentication . . . . . . . . . . . . . 178
Dynamic VLAN Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
MAC RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Static MAC Bypass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Guest VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
RADIUS Server Failure Fallback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
VoIP VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Server Reject VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Port Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Understanding MAC Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Understanding IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
How IGMP Snooping Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
How Hosts Join and Leave Multicast Groups . . . . . . . . . . . . . . . . . . . . . . 187
GARP VLAN Registration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Understanding GARP VLAN Registration Protocol . . . . . . . . . . . . . . . . . . . . 188
Ethernet OAM Connectivity Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Understanding Ethernet OAM Connectivity Fault Management . . . . . . . . . . 189
Ethernet OAM Link Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Understanding Ethernet OAM Link Fault Management for SRX Series Services Gateways . . . . . 190
Chapter 5
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Ethernet Port Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Example: Configuring Switching Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Verifying Switching Mode Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Example: Configuring VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Configuring the Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Link Aggregation Control Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Example: Configuring Link Aggregation Control Protocol . . . . . . . . . . . . . . . 198
802.1X Port-Based Network Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Example: Configuring 802.1x Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 199
Example: Specifying RADIUS Server Connections on the Device . . . . . . . . 200
Example: Configuring 802.1x Interface Settings . . . . . . . . . . . . . . . . . . . . . . 203
Example: Configuring a Guest VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Example: Configuring MAC Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Example: Configuring IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
GARP VLAN Registration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Example: Configuring GARP VLAN Registration Protocol . . . . . . . . . . . . . . . 210
Ethernet OAM Connectivity Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Example: Configuring Ethernet OAM Connectivity Fault Management . . . . . 211
Creating the Maintenance Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Creating a Maintenance Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Configuring a Maintenance Association End Point . . . . . . . . . . . . . . . . . . . . 222
Configuring the Maintenance Domain MIP Half Function . . . . . . . . . . . . . . . 224
Configuring the Continuity Check Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Configuring the Linktrace Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Ethernet OAM Link Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Example: Configuring Ethernet OAM Link Fault Management . . . . . . . . . . . 226
Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Access Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Class-of-Service Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . 239
authentication-order (Access Profile) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
code-points (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
destination-address (Security Policies) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
family inet (Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
flow (Security Flow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
forwarding-classes (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
host-inbound-traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
interfaces (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
interfaces (Security Zones) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
loss-priority (CoS Loss Priority) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
match (Security Policies) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
native-vlan-id (Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
policy (Security Policies) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
port (Access RADIUS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
profile (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
radius-server (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
redundancy-group (Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
source-address (Security Policies) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
source-address (Access RADIUS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
security-zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
system-services (Security Zones Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . 271
vlan-id (Bridge Domain) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
vlan-id-list (Bridge Domains) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
vlan-tagging (Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Chapter 6
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
clear oam ethernet connectivity-fault-management path-database . . . . . 278
clear oam ethernet connectivity-fault-management statistics . . . . . . . . . . 279
show interfaces (View J Series and SRX Series) . . . . . . . . . . . . . . . . . . . . . . 280
show ethernet-switching table (View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
show ethernet-switching mac-learning-log (View) . . . . . . . . . . . . . . . . . . . 293
show oam ethernet connectivity-fault-management adjacencies . . . . . . . 295
show oam ethernet connectivity-fault-management forwarding-state . . . 296
show oam ethernet connectivity-fault-management interfaces . . . . . . . . . 298
show oam ethernet connectivity-fault-management mep-database . . . . 300
show oam ethernet connectivity-fault-management mep-statistics . . . . . 304
show oam ethernet connectivity-fault-management mip . . . . . . . . . . . . . . 307
show oam ethernet connectivity-fault-management path-database . . . . 308
show oam ethernet connectivity-fault-management routes . . . . . . . . . . . . 310
show oam ethernet link-fault-management . . . . . . . . . . . . . . . . . . . . . . . . . 312
show security flow statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
show security flow status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
show security policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
show security zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Part 3
Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
List of Figures
Part 2
Ethernet Port Switching Feature Guide for Security Devices
Chapter 5
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Figure 1: Ethernet CFM with SRX Series Devices . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Figure 2: Ethernet LFM with SRX Series Devices . . . . . . . . . . . . . . . . . . . . . . . . . . 227
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Part 1
Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
Chapter 1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: MAC Addresses Default Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Chapter 2
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Table 4: Device Status Upon Configuration Change . . . . . . . . . . . . . . . . . . . . . . . . 36
Table 5: IPv6 Transparent Mode Configuration for IPv6 Flows . . . . . . . . . . . . . . . . 37
Chapter 3
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Table 6: show igmp-snooping route Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 123
Table 7: show igmp-snooping vlans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Table 8: show interfaces Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Table 9: show security flow gate family Output Fields . . . . . . . . . . . . . . . . . . . . . 135
Table 10: show security flow ip-action Output Fields . . . . . . . . . . . . . . . . . . . . . . 138
Table 11: show security flow session family Output Fields . . . . . . . . . . . . . . . . . . . 141
Table 12: show security flow statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . 146
Table 13: show security flow status Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 148
Table 14: show security policies Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Table 15: show security zones Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Part 2
Ethernet Port Switching Feature Guide for Security Devices
Chapter 4
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Table 16: Supported Devices and Ports for Switching Features . . . . . . . . . . . . . . 164
Table 17: Supported Mapping Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Table 18: VLAN Configuration Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Table 19: STP Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Table 20: RSTP Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Table 21: MSTP Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Table 22: Spanning-Tree Ports Configuration Details . . . . . . . . . . . . . . . . . . . . . . 174
Table 23: LACP (Link Aggregation Control Protocol) Configuration . . . . . . . . . . . 176
Table 24: Details of Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Table 25: Aggregated Ethernet Interface Options . . . . . . . . . . . . . . . . . . . . . . . . . 177
Table 26: Edit VLAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Table 27: 802.1x Authentication Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Table 28: 802.1x Supplicant Capacities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Table 29: RADIUS Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Table 30: 802.1X Exclusion List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Table 31: 802.1X Port Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Table 32: IGMP Snooping Configuration Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Table 33: GVRP Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Table 34: Supported Interface Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Chapter 6
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Table 35: show interfaces Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Table 36: show ethernet-switching table Output Fields . . . . . . . . . . . . . . . . . . . 288
Table 37: show interfaces Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Table 38: show oam ethernet connectivity-fault-management adjacencies Output Fields . . . . . 295
Table 39: show oam ethernet connectivity-fault-management forwarding-state Output Fields . . . . . 296
Table 40: show oam ethernet connectivity-fault-management interfaces Output Fields . . . . . 298
Table 41: show oam ethernet connectivity-fault-management mep-database Output Fields . . . . . 300
Table 42: show oam ethernet connectivity-fault-management mep-statistics Output Fields . . . . . 304
Table 43: show oam ethernet connectivity-fault-management mip Output Fields . . . . . 307
Table 44: show oam ethernet connectivity-fault-management path-database Output Fields . . . . . 308
Table 45: show oam ethernet connectivity-fault-management routes Output Fields . . . . . 310
Table 46: show oam ethernet link-fault-management Output Fields . . . . . . . . . 312
Table 47: show security flow statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . 317
Table 48: show security flow status Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 319
Table 49: show security policies Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Table 50: show security zones Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
About the Documentation
• Documentation and Release Notes on page xiii
• Supported Platforms on page xiii
• Using the Examples in This Manual on page xiii
• Documentation Conventions on page xv
• Documentation Feedback on page xvii
• Requesting Technical Support on page xvii
Documentation and Release Notes
To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
• J Series
• SRX Series
Using the Examples in This Manual
If you want to use the examples in this manual, you can use the load merge or the load
merge relative command. These commands cause the software to merge the incoming
configuration into the current candidate configuration. The example does not become
active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple
hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example
is a snippet. In this case, use the load merge relative command. These procedures are
described in the following sections.
Merging a Full Example
To merge a full example, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration example into a
text file, save the file with a name, and copy the file to a directory on your routing
platform.
For example, copy the following configuration to a file and name the file ex-script.conf.
Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
2. Merge the contents of the file into your routing platform configuration by issuing the
load merge configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete
Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text
file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file
ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory
on your routing platform.
commit {
    file ex-script-snippet.xsl;
}
2. Move to the hierarchy level that is relevant for this snippet by issuing the following
configuration mode command:
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the
load merge relative configuration mode command:
[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete
For more information about the load command, see the CLI User Guide.
Documentation Conventions
Table 1 on page xv defines notice icons used in this guide.
Table 1: Notice Icons
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 on page xv defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure
Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active
Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute
Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name
Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.
Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub <default-metric metric>;
Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)
Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only
Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]
Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Examples:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }
Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
GUI Conventions
Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.
Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
Layer 2 Bridging and Transparent Mode
Feature Guide for Security Devices
• Overview on page 3
• Configuration on page 23
• Administration on page 119
CHAPTER 1
Overview
• Bridging and Transparent Mode on page 3
• Bridge Domains on page 5
• IPv6 Flows on page 6
• Interfaces on page 8
• Security Zones and Security Policies on page 11
• Transparent Mode Devices on page 19
Bridging and Transparent Mode
• Layer 2 Bridging and Transparent Mode Overview on page 3
Layer 2 Bridging and Transparent Mode Overview
Supported Platforms
SRX Series
For SRX Series devices, transparent mode provides full security services for Layer 2
bridging capabilities. On these SRX Series devices, you can configure one or more bridge
domains to perform Layer 2 bridging. A bridge domain is a set of logical interfaces that
share the same flooding or broadcast characteristics. Like a virtual LAN (VLAN), a bridge
domain spans one or more ports of multiple devices. Thus, the SRX Series device can
function as a Layer 2 switch with multiple bridge domains that participate in the same
Layer 2 network.
In transparent mode, the SRX Series device filters packets that traverse the device without
modifying any of the source or destination information in the IP packet headers.
Transparent mode is useful for protecting servers that mainly receive traffic from untrusted
sources because there is no need to reconfigure the IP settings of routers or protected
servers.
NOTE: Transparent mode is supported on all data and VOIP ALGs.
In transparent mode, all physical ports on the device are assigned to Layer 2 interfaces.
Do not route Layer 3 traffic through the device. Layer 2 zones can be configured to host
Layer 2 interfaces, and security policies can be defined between Layer 2 zones. When
packets travel between Layer 2 zones, security policies can be enforced on these packets.
NOTE: Not all security features are supported in transparent mode:
• NAT is not supported.
• IPsec VPN is not supported.
Layer 2 Bridging Exceptions on SRX Series Devices
The bridging functions on the SRX Series devices are similar to the bridging features on
Juniper Networks MX Series routers. However, the following Layer 2 networking features
on MX Series routers are not supported on SRX Series devices:
• Layer 2 control protocols—These protocols are used on MX Series routers for Rapid Spanning Tree Protocol (RSTP) or Multiple Spanning Tree Protocol (MSTP) in customer edge interfaces of a VPLS routing instance.
• Virtual switch routing instance—The virtual switching routing instance is used on MX Series routers to group one or more bridge domains.
• Virtual private LAN services (VPLS) routing instance—The VPLS routing instance is used on MX Series routers for point-to-multipoint LAN implementations between a set of sites in a VPN.
In addition, the SRX Series devices do not support the following Layer 2 features:
• Spanning Tree Protocol (STP), RSTP, or MSTP—It is the user’s responsibility to ensure that no flooding loops exist in the network topology.
• Internet Group Management Protocol (IGMP) snooping—Host-to-router signaling protocol for IPv4 that hosts use to report their multicast group memberships to neighboring routers, and that routers use to determine whether group members are present during IP multicasting.
• Double-tagged VLANs or IEEE 802.1Q VLAN identifiers encapsulated within 802.1Q packets (also called “Q in Q” VLAN tagging)—Only untagged or single-tagged VLAN identifiers are supported on SRX Series devices.
• Nonqualified VLAN learning, where only the MAC address is used for learning within the bridge domain—VLAN learning on SRX Series devices is qualified; that is, both the VLAN identifier and MAC address are used.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Understanding Bridge Domains on page 5
• Understanding Transparent Mode Conditions on page 8
• Understanding Layer 2 Interfaces on page 9
• Understanding Layer 2 Security Zones on page 12
• Understanding Security Policies in Transparent Mode on page 12
Chapter 1: Overview
Bridge Domains
• Understanding Bridge Domains on page 5
Understanding Bridge Domains
Supported Platforms
SRX Series
The packets that are forwarded within a bridge domain are determined by the VLAN ID
of the packets and the VLAN ID of the bridge domain. Only the packets with VLAN IDs
that match the VLAN ID configured for a bridge domain are forwarded within the bridge
domain.
When configuring bridge domains, you can specify either a single VLAN ID or a list of
specific VLAN IDs. If you specify a list of VLAN IDs, a bridge domain is created for each
VLAN ID in the list. Certain bridge domain properties, such as the integrated routing and
bridging interface (IRB), are not configurable if bridge domains are created in this manner.
Each Layer 2 logical interface configured on the device is implicitly assigned to a bridge
domain based on the VLAN ID of the packets accepted by the interface. You do not need
to explicitly define the logical interfaces when configuring a bridge domain.
You can configure one or more static MAC addresses for a logical interface in a bridge
domain; this is only applicable if you specified a single VLAN ID when creating the bridge
domain.
NOTE: If a static MAC address you configure for a logical interface appears
on a different logical interface, packets sent to that interface are dropped.
You can configure the following properties that apply to all bridge domains on the SRX
Series device:
• Layer 2 address learning—Layer 2 address learning is enabled by default. A bridge domain learns unicast media access control (MAC) addresses to avoid flooding packets to all interfaces in the bridge domain. Each bridge domain creates a source MAC entry in its forwarding tables for each source MAC address learned from packets received on interfaces that belong to the bridge domain. When you disable MAC learning, source MAC addresses are not dynamically learned, and any packets sent to these source addresses are flooded into a bridge domain.
• Maximum number of MAC addresses learned from all logical interfaces on the SRX Series device—After the MAC address limit is reached, the default is for any incoming packets with a new source MAC address to be forwarded. You can specify that the packets be dropped instead. The default limits of MAC addresses for the SRX Series devices are shown in Table 3 on page 6.
Table 3: MAC Addresses Default Limits
SRX Series Devices: Default Limit for MAC Addresses
SRX100: 1024
SRX210, SRX220: 2048
SRX240: 4096
SRX650: 16,384
SRX3400, SRX3600, SRX5600, SRX5800: 131,071
• Timeout interval for MAC table entries. By default, the timeout interval for MAC table entries is 300 seconds. The minimum you can configure is 10 seconds and the maximum is 64,000 seconds. The timeout interval applies only to dynamically learned MAC addresses. This value does not apply to configured static MAC addresses, which never time out.
NOTE: SRX100, SRX210, SRX220, SRX240, and SRX650 devices support
only 16,000 MAC entries.
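The learning rules described in this section (qualified VLAN-plus-MAC learning, the device-wide MAC limit with its default forward or optional drop action, the aging timer for dynamic entries, and static entries that never age and that cause frames from a different interface to be dropped) can be exercised with a small model. The following Python is an added example written for this page; it is not Junos OS code and not Juniper's implementation. The class TransparentModeBridge, its methods, the interface names and the sample frames are constructed for the illustration, and the MAC limit of 2 is deliberately tiny so that the limit behaviour is visible.

```python
"""Model of the qualified Layer 2 MAC learning behaviour described on this page.

Added illustration, not Junos OS code. TransparentModeBridge, forward, run_demo
and the sample frames are constructed for the example.
"""
from dataclasses import dataclass

DEFAULT_AGING_TIME = 300            # seconds; the default stated on the page
MIN_AGING_TIME, MAX_AGING_TIME = 10, 64_000


@dataclass
class Entry:
    interface: str
    learned_at: float
    static: bool = False


class TransparentModeBridge:
    """Forwarding tables for a set of single-VLAN bridge domains.

    Learning is qualified: entries are keyed by (vlan_id, mac), so the same MAC
    address seen in two bridge domains produces two independent entries. The MAC
    limit is device-wide, as on the page, and counts dynamic entries only.
    """

    def __init__(self, vlan_ids, mac_limit, drop_on_limit=False,
                 aging_time=DEFAULT_AGING_TIME, mac_learning=True):
        if not MIN_AGING_TIME <= aging_time <= MAX_AGING_TIME:
            raise ValueError("aging time must be between 10 and 64,000 seconds")
        self.vlan_ids = set(vlan_ids)
        self.mac_limit = mac_limit
        self.drop_on_limit = drop_on_limit      # default: keep forwarding after the limit
        self.aging_time = aging_time
        self.mac_learning = mac_learning
        self.table = {}                         # (vlan_id, mac) -> Entry

    def add_static(self, vlan_id, mac, interface):
        """Static entries never age out."""
        self.table[(vlan_id, mac)] = Entry(interface, 0.0, static=True)

    def dynamic_count(self):
        return sum(1 for e in self.table.values() if not e.static)

    def expire(self, now):
        """Remove dynamic entries older than the aging time."""
        stale = [k for k, e in self.table.items()
                 if not e.static and now - e.learned_at > self.aging_time]
        for key in stale:
            del self.table[key]

    def forward(self, frame, now):
        """Decide what happens to one frame: 'drop', 'flood' or 'out:<interface>'."""
        vlan = frame["vlan"]
        if vlan not in self.vlan_ids:
            return "drop"                       # no bridge domain carries this VLAN ID
        self.expire(now)
        src_key = (vlan, frame["src"])
        entry = self.table.get(src_key)
        if entry is not None and entry.static and entry.interface != frame["in"]:
            return "drop"                       # static MAC appeared on another interface
        if entry is None:
            if not self.mac_learning:
                pass                            # learning disabled: nothing is recorded
            elif self.dynamic_count() < self.mac_limit:
                self.table[src_key] = Entry(frame["in"], now)
            elif self.drop_on_limit:
                return "drop"                   # limit reached and drop action configured
        elif not entry.static:
            entry.interface = frame["in"]       # refresh the dynamic entry
            entry.learned_at = now
        dst = self.table.get((vlan, frame["dst"]))
        return f"out:{dst.interface}" if dst else "flood"


# Constructed frames: (time in seconds, VLAN tag, source/destination MAC, ingress interface).
SAMPLE_FRAMES = [
    (0,   {"vlan": 10, "src": "00:00:5e:00:00:bb", "dst": "00:00:5e:00:00:aa", "in": "ge-0/0/1.0"}),
    (1,   {"vlan": 20, "src": "00:00:5e:00:00:bb", "dst": "00:00:5e:00:00:ff", "in": "ge-0/0/2.0"}),
    (2,   {"vlan": 10, "src": "00:00:5e:00:00:cc", "dst": "00:00:5e:00:00:bb", "in": "ge-0/0/3.0"}),
    (3,   {"vlan": 30, "src": "00:00:5e:00:00:dd", "dst": "00:00:5e:00:00:bb", "in": "ge-0/0/4.0"}),
    (4,   {"vlan": 10, "src": "00:00:5e:00:00:aa", "dst": "00:00:5e:00:00:bb", "in": "ge-0/0/5.0"}),
    (400, {"vlan": 10, "src": "00:00:5e:00:00:aa", "dst": "00:00:5e:00:00:bb", "in": "ge-0/0/0.0"}),
]


def run_demo(drop_on_limit=False):
    """Replay SAMPLE_FRAMES through a bridge with a deliberately small MAC limit."""
    bridge = TransparentModeBridge({10, 20}, mac_limit=2, drop_on_limit=drop_on_limit)
    bridge.add_static(10, "00:00:5e:00:00:aa", "ge-0/0/0.0")
    return [bridge.forward(frame, t) for t, frame in SAMPLE_FRAMES]


if __name__ == "__main__":
    for action, decisions in (("forward", run_demo()), ("drop", run_demo(True))):
        print(f"after the MAC limit, new sources are {action}ed: {decisions}")
```

In the replay, the second frame carries the same source MAC as the first but in VLAN 20, so two entries are learned (qualified learning); the third frame arrives after the limit and is forwarded by default but dropped when the drop action is configured; the frame for VLAN 30 has no bridge domain; the static address arriving on ge-0/0/5.0 is dropped; and at t=400 both dynamic entries have aged out while the static entry is still present.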
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Example: Configuring Bridge Domains on page 23
• Understanding Integrated Routing and Bridging Interfaces on page 10
• Understanding Layer 2 Interfaces on page 9
• Understanding Layer 2 Forwarding Tables on page 14
• Understanding IPv6 Flows in Transparent Mode on page 6
IPv6 Flows
Understanding IPv6 Flows in Transparent Mode
Supported Platforms
SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800
In transparent mode, the SRX Series device filters packets that traverse the device without
modifying any of the source or destination information in the packet MAC headers.
Transparent mode is useful for protecting servers that mainly receive traffic from untrusted
sources because there is no need to reconfigure the IP settings of routers or protected
servers.
A device operates in transparent mode when all physical interfaces on the device are
configured as Layer 2 interfaces. A physical interface is a Layer 2 interface if its logical
interface is configured with the bridge option at the [edit interfaces interface-name unit
unit-number family] hierarchy level. There is no command to define or enable transparent
mode on the device. The device operates in transparent mode when there are interfaces
defined as Layer 2 interfaces. The device operates in route mode (the default mode) if
all physical interfaces are configured as Layer 3 interfaces.
By default, IPv6 flows are dropped on security devices. To enable processing by security
features such as zones, screens, and firewall policies, you must enable flow-based
forwarding for IPv6 traffic with the mode flow-based configuration option at the [edit
security forwarding-options family inet6] hierarchy level. You must reboot the device
when you change the mode.
In transparent mode, you can configure Layer 2 zones to host Layer 2 interfaces, and you
can define security policies between Layer 2 zones. When packets travel between Layer
2 zones, security policies can be enforced on these packets. The following security features
are supported for IPv6 traffic in transparent mode:
• Layer 2 security zones and security policies. See “Understanding Layer 2 Security Zones” on page 12 and “Understanding Security Policies in Transparent Mode” on page 12.
• Firewall user authentication. See “Understanding Firewall User Authentication in Transparent Mode” on page 14.
• Layer 2 transparent mode chassis clusters. See “Understanding Layer 2 Transparent Mode Chassis Clusters” on page 16.
• Class of service functions. See “Class of Service Functions in Transparent Mode Overview” on page 19.
The following security features are not supported for IPv6 flows in transparent mode:
• Logical systems
• IPv6 GTPv2
• J-Web interface
• NAT
• IPsec VPN
• ALGs other than the DNS, FTP, and TFTP ALGs
Configuring bridge domains and Layer 2 logical interfaces for IPv6 flows is the same as
configuring bridge domains and Layer 2 logical interfaces for IPv4 flows. You can optionally
configure an integrated routing and bridging (IRB) interface for management traffic in a
bridge domain. The IRB interface is the only Layer 3 interface allowed in transparent
mode. The IRB interface on the SRX Series device does not support traffic forwarding or
routing. The IRB interface can be configured with both IPv4 and IPv6 addresses. You can
assign an IPv6 address for the IRB interface with the address configuration statement at
the [edit interfaces irb unit number family inet6] hierarchy level. You can assign an IPv4
address for the IRB interface with the address configuration statement at the [edit
interfaces irb unit number family inet] hierarchy level.
The bridging functions on SRX Series devices are similar to the bridging features on Juniper
Networks MX Series routers. However, not all Layer 2 networking features supported on
MX Series routers are supported on SRX Series devices. See “Layer 2 Bridging and
Transparent Mode Overview” on page 3.
The SRX Series device maintains forwarding tables that contain MAC addresses and
associated interfaces for each Layer 2 bridge domain. The IPv6 flow processing is similar
to IPv4 flows. See “Understanding Layer 2 Forwarding Tables” on page 14.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Enabling Flow-Based Processing for IPv6 Traffic on page 35
• Example: Configuring Transparent Mode for IPv6 Flows on page 36
• Understanding Transparent Mode Conditions on page 8
• Understanding Layer 2 Interfaces on page 9
• Understanding VLAN Retagging on page 10
• Understanding Integrated Routing and Bridging Interfaces on page 10
Interfaces
Understanding Transparent Mode Conditions
Supported Platforms
SRX Series
A device operates in Layer 2 transparent mode when all physical interfaces on the device
are configured as Layer 2 interfaces. A physical interface is a Layer 2 interface if its logical
interface is configured with the bridge family.
There is no command to define or enable transparent mode on the device. The device
operates in transparent mode when there are interfaces defined as Layer 2 interfaces.
The device operates in route mode (the default mode) if there are no physical interfaces
configured as Layer 2 interfaces.
NOTE: The SRX Series device can operate in either route mode or transparent
mode, but not in both modes at the same time. Changing the mode requires a
reboot of the device.
You can configure the fxp0 out-of-band management interface on the SRX Series device
as a Layer 3 interface, even if Layer 2 interfaces are defined on the device. With the
exception of the fxp0 interface, you must not define Layer 2 and Layer 3 interfaces on
the device’s network ports.
NOTE: There is no fxp0 out-of-band management interface on the SRX100,
SRX210, SRX220, SRX240, and SRX650 devices.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Example: Configuring Layer 2 Logical Interfaces on page 24
• Understanding Layer 2 Interfaces on page 9
Understanding Layer 2 Interfaces
Supported Platforms
SRX Series
Layer 2 logical interfaces are created by defining one or more logical units on a physical
interface with the family address type bridge. If a physical interface has a bridge family
logical interface, it cannot have any other family type in its logical interfaces. A logical
interface can be configured in one of the following modes:
• Access mode—Interface accepts untagged packets, assigns the specified VLAN identifier to the packet, and forwards the packet within the bridge domain that is configured with the matching VLAN identifier.
• Trunk mode—Interface accepts any packet tagged with a VLAN identifier that matches a specified list of VLAN identifiers. Trunk mode interfaces are generally used to interconnect switches. To configure a VLAN identifier for untagged packets received on the physical interface, use the native-vlan-id option. If the native-vlan-id option is not configured, untagged packets are dropped.
Tagged packets arriving on a trunk mode interface can be rewritten or “retagged” with
a different VLAN identifier. This allows incoming packets to be selectively redirected
to a firewall or other security device.
NOTE: Multiple trunk mode logical interfaces can be defined, as long as the
VLAN identifiers of a trunk interface do not overlap with those of another
trunk interface. The native-vlan-id must belong to a VLAN identifier list
configured for a trunk interface.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Example: Configuring Layer 2 Logical Interfaces on page 24
• Understanding Transparent Mode Conditions on page 8
Understanding VLAN Retagging
Supported Platforms
SRX Series
The VLAN identifier in packets arriving on a Layer 2 trunk port can be rewritten or
“retagged” with a different internal VLAN identifier. VLAN retagging is a symmetric
operation; upon exiting the same trunk port, the retagged VLAN identifier is replaced with
the original VLAN identifier. VLAN retagging provides a way to selectively screen incoming
packets and redirect them to a firewall or other security device without affecting other
VLAN traffic.
VLAN retagging can be applied only to interfaces configured as Layer 2 trunk interfaces.
These interfaces can include redundant Ethernet interfaces in a Layer 2 transparent mode
chassis cluster configuration.
NOTE: If a trunk port is configured for VLAN retagging, untagged packets
received on the port cannot be assigned a VLAN identifier with the VLAN
retagging configuration. To configure a VLAN identifier for untagged packets
received on the physical interface, use the native-vlan-id statement.
To configure VLAN retagging for a Layer 2 trunk interface, specify a one-to-one mapping
of the following:
• Incoming VLAN identifier—VLAN identifier of the incoming packet that is to be retagged. This VLAN identifier must not be the same VLAN identifier configured with the native-vlan-id statement for the trunk port.
• Internal VLAN identifier—VLAN identifier for the retagged packet. This VLAN identifier must be in the VLAN identifier list for the trunk port and must not be the same VLAN identifier configured with the native-vlan-id statement for the trunk port.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Example: Configuring VLAN Retagging on page 25
• Example: Configuring Layer 2 Logical Interfaces on page 24
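As an added example (not from this document and not Juniper's code), the following Python models the retagging rules of the Understanding VLAN Retagging section: a one-to-one map applied when a tagged frame enters the trunk and reversed when it leaves, the native-vlan-id rule for untagged frames, and the configuration constraints on the incoming and internal identifiers. TrunkPort, check_config, run_demo and the sample VLAN values are constructed names and values; the model does not cover how native-VLAN frames are tagged on egress, which the section does not describe.

```python
"""Model of the trunk-port VLAN retagging rules described on this page.

Added illustration, not Junos OS code. TrunkPort, check_config, run_demo and
the sample VLAN values are constructed for the example.
"""


class TrunkPort:
    """A Layer 2 trunk interface with an optional native VLAN and a retag map."""

    def __init__(self, vlan_id_list, native_vlan_id=None, retag=None):
        self.vlan_id_list = set(vlan_id_list)
        self.native_vlan_id = native_vlan_id
        self.retag = dict(retag or {})          # incoming VLAN ID -> internal VLAN ID
        self._validate()
        # Retagging is symmetric: the reverse map restores the original tag on egress.
        self.restore = {internal: incoming for incoming, internal in self.retag.items()}

    def _validate(self):
        if self.native_vlan_id is not None and self.native_vlan_id not in self.vlan_id_list:
            raise ValueError("native-vlan-id must belong to the trunk's VLAN identifier list")
        if len(set(self.retag.values())) != len(self.retag):
            raise ValueError("retagging must be a one-to-one mapping")
        for incoming, internal in self.retag.items():
            if internal not in self.vlan_id_list:
                raise ValueError(f"internal VLAN {internal} is not in the VLAN identifier list")
            if self.native_vlan_id in (incoming, internal):
                raise ValueError("neither VLAN in a retag mapping may be the native VLAN")

    def ingress(self, tag):
        """Internal VLAN a received frame is bridged in; None means the frame is dropped.

        tag is the 802.1Q VLAN ID of the frame, or None for an untagged frame.
        """
        if tag is None:
            return self.native_vlan_id          # untagged: only native-vlan-id classifies it
        if tag in self.retag:
            return self.retag[tag]              # rewritten to the internal identifier
        return tag if tag in self.vlan_id_list else None

    def egress(self, internal_vlan):
        """VLAN ID written into a frame leaving this trunk: the original tag if it was retagged."""
        return self.restore.get(internal_vlan, internal_vlan)


def check_config(vlan_id_list, native_vlan_id=None, retag=None):
    """Return None for a consistent trunk configuration, otherwise the error text."""
    try:
        TrunkPort(vlan_id_list, native_vlan_id, retag)
    except ValueError as err:
        return str(err)
    return None


def run_demo():
    """Walk constructed tags through a trunk that redirects VLAN 100 to internal VLAN 10.

    Returns (tag on arrival, internal VLAN, tag on departure) for each frame.
    """
    trunk = TrunkPort([10, 20, 30], native_vlan_id=30, retag={100: 10})
    return [(tag, trunk.ingress(tag), trunk.egress(trunk.ingress(tag)))
            for tag in (100, 20, None, 99)]


if __name__ == "__main__":
    for arrived, internal, departed in run_demo():
        print(f"tag {arrived!s:>4} -> bridged in VLAN {internal!s:>4} -> leaves tagged {departed}")
```

The frame tagged 100 is bridged in VLAN 10 and leaves tagged 100 again, VLAN 20 passes unchanged, the untagged frame is classified by the native VLAN, and VLAN 99 is dropped because it is in neither the list nor the retag map. check_config shows each of the section's constraints being rejected.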
Understanding Integrated Routing and Bridging Interfaces
Supported Platforms
SRX Series
For bridge domains configured with a single VLAN identifier, you can optionally configure
an integrated routing and bridging (IRB) interface for management traffic in the bridge
domain. An IRB interface acts as a Layer 3 routing interface for a bridge domain.
NOTE: If you specify a VLAN identifier list in the bridge domain configuration,
you cannot configure an IRB interface for the bridge domain.
Currently the IRB interface on the SRX Series device does not support traffic forwarding
or routing. In transparent mode, packets arriving on a Layer 2 interface that are destined
for the device’s MAC address are classified as Layer 3 traffic while packets that are not
destined for the device’s MAC address are classified as Layer 2 traffic. Packets destined
for the device’s MAC address are sent to the IRB interface. Packets from the device’s
routing engine are sent out the IRB interface.
You create an IRB logical interface in a similar manner as a Layer 3 interface, but the IRB
interface does not support traffic forwarding or routing. The IRB interface cannot be
assigned to a security zone; however, you can configure certain services on a per-zone
basis to allow host-inbound traffic for management of the device. This allows you to
control the type of traffic that can reach the device from interfaces bound to a specific
zone.
NOTE:
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, we support an IRB interface that allows you to terminate management connections in transparent mode. However, you cannot route traffic on that interface or terminate IPsec VPNs.
• You can configure only one IRB logical interface for each bridge domain.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Example: Configuring an IRB Interface on page 27
• Understanding Bridge Domains on page 5
• Example: Configuring Bridge Domains on page 23
Security Zones and Security Policies
• Understanding Security Policies in Transparent Mode on page 12
• Understanding Layer 2 Security Zones on page 12
• Understanding Firewall User Authentication in Transparent Mode on page 14
• Understanding Layer 2 Forwarding Tables on page 14
• Understanding Layer 2 Transparent Mode Chassis Clusters on page 16
• Understanding IP Spoofing in Layer 2 Transparent Mode on page 18
Copyright © 2016, Juniper Networks, Inc.
11
Layer 2 Bridging and Switching Library for Security Devices
Understanding Security Policies in Transparent Mode
Supported Platforms
SRX Series
In transparent mode, security policies can be configured only between Layer 2 zones.
When packets are forwarded through the bridge domain, the security policies are applied
between security zones. A security policy for transparent mode is similar to a policy
configured for Layer 3 zones, with the following exceptions:
• NAT is not supported.
• IPsec VPN is not supported.
• Application ANY is used.
Layer 2 forwarding does not permit any interzone traffic unless there is a policy explicitly
configured on the device. By default, Layer 2 forwarding performs the following actions:
• Allows or denies traffic specified by the configured policy.
• Allows Address Resolution Protocol (ARP) and Layer 2 non-IP multicast and broadcast traffic. The device can receive and pass Layer 2 broadcast traffic for STP.
• Continues to block all non-IP and non-ARP unicast traffic.
This default behavior can be changed for bridge packet flow by using either J-Web or the
CLI configuration editor:
• Configure the block-non-ip-all option to block all Layer 2 non-IP and non-ARP traffic, including multicast and broadcast traffic.
• Configure the bypass-non-ip-unicast option to allow all Layer 2 non-IP traffic to pass through the device.
NOTE: You cannot configure both options at the same time.
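The default Layer 2 forwarding rules and the two bridge packet-flow options above, as an added Python model of the decision (this is illustrative code, not Juniper's implementation); the sample frames and the policy callback are constructed for the demonstration.

```python
from dataclasses import dataclass
from enum import Enum

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_ARP = 0x0806


class NonIpOption(Enum):
    """The default behaviour plus the two mutually exclusive bridge packet-flow options."""
    DEFAULT = "default"
    BLOCK_NON_IP_ALL = "block-non-ip-all"
    BYPASS_NON_IP_UNICAST = "bypass-non-ip-unicast"


@dataclass(frozen=True)
class Frame:
    dst_mac: str    # e.g. "01:80:c2:00:00:00"
    ethertype: int  # values below 0x0600 are 802.3 length fields (LLC frames such as STP BPDUs)


def select_option(configured):
    """Validate the configured option set: both options at once is rejected, as the NOTE states."""
    chosen = {o for o in configured if o is not NonIpOption.DEFAULT}
    if len(chosen) > 1:
        raise ValueError("block-non-ip-all and bypass-non-ip-unicast cannot both be configured")
    return chosen.pop() if chosen else NonIpOption.DEFAULT


def is_group_address(mac):
    """Multicast and broadcast MAC addresses have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def l2_forwarding_decision(frame, option, policy_permits):
    """Return 'permit' or 'deny' for an interzone frame in transparent mode.

    policy_permits stands in for the configured Layer 2 security policy; it is
    consulted only for IP traffic (application any in transparent mode).
    """
    if frame.ethertype in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
        return "permit" if policy_permits(frame) else "deny"
    if frame.ethertype == ETHERTYPE_ARP:
        return "permit"                  # ARP is allowed under every option
    if option is NonIpOption.BYPASS_NON_IP_UNICAST:
        return "permit"                  # all non-IP traffic passes
    if option is NonIpOption.BLOCK_NON_IP_ALL:
        return "deny"                    # non-IP, non-ARP blocked, multicast and broadcast included
    # default: non-IP multicast and broadcast (e.g. STP BPDUs) pass, non-IP unicast is blocked
    return "permit" if is_group_address(frame.dst_mac) else "deny"


if __name__ == "__main__":
    # constructed sample frames
    samples = [
        Frame("00:11:22:33:44:55", ETHERTYPE_IPV4),   # IP unicast, decided by policy
        Frame("ff:ff:ff:ff:ff:ff", ETHERTYPE_ARP),    # ARP broadcast
        Frame("01:80:c2:00:00:00", 0x0026),           # STP BPDU: LLC frame, length field
        Frame("00:11:22:33:44:55", 0x8847),           # non-IP unicast (MPLS)
    ]
    for opt in NonIpOption:
        for f in samples:
            print(f"{opt.value:22} {f.dst_mac} {f.ethertype:#06x} "
                  f"{l2_forwarding_decision(f, opt, lambda fr: True)}")
```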
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Building Blocks Library for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Transparent Mode Conditions on page 8
• Example: Configuring Security Policies in Transparent Mode on page 29
• Example: Configuring Layer 2 Security Zones on page 28
Understanding Layer 2 Security Zones
Supported Platforms
SRX Series
A Layer 2 security zone is a zone that hosts Layer 2 interfaces. A security zone can be
either a Layer 2 or Layer 3 zone; it can host either all Layer 2 interfaces or all Layer 3
interfaces, but it cannot contain a mix of Layer 2 and Layer 3 interfaces.
The security zone type—Layer 2 or Layer 3—is implicitly set from the first interface
configured for the security zone. Subsequent interfaces configured for the same security
zone must be the same type as the first interface.
NOTE: You cannot configure a device with both Layer 2 and Layer 3 security
zones.
You can configure the following properties for Layer 2 security zones:
• Interfaces—List of interfaces in the zone.
• Policies—Active security policies that enforce rules for the transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on the traffic as it passes through the firewall.
• Screens—A Juniper Networks stateful firewall secures a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another. For every security zone, and the MGT zone, you can enable a set of predefined screen options that detect and block various kinds of traffic that the device determines as potentially harmful.
NOTE: You can configure the same screen options for a Layer 2 security zone as for a Layer 3 security zone.
• Address books—IP addresses and address sets that make up an address book to identify its members so that you can apply policies to them.
• TCP-RST—When this feature is enabled, the system sends a TCP segment with the reset flag set when traffic arrives that does not match an existing session and does not have the synchronize flag set.
In addition, you can configure a Layer 2 zone for host-inbound traffic. This allows you to
specify the kinds of traffic that can reach the device from systems that are directly
connected to the interfaces in the zone. You must specify all expected host-inbound
traffic because inbound traffic from devices directly connected to the device's interfaces
is dropped by default.
Related Documentation
• Junos OS Building Blocks Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Layer 2 Interfaces on page 9
• Understanding Transparent Mode Conditions on page 8
• Example: Configuring Layer 2 Security Zones on page 28
• Example: Configuring Layer 2 Logical Interfaces on page 24
Understanding Firewall User Authentication in Transparent Mode
Supported Platforms
SRX Series
A firewall user is a network user who must provide a username and password for
authentication when initiating a connection across the firewall. Firewall user authentication
enables administrators to restrict and permit users accessing protected resources behind
a firewall based on their source IP address and other credentials. Junos OS supports the
following types of firewall user authentication for transparent mode on the SRX Series
device:
• Pass-through authentication—A host or a user from one zone tries to access resources on another zone. You must use an FTP, Telnet, or HTTP client to access the IP address of the protected resource and be authenticated by the firewall. The device uses FTP, Telnet, or HTTP to collect username and password information, and subsequent traffic from the user or host is allowed or denied based on the result of this authentication.
• Web authentication—Users try to connect, by using HTTP, to an IP address on the IRB interface that is enabled for Web authentication. You are prompted for the username and password that are verified by the device. Subsequent traffic from the user or host to the protected resource is allowed or denied based on the result of this authentication.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS User Authentication Library for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Integrated Routing and Bridging Interfaces on page 10
• Example: Configuring an IRB Interface on page 27
Understanding Layer 2 Forwarding Tables
Supported Platforms
SRX Series
The SRX Series device maintains forwarding tables that contain MAC addresses and
associated interfaces for each Layer 2 bridge domain. When a packet arrives with a new
source MAC address in its frame header, the device adds the MAC address to its forwarding
table and tracks the interface at which the packet arrived. The table also contains the
corresponding interface through which the device can forward traffic for a particular MAC
address.
If the destination MAC address of a packet is unknown to the device (that is, the
destination MAC address in the packet does not have an entry in the forwarding table),
the device duplicates the packet and floods it on all interfaces in the bridge domain other
than the interface on which the packet arrived. This is known as packet flooding and is
the default behavior for the device to determine the outgoing interface for an unknown
destination MAC address. Packet flooding is performed at two levels: packets are flooded
to different zones as permitted by configured Layer 2 security policies, and packets are
also flooded to different interfaces with the same VLAN identifier within the same zone.
The device learns the forwarding interface for the MAC address when a reply with that
MAC address arrives at one of its interfaces.
You can specify that the SRX Series device use ARP queries and trace-route requests
(which are ICMP echo requests with the time-to-live values set to 1) instead of packet
flooding to locate an unknown destination MAC address. This method is considered more
secure than packet flooding because the device floods ARP queries and trace-route
packets—not the initial packet—on all interfaces. When ARP or trace-route flooding is
used, the original packet is dropped. The device broadcasts an ARP or ICMP query to all
other devices on the same subnetwork, requesting the device at the specified destination
IP address to send back a reply. Only the device with the specified IP address replies,
which provides the requestor with the MAC address of the responder.
ARP allows the device to discover the destination MAC address for a unicast packet if
the destination IP address is in the same subnetwork as the ingress IP address. (The
ingress IP address refers to the IP address of the last device to send the packet to the
device. The device might be the source that sent the packet or a router forwarding the
packet.) Trace-route allows the device to discover the destination MAC address even if
the destination IP address belongs to a device in a subnetwork beyond that of the ingress
IP address.
When you enable ARP queries to locate an unknown destination MAC address, trace-route
requests are also enabled. You can also optionally specify that trace-route requests not
be used; however, the device can then discover destination MAC addresses for unicast
packets only if the destination IP address is in the same subnetwork as the ingress IP
address.
Whether you enable ARP queries and trace-route requests or ARP-only queries to locate
unknown destination MAC addresses, the SRX Series device performs the following series
of actions:
1. The device notes the destination MAC address in the initial packet. The device adds the source MAC address and its corresponding interface to its forwarding table, if they are not already there.
2. The device drops the initial packet.
3. The device generates an ARP query packet and optionally a trace-route packet and
floods those packets out all interfaces except the interface on which the initial packet
arrived.
ARP packets are sent out with the following field values:
• Source IP address set to the IP address of the IRB
• Destination IP address set to the destination IP address of the original packet
• Source MAC address set to the MAC address of the IRB
• Destination MAC address set to the broadcast MAC address (all 0xf)
Trace-route (ICMP echo request or ping) packets are sent out with the following field values:
• Source IP address set to the IP address of the original packet
• Destination IP address set to the destination IP address of the original packet
• Source MAC address set to the source MAC address of the original packet
• Destination MAC address set to the destination MAC address of the original packet
• Time-to-live (TTL) set to 1
4. Combining the destination MAC address from the initial packet with the interface
leading to that MAC address, the device adds a new entry to its forwarding table.
5. The device forwards all subsequent packets it receives for the destination MAC address
out the correct interface to the destination.
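The forwarding-table learning, unknown-MAC flooding and the five-step ARP/trace-route discovery procedure above, as an added Python simulation of one bridge domain (illustrative code, not Juniper's implementation). Interface names, the IRB address and MAC, and the mac_limit parameter (modelled on the global-mac-limit statement with packet-action drop) are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Packet:
    in_if: str            # interface the packet arrived on
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int = 64
    kind: str = "data"    # "data", "arp-request" or "icmp-echo-request"


class BridgeDomain:
    """Forwarding table of one bridge domain with the three ways of locating an
    unknown destination MAC: packet flooding (default), ARP plus trace-route, or ARP only."""

    def __init__(self, interfaces, irb_ip, irb_mac, mode="flood", mac_limit=None):
        if mode not in ("flood", "arp-traceroute", "arp-only"):
            raise ValueError(mode)
        self.interfaces = list(interfaces)
        self.irb_ip, self.irb_mac = irb_ip, irb_mac
        self.mode = mode
        self.mac_limit = mac_limit   # assumption: models global-mac-limit N packet-action drop
        self.table = {}              # MAC address -> interface it was learned on

    def learn(self, mac, ifname):
        """Source-MAC learning. Returns False when the MAC limit blocks a new entry."""
        if mac not in self.table and self.mac_limit is not None \
                and len(self.table) >= self.mac_limit:
            return False
        self.table[mac] = ifname
        return True

    def process(self, pkt):
        """Return (action, sends); sends is a list of (out_interface, packet) pairs."""
        if not self.learn(pkt.src_mac, pkt.in_if):
            return "drop", []                        # limit reached: new source MAC dropped
        if pkt.dst_mac in self.table:
            return "forward", [(self.table[pkt.dst_mac], pkt)]
        others = [i for i in self.interfaces if i != pkt.in_if]
        if self.mode == "flood":                     # default: copies of the original packet
            return "flood", [(i, pkt) for i in others]
        # ARP/trace-route: the original packet is dropped and only the queries are flooded
        queries = [Packet(pkt.in_if, self.irb_mac, BROADCAST_MAC,
                          self.irb_ip, pkt.dst_ip, kind="arp-request")]
        if self.mode == "arp-traceroute":            # same addresses as the original, TTL 1
            queries.append(replace(pkt, ttl=1, kind="icmp-echo-request"))
        return "drop", [(i, q) for i in others for q in queries]

    def can_discover(self, dst_ip, ingress_prefix):
        """ARP resolves only destinations in the ingress IP's subnetwork; trace-route
        also reaches destinations beyond it, so ARP-only mode cannot learn those."""
        net = ipaddress.ip_network(ingress_prefix, strict=False)
        return self.mode != "arp-only" or ipaddress.ip_address(dst_ip) in net

    def reply_received(self, mac, ifname):
        """Step 4: the reply to a query arrives; the destination MAC is now known."""
        self.table[mac] = ifname


if __name__ == "__main__":
    # constructed topology and packet
    bd = BridgeDomain(["ge-0/0/0.0", "ge-0/0/1.0", "ge-0/0/2.0"],
                      "10.1.1.1", "00:10:db:ff:10:01", mode="arp-traceroute")
    pkt = Packet("ge-0/0/0.0", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02", "10.1.1.10", "10.1.1.20")
    print(bd.process(pkt))                           # dropped, 2 queries x 2 interfaces
    bd.reply_received("00:aa:bb:cc:dd:02", "ge-0/0/2.0")
    print(bd.process(pkt))                           # now forwarded out ge-0/0/2.0
```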
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Integrated Routing and Bridging Interfaces on page 10
• Example: Configuring an IRB Interface on page 27
• Example: Configuring the Default Learning for Unknown MAC Addresses on page 31
Understanding Layer 2 Transparent Mode Chassis Clusters
Supported Platforms
SRX Series
A pair of SRX Series devices in Layer 2 transparent mode can be connected in a chassis
cluster to provide network node redundancy. When configured in a chassis cluster, one
node acts as the primary device and the other as the secondary device, ensuring stateful
failover of processes and services in the event of system or hardware failure. If the primary
device fails, the secondary device takes over processing of traffic.
NOTE: If the primary device fails in a Layer 2 transparent mode chassis cluster,
the physical ports in the failed device become inactive (go down) for a few
seconds before they become active (come up) again.
To form a chassis cluster, a pair of the same kind of supported SRX Series devices
combines to act as a single system that enforces the same overall security.
Devices in Layer 2 transparent mode can be deployed in active/backup and active/active
chassis cluster configurations.
The following chassis cluster features are not supported for devices in Layer 2 transparent
mode:
• Gratuitous ARP—The newly elected master in a redundancy group cannot send gratuitous ARP requests to notify network devices of a change in mastership on the redundant Ethernet interface links.
• IP address monitoring—Failure of an upstream device cannot be detected.
A redundancy group is a construct that includes a collection of objects on both nodes. A
redundancy group is primary on one node and backup on the other. When a redundancy
group is primary on a node, its objects on that node are active. When a redundancy group
fails over, all its objects fail over together.
You can create one or more redundancy groups numbered 1 through 128 for an
active/active chassis cluster configuration. Each redundancy group contains one or more
redundant Ethernet interfaces. A redundant Ethernet interface is a pseudointerface that
contains physical interfaces from each node of the cluster. The physical interfaces in a
redundant Ethernet interface must be the same kind—either Fast Ethernet or Gigabit
Ethernet. If a redundancy group is active on node 0, then the child links of all associated
redundant Ethernet interfaces on node 0 are active. If the redundancy group fails over
to the node 1, then the child links of all redundant Ethernet interfaces on node 1 become
active.
NOTE: In the active/active chassis cluster configuration, the maximum
number of redundancy groups is equal to the number of redundant Ethernet
interfaces that you configure. In the active/backup chassis cluster
configuration, the maximum number of redundancy groups supported is two.
Configuring redundant Ethernet interfaces on a device in Layer 2 transparent mode is
similar to configuring redundant Ethernet interfaces on a device in Layer 3 route mode,
with the following difference: the redundant Ethernet interface on a device in Layer 2
transparent mode is configured as a Layer 2 logical interface.
The redundant Ethernet interface may be configured as either an access interface (with
a single VLAN ID assigned to untagged packets received on the interface) or as a trunk
interface (with a list of VLAN IDs accepted on the interface and, optionally, a native-vlan-id
for untagged packets received on the interface). Physical interfaces (one from each node
in the chassis cluster) are bound as child interfaces to the parent redundant Ethernet
interface.
In Layer 2 transparent mode, MAC learning is based on the redundant Ethernet interface.
The MAC table is synchronized across redundant Ethernet interfaces and Services
Processing Units (SPUs) between the pair of chassis cluster devices.
The IRB interface is used only for management traffic, and it cannot be assigned to any
redundant Ethernet interface or redundancy group.
All Junos OS screen options that are available for a single, nonclustered device are
available for devices in Layer 2 transparent mode chassis clusters.
NOTE: Spanning-tree protocols are not supported for Layer 2 transparent
mode. You should ensure that there are no loop connections in the
deployment topology.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Chassis Cluster Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Layer 2 Interfaces on page 9
• Example: Configuring Layer 2 Logical Interfaces on page 24
• Understanding Transparent Mode Conditions on page 8
• Example: Configuring Redundant Ethernet Interfaces for Layer 2 Transparent Mode Chassis Clusters on page 32
• Understanding Layer 2 Forwarding Tables on page 14
Understanding IP Spoofing in Layer 2 Transparent Mode
Supported Platforms
SRX Series
In an IP spoofing attack, the attacker gains access to a restricted area of the network
and inserts a false source address in the packet header to make the packet appear to
come from a trusted source. IP spoofing is most frequently used in denial-of-service
(DoS) attacks. When SRX Series devices are operating in transparent mode, the IP
spoof-checking mechanism makes use of address book entries. Address books only exist
on the Routing Engine. IP spoofing in Layer 2 transparent mode is performed on the Packet
Forwarding Engine. Address book information cannot be obtained from the Routing
Engine each time a packet is received by the Packet Forwarding Engine. Therefore, address
books attached to the Layer 2 zones must be pushed to the Packet Forwarding Engine.
NOTE: IP spoofing in Layer 2 transparent mode does not support DNS and
wildcard addresses.
When a packet is received by the Packet Forwarding Engine, the packet’s source IP
address is checked to determine if it is in the incoming zone’s address-book. If the packet’s
source IP address is in the incoming zone’s address book, then this IP address is allowed
on the interface, and traffic is passed.
If the source IP address is not present in the incoming zone’s address-book, but exists in
other zones’, then the IP address is considered a spoofed IP. Accordingly, actions such
as drop and logging can be taken depending on the screen configuration
(alarm-without-drop).
NOTE: If the alarm-without-drop option is configured, the Layer 2 spoofing
packet only triggers an alarm message, but the packet is not dropped.
If a packet’s source IP address is not present in the incoming zone’s address book or other
zones’, then you cannot determine if the IP is spoofed or not. In such instances, the packet
is passed.
Junos OS takes into account the following match conditions while it searches for source
IP addresses in the address book:
• Host-match—The IP address match found in the address book is an address without a prefix.
• Prefix-match—The IP address match found in the address book is an address with a prefix.
• Any-match—The IP address match found in the address book is “any”, “any-IPv4”, or “any-IPv6”.
• No-match—No IP address match is found.
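The transparent-mode spoof check described above (incoming-zone match passes, a match only in another zone is spoofed, no match anywhere passes) together with the four match conditions, as an added Python model that is not Juniper's implementation; zone names, address-book entries and source addresses are constructed, and the alarm_without_drop flag stands in for the screen option of that name.

```python
import ipaddress

ANY_ENTRIES = {"any": None, "any-ipv4": 4, "any-ipv6": 6}
SPECIFICITY = {"host-match": 3, "prefix-match": 2, "any-match": 1}


def entry_match(entry, src_ip):
    """Classify one address-book entry against a source IP.

    Returns 'any-match', 'host-match', 'prefix-match' or None. DNS names and
    wildcard addresses are rejected because the Layer 2 spoof check does not
    support them (the entries pushed to the Packet Forwarding Engine are IP only).
    """
    key = entry.lower()
    if key in ANY_ENTRIES:
        version = ANY_ENTRIES[key]
        return "any-match" if version in (None, src_ip.version) else None
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        raise ValueError(f"unsupported address-book entry {entry!r}: DNS and "
                         "wildcard addresses are not supported in Layer 2 transparent mode") from exc
    if net.version != src_ip.version or src_ip not in net:
        return None
    # an address without a prefix is a single host; anything shorter is a prefix
    return "host-match" if net.prefixlen == net.max_prefixlen else "prefix-match"


def zone_match(address_book, src_ip):
    """Most specific match condition found in one zone's address book, or 'no-match'."""
    found = []
    for entry in address_book:
        kind = entry_match(entry, src_ip)
        if kind:
            found.append(kind)
    return max(found, key=SPECIFICITY.__getitem__) if found else "no-match"


def spoof_check(zone_books, incoming_zone, src_ip_str, alarm_without_drop=False):
    """Apply the spoof check to a packet's source IP arriving in incoming_zone.

    zone_books maps each Layer 2 zone name to its address-book entries.
    Returns (verdict, detail): verdict is 'pass', 'drop' or 'alarm', where
    'alarm' means alarm-without-drop is set, so the packet is logged but still passed.
    """
    src_ip = ipaddress.ip_address(src_ip_str)
    match = zone_match(zone_books[incoming_zone], src_ip)
    if match != "no-match":
        return "pass", match                       # source belongs on this zone's interfaces
    for zone, book in zone_books.items():
        if zone == incoming_zone:
            continue
        other = zone_match(book, src_ip)
        if other != "no-match":                    # known address, wrong zone: spoofed
            verdict = "alarm" if alarm_without_drop else "drop"
            return verdict, f"spoofed ({other} in zone {zone})"
    return "pass", "no-match"                      # unknown everywhere: cannot decide, passed


if __name__ == "__main__":
    # constructed zone address books
    books = {"l2-trust": ["10.1.1.0/24", "10.1.2.5"], "l2-untrust": ["203.0.113.0/24"]}
    for zone, src in [("l2-trust", "10.1.1.7"), ("l2-untrust", "10.1.1.7"), ("l2-untrust", "192.0.2.9")]:
        print(zone, src, spoof_check(books, zone, src))
```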
Related Documentation
• Configuring IP Spoofing in Layer 2 Transparent Mode on page 33
Transparent Mode Devices
• Class of Service Functions in Transparent Mode Overview on page 19
• Understanding BA Traffic Classification on Transparent Mode Devices on page 20
• Understanding Rewrite of Packet Headers on Transparent Mode Devices on page 21
Class of Service Functions in Transparent Mode Overview
Supported Platforms
SRX Series
Devices operating in Layer 2 transparent mode support the following class-of-service
(CoS) functions:
• IEEE 802.1p behavior aggregate (BA) classifiers to determine the forwarding treatment for packets entering the device
NOTE: Only IEEE 802.1p BA classifier types are supported on devices operating in transparent mode.
• Rewrite rules to redefine IEEE 802.1 CoS values in outgoing packets
NOTE: Rewrite rules that redefine IP precedence CoS values and Differentiated Services Code Point (DSCP) CoS values are not supported on devices operating in transparent mode.
• Shapers to apply rate limiting to an interface
• Schedulers that define the properties of an output queue
You configure BA classifiers and rewrite rules on transparent mode devices in the same
way as on devices operating in Layer 3 mode. For transparent mode devices, however,
you apply BA classifiers and rewrite rules only to logical interfaces configured with the
family bridge configuration statement.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS CoS Library for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Transparent Mode Conditions on page 8
• Understanding BA Traffic Classification on Transparent Mode Devices on page 20
• Example: Configuring BA Classifiers on Transparent Mode Devices on page 39
Understanding BA Traffic Classification on Transparent Mode Devices
Supported Platforms
SRX Series
A BA classifier checks the header information of an ingress packet. The resulting traffic
classification consists of a forwarding class (FC) and packet loss priority (PLP). The FC
and PLP associated with a packet specify the CoS behavior of a hop within the system.
For example, a hop can place a packet into a priority queue according to its FC, and
manage queues by checking the packet's PLP. Junos OS supports up to eight FCs and
four PLPs.
NOTE: MPLS EXP bit-based traffic classification is not supported.
BA classification can be applied within one DiffServ domain. BA classification can also
be applied between two domains, where each domain honors the CoS results generated
by the other domain. Junos OS performs BA classification for a packet by examining its
Layer 2 and Layer 3 CoS-related parameters. Those parameters include the following:
• Layer 2—IEEE 802.1p: User Priority
• Layer 3—IPv4 Precedence, IPv4 DSCP, IPv6 DSCP
On SRX Series devices in transparent mode, a BA classifier evaluates only Layer 2 parameters. On SRX Series devices in Layer 3 mode, a BA classifier can evaluate Layer 2 and Layer 3 parameters; in that case, classification resulting from Layer 3 parameters overrides that of Layer 2 parameters.
On SRX Series devices in transparent mode, you specify one of four PLP levels—high,
medium-high, medium-low, or low—when configuring a BA classifier.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Transparent Mode Conditions on page 8
• Class of Service Functions in Transparent Mode Overview on page 19
• Example: Configuring BA Classifiers on Transparent Mode Devices on page 39
Understanding Rewrite of Packet Headers on Transparent Mode Devices
Supported Platforms
SRX Series
Before a packet is transmitted from an interface, the CoS fields in the packet's header
can be rewritten for the forwarding class (FC) and packet loss priority (PLP) of the packet.
The rewriting function converts a packet's FC and PLP into corresponding CoS fields in
the packet header. In Layer 2 transparent mode, the CoS fields are the IEEE 802.1p priority
bits.
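BA classification (the preceding section) and the rewrite of the 802.1p bits (this section), as one added Python model that is not Junos code: it extracts the user priority from the 802.1Q tag, applies a classifier, and rewrites the priority bits from the resulting FC and PLP. The classifier and rewrite tables are constructed for the example, not the Junos defaults; only the FC and PLP names and the limits of eight FCs and four PLPs come from the text.

```python
# Assumed (constructed) classifier tables; FC and PLP names are the Junos ones.
PLP_LEVELS = ("low", "medium-low", "medium-high", "high")   # the four PLP levels
MAX_FORWARDING_CLASSES = 8                                   # Junos supports up to eight FCs

IEEE8021P_CLASSIFIER = {            # 802.1p user priority (3 bits) -> (FC, PLP)
    0: ("best-effort", "low"),            1: ("best-effort", "high"),
    2: ("assured-forwarding", "low"),     3: ("assured-forwarding", "high"),
    4: ("expedited-forwarding", "low"),   5: ("expedited-forwarding", "high"),
    6: ("network-control", "low"),        7: ("network-control", "high"),
}
DSCP_CLASSIFIER = {                 # Layer 3 parameter, evaluated only in Layer 3 (route) mode
    0: ("best-effort", "low"),
    46: ("expedited-forwarding", "low"),
    48: ("network-control", "low"),
}
# Rewrite rule: (FC, PLP) -> 802.1p user priority written into outgoing packets
REWRITE_8021P = {fc_plp: pcp for pcp, fc_plp in IEEE8021P_CLASSIFIER.items()}


def validate_classifier(table):
    """Reject tables that exceed eight forwarding classes or use an unknown PLP."""
    fcs = {fc for fc, _ in table.values()}
    if len(fcs) > MAX_FORWARDING_CLASSES:
        raise ValueError("a classifier may map to at most eight forwarding classes")
    bad = [plp for _, plp in table.values() if plp not in PLP_LEVELS]
    if bad:
        raise ValueError(f"unknown PLP levels: {bad}")
    return True


def pcp_from_tci(tci):
    """IEEE 802.1p user priority = top 3 bits of the 16-bit 802.1Q Tag Control Information."""
    return (tci >> 13) & 0x7


def classify(tci, dscp, mode):
    """BA classification of an ingress packet, returning (FC, PLP).

    mode "transparent": only the Layer 2 parameter (802.1p) is evaluated.
    mode "route": Layer 3 (DSCP) classification overrides the Layer 2 result when
    the DSCP classifier has a match.
    """
    if mode not in ("transparent", "route"):
        raise ValueError(mode)
    result = IEEE8021P_CLASSIFIER[pcp_from_tci(tci)]
    if mode == "route" and dscp is not None and dscp in DSCP_CLASSIFIER:
        result = DSCP_CLASSIFIER[dscp]
    return result


def rewrite_tci(tci, fc, plp):
    """Rewrite rule on egress: replace the 802.1p bits for (FC, PLP); DEI and VID are kept."""
    pcp = REWRITE_8021P[(fc, plp)]
    return (tci & 0x1FFF) | (pcp << 13)


if __name__ == "__main__":
    tci = (3 << 13) | 100                 # constructed tag: priority 3, VLAN 100
    print(classify(tci, 46, "transparent"))   # 802.1p only
    print(classify(tci, 46, "route"))         # DSCP overrides
    print(hex(rewrite_tci(tci, "expedited-forwarding", "low")))
```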
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Transparent Mode Conditions on page 8
• Example: Configuring Rewrite Rules on Transparent Mode Devices on page 42
CHAPTER 2
Configuration
• Bridge Domains on page 23
• Interfaces on page 24
• Security Zones and Security Policies on page 28
• IPv6 Flows on page 35
• Transparent Mode Devices on page 39
• Configuration Statements on page 45
Bridge Domains
• Example: Configuring Bridge Domains on page 23
Example: Configuring Bridge Domains
Supported Platforms
SRX Series
This example shows how to configure bridge domains.
• Requirements on page 23
• Overview on page 23
• Configuration on page 24
• Verification on page 24
Requirements
Before you begin, determine the properties you want to configure for the bridge domain.
See “Understanding Bridge Domains” on page 5.
Overview
In this example, you configure bridge domain bd1 for VLANs 1 and 10, and bridge domain
bd2 for VLAN 2. You then limit the number of MAC addresses learned on all logical
interfaces on the device to 64,000. When this limit is reached, incoming packets with a
new source MAC address will be dropped.
Configuration
Step-by-Step
Procedure
To configure bridge domains:
1. Configure the domain type and VLANs.
[edit]
user@host# set bridge-domains bd1 vlan-id-list 1-10
user@host# set bridge-domains bd2 vlan-id 2
2. Limit the number of MAC addresses.
[edit]
user@host# set protocols l2-learning global-mac-limit 64000 packet-action drop
3. If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify the configuration is working properly, enter the show bridge-domains and show
protocols l2-learning commands.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Understanding Integrated Routing and Bridging Interfaces on page 10
• Understanding Layer 2 Interfaces on page 9
• Understanding Layer 2 Forwarding Tables on page 14
• Example: Configuring Layer 2 Logical Interfaces on page 24
• Example: Configuring VLAN Retagging on page 25
• Example: Configuring an IRB Interface on page 27
Interfaces
Example: Configuring Layer 2 Logical Interfaces
Supported Platforms
SRX Series
This example shows how to configure a Layer 2 logical interface as a trunk port so that
the incoming packets can be selectively redirected to a firewall or other security device.
• Requirements on page 25
• Overview on page 25
• Configuration on page 25
• Verification on page 25
Requirements
Before you begin, configure the bridge domains. See “Example: Configuring Bridge
Domains” on page 23.
Overview
In this example, you configure logical interface ge-3/0/0.0 as a trunk port that carries
traffic for packets tagged with VLAN identifiers 1 through 10; this interface is implicitly
assigned to the previously configured bridge domains bd1 and bd2. Then you assign a
VLAN ID of 10 to any untagged packets received on physical interface ge-3/0/0.
Configuration
Step-by-Step
Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure a Layer 2 logical interface as a trunk port:
1. Configure the logical interface.
[edit interfaces ge-3/0/0]
user@host# set unit 0 family bridge interface-mode trunk vlan-id-list 1-10
2. Specify a VLAN ID for untagged packets.
[edit interfaces ge-3/0/0]
user@host# set vlan-tagging native-vlan-id 10
3. If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify the configuration is working properly, enter the show interfaces ge-3/0/0 and
show interfaces ge-3/0/0.0 commands.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Layer 2 Interfaces on page 9
• Understanding Transparent Mode Conditions on page 8
• Example: Configuring Layer 2 Security Zones on page 28
Example: Configuring VLAN Retagging
Supported Platforms
SRX Series
This example shows how to configure VLAN retagging on a Layer 2 trunk interface to
selectively screen incoming packets and redirect them to a security device without
affecting other VLAN traffic.
• Requirements on page 26
• Overview on page 26
• Configuration on page 26
• Verification on page 26
Requirements
Before you begin, determine the mapping you want to include for the VLAN retagging.
See “Understanding VLAN Retagging” on page 10.
Overview
In this example, you create a Layer 2 trunk interface called ge-3/0/0 and configure it to
receive packets with VLAN identifiers 1 through 10. Packets that arrive on the interface
with VLAN identifier 11 are retagged with VLAN identifier 2. Before exiting the trunk
interface, VLAN identifier 2 in the retagged packets is replaced with VLAN identifier 11.
All VLAN identifiers in the retagged packets change back when you exit the trunk interface.
Configuration
Step-by-Step
Procedure
To configure VLAN retagging on a Layer 2 trunk interface:
1. Create a Layer 2 trunk interface.
[edit]
user@host# set interfaces ge-3/0/0 unit 0 family bridge interface-mode trunk vlan-id-list 1-10
2. Configure VLAN retagging.
[edit]
user@host# set interfaces ge-3/0/0 unit 0 family bridge vlan-rewrite translate 11 2
3. If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify the configuration is working properly, enter the show interfaces ge-3/0/0
command.
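The trunk-port behaviour of the two interface examples above (vlan-id-list acceptance, native-vlan-id for untagged packets, and vlan-rewrite translate 11 2 with the tag changing back on egress), as an added Python model rather than Junos code; the interface name and frame payloads are constructed, and the list syntax accepted by expand_vlan_id_list is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional


def expand_vlan_id_list(spec):
    """Expand a vlan-id-list such as "1-10" or "1-10 20 30-32" into VLAN IDs (assumed syntax)."""
    ids = []
    for item in spec.split():
        lo, _, hi = item.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


@dataclass(frozen=True)
class Frame:
    vlan_id: Optional[int]   # None = untagged on the wire
    payload: bytes


class TrunkInterface:
    """A Layer 2 logical interface in interface-mode trunk."""

    def __init__(self, name, vlan_id_list, native_vlan_id=None, translate=None):
        self.name = name
        self.accepted = set(expand_vlan_id_list(vlan_id_list))   # vlan-id-list
        self.native_vlan_id = native_vlan_id                      # vlan-tagging native-vlan-id
        # vlan-rewrite translate <from> <to>: tag on the wire -> VLAN bridged inside the device
        self.ingress_map: Dict[int, int] = dict(translate or {})
        self.egress_map = {inner: outer for outer, inner in self.ingress_map.items()}

    def ingress(self, frame):
        """VLAN the arriving frame is bridged in, or None when the frame is not accepted."""
        vid = frame.vlan_id
        if vid is None:
            if self.native_vlan_id is None:
                return None                 # untagged without a native-vlan-id: not accepted
            vid = self.native_vlan_id       # untagged packets get the native VLAN ID
        vid = self.ingress_map.get(vid, vid)   # retag (11 -> 2) before the list is checked
        return vid if vid in self.accepted else None

    def egress(self, vlan_id, payload):
        """Frame as it leaves the trunk: a retagged VLAN changes back (2 -> 11)."""
        if vlan_id not in self.accepted:
            raise ValueError(f"VLAN {vlan_id} is not carried by {self.name}")
        return Frame(self.egress_map.get(vlan_id, vlan_id), payload)


if __name__ == "__main__":
    trunk = TrunkInterface("ge-3/0/0.0", "1-10", native_vlan_id=10, translate={11: 2})
    for f in (Frame(11, b"a"), Frame(None, b"b"), Frame(5, b"c"), Frame(20, b"d")):
        print(f.vlan_id, "->", trunk.ingress(f))
    print("egress VLAN 2 ->", trunk.egress(2, b"x").vlan_id)
```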
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Example: Configuring Layer 2 Logical Interfaces on page 24
Example: Configuring an IRB Interface
Supported Platforms
SRX Series
This example shows how to configure an IRB interface so it can act as a Layer 3 routing
interface for a bridge domain.
• Requirements on page 27
• Overview on page 27
• Configuration on page 27
• Verification on page 28
Requirements
Before you begin, configure a bridge domain with a single VLAN identifier. See “Example:
Configuring Bridge Domains” on page 23.
Overview
In this example, you configure the IRB logical interface unit 0 with the family type inet
and IP address 10.1.1.1/24, and then reference the IRB interface irb.0 in the bd2 bridge
domain configuration. Then you enable Web authentication on the IRB interface and
activate the webserver on the device.
NOTE: To complete the Web authentication configuration, you must perform the following tasks:
• Define the access profile and password for a Web authentication client.
• Define the security policy that enables Web authentication for the client.
Either a local database or an external authentication server can be used as the Web authentication server.
Configuration
Step-by-Step
Procedure
To configure an IRB interface:
1. Create a Layer 2 trunk interface.
[edit]
user@host# set interfaces ge-1/0/0 unit 0 family bridge interface-mode trunk vlan-id-list 2
2. Create an IRB logical interface.
[edit]
user@host# set interfaces irb unit 0 family inet address 10.1.1.1/24 web-authentication http
3. Create a Layer 2 VLAN.
[edit]
user@host# set bridge-domains bd2 vlan-id 2
4. Reference the IRB interface in a bridge domain.
[edit]
user@host# set bridge-domains bd2 routing-interface irb.0
5. Activate the webserver.
[edit]
user@host# set system services web-management http
6. If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify the configuration is working properly, enter the show interfaces irb and show bridge-domains commands.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Building Blocks Library for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Integrated Routing and Bridging Interfaces on page 10
• Example: Configuring Layer 2 Security Zones on page 28
• Understanding Bridge Domains on page 5
Security Zones and Security Policies
• Example: Configuring Layer 2 Security Zones on page 28
• Example: Configuring Security Policies in Transparent Mode on page 29
• Example: Configuring the Default Learning for Unknown MAC Addresses on page 31
• Example: Configuring Redundant Ethernet Interfaces for Layer 2 Transparent Mode Chassis Clusters on page 32
• Configuring IP Spoofing in Layer 2 Transparent Mode on page 33
Example: Configuring Layer 2 Security Zones
Supported Platforms
SRX Series
This example shows how to configure Layer 2 security zones.
• Requirements on page 29
• Overview on page 29
• Configuration on page 29
• Verification on page 29
Chapter 2: Configuration
Requirements
Before you begin, determine the properties you want to configure for the Layer 2 security
zone. See “Understanding Layer 2 Security Zones” on page 12.
Overview
In this example, you configure security zone l2-zone1 to include a Layer 2 logical interface
called ge-3/0/0.0 and security zone l2-zone2 to include a Layer 2 logical interface called
ge-3/0/1.0. Then you configure l2-zone2 to allow all supported application services (such
as SSH, Telnet, and SNMP) as host-inbound traffic.
Configuration
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure Layer 2 security zones:
1. Create a Layer 2 security zone and assign interfaces to it.
[edit security zones]
user@host# set security-zone l2-zone1 interfaces ge-3/0/0.0
user@host# set security-zone l2-zone2 interfaces ge-3/0/1.0
2. Configure one of the Layer 2 security zones.
[edit security zones]
user@host# set security-zone l2-zone2 host-inbound-traffic system-services all
3. If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify the configuration is working properly, enter the show security zones command.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Example: Configuring Security Policies in Transparent Mode on page 29
• Example: Configuring Layer 2 Logical Interfaces on page 24
Example: Configuring Security Policies in Transparent Mode
Supported Platforms
SRX Series
This example shows how to configure security policies in transparent mode between
Layer 2 zones.
• Requirements on page 30
• Overview on page 30
• Configuration on page 30
• Verification on page 31
Requirements
Before you begin, determine the policy behavior you want to include in the Layer 2 security
zone. See “Understanding Security Policies in Transparent Mode” on page 12.
Overview
In this example, you configure a security policy to allow HTTP traffic from the 10.1.1.1/24
subnetwork in the l2-zone1 security zone to the server at 20.1.1.1/32 in the l2-zone2
security zone.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set security policies from-zone l2-zone1 to-zone l2-zone2 policy p1 match source-address 10.1.1.1/24
set security policies from-zone l2-zone1 to-zone l2-zone2 policy p1 match destination-address 20.1.1.1/32
set security policies from-zone l2-zone1 to-zone l2-zone2 policy p1 match application junos-http
set security policies from-zone l2-zone1 to-zone l2-zone2 policy p1 then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure security policies in transparent mode:
1. Create policies and assign addresses to the interfaces for the zones.
[edit security policies]
user@host# set from-zone l2-zone1 to-zone l2-zone2 policy p1 match source-address 10.1.1.1/24
user@host# set from-zone l2-zone1 to-zone l2-zone2 policy p1 match destination-address 20.1.1.1/32
2. Set policies for the application.
[edit security policies]
user@host# set from-zone l2-zone1 to-zone l2-zone2 policy p1 match application junos-http
user@host# set from-zone l2-zone1 to-zone l2-zone2 policy p1 then permit
Results
From configuration mode, confirm your configuration by entering the show security policies
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
[edit]
user@host# show security policies
from-zone l2-zone1 to-zone l2-zone2 {
policy p1 {
match {
source-address 10.1.1.1/24;
destination-address 20.1.1.1/32;
application junos-http;
}
then {
permit;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
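As an added illustration (not Juniper code), the following Python models how the policy p1 shown above is evaluated against sample flows and how anything it does not match falls to the default deny. The APPLICATIONS table, the POLICIES tuple layout and the flow dictionary keys are assumptions of this model; the zone names, prefixes and application come from the example.

```python
# Added example, not Juniper code: a model of how the transparent-mode
# policy p1 configured above is evaluated. Assumptions: junos-http is the
# predefined application for TCP destination port 80, policies are checked
# in order within their from-zone/to-zone context, and a flow matching no
# policy falls to the default deny. The source prefix 10.1.1.1/24 has host
# bits set; the model treats it as the 10.1.1.0/24 network (strict=False).
from ipaddress import ip_address, ip_network

# Subset of the predefined applications (assumed mapping for this model).
APPLICATIONS = {"junos-http": ("tcp", 80)}

# Policy tuples: (from-zone, to-zone, name, source, destination, application, action)
POLICIES = [
    ("l2-zone1", "l2-zone2", "p1", "10.1.1.1/24", "20.1.1.1/32", "junos-http", "permit"),
]


def evaluate(flow, policies=POLICIES):
    """Return (policy name, action) for a flow described as a dict with
    from_zone, to_zone, src, dst, proto and dport keys."""
    src = ip_address(flow["src"])
    dst = ip_address(flow["dst"])
    for from_zone, to_zone, name, src_pfx, dst_pfx, app, action in policies:
        if (from_zone, to_zone) != (flow["from_zone"], flow["to_zone"]):
            continue  # policies are scoped to one zone pair
        if src not in ip_network(src_pfx, strict=False):
            continue
        if dst not in ip_network(dst_pfx, strict=False):
            continue
        if (flow["proto"], flow["dport"]) != APPLICATIONS[app]:
            continue
        return name, action
    return "default-deny", "deny"  # nothing matched: default policy applies


def sample_flows():
    """Constructed flows exercising the policy configured in this example."""
    base = {"from_zone": "l2-zone1", "to_zone": "l2-zone2",
            "src": "10.1.1.50", "dst": "20.1.1.1", "proto": "tcp", "dport": 80}
    return {
        "http_to_server": base,
        "https_to_server": {**base, "dport": 443},
        "reverse_direction": {**base, "from_zone": "l2-zone2", "to_zone": "l2-zone1",
                              "src": "20.1.1.1", "dst": "10.1.1.50"},
        "other_subnet": {**base, "src": "10.1.2.5"},
    }


if __name__ == "__main__":
    for label, flow in sample_flows().items():
        print(f"{label:18s} -> {evaluate(flow)}")
```

Only the HTTP flow in the l2-zone1 to l2-zone2 direction is permitted; return traffic is handled by the session, not by a reverse policy, and any other port, source or direction is denied.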
Verification
To confirm that the configuration is working properly, perform these tasks:
• Verifying Layer 2 Security Policies on page 31
Verifying Layer 2 Security Policies
Purpose
Verify that the Layer 2 security policies are configured properly.
Action
From configuration mode, enter the show security policies command.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Transparent Mode Conditions on page 8
• Example: Configuring Layer 2 Security Zones on page 28
Example: Configuring the Default Learning for Unknown MAC Addresses
Supported Platforms
SRX Series
This example shows how to configure the device to use only ARP requests to learn the
outgoing interfaces for unknown destination MAC addresses.
• Requirements on page 32
• Overview on page 32
• Configuration on page 32
• Verification on page 32
Requirements
Before you begin, determine the MAC addresses and associated interfaces of the
forwarding table. See “Understanding Layer 2 Forwarding Tables” on page 14.
Overview
In this example, you configure the device to use only ARP queries without trace-route
requests.
Configuration
Step-by-Step Procedure
To configure the device to use only ARP requests to learn unknown destination MAC
addresses:
1. Configure the device to learn unknown destination MAC addresses with ARP queries only, without trace-route requests.
[edit]
user@host# set security flow bridge no-packet-flooding no-trace-route
2. If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify the configuration is working properly, enter the show security flow command.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Integrated Routing and Bridging Interfaces on page 10
• Example: Configuring an IRB Interface on page 27
Example: Configuring Redundant Ethernet Interfaces for Layer 2 Transparent Mode Chassis Clusters
Supported Platforms
SRX Series
This example shows how to configure a redundant Ethernet interface on a device as a
Layer 2 logical interface for a Layer 2 transparent mode chassis cluster.
• Requirements on page 32
• Overview on page 33
• Configuration on page 33
• Verification on page 33
Requirements
Before you begin, determine the devices you want to connect in a chassis cluster. See
“Understanding Layer 2 Transparent Mode Chassis Clusters” on page 16.
Overview
This example shows you how to configure the redundant Ethernet interface as a Layer
2 logical interface and how to bind the physical interfaces (one from each node in the
chassis cluster) to the redundant Ethernet interface. In this example, you create redundant
Ethernet interface reth0 for redundancy group 1 and configure reth0 as an access interface
with the VLAN identifier 1. Then you assign physical interface ge-2/0/2 on a chassis cluster
node to the redundant Ethernet interface reth0.
Configuration
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure a redundant Ethernet interface as a Layer 2 logical interface:
1. Configure the interfaces and redundancy group.
[edit interfaces]
user@host# set reth0 redundant-ether-options redundancy-group 1
user@host# set reth0 unit 0 family bridge interface-mode access vlan-id 1
2. Assign a physical interface on a chassis cluster node.
[edit interfaces]
user@host# set ge-2/0/2 gigether-options redundant-parent reth0
3. If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify the configuration is working properly, enter the show interfaces reth0 and show
interfaces ge-2/0/2 commands.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Chassis Cluster Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Transparent Mode Conditions on page 8
• Understanding Layer 2 Transparent Mode Chassis Clusters on page 16
• Understanding Layer 2 Forwarding Tables on page 14
Configuring IP Spoofing in Layer 2 Transparent Mode
Supported Platforms
SRX Series
You can configure the IP spoof-checking mechanism to determine whether an IP address
is being spoofed.
To configure IP spoofing in Layer 2 transparent mode:
1. Set the interface in Layer 2 transparent mode.
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family bridge
NOTE: If the interface is in Layer 2 mode, the device is in Layer 2 mode. If
the interface is switched between Layer 3 and Layer 2 mode, the system
must be rebooted.
2. (Optional) Set the zone in Layer 2 transparent mode.
[edit]
user@host# set security zones security-zone untrust interfaces ge-0/0/1.0
3. Configure the address book.
[edit]
user@host# set security address-book my-book address myadd1 10.1.1.0/24
user@host# set security address-book my-book address myadd2 10.1.2.0/24
4. Apply the address book to the zone.
[edit]
user@host# set security address-book my-book attach zone untrust
5. Configure screen IP spoofing.
[edit]
user@host# set security screen ids-option my-screen ip spoofing
6. Apply the screen to the zone.
[edit]
user@host# set security zones security-zone untrust screen my-screen
7. (Optional) Configure the alarm-without-drop option.
[edit]
user@host# set security screen ids-option my-screen alarm-without-drop
NOTE: If the alarm-without-drop option is configured, the Layer 2 spoofing
packet only triggers an alarm message, but the packet is not dropped.
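The following Python is an added model (not Juniper code) of the spoof check the steps above configure: a packet entering zone untrust is compared against the address book attached to that zone, and the alarm-without-drop option decides whether a miss is only logged or also dropped. The ZoneSpoofScreen class, the verdict strings and the sample packets are constructed for this model; the "trust" zone used in one sample is a placeholder not in the example.

```python
# Added example, not Juniper code: a model of the Layer 2 IP spoofing
# screen configured in the steps above. Assumed behaviour: a packet entering
# the zone is treated as spoofed when its source address is in none of the
# address-book prefixes attached to that zone; with alarm-without-drop the
# packet is logged and still forwarded, otherwise it is dropped.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ZoneSpoofScreen:
    zone: str
    prefixes: list                      # address book attached to the zone
    ip_spoofing: bool = True            # "ids-option my-screen ip spoofing"
    alarm_without_drop: bool = False    # "ids-option my-screen alarm-without-drop"
    alarms: list = field(default_factory=list)

    def inspect(self, ingress_zone: str, src_ip: str) -> str:
        """Return the verdict for an ingress packet: forward, alarm or drop."""
        if ingress_zone != self.zone or not self.ip_spoofing:
            return "forward"            # screen is not applied to this zone
        src = ip_address(src_ip)
        if any(src in net for net in self.prefixes):
            return "forward"            # source belongs to the zone's address book
        self.alarms.append(
            f"IP spoofing: source {src_ip} entering zone {self.zone} "
            f"is not in the attached address book")
        return "alarm" if self.alarm_without_drop else "drop"


def untrust_screen(alarm_without_drop=False):
    """Build the screen for the my-book / my-screen configuration above."""
    book = [ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24")]  # myadd1, myadd2
    return ZoneSpoofScreen("untrust", book, alarm_without_drop=alarm_without_drop)


def run_samples(alarm_without_drop=False):
    """Constructed ingress packets; returns (verdicts, alarm log)."""
    screen = untrust_screen(alarm_without_drop)
    packets = [("untrust", "10.1.1.25"), ("untrust", "10.1.2.200"),
               ("untrust", "203.0.113.9"),   # not in my-book: spoofed
               ("trust", "203.0.113.9")]     # placeholder zone without the screen
    verdicts = [(src, screen.inspect(zone, src)) for zone, src in packets]
    return verdicts, screen.alarms


if __name__ == "__main__":
    for flag in (False, True):
        verdicts, alarms = run_samples(alarm_without_drop=flag)
        print(f"alarm-without-drop={flag}: {verdicts}")
        for line in alarms:
            print("  ", line)
```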
Related Documentation
• Understanding IP Spoofing in Layer 2 Transparent Mode on page 18
IPv6 Flows
• Enabling Flow-Based Processing for IPv6 Traffic on page 35
• Example: Configuring Transparent Mode for IPv6 Flows on page 36
Enabling Flow-Based Processing for IPv6 Traffic
Supported Platforms
J Series, LN Series, SRX Series
By default, the SRX Series or J Series device drops IP version 6 (IPv6) traffic. To enable
processing by security features such as zones, screens, and firewall policies, you must
enable flow-based forwarding for IPv6 traffic.
To enable flow-based forwarding for IPv6 traffic, modify the mode statement at the [edit
security forwarding-options family inet6] hierarchy level:
security {
forwarding-options {
family {
inet6 {
mode flow-based;
}
}
}
}
The following example shows the CLI commands you use to configure forwarding for
IPv6 traffic.
1. Use the set command to change the forwarding option mode for IPv6 to flow-based.
[edit]
user@host# set security forwarding-options family inet6 mode flow-based
2. Use the show command to review your configuration.
[edit]
user@host# show security forwarding-options
family {
inet6 {
mode flow-based;
}
}
3. Check your changes to the configuration before committing.
[edit]
user@host# commit check
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
configuration check succeeds
4. Commit the configuration.
[edit]
user@host# commit
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
commit complete
5. At an appropriate time, reboot the device.
NOTE: SRX Series and J Series devices only process IPv6 Routing Header 0
(RH0) to-self packets, the segleft field of which is zero. Other packets will
be dropped.
Table 4 on page 36 summarizes device status upon forwarding option configuration
change.
Table 4: Device Status Upon Configuration Change

Configuration Change        Commit Warning  Reboot Required  Impact on Existing Traffic Before Reboot  Impact on New Traffic Before Reboot
Drop to flow-based          Yes             Yes              Dropped                                   Dropped
Drop to packet-based        No              No               Packet-based                              Packet-based
Flow-based to packet-based  Yes             Yes              None                                      Flow sessions created
Flow-based to drop          Yes             Yes              None                                      Flow sessions created
Packet-based to flow-based  Yes             Yes              Packet-based                              Packet-based
Packet-based to drop        No              No               Dropped                                   Dropped
To process IPv6 traffic, you also need to configure IPv6 addresses for the transit interfaces
that receive and forward the traffic. For information on the inet6 protocol family and
procedures for configuring IPv6 addresses for interfaces, see the Junos OS Interfaces
Library for Security Devices.
Related Documentation
• Flow-Based Processing Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Understanding IP Version 6 (IPv6)
• Using Filters to Display IPv6 Session and Flow Information for SRX Series Services Gateways
Example: Configuring Transparent Mode for IPv6 Flows
Supported Platforms
SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800
This example shows how to configure bridge domains, a Layer 2 interface, and an IRB
interface that supports both IPv4 and IPv6 addresses. This example also shows how to
configure the device to use only ARP requests to learn the outgoing interfaces for unknown
destination MAC addresses.
• Requirements on page 37
• Overview on page 37
• Configuration on page 37
• Verification on page 39
Requirements
The device must be enabled for IPv6 flow processing. See “Enabling Flow-Based
Processing for IPv6 Traffic” on page 35.
Overview
This example creates the configuration described in Table 5 on page 37.
Table 5: IPv6 Transparent Mode Configuration for IPv6 Flows

Feature                              Name        Configuration Parameters
Bridge domains                       bd1         VLAN 2
                                     bd2         VLAN 10
Logical interface                    ge-0/0/0.0  Trunk port for packets tagged with VLAN IDs 1 through 10
Physical interface                   ge-0/0/0    VLAN ID 30 assigned to untagged packets
IRB interface                        irb.0       Addresses: IPv4 address 10.1.1.1/24; IPv6 address 2:10::1/64.
                                                 Referenced in bd2 bridge domain
Learn the outgoing interfaces for                Use only ARP queries without trace-route requests
unknown destination MAC addresses
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set bridge-domains bd1 vlan-id 2
set bridge-domains bd2 vlan-id-list 1-10
set interfaces ge-0/0/0 vlan-tagging native-vlan-id 30
set interfaces ge-0/0/0 unit 0 family bridge interface-mode trunk vlan-id-list 1-10
set interfaces irb unit 0 family inet address 10.1.1.1/24
set interfaces irb unit 0 family inet6 address 2:10::1/64
set bridge-domains bd2 routing-interface irb.0
set security flow bridge no-packet-flooding no-trace-route
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure transparent mode for IPv6 flows:
1. Configure bridge domains.
[edit bridge-domains]
user@host# set bd1 vlan-id 2
user@host# set bd2 vlan-id-list 1-10
2. Configure the Layer 2 interface.
[edit interfaces ge-0/0/0]
user@host# set vlan-tagging native-vlan-id 30
user@host# set unit 0 family bridge interface-mode trunk vlan-id-list 1-10
3. Configure the IRB interface.
[edit interfaces irb unit 0]
user@host# set family inet address 10.1.1.1/24
user@host# set family inet6 address 2:10::1/64
4. Configure the IRB interface for the bridge domain.
[edit bridge-domains]
user@host# set bd2 routing-interface irb.0
5. Configure learning for unknown destination MAC addresses.
[edit security flow bridge]
user@host# set no-packet-flooding no-trace-route
Results
From configuration mode, confirm your configuration by entering the show bridge-domains,
show interfaces, and show security flow bridge commands. If the output does not display
the intended configuration, repeat the configuration instructions in this example to correct
it.
user@host# show bridge-domains
bd1 {
vlan-id 2;
}
bd2 {
vlan-id-list 1-10;
routing-interface irb.0;
}
user@host# show interfaces
ge-0/0/0 {
vlan-tagging;
native-vlan-id 30;
unit 0 {
family bridge {
interface-mode trunk;
vlan-id-list 1-10;
}
}
}
user@host# show security flow bridge
no-packet-flooding {
no-trace-route;
}
Verification
Confirm that the configuration is working properly.
• Verifying IPv6 Sessions on page 39
• Verifying IPv6 Gates on page 39
• Verifying IPv6 IP-action Settings on page 39
Verifying IPv6 Sessions
Purpose
Verify IPv6 sessions on the device.
Action
From operational mode, enter the show security flow session family inet6 command.
Verifying IPv6 Gates
Purpose
Verify IPv6 gates on the device.
Action
From operational mode, enter the show security flow gate family inet6 command.
Verifying IPv6 IP-action Settings
Purpose
Verify IPv6 IP-action settings on the device.
Action
From operational mode, enter the show security flow ip-action family inet6 command.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Understanding IP Version 6 (IPv6)
• Understanding IPv6 Flows in Transparent Mode on page 6
Transparent Mode Devices
• Example: Configuring BA Classifiers on Transparent Mode Devices on page 39
• Example: Configuring Rewrite Rules on Transparent Mode Devices on page 42
Example: Configuring BA Classifiers on Transparent Mode Devices
Supported Platforms
SRX Series
This example shows how to configure BA classifiers on transparent mode devices to
determine the forwarding treatment of packets entering the devices.
• Requirements on page 40
• Overview on page 40
• Configuration on page 40
• Verification on page 42
Requirements
Before you begin, configure a Layer 2 logical interface. See “Example: Configuring Layer
2 Logical Interfaces” on page 24.
Overview
In this example, you configure logical interface ge-0/0/4.0 as a trunk port that carries
traffic for packets tagged with VLAN identifiers 200 through 390. You then configure
forwarding classes and create BA classifier c1 for IEEE 802.1 traffic where incoming
packets with IEEE 802.1p priority bits 110 are assigned to the forwarding class fc1 with a
low loss priority. Finally, you apply the BA classifier c1 to interface ge-0/0/4.0.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set interfaces ge-0/0/4 vlan-tagging unit 0 family bridge interface-mode trunk vlan-id-list 200-390
set class-of-service forwarding-classes queue 0 fc1
set class-of-service forwarding-classes queue 1 fc2
set class-of-service forwarding-classes queue 3 fc4
set class-of-service forwarding-classes queue 4 fc5
set class-of-service forwarding-classes queue 5 fc6
set class-of-service forwarding-classes queue 6 fc7
set class-of-service forwarding-classes queue 7 fc8
set class-of-service forwarding-classes queue 2 fc3
set class-of-service classifiers ieee-802.1 c1 forwarding-class fc1 loss-priority low code-points 110
set class-of-service interfaces ge-0/0/4 unit 0 classifiers ieee-802.1 c1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure BA classifiers on transparent mode devices:
1. Configure the logical interface as a Layer 2 trunk port.
[edit]
user@host# set interfaces ge-0/0/4 vlan-tagging unit 0 family bridge interface-mode trunk vlan-id-list 200-390
2. Configure the class of service.
[edit]
user@host# edit class-of-service
3. Configure the forwarding classes.
[edit class-of-service]
user@host# set forwarding-classes queue 0 fc1
user@host# set forwarding-classes queue 1 fc2
user@host# set forwarding-classes queue 3 fc4
user@host# set forwarding-classes queue 4 fc5
user@host# set forwarding-classes queue 5 fc6
user@host# set forwarding-classes queue 6 fc7
user@host# set forwarding-classes queue 7 fc8
user@host# set forwarding-classes queue 2 fc3
4. Configure a BA classifier.
[edit class-of-service]
user@host# set classifiers ieee-802.1 c1 forwarding-class fc1 loss-priority low code-points 110
5. Apply the BA classifier to the interface.
[edit class-of-service]
user@host# set interfaces ge-0/0/4 unit 0 classifiers ieee-802.1 c1
Results
From configuration mode, confirm your configuration by entering the show interfaces
ge-0/0/4 and show class-of-service commands. If the output does not display the
intended configuration, repeat the configuration instructions in this example to correct
it.
[edit]
user@host# show interfaces ge-0/0/4
vlan-tagging;
unit 0 {
family bridge {
interface-mode trunk;
vlan-id-list 200-390;
}
}
[edit]
user@host# show class-of-service
classifiers {
ieee-802.1 c1 {
forwarding-class fc1 {
loss-priority low code-points 110;
}
}
}
forwarding-classes {
queue 0 fc1;
queue 1 fc2;
queue 3 fc4;
queue 4 fc5;
queue 5 fc6;
queue 6 fc7;
queue 7 fc8;
queue 2 fc3;
}
interfaces {
ge-0/0/4 {
unit 0 {
classifiers {
ieee-802.1 c1;
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
• Verifying BA Classifiers on Transparent Mode Devices on page 42
Verifying BA Classifiers on Transparent Mode Devices
Purpose
Verify that the BA classifier was configured on the transparent mode devices properly.
Action
From configuration mode, enter the show interfaces ge-0/0/4 and show class-of-service
commands.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Transparent Mode Conditions on page 8
• Class of Service Functions in Transparent Mode Overview on page 19
• Understanding BA Traffic Classification on Transparent Mode Devices on page 20
Example: Configuring Rewrite Rules on Transparent Mode Devices
Supported Platforms
SRX Series
This example shows how to configure rewrite rules on transparent mode devices to
redefine IEEE 802.1 CoS values in outgoing packets.
• Requirements on page 43
• Overview on page 43
• Configuration on page 43
• Verification on page 45
Requirements
Before you begin, configure a Layer 2 logical interface. See “Example: Configuring Layer
2 Logical Interfaces” on page 24.
Overview
In this example, you configure logical interface ge-1/0/3.0 as a trunk port that carries
traffic for packets tagged with VLAN identifiers 200 through 390. You then configure the
forwarding classes and create rewrite rule rw1 for IEEE 802.1 traffic. For outgoing packets
in the forwarding class fc1 with low loss priority, the IEEE 802.1p priority bits are rewritten
as 011. Finally, you apply the rewrite rule rw1 to interface ge-1/0/3.0.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set interfaces ge-1/0/3 vlan-tagging unit 0 family bridge interface-mode trunk vlan-id-list 200-390
set class-of-service forwarding-classes queue 0 fc1
set class-of-service forwarding-classes queue 1 fc2
set class-of-service forwarding-classes queue 3 fc4
set class-of-service forwarding-classes queue 4 fc5
set class-of-service forwarding-classes queue 5 fc6
set class-of-service forwarding-classes queue 6 fc7
set class-of-service forwarding-classes queue 7 fc8
set class-of-service forwarding-classes queue 2 fc3
set class-of-service rewrite-rules ieee-802.1 rw1 forwarding-class fc1 loss-priority low code-point 011
set class-of-service interfaces ge-1/0/3 unit 0 rewrite-rules ieee-802.1 rw1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure rewrite rules on transparent mode devices:
1. Configure the logical interface as a Layer 2 trunk port.
[edit]
user@host# set interfaces ge-1/0/3 vlan-tagging unit 0 family bridge interface-mode trunk vlan-id-list 200-390
2. Configure the class of service.
[edit]
user@host# edit class-of-service
3. Configure the forwarding classes.
[edit class-of-service]
user@host# set forwarding-classes queue 0 fc1
user@host# set forwarding-classes queue 1 fc2
user@host# set forwarding-classes queue 3 fc4
user@host# set forwarding-classes queue 4 fc5
user@host# set forwarding-classes queue 5 fc6
user@host# set forwarding-classes queue 6 fc7
user@host# set forwarding-classes queue 7 fc8
user@host# set forwarding-classes queue 2 fc3
4. Configure a rewrite rule.
[edit class-of-service]
user@host# set rewrite-rules ieee-802.1 rw1 forwarding-class fc1 loss-priority low code-point 011
5. Apply the rewrite rule to the interface.
[edit class-of-service]
user@host# set interfaces ge-1/0/3 unit 0 rewrite-rules ieee-802.1 rw1
Results
From configuration mode, confirm your configuration by entering the show interfaces
ge-1/0/3 and show class-of-service commands. If the output does not display the intended
configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show interfaces ge-1/0/3
vlan-tagging;
unit 0 {
family bridge {
interface-mode trunk;
vlan-id-list 200-390;
}
}
[edit]
user@host# show class-of-service
forwarding-classes {
queue 0 fc1;
queue 1 fc2;
queue 3 fc4;
queue 4 fc5;
queue 5 fc6;
queue 6 fc7;
queue 7 fc8;
queue 2 fc3;
}
interfaces {
ge-1/0/3 {
unit 0 {
rewrite-rules {
ieee-802.1 rw1;
}
}
}
}
rewrite-rules {
ieee-802.1 rw1 {
forwarding-class fc1 {
loss-priority low code-point 011;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
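To make the effect of the BA classifier c1 (previous example) and the rewrite rule rw1 (this example) concrete, the following Python is an added model (not Juniper code) that parses the 802.1Q tag of a frame, classifies it on ingress as c1 would and rewrites the priority bits on egress as rw1 would. The helper names, the placeholder MAC addresses and the treatment of code points and classes not listed in c1 or rw1 are assumptions of this model.

```python
# Added example, not Juniper code: a model of what the BA classifier c1 and
# the rewrite rule rw1 configured in these two examples do to an 802.1Q
# tagged frame. Assumptions: the trunk accepts only VLAN IDs 200-390, PCP
# values not listed in c1 are left unclassified in this model, and a class
# not listed in rw1 leaves the outgoing priority bits unchanged.
import struct

TPID_8021Q = 0x8100
TRUNK_VLANS = range(200, 391)            # vlan-id-list 200-390 on the trunk port
CLASSIFIER_C1 = {0b110: ("fc1", "low")}  # classifiers ieee-802.1 c1
REWRITE_RW1 = {("fc1", "low"): 0b011}    # rewrite-rules ieee-802.1 rw1


def parse_tag(frame: bytes):
    """Return (pcp, dei, vid) from the 802.1Q tag, or None if untagged."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def set_pcp(frame: bytes, pcp: int) -> bytes:
    """Rewrite the 3 priority bits of the TCI, keeping DEI and VID intact."""
    tci = struct.unpack("!H", frame[14:16])[0]
    tci = (tci & 0x1FFF) | ((pcp & 0x7) << 13)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


def classify(frame: bytes):
    """Ingress BA classification: (forwarding class, loss priority) or None."""
    tag = parse_tag(frame)
    if tag is None or tag[2] not in TRUNK_VLANS:
        return None                      # untagged, or VLAN not carried by the trunk
    return CLASSIFIER_C1.get(tag[0])


def rewrite(frame: bytes, cls) -> bytes:
    """Egress rewrite: set the PCP bits rw1 assigns to the packet's class."""
    pcp = REWRITE_RW1.get(cls)
    return frame if pcp is None else set_pcp(frame, pcp)


def process(frame: bytes):
    """Classify on ingress, then rewrite on egress; returns (class, frame)."""
    cls = classify(frame)
    return cls, rewrite(frame, cls)


def build_frame(pcp: int, dei: int, vid: int) -> bytes:
    """Constructed tagged frame with placeholder MAC addresses and IPv4 type."""
    tci = (pcp << 13) | (dei << 12) | vid
    return (bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
            + struct.pack("!HH", TPID_8021Q, tci) + b"\x08\x00" + bytes(46))


if __name__ == "__main__":
    for pcp, vid in ((0b110, 250), (0b101, 250), (0b110, 100)):
        cls, out = process(build_frame(pcp, 0, vid))
        print(f"in pcp={pcp:03b} vid={vid}: class={cls} out tag={parse_tag(out)}")
```

A frame tagged with priority 110 on an allowed VLAN lands in fc1 with low loss priority and leaves with priority 011; any other priority, or a VLAN outside 200-390, is passed through untouched by this model.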
Verification
To confirm that the configuration is working properly, perform this task:
• Verifying Rewrite Rules on Transparent Mode Devices on page 45
Verifying Rewrite Rules on Transparent Mode Devices
Purpose
Verify that the rewrite rule was configured on the transparent mode devices properly.
Action
From configuration mode, enter the show interfaces ge-1/0/3 and show class-of-service
commands.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Overview on page 3
• Understanding Transparent Mode Conditions on page 8
• Understanding Rewrite of Packet Headers on Transparent Mode Devices on page 21
Configuration Statements
• Bridge-Domains Configuration Statement Hierarchy on page 46
• Class-of-Service Configuration Statement Hierarchy on page 51
• Interfaces Configuration Statement Hierarchy on page 55
• authentication-order (Access Profile) on page 71
• bridge on page 72
• bridge-domains (Bridge Domains) on page 73
• bridge-options (Bridge Domains) on page 78
• code-points (CoS) on page 79
• domain-type (Bridge Domains) on page 79
• destination-address (Security Policies) on page 80
• encapsulation (Interfaces) on page 81
• family inet (Interfaces) on page 82
• family inet6 on page 85
• flow (Security Flow) on page 88
• forwarding-classes (CoS) on page 90
• host-inbound-traffic on page 91
• interface (Bridge Domains) on page 92
• interfaces (CoS) on page 93
• interfaces (Security Zones) on page 94
• inet6 (Security Forwarding Options) on page 95
• loss-priority (CoS Loss Priority) on page 96
• match (Security Policies) on page 97
• native-vlan-id (Interfaces) on page 98
• peer-selection-service on page 99
• pgcp-service on page 100
• policy (Security Policies) on page 101
• port (Access RADIUS) on page 103
• profile (Access) on page 104
• redundancy-group (Interfaces) on page 107
• routing-interface (Bridge Domains) on page 108
• security-zone on page 109
• shaping-rate (CoS Interfaces) on page 111
• source-address (Security Policies) on page 112
• static-mac (Bridge Domains) on page 113
• system-services (Security Zones Interfaces) on page 114
• unframed | no-unframed (Interfaces) on page 115
• vlan-id (Bridge Domain) on page 116
• vlan-id-list (Bridge Domains) on page 117
• vlan-tagging (Interfaces) on page 118
Bridge-Domains Configuration Statement Hierarchy
Supported Platforms
SRX Series
Use the statements in the bridge-domains configuration hierarchy to configure a bridging
domain that includes a set of logical ports that share the same flooding or broadcast
characteristics.
bridge-domains bridge-domain-name {
bridge-options {
interface interface-name {
static-mac mac-address {
vlan-id vlan-id;
}
}
mac-table-aging-time seconds;
mac-table-size {
number;
packet-action drop;
}
}
description text;
domain-type bridge;
forwarding-options {
dhcp-relay {
active-server-group active-server-group-name;
dhcpv6 {
active-server-group active-server-group-name;
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile (dynamic-profile-name | junos-default-profile) {
aggregate-clients (merge | replace);
use-primary ( primary-profile-name | junos-default-profile);
}
group group-name {
active-server-group active-server-group-name;
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile (dynamic-profile-name | junos-default-profile) {
aggregate-clients (merge | replace) {
use-primary (primary-profile-name | junos-default-profile);
}
}
interface interface-name {
dynamic-profile (dynamic-profile-name| junos-default-profile) {
aggregate-clients (merge | replace) {
use-primary (primary-profile-name | junos-default-profile);
}
}
exclude;
overrides {
(allow-snooped-clients | no-allow-snooped-clients);
interface-client-limit number;
no-bind-on-request;
send-release-on-delete;
}
service-profile profile-name;
trace;
upto upto-interface-name;
}
liveness-detection {
failure-action (clear-binding | clear-binding-if-interface-up | log-only);
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval milliseconds;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | singlehop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
}
overrides {
(allow-snooped-clients | no-allow-snooped-clients);
interface-client-limit number;
no-bind-on-request;
send-release-on-delete;
}
relay-agent-interface-id {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
}
service-profile dynamic-profile-name;
}
liveness-detection {
failure-action (clear-binding | clear-binding-if-interface-up | log-only);
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval milliseconds;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | singlehop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
}
overrides {
(allow-snooped-clients | no-allow-snooped-clients);
interface-client-limit number;
no-bind-on-request;
send-release-on-delete;
}
relay-agent-interface-id {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
}
server-group {
server-group-name {
server-ip-address;
}
}
service-profile service-profile-name;
}
group group-name {
active-server-group server-group-name;
interface interface-name {
exclude;
upto interface-name;
}
relay-option-60 {
vendor-option {
default-local-server-group local-server-group-name;
default-relay-server-group server-group-name;
drop;
equals {
ascii ascii-name {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
hexadecimal hexadecimal {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
}
starts-with {
ascii ascii-name {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
hexadecimal hexadecimal {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
}
}
}
relay-option-82 {
circuit-id {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
}
}
}
relay-option-60 {
vendor-option {
default-local-server-group local-server-group-name;
default-relay-server-group server-group-name;
drop;
equals {
ascii ascii-name {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
hexadecimal hexadecimal {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
}
starts-with {
ascii ascii-name {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
hexadecimal hexadecimal {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
}
}
}
relay-option-82 {
circuit-id {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
}
}
server-group server-group-name {
ip-address;
}
}
filter {
input input-filter-name;
}
flood {
input input-filter-name;
}
}
routing-interface routing-interface-name;
service-id service-id;
vlan-id (all | none | vlan-id);
vlan-id-list [vlan-id];
}
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
Class-of-Service Configuration Statement Hierarchy
Supported Platforms
J Series, SRX Series
Use the statements in the class-of-service configuration hierarchy to configure
class-of-services (CoS) features.
class-of-service {
adaptive-shapers adaptive-shaper-name {
trigger becn {
shaping-rate (absolute-rate | percent percent);
}
}
application-traffic-control {
rate-limiters rate-limiter-name {
bandwidth-limit kbps;
burst-size-limit bytes;
}
rule-sets rule-set-name {
rule rule-name {
match {
application [application-name];
application-any;
application-group [application-group-name];
application-known;
application-unknown;
}
then {
dscp-code-point dscp-value;
forwarding-class class-name;
log;
loss-priority (high | low | medium-high | medium-low);
rate-limit {
loss-priority-high;
client-to-server rate-limiter;
server-to-client rate-limiter;
}
}
}
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
classifiers {
(dscp | dscp-ipv6 | exp | ieee-802.1 | ieee-802.1ad | inet-precedence) classifier-name {
forwarding-class class-name {
loss-priority (high | low | medium-high | medium-low) {
code-points [alias-or-bit-string];
}
}
import (classifier-name | default);
}
}
code-point-aliases {
(dscp | dscp-ipv6 | exp | ieee-802.1 | ieee-802.1ad | inet-precedence) alias-name {
dscp-bits;
}
}
drop-profiles profile-name {
fill-level percent {
drop-probability number;
}
interpolate {
drop-probability [number];
fill-level [percent];
}
}
forwarding-classes {
class class-name {
priority (high | low);
queue-num number;
spu-priority (high | low);
}
queue queue-number {
class-name {
priority (high | low);
}
}
}
forwarding-policy {
class class-name {
classification-override {
forwarding-class class-name;
}
}
next-hop-map next-hop-map-name {
forwarding-class class-name {
discard;
lsp-next-hop [lsp-regular-expression];
next-hop [next-hop-identifier];
non-lsp-next-hop;
}
}
}
fragmentation-maps fragmentation-map-name {
forwarding-class forwarding-class-name {
drop-timeout milliseconds;
(fragment-threshold bytes | no-fragmentation);
multilink-class number;
}
}
host-outbound-traffic {
dscp-code-point static-dscp-code-point;
forwarding-class class-name;
tcp {
raise-internet-control-priority;
}
}
interfaces interface-name {
input-traffic-control-profile profile-name;
output-traffic-control-profile profile-name;
output-traffic-control-profile-remaining profile-name;
scheduler-map scheduler-map;
shaping-rate bps;
unit logical-unit-number {
adaptive-shaper adaptive-shaper-name;
classifiers {
(dscp | dscp-ipv6 | exp | ieee-802.1 | ieee-802.1ad | inet-precedence)
}
forwarding-class class-name;
input-traffic-control-profile {
profile-name;
shared-instance shared-instance-name;
}
loss-priority-maps {
frame-relay-de {
(lpmap-name | default);
}
}
output-traffic-control-profile {
profile-name;
shared-instance shared-instance-name;
}
rewrite-rules {
(dscp | dscp-ipv6 | exp | frame-relay-de | ieee-802.1 | ieee-802.1ad | inet-precedence)
}
scheduler-map scheduler-map-name;
shaping-rate {
rate;
}
vc-shared-scheduler;
virtual-channel-group group-name;
}
}
}
loss-priority-maps {
frame-relay-de loss-priority-map-name {
loss-priority (high | low | medium-high | medium-low) {
code-points [bit-string];
}
}
}
rewrite-rules {
(dscp | dscp-ipv6 | exp | frame-relay-de | ieee-802.1 | ieee-802.1ad | inet-precedence)
rewrite-rule-name {
forwarding-class forwarding-class-name {
loss-priority (high | low | medium-high | medium-low) {
code-point alias-or-bit-string;
}
import (default | rewrite-rule-name);
}
}
}
scheduler-maps scheduler-map-name {
forwarding-class class-name {
scheduler scheduler-name;
}
}
schedulers scheduler-name {
buffer-size {
exact;
(percent percent | remainder percent | temporal microseconds);
}
drop-profile-map {
loss-priority (any | high | low | medium-high | medium-low);
protocol any;
drop-profile profile;
}
priority (high | low | medium-high | medium-low | strict-high);
shaping-rate (absolute-rate | percent percent);
transmit-rate <exact> (percent percent | rate bits | remainder percent);
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
traffic-control-profiles profile-name {
delay-buffer-rate (absolute-rate | cps cells-per-second | percent percent);
guaranteed-rate (absolute-rate | percent percent);
overhead-accounting (bytes bytes | cell-mode | frame-mode);
scheduler-map scheduler-map-name;
shaping-rate (absolute-rate | percent percent);
}
tri-color;
virtual-channel-groups virtual-channel-group-name {
virtual-channel-name {
default;
scheduler-map scheduler-map-name;
shaping-rate (absolute-rate | percent percent);
}
}
virtual-channels virtual-channel-name;
}
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Application Quality of Service Feature Guide for Security Devices
• IDP Class of Service Action Feature Guide for Security Devices
• CoS Virtual Channels and Tunnels Feature Guide for Security Devices
• CoS and Hierarchical Schedulers Feature Guide for Security Devices
• Link Services and Special Interfaces Feature Guide for Security Devices
• Junos OS CoS Library for Security Devices
Interfaces Configuration Statement Hierarchy
Supported Platforms
J Series, LN Series, SRX Series
Use the statements in the interfaces configuration hierarchy to configure interfaces on
the device.
interfaces {
interface-name {
accounting-profile name;
clocking (external | internal);
dce;
description text;
disable;
e1-options {
bert-algorithm algorithm;
bert-error-rate rate;
bert-period seconds;
fcs (16 | 32);
framing (g704 | g704-no-crc4 | unframed);
idle-cycle-flag (flags | ones);
invert-data data;
loopback (local | remote);
start-end-flag (shared | filler);
timeslots time-slot-range;
}
e3-options {
bert-algorithm algorithm;
bert-error-rate rate;
bert-period seconds;
compatibility-mode {
digital-link {
subrate value;
}
kentrox {
subrate value;
}
larscom;
}
fcs (16 | 32);
framing (g.751 | g.832);
idle-cycle-flag value;
invert-data;
loopback (local | remote);
(no-payload-scrambler | payload-scrambler);
(no-unframed | unframed);
start-end-flag (filler | shared);
}
encapsulation (ether-vpls-ppp | ethernet-bridge | ethernet-ccc | ethernet-tcc |
ethernet-vpls | extended-frame-relay-ccc | extended-frame-relay-tcc |
extended-vlan-bridge | extended-vlan-ccc | extended-vlan-tcc | extended-vlan-vpls
| frame-relay-port-ccc | vlan-ccc | vlan-vpls);
fastether-options {
802.3ad interface-name {
(backup | primary);
lacp {
port-priority port-number;
}
}
(auto-negotiation | no-auto-negotiation);
ignore-l3-incompletes;
ingress-rate-limit rate;
(loopback | no-loopback);
mpls {
pop-all-labels {
required-depth number;
}
}
redundant-parent interface-name;
source-address-filter mac-address;
}
flexible-vlan-tagging;
gigether-options {
802.3ad interface-name {
(backup | primary);
lacp {
port-priority port-number;
}
}
(auto-negotiation <remote-fault> (local-interface-offline | local-interface-online) | no-auto-negotiation);
(flow-control | no-flow-control);
ignore-l3-incompletes;
(loopback | no-loopback);
mpls {
pop-all-labels {
required-depth [number];
}
}
redundant-parent interface-name;
source-address-filter mac-address;
}
gratuitous-arp-reply;
hierarchical-scheduler {
maximum-hierarchy-levels 2;
}
hold-time {
down milliseconds;
up milliseconds;
}
keepalives {
down-count number;
interval number;
up-count number;
}
link-mode (full-duplex | half-duplex);
lmi {
lmi-type (ansi | c-lmi | itu);
n391dte number;
n392dce number;
n392dte number;
n393dce number;
n393dte number;
t391dte number;
t392dce number;
}
logical-tunnel-options {
per-unit-mac-disable;
}
mac mac-address;
mtu bytes;
native-vlan-id vlan-id;
no-gratuitous-arp-request;
no-keepalives;
optics-options {
alarm {
low-light-alarm (link-down | syslog);
}
warning {
low-light-warning (link-down | syslog);
}
wavelength wavelength-options;
}
otn-options {
bytes {
transmit-payload-type number;
}
fec (efec | gfec | none);
(laser-enable | no-laser-enable);
(line-loopback | no-line-loopback);
rate (fixed-stuff-bytes | no-fixed-stuff-bytes | pass-thru);
trigger {
oc-lof {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
oc-lom {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
oc-los {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
oc-wavelength-lock {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-ais {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-bdi {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-lck {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-oci {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-sd {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-tca-bbe {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-tca-es {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-tca-ses {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-tca-uas {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-ttim {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
opu-ptim {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-ais {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-bdi {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-fec-deg {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-fec-exe {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-iae {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-sd {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-tca-bbe {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-tca-es {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-tca-ses {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-tca-uas {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-ttim {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
}
tti (odu-dapi | odu-expected-receive-dapi | odu-expected-receive-sapi | odu-sapi | otu-dapi | otu-expected-receive-dapi | otu-expected-receive-sapi | otu-sapi);
}
passive-monitor-mode;
(per-unit-scheduler | no-per-unit-scheduler);
port-mirror-instance;
ppp-options {
chap {
access-profile name;
default-chap-secret secret;
local-name name;
no-rfc2486;
passive;
}
compression {
acfc;
pfc;
}
dynamic-profile (dynamic-profile | junos-default-profile);
lcp-max-conf-req number;
lcp-restart-timer milliseconds;
loopback-clear-timer seconds;
ncp-max-conf-req number;
ncp-restart-timer milliseconds;
no-termination-request;
pap {
access-profile name;
default-password password;
local-name name;
local-password password;
no-rfc2486;
passive;
}
}
promiscuous-mode;
receive-bucket {
overflow {
discard;
tag;
}
rate number;
threshold number;
}
redundant-pseudo-interface-options {
redundancy-group number;
}
satop-options {
excessive-packet-loss-rate {
sample-period milliseconds;
threshold percentage;
}
idle-pattern number;
(jitter-buffer-auto-adjust | jitter-buffer-latency milliseconds | jitter-buffer-packets number);
payload-size number;
}
speed (100m | 10m | 1g);
stacked-vlan-tagging;
switch-options {
switch-port port-number {
(auto-negotiation | no-auto-negotiation);
cascade-port;
link-mode (full-duplex | half-duplex);
speed (100m | 10m | 1g);
vlan-id number;
}
}
t1-options {
alarm-compliance {
accunet-t1-5-service;
}
bert-algorithm algorithm;
bert-error-rate rate;
bert-period seconds;
buildout value;
byte-encoding (nx56 | nx64);
fcs (16 | 32);
framing (esf | sf);
idle-cycle-flags (flags | ones);
invert-data;
line-encoding (ami | b8zs);
loopback (local | payload | remote);
remote-loopback-respond;
start-end-flag (filler | shared);
timeslots time-slot-range;
}
t3-options {
bert-algorithm algorithm;
bert-error-rate rate;
bert-period seconds;
(cbit-parity | no-cbit-parity);
compatibility-mode {
adtran {
subrate value;
}
digital-link {
subrate value;
}
kentrox {
subrate value;
}
larscom {
subrate value;
}
verilink {
subrate value;
}
}
fcs (16 | 32);
(feac-loop-respond | no-feac-loop-respond);
idle-cycle-flag (flags | ones);
(long-buildout | no-long-buildout);
(loop-timing | no-loop-timing);
loopback (local | payload | remote);
(no-payload-scrambler | payload-scrambler);
(no-unframed | unframed);
start-end-flag (filler | shared);
}
traceoptions {
flag (all | event | ipc | media);
}
transmit-bucket {
overflow {
discard;
}
rate number;
threshold number;
}
(traps | no-traps);
unit unit-number {
accept-source-mac {
mac-address mac-address;
}
accounting-profile name;
arp-resp (restricted | unrestricted);
backup-options {
interface interface-name;
}
bandwidth bandwidth;
description text;
disable;
encapsulation (dix | ether-vpls-fr | frame-relay-ppp | ppp-over-ether | vlan-bridge | vlan-ccc | vlan-vpls | vlan-tcc);
family {
bridge {
bridge-domain-type (svlan | bvlan);
filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
interface-mode (access | trunk);
policer {
input input-policer-name;
output output-policer-name;
}
vlan-id vlan-id;
vlan-id-list [vlan-id];
vlan-rewrite {
translate {
from-vlan-id;
to-vlan-id;
}
}
}
ccc {
filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
policer {
input input-policer-name;
output output-policer-name;
}
}
ethernet-switching {
native-vlan-id native-vlan-id;
port-mode (access | tagged-access | trunk);
reflective-relay;
vlan {
members [member-name];
}
}
inet {
accounting {
destination-class-usage;
source-class-usage {
input;
output;
}
}
address source-address/prefix {
arp destination-address {
(mac mac-address | multicast-mac multicast-mac-address);
publish publish-address;
}
broadcast address;
preferred;
primary;
vrrp-group group-id {
(accept-data | no-accept-data);
advertise-interval seconds;
advertisements-threshold number;
authentication-key key-value;
authentication-type (md5 | simple);
fast-interval milliseconds;
inet6-advertise-interval milliseconds;
(preempt <hold-time seconds> | no-preempt);
priority value;
track {
interface interface-name {
bandwidth-threshold bandwidth;
priority-cost value;
}
priority-hold-time seconds;
route route-address {
routing-instance routing-instance;
priority-cost value;
}
}
virtual-address [address];
virtual-link-local-address address;
vrrp-inherit-from {
active-group value;
active-interface interface-name;
}
}
web-authentication {
http;
https;
redirect-to-https;
}
}
dhcp {
client-identifier {
(ascii string | hexadecimal string);
}
lease-time (length | infinite);
retransmission-attempt value;
retransmission-interval seconds;
server-address server-address;
update-server;
vendor-id vendor-id;
}
dhcp-client {
client-identifier {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
user-id (ascii string | hexadecimal string);
}
lease-time (length | infinite);
retransmission-attempt value;
retransmission-interval seconds;
server-address server-address;
update-server;
vendor-id vendor-id;
}
filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
mtu value;
no-neighbor-learn;
no-redirects;
policer {
arp arp-name;
input input-name;
output output-name;
}
primary;
rpf-check {
fail-filter filter-name;
mode {
loose;
}
}
sampling {
input;
output;
simple-filter;
}
targeted-broadcast {
(forward-and-send-to-re | forward-only);
}
unnumbered-address {
interface-name;
preferred-source-address preferred-source-address;
}
}
inet6 {
accounting {
destination-class-usage;
source-class-usage {
input;
output;
}
}
address source-address/prefix {
eui-64;
ndp address {
(mac mac-address | multicast-mac multicast-mac-address);
publish;
}
preferred;
primary;
vrrp-inet6-group group-id {
(accept-data | no-accept-data);
advertisements-threshold number;
authentication-key value;
authentication-type (md5 | simple);
fast-interval milliseconds;
inet6-advertise-interval milliseconds;
(preempt <hold-time seconds> | no-preempt);
priority value;
track {
interface interface-name {
bandwidth-threshold value;
priority-cost value;
}
priority-hold-time seconds;
route route-address {
routing-instance routing-instance;
}
}
virtual-inet6-address [address];
virtual-link-local-address address;
vrrp-inherit-from {
active-group value;
active-interface interface-name;
}
}
web-authentication {
http;
https;
redirect-to-https;
}
}
(dad-disable | no-dad-disable);
dhcpv6-client {
client-ia-type (ia-na | ia-pd);
client-identifier duid-type (duid-ll | duid-llt | vendor);
client-type (autoconfig | stateful);
rapid-commit;
req-option (dns-server | domain | fqdn | nis-domain | nis-server | ntp-server | sip-domain | sip-server | time-zone | vendor-spec);
retransmission-attempt number;
update-router-advertisement {
interface interface-name;
}
update-server;
}
filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
mtu value;
nd6-stale-time seconds;
no-neighbor-learn;
policer {
input input-name;
output output-name;
}
rpf-check {
fail-filter filter-name;
mode {
loose;
}
}
sampling {
input;
output;
}
unnumbered-address {
interface-name;
preferred-source-address preferred-source-address;
}
}
iso {
address source-address;
mtu value;
}
mlfr-end-to-end {
bundle bundle-name;
}
mlfr-uni-nni {
bundle bundle-name;
}
mlppp {
bundle bundle-name;
}
mpls {
filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
mtu mtu-value;
policer {
input input-name;
output output-name;
}
}
tcc {
policer {
input input-name;
output output-name;
}
proxy {
inet-address inet-address;
}
remote {
inet-address inet-address;
mac-address mac-address;
}
}
vpls {
filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
policer {
input input-name;
output output-name;
}
}
}
input-vlan-map {
inner-tag-protocol-id tpid;
inner-vlan-id number;
(pop | push | swap);
tag-protocol-id tpid;
vlan-id number;
}
interface-shared-with {
psd-name;
}
native-inner-vlan-id value;
(no-traps | traps);
output-vlan-map {
inner-tag-protocol-id tpid;
inner-vlan-id number;
(pop | push | swap);
tag-protocol-id tpid;
vlan-id number;
}
ppp-options {
chap {
access-profile name;
default-chap-secret name;
local-name name;
no-rfc2486;
passive;
}
dynamic-profile profile-name;
lcp-max-conf-req number;
lcp-restart-timer milliseconds;
loopback-clear-timer seconds;
ncp-max-conf-req number;
ncp-restart-timer milliseconds;
no-termination-request;
pap {
access-profile name;
default-password password;
local-name name;
local-password password;
no-rfc2486;
passive;
}
}
proxy-arp (restricted | unrestricted);
radio-router {
bandwidth number;
credit {
interval number;
}
data-rate number;
latency number;
quality number;
resource number;
threshold number;
}
swap-by-poppush;
traps;
vlan-id vlan-id;
vlan-id-list [vlan-id];
vlan-id-range vlan-id1-vlan-id2;
vlan-tags {
(inner vlan-id | inner-range vlan-id1-vlan-id2);
inner-list [vlan-id];
outer vlan-id;
}
}
vlan-tagging;
}
}
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
• Administration Guide for Security Devices
authentication-order (Access Profile)
Supported Platforms
J Series, SRX Series
Syntax
authentication-order [ldap | none | password | radius | securid];
Hierarchy Level
[edit access profile profile-name]
Release Information
Statement modified in Release 9.1 of Junos OS.
Description
Set the order in which Junos OS tries the different authentication methods when verifying that a client can access the device. For each login attempt, the software tries the authentication methods in order, from first to last.
Options
• ldap—Verify the client using LDAP.
• none—Specify that no authentication is performed.
• password—Verify the client using the information configured at the [edit access profile profile-name client client-name] hierarchy level.
• radius—Verify the client using RADIUS authentication services.
• securid—Verify the client using SecurID authentication services.
Required Privilege Level
access—To view this statement in the configuration.
access-control—To add this statement to the configuration.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
bridge
Supported Platforms
LN Series, SRX Series
Syntax
bridge {
block-non-ip-all;
bpdu-vlan-flooding;
bypass-non-ip-unicast;
no-packet-flooding {
no-trace-route;
}
}
Hierarchy Level
[edit security flow]
Release Information
Statement introduced in Release 9.5 of Junos OS.
Description
Changes the default Layer 2 forwarding behavior.
Options
• block-non-ip-all—Block all Layer 2 non-IP and non-ARP traffic, including multicast and broadcast traffic.
• bpdu-vlan-flooding—Set 802.1D bridge protocol data unit (BPDU) flooding based on VLAN.
• bypass-non-ip-unicast—Allow all Layer 2 non-IP traffic to pass through the device.
• no-packet-flooding—Stop IP flooding and send ARP or ICMP requests to discover the destination MAC address for a unicast packet.
• no-trace-route—Do not send ICMP requests to discover the destination MAC address for a unicast packet. Only ARP requests are sent. With this option the device can discover the destination MAC address for a unicast packet only if the destination IP address is in the same subnetwork as the ingress IP address.
NOTE: The block-non-ip-all and bypass-non-ip-unicast options cannot be configured at the same time.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Flow-Based Processing Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
bridge-domains (Bridge Domains)
Supported Platforms
SRX Series
Syntax
bridge-domains bridge-domain-name {
bridge-options {
interface interface-name {
static-mac mac-address {
vlan-id vlan-id;
}
}
mac-table-aging-time seconds;
mac-table-size {
number;
packet-action drop;
}
}
description text;
domain-type bridge;
forwarding-options {
dhcp-relay {
active-server-group active-server-group-name;
dhcpv6 {
active-server-group active-server-group-name;
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile (dynamic-profile-name | junos-default-profile) {
aggregate-clients (merge | replace);
use-primary (primary-profile-name | junos-default-profile);
}
group group-name {
active-server-group active-server-group-name;
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile (dynamic-profile-name | junos-default-profile) {
aggregate-clients (merge | replace) {
use-primary (primary-profile-name | junos-default-profile);
}
}
interface interface-name {
dynamic-profile (dynamic-profile-name| junos-default-profile) {
aggregate-clients (merge | replace) {
use-primary (primary-profile-name | junos-default-profile);
}
}
exclude;
overrides {
(allow-snooped-clients | no-allow-snooped-clients);
interface-client-limit number;
no-bind-on-request;
send-release-on-delete;
}
service-profile profile-name;
trace;
upto upto-interface-name;
}
liveness-detection {
failure-action (clear-binding | clear-binding-if-interface-up | log-only);
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval milliseconds;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | singlehop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
}
overrides {
(allow-snooped-clients | no-allow-snooped-clients);
interface-client-limit number;
no-bind-on-request;
send-release-on-delete;
}
relay-agent-interface-id {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
}
service-profile dynamic-profile-name;
}
liveness-detection {
failure-action (clear-binding | clear-binding-if-interface-up | log-only);
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval milliseconds;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | singlehop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
}
overrides {
(allow-snooped-clients | no-allow-snooped-clients);
interface-client-limit number;
no-bind-on-request;
send-release-on-delete;
}
relay-agent-interface-id {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
}
server-group {
server-group-name {
server-ip-address;
}
}
service-profile service-profile-name;
}
group group-name {
active-server-group server-group-name;
interface interface-name {
exclude;
upto interface-name;
}
relay-option-60 {
vendor-option {
default-local-server-group local-server-group-name;
default-relay-server-group server-group-name;
drop;
equals {
ascii ascii-name {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
hexadecimal hexadecimal {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
}
starts-with {
ascii ascii-name {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
hexadecimal hexadecimal {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
}
}
}
relay-option-82 {
circuit-id {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
}
}
}
relay-option-60 {
vendor-option {
default-local-server-group local-server-group-name;
default-relay-server-group server-group-name;
drop;
equals {
ascii ascii-name {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
hexadecimal hexadecimal {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
}
starts-with {
ascii ascii-name {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
hexadecimal hexadecimal {
drop;
local-server-group local-server-group-name;
relay-server-group server-group-name;
}
}
}
}
relay-option-82 {
circuit-id {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
}
}
server-group server-group-name {
ip-address;
}
}
filter {
input input-filter-name;
}
flood {
input input-filter-name;
}
}
routing-interface routing-interface-name;
service-id service-id;
vlan-id (all | none | vlan-id);
vlan-id-list [vlan-id];
}
Hierarchy Level
[edit]
Release Information
Statement modified in Release 9.5 of Junos OS.
Description
Configure a domain that includes a set of logical ports that share the same flooding or broadcast characteristics in order to perform Layer 2 bridging.
Options
bridge-domain-name—Name of the bridge domain.
The remaining statements are explained separately.
Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Related Documentation
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
bridge-options (Bridge Domains)
Supported Platforms
SRX Series
Syntax
bridge-options {
interface interface-name {
static-mac mac-address {
vlan-id vlan-id;
}
}
mac-table-aging-time seconds;
mac-table-size {
number;
packet-action drop;
}
}
Hierarchy Level
[edit bridge-domains bridge-domain-name]
Release Information
Statement modified in Release 9.5 of Junos OS.
Description
Configure Layer 2 learning and forwarding properties for a bridge domain.
The remaining statements are explained separately.
Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
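Worked example (added for illustration; it is not taken from this guide or from any Juniper sample configuration): a transparent-mode bridge domain whose learning table is bounded with mac-table-size and packet-action drop, and whose gateway MAC is pinned with static-mac, so that a burst of forged source addresses on one port cannot fill the table and force the device to flood every frame to all ports. The interface names, VLAN ID, MAC address, aging time and table size are assumed values, and the family bridge stanza on the interfaces belongs to the interfaces hierarchy, which this chapter does not reproduce. The mac-table-size limit is written inline after the keyword, as the CLI renders it.

```junos
/* Added example, not part of the Juniper document. Interface names, VLAN ID,
   MAC address, aging time and table size are assumed values. */
interfaces {
    ge-0/0/1 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 100;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 100;
            }
        }
    }
}
bridge-domains {
    bd-servers {
        domain-type bridge;
        vlan-id 100;
        bridge-options {
            /* Static entry (constructed MAC): the gateway is reachable only
               through ge-0/0/1.0, so a frame carrying this source address on
               ge-0/0/2.0 cannot move the entry to the wrong port. */
            interface ge-0/0/1.0 {
                static-mac 00:10:db:ff:10:01 {
                    vlan-id 100;
                }
            }
            /* Expire idle entries after 120 seconds so stale or injected
               addresses leave the table quickly. */
            mac-table-aging-time 120;
            /* Bound the table at 1024 learned addresses; once it is full,
               frames from further unknown sources are dropped rather than
               learned, and known destinations keep being forwarded instead
               of being flooded. */
            mac-table-size 1024 {
                packet-action drop;
            }
        }
    }
}
```

After committing, the learned and static entries for the domain can be checked with show bridge mac-table; a table that sits at its configured limit with many entries on a single port is the condition this configuration is designed to contain.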
code-points (CoS)
Supported Platforms
QFX Series
Syntax
code-points [ aliases ] [ bit-patterns ];
Hierarchy Level
[edit class-of-service classifiers (dscp | ieee-802.1) classifier-name forwarding-class class-name loss-priority level]
Release Information
Statement introduced in Junos OS Release 11.1 for the QFX Series.
Description
Configure one or more code-point aliases or bit sets to apply to a forwarding class.
Options
aliases—Name of the alias or aliases.
bit-patterns—Value of the code-point bits, in decimal form.
Required Privilege Level
interfaces—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Ethernet Port Switching Feature Guide for Security Devices
• Link Services and Special Interfaces Feature Guide for Security Devices
• Junos OS CoS Library for Security Devices
domain-type (Bridge Domains)
Supported Platforms
SRX Series
Syntax
domain-type bridge;
Hierarchy Level
[edit bridge-domains bridge-domain-name]
Release Information
Statement modified in Release 9.5 of Junos OS.
Description
Define the type of domain for a Layer 2 bridge domain.
Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
destination-address (Security Policies)
Supported Platforms
J Series, LN Series, SRX Series
Syntax
destination-address {
[address];
any;
any-ipv4;
any-ipv6;
}
Hierarchy Level
[edit security policies from-zone zone-name to-zone zone-name policy policy-name match]
Release Information
Statement introduced in Junos OS Release 8.5. Support for IPv6 addresses added in Junos OS Release 10.2. Support for IPv6 addresses in active/active chassis cluster configurations (in addition to the existing support of active/passive chassis cluster configurations) added in Junos OS Release 10.4. Support for wildcard addresses added in Junos OS Release 11.1.
Description
Define the matching criteria. You can specify one or more IP addresses, address sets, or wildcard addresses. You can specify wildcards any, any-ipv4, or any-ipv6.
Options
address—IP address (any, any-ipv4, any-ipv6), IP address set, or address book entry, or wildcard address (represented as A.B.C.D/wildcard-mask). You can configure multiple addresses or address prefixes separated by spaces and enclosed in square brackets.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Security Policies Feature Guide for Security Devices
encapsulation (Interfaces)
Supported Platforms
J Series, LN Series, SRX Series
Syntax
encapsulation (ether-vpls-ppp | ethernet-bridge | ethernet-ccc | ethernet-tcc | ethernet-vpls | extended-frame-relay-ccc | extended-frame-relay-tcc | extended-vlan-bridge | extended-vlan-ccc | extended-vlan-tcc | extended-vlan-vpls | frame-relay-port-ccc | vlan-ccc | vlan-vpls);
Hierarchy Level
[edit interfaces interface-name unit logical-unit-number]
Release Information
Statement introduced in Release 9.5 of Junos OS.
Description
Specify logical link layer encapsulation.
Options
• cisco-hdlc—For normal mode (when the device is using only one B-channel). Cisco-compatible High-Level Data Link Control is a group of protocols for transmitting data between network points.
• frame-relay—Configure a Frame Relay encapsulation when the physical interface has multiple logical units, and the units are either point to point or multipoint.
• multilink-frame-relay-uni-nni—Link services interfaces functioning as FRF.16 bundles can use Multilink Frame Relay UNI NNI encapsulation.
• ppp—For normal mode (when the device is using only one ISDN B-channel per call). Point-to-Point Protocol is for communication between two computers using a serial interface.
• ppp-over-ether—This encapsulation is used for underlying interfaces of pp0 interfaces.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Related Documentation
• Junos OS Interfaces Library for Security Devices
family inet (Interfaces)
Supported Platforms
J Series, LN Series, SRX Series
Syntax
inet {
accounting {
destination-class-usage;
source-class-usage {
input;
output;
}
}
address (source-address/prefix) {
arp destination-address {
(mac mac-address | multicast-mac multicast-mac-address);
publish publish-address;
}
broadcast address;
preferred;
primary;
vrrp-group group-id {
(accept-data | no-accept-data);
advertise-interval seconds;
advertisements-threshold number;
authentication-key key-value;
authentication-type (md5 | simple);
fast-interval milliseconds;
inet6-advertise-interval milliseconds;
(preempt <hold-time seconds> | no-preempt);
priority value;
track {
interface interface-name {
bandwidth-threshold bandwidth;
priority-cost value;
}
priority-hold-time seconds;
route route-address {
routing-instance routing-instance;
priority-cost value;
}
}
virtual-address [address];
virtual-link-local-address address;
vrrp-inherit-from {
active-group value;
active-interface interface-name;
}
}
web-authentication {
http;
https;
redirect-to-https;
}
}
dhcp {
client-identifier {
(ascii string | hexadecimal string);
}
lease-time (length | infinite);
retransmission-attempt value;
retransmission-interval seconds;
server-address server-address;
update-server;
vendor-id vendor-id;
}
dhcp-client {
client-identifier {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
user-id (ascii string| hexadecimal string);
}
lease-time (length | infinite);
retransmission-attempt value;
retransmission-interval seconds;
server-address server-address;
update-server;
vendor-id vendor-id;
}
filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
mtu value;
no-neighbor-learn;
no-redirects;
policer {
arp arp-name;
input input-name;
output output-name;
}
primary;
rpf-check {
fail-filter filter-name;
mode {
loose;
}
}
sampling {
input;
output;
simple-filter;
}
targeted-broadcast {
(forward-and-send-to-re | forward-only);
}
unnumbered-address {
interface-name;
preferred-source-address preferred-source-address;
}
}
Hierarchy Level
[edit interfaces interface unit unit]
Release Information
Statement introduced in a prior release of Junos OS.
Description
Assign an IP address to a logical interface.
Options
ipaddress—Specifies the IP address for the interface.
NOTE: You use family inet to assign an IPv4 address. You use family inet6 to assign an IPv6 address. An interface can be configured with both an IPv4 and IPv6 address.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
family inet6
Supported Platforms
J Series, LN Series, SRX Series
Syntax
inet6 {
accounting {
destination-class-usage;
source-class-usage {
input;
output;
}
}
address source-address/prefix {
eui-64;
ndp address {
(mac mac-address | multicast-mac multicast-mac-address);
publish;
}
preferred;
primary;
vrrp-inet6-group group_id {
(accept-data | no-accept-data);
advertisements-threshold number;
authentication-key value;
authentication-type (md5 | simple);
fast-interval milliseconds;
inet6-advertise-interval milliseconds;
(preempt <hold-time seconds> | no-preempt);
priority value;
track {
interface interface-name {
bandwidth-threshold value;
priority-cost value;
}
priority-hold-time seconds;
route route-address {
routing-instance routing-instance;
}
}
virtual-inet6-address [address];
virtual-link-local-address address;
vrrp-inherit-from {
active-group value;
active-interface interface-name;
}
}
web-authentication {
http;
https;
redirect-to-https;
}
}
(dad-disable | no-dad-disable);
dhcpv6-client {
client-ia-type (ia-na | ia-pd);
client-identifier duid-type (duid-ll | duid-llt | vendor);
client-type (autoconfig | statefull);
rapid-commit;
req-option (dns-server | domain | fqdn | nis-domain | nis-server | ntp-server | sip-domain | sip-server | time-zone | vendor-spec);
retransmission-attempt number;
update-router-advertisement {
interface interface-name;
}
update-server;
}
filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
mtu value;
nd6-stale-time seconds;
no-neighbor-learn;
policer {
input input-name;
output output-name;
}
rpf-check {
fail-filter filter-name;
mode {
loose;
}
}
sampling {
input;
output;
}
unnumbered-address {
interface-name;
preferred-source-address preferred-source-address;
}
}
Hierarchy Level
[edit interfaces interface unit unit]
Release Information
Statement supported in Junos 10.2 for SRX Series and J Series devices.
Description
Assign an IP address to a logical interface.
Options
ipaddress—Specifies the IP address for the interface.
NOTE: You use family inet6 to assign an IPv6 address. You use family inet to assign an IPv4 address. An interface can be configured with both an IPv4 and IPv6 address.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
flow (Security Flow)
Supported Platforms
J Series, LN Series, SRX Series
Syntax
flow {
aging {
early-ageout seconds;
high-watermark percent;
low-watermark percent;
}
allow-dns-reply;
bridge {
block-non-ip-all;
bpdu-vlan-flooding;
bypass-non-ip-unicast;
no-packet-flooding {
no-trace-route;
}
}
force-ip-reassembly;
ipsec-performance-acceleration;
load-distribution {
session-affinity ipsec;
}
pending-sess-queue-length (high | moderate | normal);
route-change-timeout seconds;
syn-flood-protection-mode (syn-cookie | syn-proxy);
tcp-mss {
all-tcp mss value;
gre-in {
mss value;
}
gre-out {
mss value;
}
ipsec-vpn {
mss value;
}
}
tcp-session {
fin-invalidate-session;
no-sequence-check;
no-syn-check;
no-syn-check-in-tunnel;
rst-invalidate-session;
rst-sequence-check;
strict-syn-check;
tcp-initial-timeout seconds;
time-wait-state {
(session-ageout | session-timeout seconds);
}
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
packet-filter filter-name {
destination-port port-identifier;
destination-prefix address;
interface interface-name;
protocol protocol-identifier;
source-port port-identifier;
source-prefix address;
}
rate-limit messages-per-second;
}
}
Hierarchy Level
[edit security]
Release Information
Statement modified in Release 9.5 of Junos OS.
Description
Determine how the device manages packet flow. The device can regulate packet flow in the following ways:
• Enable or disable DNS replies when there is no matching DNS request.
• Set the initial session-timeout values.
Options
The remaining statements are explained separately.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Processing Overview Feature Guide for Security Devices
• Junos OS Logical Systems Library for Security Devices
forwarding-classes (CoS)
Supported Platforms
J Series, SRX Series
Syntax
forwarding-classes {
class class-name {
priority (high | low);
queue-num number;
spu-priority (high | low);
}
queue queue-number {
class-name {
priority (high | low);
}
}
}
Hierarchy Level
[edit class-of-service]
Release Information
Statement introduced in Junos OS Release 8.5. Statement updated in Junos OS Release 11.4. The spu-priority option introduced in Junos OS Release 11.4R2.
Description
Configure forwarding classes and assign queue numbers.
Options
• class-name—Display the forwarding class name assigned to the internal queue number.
NOTE: This option is supported only on high-end SRX Series devices, including the SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800.
NOTE: AppQoS forwarding classes must be different from those defined for interface-based rewriters.
• policing-priority—Layer 2 policing. One forwarding class can be configured as premium and others are configured as normal.
• priority—Fabric priority value:
  • high—Forwarding class’s fabric queuing has high priority.
  • low—Forwarding class’s fabric queuing has low priority.
• queue-number—Specify the internal queue number to which a forwarding class is assigned.
• spu-priority—Services Processing Unit (SPU) priority queue, either high or low.
NOTE: The spu-priority option is only supported on SRX1400, SRX3000 line, and SRX5000 line devices.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• CoS Components Feature Guide for Security Devices
• CoS Virtual Channels and Tunnels Feature Guide for Security Devices
• Application Quality of Service Feature Guide for Security Devices
host-inbound-traffic
Supported Platforms
J Series, LN Series, SRX Series
Syntax
host-inbound-traffic {
protocols protocol-name {
except;
}
system-services service-name {
except;
}
}
Hierarchy Level
[edit security zones functional-zone management],
[edit security zones functional-zone management interfaces interface-name],
[edit security zones security-zone zone-name],
[edit security zones security-zone zone-name interfaces interface-name]
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Control the type of traffic that can reach the device from interfaces bound to the zone.
Options
The remaining statements are explained separately.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Security Zones and Interfaces Feature Guide for Security Devices
interface (Bridge Domains)
Supported Platforms
SRX Series
Syntax
interface interface-name {
static-mac mac-address {
vlan-id vlan-id;
}
}
Hierarchy Level
[edit bridge-domains bridge-domain-name bridge-options]
Release Information
Statement modified in Release 9.5 of Junos OS.
Description
Specify the logical interfaces to include in the bridge domain.
Options
interface-name—Name of a logical interface.
Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Junos OS Interfaces Library for Security Devices
interfaces (CoS)
Supported Platforms
J Series, LN Series, SRX Series
Syntax
interfaces interface-name {
input-traffic-control-profile profile-name;
output-traffic-control-profile profile-name;
output-traffic-control-profile-remaining profile-name;
scheduler-map scheduler-map;
shaping-rate bps;
unit logical-unit-number {
adaptive-shaper adaptive-shaper-name;
classifiers {
(dscp | dscp-ipv6 | exp | ieee-802.1 | ieee-802.1ad | inet-precedence)
}
forwarding-class class-name;
input-traffic-control-profile {
profile-name;
shared-instance shared-instance-name;
}
loss-priority-maps {
frame-relay-de {
(lpmap-name | default);
}
}
output-traffic-control-profile {
profile-name;
shared-instance shared-instance-name;
}
rewrite-rules {
(dscp | dscp-ipv6 | exp | frame-relay-de | ieee-802.1 | ieee-802.1ad | inet-precedence)
}
scheduler-map scheduler-map-name;
shaping-rate {
rate;
}
vc-shared-scheduler;
virtual-channel-group group-name;
}
}
}
Hierarchy Level
[edit class-of-service interface interface-name unit number]
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Associate the class-of-service configuration elements with an interface.
Options
interface interface-name unit number—The user-specified interface name and unit number.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• CoS Components Feature Guide for Security Devices
• CoS Virtual Channels and Tunnels Feature Guide for Security Devices
• IDP Class of Service Action Feature Guide for Security Devices
interfaces (Security Zones)
Supported Platforms
J Series, LN Series, SRX Series
Syntax
interfaces interface-name {
host-inbound-traffic {
protocols protocol-name {
except;
}
system-services service-name {
except;
}
}
}
Hierarchy Level
[edit security zones functional-zone management],
[edit security zones security-zone zone-name]
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Specify the set of interfaces that are part of the zone.
Options
interface-name—Name of the interface.
The remaining statements are explained separately.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Security Zones and Interfaces Feature Guide for Security Devices
• Administration Guide for Security Devices
inet6 (Security Forwarding Options)
Supported Platforms
J Series, SRX Series
Syntax
inet6 {
mode (drop | flow-based | packet-based);
}
Hierarchy Level
[edit security forwarding-options family]
Release Information
Statement introduced in Release 8.5 of Junos OS.
Description
Enable packet-based or flow-based processing of IPv6 traffic. By default, the device drops IPv6 traffic.
NOTE: Packet-based processing is not supported on the following SRX Series devices: SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800.
Options
The mode statement is described separately.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
loss-priority (CoS Loss Priority)
Supported Platforms
J Series, LN Series, SRX Series
Syntax
loss-priority level code-points [ values ];
Hierarchy Level
[edit class-of-service loss-priority-maps frame-relay-de map-name]
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Map CoS values to a loss priority.
Options
level can be one of the following:
• high—Packet has high loss priority.
• medium-high—Packet has medium-high loss priority.
• medium-low—Packet has medium-low loss priority.
• low—Packet has low loss priority.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• CoS Components Feature Guide for Security Devices
• CoS Virtual Channels and Tunnels Feature Guide for Security Devices
• Junos OS CoS Library for Security Devices
• Link Services and Special Interfaces Feature Guide for Security Devices
match (Security Policies)
Supported Platforms
J Series, LN Series, SRX Series
Syntax
match {
application {
[application];
any;
}
destination-address {
[address];
any;
any-ipv4;
any-ipv6;
}
source-address {
[address];
any;
any-ipv4;
any-ipv6;
}
source-identity {
[role-name];
any;
authenticated-user;
unauthenticated-user;
unknown-user;
}
}
Hierarchy Level
[edit security policies from-zone zone-name to-zone zone-name policy policy-name]
Release Information
Statement introduced in Junos OS Release 8.5. Statement updated with source-identity option in Junos OS Release 12.1.
Description
Configure security policy match criteria.
Options
The remaining statements are explained separately.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Security Policies Feature Guide for Security Devices
native-vlan-id (Interfaces)
Supported Platforms
J Series, SRX Series
Syntax
native-vlan-id vlan-id;
Hierarchy Level
[edit interfaces interface-name]
Release Information
Statement introduced in Release 9.5 of Junos OS.
Description
Configure VLAN identifier for untagged packets received on the physical interface of a trunk mode interface.
Options
vlan-id—Configure a VLAN identifier for untagged packets. Enter a number from 0 through 4094.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
peer-selection-service
Supported Platforms
SRX Series
Syntax
peer-selection-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
Hierarchy Level
[edit system processes]
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Enable the peer selection service process.
Options
• command binary-file-path—Path to the binary process.
• disable—Disable the peer selection service process.
• failover—Configure the device to reboot if the software process fails four times within 30 seconds, and specify the software to use during the reboot.
  • alternate-media—Configure the device to switch to backup media that contains a version of the system if a software process fails repeatedly.
  • other-routing-engine—Instruct the secondary Routing Engine to take mastership if a software process fails. If this statement is configured for a process, and that process fails four times within 30 seconds, then the device reboots from the secondary Routing Engine.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
pgcp-service
Supported Platforms
SRX Series
Syntax
pgcp-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
Hierarchy Level
[edit system processes]
Release Information
Statement introduced in Junos OS Release 8.5.
Description
Specify the Packet Gateway Control Protocol (PGCP) that is required for the border gateway function (BGF) feature.
Options
• command binary-file-path—Path to the binary process.
• disable—Disable the Packet Gateway Control Protocol (PGCP) process.
• failover—Configure the device to reboot if the software process fails four times within 30 seconds, and specify the software to use during the reboot.
  • alternate-media—Configure the device to switch to backup media that contains a version of the system if a software process fails repeatedly.
  • other-routing-engine—Instruct the secondary Routing Engine to take mastership if a software process fails. If this statement is configured for a process, and that process fails four times within 30 seconds, the device reboots from the secondary Routing Engine.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
policy (Security Policies)
Supported Platforms
J Series, SRX Series
Syntax
policy policy-name {
description description;
match {
application {
[application];
any;
}
destination-address {
[address];
any;
any-ipv4;
any-ipv6;
}
source-address {
[address];
any;
any-ipv4;
any-ipv6;
}
source-identity {
[role-name];
any;
authenticated-user;
unauthenticated-user;
unknown-user;
}
}
scheduler-name scheduler-name;
then {
count {
alarm {
per-minute-threshold number;
per-second-threshold number;
}
}
deny;
log {
session-close;
session-init;
}
permit {
application-services {
application-firewall {
rule-set rule-set-name;
}
application-traffic-control {
rule-set rule-set-name;
}
gprs-gtp-profile profile-name;
gprs-sctp-profile profile-name;
idp;
(redirect-wx | reverse-redirect-wx);
ssl-proxy {
profile-name profile-name;
}
uac-policy {
captive-portal captive-portal;
}
utm-policy policy-name;
}
destination-address {
drop-translated;
drop-untranslated;
}
firewall-authentication {
pass-through {
access-profile profile-name;
client-match user-or-group-name;
web-redirect;
}
user-firewall {
access-profile profile-name;
ssl-termination-profile profile-name;
}
web-authentication {
client-match user-or-group-name;
}
}
services-offload;
tcp-options {
sequence-check-required;
syn-check-required;
}
tunnel {
ipsec-group-vpn group-vpn;
ipsec-vpn vpn-name;
pair-policy pair-policy;
}
}
reject;
}
}
Hierarchy Level: [edit security policies from-zone zone-name to-zone zone-name]
Release Information: Statement introduced in Junos OS Release 8.5. The services-offload option added in
Junos OS Release 11.4. Statement updated with the source-identity option and the
description option added in Junos OS Release 12.1. Support for the user-firewall option
added in Junos OS Release 12.1X45-D10.
Description: Define a security policy.
Options: policy-name—Name of the security policy.
The remaining statements are explained separately.
Required Privilege Level: security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation:
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Application Quality of Service Feature Guide for Security Devices
• Security Policies Feature Guide for Security Devices
port (Access RADIUS)
Supported Platforms: J Series, SRX Series
Syntax: port port-number;
Hierarchy Level: [edit access radius-server server-address],
[edit access profile profile-name radius-server server-address]
Release Information: Statement modified in Release 8.5 of Junos OS.
Description: Configure the port number on which to contact the RADIUS server.
Options: port-number—Port number on which to contact the RADIUS server.
Default: 1812 (as specified in RFC 2865)
Required Privilege Level: secret—To view this statement in the configuration.
secret-control—To add this statement to the configuration.
Related Documentation:
• Ethernet Port Switching Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
profile (Access)
Supported Platforms: J Series, LN Series, SRX Series
Syntax:
profile profile-name {
accounting {
accounting-stop-on-access-deny;
accounting-stop-on-failure;
coa-immediate-update;
duplication;
immediate-update;
order [accounting-method];
statistics (time | volume-time);
update-interval minutes;
}
accounting-order [accounting-method];
address-assignment pool pool-name;
authentication-order [ldap | none | password | radius | securid];
authorization-order [jsrc];
client client-name {
chap-secret chap-secret;
client-group [ group-names ];
firewall-user {
password password;
}
no-rfc2486;
pap-password pap-password;
x-auth ip-address;
}
client-name-filter {
count number;
domain-name domain-name;
separator special-character;
}
ldap-options {
assemble {
common-name common-name;
}
base-distinguished-name base-distinguished-name;
revert-interval seconds;
search {
admin-search {
distinguished-name distinguished-name;
password password;
}
search-filter search-filter-name;
}
}
ldap-server server-address {
port port-number;
retry attempts;
routing-instance routing-instance-name;
source-address source-address;
timeout seconds;
}
provisioning-order (gx-plus | jsrc);
radius {
accounting-server [server];
attributes {
exclude {
acc-aggr-cir-id-asc [access-request | accounting-start | accounting-stop];
acc-aggr-cir-id-bin [access-request | accounting-start | accounting-stop];
acc-loop-cir-id [access-request | accounting-start | accounting-stop];
accounting-authentic [accounting-off | accounting-on | accounting-start |
accounting-stop];
accounting-delay-time [accounting-off | accounting-on | accounting-start |
accounting-stop];
accounting-session-id [access-request];
accounting-terminate-cause [accounting-off];
act-data-rate-dn [access-request | accounting-start | accounting-stop];
act-data-rate-up [access-request | accounting-start | accounting-stop];
act-interlv-delay-dn [access-request | accounting-start | accounting-stop];
act-interlv-delay-up [access-request | accounting-start | accounting-stop];
att-data-rate-dn [access-request | accounting-start | accounting-stop];
att-data-rate-up [access-request | accounting-start | accounting-stop];
called-station-id [access-request | accounting-start | accounting-stop];
calling-station-id [access-request | accounting-start | accounting-stop];
class [access-request | accounting-start | accounting-stop];
delegated-ipv6-prefix [accounting-start | accounting-stop];
dhcp-gi-address [access-request | accounting-start | accounting-stop];
dhcp-mac-address [access-request | accounting-start | accounting-stop];
dhcp-options [access-request | accounting-start | accounting-stop];
downstream-calculated-qos-rate [access-request | accounting-start |
accounting-stop];
dsl-forum-attributes [access-request | accounting-start | accounting-stop];
dsl-line-state [access-request | accounting-start | accounting-stop];
dsl-type [access-request | accounting-start | accounting-stop];
dynamic-iflset-name [accounting-start | accounting-stop];
event-time-stamp [accounting-off | accounting-on | accounting-start |
accounting-stop];
framed-interface-id [access-request | accounting-start | accounting-stop];
framed-ip-address [access-request | accounting-start | accounting-stop];
framed-ip-netmask [access-request | accounting-start | accounting-stop];
framed-ip-route [access-request | accounting-start | accounting-stop];
framed-ipv6-pool [accounting-start | accounting-stop];
framed-ipv6-prefix [accounting-start | accounting-stop];
framed-ipv6-route [accounting-start | accounting-stop];
framed-pool [accounting-start | accounting-stop];
input-filter [accounting-start | accounting-stop];
input-gigapackets [accounting-stop];
input-gigawords [accounting-stop];
input-ipv6-gigawords [accounting-stop];
input-ipv6-octets [accounting-stop];
input-ipv6-packets [accounting-stop];
interface-description [access-request | accounting-start | accounting-stop];
l2c-downstream-data [access-request | accounting-start | accounting-stop];
l2c-upstream-data [access-request | accounting-start | accounting-stop];
max-data-rate-dn [access-request | accounting-start | accounting-stop];
max-data-rate-up [access-request | accounting-start | accounting-stop];
max-interlv-delay-dn [access-request | accounting-start | accounting-stop];
max-interlv-delay-up [access-request | accounting-start | accounting-stop];
min-data-rate-dn [access-request | accounting-start | accounting-stop];
min-data-rate-up [access-request | accounting-start | accounting-stop];
min-lp-data-rate-dn [access-request | accounting-start | accounting-stop];
min-lp-data-rate-up [access-request | accounting-start | accounting-stop];
nas-identifier [access-request | accounting-start | accounting-stop];
nas-port [access-request | accounting-off | accounting-on | accounting-start |
accounting-stop];
nas-port-id [access-request | accounting-start | accounting-stop];
nas-port-type [access-request | accounting-start | accounting-stop];
output-filter [accounting-start | accounting-stop];
output-gigapackets [accounting-stop];
output-gigawords [accounting-stop];
output-ipv6-gigawords [accounting-stop];
output-ipv6-octets [accounting-stop];
output-ipv6-packets [accounting-stop];
upstream-calculated-qos-rate [access-request | accounting-start | accounting-stop];
}
ignore {
dynamic-iflset-name;
framed-ip-netmask;
input-filter;
logical-system-routing-instance;
output-filter;
}
}
authentication-server [server];
radius-options {
request-rate number;
revert-interval seconds;
}
radius-server server-address {
accounting-port port-number;
max-outstanding-requests number-of-outstanding-requests;
port port-number;
retry attempts;
routing-instance routing-instance-name;
secret password;
source-address source-address;
timeout seconds;
}
service {
accounting-order {
activation-protocol;
radius;
}
}
session-options {
client-group [group-name];
client-idle-timeout minutes;
client-session-timeout minutes;
}
}
Hierarchy Level: [edit access]
Release Information: Statement introduced in Junos OS Release 10.4.
Description: Create a profile containing a set of attributes that define device management access.
Required Privilege Level: access—To view this statement in the configuration.
access-control—To add this statement to the configuration.
Related Documentation:
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
• Master Administrator for Logical Systems Feature Guide for Security Devices
• Modem Interfaces Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
redundancy-group (Interfaces)
Supported Platforms: J Series, LN Series, SRX Series
Syntax: redundancy-group number;
Hierarchy Level: [edit interfaces interface-name redundant-ether-options]
Release Information: Statement introduced in Release 9.0 of Junos OS.
Description: Specify the redundancy group that a redundant Ethernet interface belongs to.
Options: number—Number of the redundancy group that the redundant interface belongs to.
Failover properties of the interface are inherited from the redundancy group.
Range: 1 through 255
Required Privilege Level: interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Related Documentation:
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
routing-interface (Bridge Domains)
Supported Platforms: SRX Series
Syntax: routing-interface routing-interface-name;
Hierarchy Level: [edit bridge-domains bridge-domain-name]
Release Information: Statement modified in Release 9.5 of Junos OS.
Description: Specify a routing interface to include in a bridge domain.
Options: routing-interface-name—Name of the integrated routing and bridging (IRB) interface to
include in the bridge domain. The format of the interface name is irb.x, where x is the
unit number of the interface you configured at the [edit interfaces irb] hierarchy level.
NOTE: You can specify only one IRB interface for each bridge domain.
Required Privilege Level: routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Related Documentation:
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
security-zone
Supported Platforms: J Series, LN Series, SRX Series
Syntax:
security-zone zone-name {
address-book {
address address-name {
ip-prefix {
description text;
}
description text;
dns-name domain-name {
ipv4-only;
ipv6-only;
}
range-address lower-limit to upper-limit;
wildcard-address ipv4-address/wildcard-mask;
}
address-set address-set-name {
address address-name;
address-set address-set-name;
description text;
}
}
application-tracking;
description text;
host-inbound-traffic {
protocols protocol-name {
except;
}
system-services service-name {
except;
}
}
interfaces interface-name {
host-inbound-traffic {
protocols protocol-name {
except;
}
system-services service-name {
except;
}
}
}
screen screen-name;
tcp-rst;
}
Hierarchy Level: [edit security zones]
Release Information: Statement introduced in Junos OS Release 8.5. Support for wildcard addresses added
in Junos OS Release 11.1. The description option added in Junos OS Release 12.1.
Description: Define a security zone, which allows you to divide the network into different segments
and apply different security options to each segment.
Options: zone-name—Name of the security zone.
The remaining statements are explained separately.
Required Privilege Level: security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation:
• Ethernet Port Switching Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Application Tracking Feature Guide for Security Devices
shaping-rate (CoS Interfaces)
Supported Platforms: J Series, LN Series, SRX Series
Syntax: shaping-rate rate;
Hierarchy Level: [edit class-of-service interfaces interface-name],
[edit class-of-service interfaces interface-name unit logical-unit-number]
Release Information: Statement introduced in Junos OS Release 8.5.
Description: For logical interfaces on which you configure packet scheduling, configure traffic shaping
by specifying the amount of bandwidth to be allocated to the logical interface.
NOTE: The shaping-rate statement cannot be applied to a physical interface
on J Series routing platforms.
Logical and physical interface traffic shaping is mutually exclusive. This means you can
include the shaping-rate statement at the [edit class-of-service interfaces interface
interface-name] hierarchy level or the [edit class-of-service interfaces interface
interface-name unit logical-unit-number] hierarchy level, but not both.
Alternatively, you can configure a shaping rate for a logical interface and oversubscribe
the physical interface by including the shaping-rate statement at the [edit class-of-service
traffic-control-profiles] hierarchy level. With this configuration approach, you can
independently control the delay-buffer rate.
Default: If you do not include this statement at the [edit class-of-service interfaces interface
interface-name unit logical-unit-number] hierarchy level, the default logical interface
bandwidth is the average of unused bandwidth for the number of logical interfaces that
require default bandwidth treatment. If you do not include this statement at the [edit
class-of-service interfaces interface interface-name] hierarchy level, the default physical
interface bandwidth is the average of unused bandwidth for the number of physical
interfaces that require default bandwidth treatment.
Options: rate—Peak rate, in bits per second (bps). You can specify a value in bits per second either
as a complete decimal number or as a decimal number followed by the abbreviation
k (1000), m (1,000,000), or g (1,000,000,000).
Range: For logical interfaces, 1000 through 32,000,000,000 bps.
For physical interfaces, 1000 through 160,000,000,000 bps.
Required Privilege Level: interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Related Documentation:
• CoS Components Feature Guide for Security Devices
• Example: Configuring a Large Delay Buffer on a Channelized T1 Interface
• CoS Virtual Channels and Tunnels Feature Guide for Security Devices
• Link Services and Special Interfaces Feature Guide for Security Devices
• Junos OS CoS Library for Security Devices
source-address (Security Policies)
Supported Platforms: J Series, LN Series, SRX Series
Syntax:
source-address {
[address];
any;
any-ipv4;
any-ipv6;
}
Hierarchy Level: [edit security policies from-zone zone-name to-zone zone-name policy policy-name match]
Release Information: Statement introduced in Junos OS Release 8.5. Support for IPv6 addresses added in
Junos OS Release 10.2. Support for IPv6 addresses in active/active chassis cluster
configurations (in addition to the existing support of active/passive chassis cluster
configurations) added in Junos OS Release 10.4. Support for wildcard addresses added
in Junos OS Release 11.1.
Description: Define the matching criteria. You can specify one or more IP addresses, address sets, or
wildcard addresses. You can specify wildcards any, any-ipv4, or any-ipv6.
Options: address—IP addresses, address sets, or wildcard addresses (represented as
A.B.C.D/wildcard-mask). You can configure multiple addresses or address prefixes
separated by spaces and enclosed in square brackets.
Required Privilege Level: security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation:
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Security Policies Feature Guide for Security Devices
static-mac (Bridge Domains)
Supported Platforms: SRX Series
Syntax: static-mac mac-address;
Hierarchy Level: [edit bridge-domains bridge-domain-name bridge-options interface interface-name]
Release Information: Statement modified in Release 9.5 of Junos OS.
Description: Configure a static MAC address for a logical interface in a bridge domain.
Options: mac-address—MAC address.
Required Privilege Level: routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Related Documentation:
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
system-services (Security Zones Interfaces)
Supported Platforms: J Series, LN Series, SRX Series
Syntax:
system-services service-name {
except;
}
Hierarchy Level: [edit security zones security-zone zone-name interfaces interface-name host-inbound-traffic]
Release Information: Statement introduced in Junos OS Release 8.5.
Description: Specify the types of traffic that can reach the device on a particular interface.
Options:
• service-name—Service for which traffic is allowed. The following services are supported:
  • all—Enable all possible system services available on the Routing Engine (RE).
  • any-service—Enable services on the entire port range.
  • bootp—Enable traffic destined to BOOTP and DHCP relay agents.
  • dhcp—Enable incoming DHCP requests.
  • dhcpv6—Enable incoming DHCP requests for IPv6.
  • dns—Enable incoming DNS services.
  • finger—Enable incoming finger traffic.
  • ftp—Enable incoming FTP traffic.
  • http—Enable incoming J-Web or clear-text Web authentication traffic.
  • https—Enable incoming J-Web or Web authentication traffic over Secure Sockets Layer (SSL).
  • ident-reset—Enable the access that has been blocked by an unacknowledged identification request.
  • ike—Enable Internet Key Exchange traffic.
  • netconf—Enable incoming NetScreen Security Manager (NSM) traffic over SSH.
  • ntp—Enable incoming Network Time Protocol (NTP) traffic.
  • ping—Allow the device to respond to ICMP echo requests.
  • r2cp—Enable incoming Radio Router Control Protocol traffic.
  • reverse-ssh—Enable reverse SSH traffic.
  • reverse-telnet—Enable reverse Telnet traffic.
  • rlogin—Enable incoming rlogin (remote login) traffic.
  • rpm—Enable incoming real-time performance monitoring (RPM) traffic.
  • rsh—Enable incoming Remote Shell (rsh) traffic.
  • snmp—Enable incoming SNMP traffic (UDP port 161).
  • snmp-trap—Enable incoming SNMP traps (UDP port 162).
  • ssh—Enable incoming SSH traffic.
  • telnet—Enable incoming Telnet traffic.
  • tftp—Enable TFTP services.
  • traceroute—Enable incoming traceroute traffic (UDP port 33434).
  • xnm-clear-text—Enable incoming Junos XML protocol traffic for all specified interfaces.
  • xnm-ssl—Enable incoming Junos XML protocol-over-SSL traffic for all specified interfaces.
• except—(Optional) Exclude the named service; except can be used only if all has been defined.
Required Privilege Level: security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation:
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Security Zones and Interfaces Feature Guide for Security Devices
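As an added example that is not part of the Juniper documentation, the following Python audits constructed `set`-style host-inbound-traffic configuration against the service-name list above: it flags all, any-service and clear-text services that remain reachable, and reports except entries that have no all to act on. The clear-text grouping, the helper names and the sample configuration are the example's own assumptions.

```python
"""Audit Junos host-inbound-traffic system-services for over-broad or
clear-text management exposure.

Added example, not Juniper's code. Input is constructed `set`-style
configuration; the service names are the ones documented for the
system-services statement. Zone-level and interface-level scopes are
reported independently (how Junos merges them is not modelled here).
"""
from dataclasses import dataclass, field

# Documented service names, minus the catch-alls `all` and `any-service`,
# which are handled as findings of their own.
KNOWN_SERVICES = frozenset({
    "bootp", "dhcp", "dhcpv6", "dns", "finger", "ftp", "http", "https",
    "ident-reset", "ike", "netconf", "ntp", "ping", "r2cp", "reverse-ssh",
    "reverse-telnet", "rlogin", "rpm", "rsh", "snmp", "snmp-trap", "ssh",
    "telnet", "tftp", "traceroute", "xnm-clear-text", "xnm-ssl",
})

# Services that carry logins or configuration unencrypted. This grouping
# is the example's own judgement, not a classification from the manual.
CLEAR_TEXT_SERVICES = frozenset({
    "telnet", "ftp", "http", "rlogin", "rsh", "finger", "tftp",
    "reverse-telnet", "xnm-clear-text",
})


@dataclass
class HostInbound:
    allowed: set = field(default_factory=set)   # services enabled by name
    excepted: set = field(default_factory=set)  # services listed with `except`
    all_enabled: bool = False                   # `system-services all` present

    def effective(self):
        """Services reachable in this scope: `all` minus `except`, or the list."""
        if self.all_enabled:
            return (KNOWN_SERVICES | self.allowed) - self.excepted
        # Without `all`, the manual says `except` has nothing to act on.
        return set(self.allowed)


def parse_host_inbound(lines):
    """Return {(zone, interface-or-None): HostInbound} from `set` lines."""
    scopes = {}
    for raw in lines:
        tok = raw.split()
        if tok[:4] != ["set", "security", "zones", "security-zone"] or len(tok) < 5:
            continue
        zone, rest, iface = tok[4], tok[5:], None
        if rest[:1] == ["interfaces"] and len(rest) >= 2:
            iface, rest = rest[1], rest[2:]
        if rest[:2] != ["host-inbound-traffic", "system-services"] or len(rest) < 3:
            continue  # `protocols` and other zone statements are out of scope
        scope = scopes.setdefault((zone, iface), HostInbound())
        name, is_except = rest[2], rest[3:4] == ["except"]
        if name == "all":
            scope.all_enabled = True
        elif is_except:
            scope.excepted.add(name)
        else:
            scope.allowed.add(name)
    return scopes


def audit_host_inbound(lines):
    """Return one finding string per issue, in configuration order."""
    findings = []
    for (zone, iface), scope in parse_host_inbound(lines).items():
        where = f"zone {zone}" + (f" interface {iface}" if iface else "")
        if scope.excepted and not scope.all_enabled:
            findings.append(f"{where}: except without all has no effect")
        if scope.all_enabled:
            findings.append(f"{where}: all enables every RE service; prefer an explicit list")
        reachable = scope.effective()
        if "any-service" in reachable:
            findings.append(f"{where}: any-service opens the entire port range")
        for svc in sorted(reachable & CLEAR_TEXT_SERVICES):
            findings.append(f"{where}: clear-text service {svc} is reachable")
    return findings


# Constructed sample configuration; not taken from any real device.
SAMPLE_CONFIG = [
    "set security zones security-zone trust host-inbound-traffic system-services all",
    "set security zones security-zone trust host-inbound-traffic system-services telnet except",
    "set security zones security-zone trust host-inbound-traffic system-services ftp except",
    "set security zones security-zone untrust host-inbound-traffic system-services ike",
    "set security zones security-zone untrust host-inbound-traffic system-services ping",
    "set security zones security-zone untrust host-inbound-traffic system-services http",
    "set security zones security-zone dmz interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh",
    "set security zones security-zone dmz interfaces ge-0/0/1.0 host-inbound-traffic system-services rsh except",
]

if __name__ == "__main__":
    for finding in audit_host_inbound(SAMPLE_CONFIG):
        print(finding)
```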
unframed | no-unframed (Interfaces)
Supported Platforms: SRX550, SRX650
Syntax: (unframed | no-unframed);
Hierarchy Level: [edit interfaces interface-name t3-options]
Release Information: Statement introduced in Release 11.1 of Junos OS.
Description: Enable or disable framing for the T3 interface on a 1-Port Clear Channel DS3/E3 GPIM
on an SRX650 device. By default, unframed mode is enabled. Select no-unframed to
enable framing. Select unframed to return to the default mode.
Required Privilege Level: interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Related Documentation:
• Junos OS Interfaces Library for Security Devices
vlan-id (Bridge Domain)
Supported Platforms: MX Series, SRX Series
Syntax: vlan-id (all | none | vlan-id);
Hierarchy Level: [edit bridge-domains bridge-domain-name],
[edit logical-systems logical-system-name bridge-domains bridge-domain-name],
[edit logical-systems logical-system-name routing-instances routing-instance-name
bridge-domains bridge-domain-name],
[edit routing-instances routing-instance-name bridge-domains bridge-domain-name]
Release Information: Statement introduced in Junos OS Release 8.4.
Support for Layer 2 trunk ports added in Junos OS Release 9.2.
Support for logical systems added in Junos OS Release 9.6.
Description: (MX Series routers only) Specify a VLAN identifier (VID) to include in the packets sent
to and from the bridge domain or a VPLS routing instance.
NOTE: When configuring a VLAN identifier for provider backbone bridge
(PBB) routing instances, dual-tagged VIDs and the none option are not
permitted.
Options:
all—Specify that the bridge domain spans all the VLAN identifiers configured on the
member logical interfaces.
NOTE: You cannot specify the all option if you include a routing interface in
the bridge domain.
none—Specify to enable shared VLAN learning or to send untagged frames over VPLS
VT interfaces.
vlan-id—A valid VLAN identifier. If you configure multiple bridge domains with a valid
VLAN identifier, you must specify a unique VLAN identifier for each domain. However,
you can use the same VLAN identifier for bridge domains that belong to different
virtual switches. Use this option to send singly tagged frames with the specified
VLAN identifier over VPLS VT interfaces.
NOTE: If you specify a VLAN identifier, you cannot also use the all option.
They are mutually exclusive.
Required Privilege Level: routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Related Documentation:
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
vlan-id-list (Bridge Domains)
Supported Platforms: SRX Series
Syntax: vlan-id-list [vlan-id];
Hierarchy Level: [edit bridge-domains bridge-domain-name]
Release Information: Statement modified in Release 9.5 of Junos OS.
Description: Specify multiple VLAN identifiers to create a bridge domain for each VLAN identifier.
Options: vlan-id—A list of valid VLAN identifiers. A bridge domain is created for each VLAN identifier
in the list.
NOTE: If you specify a VLAN identifier list, you cannot configure an IRB
interface in the bridge domain.
Required Privilege Level: routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Related Documentation:
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
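The constraints stated in the routing-interface, vlan-id and vlan-id-list entries above (one IRB per bridge domain, irb.x naming, no all or vlan-id-list together with an IRB, unique VLAN identifiers within a virtual switch) can be checked mechanically. The following Python does so over constructed `set`-style configuration; it is an added example, not Juniper's code, and assumes the top-level [edit bridge-domains] hierarchy only, so every domain it sees is in the same virtual switch.

```python
"""Check bridge-domain configuration against the constraints the manual
states for vlan-id, vlan-id-list and routing-interface.

Added example, not Juniper's code. Input is constructed `set`-style
configuration for the top-level [edit bridge-domains] hierarchy only, so
every domain is in the same virtual switch and VLAN identifiers must be
unique across domains.
"""


def parse_bridge_domains(lines):
    """Return {name: {"vlan-id": str|None, "vlan-id-list": [...], "routing-interfaces": [...]}}."""
    domains = {}
    for raw in lines:
        tok = raw.split()
        if tok[:2] != ["set", "bridge-domains"] or len(tok) < 4:
            continue
        bd = domains.setdefault(tok[2], {"vlan-id": None, "vlan-id-list": [],
                                         "routing-interfaces": []})
        key = tok[3]
        # Drop the square brackets Junos uses around list values.
        vals = [v for v in (t.strip("[]") for t in tok[4:]) if v]
        if key == "vlan-id" and vals:
            bd["vlan-id"] = vals[0]
        elif key == "vlan-id-list":
            bd["vlan-id-list"].extend(vals)
        elif key == "routing-interface" and vals:
            bd["routing-interfaces"].append(vals[0])
    return domains


def check_bridge_domains(lines):
    """Return one problem string per violated constraint, in configuration order."""
    problems, owner = [], {}  # owner maps a VLAN identifier to the domain using it
    for name, bd in parse_bridge_domains(lines).items():
        vid, vlist, irbs = bd["vlan-id"], bd["vlan-id-list"], bd["routing-interfaces"]
        if len(irbs) > 1:
            problems.append(f"{name}: only one IRB interface per bridge domain, found {', '.join(irbs)}")
        for irb in irbs:
            if not irb.startswith("irb."):
                problems.append(f"{name}: routing-interface must be irb.x, got {irb}")
        if vid == "all" and irbs:
            problems.append(f"{name}: vlan-id all cannot be combined with a routing interface")
        if vlist and irbs:
            problems.append(f"{name}: vlan-id-list cannot be combined with an IRB interface")
        # `all` and `none` are modes, not identifiers, so uniqueness does not apply to them.
        ids = ([vid] if vid not in (None, "all", "none") else []) + vlist
        for v in ids:
            if v in owner and owner[v] != name:
                problems.append(f"{name}: VLAN {v} is already used by bridge domain {owner[v]}")
            else:
                owner.setdefault(v, name)
    return problems


# Constructed sample configuration; not taken from any real device.
SAMPLE_BRIDGE_CONFIG = [
    "set bridge-domains bd-users vlan-id 100",
    "set bridge-domains bd-users routing-interface irb.100",
    "set bridge-domains bd-all vlan-id all",
    "set bridge-domains bd-all routing-interface irb.0",
    "set bridge-domains bd-multi vlan-id-list [ 200 201 202 ]",
    "set bridge-domains bd-multi routing-interface irb.200",
    "set bridge-domains bd-dup vlan-id 201",
    "set bridge-domains bd-two-irb vlan-id 300",
    "set bridge-domains bd-two-irb routing-interface irb.300",
    "set bridge-domains bd-two-irb routing-interface irb.301",
]

if __name__ == "__main__":
    for problem in check_bridge_domains(SAMPLE_BRIDGE_CONFIG):
        print(problem)
```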
vlan-tagging (Interfaces)
Supported Platforms: LN Series, SRX Series
Syntax: vlan-tagging native-vlan-id vlan-id;
Hierarchy Level: [edit interfaces interface-name]
Release Information: Statement introduced in Release 9.5 of Junos OS.
Description: Configure a VLAN identifier for untagged packets received on the physical interface of a
trunk mode interface.
Options: native-vlan-id—Configures a VLAN identifier for untagged packets. Enter a number from
0 through 4094.
NOTE: The native-vlan-id can be configured only when either
flexible-vlan-tagging mode or interface-mode trunk is configured.
Required Privilege Level: interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Related Documentation:
• Ethernet Port Switching Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
CHAPTER 3
Administration
• Operational Commands on page 119
Operational Commands
• clear security flow ip-action
• clear security flow session family
• show igmp-snooping route (View)
• show igmp-snooping vlans (View)
• show interfaces (View J Series and SRX Series)
• show security flow gate family
• show security flow ip-action
• show security flow session family
• show security flow statistics
• show security flow status
• show security policies
• show security zones
clear security flow ip-action
Supported Platforms: J Series, SRX Series
Syntax: clear security flow ip-action [filter]
Release Information: Command introduced in Release 10.4 of Junos OS. Logical systems option introduced in
Release 11.2 of Junos OS.
Description: Clear IP-action entries, based on filtered options, for IP sessions running on the device.
Options: filter—Filter the display based on the specified criteria.
The following filters display those sessions that match the criteria specified by the filter.
Refer to the sample output for filtered output examples.
all | [filter]—All active sessions on the device.
destination-port destination-port—Destination port number of the traffic. Range is 1 through
65,535.
destination-prefix destination-prefix—Destination IP prefix or address.
family (inet | inet6) [filter]—IPv4 traffic or IPv6-NATPT traffic and filtered options.
logical-system logical-system-name | all [filter]—Specified logical system or all logical
systems.
protocol protocol-name | protocol-number [filter]—Protocol name or number and filtered
options.
• ah or 51
• egp or 8
• esp or 50
• gre or 47
• icmp or 1
• icmp6 or 58
• igmp or 2
• ipip or 4
• ospf or 89
• pim or 103
• rsvp or 46
• sctp or 132
• tcp or 6
• udp or 17
root-logical-system [filter]—Default logical system information and filtered options.
source-port source-port—Source port number of the traffic. Range is 1 through 65,535.
source-prefix source-prefix—Source IP prefix or address of the traffic.
Required Privilege Level: clear
Related Documentation:
• show security flow ip-action on page 137
List of Sample Output: clear security flow ip-action all on page 121
clear security flow ip-action destination-prefix on page 121
clear security flow ip-action family inet on page 121
clear security flow ip-action protocol udp on page 121
Output Fields: When you enter this command, the system responds with the status of your request.
Sample Output
clear security flow ip-action all
user@host>clear security flow ip-action all
1008 ip-action entries cleared
clear security flow ip-action destination-prefix
user@host>clear security flow ip-action destination-prefix 5.0.0.0/8
87 ip-action entries cleared
clear security flow ip-action family inet
user@host>clear security flow ip-action family inet
2479 ip-action entries cleared
clear security flow ip-action protocol udp
user@host>clear security flow ip-action protocol udp
270 ip-action entries cleared
clear security flow session family
Supported Platforms: J Series, SRX Series
Syntax: clear security flow session family (inet | inet6)
Release Information: Command introduced in Release 10.2 of Junos OS.
Description: Clear sessions that match the specified protocol family.
Options:
• inet—Clear IPv4 sessions.
• inet6—Clear IPv6 sessions.
Required Privilege Level: clear
Related Documentation:
• show security flow session family on page 141
List of Sample Output: clear security flow session family inet on page 122
clear security flow session family inet6 on page 122
Output Fields: When you enter this command, you are provided feedback on the status of your request.
Sample Output
clear security flow session family inet
user@host> clear security flow session family inet
1 active sessions cleared
clear security flow session family inet6
user@host> clear security flow session family inet6
1 active sessions cleared
show igmp-snooping route (View)
Supported Platforms: J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax: show igmp-snooping route (brief | detail | ethernet-switching | inet | vlan)
Release Information: Command introduced in Release 9.5 of Junos OS.
Description: Display IGMP snooping route information.
Options:
• none—Display general parameters.
• brief | detail—(Optional) Display the specified level of output.
• ethernet-switching—(Optional) Display Ethernet switching information.
• inet—(Optional) Display inet information.
• vlan vlan-id | vlan-name—(Optional) Display route information for the specified VLAN.
Required Privilege Level: view
Related Documentation:
• Ethernet Interfaces Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
Output Fields: Table 6 on page 123 lists the output fields for the show igmp-snooping route command.
Output fields are listed in the approximate order in which they appear.
Table 6: show igmp-snooping route Output Fields
Field Name | Field Description
VLAN | Name of the VLAN.
Group | Multicast group address.
Next-hop | ID associated with the next-hop device.
Sample Output
show igmp-snooping route
user@host> show igmp-snooping route
VLAN    Group           Next-hop
v11     224.1.1.1, *    533
            Interfaces: ge-0/0/13.0, ge-0/0/1.0
v12     224.1.1.3, *    534
            Interfaces: ge-0/0/13.0, ge-0/0/0.0
show igmp-snooping route vlan v1
user@host> show igmp-snooping route vlan v1
Table: 0
VLAN    Group            Next-hop
v1      224.1.1.1, *     1266
            Interfaces: ge-0/0/0.0
v1      224.1.1.3, *     1266
            Interfaces: ge-0/0/0.0
v1      224.1.1.5, *     1266
            Interfaces: ge-0/0/0.0
v1      224.1.1.7, *     1266
            Interfaces: ge-0/0/0.0
v1      224.1.1.9, *     1266
            Interfaces: ge-0/0/0.0
v1      224.1.1.11, *    1266
            Interfaces: ge-0/0/0.0
show igmp-snooping vlans (View)

Supported Platforms
  J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax
  show igmp-snooping vlans
  <brief | detail >
  <vlan vlan-id | vlan-name >

Release Information
  Command introduced in Release 9.5 of Junos OS.

Description
  Display IGMP snooping VLAN information.

Options
  • none—Display general parameters.
  • brief | detail—(Optional) Display the specified level of output.
  • vlan vlan-id | vlan-name—(Optional) Display VLAN information for the specified VLAN.

Required Privilege Level
  view

Related Documentation
  • Ethernet Interfaces Feature Guide for Security Devices
  • Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices

Output Fields
  Table 7 lists the output fields for the show igmp-snooping vlans command. Output fields
  are listed in the approximate order in which they appear.

  Table 7: show igmp-snooping vlans
  Field Name           Field Description
  VLAN                 Name of the VLAN.
  Interfaces           Number of interfaces in the VLAN.
  Groups               Number of groups in the VLAN.
  MRouters             Number of multicast routers associated with the VLAN.
  Receivers            Number of host receivers in the VLAN.
  Tag                  Numerical identifier of the VLAN.
  vlan-interface       Internal VLAN interface identifier.
  Membership timeout   Membership timeout value.
  Querier timeout      Timeout value for interfaces dynamically marked as router interfaces
                       (interfaces that receive queries). When the querier timeout is reached,
                       the switch marks the interface as a host interface.
  Interface            Name of the interface.
  Reporters            Number of dynamic groups on an interface.

Sample Output

show igmp-snooping vlans
  user@host> show igmp-snooping vlans
  VLAN      Interfaces  Groups  MRouters  Receivers
  default   0           0       0         0
  v1        11          50      0         0
  v10       1           0       0         0
  v11       1           0       0         0
  v180      3           0       1         0
  v181      3           0       0         0
  v182      3           0       0         0

show igmp-snooping vlans vlan v10
  user@host> show igmp-snooping vlans vlan v10
  VLAN      Interfaces  Groups  MRouters  Receivers
  v10       1           0       0         0

show igmp-snooping vlans vlan v10 detail
  user@host> show igmp-snooping vlans vlan v10 detail
  VLAN: v10, Tag: 10, vlan-interface: vlan.10
    Membership timeout: 260, Querier timeout: 255
    Interface: ge-0/0/10.0, tagged, Groups: 0, Reporters: 0
show interfaces (View J Series and SRX Series)

Supported Platforms
  J Series, LN Series, SRX Series

Syntax
  show interfaces
  < interface-name | brief | controller | descriptions | destination-class | detail | diagnostics |
  extensive | far-end-interval | filters | flow-statistics | interval | load-balancing |
  mac-database | mc-ae | media | policers | queue | redundancy | routing | routing-instance
  | snmp-index | source-class | statistics | switch-port | terse | transport | zone>

Release Information
  Command modified in Release 9.5 of Junos OS.

Description
  Display status information and statistics about interfaces on J Series and SRX Series
  devices running Junos OS.
  On SRX Series devices, if you configure identical IP addresses on a single interface, no
  warning message is displayed; a syslog message is generated instead.

Options
  • interface-name—(Optional) Display standard information about the specified interface.
    Following is a list of typical interface names. Replace pim with the PIM slot and port
    with the port number. For a complete list, see the Junos OS Layer 2 Bridging and
    Switching Library for Security Devices.
    • at-pim/0/port—ATM-over-ADSL or ATM-over-SHDSL interface.
    • br-pim/0/port—Basic Rate Interface for establishing ISDN connections.
    • ce1-pim/0/port—Channelized E1 interface.
    • cl-0/0/8—3G wireless modem interface for SRX210 devices.
    • ct1-pim/0/port—Channelized T1 interface.
    • dl0—Dialer Interface for initiating ISDN and USB modem connections.
    • e1-pim/0/port—E1 interface.
    • e3-pim/0/port—E3 interface.
    • fe-pim/0/port—Fast Ethernet interface.
    • ge-pim/0/port—Gigabit Ethernet interface.
    • se-pim/0/port—Serial interface.
    • t1-pim/0/port—T1 (also called DS1) interface.
    • t3-pim/0/port—T3 (also called DS3) interface.
    • wx-slot/0/0—WAN acceleration interface, for the WXC Integrated Services Module
      (ISM 200).
  • brief—(Optional) Display brief output.
  • controller—(Optional) Show controller information.
  • descriptions—(Optional) Display interface description strings.
  • destination-class—(Optional) Show statistics for destination class.
  • detail—(Optional) Display detailed output.
  • diagnostics—(Optional) Show interface diagnostics information.
  • extensive—(Optional) Display extensive output.
  • far-end-interval—(Optional) Show far end interval statistics.
  • filters—(Optional) Show interface filters information.
  • flow-statistics—(Optional) Show security flow counters and errors.
  • interval—(Optional) Show interval statistics.
  • load-balancing—(Optional) Show load-balancing status.
  • mac-database—(Optional) Show media access control database information.
  • mc-ae—(Optional) Show MC-AE configured interface information.
  • media—(Optional) Display media information.
  • policers—(Optional) Show interface policers information.
  • queue—(Optional) Show queue statistics for this interface.
  • redundancy—(Optional) Show redundancy status.
  • routing—(Optional) Show routing status.
  • routing-instance—(Optional) Name of routing instance.
  • snmp-index—(Optional) SNMP index of interface.
  • source-class—(Optional) Show statistics for source class.
  • statistics—(Optional) Display statistics and detailed output.
  • switch-port—(Optional) Front end port number (0..15).
  • terse—(Optional) Display terse output.
  • transport—(Optional) Show interface transport information.
  • zone—(Optional) Interface's zone.

Required Privilege Level
  view

Related Documentation
  • Ethernet Port Switching Feature Guide for Security Devices
  • Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
  • Junos OS Layer 2 Bridging and Switching Library for Security Devices
  • Junos OS Interfaces Library for Security Devices

List of Sample Output
  show interfaces Gigabit Ethernet on page 129
  show interfaces extensive (Gigabit Ethernet) on page 129
  show interfaces terse on page 132
  show interfaces extensive (WAN Acceleration) on page 133
  show interfaces extensive (3G Wireless Modem) on page 134

Output Fields
  Table 8 on page 129 lists the output fields for the show interfaces command. Output fields
  are listed in the approximate order in which they appear.

  Table 8: show interfaces Output Fields
  Field Name                    Field Description
  Allowed host inbound traffic  The allowed traffic through the interface.
  Traffic statistics            Number of packets and bytes transmitted and received on the
                                physical interface.
  Local statistics              Number of packets and bytes transmitted and received on the
                                physical interface.
  Transit statistics            Number of packets and bytes transiting the physical interface.
  Flow input statistics         Statistics on packets received by flow module.
  Flow output statistics        Statistics on packets sent by flow module.
  Flow error statistics         Statistics on errors in the flow module.
  Admin                         The interface is enabled (up) or disabled (down).

Sample Output

show interfaces Gigabit Ethernet
  user@host> show interfaces ge-0/0/1.0
  Logical interface ge-0/0/1.0 (Index 67) (SNMP ifIndex 36)
    Flags: Device-Down SNMP-Traps Encapsulation: ENET2
    Protocol inet, MTU: 1500
      Flags: None
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 4.4.4/24, Local: 4.4.4.254, Broadcast: 4.4.4.255
    Security: Zone: Untrust, ident-reset: on
    Allowed host-inbound traffic: bfd bgp bootp dhcp dvmrp finger ftp
    http https ike ident-reset igmp ldp mld
    msdp netconf ospf ospf3 pgm pim ping rip
    ripng rlogin router-discovery rpm rsh
    rsvp sap snmp snmp-trap ssh telnet
    traceroute vrrp xnm-clear xnm-ssl
Sample Output

show interfaces extensive (Gigabit Ethernet)
  user@host> show interfaces ge-0/0/1.0 extensive
  Physical interface: ge-0/0/1, Enabled, Physical link is Down
    Interface index: 135, SNMP ifIndex: 510, Generation: 138
    Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
    BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
    Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
    Remote fault: Online
    Device flags   : Present Running Down
    Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
    Link flags     : None
    CoS queues     : 8 supported, 8 maximum usable queues
    Hold-times     : Up 0 ms, Down 0 ms
    Current address: 00:1f:12:e4:b1:01, Hardware address: 00:1f:12:e4:b1:01
    Last flapped   : 2015-05-12 08:36:59 UTC (1w1d 22:57 ago)
    Statistics last cleared: Never
    Traffic statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Input errors:
      Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
      L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
      FIFO errors: 0, Resource errors: 0
    Output errors:
      Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
      FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
    Egress queues: 8 supported, 4 in use
    Queue counters:       Queued packets  Transmitted packets      Dropped packets
      0 best-effort                    0                    0                    0
      1 expedited-fo                   0                    0                    0
      2 assured-forw                   0                    0                    0
      3 network-cont                   0                    0                    0
    Queue number:         Mapped forwarding classes
      0                   best-effort
      1                   expedited-forwarding
      2                   assured-forwarding
      3                   network-control
    Active alarms  : LINK
    Active defects : LINK
    MAC statistics:                      Receive         Transmit
      Total octets                             0                0
      Total packets                            0                0
      Unicast packets                          0                0
      Broadcast packets                        0                0
      Multicast packets                        0                0
      CRC/Align errors                         0                0
      FIFO errors                              0                0
      MAC control frames                       0                0
      MAC pause frames                         0                0
      Oversized frames                         0
      Jabber frames                            0
      Fragment frames                          0
      VLAN tagged frames                       0
      Code violations                          0
    Filter statistics:
      Input packet count                       0
      Input packet rejects                     0
      Input DA rejects                         0
      Input SA rejects                         0
      Output packet count                                       0
      Output packet pad count                                   0
      Output packet error count                                 0
      CAM destination filters: 2, CAM source filters: 0
    Autonegotiation information:
      Negotiation status: Incomplete
    Packet Forwarding Engine configuration:
      Destination slot: 0
    CoS information:
      Direction : Output
      CoS transmit queue               Bandwidth               Buffer Priority   Limit
                                 %            bps     %           usec
      0 best-effort             95      950000000    95              0      low    none
      3 network-control          5       50000000     5              0      low    none
    Interface transmit statistics: Disabled

    Logical interface ge-0/0/1.0 (Index 71) (SNMP ifIndex 514) (Generation 136)
      Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2
      Traffic statistics:
       Input  bytes  :                    0
       Output bytes  :                    0
       Input  packets:                    0
       Output packets:                    0
      Local statistics:
       Input  bytes  :                    0
       Output bytes  :                    0
       Input  packets:                    0
       Output packets:                    0
      Transit statistics:
       Input  bytes  :                    0                    0 bps
       Output bytes  :                    0                    0 bps
       Input  packets:                    0                    0 pps
       Output packets:                    0                    0 pps
      Security: Zone: public
      Flow Statistics :
      Flow Input statistics :
        Self packets :                     0
        ICMP packets :                     0
        VPN packets :                      0
        Multicast packets :                0
        Bytes permitted by policy :        0
        Connections established :          0
      Flow Output statistics:
        Multicast packets :                0
        Bytes permitted by policy :        0
      Flow error statistics (Packets dropped due to):
        Address spoofing:                  0
        Authentication failed:             0
        Incoming NAT errors:               0
        Invalid zone received packet:      0
        Multiple user authentications:     0
        Multiple incoming NAT:             0
        No parent for a gate:              0
        No one interested in self packets: 0
        No minor session:                  0
        No more sessions:                  0
        No NAT gate:                       0
        No route present:                  0
        No SA for incoming SPI:            0
        No tunnel found:                   0
        No session for a gate:             0
        No zone or NULL zone binding       0
        Policy denied:                     0
        Security association not active:   0
        TCP sequence number out of window: 0
        Syn-attack protection:             0
        User authentication errors:        0
      Protocol inet, MTU: 1500, Generation: 150, Route table: 0
        Flags: Sendbcast-pkt-to-re
        Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
          Destination: 1.1.1/24, Local: 1.1.1.1, Broadcast: 1.1.1.255,
          Generation: 150
Sample Output

show interfaces terse
  user@host> show interfaces terse
  Interface               Admin Link  Proto    Local                 Remote
  ge-0/0/0                up    up
  ge-0/0/0.0              up    up    inet     10.209.4.61/18
  gr-0/0/0                up    up
  ip-0/0/0                up    up
  st0                     up    up
  st0.1                   up    ready inet
  ls-0/0/0                up    up
  lt-0/0/0                up    up
  mt-0/0/0                up    up
  pd-0/0/0                up    up
  pe-0/0/0                up    up
  e3-1/0/0                up    up
  t3-2/0/0                up    up
  e1-3/0/0                up    up
  se-4/0/0                up    down
  t1-5/0/0                up    up
  br-6/0/0                up    up
  dc-6/0/0                up    up
  dc-6/0/0.32767          up    up
  bc-6/0/0:1              down  up
  bc-6/0/0:1.0            up    down
  dl0                     up    up
  dl0.0                   up    up    inet
  dsc                     up    up
  gre                     up    up
  ipip                    up    up
  lo0                     up    up
  lo0.16385               up    up    inet     10.0.0.1              --> 0/0
                                               10.0.0.16             --> 0/0
  lsi                     up    up
  mtun                    up    up
  pimd                    up    up
  pime                    up    up
  pp0                     up    up
Sample Output

show interfaces extensive (WAN Acceleration)
  user@host> show interfaces wx-6/0/0 extensive
  Physical interface: wx-6/0/0, Enabled, Physical link is Up
    Interface index: 142, SNMP ifIndex: 41, Generation: 143
    Type: PIC-Peer, Link-level type: PIC-Peer, MTU: 1522, Clocking: Unspecified,
    Speed: 1000mbps
    Device flags   : Present Running
    Interface flags: Point-To-Point Promiscuous SNMP-Traps Internal: 0x4000
    Link type      : Full-Duplex
    Link flags     : None
    Physical info  : Unspecified
    Hold-times     : Up 0 ms, Down 0 ms
    Current address: Unspecified, Hardware address: Unspecified
    Alternate link address: Unspecified
    Last flapped   : 2007-08-01 05:19:35 UTC (02:12:04 ago)
    Statistics last cleared: Never
    Traffic statistics:
     Input  bytes  :                58427                    0 bps
     Output bytes  :               115078                    0 bps
     Input  packets:                  847                    0 pps
     Output packets:                  972                    0 pps
    Input errors:
      Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0,
      Policed discards: 0, Resource errors: 0
    Output errors:
      Carrier transitions: 0, Errors: 0, Drops: 0, MTU errors: 0,
      Resource errors: 0

    Logical interface wx-6/0/0.0 (Index 68) (SNMP ifIndex 43) (Generation 135)
      Flags: Point-To-Point SNMP-Traps Encapsulation: PIC-Peering
      Security: Zone: wx-zone
      Allowed host-inbound traffic : any-service bootp bfd bgp dns dvmrp
      igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp
      finger ftp tftp ident-reset http https ike netconf ping rlogin rpm rsh snmp
      snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
      Flow Statistics :
      Flow Input statistics :
        Self packets :                     0
        ICMP packets :                     0
        VPN packets :                      0
        Bytes permitted by policy :        70137
        Connections established :          4
      Flow Output statistics:
        Multicast packets :                0
        Bytes permitted by policy :        2866
      Flow error statistics (Packets dropped due to):
        Address spoofing:                  0
        Authentication failed:             0
        Incoming NAT errors:               0
        Invalid zone received packet:      0
        Multiple user authentications:     0
        Multiple incoming NAT:             0
        No parent for a gate:              0
        No one interested in self packets: 0
        No minor session:                  0
        No more sessions:                  0
        No NAT gate:                       0
        No route present:                  0
        No SA for incoming SPI:            0
        No tunnel found:                   0
        No session for a gate:             0
        No zone or NULL zone binding       0
        Policy denied:                     0
        Security association not active:   0
        TCP sequence number out of window: 0
        Syn-attack protection:             0
        User authentication errors:        0
      Protocol inet, MTU: 1500, Generation: 141, Route table: 0
        Flags: None
        Addresses, Flags: Is-Preferred Is-Primary
          Destination: 10.87.13.2, Local: 3.3.3.3, Broadcast: Unspecified,
          Generation: 142
Sample Output

show interfaces extensive (3G Wireless Modem)
  user@host> show interfaces cl-0/0/8 extensive
  Physical interface: cl-0/0/8, Enabled, Physical link is Up
    Interface index: 67, SNMP ifIndex: 25, Generation: 4
    Type: Async-Serial, Link-level type: PPP-Subordinate, MTU: 1504,
    Clocking: Unspecified, Speed: MODEM
    Device flags   : Present Running
    Interface flags: Point-To-Point SNMP-Traps Internal: 0x4000
    Link flags     : None
    Hold-times     : Up 0 ms, Down 0 ms
    CoS queues     : 8 supported, 8 maximum usable queues
    Last flapped   : Never
    Statistics last cleared: Never
    Traffic statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                  868                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                   16                    0 pps
    Input errors:
      Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0,
      Policed discards: 0, Resource errors: 0
    Output errors:
      Carrier transitions: 0, Errors: 0, Drops: 0, MTU errors: 0,
      Resource errors: 0
    Egress queues: 8 supported, 4 in use
    Queue counters:       Queued packets  Transmitted packets      Dropped packets
      0 best-effort                    6                    6                    0
      1 expedited-fo                   0                    0                    0
      2 assured-forw                   0                    0                    0
      3 network-cont                  10                   10                    0
    MODEM status:
      Modem type                   : Sierra-USB-3G Data/Fax Modem Version
      Initialization command string: ATS0=2
      Initialization status        : Ok
      Call status                  : Connected to 14591
      Call duration                : 134316 seconds
      Call direction               : Dialout
      Baud rate                    : <x> bps
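A defender reading the Flow error statistics block in the extensive output above usually wants the non-zero drop reasons pulled out per logical interface and compared between two polls, since the counters are cumulative until cleared. The Python below is an added example, not Juniper code: its input is a constructed excerpt that copies the field names from this page's samples with a few counters set to non-zero values, and the set of counters it treats as security-relevant is the example's own choice.

```python
"""Audit the 'Flow error statistics (Packets dropped due to)' block of
'show interfaces <name> extensive' output.
Added example, not Juniper code. SAMPLE is a constructed excerpt: the field
names follow this page's samples, but a few counters are set to non-zero values."""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
Logical interface ge-0/0/1.0 (Index 71) (SNMP ifIndex 514) (Generation 136)
  Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2
  Security: Zone: public
  Flow Statistics :
  Flow Input statistics :
    Self packets :                     12
    ICMP packets :                     3
    Bytes permitted by policy :        70137
  Flow error statistics (Packets dropped due to):
    Address spoofing:                  7
    Authentication failed:             0
    Invalid zone received packet:      0
    No route present:                  2
    No zone or NULL zone binding       0
    Policy denied:                     42
    TCP sequence number out of window: 0
    Syn-attack protection:             15
    User authentication errors:        0
  Protocol inet, MTU: 1500, Generation: 150, Route table: 0
    Flags: Sendbcast-pkt-to-re
"""

_LOGICAL = re.compile(r"^Logical interface (\S+) ")
# A counter line: a name without commas (none of the block's names contain one),
# an optional colon ('No zone or NULL zone binding' prints none) and an integer.
# The comma rule makes 'Protocol inet, MTU: ...' end the block.
_COUNTER = re.compile(r"^\s*([^:,]+?)\s*:?\s*(\d+)\s*$")


def parse_flow_errors(text: str) -> Dict[str, Dict[str, int]]:
    """Map each logical interface to its 'Packets dropped due to' counters."""
    result: Dict[str, Dict[str, int]] = {}
    iface, in_block = None, False
    for line in text.splitlines():
        if m := _LOGICAL.match(line):
            iface, in_block = m.group(1), False
            result[iface] = {}
        elif "Flow error statistics" in line:
            in_block = True
        elif in_block:
            m = _COUNTER.match(line)
            if m is None:              # first non-counter line ends the block
                in_block = False
            else:
                result[iface][m.group(1)] = int(m.group(2))
    return result


# Drop reasons worth a look when they grow; the names are the page's, the
# selection is this example's own (hypothetical) triage list.
SECURITY_COUNTERS = ("Address spoofing", "Policy denied", "Syn-attack protection",
                     "Authentication failed", "Invalid zone received packet")


def nonzero_security_drops(errors: Dict[str, Dict[str, int]]) -> List[Tuple[str, str, int]]:
    """(interface, reason, count) for every security-related counter above zero."""
    hits = []
    for iface, counters in errors.items():
        for reason in SECURITY_COUNTERS:
            n = counters.get(reason, 0)
            if n:
                hits.append((iface, reason, n))
    return hits


def delta(previous: Dict[str, Dict[str, int]],
          current: Dict[str, Dict[str, int]]) -> Dict[Tuple[str, str], int]:
    """Growth per (interface, reason) between two polls. Counters only reset on
    'clear', so a negative value means the device was cleared in between."""
    out: Dict[Tuple[str, str], int] = {}
    for iface, counters in current.items():
        for reason, n in counters.items():
            out[(iface, reason)] = n - previous.get(iface, {}).get(reason, 0)
    return out


if __name__ == "__main__":
    for iface, reason, n in nonzero_security_drops(parse_flow_errors(SAMPLE)):
        print(f"{iface}: {reason} = {n}")
```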
show security flow gate family

Supported Platforms
  J Series, SRX Series

Syntax
  show security flow gate family (inet | inet6)

Release Information
  Command introduced in Release 10.4 of Junos OS.

Description
  Display filtered summary of information about existing gates, types of gates, and the
  maximum allowed number of gates.

Options
  • inet—Displays IPv4 information.
  • inet6—Displays IPv6 gate information.

Required Privilege Level
  view

Related Documentation
  • Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
  • show security flow gate

Output Fields
  Table 9 lists the output fields for the show security flow gate family command. Output
  fields are listed in the approximate order in which they appear.

  Table 9: show security flow gate family Output Fields
  Field Name             Field Description
  Valid gates            Number of valid gates.
  Pending gates          Number of pending gates.
  Invalidated gates      Number of invalid gates.
  Gates in other states  Number of gates in other states.
  Total gates            Total number of gates.

Sample Output
  user@host> show security flow gate family inet6
  Hole: 2001:13::8-0-0->2001:12::8-33135-33135
    Translated: ::/0->::/0
    Protocol: tcp
    Application: FTP ALG/79
    Age: 24 seconds
    Flags: 0x8080
    Zone: zserver
    Reference count: 1
    Resource: 1-2-2
  Valid gates: 1
  Pending gates: 0
  Invalidated gates: 0
  Gates in other states: 0
  Total gates: 1

  user@host> show security flow gate family inet6 destination-prefix 2001:12::8 or source-prefix
  Hole: 2001:13::8-0-0->2001:12::8-33135-33135
    Translated: ::/0->::/0
    Protocol: tcp
    Application: FTP ALG/79
    Age: 26 seconds
    Flags: 0x8080
    Zone: zserver
    Reference count: 1
    Resource: 1-2-2
  Valid gates: 1
  Pending gates: 0
  Invalidated gates: 0
  Gates in other states: 0
  Total gates: 1
show security flow ip-action

Supported Platforms
  J Series, LN Series, SRX Series

Syntax
  show security flow ip-action [ <filter> ] [ summary family (inet | inet6) ]

Release Information
  Command introduced in Release 10.1 of Junos OS. Logical systems option added in
  Release 11.2 of Junos OS. Summary option introduced in Release 12.1 of Junos OS.

Description
  Display the current IP-action settings, based on filtered options, for IP sessions running
  on the device.

Options
  • filter—Filter the display based on the specified criteria.
    The following filters display those sessions that match the criteria specified by the
    filter. Refer to the sample output for filtered output examples.
    all | [filter]—All active sessions on the device.
    destination-port destination-port—Destination port number of the traffic. Range is 1
    through 65,535.
    destination-prefix destination-prefix—Destination IP prefix or address.
    family (inet | inet6) [filter]—IPv4 traffic or IPv6-NATPT traffic and filtered options.
    logical-system logical-system-name | all [filter]—Specified logical system or all logical
    systems.
    protocol protocol-name | protocol-number [filter]—Protocol name or number and filtered
    options.
      • ah or 51
      • egp or 8
      • esp or 50
      • gre or 47
      • icmp or 1
      • icmp6 or 58
      • igmp or 2
      • ipip or 4
      • ospf or 89
      • pim or 103
      • rsvp or 46
      • sctp or 132
      • tcp or 6
      • udp or 17
    root-logical-system [filter]—Default logical system information and filtered options.
    source-port source-port—Source port number of the traffic. Range is 1 through 65,535.
    source-prefix source-prefix—Source IP prefix or address of the traffic.
  • summary—Summary information about IP-action entries.
    family—Display summary of IP-action entries by family. This option is used to filter the
    output.
      • inet—Display summary of IPv4 entries.
      • inet6—Display summary of IPv6 entries.

Required Privilege Level
  view

Related Documentation
  • Flow-Based Processing Feature Guide for Security Devices
  • Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
  • clear security flow ip-action on page 120
  • clear security flow session destination-port

List of Sample Output
  show security flow ip-action destination-port on page 139
  show security flow ip-action destination-prefix on page 139
  show security flow ip-action family inet protocol on page 139
  show security flow ip-action family inet logical-system all on page 139
  show security flow ip-action source-prefix on page 139
  show security flow ip-action | count on page 140
  show security flow ip-action summary on page 140
  show security flow ip-action summary family inet on page 140
  show security flow ip-action summary family inet6 on page 140

Output Fields
  Table 10 on page 138 lists the output fields for the show security flow ip-action command.
  Output fields are listed in the approximate order in which they appear.

  Table 10: show security flow ip-action Output Fields
  Field Name          Field Description
  Src-Addr            Source address of outbound IP traffic.
  Src-Port            Source port number of outbound IP traffic.
  Dst-Addr            Destination address of inbound IP traffic.
  Dst-Port/Proto      Destination port number and protocol type of inbound IP traffic.
  Timeout (sec)       Configured timeouts and time remaining for an IP session.
  Zone                Security zone associated with an IP session.
  Action              Configured action type, for example, block, close, and notify.
  IPv4 action count   The total number of IPv4 entries.
  IPv6 action count   The total number of IPv6 entries.

Sample Output
show security flow ip-action destination-port
  user@host> show security flow ip-action destination-port 161
  Src-Addr          Src-Port  Dst-Addr  Dst-Port/Proto  Timeout(sec)  Zone  Action
  146.107.179.107   *         5.0.0.1   161/udp         200/200       *     close
  27.38.182.32      *         5.0.0.1   161/udp         198/200       *     close
  53.69.226.79      *         5.0.0.1   161/udp         175/200       *     close
  220.53.101.56     *         5.0.0.1   161/udp         159/200       *     close
  98.114.199.126    *         5.0.0.1   161/udp         194/200       *     close

show security flow ip-action destination-prefix
  user@host> show security flow ip-action destination-prefix 5.0.0.0/8
  Src-Addr          Src-Port  Dst-Addr  Dst-Port/Proto  Timeout(sec)  Zone  Action
  146.107.179.107   *         5.0.0.1   161/udp         200/200       *     close
  27.38.182.32      *         5.0.0.1   161/udp         198/200       *     close
  53.69.226.79      *         5.0.0.1   161/udp         175/200       *     close
  220.53.101.56     *         5.0.0.1   161/udp         159/200       *     close
  98.114.199.126    *         5.0.0.1   161/udp         194/200       *     close

show security flow ip-action family inet protocol
  user@host> show security flow ip-action family inet protocol icmp
  Src-Addr          Src-Port  Dst-Addr  Dst-Port/Proto  Timeout(sec)  Zone  Action
  190.205.17.194    *         5.0.0.1   0/icmp          87/200        *     close
  125.185.38.244    *         5.0.0.1   0/icmp          156/200       *     close
  201.46.164.123    *         5.0.0.1   0/icmp          174/200       *     close
  66.64.249.134     *         5.0.0.1   0/icmp          97/200        *     close
  104.65.181.148    *         5.0.0.1   0/icmp          167/200       *     close

show security flow ip-action family inet logical-system all
  user@host> show security flow ip-action family inet logical-system all
  Src-Addr          Src-Port  Dst-Addr  Dst-Port/Proto  Timeout(sec)  Zone  Action
  175.87.147.87     *         *         */*             51/200        *     close
  32.28.234.28      *         *         */*             112/200       *     close
  24.231.158.231    *         *         */*             124/200       *     close
  0.113.112.113     *         *         */*             138/200       *     close

show security flow ip-action source-prefix
  user@host> show security flow ip-action source-prefix 212.0.0.0/8
  Src-Addr          Src-Port  Dst-Addr  Dst-Port/Proto  Timeout(sec)  Zone  Action
  212.178.48.164    *         *         */*             21/200        *     close
  212.141.190.190   *         *         */*             93/200        *     close
  212.193.112.136   *         *         */*             145/200       *     close
  212.235.103.142   *         5.0.0.1   161/udp         171/200       *     close
  212.4.132.110     *         *         */*             181/200       *     close

show security flow ip-action | count
  user@host> show security flow ip-action | count
  Count: 203 lines

show security flow ip-action summary
  user@host> show security flow ip-action summary
  IPv4 action count: 2000
  IPv6 action count: 0

show security flow ip-action summary family inet
  user@host> show security flow ip-action summary
  IPv4 action count: 50

show security flow ip-action summary family inet6
  user@host> show security flow ip-action summary family inet6
  IPv6 action count: 0
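The filters listed under Options can also be applied after the fact to captured ip-action output, which is useful when entries from several devices are being correlated off-box. The Python below is an added example, not Juniper code: it parses the tabular output shown in the samples above, assumes the Timeout(sec) column reads remaining/configured (as the sample values suggest), and uses rows constructed from the page's source-prefix sample.

```python
"""Parse 'show security flow ip-action' tabular output and re-apply the CLI's
filter criteria client-side. Added example, not Juniper code.
Assumption: Timeout(sec) is printed as remaining/configured seconds."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, copied from this page's 'source-prefix 212.0.0.0/8' output.
SAMPLE_OUTPUT = """\
Src-Addr          Src-Port  Dst-Addr  Dst-Port/Proto  Timeout(sec)  Zone  Action
212.178.48.164    *         *         */*             21/200        *     close
212.141.190.190   *         *         */*             93/200        *     close
212.193.112.136   *         *         */*             145/200       *     close
212.235.103.142   *         5.0.0.1   161/udp         171/200       *     close
212.4.132.110     *         *         */*             181/200       *     close
"""


@dataclass
class IpAction:
    src_addr: str
    src_port: Optional[int]   # None when the column shows '*'
    dst_addr: str             # '*' when any destination matches
    dst_port: Optional[int]
    proto: str                # '*' or a protocol name such as 'udp'
    remaining: int            # seconds left before the entry expires
    configured: int           # configured timeout in seconds
    zone: str
    action: str               # block, close or notify


def _port(token: str) -> Optional[int]:
    return None if token == "*" else int(token)


def parse_ip_action(text: str) -> List[IpAction]:
    """Turn the seven-column table into IpAction records; the header is skipped."""
    entries: List[IpAction] = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 7 or cols[0] == "Src-Addr":
            continue
        src, sport, dst, portproto, timeout, zone, action = cols
        dport, proto = portproto.split("/", 1)
        remaining, configured = (int(x) for x in timeout.split("/", 1))
        entries.append(IpAction(src, _port(sport), dst, _port(dport), proto,
                                remaining, configured, zone, action))
    return entries


def matches_prefix(addr: str, prefix: str) -> bool:
    """Client-side equivalent of the source-prefix / destination-prefix filters.
    A wildcard address ('*') never matches an explicit prefix."""
    if addr == "*":
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def filter_entries(entries: List[IpAction], *, source_prefix: Optional[str] = None,
                   destination_prefix: Optional[str] = None,
                   destination_port: Optional[int] = None,
                   protocol: Optional[str] = None) -> List[IpAction]:
    """Apply the same criteria the CLI filters accept, in any combination."""
    out = []
    for e in entries:
        if source_prefix and not matches_prefix(e.src_addr, source_prefix):
            continue
        if destination_prefix and not matches_prefix(e.dst_addr, destination_prefix):
            continue
        if destination_port is not None and e.dst_port != destination_port:
            continue
        if protocol and e.proto != protocol:
            continue
        out.append(e)
    return out


def expiring_within(entries: List[IpAction], seconds: int) -> List[IpAction]:
    """Entries whose remaining timeout is at or below the threshold, i.e. the
    blocks that will lapse soon unless the triggering traffic recurs."""
    return [e for e in entries if e.remaining <= seconds]


if __name__ == "__main__":
    rows = parse_ip_action(SAMPLE_OUTPUT)
    for e in expiring_within(rows, 100):
        print(f"{e.src_addr} {e.action} expires in {e.remaining}s")
```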
show security flow session family

Supported Platforms
  J Series, LN Series, SRX Series

Syntax
  show security flow session family (inet | inet6)
  [brief | extensive | summary]

Release Information
  Command introduced in Release 10.2 of Junos OS.

Description
  Display filtered summary of information about existing sessions, including types of
  sessions, active and failed sessions, and the maximum allowed number of sessions.

Options
  • inet—Display a detailed summary of IPv4 sessions.
  • inet6—Display a detailed summary of IPv6 sessions.
  • brief | extensive | summary—Display the specified level of output.

Required Privilege Level
  view

Related Documentation
  • Flow-Based Processing Feature Guide for Security Devices
  • Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
  • clear security flow session family on page 122

List of Sample Output
  show security flow session family inet on page 142
  show security flow session family inet brief on page 143
  show security flow session family inet extensive on page 143
  show security flow session family inet summary on page 144

Output Fields
  Table 11 on page 141 lists the output fields for the show security flow session family
  command. Output fields are listed in the approximate order in which they appear.

  Table 11: show security flow session family Output Fields
  Field Name          Field Description
  Session ID          Number that identifies the session. Use this ID to get more information
                      about the session.
  Policy name         Policy that permitted the traffic.
  Timeout             Idle timeout after which the session expires.
  In                  Incoming flow (source and destination IP addresses, application protocol,
                      interface, session token, route, gateway, tunnel, port sequence, FIN
                      sequence, FIN state, packets and bytes).
  Out                 Reverse flow (source and destination IP addresses, application protocol,
                      interface, session token, route, gateway, tunnel, port sequence, FIN
                      sequence, FIN state, packets and bytes).
  Total sessions      Total number of sessions.
  Status              Session status.
  Flag                Internal flag depicting the state of the session, used for debugging
                      purposes.
  Policy name         Name and ID of the policy that the first packet of the session matched.
  Source NAT pool     The name of the source pool where NAT is used.
  Application         Name of the application.
  Maximum timeout     Maximum session timeout.
  Current timeout     Remaining time for the session unless traffic exists in the session.
  Session State       Session state.
  Start time          Time when the session was created, offset from the system start time.
  Unicast-sessions    Number of unicast sessions.
  Multicast-sessions  Number of multicast sessions.
  Failed-sessions     Number of failed sessions.
  Sessions-in-use     Number of sessions in use.
  Maximum-sessions    Number of maximum sessions.
    • Valid sessions
    • Pending sessions
    • Invalidated sessions
    • Sessions in other states

Sample Output
show security flow session family inet
root> show security flow session family inet
Flow Sessions on FPC4 PIC1:
Session ID: 170067516, Policy name: self-traffic-policy/1, Timeout: 4, Valid
In: 40.0.0.100/23 --> 40.0.0.1/26637;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 84
Out: 40.0.0.1/26637 --> 40.0.0.100/23;icmp, If: .local..0, Pkts: 1, Bytes: 84
Total sessions: 1
Flow Sessions on FPC5 PIC0:
142
Copyright © 2016, Juniper Networks, Inc.
Chapter 3: Administration
Session ID: 200066737, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 40.0.0.100/21 --> 40.0.0.1/26637;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 84
Out: 40.0.0.1/26637 --> 40.0.0.100/21;icmp, If: .local..0, Pkts: 1, Bytes: 84
Total sessions: 1
Flow Sessions on FPC5 PIC1:
Session ID: 210066726, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 40.0.0.100/22 --> 40.0.0.1/26637;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 84
Out: 40.0.0.1/26637 --> 40.0.0.100/22;icmp, If: .local..0, Pkts: 1, Bytes: 84
Total sessions: 1
show security flow session family inet brief
root> show security flow session family inet brief
Flow Sessions on FPC4 PIC1:
Session ID: 170067516, Policy name: self-traffic-policy/1, Timeout: 4, Valid
In: 40.0.0.100/23 --> 40.0.0.1/26637;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 84
Out: 40.0.0.1/26637 --> 40.0.0.100/23;icmp, If: .local..0, Pkts: 1, Bytes: 84
Total sessions: 1
Flow Sessions on FPC5 PIC0:
Session ID: 200066737, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 40.0.0.100/21 --> 40.0.0.1/26637;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 84
Out: 40.0.0.1/26637 --> 40.0.0.100/21;icmp, If: .local..0, Pkts: 1, Bytes: 84
Total sessions: 1
Flow Sessions on FPC5 PIC1:
Session ID: 210066726, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 40.0.0.100/22 --> 40.0.0.1/26637;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 84
Out: 40.0.0.1/26637 --> 40.0.0.100/22;icmp, If: .local..0, Pkts: 1, Bytes: 84
Total sessions: 1
show security flow session family inet extensive
root> show security flow session family inet extensive
Flow Sessions on FPC4 PIC1:
Session ID: 170067527, Status: Normal
Flag: 0x80000040
Policy name: self-traffic-policy/1
Source NAT pool: Null
Maximum timeout: 4, Current timeout: 2
Session State: Valid
Start time: 667332, Duration: 1
In: 40.0.0.100/56 --> 40.0.0.1/26637;icmp,
Interface: ge-0/0/2.0,
Session token: 0x180, Flag: 0x0x21
Route: 0x60010, Gateway: 40.0.0.100, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 1, Bytes: 84
Out: 40.0.0.1/26637 --> 40.0.0.100/56;icmp,
Interface: .local..0,
Session token: 0x80, Flag: 0x0x30
Route: 0xfffb0006, Gateway: 40.0.0.1, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Copyright © 2016, Juniper Networks, Inc.
143
Layer 2 Bridging and Switching Library for Security Devices
Pkts: 1, Bytes: 84
Total sessions: 1
Flow Sessions on FPC5 PIC0:
Session ID: 200066749, Status: Normal
Flag: 0x80000040
Policy name: self-traffic-policy/1
Source NAT pool: Null
Maximum timeout: 4, Current timeout: 4
Session State: Valid
Start time: 667329, Duration: 1
In: 40.0.0.100/57 --> 40.0.0.1/26637;icmp,
Interface: ge-0/0/2.0,
Session token: 0x180, Flag: 0x0x21
Route: 0x60010, Gateway: 40.0.0.100, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 1, Bytes: 84
Out: 40.0.0.1/26637 --> 40.0.0.100/57;icmp,
Interface: .local..0,
Session token: 0x80, Flag: 0x0x30
Route: 0xfffb0006, Gateway: 40.0.0.1, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 1, Bytes: 84
Total sessions: 1
Flow Sessions on FPC5 PIC1:
Session ID: 210066737, Status: Normal
Flag: 0x80000040
Policy name: self-traffic-policy/1
Source NAT pool: Null
Maximum timeout: 4, Current timeout: 2
Session State: Valid
Start time: 667326, Duration: 3
In: 40.0.0.100/55 --> 40.0.0.1/26637;icmp,
Interface: ge-0/0/2.0,
Session token: 0x180, Flag: 0x0x21
Route: 0x60010, Gateway: 40.0.0.100, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 1, Bytes: 84
Out: 40.0.0.1/26637 --> 40.0.0.100/55;icmp,
Interface: .local..0,
Session token: 0x80, Flag: 0x0x30
Route: 0xfffb0006, Gateway: 40.0.0.1, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 1, Bytes: 84
Total sessions: 1
show security flow session family inet summary
root> show security flow session family inet summary
Flow Sessions on FPC4 PIC1:
Valid sessions: 1
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Total sessions: 1
Flow Sessions on FPC5 PIC0:
Valid sessions: 1
Pending sessions: 0
Invalidated sessions: 1
Sessions in other states: 0
Total sessions: 2
Flow Sessions on FPC5 PIC1:
Valid sessions: 1
Pending sessions: 0
Invalidated sessions: 1
Sessions in other states: 0
Total sessions: 2
show security flow statistics

Supported Platforms: J Series, LN Series, SRX Series

Syntax: show security flow statistics

Release Information: Command introduced in Release 10.2 of Junos OS.

Description: Display flow-related system statistics.

Required Privilege Level: view

Related Documentation:
• Flow-Based Processing Feature Guide for Security Devices
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices

List of Sample Output:
• show security flow statistics on page 146

Output Fields: Table 12 on page 146 lists the output fields for the show security flow statistics command. Output fields are listed in the approximate order in which they appear.

Table 12: show security flow statistics Output Fields
Field Name | Field Description
Current sessions | Number of current sessions.
Packets forwarded | Number of packets forwarded.
Packets dropped | Number of packets dropped.
Fragment packets | Number of fragment packets.
Sample Output
show security flow statistics
root> show security flow statistics
Flow Statistics of FPC4 PIC1:
Current sessions: 63
Packets forwarded: 3001
Packets dropped: 1281
Fragment packets: 0
Flow Statistics of FPC5 PIC0:
Current sessions: 22
Packets forwarded: 859
Packets dropped: 0
Fragment packets: 0
Flow Statistics of FPC5 PIC1:
Current sessions: 22
Packets forwarded: 858
Packets dropped: 0
Fragment packets: 0
Flow Statistics Summary:
System total valid sessions: 107
Packets forwarded: 4718
Packets dropped: 1281
Fragment packets: 0
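The per-PIC blocks and the summary block of this command are easy to check mechanically: the summary counters should equal the sums over the PICs, and a PIC whose dropped-packet share is far above the others is the first place to look when sessions fail. The following Python script is an added example, not Juniper code; it parses a constructed copy of the sample output above, verifies the summary arithmetic, and flags PICs whose drop ratio exceeds a threshold (the 10 percent value is an assumption, not a Junos default).

```python
"""Parse and sanity-check `show security flow statistics` output (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed copy of the sample output above; it is test input, not live device data.
SAMPLE = """\
Flow Statistics of FPC4 PIC1:
  Current sessions: 63
  Packets forwarded: 3001
  Packets dropped: 1281
  Fragment packets: 0
Flow Statistics of FPC5 PIC0:
  Current sessions: 22
  Packets forwarded: 859
  Packets dropped: 0
  Fragment packets: 0
Flow Statistics of FPC5 PIC1:
  Current sessions: 22
  Packets forwarded: 858
  Packets dropped: 0
  Fragment packets: 0
Flow Statistics Summary:
  System total valid sessions: 107
  Packets forwarded: 4718
  Packets dropped: 1281
  Fragment packets: 0
"""

HEADER = re.compile(r"^Flow Statistics of (FPC\d+ PIC\d+):$")
COUNTER = re.compile(r"^([A-Za-z ]+?):\s+(\d+)$")

# Per-PIC counter name -> the name the summary block uses for the same quantity.
SUMMARY_NAMES = {"Current sessions": "System total valid sessions",
                 "Packets forwarded": "Packets forwarded",
                 "Packets dropped": "Packets dropped",
                 "Fragment packets": "Fragment packets"}


def parse_flow_statistics(text: str) -> Dict[str, Dict[str, int]]:
    """Return {'FPC4 PIC1': {counter: value, ...}, ..., 'Summary': {...}}."""
    blocks: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            blocks[current] = {}
            continue
        if line == "Flow Statistics Summary:":
            current = "Summary"
            blocks[current] = {}
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            blocks[current][m.group(1)] = int(m.group(2))
    return blocks


def check_summary(blocks: Dict[str, Dict[str, int]]) -> List[str]:
    """Report summary counters that do not equal the sum over the PICs."""
    pics = {name: c for name, c in blocks.items() if name != "Summary"}
    summary = blocks.get("Summary", {})
    problems = []
    for pic_key, summary_key in SUMMARY_NAMES.items():
        total = sum(c.get(pic_key, 0) for c in pics.values())
        if summary.get(summary_key) != total:
            problems.append(f"{summary_key}: summary {summary.get(summary_key)} != per-PIC sum {total}")
    return problems


def high_drop_pics(blocks: Dict[str, Dict[str, int]], threshold: float = 0.10) -> List[Tuple[str, float]]:
    """PICs whose dropped/(forwarded+dropped) ratio exceeds the (assumed) threshold."""
    flagged = []
    for name, c in blocks.items():
        if name == "Summary":
            continue
        seen = c.get("Packets forwarded", 0) + c.get("Packets dropped", 0)
        ratio = c.get("Packets dropped", 0) / seen if seen else 0.0
        if ratio > threshold:
            flagged.append((name, round(ratio, 3)))
    return flagged


if __name__ == "__main__":
    stats = parse_flow_statistics(SAMPLE)
    print("summary mismatches:", check_summary(stats) or "none")
    print("PICs above drop threshold:", high_drop_pics(stats))
```

On the sample above the summary is consistent and only FPC4 PIC1 is flagged, with roughly 30 percent of its packets dropped; on a real device the dropped count includes policy denies, so the ratio is a prompt to look at the session table and logs for that PIC, not by itself a fault.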
show security flow status

Supported Platforms: J Series, LN Series, SRX Series

Syntax: show security flow status

Release Information: Command introduced in Junos OS Release 10.2; session distribution mode option added in Junos OS Release 12.1X44-D10; enhanced route scaling mode option added in Junos OS Release 12.1X45-D10.

Description: Display the flow processing modes and logging status.

Required Privilege Level: view

Related Documentation:
• Flow-Based Processing Feature Guide for Security Devices
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• MPLS Feature Guide for Security Devices

List of Sample Output:
• show security flow status on page 149
• show security flow status (IPsec Performance Acceleration) on page 149

Output Fields: Table 13 on page 148 lists the output fields for the show security flow status command. Output fields are listed in the approximate order in which they appear.

Table 13: show security flow status Output Fields
Field Name | Field Description
Flow forwarding mode | Flow processing mode.
  • Inet forwarding mode
  • Inet6 forwarding mode
  • MPLS forwarding mode
  • ISO forwarding mode
  • Session distribution mode
  • Enhanced route scaling mode
Flow trace status | Flow logging status.
  • Flow tracing status
  • Flow tracing options
Flow session distribution | SPU load distribution mode.
  • RR-based
  • Hash-based
Flow packet ordering | Packet-ordering mode.
Flow ipsec performance acceleration | IPsec VPN performance acceleration status.
  • Hardware
  • Software
Sample Output
show security flow status
root> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based
MPLS forwarding mode: drop
ISO forwarding mode: drop
+Enhanced route scaling mode: Enabled (reboot needed to disable)
Flow trace status
Flow tracing status: on
Flow tracing options: all
Flow session distribution
Distribution mode: Hash-based
Flow packet ordering
Ordering mode: Software (reboot needed to change to software)
show security flow status (IPsec Performance Acceleration)
root> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
Flow packet ordering
Ordering mode: Software (reboot needed to change to software)
Flow ipsec performance acceleration: on
show security policies

Supported Platforms: J Series, LN Series, SRX Series

Syntax:
show security policies
<detail>
<none>
policy-name policy-name
<detail>
<global>

Release Information: Command modified in Junos OS Release 9.2. Support for IPv6 addresses added in Junos OS Release 10.2. Support for IPv6 addresses in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations added in Junos OS Release 10.4. Support for wildcard addresses added in Junos OS Release 11.1. Support for global policy added in Junos OS Release 11.4. Support for services offloading added in Junos OS Release 11.4. Support for source-identities added in Junos OS Release 12.1. The Description output field added in Junos OS Release 12.1. Support for negated address added in Junos OS Release 12.1X45-D10.

Description: Display a summary of all security policies configured on the device. If a particular policy is specified, display information particular to that policy.

Options:
• none—Display basic information about all configured policies.
• detail—(Optional) Display a detailed view of all of the policies configured on the device.
• policy-name policy-name—(Optional) Display information about the specified policy.
• global—Display information about global policies.

Required Privilege Level: view

Related Documentation:
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Infranet Authentication Feature Guide for Security Devices
• Junos OS UTM Library for Security Devices
• Security Policies Feature Guide for Security Devices
• Junos OS Logical Systems Library for Security Devices

List of Sample Output:
• show security policies on page 153
• show security policies policy-name p1 detail on page 153
• show security policies (services-offload) on page 154
• show security policies detail on page 155
• show security policies policy-name p1 (Negated Address) on page 155
• show security policies policy-name p1 detail (Negated Address) on page 156

Output Fields: Table 14 on page 151 lists the output fields for the show security policies command. Output fields are listed in the approximate order in which they appear.
Table 14: show security policies Output Fields
Field Name | Field Description
From zone | Name of the source zone.
To zone | Name of the destination zone.
Policy | Name of the applicable policy.
Description | Description of the applicable policy.
State | Status of the policy:
  • enabled: The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.
  • disabled: The policy cannot be used in the policy lookup process, and therefore it is not available for access control.
Index | An internal number associated with the policy.
Sequence number | Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA-to-zoneB context might be ordered with sequence numbers 1, 2, and 3. Also, in a from-zoneC-to-zoneD context, four policies might have sequence numbers 1, 2, 3, and 4.
Source addresses | For standard display mode, the names of the source addresses for a policy. Address sets are resolved to their individual names. For detail display mode, the names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.
Destination addresses | Name of the destination address (or address set) as it was entered in the destination zone’s address book. A packet’s destination address must match this value for the policy to apply to it.
Source addresses (excluded) | Name of the source address excluded from the policy.
Destination addresses (excluded) | Name of the destination address excluded from the policy.
Source identities | One or more user roles specified for a policy.
Applications | Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.
  • IP protocol: The IP protocol used by the application—for example, TCP, UDP, ICMP.
  • ALG: If an ALG is explicitly associated with the policy, the name of the ALG is displayed. If application-protocol ignore is configured, ignore is displayed. Otherwise, 0 is displayed. However, even if this command shows ALG: 0, ALGs might be triggered for packets destined to well-known ports on which ALGs are listening, unless ALGs are explicitly disabled or when application-protocol ignore is not configured for custom applications.
  • Inactivity timeout: Elapsed time without activity after which the application is terminated.
  • Source port range: The low-high source port range for the session application.
Destination Address Translation | Status of the destination address translation traffic:
  • drop translated—Drop the packets with translated destination addresses.
  • drop untranslated—Drop the packets without translated destination addresses.
Application Firewall | An application firewall includes the following:
  • Rule-set—Name of the rule set.
  • Rule—Name of the rule.
  • Dynamic applications—Name of the applications.
  • Dynamic application groups—Name of the application groups.
  • Action—The action taken with respect to a packet that matches the application firewall rule set. Actions include the following:
    • permit
    • deny
  • Default rule—The default rule applied when the identified application is not specified in any rules of the rule set.
Action or Action-type | The action taken in regard to a packet that matches the policy’s tuples. Actions include the following:
  • permit
  • firewall-authentication
  • tunnel ipsec-vpn vpn-name
  • pair-policy pair-policy-name
  • source-nat pool pool-name
  • pool-set pool-set-name
  • interface
  • destination-nat name
  • deny
  • reject
  • services-offload
Session log | Session log entry that indicates whether the at-create and at-close flags were set at configuration time to log session information.
Scheduler name | Name of a preconfigured scheduler whose schedule determines when the policy is active (or inactive) to check an incoming packet to determine how to treat the packet.
Policy statistics | Policy statistics include the following:
  • Input bytes—The number of bytes presented for processing by the device.
  • Output bytes—The number of bytes actually processed by the device.
  • Input packets—The number of packets presented for processing by the device.
  • Active sessions—The number of sessions currently present because of access control lookups that used this policy.
  • Session deletions—The number of sessions deleted since system startup.
  • Policy lookups—Number of times the policy was accessed to check for a match.
  NOTE: Configure the Policy P1 with the count option to display policy statistics.
Sample Output
show security policies
user@host> show security policies
From zone: trust, To zone: untrust
Policy: p1, State: enabled, Index: 4, Sequence number: 1
Source addresses:
sa-1-ipv4: 2.2.2.0/24
sa-2-ipv6: 2001:0db8::/32
sa-3-ipv6: 2001:0db6/24
sa-4-wc: 192.168.0.11/255.255.0.255
Destination addresses:
da-1-ipv4: 2.2.2.0/24
da-2-ipv6: 2400:0af8::/32
da-3-ipv6: 2400:0d78:0/24
da-4-wc: 192.168.22.11/255.255.0.255
Source identities: role1, role2, role4
Applications: any
Action: permit, application services, log, scheduled
Application firewall : my_ruleset1
Policy: p2, State: enabled, Index: 5, Sequence number: 2
Source addresses:
sa-1-ipv4: 2.2.2.0/24
sa-2-ipv6: 2001:0db8::/32
sa-3-ipv6: 2001:0db6/24
Destination addresses:
da-1-ipv4: 2.2.2.0/24
da-2-ipv6: 2400:0af8::/32
da-3-ipv6: 2400:0d78:0/24
Source identities: role1, role4
Applications: any
Action: deny, scheduled
show security policies policy-name p1 detail
user@host> show security policies policy-name p1 detail
Policy: p1, action-type: permit, State: enabled, Index: 4
Description: The policy p1 is for the sales team
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
sa-1-ipv4: 2.2.2.0/24
sa-2-ipv6: 2001:0db8::/32
sa-3-ipv6: 2001:0db6/24
sa-4-wc: 192.168.0.11/255.255.0.255
Destination addresses:
da-1-ipv4: 2.2.2.0/24
da-2-ipv6: 2400:0af8::/32
da-3-ipv6: 2400:0d78:0/24
da-4-wc: 192.168.22.11/255.255.0.255
Source identities:
role1
role2
role4
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Destination Address Translation: drop translated
Application firewall :
Rule-set: my_ruleset1
Rule: rule1
Dynamic Applications: junos:FACEBOOK, junos:YSMG
Dynamic Application groups: junos:web, junos:chat
Action: deny
Default rule: permit
Session log: at-create, at-close
Scheduler name: sch20
Policy statistics:
Input bytes      :    50000      100 bps
Output bytes     :    40000      100 bps
Input packets    :      200      200 pps
Output packets   :      100      100 pps
Session rate     :        2        1 sps
Active sessions  :       11
Session deletions:       20
Policy lookups   :       12
show security policies (services-offload)
user@host> show security policies
Default policy: deny-all
From zone: trust, To zone: untrust
Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Source identities: role1, role2, role4
Applications: any
Action: permit, services-offload, count
From zone: untrust, To zone: trust
Policy: p2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Source identities: role1, role2, role4
Applications: any
Action: permit, services-offload
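The standard output of this command is compact enough to audit from a script: a zone-pair header, then one record per policy with its addresses, applications and action. The following Python script is an added example, not Juniper code. It parses a constructed sample in the shape of the outputs above (both the inline "Source addresses: any" form and the multi-line form with one address name per line) and reports the two things a reviewer most often looks for: enabled permit policies that match any source, any destination and any application, and permit policies whose action lacks the log keyword. The sample policy names and addresses are made up; the "requires logging" rule is an assumption about local policy, not a Junos requirement.

```python
"""Audit `show security policies` output for overly broad permits (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the standard (non-detail) output above.
SAMPLE_POLICIES = """\
Default policy: deny-all
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, services-offload, count
  Policy: p2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
    Source addresses:
      sa-1-ipv4: 2.2.2.0/24
      sa-2-ipv6: 2001:0db8::/32
    Destination addresses:
      da-1-ipv4: 2.2.2.0/24
    Applications: junos-ssh
    Action: permit, log
From zone: untrust, To zone: trust
  Policy: p3, State: disabled, Index: 6, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny
"""

ZONE_RE = re.compile(r"^From zone: (\S+), To zone: (\S+)")
POLICY_RE = re.compile(r"^Policy: (\S+), State: (\w+)")
# Field labels that end a multi-line address list; address names never start with these.
FIELDS = ("Source addresses", "Destination addresses", "Source identities",
          "Applications", "Action", "Application firewall")


def parse_policies(text: str) -> Dict:
    """Parse the output into {'default_policy': str|None, 'policies': [record, ...]}."""
    result: Dict = {"default_policy": None, "policies": []}
    zone = (None, None)
    current = None      # policy record being filled
    collecting = None   # 'src' or 'dst' while inside a multi-line address list
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Default policy:"):
            result["default_policy"] = line.split(":", 1)[1].strip()
            continue
        m = ZONE_RE.match(line)
        if m:
            zone, collecting = (m.group(1), m.group(2)), None
            continue
        m = POLICY_RE.match(line)
        if m:
            current = {"name": m.group(1), "state": m.group(2),
                       "from_zone": zone[0], "to_zone": zone[1],
                       "src": [], "dst": [], "apps": [], "action": []}
            result["policies"].append(current)
            collecting = None
            continue
        if current is None:
            continue
        key, _, rest = line.partition(":")
        key, rest = key.strip(), rest.strip()
        if key.startswith(FIELDS):
            collecting = None
            values = [v.strip() for v in rest.split(",") if v.strip()]
            if key.startswith("Source addresses"):
                current["src"] = values
                collecting = None if values else "src"
            elif key.startswith("Destination addresses"):
                current["dst"] = values
                collecting = None if values else "dst"
            elif key == "Applications":
                current["apps"] = values
            elif key == "Action":
                current["action"] = values
        elif collecting:
            current[collecting].append(key)   # "name: prefix" line of an address list
    return result


def audit_policies(parsed: Dict, require_log: bool = True) -> List[Tuple[str, str]]:
    """Return (policy, finding) pairs for enabled permit policies that deserve review."""
    findings = []
    if parsed["default_policy"] not in (None, "deny-all"):
        findings.append(("default", "default policy is not deny-all"))
    for p in parsed["policies"]:
        if p["state"] != "enabled" or "permit" not in p["action"]:
            continue
        if p["src"] == ["any"] and p["dst"] == ["any"] and p["apps"] == ["any"]:
            findings.append((p["name"], "permits any source, any destination and any application"))
        if require_log and "log" not in p["action"]:
            findings.append((p["name"], "permit rule without session logging"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_policies(parse_policies(SAMPLE_POLICIES)):
        print(f"{name}: {finding}")
```

The negated-address form shown later ("Source addresses(excluded):") is deliberately not treated as a plain address list here; a policy that excludes a few addresses is effectively "everything else", and a real audit should flag it separately rather than merge it with the positive lists.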
show security policies detail
user@host> show security policies detail
Default policy: deny-all
Policy: p1, action-type: permit, services-offload:enabled , State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Description: The policy p1 is for the sales team
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Source identities:
role1
role2
role4
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Policy statistics:
Input bytes      :      500        0 bps
Output bytes     :      408        0 bps
Input packets    :        8        0 pps
Output packets   :        6        0 pps
Session rate     :        3        0 sps
Active sessions  :        1
Session deletions:        2
Policy lookups   :        3
Policy: p2, action-type: permit, services-offload:enabled , State: enabled, Index: 5, Scope Policy: 0
Policy Type: Configured
Description: The policy p2 is for the sales team
Sequence number: 1
From zone: untrust, To zone: trust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Source identities:
role1
role2
role4
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
show security policies policy-name p1 (Negated Address)
user@host> show security policies policy-name p1
node0:
--------------------------------------------------------------------------
From zone: trust, To zone: untrust
Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses(excluded): as1
Destination addresses(excluded): as2
Applications: any
Action: permit
show security policies policy-name p1 detail (Negated Address)
user@host> show security policies policy-name p1 detail
node0:
--------------------------------------------------------------------------
Policy: p1, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses(excluded):
ad1(ad): 255.255.255.255/32
ad2(ad): 1.1.1.1/32
ad3(ad): 15.100.199.56 ~ 15.200.100.16
ad4(ad): 15.100.196.0/22
ad5(ad): 15.1.7.199 ~ 15.1.8.19
ad6(ad): 15.1.8.0/21
ad7(ad): 15.1.7.0/24
Destination addresses(excluded):
ad13(ad2): 20.1.7.0/24
ad12(ad2): 20.1.4.1/32
ad11(ad2): 20.1.7.199 ~ 20.1.8.19
ad10(ad2): 50.1.4.0/22
ad9(ad2): 20.1.1.11 ~ 50.1.5.199
ad8(ad2): 2.1.1.1/32
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
show security zones

Supported Platforms: J Series, LN Series, SRX Series

Syntax:
show security zones
<detail | terse>
<zone-name>

Release Information: Command introduced in Junos OS Release 8.5. The Description output field added in Junos OS Release 12.1.

Description: Display information about security zones.

Options:
• none—Display information about all zones.
• detail | terse—(Optional) Display the specified level of output.
• zone-name—(Optional) Display information about the specified zone.

Required Privilege Level: view

Related Documentation:
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• security-zone on page 109
• Security Zones and Interfaces Feature Guide for Security Devices
• Junos OS Logical Systems Library for Security Devices

List of Sample Output:
• show security zones on page 158
• show security zones abc on page 158
• show security zones abc detail on page 158
• show security zones terse on page 159

Output Fields: Table 15 on page 157 lists the output fields for the show security zones command. Output fields are listed in the approximate order in which they appear.

Table 15: show security zones Output Fields
Field Name | Field Description
Security zone | Name of the security zone.
Description | Description of the security zone.
Policy configurable | Whether the policy can be configured or not.
Interfaces bound | Number of interfaces in the zone.
Interfaces | List of the interfaces in the zone.
Zone | Name of the zone.
Type | Type of the zone.
Sample Output
show security zones
user@host> show security zones
Functional zone: management
Description: This is the management zone.
Policy configurable: No
Interfaces bound: 1
Interfaces:
ge-0/0/0.0
Security zone: Host
Description: This is the host zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
fxp0.0
Security zone: abc
Description: This is the abc zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/1.0
Security zone: def
Description: This is the def zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/2.0
show security zones abc
user@host> show security zones abc
Security zone: abc
Description: This is the abc zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/1.0
show security zones abc detail
user@host> show security zones abc detail
Security zone: abc
Description: This is the abc zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/1.0
show security zones terse
user@host> show security zones terse
Zone          Type
my-internal   Security
my-external   Security
dmz           Security
PART 2
Ethernet Port Switching Feature Guide for Security Devices
• Overview on page 163
• Configuration on page 193
• Administration on page 277
CHAPTER 4
Overview
• Ethernet Port Switching on page 163
• VLANs on page 169
• Spanning Tree Protocol on page 171
• Link Aggregation Control Protocol on page 175
• 802.1X Port-Based Network Authentication on page 178
• Port Security on page 184
• IGMP Snooping on page 186
• GARP VLAN Registration Protocol on page 188
• Ethernet OAM Connectivity Fault Management on page 189
• Ethernet OAM Link Fault Management on page 190
Ethernet Port Switching
• Ethernet Ports Switching Overview on page 163
• Understanding Switching Modes on page 168
Ethernet Ports Switching Overview
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
Certain ports on Juniper Networks devices can function as Ethernet access switches that
switch traffic at Layer 2 and route traffic at Layer 3.
You can deploy supported devices in branch offices as an access or desktop switch with
integrated routing capability, thus eliminating intermediate access switch devices from
your network topology. The Ethernet ports provide switching while the Routing Engine
provides routing functionality, enabling you to use a single device to provide routing,
access switching, and WAN interfaces.
This topic contains the following sections:
• Supported Devices and Ports on page 164
• Integrated Bridging and Routing on page 165
• Link Layer Discovery Protocol and LLDP-Media Endpoint Discovery on page 165
• Types of Switch Ports on page 166
• uPIM in a Daisy Chain on page 167
• Q-in-Q VLAN Tagging on page 167
Supported Devices and Ports
Juniper Networks supports switching features on the following Ethernet ports and devices (see Table 16 on page 164):
• Multiport Gigabit Ethernet uPIMs on the J Series device
• Onboard Ethernet ports (Gigabit and Fast Ethernet built-in ports) on the SRX100, SRX210, and SRX240 devices
• Multiport Gigabit Ethernet XPIM on the SRX650 device

Table 16: Supported Devices and Ports for Switching Features
Device | Ports
J Series devices | Multiport Gigabit Ethernet uPIMs
SRX100 devices | Onboard Fast Ethernet ports (fe-0/0/0 and fe-0/0/7)
SRX210 devices | Onboard Gigabit Ethernet ports (ge-0/0/0 and ge-0/0/1) and 1-Port Gigabit Ethernet SFP Mini-PIM port. Onboard Fast Ethernet ports (fe-0/0/2 and fe-0/0/7)
SRX220 devices | Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/7) and 1-Port Gigabit Ethernet SFP Mini-PIM port.
SRX240 devices | Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/15) and 1-Port Gigabit Ethernet SFP Mini-PIM port.
SRX550 devices | Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/9), Multiport Gigabit Ethernet XPIM modules, and 1-Port Gigabit Ethernet SFP Mini-PIM port.
SRX650 devices | Multiport Gigabit Ethernet XPIM modules
On J Series and SRX650 devices, you can set multiport switch modules (uPIMs and
XPIMs, respectively) to three modes of operation: routing (the default), switching, or
enhanced switching. Routed traffic is forwarded from any port of the Gigabit Ethernet
uPIM to the WAN interface. Switched traffic is forwarded from one port of the Gigabit
Ethernet uPIM to another port on the same Gigabit Ethernet uPIM. Switched traffic is not
forwarded from a port on one uPIM to a port on a different uPIM.
On the SRX100, SRX220, and SRX240 devices, you can set the onboard Gigabit Ethernet
ports to operate as either switched ports or routed ports.
Integrated Bridging and Routing
Integrated bridging and routing (IRB) provides support for simultaneous Layer 2 bridging
and Layer 3 routing within the same bridge domain. Packets arriving on an interface of
the bridge domain are switched or routed based on the destination MAC address of the
packet. Packets with the router’s MAC address as the destination are routed to other
Layer 3 interfaces.
Link Layer Discovery Protocol and LLDP-Media Endpoint Discovery
Devices use Link Layer Discovery Protocol (LLDP) and LLDP-Media Endpoint Discovery (LLDP-MED) to learn and distribute device information on network links. The information allows the device to quickly identify a variety of systems, resulting in a LAN that interoperates smoothly and efficiently.
LLDP-capable devices transmit information in Type Length Value (TLV) messages to
neighbor devices. Device information can include specifics, such as chassis and port
identification and system name and system capabilities. The TLVs leverage this
information from parameters that have already been configured in the Junos OS.
LLDP-MED goes one step further, exchanging IP-telephony messages between the device
and the IP telephone. These TLV messages provide detailed information on Power over
Ethernet (PoE) policy. The PoE Management TLVs let the device ports advertise the
power level and power priority needed. For example, the device can compare the power
needed by an IP telephone running on a PoE interface with available resources. If the
device cannot meet the resources required by the IP telephone, the device could negotiate
with the telephone until a compromise on power is reached.
The following basic TLVs are supported:
• Chassis Identifier—The MAC address associated with the local system.
• Port identifier—The port identification for the specified port in the local system.
• Port Description—The user-configured port description. The port description can be a maximum of 256 characters.
• System Name—The user-configured name of the local system. The system name can be a maximum of 256 characters.
• Switching Features Overview—This information is not configurable, but taken from the software.
• System Capabilities—The primary function performed by the system. The capabilities that system supports; for example, bridge or router. This information is not configurable, but based on the model of the product.
• Management Address—The IP management address of the local system.
The following LLDP-MED TLVs are supported:
• LLDP-MED Capabilities—A TLV that advertises the primary function of the port. The values range from 0 through 15:
  • 0—Capabilities
  • 1—Network policy
  • 2—Location identification
  • 3—Extended power through medium-dependent interface power-sourcing equipment (MDI-PSE)
  • 4—Inventory
  • 5–15—Reserved
  LLDP-MED Device Class Values:
  • 0—Class not defined
  • 1—Class 1 device
  • 2—Class 2 device
  • 3—Class 3 device
  • 4—Network connectivity device
  • 5–255—Reserved
• Network Policy—A TLV that advertises the port VLAN configuration and associated Layer 2 and Layer 3 attributes. Attributes include the policy identifier, application types, such as voice or streaming video, 802.1Q VLAN tagging, and 802.1p priority bits and Diffserv code points.
• Endpoint Location—A TLV that advertises the physical location of the endpoint.
• Extended Power via MDI—A TLV that advertises the power type, power source, power priority, and power value of the port. It is the responsibility of the PSE device (network connectivity device) to advertise the power priority on a port.
LLDP and LLDP-MED must be explicitly configured on uPIMs (in enhanced switching mode) on J Series devices, base ports on SRX100, SRX210, and SRX240 devices, and Gigabit Backplane Physical Interface Modules (GPIMs) on SRX650 devices. To configure LLDP on all interfaces or on a specific interface, use the lldp statement at the [set protocols] hierarchy. To configure LLDP-MED on all interfaces or on a specific interface, use the lldp-med statement at the [set protocols] hierarchy.
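The basic TLVs listed above are what a neighbor on the link actually receives, so it is worth seeing the wire format once: each TLV is a 16-bit header (7-bit type, 9-bit length) followed by the value, and the Chassis ID and Port ID TLVs carry an extra subtype byte that says how to read the value. The following Python script is an added example, not Juniper code; it encodes a constructed LLDPDU the way a switch port might advertise itself (the MAC address, interface name and system name are made up) and decodes it back, rejecting a truncated frame or one without the End TLV. Type numbers, subtypes and capability bits are those of IEEE 802.1AB. Knowing exactly which fields go out (system name, capabilities, management address) is the basis for deciding on which ports LLDP should be enabled at all.

```python
"""Encode and decode the basic IEEE 802.1AB LLDP TLVs (added example, not Juniper code)."""
import struct
from typing import Dict, List

# TLV type numbers and capability bits from IEEE 802.1AB.
TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
             4: "Port Description", 5: "System Name", 6: "System Description",
             7: "System Capabilities", 8: "Management Address"}
CAPABILITY_BITS = {0: "other", 1: "repeater", 2: "bridge", 3: "wlan-ap",
                   4: "router", 5: "telephone", 6: "docsis", 7: "station"}


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if tlv_type > 0x7F or len(value) > 0x1FF:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def decode_tlv(tlv_type: int, value: bytes) -> Dict:
    """Turn one TLV body into a readable record."""
    entry: Dict = {"type": TLV_NAMES.get(tlv_type, f"type {tlv_type}")}
    if tlv_type in (1, 2):                  # Chassis ID / Port ID carry a subtype byte
        subtype, body = value[0], value[1:]
        entry["subtype"] = subtype
        if (tlv_type, subtype) in ((1, 4), (2, 3)):   # subtype "MAC address"
            entry["value"] = ":".join(f"{b:02x}" for b in body)
        else:
            entry["value"] = body.decode("utf-8", "replace")
    elif tlv_type == 3:
        entry["value"] = struct.unpack("!H", value)[0]    # TTL in seconds
    elif tlv_type in (4, 5, 6):
        entry["value"] = value.decode("utf-8", "replace")
    elif tlv_type == 7:
        supported, enabled = struct.unpack("!HH", value)
        entry["supported"] = [n for b, n in CAPABILITY_BITS.items() if supported & (1 << b)]
        entry["enabled"] = [n for b, n in CAPABILITY_BITS.items() if enabled & (1 << b)]
    elif tlv_type != 0:
        entry["raw"] = value.hex()          # e.g. Management Address, left undecoded here
    return entry


def parse_lldpdu(data: bytes) -> List[Dict]:
    """Walk the TLV chain; stop at the End TLV; reject truncated or unterminated input."""
    tlvs, off = [], 0
    while off + 2 <= len(data):
        header, = struct.unpack_from("!H", data, off)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated TLV at offset {off}")
        off += 2 + length
        tlvs.append(decode_tlv(tlv_type, value))
        if tlv_type == 0:
            return tlvs
    raise ValueError("LLDPDU has no End TLV")


# Constructed LLDPDU such as a switch port might send; all values are made up.
SAMPLE_LLDPDU = b"".join([
    build_tlv(1, bytes([4]) + bytes.fromhex("001122334455")),   # Chassis ID, MAC subtype
    build_tlv(2, bytes([5]) + b"ge-0/0/1"),                     # Port ID, interface-name subtype
    build_tlv(3, struct.pack("!H", 120)),                       # TTL 120 s
    build_tlv(5, b"srx-branch"),                                # System Name
    build_tlv(4, b"uplink to core"),                            # Port Description
    build_tlv(7, struct.pack("!HH", 0x0014, 0x0014)),           # bridge + router, both enabled
    build_tlv(0, b""),                                          # End of LLDPDU
])

if __name__ == "__main__":
    for tlv in parse_lldpdu(SAMPLE_LLDPDU):
        print(tlv)
```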
Types of Switch Ports
The ports, or interfaces, on a switch operate in either access mode or trunk mode.
An interface in access mode connects to a network device, such as a desktop computer,
an IP telephone, a printer, a file server, or a security camera. The interface itself belongs
to a single VLAN. The frames transmitted over an access interface are normal Ethernet
frames.
Trunk interfaces handle traffic for multiple VLANs, multiplexing the traffic for all those
VLANs over the same physical connection. Trunk interfaces are generally used to
interconnect switches to one another.
uPIM in a Daisy Chain
You cannot combine multiple uPIMs to act as a single integrated switch. However, you
can connect uPIMs on the same chassis externally by physically connecting a port on
one uPIM to a port on another uPIM in a daisy-chain fashion.
Two or more uPIMs daisy-chained together create a single switch with a higher port count
than either individual uPIM. One port on each uPIM is used solely for the connection. For
example, if you daisy-chain a 6-port uPIM and an 8-port uPIM, the result operates as a
12-port uPIM. Any port of a uPIM can be used for daisy chaining.
Configure the IP address for only one of the daisy-chained uPIMs, making it the primary
uPIM. The secondary uPIM routes traffic to the primary uPIM, which forwards it to the
Routing Engine. This results in some increase in latency and packet drops due to
oversubscription of the external link.
Only one link between the two uPIMs is supported. Connecting more than one link between
uPIMs creates a loop topology, which is not supported.
Q-in-Q VLAN Tagging
Q-in-Q tunneling, defined by the IEEE 802.1ad standard, allows service providers on
Ethernet access networks to extend a Layer 2 Ethernet connection between two customer
sites.
In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service
provider's VLAN, a service provider-specific 802.1Q tag is added to the packet. This
additional tag is used to segregate traffic into service-provider-defined service VLANs
(S-VLANs). The original customer 802.1Q tag of the packet remains and is transmitted
transparently, passing through the service provider's network. As the packet leaves the
S-VLAN in the downstream direction, the extra 802.1Q tag is removed.
NOTE: When Q-in-Q tunneling is configured for a service provider’s VLAN,
all Routing Engine packets, including packets from the routed VLAN interface,
that are transmitted from the customer-facing access port of that VLAN will
always be untagged.
There are three ways to map C-VLANs to an S-VLAN:
• All-in-one bundling—Use the dot1q-tunneling statement at the [edit vlans] hierarchy to map without specifying customer VLANs. All packets from a specific access interface are mapped to the S-VLAN.
• Many-to-one bundling—Use the customer-vlans statement at the [edit vlans] hierarchy to specify which C-VLANs are mapped to the S-VLAN.
• Mapping C-VLAN on a specific interface—Use the mapping statement at the [edit vlans] hierarchy to map a specific C-VLAN on a specified access interface to the S-VLAN.
Table 17 on page 168 lists the C-VLAN to S-VLAN mapping supported on SRX Series
devices:
Table 17: Supported Mapping Methods
Mapping | SRX210 | SRX240 | SRX650 | J Series Devices (PIM)
All-in-one bundling | Yes | Yes | Yes | Yes
Many-to-one bundling | No | No | Yes | No
Mapping C-VLAN on a specific interface | No | No | Yes | No
NOTE: On SRX650 devices, in the dot1q-tunneling configuration options,
customer VLANs range and VLAN push do not work together for the same
S-VLAN, even when you commit the configuration. If both are configured,
then VLAN push takes priority over customer VLANs range.
IRB interfaces are supported on Q-in-Q VLANs for SRX210, SRX240, SRX650, and J Series
devices. Packets arriving on an IRB interface on a Q-in-Q VLAN are routed regardless of
whether the packet is single or double tagged. The outgoing routed packets contain an
S-VLAN tag only when exiting a trunk interface; the packets exit the interface untagged
when exiting an access interface.
In a Q-in-Q deployment, customer packets from downstream interfaces are transported
without any changes to source and destination MAC addresses. You can disable MAC
address learning at both the interface level and the VLAN level. Disabling MAC address
learning on an interface disables learning for all the VLANs of which that interface is a
member. When you disable MAC address learning on a VLAN, MAC addresses that have
already been learned are flushed.
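As an added example that is not part of this Juniper document, the following Python models the S-tag push on provider ingress and pop on downstream egress described above, together with the three C-VLAN to S-VLAN mapping methods. The interface names, S-VLAN IDs and frames are constructed, and the lookup order (per-interface mapping before bundling) is an assumption of the model, not documented Junos behaviour.

```python
"""Q-in-Q (IEEE 802.1ad) S-tag push on provider ingress and pop on downstream
egress, with the three C-VLAN to S-VLAN mapping methods from the text above.
Added example, not Junos code; every interface name, S-VLAN and frame here is
constructed for illustration."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TPID_CTAG = 0x8100  # customer tag (802.1Q)
TPID_STAG = 0x88A8  # service tag (802.1ad)


@dataclass
class SVlan:
    """One service VLAN and how access interfaces feed it (constructed model)."""
    vlan_id: int
    # All-in-one bundling: dot1q-tunneling interfaces whose every frame is bundled
    # (when customer_vlans is None); many-to-one bundling restricts them to a set.
    access_ports: Set[str] = field(default_factory=set)
    customer_vlans: Optional[Set[int]] = None
    # Mapping C-VLAN on a specific interface: interface -> C-VLAN IDs mapped here.
    mapping: Dict[str, Set[int]] = field(default_factory=dict)


def parse_tags(frame: bytes) -> Tuple[List[Tuple[int, int]], int]:
    """Return [(tpid, vid), ...] for every tag after the MAC addresses plus the
    offset of the real EtherType; works for untagged, single and double tagged."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in (TPID_CTAG, TPID_STAG):
            break
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return tags, off


def push_stag(frame: bytes, svlan_id: int, pcp: int = 0) -> bytes:
    """Insert a service tag between the source MAC and whatever follows."""
    tci = ((pcp & 0x7) << 13) | (svlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_STAG, tci) + frame[12:]


def pop_stag(frame: bytes) -> bytes:
    """Remove the outer service tag; the customer tag (if any) is left intact."""
    tags, _ = parse_tags(frame)
    if not tags or tags[0][0] != TPID_STAG:
        raise ValueError("outer tag is not an S-tag")
    return frame[:12] + frame[16:]


def select_svlan(port: str, cvlan: Optional[int], svlans: List[SVlan]) -> Optional[SVlan]:
    """Most specific binding first (assumed): per-interface mapping, then bundling."""
    for sv in svlans:
        if cvlan is not None and cvlan in sv.mapping.get(port, set()):
            return sv
    for sv in svlans:
        if port in sv.access_ports and (sv.customer_vlans is None or cvlan in sv.customer_vlans):
            return sv
    return None


def provider_ingress(port: str, frame: bytes, svlans: List[SVlan]) -> Optional[bytes]:
    """Customer frame arriving on a provider access port: add the S-tag, or drop."""
    tags, _ = parse_tags(frame)
    cvlan = tags[0][1] if tags and tags[0][0] == TPID_CTAG else None
    sv = select_svlan(port, cvlan, svlans)
    return None if sv is None else push_stag(frame, sv.vlan_id)


def provider_egress(frame: bytes, port_mode: str) -> bytes:
    """Downstream egress: a trunk keeps the S-tag, an access port strips it."""
    return frame if port_mode == "trunk" else pop_stag(frame)


def make_frame(dst: str, src: str, cvlan: Optional[int] = None) -> bytes:
    """Constructed IPv4-over-Ethernet frame, optionally with one customer tag."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tag = struct.pack("!HH", TPID_CTAG, cvlan) if cvlan is not None else b""
    return hdr + tag + struct.pack("!H", 0x0800) + bytes(20)  # zeroed dummy payload


# Constructed provider configuration exercising all three mapping methods.
EXAMPLE_SVLANS = [
    SVlan(100, access_ports={"ge-0/0/1"}),                           # all-in-one bundling
    SVlan(200, access_ports={"ge-0/0/2"}, customer_vlans={10, 20}),  # many-to-one bundling
    SVlan(300, mapping={"ge-0/0/2": {30}}),                          # C-VLAN 30 on one port
]

if __name__ == "__main__":
    f = make_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", cvlan=5)
    out = provider_ingress("ge-0/0/1", f, EXAMPLE_SVLANS)
    print(parse_tags(out))                      # [(0x88A8, 100), (0x8100, 5)], offset 20
    print(provider_egress(out, "access") == f)  # True: S-tag removed toward the customer
```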
Related Documentation
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding Switching Modes on page 168
Understanding Switching Modes
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
There are two types of switching modes:
• Switching Mode–The uPIM appears in the list of interfaces as a single interface, which is the first interface on the uPIM. For example, ge-2/0/0. You can optionally configure each uPIM port only for autonegotiation, speed, and duplex mode. A uPIM in switching mode can perform the following functions:
  • Layer 3 forwarding—Routes traffic destined for WAN interfaces and other PIMs present on the chassis.
  • Layer 2 forwarding—Switches intra-LAN traffic from one host on the LAN to another LAN host (one port of the uPIM to another port of the same uPIM).
• Enhanced Switching Mode–Each port can be configured for switching or routing mode. This usage differs from the routing and switching modes, in which all ports must be in either switching or routing mode. The uPIM in enhanced switching mode provides the following features:
  • Supports configuration of different types of VLANs and inter-VLAN routing.
  • Supports Layer 2 control plane protocols such as Spanning Tree Protocol (STP) and Link Aggregation Control Protocol (LACP).
  • Supports port-based Network Access Control (PNAC) by means of authentication servers.
You can set a multiport Gigabit Ethernet uPIM on a J Series device to either switching or
enhanced switching mode.
When you set a multiport uPIM to switching mode, the uPIM appears as a single entity
for monitoring purposes. The only physical port settings that you can configure are
autonegotiation, speed, and duplex mode on each uPIM port, and these settings are
optional.
Related Documentation
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Ethernet Port Switching Feature Guide for Security Devices
• Example: Configuring Switching Modes on page 193
• Ethernet Ports Switching Overview on page 163
• Understanding VLANs on page 169
VLANs
Understanding VLANs
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
Each VLAN is a collection of network nodes that are grouped together to form separate
broadcast domains. On an Ethernet network that is a single LAN, all traffic is forwarded
to all nodes on the LAN. On VLANs, frames whose origin and destination are in the same
VLAN are forwarded only within the local VLAN. Frames that are not destined for the
local VLAN are the only ones forwarded to other broadcast domains. VLANs thus limit
the amount of traffic flowing across the entire LAN, reducing the possible number of
collisions and packet retransmissions within a VLAN and on the LAN as a whole.
On an Ethernet LAN, all network nodes must be physically connected to the same network.
On VLANs, the physical location of the nodes is not important, so you can group network
devices in any way that makes sense for your organization, such as by department or
business function, by types of network nodes, or even by physical location. Each VLAN
is identified by a single IP subnetwork and by standardized IEEE 802.1Q encapsulation.
To identify which VLAN the traffic belongs to, all frames on an Ethernet VLAN are identified
by a tag, as defined in the IEEE 802.1Q standard. These frames are tagged and are
encapsulated with 802.1Q tags.
For a simple network that has only a single VLAN, all traffic has the same 802.1Q tag.
When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique 802.1Q
tag. The tag is applied to all frames so that the network nodes receiving the frames know
to which VLAN a frame belongs. Trunk ports, which multiplex traffic among a number of
VLANs, use the tag to determine the origin of frames and where to forward them.
For VLAN configuration details, see Table 18 on page 170.
Table 18: VLAN Configuration Details
Field | Function | Action
General
VLAN Name | Specifies a unique name for the VLAN. | Enter a name. NOTE: VLAN text field is disabled when vlan-tagging is not enabled.
VLAN ID/Range | Specifies the identifier or range for the VLAN. | Select one: VLAN ID—Type a unique identification number from 1 through 4094. If no value is specified, it defaults to 1. VLAN Range—Type a number range to create VLANs with IDs corresponding to the range. For example, the range 2–3 will create two VLANs with the IDs 2 and 3.
Description | Describes the VLAN. | Enter a brief description for the VLAN.
Input Filter | Specifies the VLAN firewall filter that is applied to incoming packets. | To apply an input firewall filter, select the firewall filter from the list.
Output Filter | Specifies the VLAN firewall filter that is applied to outgoing packets. | To apply an output firewall filter, select the firewall filter from the list.
Ports
Ports | Specifies the ports to be associated with this VLAN for data traffic. You can also remove the port association. | Click one: Add—Select the ports from the available list. Remove—Select the port that you do not want associated with the VLAN.
Layer 3 Information
IP Address | Specifies IP address options for the VLAN. | Select to enable the IP address options.
IP Address | Specifies the IP address of the VLAN. | Enter the IP address.
Subnet Mask | Specifies the range of logical addresses within the address space that is assigned to an organization. | Enter the address, for example, 255.255.255.0. You can also specify the address prefix.
Input Filter | Specifies the VLAN interface firewall filter that is applied to incoming packets. | To apply an input firewall filter to an interface, select the firewall filter from the list.
Output Filter | Specifies the VLAN interface firewall filter that is applied to outgoing packets. | To apply an output firewall filter to an interface, select the firewall filter from the list.
ARP/MAC Details | Specifies the details for configuring the static IP address and MAC. | Click the ARP/MAC Details button. Enter the static IP address and MAC address in the window that is displayed.
VoIP
Ports | Specifies the ports to be associated with this VLAN for voice traffic. You can also remove the port association. | Click one: Add—Select the ports from the available list. Remove—Select the port that you do not want associated with the VLAN.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Example: Configuring VLANs on page 195
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
Spanning Tree Protocol
• Understanding the Spanning Tree Protocol on page 171
Understanding the Spanning Tree Protocol
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
Spanning Tree Protocol (STP), defined in IEEE 802.1D, creates a tree of links in the
Ethernet switched network. Links that cause loops in the network are disabled, thereby
providing a single active link between any two switches.
Rapid Spanning Tree Protocol (RSTP), originally defined in IEEE 802.1w and later merged
into IEEE 802.1D, facilitates faster spanning tree convergence after a topology change.
Multiple Spanning Tree Protocol (MSTP), initially defined in IEEE 802.1s and later included
in IEEE 802.1Q, supports mapping of multiple VLANs onto a single spanning tree instance.
This reduces the number of spanning tree instances required in a switched network with
many VLANs.
Juniper Networks devices provide Layer 2 loop prevention through STP, RSTP, and MSTP.
You can configure bridge protocol data unit (BPDU) protection on interfaces to prevent
them from receiving BPDUs that could result in STP misconfigurations, which could lead
to network outages.
For STP configuration parameters, see Table 19 on page 172.
Table 19: STP Configuration Parameters
Field | Function | Action
Protocol Name | Displays the spanning-tree protocol. | View only.
Disable | Disables STP on the interface. | To enable this option, select the check box.
BPDU Protect | Specifies that BPDU blocks are to be processed. | To enable this option, select the check box.
Bridge Priority | Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment. | Select a value.
Forward Delay | Specifies the number of seconds an interface waits before changing from spanning-tree learning and listening states to the forwarding state. | Enter a value from 4 through 30 seconds.
Hello Time | Specifies the time interval in seconds at which the root bridge transmits configuration BPDUs. | Enter a value from 1 through 10 seconds.
Max Age | Specifies the maximum aging time in seconds for all MST instances. The maximum aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration. | Enter a value from 6 through 40 seconds.
For RSTP configuration parameters, see Table 20 on page 172.
Table 20: RSTP Configuration Parameters
Field | Function | Action
Protocol Name | Displays the spanning-tree protocol. | View only.
Disable | Specifies whether RSTP must be disabled on the interface. | To enable this option, select the check box.
BPDU Protect | Specifies that BPDU blocks are to be processed. | To enable this option, select the check box.
Bridge Priority | Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment. | Select a value.
Forward Delay | Specifies the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. | Enter a value from 4 through 30 seconds.
Hello Time | Specifies the hello time in seconds for all MST instances. | Enter a value from 1 through 10 seconds.
Max Age | Specifies the maximum aging time in seconds for all MST instances. The maximum aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration. | Enter a value from 6 through 40 seconds.
For MSTP configuration parameters, see Table 21 on page 173.
Table 21: MSTP Configuration Parameters
Field | Function | Action
Protocol Name | Displays the spanning-tree protocol. | View only.
Disable | Specifies whether MSTP must be disabled on the interface. | To enable this option, select the check box.
BPDU Protect | Specifies that BPDU blocks are to be processed. | To enable this option, select the check box.
Bridge Priority | Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment. | Select a value.
Forward Delay | Specifies the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. | Enter a value from 4 through 30 seconds.
Hello Time | Specifies the hello time in seconds for all MST instances. | Enter a value from 1 through 10 seconds.
Max Age | Specifies the maximum aging time for all MST instances. The maximum aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration. | Enter a value from 6 through 40 seconds.
Configuration Name | MSTP region name carried in the MSTP bridge protocol data units (BPDUs). | Enter a name.
Max Hops | Maximum number of hops a BPDU can be forwarded in the MSTP region. | Enter a value from 1 through 255.
Revision Level | Revision number of the MSTP region configuration. | Enter a value from 0 through 65,535.
MSTI tab
MSTI Id | Specifies the multiple spanning-tree instance (MSTI) identifier. MSTI IDs are local to each region, so you can reuse the same MSTI ID in different regions. | Click one: Add—Creates an MSTI. Edit—Edits an existing MSTI. Delete—Deletes an existing MSTI.
Bridge Priority | Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment. | Select a value.
VLAN | Specifies the VLANs for the MSTI. | Click one: Add—Selects VLANs from the list. Remove—Deletes the selected VLAN.
Interfaces | Specifies the interface for the MSTP protocol. | Click one: Add—Selects interfaces from the list. Edit—Edits the selected interface. Remove—Deletes the selected interface.
For spanning-tree port configuration details, see Table 22 on page 174.
Table 22: Spanning-Tree Ports Configuration Details
Field | Function | Action
Interface Name | Specifies the interface for the spanning-tree protocol type. | Select an interface.
Cost | Specifies the link cost to control which bridge is the designated bridge and which interface is the designated interface. | Enter a value from 1 through 200,000,000.
Priority | Specifies the interface priority to control which interface is elected as the root port. | Select a value.
Edge | Configures the interface as an edge interface. Edge interfaces immediately transition to a forwarding state. | Select to configure the interface as an edge interface.
Mode | Specifies the link mode. | Select one: Point to Point—For full-duplex links, select this mode. Shared—For half-duplex links, select this mode.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Configuring the Spanning Tree Protocol on page 196
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
Link Aggregation Control Protocol
• Understanding Link Aggregation Control Protocol on page 175
Understanding Link Aggregation Control Protocol
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
LACP, a subcomponent of IEEE 802.3ad, provides additional functionality for link
aggregation groups (LAGs). Use the link aggregation feature to aggregate one or more
Ethernet interfaces to form a logical point-to-point link, known as a LAG, virtual
link, or bundle. The MAC client can treat this virtual link like a single link.
This topic contains the following sections:
• Link Aggregation Benefits on page 175
• Link Aggregation Configuration Guidelines on page 176
Link Aggregation Benefits
Link aggregation increases bandwidth, provides graceful degradation as failure occurs,
and increases availability. It provides network redundancy by load-balancing traffic across
all available links. If one of the links should fail, the system automatically load-balances
traffic across all remaining links.
When LACP is not enabled, a local LAG might attempt to transmit packets to a remote
single interface, which causes the communication to fail. When LACP is enabled, a local
LAG cannot transmit packets unless a LAG with LACP is also configured on the remote
end of the link.
A typical LAG deployment includes aggregate trunk links between an access switch and
a distribution switch or customer edge (CE) device.
Link Aggregation Configuration Guidelines
When configuring link aggregation, note the following guidelines and restrictions:
• Link aggregation is supported only for Ethernet interfaces that are configured in switching mode (family ethernet-switching). Aggregating interfaces that are configured in routed mode (family inet) is not supported.
• You can configure a LAG by specifying the link number as a physical device and then associating a set of ports with the link. All the ports must have the same speed and be in full-duplex mode. Junos OS assigns a unique ID and port priority to each port. The ID and priority are not configurable.
• You can optionally configure LACP for link negotiation.
• You can optionally configure LACP for link protection.
• You can create up to eight Ethernet ports in each bundle.
• Each LAG must be configured on both sides of the link. The ports on either side of the link must be set to the same speed. At least one end of the LAG should be configured as active.
• LAGs are not supported on virtual chassis port links.
• By default, Ethernet links do not exchange protocol data units (PDUs), which contain information about the state of the link. You can configure Ethernet links to actively transmit PDUs, or you can configure the links to passively transmit them, sending out LACP PDUs only when they receive them from another link. The transmitting link is known as the actor and the receiving link is known as the partner.
• LAGs can only be used for a point-to-point connection.
For LACP configuration details, see Table 23 on page 176 and Table 24 on page 176.
Table 23: LACP (Link Aggregation Control Protocol) Configuration
Field | Function
Aggregated Interface | Indicates the name of the aggregated interface.
Link Status | Indicates whether the interface is linked (Up) or not linked (Down).
VLAN (VLAN ID) | Virtual LAN identifier value for IEEE 802.1Q VLAN tags (0 through 4094).
Description | The description for the LAG.
Table 24: Details of Aggregation
Field | Function
Administrative Status | Displays if the interface is enabled (Up) or disabled (Down).
Logical Interfaces | Shows the logical interface of the aggregated interface.
Member Interfaces | Member interfaces hold all the aggregated interfaces of the selected interfaces.
Port Mode | Specifies the mode of operation for the port: trunk or access.
Native VLAN (VLAN ID) | VLAN identifier to associate with untagged packets received on the interface.
IP Address/Subnet Mask | Specifies the address of the aggregated interfaces.
IPV6 Address/Subnet Mask | Specifies the IPV6 address of the aggregated interfaces.
For aggregated Ethernet interface options, see Table 25 on page 177.
Table 25: Aggregated Ethernet Interface Options
Field | Function | Action
Aggregated Interface | Indicates the name of the aggregated interface. | Enter the aggregated interface name. If an aggregated interface already exists, then the field is displayed as read-only.
LACP Mode | Specifies the mode in which LACP packets are exchanged between the interfaces. The modes are: None—Indicates that no mode is applicable. Active—Indicates that the interface initiates transmission of LACP packets. Passive—Indicates that the interface only responds to LACP packets. | Select from the list.
Description | The description for the LAG. | Enter the description.
Interface | Indicates the interfaces available for aggregation. | Click Add to select the interfaces. NOTE: Only interfaces that are configured with the same speeds can be selected together for a LAG.
Speed | Indicates the speed of the interface. |
Enable Log | Specifies whether to enable generation of log entries for LAG. | Select to enable log generation.
NOTE: On SRX100, SRX110, SRX120, SRX210, SRX220, SRX240, SRX650,
and J Series devices, the speed mode and link mode configuration are
available for member interfaces of ae.
For VLAN options, see Table 26 on page 178.
Table 26: Edit VLAN Options
Field | Function | Action
Port Mode | Specifies the mode of operation for the port: trunk or access. | If you select Trunk, you can: 1. Click Add to add a VLAN member. 2. Select the VLAN and click OK. 3. (Optional) Associate a native VLAN ID with the port. If you select Access, you can: 1. Select the VLAN member to be associated with the port. 2. (Optional) Associate a VoIP VLAN with the interface. Only a VLAN with a VLAN ID can be associated as a VoIP VLAN. 3. Click OK.
VLAN Options | For trunk interfaces, the VLANs for which the interface can carry traffic. | Click Add to select VLAN members.
Native VLAN | VLAN identifier to associate with untagged packets received on the interface. | Select the VLAN identifier.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Example: Configuring Link Aggregation Control Protocol on page 198
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
802.1X Port-Based Network Authentication
• Understanding 802.1X Port-Based Network Authentication on page 178
Understanding 802.1X Port-Based Network Authentication
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
IEEE 802.1X and MAC RADIUS authentication both provide network edge security,
protecting Ethernet LANs from unauthorized user access by blocking all traffic to and
from devices at the interface until the supplicant's credential or MAC address is presented
and matched on the authentication server (a RADIUS server). When the supplicant is
authenticated, the switch stops blocking access and opens the interface to the supplicant.
A LAN network configured for 802.1X authentication contains three basic components:
• Supplicant—The IEEE term for a host that requests to join the network. The host can be responsive or nonresponsive. A responsive host is one on which 802.1X authentication is enabled and that provides authentication credentials (such as a user name and password). A nonresponsive host is one on which 802.1X authentication is not enabled.
• Authenticator Port Access Entity—The IEEE term for the authenticator. The SRX Series or J Series device is the authenticator and controls access by blocking all traffic to and from supplicants until they are authenticated.
• Authentication server—The server containing the back-end database that makes authentication decisions. (Junos OS supports RADIUS authentication servers.) The authentication server contains credential information for each supplicant that can connect to the network. The authenticator forwards credentials supplied by the supplicant to the authentication server. If the credentials forwarded by the authenticator match the credentials in the authentication server database, access is granted. If the credentials forwarded do not match, access is denied.
NOTE: Change of authorization (CoA) is not supported on SRX100, SRX210,
SRX240, SRX650, and J Series devices.
The implementation of 802.1X authentication provides the following features for the
specified devices. See Table 27 on page 179. The 802.1X implementation provides the
following supplicant capacities. See Table 28 on page 180.
Table 27: 802.1x Authentication Features
Feature | SRX100 | SRX210 | SRX240 | SRX650 | J Series
Dynamic VLAN assignment | No | Yes | Yes | Yes | No
MAC RADIUS authentication | Yes | Yes | Yes | Yes | No
Static MAC bypass | Yes (without VLAN option) | Yes | Yes | Yes | Yes (without VLAN option)
Guest VLAN | No | Yes | Yes | Yes | No
RADIUS server failure fallback | No | Yes | Yes | Yes | No
VoIP VLAN support | No | Yes | Yes | Yes | No
RADIUS accounting | Yes | Yes | Yes | Yes | No
Table 28: 802.1x Supplicant Capacities
Capacity | SRX100 | SRX210 | SRX240 | SRX650 | J Series
Supplicants per port | 64 | 64 | 64 | 64 | 64
Supplicants per system | 2K | 2K | 2K | 2K | 2K
Supplicants with dynamic VLAN assignments | Not supported | 64 | 300 | 2K | Not supported
This topic contains the following sections:
• Dynamic VLAN Assignment on page 180
• MAC RADIUS Authentication on page 180
• Static MAC Bypass on page 180
• Guest VLAN on page 181
• RADIUS Server Failure Fallback on page 181
• VoIP VLAN Support on page 183
• RADIUS Accounting on page 183
• Server Reject VLAN on page 184
Dynamic VLAN Assignment
When a supplicant first connects to an SRX Series or J Series device, the authenticator
sends a request to the supplicant to begin 802.1X authentication. If the supplicant is an
802.1X-enabled device, it responds, and the authenticator relays an authentication
request to the RADIUS server.
As part of the reply to the authentication request, the RADIUS server returns information
about the VLAN to which the port belongs. By configuring the VLAN information at the
RADIUS server, you can control the VLAN assignment on the port.
MAC RADIUS Authentication
If the authenticator sends three requests to a supplicant to begin 802.1X authentication
and receives no response, the supplicant is considered nonresponsive. For a nonresponsive
supplicant, the authenticator sends a request to the RADIUS server for authentication
of the supplicant’s MAC address. If the MAC address matches an entry in a predefined
list of MAC addresses on the RADIUS server, authentication is granted and the
authenticator opens LAN access on the interface where the supplicant is connected.
You can configure the number of times the authenticator attempts to receive a response
and the time period between attempts.
Static MAC Bypass
The authenticator can allow particular supplicants direct access to the LAN and bypass
the authentication server by including the supplicants’ MAC addresses in the static MAC
bypass list configured on the SRX Series or J Series device. This list is checked first. If a
match is found, the supplicant is considered successfully authenticated and the interface
is opened up for it. No further authentication is done for that supplicant. If a match is not
found and 802.1X authentication is enabled for the supplicant, the device continues with
MAC RADIUS authentication on the authentication server.
For each MAC address in the list, you can configure the VLAN to which the supplicant is
moved or the interfaces on which the supplicant can connect.
Guest VLAN
You can specify a guest VLAN that provides limited network access for nonresponsive
supplicants. If a guest-vlan is configured, the authenticator connects all nonresponsive
supplicants to the predetermined VLAN, providing limited network access, often only to
the Internet. This type of configuration can be used to provide Internet access to visitors
without compromising company security.
NOTE: In 802.1x, mac-radius and guest-vlan should not be configured
together, because guest-vlan does not work when mac-radius is configured.
IEEE 802.1X provides LAN access to nonresponsive hosts, which are hosts where 802.1X
is not enabled. These hosts, referred to as guests, typically are provided access only to
the Internet.
RADIUS Server Failure Fallback
You can define one of four actions to be taken if no RADIUS authentication server is
reachable (if, for example, a server failure or a timeout has occurred on the authentication
server).
• deny—(default) Prevent traffic from flowing from the supplicant through the interface.
• permit—Allow traffic to flow from the supplicant through the interface as if the supplicant were successfully authenticated by the RADIUS server.
• use-cache—Force successful authentication if authentication was granted before the failure or timeout. This ensures that authenticated users are not adversely affected by a failure or timeout.
• vlan vlan-name | vlan-id—Move the supplicant to a different VLAN specified by name or ID. This applies only to the first supplicant connecting to the interface.
NOTE: For permit, use-cache, and vlan fallback actions to work, 802.1X
supplicants need to accept an out of sequence SUCCESS packet.
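As an added example that is not part of this Juniper document, the following Python models the order in which the authenticator decides port access for one supplicant as described in the Static MAC Bypass, MAC RADIUS Authentication, Guest VLAN and RADIUS Server Failure Fallback sections above. The RADIUS server, MAC addresses, users and VLAN names are constructed; a nonresponsive host is modelled as one that supplies no credentials, and "first supplicant" for the vlan fallback is assumed to mean no supplicant has yet connected on the interface.

```python
"""Port-access decision for one supplicant on an 802.1X-enabled interface,
following the order the Static MAC Bypass, MAC RADIUS Authentication, Guest
VLAN and RADIUS Server Failure Fallback sections above describe. Added example,
not Junos code; the RADIUS server, MACs, users and VLAN names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Decision:
    access: bool
    vlan: Optional[str]   # VLAN the supplicant is placed in (None: the port's own VLAN)
    reason: str


@dataclass
class PortConfig:
    """Constructed stand-in for the per-interface authenticator settings."""
    mac_bypass: Dict[str, Optional[str]] = field(default_factory=dict)  # MAC -> VLAN
    mac_radius: bool = False
    guest_vlan: Optional[str] = None
    server_fail: str = "deny"              # deny | permit | use-cache | vlan
    server_fail_vlan: Optional[str] = None


class RadiusStub:
    """Constructed authentication server: credentials -> VLAN, plus a MAC list."""
    def __init__(self, users: Dict[Tuple[str, str], Optional[str]], macs: Set[str]):
        self.users, self.macs, self.reachable = users, macs, True

    def check_credentials(self, user: str, password: str) -> Tuple[bool, Optional[str]]:
        if not self.reachable:
            raise ConnectionError("RADIUS timeout")
        return (user, password) in self.users, self.users.get((user, password))

    def check_mac(self, mac: str) -> bool:
        if not self.reachable:
            raise ConnectionError("RADIUS timeout")
        return mac in self.macs


class Authenticator:
    def __init__(self, cfg: PortConfig, radius: RadiusStub):
        self.cfg, self.radius = cfg, radius
        self.cache: Dict[str, Decision] = {}   # successes, for the use-cache fallback
        self.seen: Set[str] = set()            # supplicants that connected so far

    def authorize(self, mac: str, credentials: Optional[Tuple[str, str]] = None) -> Decision:
        """credentials=None models a nonresponsive host (no EAP reply after the
        configured number of requests); a tuple models a responsive 802.1X host."""
        first = not self.seen
        self.seen.add(mac)
        # 1. The static MAC bypass list is checked first; no server round trip.
        if mac in self.cfg.mac_bypass:
            return Decision(True, self.cfg.mac_bypass[mac], "static-mac-bypass")
        try:
            # 2. Responsive host: relay the credentials; the reply may carry a VLAN.
            if credentials is not None:
                ok, vlan = self.radius.check_credentials(*credentials)
                return self._remember(mac, Decision(ok, vlan if ok else None,
                                                    "802.1x" if ok else "802.1x-reject"))
            # 3. Nonresponsive host: MAC RADIUS if enabled (the guest VLAN is then never used).
            if self.cfg.mac_radius:
                ok = self.radius.check_mac(mac)
                return self._remember(mac, Decision(ok, None, "mac-radius" if ok else "mac-radius-reject"))
        except ConnectionError:
            return self._server_failure(mac, first)
        # 4. Nonresponsive host without MAC RADIUS: guest VLAN if configured, else blocked.
        if self.cfg.guest_vlan:
            return Decision(True, self.cfg.guest_vlan, "guest-vlan")
        return Decision(False, None, "nonresponsive")

    def _remember(self, mac: str, d: Decision) -> Decision:
        if d.access:
            self.cache[mac] = d
        return d

    def _server_failure(self, mac: str, first_supplicant: bool) -> Decision:
        """No reachable RADIUS server: apply the configured fallback action."""
        action = self.cfg.server_fail
        if action == "permit":
            return Decision(True, None, "fallback-permit")
        if action == "use-cache" and mac in self.cache:
            return Decision(True, self.cache[mac].vlan, "fallback-use-cache")
        if action == "vlan" and self.cfg.server_fail_vlan and first_supplicant:
            return Decision(True, self.cfg.server_fail_vlan, "fallback-vlan")
        return Decision(False, None, "fallback-deny")   # deny is the default action


if __name__ == "__main__":
    radius = RadiusStub({("alice", "s3cret"): "eng"}, {"00:00:5e:00:53:10"})
    port = Authenticator(PortConfig(server_fail="use-cache"), radius)
    print(port.authorize("00:00:5e:00:53:20", ("alice", "s3cret")))  # access via 802.1X, VLAN eng
    radius.reachable = False
    print(port.authorize("00:00:5e:00:53:20", ("alice", "s3cret")))  # served from the cache
```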
For RADIUS server settings, see Table 29 on page 182.
Table 29: RADIUS Server Settings
Field | Function | Your Action
IP Address | Specifies the IP address of the server. | Enter the IP address in dotted decimal notation.
Password | Specifies the login password. | Enter the password.
Confirm Password | Verifies the login password for the server. | Reenter the password.
Server Port Number | Specifies the port with which the server is associated. | Type the port number.
Source Address | Specifies the source address of the SRX Series device for communicating with the server. | Type the IP address in dotted decimal notation.
Retry Attempts | Specifies the number of login retries allowed after a login failure. | Type the number.
Timeout | Specifies the time interval to wait before the connection to the server is closed. | Type the interval in seconds.
For 802.1X exclusion list details, see Table 30 on page 182.
Table 30: 802.1X Exclusion List
Field | Function | Your Action
MAC Address | Specifies the MAC address to be excluded from 802.1X authentication. | Enter the MAC address.
Exclude if connected through the port | Specifies that a supplicant can bypass authentication if it is connected through a particular interface. | Select to enable the option. Select the port through which the supplicant is connected.
Move the host to the VLAN | Moves the host to a specific VLAN once the host is authenticated. | Select to enable the option. Select the VLAN from the list.
For 802.1X port settings, see Table 31 on page 182.
Table 31: 802.1X Port Settings
Supplicant Mode
  Function: Specifies the mode to be adopted for supplicants:
  • Single—allows only one host for authentication.
  • Multiple—allows multiple hosts for authentication. Each host is checked before being admitted to the network.
  • Single authentication for multiple hosts—allows multiple hosts but only the first is authenticated.
  Your Action: Select the required mode.
Enable re-authentication
  Function: Specifies enabling reauthentication on the selected interface.
  Your Action: Select to enable reauthentication. Enter the timeout for reauthentication in seconds.
Action for nonresponsive hosts
  Function: Specifies the action to be taken in case a supplicant is nonresponsive:
  • Move to the Guest VLAN—moves the supplicant to the specified Guest VLAN.
  • Deny—does not permit access to the supplicant.
  Your Action: Select the desired action.
Authentication Timeouts
  Function: Specifies timeout values for:
  • Port waiting time after an authentication failure
  • EAPOL retransmitting interval
  • Maximum EAPOL requests
  • Maximum number of retries
  • Port timeout value for a response from the supplicant
  • Port timeout value for a response from the RADIUS server
  Your Action: Enter timeout values in seconds for the appropriate options.
VoIP VLAN Support
When VoIP is used with 802.1X, the RADIUS server authenticates the phone, and Link
Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED) provides the
class-of-service (CoS) parameters for the phone.
You can configure 802.1X authentication to work with VoIP in multiple-supplicant or
single-supplicant mode:
• Multiple-supplicant mode—Allows multiple supplicants to connect to the interface. Each supplicant is authenticated individually.
• Single-supplicant mode—Authenticates only the first supplicant. All other supplicants who connect later to the interface are allowed to “piggyback” on the first supplicant’s authentication and gain full access.
RADIUS Accounting
Configuring RADIUS accounting on an SRX Series or J Series device lets you collect statistical data about users logging on and off a LAN and send it to a RADIUS accounting server. The collected data can be used for general network monitoring, to analyze and track usage patterns, or to bill a user based on the amount of time or type of services accessed.
To configure RADIUS accounting, specify one or more RADIUS accounting servers to receive the statistical data from the device, and select the type of accounting data to be collected. To view the collected statistics, you can access the log file configured to receive them.
Server Reject VLAN
By default, when authentication fails, the supplicant is denied access to the network.
However, you can specify a VLAN to which the supplicant is moved if authentication fails.
The server reject VLAN is similar to a guest VLAN. With a server reject VLAN, however,
authentication is first attempted by credential, then by MAC address. If both authentication
methods fail, the supplicant is given access to a predetermined VLAN with limited network
access.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Example: Configuring 802.1x Authentication on page 199
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
• Port Security Overview on page 184
• Understanding MAC Limiting on page 185
Port Security
Port Security Overview
Supported Platforms
SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
Ethernet LANs are vulnerable to attacks such as address spoofing (forging) and Layer 2
denial of service (DoS) attacks on network devices. Port security features help protect
the access ports on your services gateway against the losses of information and
productivity that can result from such attacks.
Junos OS on SRX Series devices provides features to help secure the switching ports on the services gateway. The ports can be categorized as either trusted or untrusted. You apply policies appropriate to those categories to protect against various types of attacks.
The MAC limit port security feature can be turned on to obtain the most robust port
security level. Basic port security features are enabled in the services gateway's default
configuration. You can configure additional features with minimal configuration steps.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Ethernet Ports Switching Overview on page 163
• Understanding MAC Limiting on page 185
• Verifying Switching Mode Configuration on page 194
Understanding MAC Limiting
Supported Platforms
SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
MAC limiting protects against flooding of the Ethernet switching table (also known as
the MAC forwarding table or Layer 2 forwarding table). You enable this feature on
interfaces (ports). MAC move limiting detects MAC movement and MAC spoofing on
access interfaces. You enable this feature on VLANs.
MAC limiting sets a limit on the number of MAC addresses that can be learned dynamically
on a single Layer 2 access interface or on all the Layer 2 access interfaces on the services
gateway.
You configure the maximum number of dynamic MAC addresses allowed per interface.
When the limit is exceeded, incoming packets with new MAC addresses are treated as
specified by the configuration.
You can choose to have one of the following actions performed when the MAC address limit is exceeded:
• drop—Drop the packet and generate an alarm, an SNMP trap, or a system log entry. This is the default.
• log—Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.
• none—Take no action.
• shutdown—Disable the interface and generate an alarm. If you have configured the services gateway with the port-error-disable statement, the disabled interface recovers automatically upon expiration of the specified disable timeout. If you have not configured the services gateway for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command.
NOTE: MAC limit is applied only to new MAC learning requests. If you already have 10 learned MAC addresses and you configure the limit as 5, all the MACs will remain in the forwarding database (FDB) table. Once the learned MAC addresses age out (or are cleared by the user with the clear ethernet-switching command), they are not relearned.
MAC limiting does not apply to static MAC addresses. Users can configure any number of static MAC addresses independent of MAC limiting, and all of them are added to the FDB.
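The following Python model, added here and not part of Junos OS, walks through the MAC limiting behaviour described above: the per-interface learning limit, the four exceed actions, port-error-disable recovery, and the NOTE that the limit applies only to new learning requests and never to static entries. Interface names, MAC addresses and the timer bookkeeping are constructed for the example, and the "none" action is assumed to forward the frame without learning the MAC and without an alarm.

```python
# Added example (not Junos OS code): a model of per-interface MAC limiting.
# Interface names, MAC addresses and the timer bookkeeping are constructed
# for illustration; the "none" action is assumed to forward the frame
# without learning the MAC and without raising an alarm.
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    mac_limit: int                       # maximum dynamically learned MACs
    action: str = "drop"                 # drop | log | none | shutdown
    port_error_disable_timeout: int = 0  # seconds; 0 = no autorecovery configured
    dynamic: set = field(default_factory=set)
    static: set = field(default_factory=set)
    disabled_for: int = 0                # seconds left error-disabled; -1 = until cleared
    alarms: list = field(default_factory=list)

    @property
    def disabled(self) -> bool:
        return self.disabled_for != 0


def add_static_mac(iface: Interface, mac: str) -> None:
    """Static MACs always go into the FDB and never count against the limit."""
    iface.static.add(mac.lower())


def process_frame(iface: Interface, src_mac: str) -> str:
    """Return 'forward' or 'drop' for a frame with source src_mac on iface."""
    if iface.disabled:
        return "drop"
    mac = src_mac.lower()
    if mac in iface.static or mac in iface.dynamic:
        return "forward"                 # already in the FDB: nothing to learn
    if len(iface.dynamic) < iface.mac_limit:
        iface.dynamic.add(mac)           # new MAC within the limit: learn it
        return "forward"
    # New MAC and the limit is reached: apply the configured action.
    if iface.action == "none":
        return "forward"
    iface.alarms.append(f"{iface.name}: MAC limit {iface.mac_limit} exceeded by {mac}")
    if iface.action == "log":
        return "forward"
    if iface.action == "shutdown":
        iface.disabled_for = iface.port_error_disable_timeout or -1
    return "drop"                        # drop (default) and shutdown


def set_mac_limit(iface: Interface, new_limit: int) -> None:
    """Lowering the limit never evicts MACs already learned (see the NOTE)."""
    iface.mac_limit = new_limit


def age_out(iface: Interface, mac: str) -> None:
    """A dynamic entry ages out or is cleared; it is relearned only if room remains."""
    iface.dynamic.discard(mac.lower())


def tick(iface: Interface, seconds: int) -> None:
    """Time passes: with port-error-disable configured the interface recovers."""
    if iface.disabled_for > 0:
        iface.disabled_for = max(0, iface.disabled_for - seconds)


def clear_port_error(iface: Interface) -> None:
    """Operator runs 'clear ethernet-switching port-error' for this interface."""
    iface.disabled_for = 0
```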
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Example: Configuring MAC Limiting on page 207
• Port Security Overview on page 184
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
• Understanding IGMP Snooping on page 186
IGMP Snooping
Understanding IGMP Snooping
Supported Platforms
J Series, SRX210, SRX220, SRX240, SRX650
Internet Group Management Protocol (IGMP) snooping regulates multicast traffic in a
switched network. With IGMP snooping enabled, the Juniper Networks device monitors
the IGMP transmissions between a host (a network device) and a multicast router, keeping
track of the multicast groups and associated member interfaces. The Juniper Networks
device uses that information to make intelligent multicast-forwarding decisions and to
forward traffic to its intended destination interfaces.
This topic contains the following sections:
• How IGMP Snooping Works on page 186
• How Hosts Join and Leave Multicast Groups on page 187
How IGMP Snooping Works
A J Series device usually learns unicast MAC addresses by checking the source address
field of the frames it receives. However, a multicast MAC address can never be the source
address for a packet. As a result, the switch floods multicast traffic on the VLAN,
consuming significant amounts of bandwidth.
IGMP snooping regulates multicast traffic on a VLAN to avoid flooding. When IGMP
snooping is enabled, the switch intercepts IGMP packets and uses the content of the
packets to build a multicast cache table. The cache table is a database of multicast
groups and their corresponding member ports. The cache table is then used to regulate
multicast traffic on the VLAN.
When the router receives multicast packets, it uses the cache table to selectively forward
the packets only to the ports that are members of the destination multicast group.
For IGMP snooping configuration details, see Table 32 on page 186.
Table 32: IGMP Snooping Configuration Fields
VLAN Name
  Function: Specifies the VLAN on which to enable IGMP snooping.
  Action: Select the VLAN from the list.
Immediate Leave
  Function: Immediately removes a multicast group membership from an interface when it receives a leave message from that interface and suppresses the sending of any group-specific queries for the multicast group.
  Action: To enable the option, select the check box. To disable the option, clear the check box.
Query Interval
  Function: Configures how frequently the switch sends host-query timeout messages to a multicast group.
  Action: Enter a value from 1 through 1024 seconds.
Query Last Member Interval
  Function: Configures the interval between group-specific query timeout messages sent by the switch.
  Action: Enter a value from 1 through 1024 seconds.
Query Response Interval
  Function: Configures the length of time the switch waits to receive a response to a specific query message from a host.
  Action: Enter a value from 1 through 25 seconds.
Robust Count
  Function: Specifies the number of timeout intervals the switch waits before timing out a multicast group.
  Action: Enter a value from 2 through 10.
Interfaces List
  Function: Statically configures an interface as a switching interface toward a multicast router (the interface to receive multicast traffic).
  Action:
  1. Click Add.
  2. Select an interface from the list.
  3. Select Multicast Router Interface.
  4. Enter the maximum number of groups an interface can join in Group Limit.
  5. In Static, choose one:
     • Click Add, type a group IP address, and click OK.
     • Select a group and click Remove to remove the group membership.
How Hosts Join and Leave Multicast Groups
Hosts can join multicast groups in either of two ways:
• By sending an unsolicited IGMP join message to a multicast router that specifies the IP multicast group that the host is attempting to join.
• By sending an IGMP join message in response to a general query from a multicast router.
A multicast router continues to forward multicast traffic to a VLAN provided that at least
one host on that VLAN responds to the periodic general IGMP queries. For a host to remain
a member of a multicast group, therefore, it must continue to respond to the periodic
general IGMP queries.
To leave a multicast group, a host can either not respond to the periodic general IGMP
queries, which results in a “silent leave” (the only leave option for hosts connected to
switches running IGMPv1), or send a group-specific IGMPv2 leave message.
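To make the cache table of "How IGMP Snooping Works" and the join and leave behaviour just described concrete, here is a small Python simulation of an IGMP snooping cache for one VLAN (an added example, not Junos code): membership refreshed by reports, silent leave by query timeout after the robust count of intervals, a group-specific query window after an IGMPv2 leave, and immediate leave. Port names, group addresses, the timer defaults, and the rule that a group with no members reaches only the multicast-router ports are constructed assumptions of this model.

```python
# Added example (not Junos code): IGMP snooping cache table for one VLAN.
# Port names, group addresses and timer defaults are constructed.
from dataclasses import dataclass, field


@dataclass
class SnoopingVlan:
    query_interval: int = 125        # seconds between general queries
    robust_count: int = 2            # intervals a port may stay silent before it times out
    last_member_interval: int = 1    # seconds a group-specific query waits after a leave
    immediate_leave: bool = False
    router_ports: set = field(default_factory=set)
    # cache table: group -> {member port -> seconds left before its membership times out}
    cache: dict = field(default_factory=dict)

    def membership_timeout(self) -> int:
        return self.robust_count * self.query_interval


def add_router_port(vlan: SnoopingVlan, port: str) -> None:
    """Static multicast-router interface (the Interfaces List field of Table 32)."""
    vlan.router_ports.add(port)


def on_report(vlan: SnoopingVlan, group: str, port: str) -> None:
    """IGMP join seen on port, unsolicited or in answer to a general query."""
    vlan.cache.setdefault(group, {})[port] = vlan.membership_timeout()


def on_leave(vlan: SnoopingVlan, group: str, port: str) -> None:
    """IGMPv2 group-specific leave. Without immediate leave the switch sends a
    group-specific query and keeps the membership until that query times out."""
    members = vlan.cache.get(group, {})
    if port not in members:
        return
    if vlan.immediate_leave:
        del members[port]
    else:
        members[port] = vlan.last_member_interval  # another report would refresh it
    if not members:
        vlan.cache.pop(group, None)


def advance(vlan: SnoopingVlan, seconds: int) -> None:
    """Time passes; hosts that stopped answering queries age out (silent leave)."""
    for group in list(vlan.cache):
        members = vlan.cache[group]
        for port in list(members):
            members[port] -= seconds
            if members[port] <= 0:
                del members[port]
        if not members:
            del vlan.cache[group]


def group_members(vlan: SnoopingVlan, group: str) -> set:
    return set(vlan.cache.get(group, {}))


def forward(vlan: SnoopingVlan, group: str, ingress_port: str) -> set:
    """Egress ports for a multicast packet: the group's member ports plus the
    router ports, never the ingress port. A group with no members reaches
    only the router ports (assumption of this model)."""
    return (group_members(vlan, group) | vlan.router_ports) - {ingress_port}
```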
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Example: Configuring IGMP Snooping on page 208
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
GARP VLAN Registration Protocol
• Understanding GARP VLAN Registration Protocol on page 188
Understanding GARP VLAN Registration Protocol
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
As a network expands and the number of clients and VLANs increases, VLAN
administration becomes complex, and the task of efficiently configuring VLANs becomes
increasingly difficult. To automate VLAN administration, you can enable GARP VLAN
Registration Protocol (GVRP) on the network.
The Generic VLAN Registration Protocol (GVRP) is an application protocol of the Generic
Attribute Registration Protocol (GARP) and is defined in the IEEE 802.1Q standard. GVRP
learns VLANs on a particular 802.1Q trunk port and adds the corresponding trunk port to
the VLAN if the advertised VLAN is preconfigured on the switch.
The VLAN registration information sent by GVRP includes the current VLAN
membership—that is, which switches are members of which VLANs—and which switch
ports are in which VLAN. GVRP shares all VLAN information configured manually on a
local switch.
As part of ensuring that VLAN membership information is current, GVRP removes switches
and ports from the VLAN information when they become unavailable. Pruning VLAN
information limits the network VLAN configuration to active participants only, reducing
network overhead, and targets the scope of broadcast, unknown unicast, and multicast
(BUM) traffic to interested devices only.
For GVRP global settings, see Table 33 on page 188.
Table 33: GVRP Global Settings
Disable GVRP
  Function: Disables GVRP on all the interfaces.
  Action: Click to select.
Join Timer
  Function: Specifies the number of milliseconds an interface must wait before sending VLAN advertisements.
  Action: Enter a value from 0 through 4,294,967,295 milliseconds.
Leave Timer
  Function: Specifies the number of milliseconds an interface must wait after receiving a leave message to remove itself from the VLAN specified in the message.
  Action: Enter a value from 0 through 4,294,967,295 milliseconds.
Leave All Timer
  Function: Specifies the interval in milliseconds at which Leave All messages are sent on interfaces. Leave All messages help to maintain current GVRP VLAN membership information in the network.
  Action: Enter a value from 0 through 4,294,967,295 milliseconds.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Example: Configuring GARP VLAN Registration Protocol on page 210
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
Ethernet OAM Connectivity Fault Management
• Understanding Ethernet OAM Connectivity Fault Management on page 189
Understanding Ethernet OAM Connectivity Fault Management
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
Ethernet interfaces on branch SRX Series devices support the IEEE 802.1ag standard for Operation, Administration, and Management (OAM). IEEE 802.1ag is the standard for connectivity fault management (CFM) and provides the specification for Ethernet CFM. The Ethernet network can consist of one or more service instances. A service instance could be a VLAN or a concatenation of VLANs. The goal of CFM is to provide a mechanism to monitor, locate, and isolate faulty links.
CFM support includes the following features:
• Fault monitoring using the Continuity Check Protocol. This is a neighbor discovery and health check protocol that discovers and maintains adjacencies at the VLAN or link level.
• Path discovery and fault verification using the Linktrace protocol.
• Fault isolation using the Loopback protocol.
The Loopback protocol is used to check access to maintenance association end points
(MEPs) under the same maintenance association (MA). The Loopback messages are
triggered by an administrator using the ping ethernet command.
CFM partitions the service network into various administrative domains. For example,
operators, providers, and customers might be part of different administrative domains.
Each administrative domain is mapped into one maintenance domain providing enough
information to perform its own management, thus avoiding security breaches and making
end-to-end monitoring possible.
In a CFM maintenance domain, each service instance is called a maintenance association.
A maintenance association can be thought of as a full mesh of maintenance association
end points (MEPs) having similar characteristics. MEPs are active CFM entities generating
and responding to CFM protocol messages. There is also a maintenance association
intermediate point (MIP), which is a CFM entity similar to the MEP, but more passive
(MIPs only respond to CFM messages).
Each maintenance domain is associated with a maintenance domain level from 0 through
7. Level allocation is based on the network hierarchy, where outer domains are assigned
a higher level than the inner domains. You configure customer end points to have the
highest maintenance domain level. The maintenance domain level is a mandatory
parameter that indicates the nesting relationships between various maintenance domains.
The level is embedded in each CFM frame. CFM messages within a given level are
processed by MEPs at that same level.
To enable CFM on an Ethernet interface, you must configure maintenance domains,
maintenance associations, and MEPs.
NOTE:
• You cannot configure MEP and MIP on the same VLAN.
• CFM and link fault management (LFM) cannot be configured on the same interface.
• CFM cannot be configured with Generic VLAN Registration Protocol (GVRP).
• CFM is not supported on VOIP VLAN ports.
• Lower level CFM frames are forwarded by a higher level down MEP.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Example: Configuring Ethernet OAM Connectivity Fault Management on page 211
Ethernet OAM Link Fault Management
• Understanding Ethernet OAM Link Fault Management for SRX Series Services Gateways on page 190
Understanding Ethernet OAM Link Fault Management for SRX Series Services Gateways
Supported Platforms
LN Series, SRX100, SRX210, SRX220, SRX240, SRX550, SRX650
The Ethernet interfaces on SRX Series devices support the IEEE 802.3ah standard for
Operation, Administration, and Maintenance (OAM). The standard defines OAM link fault
management (LFM). You can configure IEEE 802.3ah OAM LFM on point-to-point Ethernet
links that are connected either directly or through Ethernet repeaters. The IEEE 802.3ah
standard meets the requirement for OAM capabilities as Ethernet moves from being
solely an enterprise technology to a WAN and access technology, and the standard
remains backward-compatible with existing Ethernet technology.
This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX550, and SRX650
devices.
NOTE: For SRX550 and SRX650 devices, LFM is supported only on devices
that have 16-port or 24-port GPIMs.
The following OAM LFM features are supported:
• Discovery and link monitoring—The discovery process is triggered automatically when OAM is enabled on the interface. The discovery process permits Ethernet interfaces to discover and monitor the peer on the link if it also supports the IEEE 802.3ah standard. In active mode, the interface discovers and monitors the peer on the link if the peer also supports IEEE 802.3ah OAM functionality. In passive mode, the peer initiates the discovery process. After the discovery process has been initiated, both sides participate in discovery. The device performs link monitoring by sending periodic OAM protocol data units (PDUs) to advertise OAM mode, configuration, and capabilities.
  You can specify the number of OAM PDUs that an interface can miss before the link between peers is considered down.
• Remote fault detection—Remote fault detection uses flags and events. Flags convey Link Fault (a loss of signal), Dying Gasp (an unrecoverable condition such as a power failure), and Critical Event (an unspecified vendor-specific critical event). You can specify the periodic OAM PDU sending interval for fault detection. SRX Series devices use the Event Notification OAM PDU to notify the remote OAM device when a problem is detected. You can specify the action to be taken by the system when the configured link-fault event occurs.
• Remote loopback—Remote loopback mode ensures link quality between the device and a remote peer during installation or troubleshooting. In this mode, when the interface receives a frame that is not an OAM PDU or a pause frame, it sends it back on the same interface on which it was received. The link appears to be in the active state. You can use the returned loopback acknowledgement to test delay, jitter, and throughput.
  Junos OS can place a remote data terminal equipment (DTE) into loopback mode (if remote loopback mode is supported by the remote DTE). When you place a remote DTE into loopback mode, the interface receives the remote loopback request and puts the interface into remote loopback mode. When the interface is in remote loopback mode, all frames except OAM PDUs are looped back without any changes made to the frames. OAM PDUs continue to be sent and processed.
Table 34 on page 192 lists the supported interface modes.
Table 34: Supported Interface Modes
Physical interface (fe/ge)
  Family: ccc, ethernet-switching, inet6, inet, iso, mpls, tcc
  IFD encapsulations: ethernet-ccc, extended-vlan-ccc (IFD vlan-tagging mode), ethernet-tcc, extended-vlan-tcc
Aggregated Ethernet interface (Static or LACP lag)
  Family: ethernet-switching, inet, mpls, iso, inet6
  IFD encapsulations: ethernet-ccc, extended-vlan-ccc (IFD vlan-tagging mode), vlan-ccc
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Example: Configuring Ethernet OAM Link Fault Management on page 226
• Ethernet Interfaces Feature Guide for Security Devices
CHAPTER 5
Configuration
• Ethernet Port Switching on page 193
• VLANs on page 195
• Spanning Tree Protocol on page 196
• Link Aggregation Control Protocol on page 198
• 802.1X Port-Based Network Authentication on page 199
• Port Security on page 206
• IGMP Snooping on page 208
• GARP VLAN Registration Protocol on page 210
• Ethernet OAM Connectivity Fault Management on page 211
• Ethernet OAM Link Fault Management on page 226
• Configuration Statements on page 230
Ethernet Port Switching
• Example: Configuring Switching Modes on page 193
• Verifying Switching Mode Configuration on page 194
Example: Configuring Switching Modes
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
This example shows how to configure a multiport Gigabit Ethernet uPIM to function in
switching mode so the uPIM appears as a single entity for monitoring purposes.
• Requirements on page 193
• Overview on page 194
• Configuration on page 194
• Verification on page 194
Requirements
Before you begin, see “Understanding Switching Modes” on page 168.
Overview
In this example, you configure the chassis to set the uPIM mode of operation to switching. You then set the uPIM mode of operation to enhanced switching. Finally, you configure interface ge-2/0/0 and set the physical port parameter to auto-negotiation on switch port 1 on the uPIM.
Configuration
Step-by-Step Procedure
To configure a uPIM to function in switching mode:
1. Set the uPIM mode of operation to switching.
   [edit chassis fpc 0 pic 0 ethernet]
   user@host# set pic-mode switching
2. Set the uPIM mode of operation to enhanced switching.
   [edit chassis fpc 0 pic 0 ethernet]
   user@host# set pic-mode enhanced-switching
3. Set a physical port parameter on the uPIM.
   [edit]
   user@host# set interfaces ge-2/0/0 switch-options switch-port 1 auto-negotiation
4. If you are done configuring the device, commit the configuration.
   [edit]
   user@host# commit
Verification
To verify the configuration is working properly, enter the show interfaces ge-2/0/0
switch-options and show chassis fpc 0 commands.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
Verifying Switching Mode Configuration
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
Purpose
The operational mode command for checking the status and statistics for multiport
uPIMs in switching mode is different from that in routing mode. For uPIMs in routing mode,
the operational commands are the same as for other Gigabit Ethernet interfaces, such
as the 1-port Gigabit Ethernet ePIM and built-in Gigabit Ethernet ports.
However, not all operational mode commands are supported for ports of a uPIM in
switching mode. For example, the operational mode command for monitoring port
statistics is not supported.
NOTE: To clear the statistics for the individual switch ports, use the clear
interfaces statistics ge-pim/0/0 switch-port port-number command.
To verify the status and view statistics for a port on a uPIM in switching mode:
user@host# show interfaces ge-slot/0/0 switch-port port-number
Port 0, Physical link is Up
  Speed: 100mbps, Auto-negotiation: Enabled
  Statistics:                      Receive    Transmit
    Total bytes                   28437086    21792250
    Total packets                   409145       88008
    Unicast packets                   9987       83817
    Multicast packets               145002           0
    Broadcast packets               254156        4191
    Multiple collisions                 23          10
    FIFO/CRC/Align errors                0           0
    MAC pause frames                     0           0
    Oversized frames                     0
    Runt frames                          0
    Jabber frames                        0
    Fragment frames                      0
    Discarded frames                     0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: None, Remote fault: OK, Link partner Speed: 100 Mbps
    Local resolution:
        Flow control: None, Remote fault: Link OK
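As an added example (not Juniper's code), this Python function parses the switch-port statistics output shown above into a dictionary and flags the counters a practitioner checks first: non-zero error and discard counters, and collisions on a link that negotiated full-duplex. SAMPLE is the output quoted above; which counters are treated as errors is an assumption of this example.

```python
# Added example (not Juniper code): parse the switch-port statistics output
# shown above and flag the counters worth a second look. SAMPLE is the
# output quoted above; the set of counters treated as errors is an
# assumption of this example.
import re

SAMPLE = """\
Port 0, Physical link is Up
  Speed: 100mbps, Auto-negotiation: Enabled
  Statistics:                      Receive    Transmit
    Total bytes                   28437086    21792250
    Total packets                   409145       88008
    Unicast packets                   9987       83817
    Multicast packets               145002           0
    Broadcast packets               254156        4191
    Multiple collisions                 23          10
    FIFO/CRC/Align errors                0           0
    MAC pause frames                     0           0
    Oversized frames                     0
    Runt frames                          0
    Jabber frames                        0
    Fragment frames                      0
    Discarded frames                     0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: None, Remote fault: OK, Link partner Speed: 100 Mbps
    Local resolution:
        Flow control: None, Remote fault: Link OK
"""

# A counter line: indented name, two or more spaces, receive value, optional transmit value.
COUNTER_RE = re.compile(r"^\s+([A-Za-z][A-Za-z/ ]*?)\s{2,}(\d+)(?:\s+(\d+))?\s*$")
ERROR_COUNTERS = ("FIFO/CRC/Align errors", "Oversized frames", "Runt frames",
                  "Jabber frames", "Fragment frames", "Discarded frames")


def parse_switch_port(text: str) -> dict:
    """Turn the show output into a dict; 'counters' maps name -> (rx, tx or None)."""
    info = {"counters": {}}
    for line in text.splitlines():
        stripped = line.strip()
        m = re.match(r"Port (\d+), Physical link is (\w+)", stripped)
        if m:
            info["port"], info["link"] = int(m.group(1)), m.group(2)
            continue
        m = re.match(r"Speed: (\S+), Auto-negotiation: (\w+)", stripped)
        if m:
            info["speed"], info["autoneg"] = m.group(1), m.group(2)
            continue
        m = re.match(r"Link mode: ([\w-]+), Flow control: (\w+)", stripped)
        if m:
            info["link_mode"], info["flow_control"] = m.group(1), m.group(2)
            continue
        m = COUNTER_RE.match(line)
        if m:
            rx = int(m.group(2))
            tx = int(m.group(3)) if m.group(3) is not None else None  # receive-only counters
            info["counters"][m.group(1).strip()] = (rx, tx)
    return info


def health_issues(info: dict) -> list:
    """Non-zero error counters, plus collisions on a link that negotiated full-duplex."""
    issues = []
    for name in ERROR_COUNTERS:
        rx, tx = info["counters"].get(name, (0, None))
        if rx or tx:
            issues.append(f"{name}: rx={rx} tx={tx}")
    rx_coll, tx_coll = info["counters"].get("Multiple collisions", (0, None))
    if info.get("link_mode") == "Full-duplex" and (rx_coll or tx_coll):
        issues.append("collisions counted on a full-duplex link (possible duplex mismatch)")
    return issues
```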
VLANs
• Example: Configuring VLANs on page 195
Example: Configuring VLANs
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
This example shows you how to configure a VLAN.
Requirements
Before you begin:
• Determine which interfaces to use and verify that they are in switch mode. See “Example: Configuring Switching Modes” on page 193.
• Determine what ports to use on the device and how to segment your network. See “Understanding Switching Modes” on page 168.
Overview
In this example, you create a new VLAN and then configure attributes.
Configuration
GUI Step-by-Step Procedure
To access the VLAN:
1. In the J-Web user interface, select Configure>Switching>VLAN.
   The VLAN configuration page displays a list of existing VLANs. If you select a specific VLAN, the specific VLAN details are displayed in the details section.
2. Click one:
   • Add—Creates a VLAN.
   • Edit—Edits an existing VLAN configuration.
   • Delete—Deletes an existing VLAN.
   NOTE: If you delete a VLAN, the VLAN configuration for all the associated interfaces is also deleted.
   Add or edit VLAN information.
3. Click one:
   • OK—Saves the configuration and returns to the main configuration page, then click Commit Options>Commit.
   • Cancel—Cancels your entries and returns to the main configuration page.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding VLANs on page 169
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
Spanning Tree Protocol
• Configuring the Spanning Tree Protocol on page 196
Configuring the Spanning Tree Protocol
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
This example shows you how to configure the Spanning Tree Protocol on an Ethernet switched network.
Requirements
Before you begin:
• Determine which interfaces to use and verify that they are in switch mode. See “Example: Configuring Switching Modes” on page 193.
• Review information about switching modes. See “Understanding Switching Modes” on page 168.
Overview
In this example, you enable the Spanning Tree Protocol on switched Ethernet ports.
Configuration
GUI Step-by-Step Procedure
To access the Spanning Tree Quick Configuration:
1. In the J-Web user interface, select Configure>Switching>Spanning Tree.
   The Spanning Tree Configuration page displays a list of existing spanning trees. If you select a specific spanning tree, the specific spanning tree details are displayed in the General and Interfaces tabs.
2. Click one of the following:
   • Add—Creates a spanning tree.
   • Edit—Edits an existing spanning-tree configuration.
   • Delete—Deletes an existing spanning tree.
   When you are adding a spanning tree, select a protocol name: STP, RSTP, or MSTP.
   Select the Ports tab to configure the ports associated with this spanning tree. Click one of the following:
   • Add—Creates a new spanning-tree interface configuration.
   • Edit—Modifies an existing spanning-tree interface configuration.
   • Delete—Deletes an existing spanning-tree interface configuration.
   When you are adding or editing a spanning-tree port, enter information describing the port.
3. Click one:
   • Click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.
   • Click Cancel to cancel the configuration without saving changes.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding the Spanning Tree Protocol on page 171
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
Link Aggregation Control Protocol
• Example: Configuring Link Aggregation Control Protocol on page 198
Example: Configuring Link Aggregation Control Protocol
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
This example shows how to configure LACP.
Requirements
Before you begin:
• Verify that the Ethernet interfaces are in switch mode. See “Example: Configuring Switching Modes” on page 193.
• Link aggregation of one or more interfaces must be set up to form a virtual link or link aggregation group (LAG) before you can apply LACP. See “Understanding Switching Modes” on page 168.
Overview
In this example, you configure link aggregation for switched Ethernet interfaces then
apply LACP.
Configuration
GUI Step-by-Step
Procedure
To access the LACP Configuration:
1. In the J-Web user interface, select Configure>Interfaces>Link Aggregation.
The Aggregated Interfaces list is displayed.
2. Click one of the following:
• Device Count—Creates an aggregated Ethernet interface, or LAG. You can choose the number of devices that you want to create.
• Add—Adds a new aggregated Ethernet interface, or LAG.
• Edit—Modifies a selected LAG.
• Aggregation—Modifies a selected LAG.
• VLAN—Specifies VLAN options for the selected LAG.
• IP Option—Configuring an IP address on a LAG is not supported; if you try to configure an IP address, an error message is displayed.
• Delete—Deletes the selected LAG.
• Disable Port or Enable Port—Disables or enables the administrative status on the selected interface.
3. Click one:
• Click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.
• Click Cancel to cancel the configuration without saving changes.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding Link Aggregation Control Protocol on page 175
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
802.1X Port-Based Network Authentication
• Example: Configuring 802.1x Authentication on page 199
• Example: Specifying RADIUS Server Connections on the Device on page 200
• Example: Configuring 802.1x Interface Settings on page 203
• Example: Configuring a Guest VLAN on page 205
Example: Configuring 802.1x Authentication
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
This example shows how to configure 802.1X authentication, configure RADIUS, and
configure a guest VLAN.
• Requirements on page 199
• Overview on page 199
• Configuration on page 199
Requirements
Before you begin:
• Verify that the interfaces to use are in switch mode. See “Example: Configuring Switching Modes” on page 193.
• Review switching mode and VLAN information. See “Understanding Switching Modes” on page 168 and “Understanding VLANs” on page 169.
Overview
In this example, you configure 802.1X authentication.
Configuration
GUI Step-by-Step Procedure
1. From the Configure menu, select Security > 802.1X.
The 802.1X screen displays a list of interfaces, whether 802.1X security has been enabled, and the assigned port role.
When you select a particular interface, the Details section displays 802.1X details for the selected interface.
NOTE: After you make changes to the configuration, click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.
2. Click one:
• RADIUS Servers or Exclusion List—Click Add or Edit to add or modify the settings.
• Edit—Specifies 802.1X settings for the selected interface:
• Apply 802.1X Profile—Applies a predefined 802.1X profile based on the port role. If a message appears asking if you want to configure a RADIUS server, click Yes and enter information.
• 802.1X Configuration—Configures custom 802.1X settings for the selected interface. If a message appears asking if you want to configure a RADIUS server, click Yes and enter information.
• Delete—Deletes the existing 802.1X authentication configuration on the selected interface.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding 802.1X Port-Based Network Authentication on page 178
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
Example: Specifying RADIUS Server Connections on the Device
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
This example shows how to specify a RADIUS server for 802.1X authentication to provide
network edge security.
• Requirements on page 200
• Overview on page 201
• Configuration on page 201
• Verification on page 202
Requirements
Before you begin, verify that the interfaces that will be used are in switch mode. See
“Example: Configuring Switching Modes” on page 193.
• To use 802.1X or MAC RADIUS authentication, you must specify the connections on the SRX Series or J Series device for each RADIUS server to which you will connect.
Overview
In this example, you set the RADIUS server IP address to 10.0.0.100 and the secret
password to abc. The secret password on the device must match the secret password
on the server. To define more than one RADIUS server, you need to enter separate
radius-server commands.
You then specify the source address as 10.93.14.100. By default, the RADIUS server uses
the address of the interface sending the RADIUS request to determine the source of the
request. If the request has been diverted on an alternate route to the RADIUS server, the
interface relaying the request might not be an interface on the device. To ensure that the
source is identified correctly, specify its IP address explicitly.
Then you create a profile called profile1 and set the authentication order to radius. You can specify one or more RADIUS servers to be associated with profile1. Finally, you define profile1 as the authentication profile for the 802.1X or MAC RADIUS authenticator.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set access radius-server 10.0.0.100 port 1812 secret abc
set access radius-server 10.0.0.100 source-address 10.93.14.100
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.0.0.100
set protocols dot1x authenticator authentication-profile-name profile1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To specify a RADIUS server for 802.1X authentication:
1. Configure access.
[edit]
user@host# edit access
NOTE: For 802.1X authentication, the RADIUS server must be configured at the access hierarchy level.
2. Define the IP address and the secret password for the RADIUS server.
[edit access]
user@host# set radius-server 10.0.0.100 port 1812 secret abc
3. Specify the source address used for requests to the RADIUS server.
[edit access]
user@host# set radius-server 10.0.0.100 source-address 10.93.14.100
4. Create the profile.
[edit access]
user@host# edit profile profile1
5. Configure the authentication order.
[edit access profile profile1]
user@host# set authentication-order radius
6. Specify one or more RADIUS servers to be associated with profile1.
[edit access profile profile1]
user@host# set radius authentication-server 10.0.0.100
7. Define the authentication profile.
[edit]
user@host# set protocols dot1x authenticator authentication-profile-name profile1
Results
From configuration mode, confirm your configuration by entering the show access and
show protocols dot1x commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
[edit]
user@host# show access
radius-server {
    10.0.0.100 {
        port 1812;
        secret "$ABC123"; ## SECRET-DATA
        source-address 10.93.14.100;
    }
}
profile profile1 {
    authentication-order radius;
    radius {
        authentication-server 10.0.0.100;
    }
}
[edit]
user@host# show protocols dot1x
authenticator {
    authentication-profile-name profile1;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
• Verifying a RADIUS Server on page 203
Verifying a RADIUS Server
Purpose
Verify that the RADIUS server is configured properly.
Action
From configuration mode, enter the show access and show protocols dot1x commands.
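An added Python check, not Junos code, that reads the two show outputs above in the Junos brace format and confirms the wiring this example depends on: the dot1x authenticator names a defined access profile, that profile's authentication-server is a configured radius-server, and each radius-server has a shared secret and an explicit source-address. The sample text is constructed from the Results section; the parser and the finding messages are hypothetical.

```python
"""Lint show access / show protocols dot1x output for the 802.1X RADIUS wiring.

Added example, not Junos code. parse_junos_braces() and lint_dot1x_radius()
are hypothetical helper names.
"""

# Constructed samples in the format of the Results output above.
SHOW_ACCESS = """\
radius-server {
    10.0.0.100 {
        port 1812;
        secret "$ABC123"; ## SECRET-DATA
        source-address 10.93.14.100;
    }
}
profile profile1 {
    authentication-order radius;
    radius {
        authentication-server 10.0.0.100;
    }
}
"""

SHOW_DOT1X = """\
authenticator {
    authentication-profile-name profile1;
}
"""


def parse_junos_braces(text):
    """Parse Junos curly-brace configuration text into nested dicts.

    A block header 'name {' becomes a sub-dict keyed by the full header
    ('profile profile1 {' is keyed 'profile profile1'); a leaf 'key value;'
    becomes {key: value}. Trailing '## SECRET-DATA' annotations are ignored.
    """
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child = cur.setdefault(line[:-1].strip(), {})
            stack.append(cur)
            cur = child
        elif line == "}":
            if not stack:
                raise ValueError("unexpected closing brace")
            cur = stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            cur[key] = value.strip()
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if stack:
        raise ValueError("unbalanced braces")
    return root


def lint_dot1x_radius(access_text, dot1x_text):
    """Return a list of findings; an empty list means the configuration is
    wired the way the example intends."""
    access = parse_junos_braces(access_text)
    dot1x = parse_junos_braces(dot1x_text)
    findings = []

    servers = access.get("radius-server", {})
    for addr, opts in servers.items():
        if "secret" not in opts:
            findings.append(f"radius-server {addr}: no shared secret")
        if "source-address" not in opts:
            # Without it the request carries the egress interface address,
            # which the server may not recognise if the request is rerouted.
            findings.append(f"radius-server {addr}: no explicit source-address")

    name = dot1x.get("authenticator", {}).get("authentication-profile-name")
    if name is None:
        findings.append("dot1x authenticator: no authentication-profile-name")
        return findings
    profile = access.get(f"profile {name}")
    if profile is None:
        findings.append(f"dot1x authenticator references undefined access profile {name}")
        return findings
    if profile.get("authentication-order") != "radius":
        findings.append(f"profile {name}: authentication-order is not radius")
    server = profile.get("radius", {}).get("authentication-server")
    if server not in servers:
        findings.append(f"profile {name}: authentication-server {server} is not a configured radius-server")
    return findings


if __name__ == "__main__":
    print(lint_dot1x_radius(SHOW_ACCESS, SHOW_DOT1X) or "no findings")
```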
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding 802.1X Port-Based Network Authentication on page 178
• Understanding Switching Modes on page 168
• Understanding VLANs on page 169
• Ethernet Ports Switching Overview on page 163
• Example: Configuring 802.1x Authentication on page 199
Example: Configuring 802.1x Interface Settings
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
This example shows how to configure 802.1X interface settings for network edge security.
• Requirements on page 203
• Overview on page 203
• Configuration on page 204
• Verification on page 205
Requirements
Before you begin:
• Verify that the interfaces that will be used are in switch mode. See “Example: Configuring Switching Modes” on page 193.
• Ensure that the interfaces are defined in the interfaces hierarchy with family ethernet-switching.
Overview
In this example, you set the supplicant mode to multiple after configuring protocol dot1x
and authenticator interface ge-0/0/5. You then enable reauthentication and set the
reauthentication interval to 120. You configure the interface timeout value for the response
from the supplicant as 5. You then configure the timeout for the interface before it resends
an authentication request to the RADIUS server as 5. You specify the time, in seconds,
the interface waits before retransmitting the initial EAPoL PDUs to the supplicant as 60.
Finally, you configure the maximum number of times an EAPoL request packet is
retransmitted to the supplicant before the authentication session times out as 5.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set protocols dot1x authenticator interface ge-0/0/5 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/5 reauthentication 120
set protocols dot1x authenticator interface ge-0/0/5 supplicant-timeout 5
set protocols dot1x authenticator interface ge-0/0/5 server-timeout 5
set protocols dot1x authenticator interface ge-0/0/5 transmit-period 60
set protocols dot1x authenticator interface ge-0/0/5 maximum-requests 5
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure 802.1x interface settings:
1. Configure the protocol.
[edit]
user@host# edit protocols dot1x
2. Configure an interface.
[edit protocols dot1x]
user@host# edit authenticator interface ge-0/0/5
3. Configure the supplicant mode.
[edit protocols dot1x authenticator interface ge-0/0/5.0]
user@host# set supplicant multiple
4. Enable reauthentication and specify the reauthentication interval.
[edit protocols dot1x authenticator interface ge-0/0/5.0]
user@host# set reauthentication 120
5. Configure the interface timeout value for the response from the supplicant.
[edit protocols dot1x authenticator interface ge-0/0/5.0]
user@host# set supplicant-timeout 5
6. Set the server timeout value.
[edit protocols dot1x authenticator interface ge-0/0/5.0]
user@host# set server-timeout 5
7. Configure the transmit period.
[edit protocols dot1x authenticator interface ge-0/0/5.0]
user@host# set transmit-period 60
8. Specify the maximum request value.
[edit protocols dot1x authenticator interface ge-0/0/5.0]
user@host# set maximum-requests 5
Results
From configuration mode, confirm your configuration by entering the show protocols
dot1x command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
[edit]
user@host# show protocols dot1x
authenticator {
    interface {
        ge-0/0/5.0 {
            supplicant multiple;
            transmit-period 60;
            reauthentication 120;
            supplicant-timeout 5;
            server-timeout 5;
            maximum-requests 5;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
• Verifying 802.1X Interface Settings on page 205
Verifying 802.1X Interface Settings
Purpose
Verify that the 802.1X interface settings are working properly.
Action
From configuration mode, enter the show protocols dot1x command.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding 802.1X Port-Based Network Authentication on page 178
• Example: Configuring 802.1x Authentication on page 199
• Ethernet Ports Switching Overview on page 163
• Understanding Switching Modes on page 168
• Understanding VLANs on page 169
Example: Configuring a Guest VLAN
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
This example shows how to configure a guest VLAN for limited network access or for
Internet-only access to avoid compromising a company’s security.
• Requirements on page 206
• Overview on page 206
• Configuration on page 206
• Verification on page 206
Requirements
Before you begin, verify that the interfaces that will be used are in switch mode. See
“Example: Configuring Switching Modes” on page 193 and “Understanding Switching
Modes” on page 168.
Overview
In this example, you configure a VLAN called visitor-vlan with a VLAN ID of 300. Then
you set protocols and configure visitor-vlan as the guest VLAN.
Configuration
Step-by-Step Procedure
To configure a guest VLAN:
1. Configure a VLAN.
[edit]
user@host# set vlans visitor-vlan vlan-id 300
2. Specify the guest VLAN.
[edit]
user@host# set protocols dot1x authenticator interface all guest-vlan visitor-vlan
3. If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify the configuration is working properly, enter the show vlans and show protocols
dot1x commands.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding VLANs on page 169
• Understanding 802.1X Port-Based Network Authentication on page 178
• Example: Configuring 802.1x Authentication on page 199
• Ethernet Ports Switching Overview on page 163
Port Security
• Example: Configuring MAC Limiting on page 207
Example: Configuring MAC Limiting
Supported Platforms
SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
• Requirements on page 207
• Overview on page 207
• Configuration on page 207
• Verification on page 208
Requirements
Before you begin, verify that the interfaces that will be used are in switch mode. See
“Example: Configuring Switching Modes” on page 193 and “Understanding Switching
Modes” on page 168.
Overview
MAC limiting protects against flooding of the Ethernet switching table on the SRX Series
Services Gateways. MAC limiting sets a limit on the number of MAC addresses that can
be learned on a single Layer 2 access interface (port).
This example shows how to configure port security features by setting a MAC limit of 5.
Configuration
Step-by-Step Procedure
The action is not specified, so the switch performs the default action drop if the limit is
exceeded:
1. On a single interface (here, the interface is ge-0/0/1):
[edit ethernet-switching-options secure-access-port]
user@host# set interface ge-0/0/1 mac-limit 5
2. On all interfaces:
[edit ethernet-switching-options secure-access-port]
user@host# set interface all mac-limit 5
NOTE: Do not set the mac-limit to 1. The first learned MAC address is often inserted into the FDB automatically (for example, for routed VLAN interfaces the first MAC address inserted into the forwarding database is the MAC address of the RVI; for Aggregated Ethernet bundles using LACP, the first MAC address inserted into the FDB in the forwarding table is the source address of the protocol packet). The services gateway will therefore not learn MAC addresses other than the automatic addresses when the mac-limit is set to 1, and this will cause problems with MAC learning and forwarding.
3. To specify particular allowed MAC addresses:
• On a single interface (here, the interface is ge-0/0/2):
[edit ethernet-switching-options secure-access-port]
user@host# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@host# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@host# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
• On all interfaces:
[edit ethernet-switching-options secure-access-port]
user@host# set interface all allowed-mac 00:05:85:3A:82:80
user@host# set interface all allowed-mac 00:05:85:3A:82:81
user@host# set interface all allowed-mac 00:05:85:3A:82:83
Verification
Verifying That MAC Limiting Is Working Correctly on the Services Gateway
Purpose
Verify that MAC limiting is working on the services gateway.
Action
Display the learned MAC addresses. The following sample output shows the results when two packets were sent from hosts on ge-0/0/1 and five packets were sent from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4 with the action drop:
user@host> show ethernet-switching table
Ethernet-switching table: 7 entries, 6 learned
VLAN MAC address Type Age Interfaces
employee-vlan * Flood - ge-0/0/2.0
employee-vlan 00:05:85:3A:82:77 Learn 0 ge-0/0/1.0
employee-vlan 00:05:85:3A:82:79 Learn 0 ge-0/0/1.0
employee-vlan 00:05:85:3A:82:80 Learn 0 ge-0/0/2.0
employee-vlan 00:05:85:3A:82:81 Learn 0 ge-0/0/2.0
employee-vlan 00:05:85:3A:82:83 Learn 0 ge-0/0/2.0
employee-vlan 00:05:85:3A:82:85 Learn 0 ge-0/0/2.0
Meaning
The sample output shows that with a MAC limit of 4 for each interface, the packet for a fifth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit. The address was not learned, and thus an asterisk (*) rather than an address appears in the MAC address column in the first line of the sample output.
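To apply the same reading programmatically, here is an added Python helper, not Junos code, that parses show ethernet-switching table output in the format above, counts the learned addresses per interface, and reports an interface whose learned count has reached the configured mac-limit while a Flood (unlearned, *) entry is present. The sample output is constructed from the table above; the parser and its verdict names are hypothetical.

```python
"""Audit show ethernet-switching table output against a per-interface mac-limit.

Added example, not Junos code. parse_switching_table(), audit_mac_limit() and
summary_consistent() are hypothetical helper names.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the verification output above
# (two hosts on ge-0/0/1.0; a fifth MAC on ge-0/0/2.0 exceeded a limit of 4).
SAMPLE_OUTPUT = """\
Ethernet-switching table: 7 entries, 6 learned
  VLAN              MAC address        Type   Age  Interfaces
  employee-vlan     *                  Flood  -    ge-0/0/2.0
  employee-vlan     00:05:85:3A:82:77  Learn  0    ge-0/0/1.0
  employee-vlan     00:05:85:3A:82:79  Learn  0    ge-0/0/1.0
  employee-vlan     00:05:85:3A:82:80  Learn  0    ge-0/0/2.0
  employee-vlan     00:05:85:3A:82:81  Learn  0    ge-0/0/2.0
  employee-vlan     00:05:85:3A:82:83  Learn  0    ge-0/0/2.0
  employee-vlan     00:05:85:3A:82:85  Learn  0    ge-0/0/2.0
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
SUMMARY_RE = re.compile(r"^Ethernet-switching table: (\d+) entries, (\d+) learned")


@dataclass
class IfaceStats:
    learned: set = field(default_factory=set)  # MAC addresses with Type Learn
    flood: bool = False                         # a '*' Flood row was seen


def parse_switching_table(text):
    """Parse show ethernet-switching table output.

    Returns (summary, stats): summary is (entries, learned) from the title
    line, or None if absent; stats maps interface name -> IfaceStats.
    """
    summary, stats = None, {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
            continue
        parts = line.split()
        # Data rows have exactly five columns; the column header line has six.
        if len(parts) != 5 or parts[0] == "VLAN":
            continue
        _vlan, mac, typ, _age, iface = parts
        st = stats.setdefault(iface, IfaceStats())
        if typ == "Flood" and mac == "*":
            st.flood = True
        elif typ == "Learn" and MAC_RE.match(mac):
            st.learned.add(mac.lower())
    return summary, stats


def audit_mac_limit(text, mac_limit):
    """Return {interface: (learned_count, verdict)} for the given mac-limit.

    Verdicts: 'ok' below the limit; 'at-limit' when the limit is reached;
    'limit-exceeded' when the limit is reached and a Flood entry shows that a
    further address could not be learned (the case in the sample output).
    """
    _summary, stats = parse_switching_table(text)
    report = {}
    for iface, st in stats.items():
        n = len(st.learned)
        if n >= mac_limit and st.flood:
            verdict = "limit-exceeded"
        elif n >= mac_limit:
            verdict = "at-limit"
        else:
            verdict = "ok"
        report[iface] = (n, verdict)
    return report


def summary_consistent(text):
    """True when the title line's learned count matches the parsed Learn rows."""
    summary, stats = parse_switching_table(text)
    if summary is None:
        return False
    return summary[1] == sum(len(st.learned) for st in stats.values())


if __name__ == "__main__":
    for iface, (n, verdict) in sorted(audit_mac_limit(SAMPLE_OUTPUT, 4).items()):
        print(f"{iface}: {n} learned, {verdict}")
```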
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding MAC Limiting on page 185
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
IGMP Snooping
• Example: Configuring IGMP Snooping on page 208
Example: Configuring IGMP Snooping
Supported Platforms
J Series, SRX210, SRX220, SRX240, SRX650
This example shows you how to configure IGMP snooping.
Requirements
Before you begin:
• Ensure that the interfaces that will be used are in switch mode. See “Example: Configuring Switching Modes” on page 193.
• You should have a switched multicast network environment with VLANs configured. See “Example: Configuring VLANs” on page 195.
Overview
In this example, you configure IGMP snooping.
Configuration
GUI Step-by-Step Procedure
To access the IGMP Snooping Quick Configuration:
1. In the J-Web user interface, select Configure>Switching>IGMP Snooping.
The VLAN Configuration page displays a list of existing IGMP snooping configurations.
2. Click one:
• Add—Creates an IGMP snooping configuration for the VLAN.
• Edit—Edits an existing IGMP snooping configuration for the VLAN.
• Delete—Deletes member settings for the interface.
NOTE: If you delete a configuration, the VLAN configuration for all the associated interfaces is also deleted.
• Disable Vlan—Disables IGMP snooping on the selected VLAN.
When you are adding or editing a VLAN, enter information.
3. Click one:
• Click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.
• Click Cancel to cancel the configuration without saving changes.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding IGMP Snooping on page 186
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
GARP VLAN Registration Protocol
• Example: Configuring GARP VLAN Registration Protocol on page 210
Example: Configuring GARP VLAN Registration Protocol
Supported Platforms
J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650
This example shows you how to enable GVRP.
Requirements
Before you begin:
• Ensure that the interfaces that will be used are in switch mode. See “Example: Configuring Switching Modes” on page 193.
• You should have a switched multicast network environment with VLANs configured. See “Example: Configuring VLANs” on page 195.
Overview
In this example, you configure GVRP on an interface.
Configuration
GUI Step-by-Step Procedure
To access the GVRP Quick Configuration:
1. In the J-Web user interface, select Configure>Switching>GVRP.
The GVRP Configuration page displays a list of interfaces on which GVRP is enabled.
2. Click one:
• Global Settings—Modifies GVRP timers. Enter the information.
• Add—Enables GVRP on an interface.
• Disable Port—Disables an interface.
• Delete—Deletes an interface.
3. Click one:
• Click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.
• Click Cancel to cancel the configuration without saving changes.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding GARP VLAN Registration Protocol on page 188
• Ethernet Ports Switching Overview on page 163
• Verifying Switching Mode Configuration on page 194
Ethernet OAM Connectivity Fault Management
• Example: Configuring Ethernet OAM Connectivity Fault Management on page 211
• Creating the Maintenance Domain on page 221
• Creating a Maintenance Association on page 222
• Configuring a Maintenance Association End Point on page 222
• Configuring the Maintenance Domain MIP Half Function on page 224
• Configuring the Continuity Check Protocol on page 224
• Configuring the Linktrace Protocol on page 225
Example: Configuring Ethernet OAM Connectivity Fault Management
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
Connectivity Fault Management (CFM) provides a mechanism to monitor, locate, and
isolate faulty links.
This example describes how to enable and configure an end-to-end OAM CFM session
on an Ethernet interface.
• Requirements on page 211
• Overview on page 211
• Configuring Ethernet OAM Connectivity Fault Management on page 212
• Verification on page 218
Requirements
This example uses the following hardware and software components:
• Three SRX Series devices connected by a point-to-point Ethernet link.
• Junos OS Release 12.1X44-D10 or later for SRX Series devices.
Overview
Ethernet interfaces on SRX Series devices support the IEEE 802.1ag standard for
Operation, Administration, and Management (OAM). The IEEE 802.1ag specification
provides a specification for Ethernet connectivity fault management (CFM). CFM can be
used to detect faults in the network path between the customer premises devices. It also
helps in detecting the device or node in the provider network, where the failure occurred.
This example describes how to configure an end-to-end CFM session. In this example, three devices are connected by a point-to-point Ethernet link. The link between these devices is monitored using CFM. To check connectivity or faults through the provider network, a maintenance intermediate point (MIP) is configured.
Topology
Figure 1 on page 212 shows three SRX Series devices connected by a point-to-point Ethernet
link.
Figure 1: Ethernet CFM with SRX Series Devices
Configuring Ethernet OAM Connectivity Fault Management
• Configuring Ethernet OAM Connectivity Fault Management on Device 1 on page 212
• Configuring Ethernet OAM CFM with MIP Half Function on Device 2 on page 214
• Configuring Ethernet OAM Connectivity Fault Management on Device 3 on page 216
Configuring Ethernet OAM Connectivity Fault Management on Device 1
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members v100
set vlans v100 vlan-id 100
set protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md level 5
set protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md maintenance-association Customer-ma mep 100 interface fe-0/0/4.0
set protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md maintenance-association Customer-ma mep 100 interface vlan-id 100
set protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md maintenance-association Customer-ma mep 100 auto-discovery
set protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md maintenance-association Customer-ma continuity-check interval 10s
set protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md maintenance-association Customer-ma continuity-check hold-interval 20
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To enable and configure OAM CFM on device 1:
1. Define a VLAN and enable the interface for family Ethernet switching with port mode trunk or access.
[edit]
user@host# set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode trunk
user@host# set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members v100
user@host# set vlans v100 vlan-id 100
2. Specify the maintenance domain name and the maintenance domain level.
[edit protocols oam ethernet connectivity-fault-management]
user@host# set maintenance-domain Customer-md level 5
3. Create a maintenance association and configure the MEP.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md]
user@host# set maintenance-association Customer-ma mep 100 interface fe-0/0/4.0
user@host# set maintenance-association Customer-ma mep 100 interface vlan-id 100
4. Enable MEP automatic discovery.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md maintenance-association Customer-ma]
user@host# set mep 100 auto-discovery
5. Enable the Continuity Check Protocol and specify the continuity check interval and hold interval.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md maintenance-association Customer-ma]
user@host# set continuity-check interval 10s
user@host# set continuity-check hold-interval 20
Results
From configuration mode, confirm your configuration by entering the show protocols
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
For brevity, this show protocols command output includes only the configuration that is
relevant to this example. Any other configuration on the system has been replaced with
ellipses (...).
[edit]
user@host# show protocols
oam {
    ethernet {
        connectivity-fault-management {
            maintenance-domain Customer-md {
                level 5;
                maintenance-association Customer-ma {
                    continuity-check {
                        interval 10s;
                        hold-interval 20;
                    }
                    mep 100 {
                        interface fe-0/0/4.0 vlan-id 100;
                        auto-discovery;
                    }
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring Ethernet OAM CFM with MIP Half Function on Device 2
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v100
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members v100
set vlans v100 vlan-id 100
set protocols oam ethernet connectivity-fault-management maintenance-domain default-5 vlan-name v100
set protocols oam ethernet connectivity-fault-management maintenance-domain default-5 mip-half-function default
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure MIP half function:
1. Define a VLAN and enable the interfaces for family Ethernet switching with port mode trunk or access.
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
user@host# set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v100
user@host# set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode trunk
user@host# set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members v100
user@host# set vlans v100 vlan-id 100
2. Create a maintenance domain and configure the VLAN.
[edit protocols oam ethernet connectivity-fault-management]
user@host# set maintenance-domain default-5 vlan-name v100
3. Create a MIP half function.
[edit protocols oam ethernet connectivity-fault-management]
user@host# set maintenance-domain default-5 mip-half-function default
NOTE: If you want to configure traceoptions, run the following commands:
set protocols oam ethernet connectivity-fault-management traceoptions file CFM_trace
set protocols oam ethernet connectivity-fault-management traceoptions flag all
Results
From configuration mode, confirm your configuration by entering the show protocols
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant
to this example. Any other configuration on the system has been replaced with ellipses
(...).
[edit]
user@host# show protocols
oam {
    ethernet {
        connectivity-fault-management {
            traceoptions {
                file CFM_trace;
                flag all;
            }
            maintenance-domain default-5 {
                vlan-name v100;
                mip-half-function default;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring Ethernet OAM Connectivity Fault Management on Device 3
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v100
set vlans v100 vlan-id 100
set protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md level 5
set protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md maintenance-association Customer-ma mep 101 interface ge-0/0/1.0
set protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md maintenance-association Customer-ma mep 101 interface vlan-id 100
set protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md maintenance-association Customer-ma mep 101 auto-discovery
set protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md maintenance-association Customer-ma continuity-check hold-interval 20
set protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md maintenance-association Customer-ma continuity-check interval 10s
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To enable and configure OAM CFM on Device 3:
1. Define a VLAN and enable the interface for family Ethernet switching with port mode trunk or access.
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
user@host# set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v100
user@host# set vlans v100 vlan-id 100
2. Specify the maintenance domain name and the maintenance domain level.
[edit protocols oam ethernet connectivity-fault-management ]
user@host# set maintenance-domain Customer-md level 5
3. Create a maintenance association and configure MEP.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md]
user@host# set maintenance-association Customer-ma mep 101 interface ge-0/0/1.0
user@host# set maintenance-association Customer-ma mep 101 interface vlan-id 100
4. Enable MEP automatic discovery.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md]
user@host# set maintenance-association Customer-ma mep 101 auto-discovery
5. Enable the Continuity Check Protocol and specify the continuity check interval and hold interval.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain Customer-md maintenance-association Customer-ma]
user@host# set continuity-check interval 10s
user@host# set continuity-check hold-interval 20
Results
From configuration mode, confirm your configuration by entering the show protocols
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant
to this example. Any other configuration on the system has been replaced with ellipses
(...).
[edit]
user@host# show protocols
oam {
ethernet {
connectivity-fault-management {
maintenance-domain Customer-md {
level 5;
maintenance-association Customer-ma {
continuity-check {
interval 10s;
hold-interval 20;
}
mep 101 {
interface ge-0/0/1.0 vlan-id 100;
auto-discovery;
}
}
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
• Verifying the OAM CFM Configuration on Device 1 on page 218
• Verifying the OAM CFM Configuration with MIP Half Function on Device 2 on page 219
• Verifying the OAM CFM Configuration on Device 3 on page 219
• Verifying the Path Using the Linktrace Protocol on page 220
• Verifying MEP Continuity Using Ping on page 221
Verifying the OAM CFM Configuration on Device 1
Purpose
Verify that OAM CFM has been configured properly.
Action
From operational mode, enter the following commands:
• show oam ethernet connectivity-fault-management adjacencies to display connectivity-fault-management adjacencies.
• show oam ethernet connectivity-fault-management interfaces to display the Ethernet OAM information for the specified interface.
These commands produce the following sample output:
user@host# show oam ethernet connectivity-fault-management adjacencies
Mep-id    Interface     State    Timer to Expire
101       fe-0/0/4.0    ok       29
user@host# show oam ethernet connectivity-fault-management interfaces
Interface     Link    Status    Level    MEP Identifier    Neighbours
fe-0/0/4.0    Up      Active    5        100               1
user@host# show oam ethernet connectivity-fault-management interfaces detail
Interface name: fe-0/0/4.0, vlan 100, Interface status: Active, Link status: Up
  Maintenance domain name: Customer-md, Format: string, Level: 5
    Maintenance association name: Customer-ma, Format: string
    Continuity-check status: enabled, Interval: 10s
      MEP identifier: 100, Direction: down, MAC address: 2c:6b:f5:62:29:84
      MEP status: running
      Defects:
        Remote MEP not receiving CCM          : no
        Erroneous CCM received                : no
        Cross-connect CCM received            : no
        RDI sent by some MEP                  : no
      Statistics:
        CCMs sent                             : 7
        CCMs received out of sequence         : 0
        LBMs sent                             : 0
        Valid in-order LBRs received          : 0
        Valid out-of-order LBRs received      : 0
        LBRs received with corrupted data     : 0
        LBRs sent                             : 0
        LTMs sent                             : 0
        LTMs received                         : 0
        LTRs sent                             : 0
        LTRs received                         : 0
        Sequence number of next LTM request   : 0
        1DMs sent                             : 0
        Valid 1DMs received                   : 0
        Invalid 1DMs received                 : 0
        DMMs sent                             : 0
        DMRs sent                             : 0
        Valid DMRs received                   : 0
        Invalid DMRs received                 : 0
      Remote MEP count: 1
        Identifier    MAC address          State    Interface
        101           80:71:1f:ad:53:81    ok       fe-0/0/4.0
Meaning
• If the show oam ethernet connectivity-fault-management interfaces detail command output displays continuity-check status as enabled and displays details of the remote MEP, it means that connectivity fault management (CFM) was configured properly.
• If the show oam ethernet connectivity-fault-management adjacencies command output displays the state as ok, it indicates that the Continuity Check Protocol is up.
Verifying the OAM CFM Configuration with MIP Half Function on Device 2
Purpose
Verify that OAM CFM has been configured properly.
Action
From operational mode, run the show oam ethernet connectivity-fault-management mip command.
user@host# show oam ethernet connectivity-fault-management mip vlan 100
default maintenance-domain mhf : default
Interface      Level
ge-0/0/1.0     5
fe-0/0/4.0     5
Meaning
The show oam ethernet connectivity-fault-management mip command output displays the MIP information.
Verifying the OAM CFM Configuration on Device 3
Purpose
Verify that OAM CFM has been configured properly.
Action
From operational mode, enter the following commands:
• show oam ethernet connectivity-fault-management adjacencies to display connectivity-fault-management adjacencies.
• show oam ethernet connectivity-fault-management interfaces to display the Ethernet OAM information for the specified interface.
user@host# show oam ethernet connectivity-fault-management adjacencies
Mep-id    Interface     State    Timer to Expire
100       ge-0/0/1.0    ok       27
user@host# show oam ethernet connectivity-fault-management interfaces detail
Interface name: ge-0/0/1.0, vlan 100, Interface status: Active, Link status: Up
  Maintenance domain name: Customer-md, Format: string, Level: 5
    Maintenance association name: Customer-ma, Format: string
    Continuity-check status: enabled, Interval: 10s
      MEP identifier: 101, Direction: down, MAC address: 80:71:1f:ad:53:81
      MEP status: running
      Defects:
        Remote MEP not receiving CCM          : no
        Erroneous CCM received                : no
        Cross-connect CCM received            : no
        RDI sent by some MEP                  : no
      Statistics:
        CCMs sent                             : 77
        CCMs received out of sequence         : 0
        LBMs sent                             : 0
        Valid in-order LBRs received          : 0
        Valid out-of-order LBRs received      : 0
        LBRs received with corrupted data     : 0
        LBRs sent                             : 0
        LTMs sent                             : 0
        LTMs received                         : 0
        LTRs sent                             : 0
        LTRs received                         : 0
        Sequence number of next LTM request   : 0
        1DMs sent                             : 0
        Valid 1DMs received                   : 0
        Invalid 1DMs received                 : 0
        DMMs sent                             : 0
        DMRs sent                             : 0
        Valid DMRs received                   : 0
        Invalid DMRs received                 : 0
      Remote MEP count: 1
        Identifier    MAC address          State    Interface
        100           2c:6b:f5:62:29:84    ok       ge-0/0/1.0
Meaning
• If the show oam ethernet connectivity-fault-management interfaces detail command output displays continuity-check status as enabled and displays details of the remote MEP, it means that connectivity fault management (CFM) was configured properly.
• If the show oam ethernet connectivity-fault-management adjacencies command output displays the state as ok, it indicates that the Continuity Check Protocol is up.
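The Meaning bullets for Device 1 and Device 3 describe a manual read of the interfaces detail output. The following Python, an added example and not Juniper code, parses a constructed copy of that output (modelled on the Device 3 output above, with the cross-connect defect bit deliberately set) and reports raised defect bits, remote MEPs that were expected but not learned, and remote MEPs that were learned but never expected, which is how a CCM leaking in from another VLAN or maintenance association shows up.

```python
"""Parse `show oam ethernet connectivity-fault-management interfaces detail`
output and report anything that should stop a change from being signed off."""
import re

# Constructed sample in the format shown above for Device 3; the cross-connect
# defect bit is set here on purpose so the check has something to report.
SAMPLE_DETAIL = """\
Interface name: ge-0/0/1.0, vlan 100, Interface status: Active, Link status: Up
  Maintenance domain name: Customer-md, Format: string, Level: 5
    Maintenance association name: Customer-ma, Format: string
    Continuity-check status: enabled, Interval: 10s
      MEP identifier: 101, Direction: down, MAC address: 80:71:1f:ad:53:81
      MEP status: running
      Defects:
        Remote MEP not receiving CCM          : no
        Erroneous CCM received                : no
        Cross-connect CCM received            : yes
        RDI sent by some MEP                  : no
      Statistics:
        CCMs sent                             : 77
        CCMs received out of sequence         : 0
      Remote MEP count: 1
        Identifier   MAC address         State   Interface
        100          2c:6b:f5:62:29:84   ok      ge-0/0/1.0
"""

_KV = re.compile(r"^(?P<label>[^:]+?)\s*:\s*(?P<value>.+)$")


def parse_cfm_detail(text):
    """Return the MEP, its defect bits, counters and learned remote MEPs as a dict."""
    out = {"defects": {}, "stats": {}, "remote_meps": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface name:"):
            m = re.match(r"Interface name: (\S+), vlan (\d+), Interface status: (\w+), "
                         r"Link status: (\w+)", line)
            out.update(interface=m[1], vlan=int(m[2]), if_status=m[3], link=m[4])
        elif line.startswith("Maintenance domain name:"):
            m = re.match(r"Maintenance domain name: ([^,]+), Format: \w+, Level: (\d+)", line)
            out.update(md=m[1], level=int(m[2]))
        elif line.startswith("Maintenance association name:"):
            out["ma"] = re.match(r"Maintenance association name: ([^,]+),", line)[1]
        elif line.startswith("Continuity-check status:"):
            m = re.match(r"Continuity-check status: (\w+), Interval: (\S+)", line)
            out.update(cc_status=m[1], cc_interval=m[2])
        elif line.startswith("MEP identifier:"):
            m = re.match(r"MEP identifier: (\d+), Direction: (\w+), MAC address: (\S+)", line)
            out.update(mep_id=int(m[1]), direction=m[2], mac=m[3])
        elif line.startswith("MEP status:"):
            out["mep_status"] = line.split(":", 1)[1].strip()
        elif line == "Defects:":
            section = "defects"
        elif line == "Statistics:":
            section = "stats"
        elif line.startswith("Remote MEP count:"):
            out["remote_mep_count"] = int(line.split(":", 1)[1])
            section = "remote"
        elif section == "defects":
            m = _KV.match(line)
            out["defects"][m["label"]] = m["value"] == "yes"
        elif section == "stats":
            m = _KV.match(line)
            out["stats"][m["label"]] = int(m["value"])
        elif section == "remote" and not line.startswith("Identifier"):
            ident, mac, state, iface = line.split()
            out["remote_meps"].append({"id": int(ident), "mac": mac, "state": state,
                                       "interface": iface})
    return out


def cfm_health(parsed, expected_remote_meps):
    """List the reasons a MEP does not match the Meaning bullets above; [] is healthy."""
    problems = []
    if parsed.get("cc_status") != "enabled":
        problems.append("continuity check is not enabled")
    if parsed.get("mep_status") != "running":
        problems.append(f"MEP status is {parsed.get('mep_status')}")
    for label, raised in parsed["defects"].items():
        if raised:  # erroneous or cross-connect CCMs mean a peer this MA never expected
            problems.append(f"defect: {label}")
    seen = {r["id"] for r in parsed["remote_meps"]}
    expected = set(expected_remote_meps)
    problems += [f"expected remote MEP {i} not learned" for i in sorted(expected - seen)]
    problems += [f"unexpected remote MEP {i} learned" for i in sorted(seen - expected)]
    problems += [f"remote MEP {r['id']} state {r['state']}" for r in parsed["remote_meps"]
                 if r["state"] != "ok"]
    if parsed["stats"].get("CCMs sent", 0) == 0:
        problems.append("no CCMs sent yet")
    return problems
```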
Verifying the Path Using the Linktrace Protocol
Purpose
Verify the path between maintenance endpoints.
Action
From operational mode, enter the traceroute ethernet command.
user@host# traceroute ethernet maintenance-domain Customer-md maintenance-association Customer-ma mep 101
Linktrace to 80:71:1f:ad:53:81, Interface : fe-0/0/4.0
Maintenance Domain: Customer-md, Level: 5
Maintenance Association: Customer-ma, Local Mep: 100
Transaction Identifier: 3
Hop    TTL    Source MAC address     Next-hop MAC address
1      63     80:71:1f:ad:50:04      80:71:1f:ad:50:01
2      62     80:71:1f:ad:53:81      00:00:00:00:00:00
Verifying MEP Continuity Using Ping
Purpose
Verify access to MEPs under the same maintenance association.
Action
From operational mode, enter the ping ethernet command.
user@host# ping ethernet maintenance-domain Customer-md maintenance-association Customer-ma mep 101
PING to 80:71:1f:ad:53:81, Interface fe-0/0/4.0
60 bytes from 80:71:1f:ad:53:81: lbm_seq=0
60 bytes from 80:71:1f:ad:53:81: lbm_seq=1
60 bytes from 80:71:1f:ad:53:81: lbm_seq=2
60 bytes from 80:71:1f:ad:53:81: lbm_seq=3
--- ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding Ethernet OAM Connectivity Fault Management on page 189
Creating the Maintenance Domain
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
A maintenance domain consists of network entities such as operators, providers, and
customers. To enable CFM on an Ethernet interface, maintenance domains, maintenance
associations, and MEPs must be created and configured.
To create a maintenance domain:
1. Specify a name for the maintenance domain.
[edit protocols oam ethernet connectivity-fault-management]
user@host# set maintenance-domain domain-name
2. Specify a format for the maintenance domain name. If you specify none, no name is
configured.
• A plain ASCII character string
• A domain name service (DNS) format
• A media access control (MAC) address plus a two-octet identifier in the range 0 through 65,535
• none
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name]
user@host# set name-format format
For example, to specify the name format as a MAC address plus a two-octet identifier:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name]
user@host# set name-format mac+2oct
3. Configure the maintenance domain level, which is used to indicate the nesting
relationship between this domain and other domains. Use a value from 0 through 7.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name]
user@host# set level level-number
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding Ethernet OAM Connectivity Fault Management on page 189
• Configuring the Continuity Check Protocol on page 224
• Configuring the Maintenance Domain MIP Half Function on page 224
• Creating a Maintenance Association on page 222
• Configuring a Maintenance Association End Point on page 222
• Configuring the Linktrace Protocol on page 225
Creating a Maintenance Association
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
In a CFM maintenance domain, each service instance is called a maintenance association.
To create a maintenance association:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name]
user@host# set maintenance-association ma-name
NOTE: On branch SRX Series devices, a maximum of seven maintenance
associations are supported.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding Ethernet OAM Connectivity Fault Management on page 189
• Creating the Maintenance Domain on page 221
• Configuring the Maintenance Domain MIP Half Function on page 224
• Configuring the Continuity Check Protocol on page 224
• Configuring a Maintenance Association End Point on page 222
• Configuring the Linktrace Protocol on page 225
Configuring a Maintenance Association End Point
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
To configure a maintenance association end point (MEP):
1. Specify an ID for the MEP. The value can be from 1 through 8191.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name]
user@host# set mep mep-id
2. Enable maintenance endpoint automatic discovery if you want to have the MEP accept
continuity check messages (CCMs) from all remote MEPs of the same maintenance
association.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name mep mep-id]
user@host# set auto-discovery
3. Specify that CFM CCM packets be transmitted only in one direction for the MEP. That
is, set the direction as down so that CCMs are transmitted only out of (not into) the
interface configured on this MEP.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name mep mep-id]
user@host# set direction down
4. Specify the logical interface to which the MEP is attached. It can be either an access
interface or a trunk interface. If you specify a trunk interface, the VLAN associated
with that interface must have a VLAN ID.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name mep mep-id]
user@host# set interface interface-name
5. Configure a remote MEP from which CCMs are expected. If automatic discovery is not
enabled, the remote MEP must be configured under the mep statement or the CCMs
from the remote MEP are treated as errors.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name mep mep-id]
user@host# set remote-mep mep-id
NOTE: You cannot configure MEPs at different levels for the same VLANs.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding Ethernet OAM Connectivity Fault Management on page 189
• Creating the Maintenance Domain on page 221
• Configuring the Maintenance Domain MIP Half Function on page 224
• Creating a Maintenance Association on page 222
• Configuring the Continuity Check Protocol on page 224
• Configuring the Linktrace Protocol on page 225
Configuring the Maintenance Domain MIP Half Function
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
MIP half function (MHF) divides the maintenance association intermediate point (MIP)
functionality into two unidirectional segments, improves visibility with minimal
configuration, and improves network coverage by increasing the number of points that
can be monitored. MHF extends monitoring capability by responding to loopback and
linktrace messages to help isolate faults. Whenever a MIP is configured, the MIP half
function value for all maintenance domains and maintenance associations must be the
same.
To configure the MIP half function:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name]
user@host# set mip-half-function default
NOTE:
• If SRX240, SRX550, or SRX650 devices are configured as MIPs, ensure that a static MAC is configured in the Ethernet Switching table with the next-hop interface to the MEP MAC.
• You cannot configure MIP in a non-default domain.
• In Q-in-Q mode, double tag packets are not retained by MIP.
• A maximum of 116 MIPs can be configured on a device.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding Ethernet OAM Connectivity Fault Management on page 189
• Creating the Maintenance Domain on page 221
• Creating a Maintenance Association on page 222
• Configuring the Continuity Check Protocol on page 224
• Configuring a Maintenance Association End Point on page 222
• Configuring the Linktrace Protocol on page 225
Configuring the Continuity Check Protocol
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
The Continuity Check Protocol is used for fault detection by a maintenance association
end point (MEP) within a maintenance association. The MEP periodically sends continuity
check multicast messages. The receiving MEPs use the continuity check messages (CCMs)
to build a MEP database of all MEPs in the maintenance association.
To configure the Continuity Check Protocol:
1. Enable the Continuity Check Protocol.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name]
user@host# set continuity-check
2. Specify the continuity check hold interval. The hold interval is the number of minutes
to wait before flushing the MEP database if no updates occur. The default value is 10
minutes.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name continuity-check]
user@host# set hold-interval number
3. Specify the CCM interval. The interval is the time between the transmission of CCMs.
You can specify 10 minutes (10m), 1 minute (1m), 10 seconds (10s), 1 second (1s), or
100 milliseconds (100ms).
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name continuity-check]
user@host# set interval number
4. Specify the number of CCMs (that is, protocol data units) that can be lost before the
MEP is marked as down. The default number of protocol data units (PDUs) is 3.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name continuity-check]
user@host# set loss-threshold number
NOTE: If the CCM interval is 100 milliseconds, only four MEPs are supported
on a device.
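The limits stated across the preceding sections (level 0 through 7, MEP ID 1 through 8191, the five CCM intervals, seven maintenance associations on branch SRX Series devices, four MEPs at a 100 ms interval, MIP half function only in a default domain, a remote MEP required when auto-discovery is off, and no MEPs at different levels for the same VLAN) are easy to violate when set commands are produced from a template. The following Python, an added example and not Juniper code, builds the set commands for a description like the Device 2 and Device 3 configuration above and checks those limits before anything is pasted into the CLI; it assumes the default maintenance domains are named default-0 through default-7, as default-5 is used in the Device 2 example.

```python
"""Generate and sanity-check Junos CFM `set` commands against the limits stated in
this chapter (added example, not Juniper code)."""
import re

PREFIX = "set protocols oam ethernet connectivity-fault-management"
CCM_INTERVALS = ("10m", "1m", "10s", "1s", "100ms")
DEFAULT_MD = re.compile(r"^default-([0-7])$")   # assumption: default-0 .. default-7

# Constructed description of the Device 3 MEP and the Device 2 MIP from the example.
EXAMPLE = [
    {"name": "Customer-md", "level": 5, "associations": [
        {"name": "Customer-ma", "interval": "10s", "hold_interval": 20,
         "meps": [{"id": 101, "interface": "ge-0/0/1.0", "vlan_id": 100,
                   "auto_discovery": True}]}]},
    {"name": "default-5", "mip_half_function": "default"},
]


def md_level(md):
    """Explicit level, or the level implied by a default-N domain name, else None."""
    if "level" in md:
        return md["level"]
    m = DEFAULT_MD.match(md["name"])
    return int(m.group(1)) if m else None


def validate_cfm(domains, branch_srx=True):
    """Return a list of violations of the limits stated in this chapter; [] is clean."""
    errors = []
    ma_total = 0
    meps_at_100ms = 0
    vlan_level = {}            # vlan-id -> MD level of the first MEP seen on that VLAN
    for md in domains:
        name, level = md["name"], md_level(md)
        if level is None or not 0 <= level <= 7:
            errors.append(f"{name}: level must be 0 through 7")
        if md.get("mip_half_function") and not DEFAULT_MD.match(name):
            errors.append(f"{name}: MIP half function only in a default domain")
        for ma in md.get("associations", []):
            ma_total += 1
            if ma["interval"] not in CCM_INTERVALS:
                errors.append(f"{ma['name']}: interval {ma['interval']} not allowed")
            for mep in ma.get("meps", []):
                mid = mep["id"]
                if not 1 <= mid <= 8191:
                    errors.append(f"mep {mid}: ID must be 1 through 8191")
                if ma["interval"] == "100ms":
                    meps_at_100ms += 1
                if not mep.get("auto_discovery") and not mep.get("remote_meps"):
                    errors.append(f"mep {mid}: no remote-mep and no auto-discovery; "
                                  "CCMs from peers will be treated as errors")
                vlan = mep.get("vlan_id")
                if vlan is not None and vlan_level.setdefault(vlan, level) != level:
                    errors.append(f"mep {mid}: MEPs at different levels on VLAN {vlan}")
    if branch_srx and ma_total > 7:
        errors.append(f"{ma_total} maintenance associations; branch SRX supports 7")
    if meps_at_100ms > 4:
        errors.append(f"{meps_at_100ms} MEPs at 100ms; only four are supported")
    return errors


def cfm_set_commands(domains):
    """Emit the `set` commands for the description, in the order the procedures use."""
    cmds = []
    for md in domains:
        base = f"{PREFIX} maintenance-domain {md['name']}"
        if "level" in md:
            cmds.append(f"{base} level {md['level']}")
        if md.get("mip_half_function"):
            cmds.append(f"{base} mip-half-function {md['mip_half_function']}")
        for ma in md.get("associations", []):
            mab = f"{base} maintenance-association {ma['name']}"
            for mep in ma.get("meps", []):
                mb = f"{mab} mep {mep['id']}"
                cmds.append(f"{mb} interface {mep['interface']}")
                if mep.get("vlan_id") is not None:
                    cmds.append(f"{mb} interface vlan-id {mep['vlan_id']}")
                if mep.get("auto_discovery"):
                    cmds.append(f"{mb} auto-discovery")
                for remote in mep.get("remote_meps", []):
                    cmds.append(f"{mb} remote-mep {remote}")
            cc = f"{mab} continuity-check"
            cmds.append(f"{cc} interval {ma['interval']}")
            for key in ("hold_interval", "loss_threshold"):
                if key in ma:
                    cmds.append(f"{cc} {key.replace('_', '-')} {ma[key]}")
    return cmds
```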
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding Ethernet OAM Connectivity Fault Management on page 189
• Creating the Maintenance Domain on page 221
• Creating a Maintenance Association on page 222
• Configuring the Maintenance Domain MIP Half Function on page 224
• Configuring the Linktrace Protocol on page 225
Configuring the Linktrace Protocol
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
The Linktrace protocol is used for path discovery between a pair of maintenance points.
Linktrace messages are triggered by an administrator using the traceroute ethernet
command to verify the path between a pair of MEPs under the same maintenance
association. Linktrace messages can also be used to verify the path between a MEP and
a MIP under the same maintenance domain.
To configure the Linktrace protocol:
1. Configure the linktrace path age timer. If no response to a linktrace request is received, the request and response entries are deleted after the age timer expires.
[edit protocols oam ethernet connectivity-fault-management]
user@host# set linktrace age time
2. Configure the number of linktrace reply entries to be stored per linktrace request.
[edit protocols oam ethernet connectivity-fault-management]
user@host# set linktrace path-database-size path-database-size
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding Ethernet OAM Connectivity Fault Management on page 189
• Creating the Maintenance Domain on page 221
• Creating a Maintenance Association on page 222
• Configuring the Maintenance Domain MIP Half Function on page 224
• Configuring the Continuity Check Protocol on page 224
Ethernet OAM Link Fault Management
• Example: Configuring Ethernet OAM Link Fault Management on page 226
Example: Configuring Ethernet OAM Link Fault Management
Supported Platforms
LN Series, SRX100, SRX210, SRX220, SRX240, SRX550, SRX650
The Ethernet interfaces on the SRX Series devices support the IEEE 802.3ah standard
for Operation, Administration, and Maintenance (OAM). The standard defines OAM link
fault management (LFM). You can configure IEEE 802.3ah OAM LFM on point-to-point
Ethernet links that are connected either directly or through Ethernet repeaters.
This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX550, and SRX650
devices.
This example describes how to enable and configure OAM LFM on a Gigabit Ethernet or
Fast Ethernet interface:
• Requirements on page 227
• Overview on page 227
• Configuration on page 228
• Verification on page 229
Requirements
This example uses the following hardware and software components:
• Junos OS Release 12.1 R2 or later for SRX Series Services Gateways
• Any two models of SRX Series devices connected directly
Before you begin:
• Establish basic connectivity. See the Getting Started Guide for your device.
• Configure network interfaces as necessary. See Example: Creating an Ethernet Interface.
• Ensure that you configure the interfaces as per the interface modules listed in “Understanding Ethernet OAM Link Fault Management for SRX Series Services Gateways” on page 190.
Overview
The Ethernet interfaces on the SRX Series devices support the IEEE 802.3ah standard
for Operation, Administration, and Maintenance (OAM). The standard defines OAM link
fault management (LFM). You can configure IEEE 802.3ah OAM LFM on point-to-point
Ethernet links that are connected either directly or through Ethernet repeaters.
This example uses two SRX Series devices connected directly. Before you begin configuring
Ethernet OAM LFM on these two devices, connect the two devices directly through
supported interfaces. See “Understanding Ethernet OAM Link Fault Management for
SRX Series Services Gateways” on page 190.
Figure 2 on page 227 shows the topology used in this example.
Figure 2: Ethernet LFM with SRX Series Devices (two SRX Series devices connected directly, ge-0/0/0 on one device to ge-0/0/1 on the other)
NOTE: For more information about configuring Ethernet OAM Link Fault Management, see Junos® OS Ethernet Interfaces.
Configuration
To configure Ethernet OAM LFM, perform these tasks:
• Configuring Ethernet OAM Link Fault Management on Device 1 on page 228
• Configuring Ethernet OAM Link Fault Management on Device 2 on page 229
Configuring Ethernet OAM Link Fault Management on Device 1
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set protocols oam ethernet link-fault-management interface ge-0/0/0
set protocols oam ethernet link-fault-management interface ge-0/0/0 link-discovery active
set protocols oam ethernet link-fault-management interface ge-0/0/0 pdu-interval 800
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure Ethernet OAM LFM on device 1:
1. Enable IEEE 802.3ah OAM support.
[edit protocols oam ethernet link-fault-management]
user@device1# set interface ge-0/0/0
2. Specify that the interface initiates the discovery process.
[edit protocols oam ethernet link-fault-management]
user@device1# set interface ge-0/0/0 link-discovery active
3. Set the periodic OAM PDU-sending interval (in milliseconds) for fault detection.
[edit protocols oam ethernet link-fault-management]
user@device1# set interface ge-0/0/0 pdu-interval 800
Results
From configuration mode, confirm your configuration by entering the show protocols
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
[edit]
user@device1# show protocols
protocols {
oam {
ethernet {
link-fault-management {
interface ge-0/0/0 {
pdu-interval 800;
link-discovery active;
}
}
}
}
}
Configuring Ethernet OAM Link Fault Management on Device 2
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set protocols oam ethernet link-fault-management interface ge-0/0/1
set protocols oam ethernet link-fault-management interface ge-0/0/1 pdu-interval 800
set protocols oam ethernet link-fault-management interface ge-0/0/1 negotiation-options allow-remote-loopback
Step-by-Step Procedure
To configure Ethernet OAM LFM on device 2:
1. Enable OAM on the peer interface.
[edit protocols oam ethernet link-fault-management]
user@device2# set interface ge-0/0/1
2. Set the periodic OAM PDU-sending interval (in milliseconds) for fault detection.
[edit protocols oam ethernet link-fault-management]
user@device2# set interface ge-0/0/1 pdu-interval 800
3. Enable remote loopback support for the local interface.
[edit protocols oam ethernet link-fault-management]
user@device2# set interface ge-0/0/1 negotiation-options allow-remote-loopback
Results
From configuration mode, confirm your configuration by entering the show protocols
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
[edit]
user@device2# show protocols
protocols {
oam {
ethernet {
link-fault-management {
interface ge-0/0/1 {
negotiation-options {
allow-remote-loopback;
}
}
}
}
}
}
Verification
Verify the OAM LFM Configuration
Purpose
Verify that OAM LFM is configured properly.
Action
From operational mode, enter the show oam ethernet link-fault-management command.
user@device1> show oam ethernet link-fault-management
Interface: ge-0/0/0.0
Status: Running, Discovery state: Send Any
Peer address: 00:19:e2:50:3b:e1
Flags: Remote-Stable Remote-State-Valid Local-Stable 0x50
Remote entity information:
Remote MUX action: forwarding, Remote parser action: forwarding
Discovery mode: active, Unidirectional mode: unsupported
Remote loopback mode: supported, Link events: supported
Variable requests: unsupported
Meaning
If OAM LFM has been configured properly, the output displays the peer MAC address and the discovery state Send Any.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding Ethernet OAM Link Fault Management for SRX Series Services Gateways on page 190
• Ethernet Interfaces Feature Guide for Security Devices
Configuration Statements
• Access Configuration Statement Hierarchy on page 231
• Class-of-Service Configuration Statement Hierarchy on page 239
• authentication-order (Access Profile) on page 244
• code-points (CoS) on page 245
• destination-address (Security Policies) on page 246
• family inet (Interfaces) on page 247
• flow (Security Flow) on page 250
• forwarding-classes (CoS) on page 252
• host-inbound-traffic on page 253
• interfaces (CoS) on page 254
• interfaces (Security Zones) on page 255
• loss-priority (CoS Loss Priority) on page 256
• match (Security Policies) on page 257
• native-vlan-id (Interfaces) on page 258
• policy (Security Policies) on page 259
• port (Access RADIUS) on page 261
• profile (Access) on page 262
• radius-server (Access) on page 265
• redundancy-group (Interfaces) on page 266
• source-address (Security Policies) on page 267
• source-address (Access RADIUS) on page 268
• security-zone on page 269
• system-services (Security Zones Interfaces) on page 271
• vlan-id (Bridge Domain) on page 273
• vlan-id-list (Bridge Domains) on page 274
• vlan-tagging (Interfaces) on page 275
Access Configuration Statement Hierarchy
Supported Platforms
J Series, LN Series, SRX Series
Use the statements in the access configuration hierarchy to configure access to the device
and authentication methods, including address assignment and address pool, user and
firewall authentication, a group profile, LDAP options and LDAP server configuration, an
access profile, RADIUS options and RADIUS server configuration, and SecurID server
configuration.
access {
address-assignment {
abated-utilization percentage;
abated-utilization-v6 percentage;
high-utilization percentage;
high-utilization-v6 percentage;
neighbor-discovery-router-advertisement ndra-name;
pool pool-name {
family {
inet {
dhcp-attributes {
boot-file boot-file-name;
boot-server boot-server-name;
domain-name domain-name;
grace-period seconds;
maximum-lease-time (seconds | infinite);
name-server ipv4-address;
netbios-node-type (b-node | h-node | m-node | p-node);
next-server next-server-name;
option dhcp-option-identifier-code {
array {
byte [8-bit-value];
flag [ false | off | on | true ];
integer [32-bit-numeric-values];
ip-address [ip-address];
short [signed-16-bit-numeric-value];
string [character string value];
unsigned-integer [unsigned-32-bit-numeric-value];
unsigned-short [16-bit-numeric-value];
}
byte 8-bit-value;
flag (false | off | on | true);
integer 32-bit-numeric-values;
ip-address ip-address;
short signed-16-bit-numeric-value;
string character string value;
unsigned-integer unsigned-32-bit-numeric-value;
unsigned-short 16-bit-numeric-value;
}
option-match {
option-82 {
circuit-id match-value {
range range-name;
}
remote-id match-value {
range range-name;
}
}
}
propagate-ppp-settings [interface-name];
propagate-settings interface-name;
router ipv4-address;
server-identifier ip-address;
sip-server {
ip-address ipv4-address;
name sip-server-name;
}
tftp-server server-name;
wins-server ipv4-address;
}
host hostname {
hardware-address mac-address;
ip-address reserved-address;
}
network network address;
range range-name {
high upper-limit;
low lower-limit;
}
xauth-attributes {
primary-dns ip-address;
primary-wins ip-address;
secondary-dns ip-address;
secondary-wins ip-address;
}
}
inet6 {
dhcp-attributes {
dns-server ipv6-address;
grace-period seconds;
maximum-lease-time (seconds | infinite);
option dhcp-option-identifier-code {
array {
byte [8-bit-value];
flag [ false | off | on | true ];
integer [32-bit-numeric-values];
ip-address [ip-address];
short [signed-16-bit-numeric-value];
string [character string value];
unsigned-integer [unsigned-32-bit-numeric-value];
unsigned-short [16-bit-numeric-value];
}
byte 8-bit-value;
flag (false | off | on | true);
integer 32-bit-numeric-values;
ip-address ip-address;
short signed-16-bit-numeric-value;
string character string value;
unsigned-integer unsigned-32-bit-numeric-value;
unsigned-short 16-bit-numeric-value;
}
propagate-ppp-settings [interface-name];
sip-server-address ipv6-address;
sip-server-domain-name domain-name;
}
prefix ipv6-network-prefix;
range range-name {
high upper-limit;
low lower-limit;
prefix-length delegated-prefix-length;
}
}
}
link pool-name;
}
}
address-pool pool-name {
(address address-or-address-prefix ) {
address-range {
high upper-limit;
low lower-limit;
mask network-mask;
}
primary-dns name;
primary-wins name;
secondary-dns name;
secondary-wins name;
}
}
address-protection;
domain {
delimiter delimiter;
map domain-map-name {
aaa-logical-system logical-system-name;
aaa-routing-instance routing-instance-name;
access-profile access-profile-name;
address-pool address-pool-name;
dynamic-profile dynamic-profile-name;
padn destination-address {
mask destination-mask;
metric metric-value;
}
strip-domain;
target-logical-system logical-system-name;
target-routing-instance target-routing-instance;
}
parse-direction (left-to-right | right-to-left);
}
firewall-authentication {
pass-through {
default-profile profile-name;
ftp {
banner {
fail string;
login string;
success string;
}
}
http {
banner {
fail string;
login string;
success string;
}
}
telnet {
banner {
fail string;
login string;
success string;
}
}
}
traceoptions {
file {
filename;
files number;
flag flag;
match regular-expression;
no-remote-trace;
size maximum-file-size;
(world-readable | no-world-readable);
}
}
web-authentication {
banner {
success string;
}
default-profile profile-name;
}
}
group-profile profile-name {
ppp {
cell-overhead;
encapsulated-overhead encapsulated-overhead-value;
framed-pool address-pool-name;
idle-timeout seconds;
interface-id interface-identifier;
keepalive seconds;
ppp-options {
chap;
pap;
}
primary-dns name;
primary-wins name;
secondary-dns name;
secondary-wins name;
}
}
gx-plus {
global {
max-outstanding-requests max-outstanding-requests;
}
partition partition-name {
destination-host gx-plus-destination-host;
destination-realm gx-plus-destination-realm;
diameter-instance gx-plus-diameter-instance;
}
}
ldap-options {
assemble {
common-name common-name;
}
base-distinguished-name base-distinguished-name;
revert-interval seconds;
search {
admin-search {
distinguished-name distinguished-name;
password password;
}
search-filter filter-name;
}
}
ldap-server hostname-or-address {
port port-number;
retry attempts;
routing-instance routing-instance-name;
source-address source-address;
timeout seconds;
}
ppp-options {
compliance {
rfc (2486 | [rfc-number]);
}
}
profile profile-name {
accounting {
accounting-stop-on-access-deny;
accounting-stop-on-failure;
coa-immediate-update;
duplication;
immediate-update;
order [accounting-method];
statistics (time | volume-time);
update-interval minutes;
}
accounting-order [accounting-method];
address-assignment pool pool-name;
authentication-order [ldap | none | password | radius | securid];
authorization-order [jsrc];
client client-name {
chap-secret chap-secret;
client-group [ group-names ];
firewall-user {
password password;
}
no-rfc2486;
pap-password pap-password;
x-auth ip-address;
}
client-name-filter {
count number;
domain-name domain-name;
separator special-character;
}
ldap-options {
assemble {
common-name common-name;
}
base-distinguished-name base-distinguished-name;
revert-interval seconds;
search {
admin-search {
distinguished-name distinguished-name;
password password;
}
search-filter search-filter-name;
}
}
ldap-server server-address {
port port-number;
retry attempts;
routing-instance routing-instance-name;
source-address source-address;
timeout seconds;
}
provisioning-order (gx-plus | jsrc);
radius {
accounting-server [server];
attributes {
exclude {
acc-aggr-cir-id-asc [access-request | accounting-start | accounting-stop];
acc-aggr-cir-id-bin [access-request | accounting-start | accounting-stop];
acc-loop-cir-id [access-request | accounting-start | accounting-stop];
accounting-authentic [accounting-off | accounting-on | accounting-start |
accounting-stop];
accounting-delay-time [accounting-off | accounting-on | accounting-start |
accounting-stop];
accounting-session-id [access-request];
accounting-terminate-cause [accounting-off];
act-data-rate-dn [access-request | accounting-start | accounting-stop];
act-data-rate-up [access-request | accounting-start | accounting-stop];
act-interlv-delay-dn [access-request | accounting-start | accounting-stop];
act-interlv-delay-up [access-request | accounting-start | accounting-stop];
att-data-rate-dn [access-request | accounting-start | accounting-stop];
att-data-rate-up [access-request | accounting-start | accounting-stop];
called-station-id [access-request | accounting-start | accounting-stop];
calling-station-id [access-request | accounting-start | accounting-stop];
class [access-request | accounting-start | accounting-stop];
delegated-ipv6-prefix [accounting-start | accounting-stop];
dhcp-gi-address [access-request | accounting-start | accounting-stop];
dhcp-mac-address [access-request | accounting-start | accounting-stop];
dhcp-options [access-request | accounting-start | accounting-stop];
downstream-calculated-qos-rate [access-request | accounting-start |
accounting-stop];
dsl-forum-attributes [access-request | accounting-start | accounting-stop];
dsl-line-state [access-request | accounting-start | accounting-stop];
dsl-type [access-request | accounting-start | accounting-stop];
dynamic-iflset-name [accounting-start | accounting-stop];
event-time-stamp [accounting-off | accounting-on | accounting-start |
accounting-stop];
framed-interface-id [access-request | accounting-start | accounting-stop];
framed-ip-address [access-request | accounting-start | accounting-stop];
framed-ip-netmask [access-request | accounting-start | accounting-stop];
framed-ip-route [access-request | accounting-start | accounting-stop];
framed-ipv6-pool [accounting-start | accounting-stop];
framed-ipv6-prefix [accounting-start | accounting-stop];
framed-ipv6-route [accounting-start | accounting-stop];
framed-pool [accounting-start | accounting-stop];
input-filter [accounting-start | accounting-stop];
input-gigapackets [accounting-stop];
input-gigawords [accounting-stop];
input-ipv6-gigawords [accounting-stop];
input-ipv6-octets [accounting-stop];
input-ipv6-packets [accounting-stop];
interface-description [access-request | accounting-start | accounting-stop];
l2c-downstream-data [access-request | accounting-start | accounting-stop];
l2c-upstream-data [access-request | accounting-start | accounting-stop];
max-data-rate-dn [access-request | accounting-start | accounting-stop];
max-data-rate-up [access-request | accounting-start | accounting-stop];
max-interlv-delay-dn [access-request | accounting-start | accounting-stop];
max-interlv-delay-up [access-request | accounting-start | accounting-stop];
min-data-rate-dn [access-request | accounting-start | accounting-stop];
min-data-rate-up [access-request | accounting-start | accounting-stop];
min-lp-data-rate-dn [access-request | accounting-start | accounting-stop];
min-lp-data-rate-up [access-request | accounting-start | accounting-stop];
nas-identifier [access-request | accounting-start | accounting-stop];
nas-port [access-request | accounting-off | accounting-on | accounting-start |
accounting-stop];
nas-port-id [access-request | accounting-start | accounting-stop];
nas-port-type [access-request | accounting-start | accounting-stop];
output-filter [accounting-start | accounting-stop];
output-gigapackets [accounting-stop];
output-gigawords [accounting-stop];
output-ipv6-gigawords [accounting-stop];
output-ipv6-octets [accounting-stop];
output-ipv6-packets [accounting-stop];
upstream-calculated-qos-rate [access-request | accounting-start |
accounting-stop];
}
ignore {
dynamic-iflset-name;
framed-ip-netmask;
input-filter;
logical-system-routing-instance;
output-filter;
}
}
authentication-server [server];
radius-options {
request-rate number;
revert-interval seconds;
}
radius-server server-address {
accounting-port port-number;
max-outstanding-requests number-of-outstanding-requests;
port port-number;
retry attempts;
routing-instance routing-instance-name;
secret password;
source-address source-address;
timeout seconds;
}
service {
accounting-order {
activation-protocol;
radius;
}
}
session-options {
client-group [group-name];
client-idle-timeout minutes;
client-session-timeout minutes;
}
}
radius-options {
request-rate number;
revert-interval seconds;
}
radius-server server-address {
accounting-port port-number;
max-outstanding-requests number-of-max-outstanding-requests;
port port-number;
retry attempts;
routing-instance routing-instance-name;
secret password;
source-address source-address;
timeout seconds;
}
securid-server server-name {
configuration-file filepath;
}
terminate-code {
aaa {
deny {
authentication-denied {
radius acct-terminate-cause-value;
}
no-resources {
radius acct-terminate-cause-value;
}
server-request-timeout {
radius acct-terminate-cause-value;
}
}
shutdown {
administrative-reset {
radius acct-terminate-cause-value;
}
remote-reset {
radius acct-terminate-cause-value;
}
}
}
dhcp {
client-request {
radius acct-terminate-cause-value;
}
lost-carrier {
radius acct-terminate-cause-value;
}
nak {
radius acct-terminate-cause-value;
}
nas-logout {
radius acct-terminate-cause-value;
}
no-offers {
radius acct-terminate-cause-value;
}
}
}
}
Related Documentation
• Administration Guide for Security Devices
• Ethernet Port Switching Feature Guide for Security Devices
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
• Firewall User Authentication Feature Guide for Security Devices
Class-of-Service Configuration Statement Hierarchy

Supported Platforms
J Series, SRX Series

Use the statements in the class-of-service configuration hierarchy to configure
class-of-service (CoS) features.
class-of-service {
adaptive-shapers adaptive-shaper-name {
trigger becn {
shaping-rate (absolute-rate | percent percent);
}
}
application-traffic-control {
rate-limiters rate-limiter-name {
bandwidth-limit kbps;
burst-size-limit bytes;
}
rule-sets rule-set-name {
rule rule-name {
match {
application [application-name];
application-any;
application-group [application-group-name];
application-known;
application-unknown;
}
then {
dscp-code-point dscp-value;
forwarding-class class-name;
log;
loss-priority (high | low | medium-high | medium-low);
rate-limit {
loss-priority-high;
client-to-server rate-limiter;
server-to-client rate-limiter;
}
}
}
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
classifiers {
(dscp | dscp-ipv6 | exp | ieee-802.1 | ieee-802.1ad | inet-precedence) classifier-name {
forwarding-class class-name {
loss-priority (high | low | medium-high | medium-low) {
code-points [alias-or-bit-string ];
}
}
import (classifier-name | default);
}
}
code-point-aliases {
(dscp | dscp-ipv6 | exp | ieee-802.1 | ieee-802.1ad | inet-precedence) alias-name {
dscp-bits;
}
}
drop-profiles profile-name {
fill-level percent {
drop-probability number;
}
interpolate {
drop-probability [number];
fill-level [percent];
}
}
forwarding-classes {
class class-name {
priority (high | low);
queue-num number;
spu-priority (high | low);
}
queue queue-number {
class-name {
priority (high | low);
}
}
}
forwarding-policy {
class class-name {
classification-override {
forwarding-class class-name;
}
}
next-hop-map next-hop-map-name {
forwarding-class class-name {
discard;
lsp-next-hop [lsp-regular-expression];
next-hop [next-hop-identifier];
non-lsp-next-hop;
}
}
}
fragmentation-maps fragmentation-map-name {
forwarding-class forwarding-class-name {
drop-timeout milliseconds;
(fragment-threshold bytes | no-fragmentation);
multilink-class number;
}
}
host-outbound-traffic {
dscp-code-point static-dscp-code-point;
forwarding-class class-name;
tcp {
raise-internet-control-priority;
}
}
interfaces interface-name {
input-traffic-control-profile profile-name;
output-traffic-control-profile profile-name;
output-traffic-control-profile-remaining profile-name;
scheduler-map scheduler-map;
shaping-rate bps;
unit logical-unit-number {
adaptive-shaper adaptive-shaper-name;
classifiers {
(dscp | dscp-ipv6 | exp | ieee-802.1 | ieee-802.1ad | inet-precedence)
}
forwarding-class class-name;
input-traffic-control-profile {
profile-name;
shared-instance shared-instance-name;
}
loss-priority-maps {
frame-relay-de {
(lpmap-name | default);
}
}
output-traffic-control-profile {
profile-name;
shared-instance shared-instance-name;
}
rewrite-rules {
(dscp | dscp-ipv6 | exp | frame-relay-de | ieee-802.1 | ieee-802.1ad | inet-precedence)
}
scheduler-map scheduler-map-name;
shaping-rate {
rate;
}
vc-shared-scheduler;
virtual-channel-group group-name;
}
}
}
loss-priority-maps {
frame-relay-de loss-priority-map-name {
loss-priority (high | low | medium-high | medium-low) {
code-points [bit-string];
}
}
}
rewrite-rules {
(dscp | dscp-ipv6 | exp | frame-relay-de | ieee-802.1 | ieee-802.1ad | inet-precedence) rewrite-rule-name {
forwarding-class forwarding-class-name {
loss-priority (high | low | medium-high | medium-low) {
code-point alias-or-bit-string;
}
import (default | rewrite-rule-name);
}
}
}
scheduler-maps scheduler-map-name {
forwarding-class class-name {
scheduler scheduler-name;
}
}
schedulers scheduler-name {
buffer-size {
exact;
(percent percent | remainder percent | temporal microseconds);
}
drop-profile-map {
loss-priority (any | high | low | medium-high | medium-low);
protocol any;
drop-profile profile;
}
priority (high | low | medium-high | medium-low | strict-high);
shaping-rate (absolute-rate | percent percent);
transmit-rate <exact> (percent percent | rate bits | remainder percent);
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
traffic-control-profiles profile-name {
delay-buffer-rate (absolute-rate | cps cells-per-second | percent percent);
guaranteed-rate (absolute-rate | percent percent);
overhead-accounting (bytes bytes | cell-mode | frame-mode);
scheduler-map scheduler-map-name;
shaping-rate (absolute-rate | percent percent);
}
tri-color;
virtual-channel-groups virtual-channel-group-name {
virtual-channel-name {
default;
scheduler-map scheduler-map-name;
shaping-rate (absolute-rate | percent percent);
}
}
virtual-channels virtual-channel-name;
}
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Application Quality of Service Feature Guide for Security Devices
• IDP Class of Service Action Feature Guide for Security Devices
• CoS Virtual Channels and Tunnels Feature Guide for Security Devices
• CoS and Hierarchical Schedulers Feature Guide for Security Devices
• Link Services and Special Interfaces Feature Guide for Security Devices
• Junos OS CoS Library for Security Devices
authentication-order (Access Profile)

Supported Platforms
J Series, SRX Series

Syntax
authentication-order [ldap | none | password | radius | securid];

Hierarchy Level
[edit access profile profile-name]

Release Information
Statement modified in Release 9.1 of Junos OS.

Description
Set the order in which Junos OS tries the different authentication methods when verifying
that a client can access the device. For each login attempt, the software tries the
authentication methods in order, from first to last.

Options
• ldap—Verify the client using LDAP.
• none—No authentication is performed.
• password—Verify the client using the information configured at the [edit access profile
profile-name client client-name] hierarchy level.
• radius—Verify the client using RADIUS authentication services.
• securid—Verify the client using SecurID authentication services.

Required Privilege Level
access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
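The following configuration is an added example and is not taken from the Juniper documentation. It shows an access profile whose authentication-order tries RADIUS first and falls back to the client passwords held in the profile, wired to a security policy that forces pass-through firewall authentication for web traffic. The profile name, client name, RADIUS server address, secret and zone names are placeholders chosen for illustration.

```junos
/* Added example, not from the Juniper documentation. Server addresses,
   secrets, user and profile names are placeholders. */
access {
    profile fw-users {
        /* Methods are tried first to last. "none" is deliberately absent:
           once reached it accepts the client without any authentication,
           so it has no place in a production profile. */
        authentication-order [ radius password ];
        client alice {
            firewall-user {
                password "replace-with-strong-password";
            }
        }
        radius-server {
            192.0.2.10 {
                port 1812;
                secret "replace-with-shared-secret";
                timeout 5;
                retry 3;
                source-address 192.0.2.1;
            }
        }
        session-options {
            client-idle-timeout 10;
            client-session-timeout 60;
        }
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy require-auth {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit {
                        firewall-authentication {
                            pass-through {
                                access-profile fw-users;
                            }
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

After committing, `show security firewall-authentication users` lists the clients that have authenticated through the profile. Keep the local client entries to the minimum needed for fallback, because each password listed there is a credential that bypasses the RADIUS server's policy.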
code-points (CoS)

Supported Platforms
QFX Series

Syntax
code-points [ aliases ] [ bit-patterns ];

Hierarchy Level
[edit class-of-service classifiers (dscp | ieee-802.1) classifier-name forwarding-class
class-name loss-priority level]

Release Information
Statement introduced in Junos OS Release 11.1 for the QFX Series.

Description
Configure one or more code-point aliases or bit sets to apply to a forwarding class.

Options
aliases—Name of the alias or aliases.
bit-patterns—Value of the code-point bits, in decimal form.

Required Privilege Level
interfaces—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Ethernet Port Switching Feature Guide for Security Devices
• Link Services and Special Interfaces Feature Guide for Security Devices
• Junos OS CoS Library for Security Devices
destination-address (Security Policies)

Supported Platforms
LN Series

Syntax
destination-address {
[address];
any;
any-ipv4;
any-ipv6;
}

Hierarchy Level
[edit security policies from-zone zone-name to-zone zone-name policy policy-name match]

Release Information
Statement introduced in Junos OS Release 8.5. Support for IPv6 addresses added in
Junos OS Release 10.2. Support for IPv6 addresses in active/active chassis cluster
configurations (in addition to the existing support of active/passive chassis cluster
configurations) added in Junos OS Release 10.4. Support for wildcard addresses added
in Junos OS Release 11.1.

Description
Define the matching criteria. You can specify one or more IP addresses, address sets, or
wildcard addresses. You can specify the wildcards any, any-ipv4, or any-ipv6.

Options
address—IP address (any, any-ipv4, any-ipv6), IP address set, address book entry, or
wildcard address (represented as A.B.C.D/wildcard-mask). You can configure multiple
addresses or address prefixes separated by spaces and enclosed in square brackets.

Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Security Policies Feature Guide for Security Devices
family inet (Interfaces)

Supported Platforms
J Series, LN Series, SRX Series

Syntax
inet {
accounting {
destination-class-usage;
source-class-usage {
input;
output;
}
}
address (source-address/prefix) {
arp destination-address {
(mac mac-address | multicast-mac multicast-mac-address);
publish publish-address;
}
broadcast address;
preferred;
primary;
vrrp-group group-id {
(accept-data | no-accept-data);
advertise-interval seconds;
advertisements-threshold number;
authentication-key key-value;
authentication-type (md5 | simple);
fast-interval milliseconds;
inet6-advertise-interval milliseconds;
(preempt <hold-time seconds> | no-preempt);
priority value;
track {
interface interface-name {
bandwidth-threshold bandwidth;
priority-cost value;
}
priority-hold-time seconds;
route route-address {
routing-instance routing-instance;
priority-cost value;
}
}
virtual-address [address];
virtual-link-local-address address;
vrrp-inherit-from {
active-group value;
active-interface interface-name;
}
}
web-authentication {
http;
https;
redirect-to-https;
}
}
dhcp {
client-identifier {
(ascii string | hexadecimal string);
}
lease-time (length | infinite);
retransmission-attempt value;
retransmission-interval seconds;
server-address server-address;
update-server;
vendor-id vendor-id;
}
dhcp-client {
client-identifier {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
user-id (ascii string | hexadecimal string);
}
lease-time (length | infinite);
retransmission-attempt value;
retransmission-interval seconds;
server-address server-address;
update-server;
vendor-id vendor-id;
}
filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
mtu value;
no-neighbor-learn;
no-redirects;
policer {
arp arp-name;
input input-name;
output output-name;
}
primary;
rpf-check {
fail-filter filter-name;
mode {
loose;
}
}
sampling {
input;
output;
simple-filter;
}
targeted-broadcast {
(forward-and-send-to-re | forward-only);
}
unnumbered-address {
interface-name;
preferred-source-address preferred-source-address;
}
}
Hierarchy Level
[edit interfaces interface unit unit]

Release Information
Statement introduced in a prior release of Junos OS.

Description
Assign an IP address to a logical interface.

Options
ipaddress—Specifies the IP address for the interface.

NOTE: You use family inet to assign an IPv4 address. You use family inet6 to
assign an IPv6 address. An interface can be configured with both an IPv4 and
an IPv6 address.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
flow (Security Flow)

Supported Platforms

Syntax
flow {
aging {
early-ageout seconds;
high-watermark percent;
low-watermark percent;
}
allow-dns-reply;
bridge {
block-non-ip-all;
bpdu-vlan-flooding;
bypass-non-ip-unicast;
no-packet-flooding {
no-trace-route;
}
}
force-ip-reassembly;
ipsec-performance-acceleration;
load-distribution {
session-affinity ipsec;
}
pending-sess-queue-length (high | moderate | normal);
route-change-timeout seconds;
syn-flood-protection-mode (syn-cookie | syn-proxy);
tcp-mss {
all-tcp mss value;
gre-in {
mss value;
}
gre-out {
mss value;
}
ipsec-vpn {
mss value;
}
}
tcp-session {
fin-invalidate-session;
no-sequence-check;
no-syn-check;
no-syn-check-in-tunnel;
rst-invalidate-session;
rst-sequence-check;
strict-syn-check;
tcp-initial-timeout seconds;
time-wait-state {
(session-ageout | session-timeout seconds);
}
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
packet-filter filter-name {
destination-port port-identifier;
destination-prefix address;
interface interface-name;
protocol protocol-identifier;
source-port port-identifier;
source-prefix address;
}
rate-limit messages-per-second;
}
}
Hierarchy Level
[edit security]

Release Information
Statement modified in Release 9.5 of Junos OS.

Description
Determine how the device manages packet flow. The device can regulate packet flow
in the following ways:
• Enable or disable DNS replies when there is no matching DNS request.
• Set the initial session-timeout values.

Options
The remaining statements are explained separately.

Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Processing Overview Feature Guide for Security Devices
• Junos OS Logical Systems Library for Security Devices
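The flow statements listed above decide how the device admits, checks and ages sessions, and several of them (no-syn-check, no-sequence-check, unrestricted traceoptions) trade security for leniency. The configuration below is an added example and is not taken from the Juniper documentation; the timers, the MSS value, the trace file name and the debug host address are assumptions for illustration. It turns on SYN-cookie protection, keeps the strict TCP checks, and scopes flow tracing so that it cannot fill the file system or be read by other users.

```junos
/* Added example, not from the Juniper documentation. Timers, the MSS
   value, the trace file name and the debug host are placeholders. */
security {
    flow {
        /* Answer SYN floods with SYN cookies; the alternative, syn-proxy,
           keeps state for every half-open connection on the device. */
        syn-flood-protection-mode syn-cookie;
        tcp-session {
            /* Require a SYN to create a session and validate the sequence
               number on RST. The no-syn-check and no-sequence-check
               statements relax these checks; leave them unset unless
               asymmetric routing leaves no alternative. */
            strict-syn-check;
            rst-sequence-check;
            tcp-initial-timeout 20;
            time-wait-state {
                session-timeout 10;
            }
        }
        tcp-mss {
            /* Clamp MSS for traffic entering IPsec tunnels so encrypted
               packets do not exceed the path MTU after encapsulation. */
            ipsec-vpn {
                mss 1350;
            }
        }
        aging {
            /* Age idle sessions faster once the table is 90 percent full,
               and stop when it drops back to 80 percent. */
            early-ageout 10;
            high-watermark 90;
            low-watermark 80;
        }
        /* Flow tracing is expensive: restrict it to one host and port,
           rate-limit it, and keep the file unreadable to other users. */
        traceoptions {
            file flow-trace size 10m files 3 no-world-readable;
            flag basic-datapath;
            packet-filter debug-host {
                source-prefix 203.0.113.5/32;
                destination-port 22;
            }
            rate-limit 100;
        }
    }
}
```

Remove the traceoptions block once the investigation is over; a flow trace left running with a broad packet filter writes a line for every matching packet and is an easy way to exhaust storage on the Routing Engine.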
forwarding-classes (CoS)

Supported Platforms
J Series, SRX Series

Syntax
forwarding-classes {
class class-name {
priority (high | low);
queue-num number;
spu-priority (high | low);
}
queue queue-number {
class-name {
priority (high | low);
}
}
}
Hierarchy Level
[edit class-of-service]

Release Information
Statement introduced in Junos OS Release 8.5. Statement updated in Junos OS Release
11.4. The spu-priority option introduced in Junos OS Release 11.4R2.

Description
Configure forwarding classes and assign queue numbers.

Options
• class-name—Display the forwarding class name assigned to the internal queue number.

NOTE: This option is supported only on high-end SRX Series devices,
including the SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and
SRX5800.

NOTE: AppQoS forwarding classes must be different from those defined
for interface-based rewriters.

• policing-priority—Layer 2 policing. One forwarding class can be configured as premium
and others are configured as normal.
• priority—Fabric priority value:
  • high—Forwarding class’s fabric queuing has high priority.
  • low—Forwarding class’s fabric queuing has low priority.
• queue-number—Specify the internal queue number to which a forwarding class is
assigned.
• spu-priority—Services Processing Unit (SPU) priority queue, either high or low.

NOTE: The spu-priority option is only supported on SRX1400, SRX3000
line, and SRX5000 line devices.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• CoS Components Feature Guide for Security Devices
• CoS Virtual Channels and Tunnels Feature Guide for Security Devices
• Application Quality of Service Feature Guide for Security Devices
host-inbound-traffic

Supported Platforms
J Series, LN Series, SRX Series

Syntax
host-inbound-traffic {
protocols protocol-name {
except;
}
system-services service-name {
except;
}
}

Hierarchy Level
[edit security zones functional-zone management],
[edit security zones functional-zone management interfaces interface-name],
[edit security zones security-zone zone-name],
[edit security zones security-zone zone-name interfaces interface-name]

Release Information
Statement introduced in Junos OS Release 8.5.

Description
Control the type of traffic that can reach the device from interfaces bound to the zone.

Options
The remaining statements are explained separately.

Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Security Zones and Interfaces Feature Guide for Security Devices
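host-inbound-traffic is the control that decides which services the device itself answers on a zone, so it deserves a worked comparison. The configuration below is an added example and is not taken from the Juniper documentation; the zone names, interface names and service choices are assumptions for illustration. The first zone shows the permissive pattern (all services and protocols, with a single except at interface level); the other two show an explicit allow-list, with the management services only on the interface that needs them.

```junos
/* Added example, not from the Juniper documentation. Zone and interface
   names are placeholders. */
security {
    zones {
        /* Weak: every service and routing protocol the device offers is
           reachable from this zone. The interface-level statement on
           ge-0/0/2.0 only subtracts telnet; everything else stays open. */
        security-zone untrust-permissive {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            telnet {
                                except;
                            }
                        }
                    }
                }
            }
        }
        /* Hardened: an Internet-facing zone only needs IKE for VPN peers
           and ping for reachability checks; anything else sent to the
           device's own addresses is dropped. */
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        /* Management and routing adjacencies live on the inside zone. */
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                    ntp;
                }
                protocols {
                    ospf;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
```

`show security zones` prints the allowed host-inbound services and protocols per zone and per interface, which is the quickest way to audit a device for a stray `all`. Note that host-inbound-traffic only governs traffic addressed to the device; transit traffic between zones is still decided by security policies.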
interfaces (CoS)

Supported Platforms
J Series, LN Series, SRX Series

Syntax
interfaces interface-name {
input-traffic-control-profile profile-name;
output-traffic-control-profile profile-name;
output-traffic-control-profile-remaining profile-name;
scheduler-map scheduler-map;
shaping-rate bps;
unit logical-unit-number {
adaptive-shaper adaptive-shaper-name;
classifiers {
(dscp | dscp-ipv6 | exp | ieee-802.1 | ieee-802.1ad | inet-precedence)
}
forwarding-class class-name;
input-traffic-control-profile {
profile-name;
shared-instance shared-instance-name;
}
loss-priority-maps {
frame-relay-de {
(lpmap-name | default);
}
}
output-traffic-control-profile {
profile-name;
shared-instance shared-instance-name;
}
rewrite-rules {
(dscp |dscp-ipv6 |exp |frame-relay-de |ieee-802.1 |ieee-802.1ad |inet-precedence)
}
scheduler-map scheduler-map-name;
shaping-rate {
rate;
}
vc-shared-scheduler;
virtual-channel-group group-name;
}
}
}
Hierarchy Level
[edit class-of-service]

Release Information
Statement introduced in Junos OS Release 8.5.

Description
Associate the class-of-service configuration elements with an interface.

Options
interface interface-name unit number—The user-specified interface name and unit number.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• CoS Components Feature Guide for Security Devices
• CoS Virtual Channels and Tunnels Feature Guide for Security Devices
• IDP Class of Service Action Feature Guide for Security Devices
interfaces (Security Zones)

Supported Platforms
J Series, LN Series, SRX Series

Syntax
interfaces interface-name {
host-inbound-traffic {
protocols protocol-name {
except;
}
system-services service-name {
except;
}
}
}

Hierarchy Level
[edit security zones functional-zone management],
[edit security zones security-zone zone-name]

Release Information
Statement introduced in Junos OS Release 8.5.

Description
Specify the set of interfaces that are part of the zone.

Options
interface-name—Name of the interface.
The remaining statements are explained separately.

Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Security Zones and Interfaces Feature Guide for Security Devices
• Administration Guide for Security Devices
loss-priority (CoS Loss Priority)

Supported Platforms

Syntax
loss-priority level code-points [ values ];

Hierarchy Level
[edit class-of-service loss-priority-maps frame-relay-de map-name]

Release Information
Statement introduced in Junos OS Release 8.5.

Description
Map CoS values to a loss priority.

Options
level can be one of the following:
• high—Packet has high loss priority.
• medium-high—Packet has medium-high loss priority.
• medium-low—Packet has medium-low loss priority.
• low—Packet has low loss priority.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• CoS Components Feature Guide for Security Devices
• CoS Virtual Channels and Tunnels Feature Guide for Security Devices
• Junos OS CoS Library for Security Devices
• Link Services and Special Interfaces Feature Guide for Security Devices
match (Security Policies)

Supported Platforms

Syntax
match {
application {
[application];
any;
}
destination-address {
[address];
any;
any-ipv4;
any-ipv6;
}
source-address {
[address];
any;
any-ipv4;
any-ipv6;
}
source-identity {
[role-name];
any;
authenticated-user;
unauthenticated-user;
unknown-user;
}
}
[edit security policies from-zone zone-name to-zone zone-name policy policy-name]
Statement introduced in Junos OS Release 8.5. Statement updated with source-identity
option in Junos OS Release 12.1.
Configure security policy match criteria.
The remaining statements are explained separately.
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
•
Ethernet Port Switching Feature Guide for Security Devices
•
Junos OS Layer 2 Bridging and Switching Library for Security Devices
•
Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
•
Security Policies Feature Guide for Security Devices
Copyright © 2016, Juniper Networks, Inc.
257
Layer 2 Bridging and Switching Library for Security Devices
native-vlan-id (Interfaces)

Supported Platforms
J Series, SRX Series

Syntax
native-vlan-id vlan-id;

Hierarchy Level
[edit interfaces interface-name]

Release Information
Statement introduced in Junos OS Release 9.5.

Description
Configure the VLAN identifier assigned to untagged packets received on the physical interface of a trunk mode interface.

Options
vlan-id—VLAN identifier assigned to untagged packets. Enter a number from 0 through 4094.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
policy (Security Policies)

Syntax
policy policy-name {
    description description;
    match {
        application {
            [application];
            any;
        }
        destination-address {
            [address];
            any;
            any-ipv4;
            any-ipv6;
        }
        source-address {
            [address];
            any;
            any-ipv4;
            any-ipv6;
        }
        source-identity {
            [role-name];
            any;
            authenticated-user;
            unauthenticated-user;
            unknown-user;
        }
    }
    scheduler-name scheduler-name;
    then {
        count {
            alarm {
                per-minute-threshold number;
                per-second-threshold number;
            }
        }
        deny;
        log {
            session-close;
            session-init;
        }
        permit {
            application-services {
                application-firewall {
                    rule-set rule-set-name;
                }
                application-traffic-control {
                    rule-set rule-set-name;
                }
                gprs-gtp-profile profile-name;
                gprs-sctp-profile profile-name;
                idp;
                redirect-wx | reverse-redirect-wx;
                ssl-proxy {
                    profile-name profile-name;
                }
                uac-policy {
                    captive-portal captive-portal;
                }
                utm-policy policy-name;
            }
            destination-address {
                drop-translated;
                drop-untranslated;
            }
            firewall-authentication {
                pass-through {
                    access-profile profile-name;
                    client-match user-or-group-name;
                    web-redirect;
                }
                user-firewall {
                    access-profile profile-name;
                    ssl-termination-profile profile-name;
                }
                web-authentication {
                    client-match user-or-group-name;
                }
            }
            services-offload;
            tcp-options {
                sequence-check-required;
                syn-check-required;
            }
            tunnel {
                ipsec-group-vpn group-vpn;
                ipsec-vpn vpn-name;
                pair-policy pair-policy;
            }
        }
        reject;
    }
}

Hierarchy Level
[edit security policies from-zone zone-name to-zone zone-name]

Release Information
Statement introduced in Junos OS Release 8.5. The services-offload option added in Junos OS Release 11.4. Statement updated with the source-identity option and the description option in Junos OS Release 12.1. Support for the user-firewall option added in Junos OS Release 12.1X45-D10.

Description
Define a security policy.

Options
policy-name—Name of the security policy.
The remaining statements are explained separately.

Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Application Quality of Service Feature Guide for Security Devices
• Security Policies Feature Guide for Security Devices
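The following set-format configuration is an added example, not part of the Juniper documentation, showing how the match and policy statements above are combined in practice. The zone names (trust, dmz), address-book entries (admin-net, web-srv, dmz-web), policy names and the documentation-range addresses are assumptions chosen for the example; junos-https is a predefined application. The commented-out any/any/any policy is the form that most often turns up in audits and is shown only for contrast with the tightened one beneath it.

```junos
# Zone-level address book entries (see the security-zone address-book syntax
# in this chapter). Names and prefixes are placeholders.
set security zones security-zone trust address-book address admin-net 192.0.2.0/28
set security zones security-zone dmz address-book address web-srv 198.51.100.10/32
set security zones security-zone dmz address-book address-set dmz-web address web-srv

# Weak policy, kept only for contrast: any source, any destination, any
# application, permitted without logging. Do not commit this form.
# set security policies from-zone trust to-zone dmz policy allow-all match source-address any
# set security policies from-zone trust to-zone dmz policy allow-all match destination-address any
# set security policies from-zone trust to-zone dmz policy allow-all match application any
# set security policies from-zone trust to-zone dmz policy allow-all then permit

# Tightened policy: named source and destination, one predefined application,
# session logging on open and close, and a per-policy counter.
set security policies from-zone trust to-zone dmz policy admin-to-web description "Admins to DMZ web over HTTPS"
set security policies from-zone trust to-zone dmz policy admin-to-web match source-address admin-net
set security policies from-zone trust to-zone dmz policy admin-to-web match destination-address dmz-web
set security policies from-zone trust to-zone dmz policy admin-to-web match application junos-https
set security policies from-zone trust to-zone dmz policy admin-to-web then permit
set security policies from-zone trust to-zone dmz policy admin-to-web then log session-init
set security policies from-zone trust to-zone dmz policy admin-to-web then log session-close
set security policies from-zone trust to-zone dmz policy admin-to-web then count

# Explicit last policy for the zone pair: deny everything else and log it, so
# blocked traffic shows up in the logs instead of being dropped silently.
set security policies from-zone trust to-zone dmz policy deny-rest match source-address any
set security policies from-zone trust to-zone dmz policy deny-rest match destination-address any
set security policies from-zone trust to-zone dmz policy deny-rest match application any
set security policies from-zone trust to-zone dmz policy deny-rest then deny
set security policies from-zone trust to-zone dmz policy deny-rest then log session-init
```

Policies within a zone pair are evaluated in configuration order and the first match wins, so deny-rest must remain the last policy between trust and dmz; a policy added later goes in with `insert security policies from-zone trust to-zone dmz policy new-policy before policy deny-rest`. Check the resulting order with `show security policies from-zone trust to-zone dmz`, one of the operational commands listed in Chapter 6.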
port (Access RADIUS)

Syntax
port port-number;

Hierarchy Level
[edit access radius-server server-address],
[edit access profile profile-name radius-server server-address]

Release Information
Statement modified in Junos OS Release 8.5.

Description
Configure the port number on which to contact the RADIUS server.

Options
port-number—Port number on which to contact the RADIUS server.
Default: 1812 (as specified in RFC 2865)

Required Privilege Level
secret—To view this statement in the configuration.
secret-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
profile (Access)

Supported Platforms
J Series, LN Series, SRX Series

Syntax
profile profile-name {
    accounting {
        accounting-stop-on-access-deny;
        accounting-stop-on-failure;
        coa-immediate-update;
        duplication;
        immediate-update;
        order [accounting-method];
        statistics (time | volume-time);
        update-interval minutes;
    }
    accounting-order [accounting-method];
    address-assignment pool pool-name;
    authentication-order [ldap | none | password | radius | securid];
    authorization-order [jsrc];
    client client-name {
        chap-secret chap-secret;
        client-group [ group-names ];
        firewall-user {
            password password;
        }
        no-rfc2486;
        pap-password pap-password;
        x-auth ip-address;
    }
    client-name-filter {
        count number;
        domain-name domain-name;
        separator special-character;
    }
    ldap-options {
        assemble {
            common-name common-name;
        }
        base-distinguished-name base-distinguished-name;
        revert-interval seconds;
        search {
            admin-search {
                distinguished-name distinguished-name;
                password password;
            }
            search-filter search-filter-name;
        }
    }
    ldap-server server-address {
        port port-number;
        retry attempts;
        routing-instance routing-instance-name;
        source-address source-address;
        timeout seconds;
    }
    provisioning-order (gx-plus | jsrc);
    radius {
        accounting-server [server];
        attributes {
            exclude {
                acc-aggr-cir-id-asc [access-request | accounting-start | accounting-stop];
                acc-aggr-cir-id-bin [access-request | accounting-start | accounting-stop];
                acc-loop-cir-id [access-request | accounting-start | accounting-stop];
                accounting-authentic [accounting-off | accounting-on | accounting-start | accounting-stop];
                accounting-delay-time [accounting-off | accounting-on | accounting-start | accounting-stop];
                accounting-session-id [access-request];
                accounting-terminate-cause [accounting-off];
                act-data-rate-dn [access-request | accounting-start | accounting-stop];
                act-data-rate-up [access-request | accounting-start | accounting-stop];
                act-interlv-delay-dn [access-request | accounting-start | accounting-stop];
                act-interlv-delay-up [access-request | accounting-start | accounting-stop];
                att-data-rate-dn [access-request | accounting-start | accounting-stop];
                att-data-rate-up [access-request | accounting-start | accounting-stop];
                called-station-id [access-request | accounting-start | accounting-stop];
                calling-station-id [access-request | accounting-start | accounting-stop];
                class [access-request | accounting-start | accounting-stop];
                delegated-ipv6-prefix [accounting-start | accounting-stop];
                dhcp-gi-address [access-request | accounting-start | accounting-stop];
                dhcp-mac-address [access-request | accounting-start | accounting-stop];
                dhcp-options [access-request | accounting-start | accounting-stop];
                downstream-calculated-qos-rate [access-request | accounting-start | accounting-stop];
                dsl-forum-attributes [access-request | accounting-start | accounting-stop];
                dsl-line-state [access-request | accounting-start | accounting-stop];
                dsl-type [access-request | accounting-start | accounting-stop];
                dynamic-iflset-name [accounting-start | accounting-stop];
                event-time-stamp [accounting-off | accounting-on | accounting-start | accounting-stop];
                framed-interface-id [access-request | accounting-start | accounting-stop];
                framed-ip-address [access-request | accounting-start | accounting-stop];
                framed-ip-netmask [access-request | accounting-start | accounting-stop];
                framed-ip-route [access-request | accounting-start | accounting-stop];
                framed-ipv6-pool [accounting-start | accounting-stop];
                framed-ipv6-prefix [accounting-start | accounting-stop];
                framed-ipv6-route [accounting-start | accounting-stop];
                framed-pool [accounting-start | accounting-stop];
                input-filter [accounting-start | accounting-stop];
                input-gigapackets [accounting-stop];
                input-gigawords [accounting-stop];
                input-ipv6-gigawords [accounting-stop];
                input-ipv6-octets [accounting-stop];
                input-ipv6-packets [accounting-stop];
                interface-description [access-request | accounting-start | accounting-stop];
                l2c-downstream-data [access-request | accounting-start | accounting-stop];
                l2c-upstream-data [access-request | accounting-start | accounting-stop];
                max-data-rate-dn [access-request | accounting-start | accounting-stop];
                max-data-rate-up [access-request | accounting-start | accounting-stop];
                max-interlv-delay-dn [access-request | accounting-start | accounting-stop];
                max-interlv-delay-up [access-request | accounting-start | accounting-stop];
                min-data-rate-dn [access-request | accounting-start | accounting-stop];
                min-data-rate-up [access-request | accounting-start | accounting-stop];
                min-lp-data-rate-dn [access-request | accounting-start | accounting-stop];
                min-lp-data-rate-up [access-request | accounting-start | accounting-stop];
                nas-identifier [access-request | accounting-start | accounting-stop];
                nas-port [access-request | accounting-off | accounting-on | accounting-start | accounting-stop];
                nas-port-id [access-request | accounting-start | accounting-stop];
                nas-port-type [access-request | accounting-start | accounting-stop];
                output-filter [accounting-start | accounting-stop];
                output-gigapackets [accounting-stop];
                output-gigawords [accounting-stop];
                output-ipv6-gigawords [accounting-stop];
                output-ipv6-octets [accounting-stop];
                output-ipv6-packets [accounting-stop];
                upstream-calculated-qos-rate [access-request | accounting-start | accounting-stop];
            }
            ignore {
                dynamic-iflset-name;
                framed-ip-netmask;
                input-filter;
                logical-system-routing-instance;
                output-filter;
            }
        }
        authentication-server [server];
        radius-options {
            request-rate number;
            revert-interval seconds;
        }
        radius-server server-address {
            accounting-port port-number;
            max-outstanding-requests number-of-outstanding-requests;
            port port-number;
            retry attempts;
            routing-instance routing-instance-name;
            secret password;
            source-address source-address;
            timeout seconds;
        }
        service {
            accounting-order {
                activation-protocol;
                radius;
            }
        }
    }
    session-options {
        client-group [group-name];
        client-idle-timeout minutes;
        client-session-timeout minutes;
    }
}

Hierarchy Level
[edit access]

Release Information
Statement introduced in Junos OS Release 10.4.

Description
Create a profile containing a set of attributes that define device management access.

Required Privilege Level
access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
• Master Administrator for Logical Systems Feature Guide for Security Devices
• Modem Interfaces Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
radius-server (Access)

Supported Platforms
J Series, LN Series, SRX Series

Syntax
radius-server server-address {
    port port-number;
    retry attempts;
    routing-instance routing-instance-name;
    secret password;
    source-address source-address;
    timeout seconds;
}

Hierarchy Level
[edit access],
[edit access profile profile-name]

Release Information
Statement modified in Junos OS Release 8.5.

Description
Configure RADIUS for Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Protocol (PPP) authentication.

To configure multiple RADIUS servers, include multiple radius-server statements. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached.

Options
server-address—Address of the RADIUS authentication server.
The remaining statements are explained separately.

Required Privilege Level
access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Firewall User Authentication Feature Guide for Security Devices
redundancy-group (Interfaces)

Syntax
redundancy-group number;

Hierarchy Level
[edit interfaces interface-name redundant-ether-options]

Release Information
Statement introduced in Junos OS Release 9.0.

Description
Specify the redundancy group that a redundant Ethernet interface belongs to.

Options
number—Number of the redundancy group that the redundant interface belongs to. Failover properties of the interface are inherited from the redundancy group.
Range: 1 through 255

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
source-address (Security Policies)

Syntax
source-address {
    [address];
    any;
    any-ipv4;
    any-ipv6;
}

Hierarchy Level
[edit security policies from-zone zone-name to-zone zone-name policy policy-name match]

Release Information
Statement introduced in Junos OS Release 8.5. Support for IPv6 addresses added in Junos OS Release 10.2. Support for IPv6 addresses in active/active chassis cluster configurations (in addition to the existing support of active/passive chassis cluster configurations) added in Junos OS Release 10.4. Support for wildcard addresses added in Junos OS Release 11.1.

Description
Define the source-address matching criteria. You can specify one or more IP addresses, address sets, or wildcard addresses. You can also specify the wildcards any, any-ipv4, or any-ipv6.

Options
address—IP addresses, address sets, or wildcard addresses (represented as A.B.C.D/wildcard-mask). You can configure multiple addresses or address prefixes separated by spaces and enclosed in square brackets.

Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Security Policies Feature Guide for Security Devices
source-address (Access RADIUS)

Supported Platforms
J Series, LN Series, SRX Series

Syntax
source-address source-address;

Hierarchy Level
[edit access radius-server server-address],
[edit access profile profile-name radius-server server-address]

Release Information
Statement modified in Junos OS Release 8.5.

Description
Configure a source address for each configured RADIUS server. Each RADIUS request sent to a RADIUS server uses the specified source address.

Options
source-address—Valid IP address configured on one of the device interfaces.

Required Privilege Level
secret—To view this statement in the configuration.
secret-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Firewall User Authentication Feature Guide for Security Devices
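The following set-format configuration is an added example, not part of the Juniper documentation, and ties together the profile (Access), radius-server, port and source-address (Access RADIUS) statements above with the firewall-authentication option of the policy statement. The profile name fw-users, the server addresses 192.0.2.10 and 192.0.2.11, the source address 192.0.2.1, the shared-secret placeholder, the zone and address-book names and the policy name are all assumptions; junos-ssh is a predefined application.

```junos
# Access profile that authenticates firewall users against two RADIUS servers.
# With authentication-order radius only, there is no local fallback: if neither
# server answers, authentication fails closed.
set access profile fw-users authentication-order radius

# First server. The secret is a placeholder; use a long random value.
set access profile fw-users radius-server 192.0.2.10 secret "replace-with-long-random-secret"
set access profile fw-users radius-server 192.0.2.10 port 1812
# Requests leave from this address, so it must be the NAS address the server
# has registered for this device (and an address configured on an interface).
set access profile fw-users radius-server 192.0.2.10 source-address 192.0.2.1
set access profile fw-users radius-server 192.0.2.10 timeout 3
set access profile fw-users radius-server 192.0.2.10 retry 2

# Second server, tried in order and round-robin once the first server's
# retry limit is exhausted without a valid response.
set access profile fw-users radius-server 192.0.2.11 secret "replace-with-long-random-secret"
set access profile fw-users radius-server 192.0.2.11 port 1812
set access profile fw-users radius-server 192.0.2.11 source-address 192.0.2.1
set access profile fw-users radius-server 192.0.2.11 timeout 3
set access profile fw-users radius-server 192.0.2.11 retry 2

# Bound the lifetime of authenticated sessions (values in minutes).
set access profile fw-users session-options client-idle-timeout 10
set access profile fw-users session-options client-session-timeout 480

# Consume the profile from a security policy: SSH into the DMZ is permitted
# only after pass-through firewall authentication succeeds.
set security zones security-zone trust address-book address admin-net 192.0.2.0/28
set security zones security-zone dmz address-book address dmz-hosts 198.51.100.0/24
set security policies from-zone trust to-zone dmz policy ssh-authenticated match source-address admin-net
set security policies from-zone trust to-zone dmz policy ssh-authenticated match destination-address dmz-hosts
set security policies from-zone trust to-zone dmz policy ssh-authenticated match application junos-ssh
set security policies from-zone trust to-zone dmz policy ssh-authenticated then permit firewall-authentication pass-through access-profile fw-users
set security policies from-zone trust to-zone dmz policy ssh-authenticated then log session-init
```

Two points worth checking after commit. First, Junos stores the RADIUS secret in the configuration in its $9$ form, which is reversible obfuscation rather than a hash, so `show configuration` output and configuration backups reveal it; restrict who can view it (the secret privilege above) and where backups go. Second, with timeout 3 and retry 2 on each server, a dead primary costs several seconds before the secondary is tried; keep those values small on an interactive authentication path. Adding password to authentication-order would allow the profile's local client entries as a fallback when RADIUS is unreachable, which trades availability against the fail-closed behaviour shown here.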
security-zone

Syntax
security-zone zone-name {
    address-book {
        address address-name {
            ip-prefix {
                description text;
            }
            description text;
            dns-name domain-name {
                ipv4-only;
                ipv6-only;
            }
            range-address lower-limit to upper-limit;
            wildcard-address ipv4-address/wildcard-mask;
        }
        address-set address-set-name {
            address address-name;
            address-set address-set-name;
            description text;
        }
    }
    application-tracking;
    description text;
    host-inbound-traffic {
        protocols protocol-name {
            except;
        }
        system-services service-name {
            except;
        }
    }
    interfaces interface-name {
        host-inbound-traffic {
            protocols protocol-name {
                except;
            }
            system-services service-name {
                except;
            }
        }
    }
    screen screen-name;
    tcp-rst;
}

Hierarchy Level
[edit security zones]

Release Information
Statement introduced in Junos OS Release 8.5. Support for wildcard addresses added in Junos OS Release 11.1. The description option added in Junos OS Release 12.1.

Description
Define a security zone, which allows you to divide the network into different segments and apply different security options to each segment.

Options
zone-name—Name of the security zone.
The remaining statements are explained separately.

Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Application Tracking Feature Guide for Security Devices
system-services (Security Zones Interfaces)

Syntax
system-services service-name {
    except;
}

Hierarchy Level
[edit security zones security-zone zone-name interfaces interface-name host-inbound-traffic]

Release Information
Statement introduced in Junos OS Release 8.5.

Description
Specify the types of traffic that can reach the device itself on a particular interface.

Options
service-name—Service for which traffic is allowed. The following services are supported:
• all—Enable all possible system services available on the Routing Engine (RE).
• any-service—Enable services on the entire port range.
• bootp—Enable traffic destined to BOOTP and DHCP relay agents.
• dhcp—Enable incoming DHCP requests.
• dhcpv6—Enable incoming DHCP requests for IPv6.
• dns—Enable incoming DNS services.
• finger—Enable incoming finger traffic.
• ftp—Enable incoming FTP traffic.
• http—Enable incoming J-Web or clear-text Web authentication traffic.
• https—Enable incoming J-Web or Web authentication traffic over Secure Sockets Layer (SSL).
• ident-reset—Enable the access that has been blocked by an unacknowledged identification request.
• ike—Enable Internet Key Exchange traffic.
• netconf—Enable incoming NETCONF traffic over SSH (used, for example, by NetScreen Security Manager (NSM)).
• ntp—Enable incoming Network Time Protocol (NTP) traffic.
• ping—Allow the device to respond to ICMP echo requests.
• r2cp—Enable incoming Radio Router Control Protocol traffic.
• reverse-ssh—Enable reverse SSH traffic.
• reverse-telnet—Enable reverse Telnet traffic.
• rlogin—Enable incoming rlogin (remote login) traffic.
• rpm—Enable incoming real-time performance monitoring (RPM) traffic.
• rsh—Enable incoming Remote Shell (rsh) traffic.
• snmp—Enable incoming SNMP traffic (UDP port 161).
• snmp-trap—Enable incoming SNMP traps (UDP port 162).
• ssh—Enable incoming SSH traffic.
• telnet—Enable incoming Telnet traffic.
• tftp—Enable TFTP services.
• traceroute—Enable incoming traceroute traffic (UDP port 33434).
• xnm-clear-text—Enable incoming Junos XML protocol traffic for all specified interfaces.
• xnm-ssl—Enable incoming Junos XML protocol-over-SSL traffic for all specified interfaces.
except—(Optional) Exclude the named service. except can be used only when all has been configured at the same level.

Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Security Zones and Interfaces Feature Guide for Security Devices
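The following set-format configuration is an added example, not part of the Juniper documentation, showing the security-zone and system-services statements above applied to three zones with different exposure. The zone names (untrust, mgmt, trust) and the interface names are assumptions. The commented-out line is the setting that most often turns up on Internet-facing zones in audits and is included only for contrast.

```junos
# Weak form, for contrast: every Routing Engine service reachable from every
# interface in the zone. Do not commit this on an Internet-facing zone.
# set security zones security-zone untrust host-inbound-traffic system-services all

# Internet-facing zone: only what the device must answer on that side
# (IKE for VPN peers, and ICMP echo for reachability checks).
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0

# Management zone: everything except the clear-text services. The except
# form is accepted only because all is configured at the same level.
set security zones security-zone mgmt host-inbound-traffic system-services all
set security zones security-zone mgmt host-inbound-traffic system-services telnet except
set security zones security-zone mgmt host-inbound-traffic system-services http except
set security zones security-zone mgmt host-inbound-traffic system-services ftp except
set security zones security-zone mgmt host-inbound-traffic system-services xnm-clear-text except
set security zones security-zone mgmt interfaces ge-0/0/1.0

# Internal zone with a per-interface list: the zone as a whole admits nothing
# to the device, but ge-0/0/2.0 accepts SSH and OSPF adjacencies.
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces ge-0/0/3.0
```

host-inbound-traffic governs only traffic addressed to the device itself; transit traffic between zones is governed by security policies, and a zone with no host-inbound-traffic statement admits nothing to the Routing Engine from its interfaces. Where an interface carries its own host-inbound-traffic list, that list takes precedence over the zone-level list for that interface, so list everything the interface needs there. Confirm the effective set per interface with `show interfaces ge-0/0/2.0 extensive`, whose Allowed host inbound traffic field (Table 35 in Chapter 6) reports it, and per zone with `show security zones`. Of the services in the list above, telnet, http, ftp, rsh, rlogin, finger and xnm-clear-text carry credentials unencrypted and are best excluded everywhere they are not strictly required.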
vlan-id (Bridge Domain)

Supported Platforms
MX Series, SRX Series

Syntax
vlan-id (all | none | vlan-id);

Hierarchy Level
[edit bridge-domains bridge-domain-name],
[edit logical-systems logical-system-name bridge-domains bridge-domain-name],
[edit logical-systems logical-system-name routing-instances routing-instance-name bridge-domains bridge-domain-name],
[edit routing-instances routing-instance-name bridge-domains bridge-domain-name]

Release Information
Statement introduced in Junos OS Release 8.4.
Support for Layer 2 trunk ports added in Junos OS Release 9.2.
Support for logical systems added in Junos OS Release 9.6.

Description
(MX Series routers only) Specify a VLAN identifier (VID) to include in the packets sent to and from the bridge domain or a VPLS routing instance.

NOTE: When configuring a VLAN identifier for provider backbone bridge (PBB) routing instances, dual-tagged VIDs and the none option are not permitted.

Options
all—Specify that the bridge domain spans all the VLAN identifiers configured on the member logical interfaces.

NOTE: You cannot specify the all option if you include a routing interface in the bridge domain.

none—Specify to enable shared VLAN learning or to send untagged frames over VPLS VT interfaces.

vlan-id—A valid VLAN identifier. If you configure multiple bridge domains with a valid VLAN identifier, you must specify a unique VLAN identifier for each domain. However, you can use the same VLAN identifier for bridge domains that belong to different virtual switches. Use this option to send singly tagged frames with the specified VLAN identifier over VPLS VT interfaces.

NOTE: If you specify a VLAN identifier, you cannot also use the all option. They are mutually exclusive.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
vlan-id-list (Bridge Domains)

Supported Platforms
SRX Series

Syntax
vlan-id-list [vlan-id];

Hierarchy Level
[edit bridge-domains bridge-domain-name]

Release Information
Statement modified in Junos OS Release 9.5.

Description
Specify multiple VLAN identifiers to create a bridge domain for each VLAN identifier.

Options
vlan-id—A list of valid VLAN identifiers. A bridge domain is created for each VLAN identifier in the list.

NOTE: If you specify a VLAN identifier list, you cannot configure an IRB interface in the bridge domain.

Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
vlan-tagging (Interfaces)

Supported Platforms
LN Series, SRX Series

Syntax
vlan-tagging native-vlan-id vlan-id;

Hierarchy Level
[edit interfaces interface]

Release Information
Statement introduced in Junos OS Release 9.5.

Description
Configure the VLAN identifier assigned to untagged packets received on the physical interface of a trunk mode interface.

Options
native-vlan-id—VLAN identifier assigned to untagged packets. Enter a number from 0 through 4094.

NOTE: The native-vlan-id can be configured only when either flexible-vlan-tagging mode or interface-mode trunk is configured.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
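The following set-format configuration is an added example, not part of the Juniper documentation, that puts the native-vlan-id, vlan-tagging, vlan-id (Bridge Domain) and vlan-id-list statements from this chapter together in a transparent-mode deployment. The interface names, the VLAN numbers 10, 20 and 999, the bridge-domain names and the zone names are assumptions chosen for the example.

```junos
# Transparent-mode trunk carrying VLANs 10 and 20. native-vlan-id is accepted
# here only because interface-mode trunk is configured on the unit. Untagged
# frames arriving on ge-0/0/1 are classified into VLAN 999, which no bridge
# domain on this device uses, so they cannot be injected into VLAN 10 or 20.
set interfaces ge-0/0/1 native-vlan-id 999
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list [ 10 20 ]

# Access port in VLAN 10 on the other side of the firewall.
set interfaces ge-0/0/2 unit 0 family bridge interface-mode access
set interfaces ge-0/0/2 unit 0 family bridge vlan-id 10

# One bridge domain per VLAN, using the vlan-id form so that an IRB could be
# added to either domain later.
set bridge-domains bd-10 domain-type bridge
set bridge-domains bd-10 vlan-id 10
set bridge-domains bd-20 domain-type bridge
set bridge-domains bd-20 vlan-id 20

# Equivalent shorthand with vlan-id-list: one bridge domain is created per
# listed VLAN, but an IRB interface is then not permitted in the domain.
# set bridge-domains bd-prod domain-type bridge
# set bridge-domains bd-prod vlan-id-list [ 10 20 ]

# Layer 2 zones hold the bridge logical interfaces; policies are enforced
# between the zones exactly as in routed mode.
set security zones security-zone l2-trust interfaces ge-0/0/1.0
set security zones security-zone l2-untrust interfaces ge-0/0/2.0
```

The point of choosing an otherwise unused VLAN as the native VLAN is that untagged frames from the trunk peer, including the outer frame of a double-tagged frame whose first tag matches a switch's native VLAN, land in a VLAN that is bridged nowhere instead of in a production segment. Keep 999 out of every bridge-domain vlan-id and vlan-id-list on the device for that to hold, and avoid the reverse mistake of leaving the native VLAN equal to a VLAN that carries user traffic.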
CHAPTER 6
Administration

• Operational Commands on page 277

Operational Commands
• clear oam ethernet connectivity-fault-management path-database
• clear oam ethernet connectivity-fault-management statistics
• show interfaces (View J Series and SRX Series)
• show ethernet-switching table (View)
• show ethernet-switching mac-learning-log (View)
• show oam ethernet connectivity-fault-management adjacencies
• show oam ethernet connectivity-fault-management forwarding-state
• show oam ethernet connectivity-fault-management interfaces
• show oam ethernet connectivity-fault-management mep-database
• show oam ethernet connectivity-fault-management mep-statistics
• show oam ethernet connectivity-fault-management mip
• show oam ethernet connectivity-fault-management path-database
• show oam ethernet connectivity-fault-management routes
• show oam ethernet link-fault-management
• show security flow statistics
• show security flow status
• show security policies
• show security zones
clear oam ethernet connectivity-fault-management path-database

Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650

Syntax
clear oam ethernet connectivity-fault-management path-database maintenance-domain md-name maintenance-association ma-name <host mac-addr>

Release Information
Command introduced in Junos OS Release 12.1X44-D10.

Description
Clear the relevant path information from the path database for the specified remote host.

Options
host—(Optional) MAC address of the remote host, in xx:xx:xx:xx:xx:xx format.
maintenance-association—Name of the maintenance association.
maintenance-domain—Name of the maintenance domain.

Required Privilege Level
clear

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• show oam ethernet connectivity-fault-management path-database on page 308

List of Sample Output
clear oam ethernet connectivity-fault-management path-database on page 278

Sample Output
clear oam ethernet connectivity-fault-management path-database
user@host> clear oam ethernet connectivity-fault-management path-database maintenance-domain private maintenance-association private-ma
Path database entries cleared for the remote-host
clear oam ethernet connectivity-fault-management statistics

Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650

Syntax
clear oam ethernet connectivity-fault-management statistics <interface interface-name> <level level>

Release Information
Command introduced in Junos OS Release 12.1X44-D10.

Description
Clear connectivity-fault-management statistics.

Options
interface—(Optional) Clear the statistics on the specified interface.
level—(Optional) Clear the statistics for the specified maintenance-domain level (0 through 7).

Required Privilege Level
view

Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• show oam ethernet connectivity-fault-management mep-statistics on page 304

List of Sample Output
clear oam ethernet connectivity-fault-management statistics on page 279

Output Fields
When you enter this command, you are provided feedback on the status of your request.

Sample Output
clear oam ethernet connectivity-fault-management statistics
user@host> clear oam ethernet connectivity-fault-management statistics
Cleared statistics of all CFM sessions
show interfaces (View J Series and SRX Series)
Supported Platforms
Syntax
Release Information
Description
show interfaces
< interface-name | brief | controller | descriptions | destination-class | detail | diagnostics |
extensive | far-end-interval | filters | flow-statistics | interval | load-balancing |
mac-database | mc-ae | media | policers | queue | redundancy | routing | routing-instance
| snmp-index | source-class | statistics | switch-port | terse | transport | zone>
Command modified in Release 9.5 of Junos OS.
Display status information and statistics about interfaces on J Series and SRX Series
devices running Junos OS.
On SRX Series devices, on configuring identical IPs on a single interface, you will not see
a warning message; instead, you will see a syslog message.
Options
•
interface-name —(Optional) Display standard information about the specified interface.
Following is a list of typical interface names. Replace pim with the PIM slot and port
with the port number. For a complete list, see the Junos OS Layer 2 Bridging and
Switching Library for Security Devices.
•
at- pim/0/port—ATM-over-ADSL or ATM-over-SHDSL interface.
•
br-pim/0/port—Basic Rate Interface for establishing ISDN connections.
•
ce1-pim/0/ port—Channelized E1 interface.
•
cl-0/0/8—3G wireless modem interface for SRX210 devices.
•
ct1-pim/0/port—Channelized T1 interface.
•
dl0—Dialer Interface for initiating ISDN and USB modem connections.
•
e1-pim/0/port—E1 interface.
•
e3-pim/0/port—E3 interface.
•
fe-pim/0/port—Fast Ethernet interface.
•
ge-pim/0/port—Gigabit Ethernet interface.
•
se-pim/0/port—Serial interface.
•
t1-pim/0/port—T1 (also called DS1) interface.
•
t3-pim/0/port—T3 (also called DS3) interface.
•
wx-slot/0/0—WAN acceleration interface, for the WXC Integrated Services Module
(ISM 200).
280
•
brief—(Optional) Display brief output.
•
controller—(Optional) Show controller information.
•
descriptions—(Optional) Display interface description strings.
• destination-class—(Optional) Show statistics for destination class.
• detail—(Optional) Display detailed output.
• diagnostics—(Optional) Show interface diagnostics information.
• extensive—(Optional) Display extensive output.
• far-end-interval—(Optional) Show far end interval statistics.
• filters—(Optional) Show interface filters information.
• flow-statistics—(Optional) Show security flow counters and errors.
• interval—(Optional) Show interval statistics.
• load-balancing—(Optional) Show load-balancing status.
• mac-database—(Optional) Show media access control database information.
• mc-ae—(Optional) Show MC-AE configured interface information.
• media—(Optional) Display media information.
• policers—(Optional) Show interface policers information.
• queue—(Optional) Show queue statistics for this interface.
• redundancy—(Optional) Show redundancy status.
• routing—(Optional) Show routing status.
• routing-instance—(Optional) Name of routing instance.
• snmp-index—(Optional) SNMP index of interface.
• source-class—(Optional) Show statistics for source class.
• statistics—(Optional) Display statistics and detailed output.
• switch-port—(Optional) Front end port number (0..15).
• terse—(Optional) Display terse output.
• transport—(Optional) Show interface transport information.
• zone—(Optional) Interface's zone.
Required Privilege Level
view
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Layer 2 Bridging and Switching Library for Security Devices
• Junos OS Interfaces Library for Security Devices
List of Sample Output
show interfaces Gigabit Ethernet on page 282
show interfaces extensive (Gigabit Ethernet) on page 282
show interfaces terse on page 285
show interfaces extensive (WAN Acceleration) on page 286
show interfaces extensive (3G Wireless Modem) on page 287
Output Fields
Table 8 on page 129 lists the output fields for the show interfaces command. Output fields
are listed in the approximate order in which they appear.
Table 35: show interfaces Output Fields
Field Name—Field Description
Allowed host inbound traffic—The allowed traffic through the interface.
Traffic statistics—Number of packets and bytes transmitted and received on the physical interface.
Local statistics—Number of packets and bytes transmitted and received on the physical interface.
Transit statistics—Number of packets and bytes transiting the physical interface.
Flow input statistics—Statistics on packets received by flow module.
Flow output statistics—Statistics on packets sent by flow module.
Flow error statistics—Statistics on errors in the flow module.
Admin—The interface is enabled (up) or disabled (down).
Sample Output
show interfaces Gigabit Ethernet
user@host> show interfaces ge-0/0/1.0
  Logical interface ge-0/0/1.0 (Index 67) (SNMP ifIndex 36)
    Flags: Device-Down SNMP-Traps Encapsulation: ENET2
    Protocol inet, MTU: 1500
      Flags: None
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 4.4.4/24, Local: 4.4.4.254, Broadcast: 4.4.4.255
    Security: Zone: Untrust, ident-reset: on
    Allowed host-inbound traffic: bfd bgp bootp dhcp dvmrp finger ftp
    http https ike ident-reset igmp ldp mld
    msdp netconf ospf ospf3 pgm pim ping rip
    ripng rlogin router-discovery rpm rsh
    rsvp sap snmp snmp-trap ssh telnet
    traceroute vrrp xnm-clear xnm-ssl
Sample Output
show interfaces extensive (Gigabit Ethernet)
user@host> show interfaces ge-0/0/1.0 extensive
Physical interface: ge-0/0/1, Enabled, Physical link is Down
  Interface index: 135, SNMP ifIndex: 510, Generation: 138
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:1f:12:e4:b1:01, Hardware address: 00:1f:12:e4:b1:01
  Last flapped   : 2015-05-12 08:36:59 UTC (1w1d 22:57 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                    0                    0 bps
   Output bytes  :                    0                    0 bps
   Input  packets:                    0                    0 pps
   Output packets:                    0                    0 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                    0                    0                    0
    1 expedited-fo                   0                    0                    0
    2 assured-forw                   0                    0                    0
    3 network-cont                   0                    0                    0
  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control
  Active alarms  : LINK
  Active defects : LINK
  MAC statistics:                      Receive         Transmit
    Total octets                             0                0
    Total packets                            0                0
    Unicast packets                          0                0
    Broadcast packets                        0                0
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
  Filter statistics:
    Input packet count                       0
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count                                       0
    Output packet pad count                                   0
    Output packet error count                                 0
    CAM destination filters: 2, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Incomplete
  Packet Forwarding Engine configuration:
    Destination slot: 0
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 best-effort            95      950000000    95              0      low    none
    3 network-control         5       50000000     5              0      low    none
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/1.0 (Index 71) (SNMP ifIndex 514) (Generation 136)
    Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Security: Zone: public
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        0
      Connections established :          0
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        0
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 150, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 1.1.1/24, Local: 1.1.1.1, Broadcast: 1.1.1.255,
        Generation: 150
Sample Output
show interfaces terse
user@host> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.209.4.61/18
gr-0/0/0                up    up
ip-0/0/0                up    up
st0                     up    up
st0.1                   up    ready inet
ls-0/0/0                up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
pd-0/0/0                up    up
pe-0/0/0                up    up
e3-1/0/0                up    up
t3-2/0/0                up    up
e1-3/0/0                up    up
se-4/0/0                up    down
t1-5/0/0                up    up
br-6/0/0                up    up
dc-6/0/0                up    up
dc-6/0/0.32767          up    up
bc-6/0/0:1              down  up
bc-6/0/0:1.0            up    down
dl0                     up    up
dl0.0                   up    up   inet
dsc                     up    up
gre                     up    up
ipip                    up    up
lo0                     up    up
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
Sample Output
show interfaces extensive (WAN Acceleration)
user@host> show interfaces wx-6/0/0 extensive
Physical interface: wx-6/0/0, Enabled, Physical link is Up
  Interface index: 142, SNMP ifIndex: 41, Generation: 143
  Type: PIC-Peer, Link-level type: PIC-Peer, MTU: 1522, Clocking: Unspecified,
  Speed: 1000mbps
  Device flags   : Present Running
  Interface flags: Point-To-Point Promiscuous SNMP-Traps Internal: 0x4000
  Link type      : Full-Duplex
  Link flags     : None
  Physical info  : Unspecified
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: Unspecified, Hardware address: Unspecified
  Alternate link address: Unspecified
  Last flapped   : 2007-08-01 05:19:35 UTC (02:12:04 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                58427                    0 bps
   Output bytes  :               115078                    0 bps
   Input  packets:                  847                    0 pps
   Output packets:                  972                    0 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0,
    Policed discards: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, MTU errors: 0,
    Resource errors: 0

  Logical interface wx-6/0/0.0 (Index 68) (SNMP ifIndex 43) (Generation 135)
    Flags: Point-To-Point SNMP-Traps Encapsulation: PIC-Peering
    Security: Zone: wx-zone
    Allowed host-inbound traffic : any-service bootp bfd bgp dns dvmrp
    igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp
    finger ftp tftp ident-reset http https ike netconf ping rlogin rpm rsh snmp
    snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Bytes permitted by policy :        70137
      Connections established :          4
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        2866
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 141, Route table: 0
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.87.13.2, Local: 3.3.3.3, Broadcast: Unspecified,
        Generation: 142
Sample Output
show interfaces extensive (3G Wireless Modem)
user@host> show interfaces cl-0/0/8 extensive
Physical interface: cl-0/0/8, Enabled, Physical link is Up
  Interface index: 67, SNMP ifIndex: 25, Generation: 4
  Type: Async-Serial, Link-level type: PPP-Subordinate, MTU: 1504,
  Clocking: Unspecified, Speed: MODEM
  Device flags   : Present Running
  Interface flags: Point-To-Point SNMP-Traps Internal: 0x4000
  Link flags     : None
  Hold-times     : Up 0 ms, Down 0 ms
  CoS queues     : 8 supported, 8 maximum usable queues
  Last flapped   : Never
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                    0                    0 bps
   Output bytes  :                  868                    0 bps
   Input  packets:                    0                    0 pps
   Output packets:                   16                    0 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0,
    Policed discards: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, MTU errors: 0,
    Resource errors: 0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                    6                    6                    0
    1 expedited-fo                   0                    0                    0
    2 assured-forw                   0                    0                    0
    3 network-cont                  10                   10                    0
  MODEM status:
    Modem type                    : Sierra-USB-3G Data/Fax Modem Version 2.27m
    Initialization command string : ATS0=2
    Initialization status         : Ok
    Call status                   : Connected to 14591
    Call duration                 : 134316 seconds
    Call direction                : Dialout
    Baud rate                     : <x> bps
show ethernet-switching table (View)
Supported Platforms
LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax
show ethernet-switching table (brief | detail | extensive) interface interface-name
Release Information
Command introduced in Release 9.5 of Junos OS.
Description
Displays the Ethernet switching table.
Options
• none—(Optional) Display brief information about the Ethernet-switching table.
• brief | detail | extensive—(Optional) Display the specified level of output.
• interface-name—(Optional) Display the Ethernet-switching table for a specific interface.
Required Privilege Level
view
Related Documentation
• Port Security Overview on page 184
• Understanding MAC Limiting on page 185
Output Fields
Table 36 on page 288 lists the output fields for the show ethernet-switching table
command. Output fields are listed in the approximate order in which they appear.
Table 36: show ethernet-switching table Output Fields
Field Name—Field Description
VLAN—The name of a VLAN.
MAC address—The MAC address associated with the VLAN.
Type—The type of MAC address. Values are:
  • static—The MAC address is manually created.
  • learn—The MAC address is learned dynamically from a packet's source MAC address.
  • flood—The MAC address is unknown and flooded to all members.
Age—The time remaining before the entry ages out and is removed from the Ethernet switching table.
Interfaces—Interface associated with learned MAC addresses or All-members (flood entry).
Learned—For learned entries, the time at which the entry was added to the Ethernet-switching table.
Sample Output
show ethernet-switching table
user@host> show ethernet-switching table
Ethernet-switching table: 57 entries, 17 learned
VLAN MAC address Type Age Interfaces
F2 * Flood - All-members
F2 00:00:05:00:00:03 Learn 0 ge-0/0/44.0
F2 00:19:e2:50:7d:e0 Static - Router
Linux * Flood - All-members
Linux 00:19:e2:50:7d:e0 Static - Router
Linux 00:30:48:90:54:89 Learn 0 ge-0/0/47.0
T1 * Flood - All-members
T1 00:00:05:00:00:01 Learn 0 ge-0/0/46.0
T1 00:00:5e:00:01:00 Static - Router
T1 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T1 00:19:e2:50:7d:e0 Static - Router
T10 * Flood - All-members
T10 00:00:5e:00:01:09 Static - Router
T10 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T10 00:19:e2:50:7d:e0 Static - Router
T111 * Flood - All-members
T111 00:19:e2:50:63:e0 Learn 0 ge-0/0/15.0
T111 00:19:e2:50:7d:e0 Static - Router
T111 00:19:e2:50:ac:00 Learn 0 ge-0/0/15.0
T2 * Flood - All-members
T2 00:00:5e:00:01:01 Static - Router
T2 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T2 00:19:e2:50:7d:e0 Static - Router
T3 * Flood - All-members
T3 00:00:5e:00:01:02 Static - Router
T3 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T3 00:19:e2:50:7d:e0 Static - Router
T4 * Flood - All-members
T4 00:00:5e:00:01:03 Static - Router
T4 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
[output truncated]
Sample Output
show ethernet-switching table brief
user@host> show ethernet-switching table brief
Ethernet-switching table: 57 entries, 17 learned
VLAN MAC address Type Age Interfaces
F2 * Flood - All-members
F2 00:00:05:00:00:03 Learn 0 ge-0/0/44.0
F2 00:19:e2:50:7d:e0 Static - Router
Linux * Flood - All-members
Linux 00:19:e2:50:7d:e0 Static - Router
Linux 00:30:48:90:54:89 Learn 0 ge-0/0/47.0
T1 * Flood - All-members
T1 00:00:05:00:00:01 Learn 0 ge-0/0/46.0
T1 00:00:5e:00:01:00 Static - Router
T1 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T1 00:19:e2:50:7d:e0 Static - Router
T10 * Flood - All-members
T10 00:00:5e:00:01:09 Static - Router
T10 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T10 00:19:e2:50:7d:e0 Static - Router
T111 * Flood - All-members
T111 00:19:e2:50:63:e0 Learn 0 ge-0/0/15.0
T111 00:19:e2:50:7d:e0 Static - Router
T111 00:19:e2:50:ac:00 Learn 0 ge-0/0/15.0
T2 * Flood - All-members
T2 00:00:5e:00:01:01 Static - Router
T2 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T2 00:19:e2:50:7d:e0 Static - Router
T3 * Flood - All-members
T3 00:00:5e:00:01:02 Static - Router
T3 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T3 00:19:e2:50:7d:e0 Static - Router
T4 * Flood - All-members
T4 00:00:5e:00:01:03 Static - Router
T4 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
[output truncated]
Sample Output
show ethernet-switching table detail
user@host> show ethernet-switching table detail
Ethernet-switching table: 57 entries, 17 learned
F2, *
Interface(s): ge-0/0/44.0
Type: Flood
F2, 00:00:05:00:00:03
Interface(s): ge-0/0/44.0
Type: Learn, Age: 0, Learned: 2:03:09
F2, 00:19:e2:50:7d:e0
Interface(s): Router
Type: Static
Linux, *
Interface(s): ge-0/0/47.0
Type: Flood
Linux, 00:19:e2:50:7d:e0
Interface(s): Router
Type: Static
Linux, 00:30:48:90:54:89
Interface(s): ge-0/0/47.0
Type: Learn, Age: 0, Learned: 2:03:08
T1, *
Interface(s): ge-0/0/46.0
Type: Flood
T1, 00:00:05:00:00:01
Interface(s): ge-0/0/46.0
Type: Learn, Age: 0, Learned: 2:03:07
T1, 00:00:5e:00:01:00
Interface(s): Router
Type: Static
T1, 00:19:e2:50:63:e0
Interface(s): ge-0/0/46.0
Type: Learn, Age: 0, Learned: 2:03:07
T1, 00:19:e2:50:7d:e0
Interface(s): Router
Type: Static
T10, *
Interface(s): ge-0/0/46.0
Type: Flood
T10, 00:00:5e:00:01:09
Interface(s): Router
Type: Static
T10, 00:19:e2:50:63:e0
Interface(s): ge-0/0/46.0
Type: Learn, Age: 0, Learned: 2:03:08
T10, 00:19:e2:50:7d:e0
Interface(s): Router
Type: Static
T111, *
Interface(s): ge-0/0/15.0
Type: Flood
[output truncated]
Sample Output
show ethernet-switching table extensive
user@host> show ethernet-switching table extensive
Ethernet-switching table: 57 entries, 17 learned
F2, *
Interface(s): ge-0/0/44.0
Type: Flood
F2, 00:00:05:00:00:03
Interface(s): ge-0/0/44.0
Type: Learn, Age: 0, Learned: 2:03:09
F2, 00:19:e2:50:7d:e0
Interface(s): Router
Type: Static
Linux, *
Interface(s): ge-0/0/47.0
Type: Flood
Linux, 00:19:e2:50:7d:e0
Interface(s): Router
Type: Static
Linux, 00:30:48:90:54:89
Interface(s): ge-0/0/47.0
Type: Learn, Age: 0, Learned: 2:03:08
T1, *
Interface(s): ge-0/0/46.0
Type: Flood
T1, 00:00:05:00:00:01
Interface(s): ge-0/0/46.0
Type: Learn, Age: 0, Learned: 2:03:07
T1, 00:00:5e:00:01:00
Interface(s): Router
Type: Static
T1, 00:19:e2:50:63:e0
Interface(s): ge-0/0/46.0
Type: Learn, Age: 0, Learned: 2:03:07
T1, 00:19:e2:50:7d:e0
Interface(s): Router
Type: Static
T10, *
Interface(s): ge-0/0/46.0
Type: Flood
T10, 00:00:5e:00:01:09
Interface(s): Router
Type: Static
T10, 00:19:e2:50:63:e0
Interface(s): ge-0/0/46.0
Type: Learn, Age: 0, Learned: 2:03:08
T10, 00:19:e2:50:7d:e0
Interface(s): Router
Type: Static
T111, *
Interface(s): ge-0/0/15.0
Type: Flood
[output truncated]
Sample Output
show ethernet-switching table interface ge-0/0/1
user@host> show ethernet-switching table interface ge-0/0/1
Ethernet-switching table: 1 unicast entries
  VLAN              MAC address       Type         Age Interfaces
  V1                *                 Flood          - All-members
  V1                00:00:05:00:00:05 Learn          0 ge-0/0/1.0
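The table rows above are what a per-interface MAC limit (see "Understanding MAC Limiting", referenced under Related Documentation) acts on. The following Python is an added example, not Juniper code: it parses the brief table format, counts dynamically learned MACs per interface, and reports interfaces above a chosen limit. The sample input reuses rows from the output shown above plus a constructed VLAN T99 whose port ge-0/0/5.0 has learned three MACs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of `show ethernet-switching table brief`:
# rows from the output above, plus a constructed VLAN T99 on port ge-0/0/5.0.
SAMPLE_TABLE = """\
Ethernet-switching table: 57 entries, 17 learned
  VLAN              MAC address       Type         Age Interfaces
  F2                *                 Flood          - All-members
  F2                00:00:05:00:00:03 Learn          0 ge-0/0/44.0
  F2                00:19:e2:50:7d:e0 Static         - Router
  Linux             *                 Flood          - All-members
  Linux             00:19:e2:50:7d:e0 Static         - Router
  Linux             00:30:48:90:54:89 Learn          0 ge-0/0/47.0
  T1                *                 Flood          - All-members
  T1                00:00:05:00:00:01 Learn          0 ge-0/0/46.0
  T1                00:00:5e:00:01:00 Static         - Router
  T1                00:19:e2:50:63:e0 Learn          0 ge-0/0/46.0
  T1                00:19:e2:50:7d:e0 Static         - Router
  T99               *                 Flood          - All-members
  T99               02:00:00:00:00:01 Learn          0 ge-0/0/5.0
  T99               02:00:00:00:00:02 Learn          0 ge-0/0/5.0
  T99               02:00:00:00:00:03 Learn          0 ge-0/0/5.0
"""

# One table row: VLAN, MAC (or * for the flood entry), Type, Age (- or seconds),
# and the interface (or All-members / Router).
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\S+)\s+(?P<mac>\*|(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<type>Flood|Learn|Static)\s+(?P<age>-|\d+)\s+(?P<iface>\S+)\s*$",
    re.IGNORECASE,
)


def parse_switching_table(text):
    """Parse `show ethernet-switching table [brief]` output into a list of row dicts.

    The summary line, the column header and blank lines do not match ROW_RE and
    are skipped. Age becomes an int, or None for the '-' of static/flood rows.
    """
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["mac"] = row["mac"].lower()
        row["type"] = row["type"].capitalize()
        row["age"] = None if row["age"] == "-" else int(row["age"])
        rows.append(row)
    return rows


def summarize_by_type(rows):
    """Count of entries per Type (Flood / Learn / Static)."""
    return dict(Counter(row["type"] for row in rows))


def learned_macs_by_interface(rows):
    """Map each interface to the set of dynamically learned MACs, across all VLANs."""
    learned = defaultdict(set)
    for row in rows:
        if row["type"] == "Learn":
            learned[row["iface"]].add(row["mac"])
    return dict(learned)


def interfaces_over_mac_limit(rows, mac_limit):
    """Interfaces whose learned-MAC count exceeds mac_limit.

    This is the per-interface count a configured MAC limit enforces; reporting it
    from the table lets an operator audit access ports before setting the limit.
    """
    learned = learned_macs_by_interface(rows)
    return sorted(iface for iface, macs in learned.items() if len(macs) > mac_limit)


if __name__ == "__main__":
    table = parse_switching_table(SAMPLE_TABLE)
    print(len(table), "rows:", summarize_by_type(table))
    print("interfaces over a limit of 2:", interfaces_over_mac_limit(table, 2))
```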
show ethernet-switching mac-learning-log (View)
Supported Platforms
LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax
show ethernet-switching mac-learning-log
Release Information
Command introduced in Release 9.5 of Junos OS.
Description
Displays the event log of learned MAC addresses.
Required Privilege Level
view
Related Documentation
• Understanding MAC Limiting on page 185
• Ethernet Interfaces Feature Guide for Security Devices
Output Fields
Table 37 on page 293 lists the output fields for the show ethernet-switching
mac-learning-log command. Output fields are listed in the approximate order in which
they appear.
Table 37: show ethernet-switching mac-learning-log Output Fields
Field Name—Field Description
Date and Time—Timestamp when the MAC address was added or deleted from the log.
VLAN-IDX—VLAN index. An internal value assigned by Junos OS for each VLAN.
MAC—Learned MAC address.
Deleted | Added—MAC address deleted or added to the MAC learning log.
Blocking—The forwarding state of the interface:
  • blocked—Traffic is not being forwarded on the interface.
  • unblocked—Traffic is forwarded on the interface.
Sample Output
show ethernet-switching mac-learning-log
user@host> show ethernet-switching mac-learning-log
Wed Mar 18 08:07:05 2009  vlan_idx 7 mac 00:00:00:00:00:00 was deleted
Wed Mar 18 08:07:05 2009  vlan_idx 9 mac 00:00:00:00:00:00 was deleted
Wed Mar 18 08:07:05 2009  vlan_idx 10 mac 00:00:00:00:00:00 was deleted
Wed Mar 18 08:07:05 2009  vlan_idx 11 mac 00:00:00:00:00:00 was deleted
Wed Mar 18 08:07:05 2009  vlan_idx 12 mac 00:00:00:00:00:00 was deleted
Wed Mar 18 08:07:05 2009  vlan_idx 13 mac 00:00:00:00:00:00 was deleted
Wed Mar 18 08:07:05 2009  vlan_idx 14 mac 00:00:00:00:00:00 was deleted
Wed Mar 18 08:07:05 2009  vlan_idx 15 mac 00:00:00:00:00:00 was deleted
Wed Mar 18 08:07:05 2009  vlan_idx 16 mac 00:00:00:00:00:00 was deleted
Wed Mar 18 08:07:05 2009  vlan_idx 4 mac 00:00:00:00:00:00 was added
Wed Mar 18 08:07:05 2009  vlan_idx 6 mac 00:00:00:00:00:00 was added
Wed Mar 18 08:07:05 2009  vlan_idx 7 mac 00:00:00:00:00:00 was added
Wed Mar 18 08:07:05 2009  vlan_idx 9 mac 00:00:00:00:00:00 was added
Wed Mar 18 08:07:05 2009  vlan_idx 10 mac 00:00:00:00:00:00 was added
Wed Mar 18 08:07:05 2009  vlan_idx 11 mac 00:00:00:00:00:00 was added
Wed Mar 18 08:07:05 2009  vlan_idx 12 mac 00:00:00:00:00:00 was added
Wed Mar 18 08:07:05 2009  vlan_idx 13 mac 00:00:00:00:00:00 was added
Wed Mar 18 08:07:05 2009  vlan_idx 14 mac 00:00:00:00:00:00 was added
Wed Mar 18 08:07:05 2009  vlan_idx 15 mac 00:00:00:00:00:00 was added
Wed Mar 18 08:07:05 2009  vlan_idx 16 mac 00:00:00:00:00:00 was added
Wed Mar 18 08:07:05 2009  vlan_idx 5 mac 00:00:00:00:00:00 was added
Wed Mar 18 08:07:05 2009  vlan_idx 18 mac 00:00:05:00:00:05 was learned
Wed Mar 18 08:07:05 2009  vlan_idx 5 mac 00:30:48:90:54:89 was learned
Wed Mar 18 08:07:05 2009  vlan_idx 6 mac 00:00:5e:00:01:00 was learned
Wed Mar 18 08:07:05 2009  vlan_idx 16 mac 00:00:5e:00:01:08 was learned
Wed Mar 18 08:07:05 2009  vlan_idx 7 mac 00:00:5e:00:01:09 was learned
Wed Mar 18 08:07:05 2009  vlan_idx 8 mac 00:19:e2:50:ac:00 was learned
Wed Mar 18 08:07:05 2009  vlan_idx 12 mac 00:00:5e:00:01:04 was learned
[output truncated]
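The learning log above records each learned, added and deleted event with a timestamp, which makes it the place to look for MAC churn (a host address learned and deleted over and over, the pattern of a forwarding loop or a host moving between ports). The following Python is an added example, not Juniper code: it parses lines in this log format, counts event kinds, and flags (vlan_idx, MAC) pairs with repeated learned/deleted events inside a short window. The sample log reuses a few lines from the output above and adds a constructed burst for a constructed MAC 02:00:00:00:00:aa on vlan_idx 18; the window and event threshold are assumed values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of `show ethernet-switching mac-learning-log`:
# lines from the output above plus a constructed burst on vlan_idx 18.
SAMPLE_LOG = """\
Wed Mar 18 08:07:05 2009  vlan_idx 7 mac 00:00:00:00:00:00 was deleted
Wed Mar 18 08:07:05 2009  vlan_idx 7 mac 00:00:00:00:00:00 was added
Wed Mar 18 08:07:05 2009  vlan_idx 18 mac 00:00:05:00:00:05 was learned
Wed Mar 18 08:07:05 2009  vlan_idx 5 mac 00:30:48:90:54:89 was learned
Wed Mar 18 08:07:05 2009  vlan_idx 6 mac 00:00:5e:00:01:00 was learned
Wed Mar 18 08:07:06 2009  vlan_idx 18 mac 02:00:00:00:00:aa was learned
Wed Mar 18 08:07:07 2009  vlan_idx 18 mac 02:00:00:00:00:aa was deleted
Wed Mar 18 08:07:08 2009  vlan_idx 18 mac 02:00:00:00:00:aa was learned
Wed Mar 18 08:07:09 2009  vlan_idx 18 mac 02:00:00:00:00:aa was deleted
Wed Mar 18 08:07:10 2009  vlan_idx 18 mac 02:00:00:00:00:aa was learned
Wed Mar 18 08:09:00 2009  vlan_idx 5 mac 00:30:48:90:54:89 was deleted
"""

TIMESTAMP_FMT = "%a %b %d %H:%M:%S %Y"
TS = r"\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
EVENT_RE = re.compile(
    rf"^(?P<ts>{TS})\s+vlan_idx (?P<vlan_idx>\d+) mac "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) was (?P<event>learned|added|deleted)$",
    re.IGNORECASE,
)
TS_ONLY_RE = re.compile(rf"^{TS}$")


def parse_mac_learning_log(text):
    """Parse the log into dicts with ts (datetime), vlan_idx (int), mac and event.

    A capture where the timestamp was wrapped onto its own line (as in a printed
    or paginated copy) is also accepted: the timestamp is held and joined with
    the following line. Lines that match neither form are skipped.
    """
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_ONLY_RE.match(line):
            pending = line
            continue
        if pending:
            line, pending = f"{pending} {line}", None
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts_text = re.sub(r" +", " ", m.group("ts"))  # "Mar  8" -> "Mar 8"
        records.append({
            "ts": datetime.strptime(ts_text, TIMESTAMP_FMT),
            "vlan_idx": int(m.group("vlan_idx")),
            "mac": m.group("mac").lower(),
            "event": m.group("event").lower(),
        })
    return records


def event_counts(records):
    """How many learned / added / deleted events the log holds."""
    return dict(Counter(r["event"] for r in records))


def flapping_macs(records, min_events=4, window=timedelta(seconds=10)):
    """(vlan_idx, mac) pairs with at least min_events learned/deleted events inside
    any window-long span. All-zero MACs, which in the output above accompany the
    added/deleted entries, carry no host address and are ignored."""
    times = defaultdict(list)
    for r in records:
        if r["mac"] != "00:00:00:00:00:00" and r["event"] in ("learned", "deleted"):
            times[(r["vlan_idx"], r["mac"])].append(r["ts"])
    flapping = []
    for key, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_events:
                flapping.append(key)
                break
    return sorted(flapping)


if __name__ == "__main__":
    recs = parse_mac_learning_log(SAMPLE_LOG)
    print(event_counts(recs))
    print("flapping:", flapping_macs(recs))
```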
show oam ethernet connectivity-fault-management adjacencies
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
Syntax
show oam ethernet connectivity-fault-management adjacencies
<interface-name>
Release Information
Statement introduced in Junos OS Release 12.1X44-D10.
Description
Display connectivity-fault-management adjacencies.
Options
interface-name—Displays the name of the interface.
Required Privilege Level
view
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
List of Sample Output
show oam ethernet connectivity-fault-management adjacencies on page 295
Output Fields
Table 38 on page 295 lists the output fields for the show oam ethernet
connectivity-fault-management adjacencies command. Output fields are listed in the
approximate order in which they appear.
Table 38: show oam ethernet connectivity-fault-management adjacencies Output Fields
Field Name—Field Description
Mep-id—Maintenance association end point (MEP) identifier.
Interface—Interface identifier.
State—Indicates if the connectivity check protocol is up.
Timer to Expire—Indicates the expiration time.
Sample Output
show oam ethernet connectivity-fault-management adjacencies
user@host> show oam ethernet connectivity-fault-management adjacencies
Mep-id    Interface      State    Timer to Expire
101       fe-0/0/4.0     ok       29
show oam ethernet connectivity-fault-management forwarding-state
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
Syntax
show oam ethernet connectivity-fault-management forwarding-state
<interface>
Release Information
Statement introduced in Junos OS Release 12.1X44-D10.
Description
Display the Ethernet OAM forwarding state for received packets.
Options
<interface>—Displays the Ethernet OAM state for an interface.
Required Privilege Level
view
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
List of Sample Output
show oam ethernet connectivity-fault-management forwarding-state on page 296
Output Fields
Table 39 on page 296 lists the output fields for the show oam ethernet
connectivity-fault-management forwarding-state command. Output fields are listed in
the approximate order in which they appear.
Table 39: show oam ethernet connectivity-fault-management forwarding-state Output Fields
Field Name—Field Description
Interface name—Interface identifier.
Level—Maintenance domain level.
Direction—MEP direction configured.
Filter action—Filter action for messages at the level.
Nexthop type—Next-hop type.
Nexthop index—Next-hop index number.
Sample Output
show oam ethernet connectivity-fault-management forwarding-state
user@host> show oam ethernet connectivity-fault-management forwarding-state interface
Interface name: ge-0/0/1.0 vlan:100
Instance name: INSTANCE_0 bd_vlan_100
Maintenance domain forwarding state:
Level  Direction  Filter action  Nexthop type  Nexthop index
0                 Drop           Discard
1                 Drop           Discard
2                 Drop           Discard
3                 Drop           Discard
4                 Drop           Discard
5                 Drop           Discard
6                 Drop           Discard
7      down       Receive        Receive
show oam ethernet connectivity-fault-management interfaces
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
Syntax
show oam ethernet connectivity-fault-management interfaces
<interface name>
Release Information
Statement introduced in Junos OS Release 12.1X44-D10.
Description
Display Ethernet OAM information for the specified interface.
Options
<interface name>—Displays connectivity fault management information for the specified
interface.
Required Privilege Level
view
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
List of Sample Output
show oam ethernet connectivity-fault-management interfaces on page 298
Output Fields
Table 40 on page 298 lists the output fields for the show oam ethernet
connectivity-fault-management interfaces command. Output fields are listed in the
approximate order in which they appear.
Table 40: show oam ethernet connectivity-fault-management interfaces Output Fields
Field Name—Field Description
Interfaces—Interface identifier.
Link—The local link status is Up, down, or oam-down.
Status—The status is active or inactive.
Level—Maintenance domain level configured.
MEP Identifier—Maintenance association end point (MEP) identifier.
Neighbors—Number of MEP neighbors.
Sample Output
show oam ethernet connectivity-fault-management interfaces
user@host> show oam ethernet connectivity-fault-management interfaces
Interfaces    Link   Status   Level   MEP Identifier   Neighbours
ge-0/0/1.0    Up     Active   7       1000             0
show oam ethernet connectivity-fault-management mep-database
Supported Platforms
Syntax
Release Information
Description
Options
SRX210, SRX220, SRX240, SRX550, SRX650
show oam ethernet connectivity-fault-management mep-database
Statement introduced in Junos OS Release 12.1X44-D10.
Displays Ethernet OAM maintenance endpoint database information.
<local-mep>—Identifier for local maintenance endpoint (1 through 8191).
maintenance-association —Name of the maintenance association.
maintenance-domain —Name of the maintenance domain.
remote-mep —Identifier for remote maintenance endpoint (1 through 8191).
Required Privilege
Level
Related
Documentation
List of Sample Output
Output Fields
View
•
Ethernet Port Switching Feature Guide for Security Devices
show oam ethernet connectivity-fault- management mep-database on page 302
Table 41 on page 300 lists the output fields for the show oam ethernet
connectivity-fault-management mep-database command. Output fields are listed in the
approximate order in which they appear.
Table 41: show oam ethernet connectivity-fault-management mep-database Output Fields
Field Name
Field Description
Maintenance domain name
Maintenance domain name.
Format (Maintenance domain)
Maintenance domain name format configured.
Level
Maintenance domain level configured.
Maintenance association name
Maintenance association name.
Format (Maintenance association)
Maintenance association name format configured.
Continuity-check status
Continuity check status.
Interval
Continuity check message interval.
MEP identifier
Maintenance association end point (MEP) identifier.
Direction
MEP direction configured.
300
Copyright © 2016, Juniper Networks, Inc.
Chapter 6: Administration
Table 41: show oam ethernet connectivity-fault-management mep-database Output
Fields (continued)
Field Name
Field Description
MAC address
MAC address configured for the MEP.
Auto-discovery
Indicates whether automatic discovery is enabled or disabled.
Priority
Priority used for CCMs and linktrace messages transmitted by the MEP.
Interface name
Interface identifier.
Interface status
Local interface status.
Link status
Local link status.
Remote MEP not receiving CCM
Indicates that the remote MEP is not receiving CCMs.
Erroneous CCM received
Indicates that erroneous CCMs have been received.
Cross-connect CCM received
Indicates that cross-connect CCMs have been received.
RDI sent by some MEP
Indicates that the remote defect indication (RDI) bit is set in messages that have
been received. The absence of the RDI bit in a CCM indicates that the transmitting
MEP is receiving CCMs from all configured MEPs.
CCMs sent
Number of CCMs transmitted.
CCMs received out of sequence
Number of CCMs received out of sequence.
LBMs sent
Number of loopback messages (LBMs) sent.
Valid in-order LBRs received
Number of loopback response messages (LBRs) received that were valid messages
and in sequence.
Valid out-of-order LBRs received
Number of LBRs received that were valid messages and not in sequence.
LBRs received with corrupted data
Number of LBRs received that were corrupted.
LBRs sent
Number of LBRs transmitted.
LTMs sent
Linktrace messages (LTMs) transmitted.
LTMs received
Linktrace messages received.
LTRs sent
Linktrace responses (LTRs) transmitted.
LTRs received
Linktrace responses received.
Sequence number of next LTM request
Sequence number of the next linktrace message request to be transmitted.
Copyright © 2016, Juniper Networks, Inc.
301
Layer 2 Bridging and Switching Library for Security Devices
Table 41: show oam ethernet connectivity-fault-management mep-database Output
Fields (continued)
Field Name
Field Description
1DMs sent
If the MEP is an initiator for a one-way ETH-DM session, then this is the number of
one-way delay measurement (1DM) PDU frames sent to the peer MEP in this
session.
For all other cases, this field displays 0.
Valid 1DMs received
If the MEP is a receiver for a one-way ETH-DM session, then this is the number of
valid 1DM frames received.
For all other cases, this field displays 0.
Invalid 1DMs received
If the MEP is a receiver for a one-way ETH-DM session, then this is the number of
invalid 1DM frames received.
For all other cases, this field displays 0.
DMMs sent
If the MEP is an initiator for a two-way ETH-DM session, then this is the number of
Delay Measurement Message (DMM) PDU frames sent to the peer MEP in this
session. For all other cases, this field displays 0.
DMRs sent
If the MEP is a responder for a ETH-DM session, then this is the number of Delay
Measurement Reply (DMR) frames sent.
For all other cases, this field displays 0.
Valid DMRs received
If the MEP is an initiator for a two-way ETH-DM session, then this is the number of
valid DMRs received.
For all other cases, this field displays 0.
Invalid DMRs received
If the MEP is an initiator for a two-way ETH-DM session, then this is the number of
invalid DMRs received.
For all other cases, this field displays 0.
Sample Output
show oam ethernet connectivity-fault-management mep-database
user@host> show oam ethernet connectivity-fault-management mep-database maintenance-domain Customer1
Maintenance domain name: Customer1, Format: string, Level: 7
  Maintenance association name: Track_vlan_100, Format: string
  Continuity-check status: enabled, Interval: 1s
    MEP identifier: 1000, Direction: down, MAC address: 80:71:1f:ad:53:81
    Auto-discovery: disabled, Priority: 0
    Interface name: ge-0/0/1.0, Interface status: Active, Link status: Up
    Defects:
      Remote MEP not receiving CCM          : no
      Erroneous CCM received                : no
      Cross-connect CCM received            : no
      RDI sent by some MEP                  : no
    Statistics:
      CCMs sent                             : 170114
      CCMs received out of sequence         : 0
      LBMs sent                             : 0
      Valid in-order LBRs received          : 0
      Valid out-of-order LBRs received      : 0
      LBRs received with corrupted data     : 0
      LBRs sent                             : 0
      LTMs sent                             : 0
      LTMs received                         : 1
      LTRs sent                             : 1
      LTRs received                         : 0
      Sequence number of next LTM request   : 0
      1DMs sent                             : 0
      Valid 1DMs received                   : 0
      Invalid 1DMs received                 : 0
      DMMs sent                             : 0
      DMRs sent                             : 0
      Valid DMRs received                   : 0
      Invalid DMRs received                 : 0
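The defect flags and counters above are what a monitoring job polls to catch a broken or mis-wired maintenance association. A cross-connect CCM, for example, is a CCM that arrived with a maintenance association identifier or level that does not belong to this MA, which is what a mis-patched or leaked VLAN looks like at Layer 2; corrupted LBRs and out-of-sequence CCMs point at a faulty or tampered path. The Python below is an added example written for this page, not part of the Junos documentation or software. It parses output in the layout of the sample above (its sample text is constructed, with one defect and two non-zero counters set on purpose) and returns the findings an operator would alert on. The function names and the list of counters it treats as suspicious are the editor's choices, not a Juniper recommendation.

```python
"""Health check over 'show oam ethernet connectivity-fault-management mep-database' output."""
import re

# Constructed sample in the layout of the reference output above (not captured from a device).
SAMPLE = """\
Maintenance domain name: Customer1, Format: string, Level: 7
  Maintenance association name: Track_vlan_100, Format: string
  Continuity-check status: enabled, Interval: 1s
    MEP identifier: 1000, Direction: down, MAC address: 80:71:1f:ad:53:81
    Auto-discovery: disabled, Priority: 0
    Interface name: ge-0/0/1.0, Interface status: Active, Link status: Up
    Defects:
      Remote MEP not receiving CCM          : no
      Erroneous CCM received                : no
      Cross-connect CCM received            : yes
      RDI sent by some MEP                  : no
    Statistics:
      CCMs sent                             : 170114
      CCMs received out of sequence         : 3
      LBMs sent                             : 0
      Valid in-order LBRs received          : 0
      Valid out-of-order LBRs received      : 0
      LBRs received with corrupted data     : 2
      LBRs sent                             : 0
      LTMs sent                             : 0
      LTMs received                         : 1
      LTRs sent                             : 1
      LTRs received                         : 0
      Sequence number of next LTM request   : 0
      1DMs sent                             : 0
      Valid 1DMs received                   : 0
      Invalid 1DMs received                 : 0
      DMMs sent                             : 0
      DMRs sent                             : 0
      Valid DMRs received                   : 0
      Invalid DMRs received                 : 0
"""

# One "Name   : value" row of the Defects or Statistics block.
KV = re.compile(r"^\s*(.+?)\s*:\s*(\S+)\s*$")

def parse_mep_database(text):
    """Return a dict with the header fields flattened in, plus
    'defects' (name -> bool) and 'stats' (name -> int)."""
    mep = {"defects": {}, "stats": {}}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Defects:":
            section = "defects"
            continue
        if stripped == "Statistics:":
            section = "stats"
            continue
        if section is None:
            # Header lines are comma-separated "Key: value" pairs; a MAC address
            # contains colons itself, so split each pair on the first colon only.
            for part in stripped.split(","):
                if ":" in part:
                    key, value = part.split(":", 1)
                    mep[key.strip()] = value.strip()
            continue
        m = KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if section == "defects":
            mep["defects"][key] = value.lower() == "yes"
        else:
            mep["stats"][key] = int(value)
    return mep

# Counters that stay at zero on a healthy, undisturbed MA (editor's assumption).
SUSPICIOUS_COUNTERS = (
    "CCMs received out of sequence",
    "LBRs received with corrupted data",
    "Invalid 1DMs received",
    "Invalid DMRs received",
)

def check_mep(mep):
    """Return a list of findings; an empty list means no defect flag is set
    and none of the suspicious counters is above zero."""
    findings = []
    for name, active in mep["defects"].items():
        if active:
            findings.append(f"defect: {name}")
    for name in SUSPICIOUS_COUNTERS:
        if mep["stats"].get(name, 0) > 0:
            findings.append(f"counter: {name} = {mep['stats'][name]}")
    return findings

if __name__ == "__main__":
    parsed = parse_mep_database(SAMPLE)
    for finding in check_mep(parsed):
        print(f"MEP {parsed['MEP identifier']} ({parsed['Interface name']}): {finding}")
```

Feed it the text of the command for each maintenance domain you care about; any non-empty list from check_mep is worth a ticket, and a cross-connect defect in particular should be traced back to the MEP that sent the foreign CCM before it is cleared.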
show oam ethernet connectivity-fault-management mep-statistics
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
Syntax
show oam ethernet connectivity-fault-management mep-statistics
  count
  local-mep
  maintenance-association
  maintenance-domain
  remote-mep
Release Information
Statement introduced in Junos OS Release 12.1X44-D10.
Description
Display Ethernet OAM maintenance endpoint statistics.
NOTE: The delay measurement (DM) statistics are not valid for SRX Series devices, which support only the IEEE 802.1ag standard (delay measurement is an ITU-T Y.1731 function), so the 1DM, DMM and DMR counters carry no meaning on these platforms.
Options
count —Number of statistics per maintenance endpoint (1 through 100).
local-mep —Identifier for local maintenance endpoint (1 through 8191).
maintenance-association—Name of maintenance association.
maintenance-domain—Name of maintenance domain.
remote-mep —Identifier for remote maintenance endpoint (1 through 8191).
Required Privilege Level
view
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
List of Sample Output
show oam ethernet connectivity-fault-management mep-statistics on page 306
Output Fields
Table 42 on page 304 lists the output fields for the show oam ethernet connectivity-fault-management mep-statistics command. Output fields are listed in the approximate order in which they appear.
Table 42: show oam ethernet connectivity-fault-management mep-statistics Output Fields
Field Name
Field Description
MEP identifier
Maintenance association end point (MEP) identifier.
CCMs sent
Number of CCMs transmitted.
CCMs received out of sequence
Number of CCMs received out of sequence.
LBMs sent
Number of loopback messages (LBMs) sent.
Valid in-order LBRs received
Number of loopback response messages (LBRs) received that were valid messages
and in sequence.
Valid out-of-order LBRs received
Number of LBRs received that were valid messages and not in sequence.
LBRs received with corrupted data
Number of LBRs received that were corrupted.
LBRs sent
Number of LBRs transmitted.
LTMs sent
Linktrace messages (LTMs) transmitted.
LTMs received
Linktrace messages received.
LTRs sent
Linktrace responses (LTRs) transmitted.
LTRs received
Linktrace responses received.
Sequence number of next LTM request
Sequence number of the next linktrace message request to be transmitted.
1DMs sent
If the MEP is an initiator in a one-way ETH-DM session, then this is the number of
one-way delay measurement (1DM) PDU frames sent to the peer MEP in this session.
For all other cases, this field displays 0.
Valid 1DMs received
If the MEP is a receiver for a one-way ETH-DM session, then this is the number of valid
1DM frames received.
For all other cases, this field displays 0.
Invalid 1DMs received
If the MEP is a receiver for a one-way ETH-DM session, then this is the number of invalid
1DM frames received.
For all other cases, this field displays 0.
DMMs sent
If the MEP is an initiator for a two-way ETH-DM session, then this is the number of
Delay Measurement Message (DMM) PDU frames sent to the peer MEP in this session.
For all other cases, this field displays 0.
DMRs sent
If the MEP is a responder for a ETH-DM session, then this is the number of Delay
Measurement Reply (DMR) frames sent. For all other cases, this field displays 0.
Valid DMRs received
If the MEP is an initiator for a two-way ETH-DM session, then this is the number of
valid DMRs received.
For all other cases, this field displays 0.
Invalid DMRs received
If the MEP is an initiator for a two-way ETH-DM session, then this is the number of
invalid DMRs received.
For all other cases, this field displays 0.
Sample Output
show oam ethernet connectivity-fault-management mep-statistics
user@host> show oam ethernet connectivity-fault-management mep-statistics maintenance-domain private maintenance-association private-ma remote-mep 100
MEP identifier: 101, MAC address: 80:71:1f:ad:53:81
  CCMs sent                             : 83
  CCMs received out of sequence         : 0
  LBMs sent                             : 0
  Valid in-order LBRs received          : 0
  Valid out-of-order LBRs received      : 0
  LBRs received with corrupted data     : 0
  LBRs sent                             : 0
  LTMs sent                             : 0
  LTMs received                         : 0
  LTRs sent                             : 0
  LTRs received                         : 0
  Sequence number of next LTM request   : 0
  1DMs sent                             : 0
  Valid 1DMs received                   : 0
  Invalid 1DMs received                 : 0
  DMMs sent                             : 0
  DMRs sent                             : 0
  Valid DMRs received                   : 0
  Invalid DMRs received                 : 0
show oam ethernet connectivity-fault-management mip
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
Syntax
show oam ethernet connectivity-fault-management mip
  interface-name
  vlan
Release Information
Statement introduced in Junos OS Release 12.1X44-D10.
Description
Display MIP information.
Options
interface-name —Displays information of the specified logical interface.
vlan—Displays information about the specified VLAN (1 through 4094).
Required Privilege Level
view
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
List of Sample Output
show oam ethernet connectivity-fault-management mip on page 307
Output Fields
Table 43 on page 307 lists the output fields for the show oam ethernet connectivity-fault-management mip command. Output fields are listed in the approximate order in which they appear.
Table 43: show oam ethernet connectivity-fault-management mip Output Fields
Field Name
Field Description
Default Maintenance-domain
The default maintenance domain name.
Interface
Interface identifier.
Level
Maintenance domain level configured.
Sample Output
show oam ethernet connectivity-fault-management mip
user@host> show oam ethernet connectivity-fault-management mip vlan 100
default maintenance-domain mhf : default
Interface      Level
ge-0/0/1.0     5
fe-0/0/4.0     5
show oam ethernet connectivity-fault-management path-database
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
Syntax
show oam ethernet connectivity-fault-management path-database
  <host>
  maintenance-association
  maintenance-domain
Release Information
Statement introduced in Junos OS Release 12.1X44-D10.
Description
Display the linktrace path-database for a remote host.
Options
<host>—MAC address of the remote host in xx:xx:xx:xx:xx:xx format.
maintenance-association —Name of the maintenance association.
maintenance-domain —Name of the maintenance domain.
Required Privilege Level
view
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
List of Sample Output
show oam ethernet connectivity-fault-management path-database on page 309
Output Fields
Table 44 on page 308 lists the output fields for the show oam ethernet connectivity-fault-management path-database command. Output fields are listed in the approximate order in which they appear.
Table 44: show oam ethernet connectivity-fault-management path-database Output Fields
Field Name
Field Description
Interface
Interface Identifier.
Maintenance Domain
Maintenance domain name.
Maintenance Association
Maintenance association name.
Level
Maintenance domain level configured for the maintenance domain.
Hop
Sequential hop count of the linktrace path.
TTL
Number of hops remaining in the linktrace message (LTM). The time to live (TTL) is
decremented at each hop.
Source MAC Address
MAC address of the 802.1ag maintenance association intermediate point (MIP) that is
forwarding the LTM.
Next-hop MAC Address
MAC address of the 802.1ag node that is the next hop in the LTM path.
Transaction Identifier
Identifier maintained by the MEP. Each LTM uses a transaction identifier. The transaction
identifier is maintained globally across all maintenance domains. Use the transaction
identifier to match an incoming linktrace response (LTR) with a previously sent LTM.
Sample Output
show oam ethernet connectivity-fault-management path-database
user@host> show oam ethernet connectivity-fault-management path-database
Interface : fe-0/0/4
Maintenance Domain: private, Level: 5
Maintenance Association: private-ma, Local Mep: 100
  Hop  TTL  Source MAC address   Next-hop MAC address
Transaction Identifier:0
  1    63   80:71:1f:ad:50:04    80:71:1f:ad:50:01
  2    62   80:71:1f:ad:53:81    00:00:00:00:00:00
Transaction Identifier:1
  1    63   80:71:1f:ad:50:04    80:71:1f:ad:50:01
  2    62   80:71:1f:ad:53:81    00:00:00:00:00:00
Transaction Identifier:2
  1    63   80:71:1f:ad:50:04    80:71:1f:ad:50:01
  2    62   80:71:1f:ad:53:81    00:00:00:00:00:00
Transaction Identifier:3
  1    63   80:71:1f:ad:50:04    80:71:1f:ad:50:01
  2    62   80:71:1f:ad:53:81    00:00:00:00:00:00
show oam ethernet connectivity-fault-management routes
Supported Platforms
SRX210, SRX220, SRX240, SRX550, SRX650
Syntax
show oam ethernet connectivity-fault-management routes
Release Information
Statement introduced in Junos OS Release 12.1X44-D10.
Description
Display connectivity-fault-management bridge routes.
Required Privilege Level
view
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
List of Sample Output
show oam ethernet connectivity-fault-management routes on page 310
Output Fields
Table 45 on page 310 lists the output fields for the show oam ethernet connectivity-fault-management routes command. Output fields are listed in the approximate order in which they appear.
Table 45: show oam ethernet connectivity-fault-management routes Output Fields
Field Name
Field Description
VLAN
The configured VLAN interface.
MAC
MAC address configured for the route.
Next-hop index
Software index of the next hop that is used to route the traffic for a given prefix.
Action
The next-hop action: Flood, Discard, or Receive. The CFM group addresses 01:80:c2:00:00:30 through 01:80:c2:00:00:3f are assigned by IEEE 802.1ag, one CCM address per maintenance domain level starting at :30 and one LTM address per level starting at :38. Receive marks the level at which a local MEP terminates CFM frames, Discard the lower levels it blocks, and Flood the higher levels it passes through transparently.
Sample Output
show oam ethernet connectivity-fault-management routes
user@host> show oam ethernet connectivity-fault-management routes
VLAN    MAC                 Next-hop index  Action
vlan1   00:00:00:00:00:00   563             Flood
vlan1   01:80:c2:00:00:30                   Discard
vlan1   01:80:c2:00:00:31                   Discard
vlan1   01:80:c2:00:00:32                   Discard
vlan1   01:80:c2:00:00:33                   Discard
vlan1   01:80:c2:00:00:34                   Discard
vlan1   01:80:c2:00:00:35                   Receive
vlan1   01:80:c2:00:00:36   563             Flood
vlan1   01:80:c2:00:00:37   563             Flood
vlan1   01:80:c2:00:00:38                   Discard
vlan1   01:80:c2:00:00:39                   Discard
vlan1   01:80:c2:00:00:3a                   Discard
vlan1   01:80:c2:00:00:3b                   Discard
vlan1   01:80:c2:00:00:3c                   Discard
vlan1   01:80:c2:00:00:3d                   Receive
vlan1   01:80:c2:00:00:3e   563             Flood
vlan1   01:80:c2:00:00:3f   563             Flood
vlan2   00:00:00:00:00:00   563             Flood
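The group addresses in this table are fixed by IEEE 802.1ag: 01:80:c2:00:00:30 through :37 carry CCMs for maintenance domain levels 0 through 7, and :38 through :3f carry LTMs for the same levels. That makes the route table a quick check on what the bridge does with another domain's CFM frames. In the output above the level-5 addresses (:35 and :3d) are received by the local MEP, every lower level is discarded, and the higher levels are flooded through; a lower-level address marked Flood would mean customer-level CFM leaking across the boundary. The Python below is an added example written for this page, not Juniper code. It parses output in the layout of the sample above (its sample text is constructed), decodes each address into its PDU type and level, and flags any VLAN whose Receive, Discard and Flood entries do not fit that shape. The expected shape is the editor's reading of the sample, stated in the comments, and the function names are the editor's.

```python
"""Decode and audit 'show oam ethernet connectivity-fault-management routes' output."""
import re

# Constructed sample in the layout of the reference output above (not captured from a device).
SAMPLE = """\
VLAN    MAC                 Next-hop index  Action
vlan1   00:00:00:00:00:00   563             Flood
vlan1   01:80:c2:00:00:30                   Discard
vlan1   01:80:c2:00:00:31                   Discard
vlan1   01:80:c2:00:00:32                   Discard
vlan1   01:80:c2:00:00:33                   Discard
vlan1   01:80:c2:00:00:34                   Discard
vlan1   01:80:c2:00:00:35                   Receive
vlan1   01:80:c2:00:00:36   563             Flood
vlan1   01:80:c2:00:00:37   563             Flood
vlan1   01:80:c2:00:00:38                   Discard
vlan1   01:80:c2:00:00:39                   Discard
vlan1   01:80:c2:00:00:3a                   Discard
vlan1   01:80:c2:00:00:3b                   Discard
vlan1   01:80:c2:00:00:3c                   Discard
vlan1   01:80:c2:00:00:3d                   Receive
vlan1   01:80:c2:00:00:3e   563             Flood
vlan1   01:80:c2:00:00:3f   563             Flood
vlan2   00:00:00:00:00:00   563             Flood
"""

# vlan, MAC, optional next-hop index, action. The header line has no MAC and is skipped.
ROW = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(?:(\d+)\s+)?(Flood|Discard|Receive)\s*$", re.I)

def cfm_group_address(mac):
    """Map an 802.1ag group MAC to ('CCM'|'LTM', md_level); None for any other address.
    CCM group addresses are 01:80:c2:00:00:30 + level, LTM group addresses 01:80:c2:00:00:38 + level."""
    mac = mac.lower()
    if not mac.startswith("01:80:c2:00:00:"):
        return None
    last = int(mac[-2:], 16)
    if 0x30 <= last <= 0x37:
        return ("CCM", last - 0x30)
    if 0x38 <= last <= 0x3F:
        return ("LTM", last - 0x38)
    return None

def parse_routes(text):
    """Return a list of (vlan, mac, next_hop_index_or_None, action) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            vlan, mac, idx, action = m.groups()
            rows.append((vlan, mac.lower(), int(idx) if idx else None, action.capitalize()))
    return rows

def level_map(rows):
    """Per VLAN: {'CCM': {level: action}, 'LTM': {level: action}} for the CFM group addresses only."""
    out = {}
    for vlan, mac, _idx, action in rows:
        tag = cfm_group_address(mac)
        if tag:
            kind, level = tag
            out.setdefault(vlan, {"CCM": {}, "LTM": {}})[kind][level] = action
    return out

def audit(rows):
    """Check each VLAN's CFM entries against the shape of the reference output (editor's
    assumption): exactly one Receive level per PDU type, the same for CCM and LTM, with
    Discard at every lower level and Flood at every higher level. Returns {vlan: [problems]}."""
    problems = {}
    for vlan, tables in level_map(rows).items():
        issues = []
        recv = {kind: [lvl for lvl, act in t.items() if act == "Receive"]
                for kind, t in tables.items()}
        if any(len(v) != 1 for v in recv.values()) or recv["CCM"] != recv["LTM"]:
            issues.append(f"receive levels inconsistent: {recv}")
        else:
            local = recv["CCM"][0]
            for kind, t in tables.items():
                for lvl, act in sorted(t.items()):
                    want = "Receive" if lvl == local else ("Discard" if lvl < local else "Flood")
                    if act != want:
                        issues.append(f"{kind} level {lvl}: {act}, expected {want}")
        if issues:
            problems[vlan] = issues
    return problems

if __name__ == "__main__":
    for vlan, issues in audit(parse_routes(SAMPLE)).items():
        print(vlan, *issues, sep="\n  ")
```

A VLAN that carries no CFM group addresses at all (vlan2 in the sample) is not reported; audit only judges VLANs on which a MEP or MIP has installed entries.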
show oam ethernet link-fault-management
Supported Platforms
LN Series, SRX100, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax
show oam ethernet link-fault-management
  <brief | detail>
  <interface-name>
Release Information
Statement for branch SRX Series devices introduced in Junos OS Release 9.5.
Description
Display Operation, Administration, and Maintenance (OAM) link fault management (LFM) information for Ethernet interfaces.
Options
brief | detail—(Optional) Display the specified level of output.
interface-name —(Optional) Display link fault management information for the specified Ethernet interface only.
Required Privilege Level
view
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Understanding Ethernet OAM Link Fault Management for SRX Series Services Gateways on page 190
• Example: Configuring Ethernet OAM Link Fault Management on page 226
List of Sample Output
show oam ethernet link-fault-management brief on page 316
show oam ethernet link-fault-management detail on page 316
Output Fields
Table 46 on page 312 lists the output fields for the show oam ethernet link-fault-management command. Output fields are listed in the approximate order in which they appear.
Table 46: show oam ethernet link-fault-management Output Fields
Field Name
Field Description
Level of Output
Status
Status of the established link.
• Fail—A link fault condition exists.
• Running—A link fault condition does not exist.
All levels
Discovery state
State of the discovery mechanism:
• Passive Wait
• Send Any
• Send Local Remote
• Send Local Remote Ok
All levels
Peer address
Address of the OAM peer.
All levels
Flags
Information about the interface.
• Remote-Stable—Indicates remote OAM client acknowledgment of, and satisfaction with, local OAM state information. False indicates that the remote DTE has either not seen or is unsatisfied with local state information. True indicates that the remote DTE has seen and is satisfied with local state information.
• Local-Stable—Indicates local OAM client acknowledgment of, and satisfaction with, remote OAM state information. False indicates that the local DTE has either not seen or is unsatisfied with remote state information. True indicates that the local DTE has seen and is satisfied with remote state information.
• Remote-State-Valid—Indicates that the OAM client has received remote state information found within the local information TLVs (type, length, values) of received Information OAM PDUs. False indicates that the OAM client has not seen remote state information. True indicates that the OAM client has seen remote state information.
All levels
Remote loopback status
An OAM entity can put its remote peer into loopback mode using the Loopback control OAM PDU. In loopback mode, every frame received is transmitted back on the same port (except for OAM PDUs, which are needed to maintain the OAM session). Because a looped-back port reflects all non-OAM frames, remote loopback stops user traffic on the link; it is a diagnostic state and should be cleared as soon as the test is complete.
All levels
Remote entity information
Remote entity information.
• Remote MUX action—Indicates the state of the multiplexer functions of the OAM sublayer. The device is forwarding non-OAM PDUs to the lower sublayer or discarding non-OAM PDUs.
• Remote parser action—Indicates the state of the parser function of the OAM sublayer. The device is forwarding non-OAM PDUs to the higher sublayer, looping back non-OAM PDUs to the lower sublayer, or discarding non-OAM PDUs.
• Discovery mode—Indicates whether discovery mode is active or inactive.
• Unidirectional mode—Indicates the ability to operate a link in unidirectional mode for diagnostic purposes.
• Remote loopback mode—Indicates whether remote loopback is supported or not supported, that is, whether the peer will enter loopback when asked to by its OAM neighbor.
• Link events—Indicates whether interpreting link events is supported or not supported on the remote peer.
• Variable requests—Indicates whether variable requests are supported or not supported. The Variable Request OAM PDU is used to request one or more MIB variables from the remote peer.
All levels
OAM Receive Statistics
Information
Number of information PDUs received.
detail
Event
Number of event notification PDUs received.
detail
Variable request
Number of variable request PDUs received.
detail
Variable response
Number of variable response PDUs received.
detail
Loopback control
Number of loopback control PDUs received.
detail
Organization specific
Number of vendor organization specific PDUs received.
detail
OAM Transmit Statistics
Information
Number of information PDUs transmitted.
detail
Event
Number of event notification PDUs transmitted.
detail
Variable request
Number of variable request PDUs transmitted.
detail
Variable response
Number of variable response PDUs transmitted.
detail
Loopback control
Number of loopback control PDUs transmitted.
detail
Organization
specific
Number of vendor organization specific PDUs transmitted.
detail
OAM Received Symbol Error Event information
Events
Number of symbol error event TLVs that have been received after the OAM
sublayer was reset.
detail
Window
Symbol error event window in the received PDU. The protocol default value is the number of symbols that can be received in one second on the underlying physical layer.
detail
Threshold
Number of errored symbols in the period required for the event to be generated.
detail
Errors in period
Number of symbol errors in the period reported in the received event PDU.
detail
Total errors
Number of errored symbols that have been reported in received event TLVs after the OAM sublayer was reset. Symbol errors are coding symbol errors.
detail
OAM Received Frame Error Event Information
Events
Number of errored frame event TLVs that have been received after the OAM
sublayer was reset.
detail
Window
Duration of the window in terms of the number of 100 ms period intervals.
detail
Threshold
Number of detected errored frames required for the event to be generated.
detail
Errors in period
Number of detected errored frames in the period.
detail
Total errors
Number of errored frames that have been reported in received event TLVs after the OAM sublayer was reset. A frame error is any frame error on the underlying physical layer.
detail
OAM Received Frame Period Error Event Information
Events
Number of frame seconds errors event TLVs that have been received after the
OAM sublayer was reset.
detail
Window
Duration of the frame seconds window.
detail
Threshold
Number of frame seconds errors in the period required for the event to be generated.
detail
Errors in period
Number of frame seconds errors in the period.
detail
Total errors
Number of frame seconds errors that have been reported in received event TLVs
after the OAM sublayer was reset.
detail
OAM Transmitted Symbol Error Event Information
Events
Number of symbol error event TLVs that have been transmitted after the OAM
sublayer was reset.
detail
Window
The symbol error event window in the transmitted PDU.
detail
Threshold
Number of errored symbols in the period required for the event to be generated.
detail
Errors in period
Number of symbol errors in the period reported in the transmitted event PDU.
detail
Total errors
Number of errored symbols reported in event TLVs that have been transmitted
after the OAM sublayer was reset.
detail
OAM Transmitted Frame Error Event Information
Events
Number of errored frame event TLVs that have been transmitted after the OAM
sublayer was reset.
detail
Window
Duration of the window in terms of the number of 100-ms period intervals.
detail
Threshold
Number of detected errored frames required for the event to be generated.
detail
Errors in period
Number of detected errored frames in the period.
detail
Total errors
Number of errored frames that have been detected after the OAM sublayer was
reset.
detail
Sample Output
show oam ethernet link-fault-management brief
user@host> show oam ethernet link-fault-management brief
Interface: ge-0/0/1
Status: Running, Discovery state: Send Any
Peer address: 00:90:69:72:2c:83
Flags:Remote-Stable Remote-State-Valid Local-Stable 0x50
Remote loopback status: Disabled on local port, Enabled on peer port
Remote entity information:
Remote MUX action: discarding, Remote parser action: loopback
Discovery mode: active, Unidirectional mode: unsupported
Remote loopback mode: supported, Link events: supported
Variable requests: unsupported
show oam ethernet link-fault-management detail
user@host> show oam ethernet link-fault-management detail
Interface: ge-0/0/1
Status: Running, Discovery state: Send Any
Peer address: 00:90:69:0a:07:14
Flags:Remote-Stable Remote-State-Valid Local-Stable 0x50
OAM receive statistics:
Information: 186365, Event: 0, Variable request: 0, Variable response: 0
Loopback control: 0, Organization specific: 0
OAM transmit statistics:
Information: 186347, Event: 0, Variable request: 0, Variable response: 0
Loopback control: 0, Organization specific: 0
OAM received symbol error event information:
Events: 0, Window: 0, Threshold: 0
Errors in period: 0, Total errors: 0
OAM received frame error event information:
Events: 0, Window: 0, Threshold: 0
Errors in period: 0, Total errors: 0
OAM received frame period error event information:
Events: 0, Window: 0, Threshold: 0
Errors in period: 0, Total errors: 0
OAM transmitted symbol error event information:
Events: 0, Window: 0, Threshold: 1
Errors in period: 0, Total errors: 0
OAM transmitted frame error event information:
Events: 0, Window: 0, Threshold: 1
Errors in period: 0, Total errors: 0
Remote entity information:
Remote MUX action: forwarding, Remote parser action: forwarding
Discovery mode: active, Unidirectional mode: unsupported
Remote loopback mode: supported, Link events: supported
Variable requests: unsupported
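The brief output above deserves a careful read: the peer port is in loopback (Remote loopback status reports Enabled on peer port, and Remote parser action is loopback), so every non-OAM frame sent to it comes straight back and no user traffic crosses the link. A peer that advertises Remote loopback mode: supported will also enter that state on request from its OAM neighbor, so an operator wants to know where loopback is possible, not only where it is active. The Python below is an added example, not part of the Junos documentation or software. It parses the brief output layout shown above (its sample text is constructed and adds a second, failed interface for contrast) and reports, per interface, the conditions an operator would act on. The function names and the choice of conditions are the editor's.

```python
"""Parse 'show oam ethernet link-fault-management brief' output and flag loopback and session problems."""

# Constructed sample in the layout of the brief output above (not captured from a device).
SAMPLE = """\
Interface: ge-0/0/1
  Status: Running, Discovery state: Send Any
  Peer address: 00:90:69:72:2c:83
  Flags:Remote-Stable Remote-State-Valid Local-Stable 0x50
  Remote loopback status: Disabled on local port, Enabled on peer port
  Remote entity information:
    Remote MUX action: discarding, Remote parser action: loopback
    Discovery mode: active, Unidirectional mode: unsupported
    Remote loopback mode: supported, Link events: supported
    Variable requests: unsupported
Interface: ge-0/0/2
  Status: Fail, Discovery state: Passive Wait
  Peer address: 00:00:00:00:00:00
  Flags:0x0
  Remote loopback status: Disabled on local port, Disabled on peer port
  Remote entity information:
    Remote MUX action: forwarding, Remote parser action: forwarding
    Discovery mode: passive, Unidirectional mode: unsupported
    Remote loopback mode: unsupported, Link events: supported
    Variable requests: unsupported
"""

def parse_lfm(text):
    """Return {interface: {field: value}} with every comma-separated 'Key: value' pair
    flattened into one dict per interface. Flags becomes a list of flag names."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = ifaces[line.split(":", 1)[1].strip()] = {}
            continue
        if cur is None or line.endswith(":"):      # group heading such as 'Remote entity information:'
            continue
        if line.startswith("Flags:"):
            cur["Flags"] = line[len("Flags:"):].split()
            continue
        if line.startswith("Remote loopback status:"):
            # Two halves: the local port's state and the peer port's state.
            local, peer = line.split(":", 1)[1].split(",")
            cur["Loopback local"] = local.strip()
            cur["Loopback peer"] = peer.strip()
            continue
        for part in line.split(","):
            if ":" in part:                        # MAC addresses contain colons, so split once
                key, value = part.split(":", 1)
                cur[key.strip()] = value.strip()
    return ifaces

def audit_lfm(ifaces):
    """Per interface, list the conditions an operator should look at:
    the link is not Running, the OAM session is not stable on both sides,
    the peer is reflecting our frames (in loopback), or the peer would
    enter loopback on request. Returns {interface: [conditions]}."""
    findings = {}
    for name, f in ifaces.items():
        issues = []
        if f.get("Status") != "Running":
            issues.append(f"status {f.get('Status')}")
        flags = f.get("Flags", [])
        if "Remote-Stable" not in flags or "Local-Stable" not in flags:
            issues.append("OAM session not stable on both sides")
        if f.get("Loopback peer", "").startswith("Enabled") or f.get("Remote parser action") == "loopback":
            issues.append("peer is in remote loopback")
        if f.get("Remote loopback mode") == "supported":
            issues.append("peer accepts remote-loopback commands")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for iface, issues in audit_lfm(parse_lfm(SAMPLE)).items():
        print(iface, *issues, sep="\n  ")
```

Whether "peer accepts remote-loopback commands" is a finding or the intended state depends on who owns the far end of the link; on a link to another organisation's equipment it is worth knowing that the neighbor can be looped at will by anyone who can send it OAM PDUs.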
show security flow statistics
Supported Platforms
J Series, LN Series, SRX Series
Syntax
show security flow statistics
Release Information
Command introduced in Release 10.2 of Junos OS.
Description
Display flow-related system statistics.
Required Privilege Level
view
Related Documentation
• Flow-Based Processing Feature Guide for Security Devices
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
List of Sample Output
show security flow statistics on page 317
Output Fields
Table 47 on page 317 lists the output fields for the show security flow statistics command. Output fields are listed in the approximate order in which they appear.
Table 47: show security flow statistics Output Fields
Field Name
Field Description
Current sessions
Number of current sessions.
Packets forwarded
Number of packets forwarded.
Packets dropped
Number of Packets dropped.
Fragment packets
Number of fragment packets.
Sample Output
show security flow statistics
root> show security flow statistics
Flow Statistics of FPC4 PIC1:
Current sessions: 63
Packets forwarded: 3001
Packets dropped: 1281
Fragment packets: 0
Flow Statistics of FPC5 PIC0:
Current sessions: 22
Packets forwarded: 859
Packets dropped: 0
Fragment packets: 0
Flow Statistics of FPC5 PIC1:
Current sessions: 22
Packets forwarded: 858
Packets dropped: 0
Fragment packets: 0
Flow Statistics Summary:
System total valid sessions: 107
Packets forwarded: 4718
Packets dropped: 1281
Fragment packets: 0
show security flow status
Supported Platforms
J Series, LN Series, SRX Series
Syntax
show security flow status
Release Information
Command introduced in Junos OS Release 10.2; session distribution mode option added in Junos OS Release 12.1X44-D10; enhanced route scaling mode option added in Junos OS Release 12.1X45-D10.
Description
Display the flow processing modes and logging status.
Required Privilege Level
view
Related Documentation
• Flow-Based Processing Feature Guide for Security Devices
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• MPLS Feature Guide for Security Devices
List of Sample Output
show security flow status on page 320
show security flow status (IPsec Performance Acceleration) on page 320
Output Fields
Table 48 on page 319 lists the output fields for the show security flow status command. Output fields are listed in the approximate order in which they appear.
Table 48: show security flow status Output Fields
Field Name
Field Description
Flow forwarding mode
Flow processing mode:
• Inet forwarding mode
• Inet6 forwarding mode
• MPLS forwarding mode
• ISO forwarding mode
• Session distribution mode
• Enhanced route scaling mode
Flow trace status
Flow logging status:
• Flow tracing status
• Flow tracing options
Flow session distribution
SPU load distribution mode:
• RR-based
• Hash-based
Flow packet ordering
Packet-ordering mode:
• Hardware
• Software
Flow ipsec performance acceleration
IPsec VPN performance acceleration status.
Sample Output
show security flow status
root> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based
MPLS forwarding mode: drop
ISO forwarding mode: drop
+Enhanced route scaling mode: Enabled (reboot needed to disable)
Flow trace status
Flow tracing status: on
Flow tracing options: all
Flow session distribution
Distribution mode: Hash-based
Flow packet ordering
Ordering mode: Software (reboot needed to change to software)
show security flow status (IPsec Performance Acceleration)
root> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
Flow packet ordering
Ordering mode: Software (reboot needed to change to software)
Flow ipsec performance acceleration: on
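This output is most useful as a baseline check. A gateway that is meant to do stateful inspection should report flow based for the address families it carries, and Flow tracing status should be off outside a troubleshooting window, because flow tracing logs per-packet detail and is not intended to stay enabled; the first sample above, with tracing on and options all, is what a forgotten debugging session looks like. The Python below is an added example written for this page, not Juniper code. It parses output in the layout of the first sample (its sample text is constructed, with tracing left on) and reports every field that deviates from an assumed baseline. The baseline values and the function names are the editor's choices.

```python
"""Compare 'show security flow status' output against an expected baseline."""
import re

# Constructed sample in the layout of the first reference output above (not captured from a device).
SAMPLE = """\
Flow forwarding mode:
  Inet forwarding mode: flow based
  Inet6 forwarding mode: flow based
  MPLS forwarding mode: drop
  ISO forwarding mode: drop
  Enhanced route scaling mode: Enabled (reboot needed to disable)
Flow trace status
  Flow tracing status: on
  Flow tracing options: all
Flow session distribution
  Distribution mode: Hash-based
Flow packet ordering
  Ordering mode: Software (reboot needed to change to software)
"""

def parse_flow_status(text):
    """Return {field: value}. Only the indented 'Key: value' lines are kept (the unindented
    lines are group headings), and a trailing parenthetical note is stripped from the value."""
    out = {}
    for raw in text.splitlines():
        if not raw.startswith(" "):
            continue
        key, _, value = raw.strip().partition(":")
        out[key.strip()] = re.sub(r"\s*\(.*\)$", "", value).strip()
    return out

# Assumed baseline for a device that is meant to inspect IPv4 and IPv6 statefully
# and is not currently being debugged (editor's choice, not a Juniper default).
EXPECTED = {
    "Inet forwarding mode": "flow based",
    "Inet6 forwarding mode": "flow based",
    "Flow tracing status": "off",
}

def audit_flow_status(status, expected=EXPECTED):
    """Return a list of (field, actual, expected) for every baseline field that does not match.
    A field missing from the output is reported with actual=None."""
    return [(key, status.get(key), want) for key, want in expected.items() if status.get(key) != want]

if __name__ == "__main__":
    for key, actual, want in audit_flow_status(parse_flow_status(SAMPLE)):
        print(f"{key}: {actual!r} (expected {want!r})")
```

Run it against the second sample above (Inet6 forwarding mode: drop) and it reports that deviation instead, which is the intended behaviour if the device is supposed to carry IPv6.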
show security policies
Supported Platforms
Syntax
show security policies
  <detail>
  <none>
  policy-name policy-name
    <detail>
  <global>
Release Information
Command modified in Junos OS Release 9.2. Support for IPv6 addresses added in Junos OS Release 10.2. Support for IPv6 addresses in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations added in Junos OS Release 10.4. Support for wildcard addresses added in Junos OS Release 11.1. Support for global policy added in Junos OS Release 11.4. Support for services offloading added in Junos OS Release 11.4. Support for source-identities added in Junos OS Release 12.1. The Description output field added in Junos OS Release 12.1. Support for negated address added in Junos OS Release 12.1X45-D10.
Description
Display a summary of all security policies configured on the device. If a particular policy is specified, display information particular to that policy.
Options
• none—Display basic information about all configured policies.
• detail—(Optional) Display a detailed view of all of the policies configured on the device.
• policy-name policy-name—(Optional) Display information about the specified policy.
• global—Display information about global policies.
Required Privilege Level
view
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Infranet Authentication Feature Guide for Security Devices
• Junos OS UTM Library for Security Devices
• Security Policies Feature Guide for Security Devices
• Junos OS Logical Systems Library for Security Devices
List of Sample Output
show security policies on page 324
show security policies policy-name p1 detail on page 324
show security policies (services-offload) on page 325
show security policies detail on page 326
show security policies policy-name p1 (Negated Address) on page 326
show security policies policy-name p1 detail (Negated Address) on page 327
Output Fields
Table 49 on page 322 lists the output fields for the show security policies command. Output fields are listed in the approximate order in which they appear.
Table 49: show security policies Output Fields
Field Name
Field Description
From zone
Name of the source zone.
To zone
Name of the destination zone.
Policy
Name of the applicable policy.
Description
Description of the applicable policy.
State
Status of the policy:
•
enabled: The policy can be used in the policy lookup process, which determines access
rights for a packet and the action taken in regard to it.
•
disabled: The policy cannot be used in the policy lookup process, and therefore it is
not available for access control.
Index
An internal number associated with the policy.
Sequence number
Number of the policy within a given context. For example, three policies that are applicable
in a from-zoneA-to-zoneB context might be ordered with sequence numbers 1, 2, and 3.
Also, in a from-zoneC-to-zoneD context, four policies might have sequence numbers 1,
2, 3, and 4.
Source addresses
For standard display mode, the names of the source addresses for a policy. Address sets
are resolved to their individual names.
For detail display mode, the names and corresponding IP addresses of the source
addresses for a policy. Address sets are resolved to their individual address name-IP
address pairs.
Destination addresses
Name of the destination address (or address set) as it was entered in the destination
zone’s address book. A packet’s destination address must match this value for the policy
to apply to it.
Source addresses (excluded)
Name of the source address excluded from the policy.
Destination addresses (excluded)
Name of the destination address excluded from the policy.
Source identities
One or more user roles specified for a policy.
Table 49: show security policies Output Fields (continued)
Field Name
Field Description
Applications
Name of a preconfigured or custom application whose type the packet matches, as
specified at configuration time.
• IP protocol: The IP protocol used by the application—for example, TCP, UDP, ICMP.
• ALG: If an ALG is explicitly associated with the policy, the name of the ALG is displayed.
If application-protocol ignore is configured, ignore is displayed. Otherwise, 0 is displayed.
However, even if this command shows ALG: 0, ALGs might be triggered for packets
destined to well-known ports on which ALGs are listening, unless ALGs are explicitly
disabled or when application-protocol ignore is not configured for custom applications.
• Inactivity timeout: Elapsed time without activity after which the application is
terminated.
• Source port range: The low-high source port range for the session application.
Destination Address Translation
Status of the destination address translation traffic:
• drop translated—Drop the packets with translated destination addresses.
• drop untranslated—Drop the packets without translated destination addresses.
Application Firewall
An application firewall includes the following:
• Rule-set—Name of the rule set.
• Rule—Name of the rule.
• Dynamic applications—Name of the applications.
• Dynamic application groups—Name of the application groups.
• Action—The action taken with respect to a packet that matches the application
firewall rule set. Actions include the following:
  • permit
  • deny
• Default rule—The default rule applied when the identified application is not specified
in any rules of the rule set.
Action or Action-type
The action taken in regard to a packet that matches the policy’s tuples. Actions include
the following:
• permit
• firewall-authentication
• tunnel ipsec-vpn vpn-name
• pair-policy pair-policy-name
• source-nat pool pool-name
• pool-set pool-set-name
• interface
• destination-nat name
• deny
• reject
• services-offload
Session log
Session log entry that indicates whether the at-create and at-close flags were set at
configuration time to log session information.
Scheduler name
Name of a preconfigured scheduler whose schedule determines when the policy is active
(or inactive) to check an incoming packet to determine how to treat the packet.
Policy statistics
Policy statistics include the following:
• Input bytes—The number of bytes presented for processing by the device.
• Output bytes—The number of bytes actually processed by the device.
• Input packets—The number of packets presented for processing by the device.
• Active sessions—The number of sessions currently present because of access control
lookups that used this policy.
• Session deletions—The number of sessions deleted since system startup.
• Policy lookups—Number of times the policy was accessed to check for a match.
NOTE: Configure the policy (P1 in the sample output) with the count option to display policy statistics.
Sample Output
show security policies
user@host> show security policies
From zone: trust, To zone: untrust
Policy: p1, State: enabled, Index: 4, Sequence number: 1
Source addresses:
sa-1-ipv4: 2.2.2.0/24
sa-2-ipv6: 2001:0db8::/32
sa-3-ipv6: 2001:0db6/24
sa-4-wc: 192.168.0.11/255.255.0.255
Destination addresses:
da-1-ipv4: 2.2.2.0/24
da-2-ipv6: 2400:0af8::/32
da-3-ipv6: 2400:0d78:0/24
da-4-wc: 192.168.22.11/255.255.0.255
Source identities: role1, role2, role4
Applications: any
Action: permit, application services, log, scheduled
Application firewall : my_ruleset1
Policy: p2, State: enabled, Index: 5, Sequence number: 2
Source addresses:
sa-1-ipv4: 2.2.2.0/24
sa-2-ipv6: 2001:0db8::/32
sa-3-ipv6: 2001:0db6/24
Destination addresses:
da-1-ipv4: 2.2.2.0/24
da-2-ipv6: 2400:0af8::/32
da-3-ipv6: 2400:0d78:0/24
Source identities: role1, role4
Applications: any
Action: deny, scheduled
show security policies policy-name p1 detail
user@host> show security policies policy-name p1 detail
Policy: p1, action-type: permit, State: enabled, Index: 4
Description: The policy p1 is for the sales team
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
sa-1-ipv4: 2.2.2.0/24
sa-2-ipv6: 2001:0db8::/32
sa-3-ipv6: 2001:0db6/24
sa-4-wc: 192.168.0.11/255.255.0.255
Destination addresses:
da-1-ipv4: 2.2.2.0/24
da-2-ipv6: 2400:0af8::/32
da-3-ipv6: 2400:0d78:0/24
da-4-wc: 192.168.22.11/255.255.0.255
Source identities:
role1
role2
role4
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Destination Address Translation: drop translated
Application firewall :
Rule-set: my_ruleset1
Rule: rule1
Dynamic Applications: junos:FACEBOOK, junos:YSMG
Dynamic Application groups: junos:web, junos:chat
Action: deny
Default rule: permit
Session log: at-create, at-close
Scheduler name: sch20
Policy statistics:
  Input bytes      :    50000       100 bps
  Output bytes     :    40000       100 bps
  Input packets    :      200       200 pps
  Output packets   :      100       100 pps
  Session rate     :        2         1 sps
  Active sessions  :       11
  Session deletions:       20
  Policy lookups   :       12
show security policies (services-offload)
user@host> show security policies
Default policy: deny-all
From zone: trust, To zone: untrust
Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Source identities: role1, role2, role4
Applications: any
Action: permit, services-offload, count
From zone: untrust, To zone: trust
Policy: p2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Source identities: role1, role2, role4
Applications: any
Action: permit, services-offload
show security policies detail
user@host> show security policies detail
Default policy: deny-all
Policy: p1, action-type: permit, services-offload:enabled , State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Description: The policy p1 is for the sales team
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Source identities:
role1
role2
role4
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Policy statistics:
  Input bytes      :      500         0 bps
  Output bytes     :      408         0 bps
  Input packets    :        8         0 pps
  Output packets   :        6         0 pps
  Session rate     :        3         0 sps
  Active sessions  :        1
  Session deletions:        2
  Policy lookups   :        3
Policy: p2, action-type: permit, services-offload:enabled , State: enabled, Index: 5, Scope Policy: 0
Policy Type: Configured
Description: The policy p2 is for the sales team
Sequence number: 1
From zone: untrust, To zone: trust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Source identities:
role1
role2
role4
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
show security policies policy-name p1 (Negated Address)
user@host>show security policies policy-name p1
node0:
--------------------------------------------------------------------------
From zone: trust, To zone: untrust
Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses(excluded): as1
Destination addresses(excluded): as2
Applications: any
Action: permit
show security policies policy-name p1 detail (Negated Address)
user@host> show security policies policy-name p1 detail
node0:
--------------------------------------------------------------------------
Policy: p1, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses(excluded):
ad1(ad): 255.255.255.255/32
ad2(ad): 1.1.1.1/32
ad3(ad): 15.100.199.56 ~ 15.200.100.16
ad4(ad): 15.100.196.0/22
ad5(ad): 15.1.7.199 ~ 15.1.8.19
ad6(ad): 15.1.8.0/21
ad7(ad): 15.1.7.0/24
Destination addresses(excluded):
ad13(ad2): 20.1.7.0/24
ad12(ad2): 20.1.4.1/32
ad11(ad2): 20.1.7.199 ~ 20.1.8.19
ad10(ad2): 50.1.4.0/22
ad9(ad2): 20.1.1.11 ~ 50.1.5.199
ad8(ad2): 2.1.1.1/32
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
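The brief output described in Table 49 can be audited mechanically once parsed. The following is an added example, not Juniper code or output: a small Python parser for the brief show security policies format shown above, plus an audit pass that flags enabled permit policies matching any source, destination and application, lacking the log flag, or lacking the count option (without which, as the note above says, no policy statistics are displayed). The sample it parses is constructed to mirror the page's examples; policy p3 and the excluded address set as2 are assumed.

```python
import re

# Constructed sample in the brief output format documented above (not a device
# capture); policy p3 and the excluded address set as2 are assumed values.
SAMPLE = """\
From zone: trust, To zone: untrust
  Policy: p1, State: enabled, Index: 4, Sequence number: 1
    Source addresses:
      sa-1-ipv4: 2.2.2.0/24
      sa-2-ipv6: 2001:0db8::/32
    Destination addresses: any
    Applications: any
    Action: permit, application services, log, scheduled
  Policy: p2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses(excluded): as2
    Applications: any
    Action: permit, services-offload, count
From zone: untrust, To zone: trust
  Policy: p3, State: enabled, Index: 6, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
"""

# Table 49 labels that carry a name list, in one-line or multi-line form.
SECTIONS = {
    "Source addresses": "sources",
    "Source addresses(excluded)": "sources_excluded",
    "Destination addresses": "destinations",
    "Destination addresses(excluded)": "destinations_excluded",
    "Applications": "applications",
}
ZONE_RE = re.compile(r"From zone: (\S+), To zone: (\S+)")
POLICY_RE = re.compile(r"Policy: (\S+), State: (\w+), Index: \d+,"
                       r"(?: Scope Policy: \d+,)? Sequence number: \d+")


def parse_policies(text):
    """Parse brief `show security policies` output into one dict per policy."""
    policies, current, zones = [], None, ("", "")
    section, section_indent = None, -1
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        # Deeper-indented lines under an open list header are its members;
        # "sa-1-ipv4: 2.2.2.0/24" contributes the address name sa-1-ipv4.
        if section and indent > section_indent:
            current[section].append(line.partition(":")[0].strip())
            continue
        section = None
        if m := ZONE_RE.fullmatch(line):
            zones = (m.group(1), m.group(2))
            continue
        if m := POLICY_RE.fullmatch(line):
            current = {"from_zone": zones[0], "to_zone": zones[1], "name": m.group(1),
                       "state": m.group(2), "action": "", "flags": [],
                       **{k: [] for k in SECTIONS.values()}}
            policies.append(current)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if current is None:                   # e.g. "Default policy: deny-all"
            continue
        if key in SECTIONS:
            if value:                         # one-line form: "Source addresses: any"
                current[SECTIONS[key]] += [v.strip() for v in value.split(",")]
            else:                             # multi-line form: members follow
                section, section_indent = SECTIONS[key], indent
        elif key == "Action":                 # "Action: permit, log, count, ..."
            parts = [v.strip() for v in value.split(",")]
            current["action"], current["flags"] = parts[0], parts[1:]
    return policies


def audit(policies):
    """Return (policy name, finding) pairs for enabled permit policies."""
    findings = []
    for p in policies:
        if p["state"] != "enabled" or p["action"] != "permit":
            continue
        any_any = all(p[k] == ["any"] for k in ("sources", "destinations", "applications"))
        if any_any and not (p["sources_excluded"] or p["destinations_excluded"]):
            findings.append((p["name"], "permit with any source, destination and application"))
        if "log" not in p["flags"]:
            findings.append((p["name"], "permit without session logging"))
        if "count" not in p["flags"]:
            findings.append((p["name"], "count option not set; policy statistics unavailable"))
    return findings
```

Feed the real command output (or the detail output, whose multi-line address lists use the same indentation) to parse_policies and review what audit returns.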
show security zones
Supported Platforms
Syntax
show security zones
<detail | terse>
<zone-name>
Release Information
Command introduced in Junos OS Release 8.5. The Description output field added in
Junos OS Release 12.1.
Description
Display information about security zones.
Options
• none—Display information about all zones.
• detail | terse—(Optional) Display the specified level of output.
• zone-name—(Optional) Display information about the specified zone.
Required Privilege Level
view
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• security-zone on page 109
• Security Zones and Interfaces Feature Guide for Security Devices
• Junos OS Logical Systems Library for Security Devices
List of Sample Output
show security zones on page 329
show security zones abc on page 329
show security zones abc detail on page 329
show security zones terse on page 330
Output Fields
Table 15 on page 157 lists the output fields for the show security zones command. Output
fields are listed in the approximate order in which they appear.
Table 50: show security zones Output Fields
Field Name
Field Description
Security zone
Name of the security zone.
Description
Description of the security zone.
Policy configurable
Whether the policy can be configured or not.
Interfaces bound
Number of interfaces in the zone.
Interfaces
List of the interfaces in the zone.
Zone
Name of the zone.
Type
Type of the zone.
Sample Output
show security zones
user@host> show security zones
Functional zone: management
Description: This is the management zone.
Policy configurable: No
Interfaces bound: 1
Interfaces:
ge-0/0/0.0
Security zone: Host
Description: This is the host zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
fxp0.0
Security zone: abc
Description: This is the abc zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/1.0
Security zone: def
Description: This is the def zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/2.0
Sample Output
show security zones abc
user@host> show security zones abc
Security zone: abc
Description: This is the abc zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/1.0
Sample Output
show security zones abc detail
user@host> show security zones abc detail
Security zone: abc
Description: This is the abc zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/1.0
Sample Output
show security zones terse
user@host> show security zones terse
Zone            Type
my-internal     Security
my-external     Security
dmz             Security
PART 3
Index
•
Index on page 333
Index
Symbols
#, comments in configuration statements...................xvi
( ), in syntax descriptions....................................................xvi
802.1X
configuring......................................................................199
< >, in syntax descriptions...................................................xvi
[ ], in configuration statements.........................................xvi
{ }, in configuration statements........................................xvi
| (pipe), in syntax descriptions..........................................xvi
A
Access Configuration Statement Hierarchy................231
authentication-order statement .............................71, 244
B
braces, in configuration statements................................xvi
brackets
angle, in syntax descriptions.....................................xvi
square, in configuration statements.......................xvi
bridge domain
routing interface...........................................................108
VLAN identifier......................................................116, 273
VLAN identifier list................................................117, 274
bridge domains..........................................................................5
forwarding tables............................................................14
integrated routing and bridging interface..............10
SRX Series device support............................................4
transparent mode................................................3, 6, 36
bridge statement.....................................................................72
Bridge-Domains Configuration Statement
Hierarchy...............................................................................46
bridge-domains statement.................................................73
bridge-options statement...................................................78
bridging
transparent mode................................................3, 6, 36
C
CCM interval...........................................................................224
CFM
maintenance association.........................................222
chassis clusters
transparent mode...........................................................16
class name......................................................................90, 252
Class of Service
transparent mode...........................................................19
Class-of-Service Configuration Statement
Hierarchy.......................................................................51, 239
classifiers
transparent mode..........................................................20
clear oam ethernet connectivity-fault-management
path-database command............................................278
clear oam ethernet connectivity-fault-management
statistics command........................................................279
clear security flow ip-action command........................120
clear security flow session family ...................................122
code-points statement...............................................79, 245
comments, in configuration statements.......................xvi
configuring
IGMP snooping.............................................................208
LACP.........................................................................175, 198
Configuring CFM.....................................................................212
Connectivity Fault Management....................................189
Continuity Check Protocol........................................189
Loopback Protocol......................................................189
Continuity Check Protocol................................................224
conventions
text and syntax................................................................xv
CoS (class of service)
transparent mode...........................................................19
curly braces, in configuration statements.....................xvi
customer support..................................................................xvii
contacting JTAC.............................................................xvii
D
destination-address statement
(Security Policies)...............................................80, 246
documentation
comments on.................................................................xvii
domain-type statement.......................................................79
E
encapsulation statement.....................................................81
Ethernet OAM link fault management................190, 226
Ethernet ports switching
overview...........................................................................163
F
family inet statement...................................................82, 247
family inet6 statement.........................................................85
firewall filters
statistics
displaying......................................................157, 328
firewall user authentication
transparent mode...........................................................14
flow statement
(Security Flow).....................................................88, 250
flow-based processing
enabling.............................................................................35
font conventions......................................................................xv
forwarding tables
Layer 2 bridge domain...................................................14
forwarding-classes (Cos)..........................................90, 252
G
GVRP
configuring......................................................................210
understanding...............................................................188
H
host-inbound-traffic statement...............................91, 253
I
IGMP snooping
configuring.....................................................................208
understanding...............................................................186
working.............................................................................186
inet6 statement......................................................................95
integrated routing and bridging interface.......................10
interface (Cos)...............................................................93, 254
interface statement
bridge domain.................................................................92
Interfaces Configuration Statement Hierarchy...........55
interfaces statement...................................................94, 255
IPv6
enabling.............................................................................35
IPv6 flows
transparent mode.....................................................6, 36
L
LACP
configuring..............................................................175, 198
Layer 2 bridging
integrated routing and bridging interface..............10
IPv6 flows....................................................................6, 36
SRX3400, SRX3600, SRX5600, SRX5800
devices.............................................................................4
SRX3400, SRX3600, SRX5600, SRX5800
services gateways........................................................3
Layer 2 forwarding tables.....................................................14
Layer 2 interfaces
security zones...................................................................13
SRX3400, SRX3600, SRX5600, and SRX5800
devices.............................................................................9
Layer 2 security zones............................................................13
Layer 2 switching
supported devices.......................................................164
link fault management.............................................190, 226
configuring.....................................................................226
understanding...............................................................190
Linktrace Protocol................................................................225
M
Maintenance association...................................................189
Maintenance association end point..............................222
Maintenance association intermediate point............224
Maintenance domain..........................................................189
manuals
comments on.................................................................xvii
match statement
(Security Policies)................................................97, 257
MIP half function .................................................................224
N
native-vlan-id statement..........................................98, 258
network interfaces
verifying properties of uPIM switch ports...........194
no-unframed option .............................................................115
P
parentheses, in syntax descriptions................................xvi
ping ethernet...........................................................................221
policers, displaying.......................................................150, 321
policy statement
(Security Policies)...............................................101, 259
port statement
(RADIUS)................................................................103, 261
ports
verifying status of uPIM ports in switching
mode............................................................................194
profile statement........................................................104, 262
R
radius-server statement....................................................265
redundancy-group statement................................107, 266
rewrite rules
transparent mode...........................................................21
routing-interface statement.............................................108
S
security policies
transparent mode...........................................................12
security-zone statement.........................................109, 269
show ethernet-switching mac-learning-log
command...........................................................................293
show ethernet-switching table command................288
show igmp-snooping route command.........................123
show igmp-snooping vlans command.........................125
show interfaces command......................................127, 280
show interfaces switch-port command.......................194
show oam ethernet connectivity-fault-management
adjacencies.........................................................................218
show oam ethernet connectivity-fault-management
adjacencies command..................................................295
show oam ethernet connectivity-fault-management
forwarding-state command........................................296
show oam ethernet connectivity-fault-management
interfaces.............................................................................218
show oam ethernet connectivity-fault-management
interfaces command......................................................298
show oam ethernet connectivity-fault-management
mep-database command...........................................300
show oam ethernet connectivity-fault-management
mep-statistics command............................................304
show oam ethernet connectivity-fault-management
mip..........................................................................................219
show oam ethernet connectivity-fault-management
mip command...................................................................307
show oam ethernet connectivity-fault-management
path-database command...........................................308
show oam ethernet connectivity-fault-management
routes command..............................................................310
show oam ethernet link-fault-management
command.............................................................................312
show security flow gate family command...................135
show security flow ip-action.............................................137
show security policies command..........................150, 321
show security zones command..............................157, 328
source-address statement
(RADIUS).......................................................................268
(Security Policies)................................................112, 267
Spanning Tree Protocol
configuring......................................................................196
understanding.................................................................171
static-mac statement...........................................................113
support, technical See technical support
switching
configuring.....................................................................208
supported devices.......................................................164
switching mode
verifying............................................................................194
switching modes
understanding...............................................................168
syntax conventions.................................................................xv
system-services statement
(Interface Host-Inbound Traffic)....................114, 271
T
t3-options statement
no-unframed option.....................................................115
unframed option ...........................................................115
technical support
contacting JTAC.............................................................xvii
traceroute ethernet.............................................................220
transparent mode
BA classifier......................................................................20
blocking non-ARP traffic..............................................12
blocking non-IP traffic...................................................12
broadcast traffic..............................................................12
chassis clusters................................................................16
Class of Service...............................................................19
conditions............................................................................8
firewall user authentication........................................14
rewrite rules.......................................................................21
security policies................................................................12
VLAN retagging...............................................................10
U
unframed option ....................................................................115
uPIMs
verifying port status....................................................194
user authentication
transparent mode...........................................................14
V
verification
interface properties for uPIM switches................194
virtual switch
VLAN identifier......................................................116, 273
VLAN retagging
transparent mode..........................................................10
vlan-id statement.........................................................116, 273
vlan-id-list statement..................................................117, 274
vlan-tagging statement.............................................118, 275
VLANs
configuring......................................................................195
understanding...............................................................169