Juniper Networks Horizontal Campus Validated Design Guide Published: 2012-05-11 Copyright © 2012, Juniper Networks, Inc.


Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos OS Juniper Networks Horizontal Campus Validated Design Guide
Copyright © 2012, Juniper Networks, Inc.
All rights reserved.

Revision History
April 2012—Revision 1

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

Part 1 Overview
  Chapter 1 About This Guide
    Junos OS Documentation and Release Notes
    Objectives
    Audience
    Examples
      Using the Examples in This Guide
      Merging a Full Example
      Merging a Snippet
    Documentation Conventions
    Documentation Feedback
    Technical Support
      Requesting Technical Support
      Self-Help Online Tools and Resources
      Opening a Case with JTAC
  Chapter 2 Juniper Networks Validated Design Overview
    Understanding Validated Designs
    Design Goals
    Design Benefits
    Who Should Read This Guide
    How This Guide Is Organized
      LAN Infrastructure
      WLAN Infrastructure
      Firewall
    Horizontal Campus Topography
    Juniper Networks Validated Design
    Design Overview
    Design Components
      Wired LAN Overview
      Wireless LAN Overview
      SRX Series Services Gateway Overview
        Clustering SRX Series Services Gateways
      Virtual Chassis For Collapsed Backbone Design
      Subnets and VLANs


Part 2 Network Deployment
  Chapter 3 Wired LAN Deployment
    Configuring the Core Switch
      Procedure Overview
      Configuring Global Settings for the Core Switch
      Configuring a Virtual Chassis for the Core Switch
      Configuring Layer 2 Settings for the Core Switch
      Configuring Power over Ethernet (optional)
      Configuring Layer 3 Settings for the Core Switch
    Configuring the Access Switch
      Configuring the Access Switch in Extended Mode
        Procedure Overview
        Configuring Global Settings
        Configuring the Virtual Chassis
        Configuring Layer 2 settings
      Configuring the Access Switch in Dedicated Mode
        Procedure Overview
        Configuring Global Settings
        Configuring a Virtual Chassis
        Configuring Layer 2 settings
  Chapter 4 Wireless Deployment
    Wireless Services Deployment Overview
    Configuring the Primary WLC
    Configuring the Secondary WLC
  Chapter 5 SRX Deployment
    Prerequisites
    Configuring the SRX Series Cluster

Part 3 Appendix
  Appendix A Next Steps
    Next Steps
  Appendix B Virtual Chassis
    Virtual Chassis Advantage
    Types of Virtual Chassis
      Dedicated Mode
      Extended Mode
      Mixed Mode
    Pre-Provisioning the Virtual Chassis
    Virtual Chassis Base Configuration
    Layer 3 Configuration
  Appendix C Configuring DHCP on EX Series Ethernet Switches
    Configuring EX Series Ethernet Switches to Provide DHCP


  Appendix D Configurations Used in This Guide
    EX4200vc1 Set Commands
    EX4200vc1 Configuration Statements
    EX4200vc2 Set Commands
    EX4200vc2 Configuration Statements
    EX4200vc3 Set Commands
    EX4200vc3 Configuration Statements
    EX4542vc1 Set Commands
    EX4542vc1 Configuration Statements
    WLC-1 Configuration
    WLC-2 Configuration
    SRX650 Cluster Set Commands
    SRX650 Cluster Configuration Statements
  Appendix E Bill of Materials


List of Figures

Part 1 Overview
  Chapter 2 Juniper Networks Validated Design Overview
    Figure 1: Horizontal Network Topography for a Single Building
    Figure 2: Topography Model for the Horizontal Campus Validated Design
    Figure 3: Horizontal Campus Reference Architecture for the Validated Design
    Figure 4: Wired LAN Topology
    Figure 5: Centralized Switching for the Wireless LAN Controller
    Figure 6: Clustered Switching for the Wireless LAN Controller
    Figure 7: SRX Zone Map (logical)
    Figure 8: SRX reth Failure Scenario 1
    Figure 9: SRX reth Failure Scenario – 2
    Figure 10: Common Access Switch Configurations
    Figure 11: Virtual Chassis Advantage
    Figure 12: VLAN-to-Device Mapping

Part 2 Network Deployment
  Chapter 3 Wired LAN Deployment
    Figure 13: Core Switch
    Figure 14: Extended Mode Access Switch
    Figure 15: Dedicated Mode Access Switch
  Chapter 4 Wireless Deployment
    Figure 16: Wireless LAN Controllers
  Chapter 5 SRX Deployment
    Figure 17: The SRX Series Services Gateway Cluster
    Figure 18: SRX Series Cluster Setup
    Figure 19: Deployment Complete


List of Tables

Part 1 Overview
  Chapter 1 About This Guide
    Table 1: Notice Icons
    Table 2: Text and Syntax Conventions
  Chapter 2 Juniper Networks Validated Design Overview
    Table 3: Equipment and Hardware Used for the Small Campus Validated Design
    Table 4: VLAN-to-Device Mapping
    Table 5: Devices Mapped Across VLANS and Subnets

Part 3 Appendix
  Appendix E Bill of Materials
    Table 6: Hardware List for the Network Core
    Table 7: Hardware List for Closet 1.1
    Table 8: Hardware List for Closet 1.2
    Table 9: Hardware List for Closet 2.1
    Table 10: Hardware List for Closet 2.2


PART 1

Overview

• About This Guide

• Juniper Networks Validated Design Overview


CHAPTER 1

About This Guide

This preface provides the following guidelines for using the Juniper Networks Horizontal Campus Validated Design Guide.

• Junos OS Documentation and Release Notes

• Objectives

• Audience

• Examples

• Documentation Conventions

• Documentation Feedback

• Technical Support

Junos OS Documentation and Release Notes

For a list of related Junos OS documentation, see the Junos OS Documentation for EX Series Ethernet Switches, Junos OS Documentation for Wireless LAN Services, and Junos OS Documentation for SRX Series Services Gateways.

If the information in the latest release notes differs from the information in the documentation, follow the Junos OS Release Notes.

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks web site at http://www.juniper.net/techpubs/.

Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books.


Objectives

This guide provides a simple, step-by-step process that businesses can use to rapidly deploy a small campus solution. The deployment in this guide is based on a tested reference topology that can easily be scaled and adapted to your specific requirements.

Audience

This guide is designed for network administrators who are tasked with designing and deploying a small campus network for a small enterprise.

To use this guide, you need to have a broad understanding of networks in general, the Internet in particular, networking principles, and network configuration.

Examples

• Using the Examples in This Guide

• Merging a Full Example

• Merging a Snippet

Using the Examples in This Guide

This guide provides two types of configuration examples. In the step-by-step configuration sections of the guide, the commands that are provided can be cut and pasted onto a device as you go through the guide.

We have also provided the configurations from all the devices in Appendix D. The configuration section gives two examples for each of the EX Series and SRX Series devices.

• The configuration displayed in a hierarchical format is what you would normally see when displaying the configuration from the CLI of the device.

• The configuration expressed by set commands, like the ones used when configuring the devices line by line, is the format that can be viewed from the CLI by adding the display set modifier when issuing a show configuration command.

    user@host> show configuration | display set

Both examples are presented here so that you can pick the format that works best for you.

For the wireless LAN controllers, the configuration commands can be cut and pasted onto the device. The configuration itself is only available as a list of commands and does not have a hierarchical equivalent to the EX or SRX series.

If you want to use the examples in this manual, you can cut and paste the set commands at the configuration prompt, or you can use the load merge or the load merge relative command to add commands in their hierarchical format. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.


If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.

If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

Merging a Full Example

To merge a full example, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your EX Series or SRX Series device.

For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your EX Series or SRX Series device.

    system {
        scripts {
            commit {
                file ex-script.xsl;
            }
        }
    }
    interfaces {
        fxp0 {
            disable;
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
    }

2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:

    [edit]
    user@host# load merge /var/tmp/ex-script.conf
    load complete

Merging a Snippet

To merge a snippet, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.

For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

    commit {
        file ex-script-snippet.xsl;
    }

2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:

    [edit]
    user@host# edit system scripts
    [edit system scripts]

3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:

    [edit system scripts]
    user@host# load merge relative /var/tmp/ex-script-snippet.conf
    load complete
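The relationship between the hierarchical and set formats, and between a full example and a snippet, can be checked offline before anything is loaded onto a device. The following Python converter is an added example, not part of the Juniper guide or Junos OS: it flattens hierarchical configuration text into set commands, and its base_path argument stands in for the [edit ...] level at which load merge relative is issued. The function names and base_path are assumptions of this example; it handles plain statements, nested blocks, comments and bracketed value lists (expanded to one set command per member, an equivalent way to enter the same values), and does not handle inactive: or protect: markers.

```python
"""Flatten hierarchical Junos configuration into set commands (added example)."""
import re

# Comments are matched first so they can be dropped; then quoted strings,
# structural characters, and bare words.
_TOKEN = re.compile(r'/\*.*?\*/|#[^\n]*|"[^"]*"|[{};\[\]]|[^\s{};\[\]"]+', re.S)

# The full example and the snippet shown in this section of the guide.
FULL_EXAMPLE = """
system { scripts { commit { file ex-script.xsl; } } }
interfaces { fxp0 { disable; unit 0 { family inet { address 10.0.0.1/24; } } } }
"""
SNIPPET = "commit { file ex-script-snippet.xsl; }"


def tokenize(text):
    """Split hierarchical configuration text into tokens, minus comments."""
    return [t for t in _TOKEN.findall(text) if not t.startswith(("#", "/*"))]


def to_set_commands(text, base_path=()):
    """Return the set commands equivalent to the hierarchical text.

    base_path (an assumption of this example) is the hierarchy level the text
    is relative to: empty for a full example (load merge), or for instance
    ("system", "scripts") for a snippet merged with load merge relative
    at [edit system scripts].
    """
    tokens = tokenize(text)
    # Each stack entry: (path prefix of the open block, len(out) when opened).
    stack = [(list(base_path), 0)]
    words, out, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            stack.append((stack[-1][0] + words, len(out)))
            words = []
        elif tok == "}":
            if words or len(stack) == 1:
                raise ValueError("unbalanced '}' or statement missing ';'")
            prefix, mark = stack.pop()
            if len(out) == mark:          # empty block: emit the container itself
                out.append(" ".join(["set"] + prefix))
        elif tok == ";":
            if not words:
                raise ValueError("empty statement before ';'")
            out.append(" ".join(["set"] + stack[-1][0] + words))
            words = []
        elif tok == "[":
            end = tokens.index("]", i)    # ValueError if the list is never closed
            if tokens[end + 1:end + 2] != [";"]:
                raise ValueError("value list must be followed by ';'")
            for member in tokens[i + 1:end]:
                out.append(" ".join(["set"] + stack[-1][0] + words + [member]))
            words = []
            i = end + 1                   # now on the ';'; stepped past below
        elif tok == "]":
            raise ValueError("']' without a matching '['")
        else:
            words.append(tok)
        i += 1
    if words or len(stack) != 1:
        raise ValueError("configuration ended inside a statement or block")
    return out


if __name__ == "__main__":
    print("Full example (load merge at [edit]):")
    for line in to_set_commands(FULL_EXAMPLE):
        print("  " + line)
    print("Snippet (load merge relative at [edit system scripts]):")
    for line in to_set_commands(SNIPPET, ("system", "scripts")):
        print("  " + line)
```

Passing the snippet with an empty base_path yields `set commit file ex-script-snippet.xsl`, which shows why a snippet has to be merged at its own hierarchy level rather than at the top.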

Documentation Conventions

Table 1 defines notice icons used in this guide.

Table 1: Notice Icons

Meaning: Informational note
Description: Indicates important features or instructions.

Meaning: Caution
Description: Indicates a situation that might result in loss of data or hardware damage.

Meaning: Warning
Description: Alerts you to the risk of personal injury or death.

Meaning: Laser warning
Description: Alerts you to the risk of personal injury from a laser.

Table 2 defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:

    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:

    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies book names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS System Basics Configuration Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:

    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Enclose optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:

    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Enclose a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identify a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Examples (for both of the preceding conventions):

    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

J-Web GUI Conventions

Convention: Bold text like this
Description: Represents J-Web graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of J-Web selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.


Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can

improve the documentation. You can send your comments to

[email protected], or fill out the documentation feedback form at

https://www.juniper.net/cgi-bin/docbugreport/ . If you are using e-mail, be sure to include

the following information with your comments:

• Document or topic name

• URL or page number

• Software release version (if applicable)

Technical Support

• Requesting Technical Support on page 8

• Self-Help Online Tools and Resources on page 8

• Opening a Case with JTAC on page 9

Requesting Technical Support

Technical product support is available through the JuniperNetworksTechnicalAssistance

Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,

or are covered under warranty, and need post sales technical support, you can access

our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/ .

• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/


• Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

• Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at

http://www.juniper.net/support/requesting-support.html


CHAPTER 2

Juniper Networks Validated Design Overview

• Understanding Validated Designs

• Design Goals

• Design Benefits

• Who Should Read This Guide

• How This Guide Is Organized

• Horizontal Campus Topography

• Juniper Networks Validated Design

• Design Overview

• Design Components

Understanding Validated Designs

Juniper Networks offers validated designs for the campus and branch domain to help customers start building and configuring their own networks. A validated design represents a specific configuration of Juniper Networks hardware and software platforms that has been tested together and represents a reliable foundation on which to base a customized network for your business.

This document presents a sequential construction and configuration of a validated (tested) design, so that it can be reproduced with success. The first part of the document describes the network elements used and their operation. It also describes a scheme for a common L2/L3 set of boundaries and network interfaces to be used. The second part of the document contains specific configurations used to create this network.


Design Goals

The validated design is created with the following design objectives:

• Easy to deploy—Consistent deployment approach for all of the products included in the design. The examples must provide reference methodologies and configurations to enable rapid deployment of a resilient network infrastructure.

• Resilient—Simple and robust design, maximizing user productivity by protecting user traffic against unplanned outage.

• Flexible—Flexible design, adapted for modular expansion so that users can scale and adapt the network without requiring extensive changes or forklift upgrades.

• Solid foundation—Easy support for additional technologies (such as video, collaboration, and so on).

Design Benefits

Some of the advantages of the validated design include:

• Modular deployment. Each technology presented here can be deployed independently of the others

• Efficient and cost-effective deployment using a standardized design methodology

• Redundant infrastructure for wired, wireless, and Internet connectivity

• Can be deployed by IT professionals with a moderate amount of technical experience

• Easy to manage, with few logical devices and protocols to configure

• Standardized methodology reduces deployment time

• Reduced number of hardware and software platforms to learn, maintain, and spare

• Highly available, redundant LAN and wireless access for all applications

Who Should Read This Guide

This guide is intended primarily for network designers and administrators who:

• Have a network that supports 1000 or fewer connected employees

• Need wired and wireless access for their employees

• Need a simple, resilient network infrastructure

• Need a high-performance network that can be easily expanded and adapted to support new technologies

• Are new to Juniper Networks products

• Are system engineers who need a standardized process to design and deploy networks that comprise Juniper Networks LAN, WLAN, and security products.


How This Guide Is Organized

The Juniper Networks Horizontal Campus Validated Design Guide provides a simple, step-by-step process that businesses can use to rapidly deploy a small campus solution. This example deployment uses the most commonly used enterprise network technologies to provide a simple and scalable network architecture that includes LAN, WLAN, and Security components.

• LAN Infrastructure

• WLAN Infrastructure

• Firewall

LAN Infrastructure

The LAN section covers all of the base infrastructure requirements included in planning

and deploying VLANs, subnets, and switching and routing protocols.

The core LAN section covers:

• Configuring resilience

• Aggregating all networking components

• Configuring user services

• Deploying servers, WLAN, firewalls, and resilient connections to the access switching

layer

The access layer LAN section covers:

• Configuring trunks and VLANs

• Configuring access switch-specific settings to provide redundant core connections

• Configuring port security

• Configuring wired and wireless connectivity for desktop services and mobile devices

WLAN Infrastructure

The section on wireless LAN (WLAN) explains how to configure and deploy redundant WLAN controllers to provide resilient wireless connectivity for enterprise and guest users. Enterprise and guest users are completely isolated from one another, allowing enterprise wireless users to have full access to the network and the Internet, whereas wireless guest users can access only the Internet.

The WLAN section covers:

• Clustering of wireless LAN controllers for redundancy and resilience

• Configuring enterprise access using 802.1x

• Configuring guest access using captive portal


Firewall

The section on firewalls covers configuring clustered firewalls to provide secure, redundant access to Internet-based services. It also details how to configure security policies for Internet and guest services.

The Firewall section covers:

• Clustering of SRX Series Services Gateways for redundancy and resilience

• Configuring security zones and policies

• Configuring two Internet/WAN connections in active/passive mode

• Configuring guest security and services

Horizontal Campus Topography

Juniper Networks defines the horizontal network topography as a network in a single

building with up to three floors and low-to-medium user density. The Juniper Networks

Horizontal Campus Validated Design Guide is based on this topography model depicted

in Figure 2 on page 15. The actual validated network differs in some details from the

exact topography in order to provide a wider variety of configuration examples for those

who design and implement networks.

Figure 1: Horizontal Network Topography for a Single Building

The validated network uses the same architecture and network components as the horizontal topography reference on which it is based, and inherits all of the benefits of the design principles laid out in the horizontal topography. The benefits of the horizontal topography model include resiliency for LAN/Switching, wireless LAN and security networking components. Using a two-tiered network design, commonly called a collapsed core, reduces network complexity.

The Juniper Networks Virtual Chassis technology reduces the number of actively managed devices and removes the need for relying on legacy redundancy protocols such as spanning tree and VRRP. Virtual Chassis also provides the flexibility to incrementally grow the network on an as-needed basis without concern for compromise of performance or availability.


Figure 2: Topography Model for the Horizontal Campus Validated Design

Juniper Networks Validated Design

The Juniper Networks horizontal campus validated design is based on Juniper Networks switching, wireless LAN and security products. It presents a design with configurations to construct a campus network for 1000 or fewer users. This validated design is intended to be a starting point for configuring your own network.

The validated design focuses on a proven architecture and addresses the most common configuration requirements needed to bring up a campus network. For information on additional functionality for each of the products, please consult the appendixes found at the end of this document.

This document offers the following information about the validated design:

• Architecture overview—This section explains the overall architecture and the networking components.

• Design details—This section gives step-by-step instructions on how to implement the design and deploy the network.

• Configuration details—This section provides all of the exact configurations used. These can be cut and pasted for use in your own network.

This validated design verifies that the network components all work together as expected when configured together according to this guide. Testing was conducted on interoperability and high availability (HA) of the design. Scale testing was not emphasized, because the products’ scale characteristics are well documented and, in the case of wireless, may require a site survey to size equipment properly.

Design Overview

At the heart of the network is the switching infrastructure, as shown in Figure 3 on page 16. Juniper Networks EX Series Ethernet Switches are used here, because they provide many HA features found in chassis-based solutions such as redundant route engines, power, and blowers. In addition, up to 10 EX Series Ethernet Switches can be connected together with a high-speed 64-Gbps backplane or using 10-Gbps Ethernet ports, and be managed as a single switch. The flexibility of the EX Series provides an excellent way for users to easily expand network capacity one switch at a time, as needed. This validated network example uses only EX4500 and EX4200 switches, because they were generally available, mature products at the time these tests were done, and support the same Virtual Chassis technology.

Figure 3: Horizontal Campus Reference Architecture for the Validated Design

The horizontal campus uses a collapsed core architecture, reducing much of the management burden with fewer individual devices to manage, and most of the configuration is centralized in the core. Resiliency is not compromised by taking this approach, because the EX Series, using Virtual Chassis, provides box-level redundancy without the overhead of managing multiple devices and keeping their configurations in sync with every change made to the network.


The Juniper Networks wireless infrastructure utilizes a clustering technology that simplifies managing the entire wireless network by using a single seed cluster controller to configure and manage up to 32 wireless LAN controllers (WLC). Clustering also dynamically load balances access points (AP) across WLCs and automatically assigns primary and backup WLCs for each AP. In addition, clustering also provides subsecond failover for wireless sessions in case of WLC failure.

Juniper Networks SRX Series Services Gateways provide secure and highly available

Internet access for the validated network. The SRX Series devices are clustered and

configured as a single device, simplifying security management. The SRX Series cluster

replicates a session state so that active sessions can be preserved in case of failure.

The SRX Series and EX Series share a common Junos OS operating system. Using a

common operating system reduces the number of different interfaces that need to be

managed, and simplifies many common operational tasks.

The equipment and software listed in Table 3 on page 17 refer to what was used to verify this design and its included features. Future software releases should support all of the same functionality. Before deploying equipment and software in your specific environment, it is always recommended that you check the release notes for the specific version of software you intend to deploy.

Table 3: Equipment and Hardware Used for the Small Campus Validated Design

Hardware                    Software
EX4500-40F-FB-C             11.4r1.6
EX4200-24PX                 11.4r1.6
EX-UM-2X4SFP                n/a
SRX650-BASE-SRE6-645AP      11.4r1.6
SRX-GP-16GE                 n/a
WLC8R*                      7.6.1.3.0
WLA522                      n/a

* The WLC8R was sufficient for our validation testing, but it only supports 12 access points. When planning for your wireless equipment needs, you need to determine the maximum number of access points you require, and then size your wireless LAN controller to that number.

As a rule of thumb, one access point per 10-15 users is a good starting point for estimating your wireless needs.

For example, a small campus that has 1000 users would typically require 75–100 access points for wireless coverage, and need a pair of WLC800s or WLC880s to support that number of access points.


Design Components

The network detailed in this document is divided into three separate components or modules—LAN or switching infrastructure, wireless, and security. These sections highlight the design choices and main features implemented for each of these components. Although each section can stand on its own, the sections are presented in the logical sequence in which the network would be deployed.

• Wired LAN Overview

• Wireless LAN Overview

• SRX Series Services Gateway Overview

• Virtual Chassis For Collapsed Backbone Design

• Subnets and VLANs

Wired LAN Overview

For our example we use the validated network shown in Figure 4 on page 19. The validated network uses a two-tiered collapsed core network model. This design combines the distribution and core layers together, reducing the complexity and cost of the network. You can easily expand the network capacity by adding additional EX Series Ethernet Switches to any of the existing Virtual Chassis (up to 10 EX4200 Series switches in a single Virtual Chassis).

NOTE: The different Virtual Chassis in this network are highlighted in blue.


Figure 4: Wired LAN Topology

The core network provides high-density 10-Gigabit Ethernet and 1-Gigabit Ethernet connectivity by combining both EX4500 and EX4200 switches together in a single Virtual Chassis. This provides the core connectivity and routing for the network, and acts as the Layer 2 and Layer 3 boundary for the access switches.

The access layer uses EX4200 series switches providing power over Ethernet (PoE) and

Layer 2 connectivity back to the core, using two 10-Gigabit Ethernet ports configured for

Ethernet link aggregation (LAG). Each access switch is connected back to the core on

different line cards, providing protection in case a single device fails on either end.

The first floor of the building operates as a single Virtual Chassis. The two closets are

connected using 10-Gigabit Ethernet ports that are configured to act as Virtual Chassis

Extended ports. The second floor closets do not have available fiber to connect the

Virtual Chassis together, so each closet has its own Virtual Chassis.

Wireless LAN Overview

In the validated network design, the wireless network is configured for centralized switching, as shown in Figure 5 on page 20. In this configuration, wireless user traffic is received by access points (APs) and then sent to the wireless LAN controller (WLC). The WLC then identifies the traffic by user profile and places it into the proper VLAN. When it is on the LAN, traffic is treated according to policies or priorities configured on the LAN.


Figure 5: Centralized Switching for the Wireless LAN Controller

On the validated network, guest users are placed on the guest VLAN and can access the Internet, whereas corporate users are placed on the Wireless_Data VLAN and have access to the intranet and the Internet.

The WLCs can be configured in clusters of up to 32 WLCs. The validated design uses a two-WLC cluster, as shown in Figure 6 on page 21. The primary WLC (also known as the primary seed controller) is in charge of configuration management for all WLCs and APs and acts as a central configuration point for all wireless LAN changes. The primary WLC also configures and load-balances the APs across the WLCs to distribute the wireless traffic load. Access points form connections with two separate WLCs—one connection is active, and the other connection acts as a backup. If the connection to the active WLC is interrupted (WLC failure), the backup connection takes over immediately, preserving all existing wireless sessions so that users are not affected.


Figure 6: Clustered Switching for the Wireless LAN Controller

The configuration examples in this document use local authentication for the WLAN authorization. This is to provide a simple way to verify WLAN functionality. In a production environment, local authentication is generally used only for testing or as a last-resort authentication method. Use of a RADIUS server for authentication is highly recommended.

SRX Series Services Gateway Overview

The Juniper Networks SRX Series Services Gateway is a zone-based firewall in which

different traffic networks are classified as logical zones for easier management.

Figure 7: SRX Zone Map (logical)

Figure 7 on page 21 illustrates the logical zones that are defined for the validated design.

The smaller text inside each zone bubble is a list of the VLANs contained in each of these

zones. In the figure, to provide a clearer logical view, the Guest Zone is set apart from the

EX Series Switches because the EX Series Switches only provide Layer 2 connectivity for

these zones. The Guest VLANs use the SRX Series Services Gateway as their default

gateway to obtain IP addresses using DHCP.

The Internet Edge zone is where most of the validated network VLANs reside. Each of these VLANs uses the EX Series core switch as its gateway. The Internet_Edge VLAN listed in this zone network is where the EX Series forwards any traffic requests intended for the Internet to the SRX Series. The Management Zone is the Management VLAN and is kept separate from the other networks by specifying security policies on the SRX Series, because this is used for management of network devices.

The Untrust Zone is where the SRX Series connects to the Internet and NAT takes place.

This zone is highly restrictive about what traffic is allowed to come from the Internet.

Clustering SRX Series Services Gateways

The Juniper Networks SRX Series Services Gateways can be configured as a cluster in which they operate as a single device, and are configured from a single point. Traffic states are maintained between each pair of devices. When the SRX Series devices are clustered, you can configure special interfaces called redundant Ethernet (reth) interfaces in the configuration. A reth interface has a primary and secondary owner. Traffic is directed to the primary owner. The secondary owner takes over in case of a failure. When clustered, the SRX Series devices have a control link to maintain state, configuration, and so on. They also have a fabric link that can be used to forward traffic to each other. In the validated network, the SRX Services Gateways are configured to use the fabric link to forward traffic in case of failures. This is useful in networks similar to the validated network design, in which two service providers are used and NAT is configured, resulting in two possible source addresses for Internet-bound traffic.

Figure 8 on page 23 and Figure 9 on page 24 illustrate normal traffic flow and what traffic flow looks like in a few different failure scenarios. The SRX devices on the validated network are configured in active/passive mode, in which Service Provider 1 has a better route preference and is used for all Internet traffic unless there is an outage. We also allow traffic to be routed across the fabric link so that in case of a local interface outage Service Provider 1 is still used. This removes the need for sessions to be reset, because the source addresses do not change.


Figure 8: SRX reth Failure Scenario 1

In the examples illustrated in Figure 8 on page 23, no session is reset in the case of local

link failure since there is no change in the source address for the sessions, because they

continue to use the same service provider. In the examples illustrated in Figure 9 on

page 24, where the source address for SRX650-1 or service provider 1 is lost completely,

traffic switches to service provider 2. When this occurs, the source IP address for the

traffic changes, resulting in existing sessions being reset due to the change in source

address.


Figure 9: SRX reth Failure Scenario – 2

Virtual Chassis For Collapsed Backbone Design

The validated network design documented in this guide can support up to 1000 connected users. The same design principles can be used for larger networks, by replacing the core switch with a larger-capacity switch. This document, however, only covers the smaller network deployment in detail.

Traditional networks achieve high availability and performance by configuring redundant

devices and complex protocols in multiple tiers that each require independent

configuration, thereby greatly increasing network complexity. This design uses a two-tier

model commonly called a collapsed core, as shown in Figure 10 on page 25. A collapsed

core combines the distribution and core layers together, thereby reducing both the

complexity and cost of the network. Even though the tiers are reduced, the network

provides the redundancy benefits typically associated with multiple-tiered designs.

The key tool that enables this simple and resilient design is the implementation of Juniper Networks Virtual Chassis technology. Virtual Chassis allows multiple EX Series Ethernet Switches to operate as a single device, with a high-speed network fabric connecting them together. This provides device-level redundancy without the complexity of managing multiple devices and protocols. It also provides a simple pay-as-you-grow model of network deployment and expansion. Up to 10 EX Series Ethernet Switches can be aggregated in a single Virtual Chassis.


Figure 10: Common Access Switch Configurations

The core and distribution layer is commonly configured as the Layer 2 and Layer 3

boundary. The simplest of these designs uses access switches that are configured as

Layer 2 devices and requires very little configuration. Reusing the same VLAN and other

settings allows for simple replication across multiple switches and closets. This reuse

significantly reduces the time it takes to deploy the network, and keeps things simple at

the access layer.

The drawbacks with this design are that it often creates loops, and is very inefficient from a bandwidth perspective, because only half of the links can forward traffic. Although Spanning Tree Protocol (STP) is used to manage redundancy, it has slow convergence times, and in case of a faulty configuration, STP may take down part of the network and can be difficult to troubleshoot.

A design using VRRP or HSRP removes the loops and can help provide better link utilization. This design removes STP from the design and has improved reliability and failover, but can get complicated quickly by manually load-balancing per-VLAN or subnet traffic across the switches. This approach requires more configuration per switch for both access layer and distribution layer devices. More VLAN, interface, protocol, and switch configurations at the core and distribution layer must be manually kept in sync.

Layer 3 at the access layer eliminates loops and provides load balancing. This could, however, translate into additional license fees, and additional, redundant hardware, thereby increasing the cost of the solution. Using VRRP or HSRP is also the most configuration-intensive approach, because it increases the number of devices that must be managed at the access layer, and introduces routing protocols as another layer. This also means that each switch configuration would have many unique items, resulting in increased overall deployment complexity and management overhead.


Figure 11: Virtual Chassis Advantage

A Virtual Chassis allows multiple Juniper Networks EX Series Ethernet Switches to act as a single device. This means that box-level redundancy can be achieved without creating loops in the network, or requiring additional protocols or tedious configuration management between devices. All of the links can be fully utilized, which reduces the costs associated with bandwidth upgrades and provides improved resiliency and performance. In Figure 11 on page 26 the highlighted chassis represent Virtual Chassis (a single logical unit made up of two or more EX Series Switches). In the core/distribution picture, access switches are connected using link aggregation group (LAG) uplinks to separate switches in the core/distribution Virtual Chassis, providing device-level redundancy without the usual complexity.

By taking this even further and using a Virtual Chassis in both the core and access layer, we can further simplify the network by reducing the number of actively managed devices.

NOTE: A Virtual Chassis is unique in its ability to span distances of up to 40 km between devices. This means that multiple wiring closets in the same or even different buildings can be easily combined to reduce the total number of managed devices.

Subnets and VLANs

This section on subnetting and VLANs is intended to be used as a reference for implementing a network foundation that is easy to understand and maintain. Although based on the validated network design, this configuration can be easily adapted to any network environment. This configuration matches the VLAN ID with the third octet of the subnet used where applicable, to simplify the network and maintain consistency. We highly recommend that you consistently implement the VLAN and subnetting system throughout, because each exception increases the complexity of the network.


We also recommend leaving some room between VLANs to allow for possible future expansion, while maintaining a consistent range of VLANs for specific functions.

• VLANs 10–17 are dedicated for wired voice and data. In our validated design, we use only four VLANs for wired data and voice, leaving plenty of room for future expansion.

• VLANs 18–21 are dedicated for corporate wireless access. This design uses only VLAN 18.

• VLANs 22–29 are dedicated for network infrastructure. This example allocates only three VLANs—Management, Servers, and Internet Edge.

    • The Management VLAN is used to manage all of the network devices such as switches and routers. In the validated network, this is also where the wireless APs reside.

    • The Servers VLAN is where network servers and services are connected to the network (DHCP, file services, and so on).

    • The Internet Edge VLAN is where the EX Series Ethernet Switch connects to the SRX Series Services Gateway and further out to the Internet. This is where the majority of security policies on the SRX Series are enforced.

• VLANs 30–32 are used for guest wired and wireless access.

    • The guest VLANs connect directly to the SRX Series Services Gateway. The core EX Series switch does not have any interfaces on these VLANs—it only acts as a Layer 2 switch.

The validated network uses private addressing, which enables flexible IP address

allocation. In this design, all of the networks use a 24-bit subnet mask, but larger subnet

masks can be used if desired to further simplify configuration by reducing the number of

subnets required, and allowing more hosts to participate in each subnet.

You should also reserve some addresses on each subnet for networking devices. This is

typically the first few or last few addresses in a subnet. In this design, we reserve the first

10 IP addresses of the subnet for network devices and the last IP address (.254) for the

SRX Series interface if it resides on a subnet (See Table 4 on page 27).

Table 4: VLAN-to-Device Mapping

VLAN  Purpose/VLAN Name  Subnet
10    Data_Wired_1       10.10.10.0/24
12    Data_Wired_2       10.10.12.0/24
14    VOIP_Wired_1       10.10.14.0/24
16    VOIP_Wired_2       10.10.16.0/24
18    Data_Wireless_1    10.10.18.0/24
22    Internet_Edge      10.10.22.0/24
24    Servers            10.10.24.0/24
28    Management         10.10.28.0/24
30    Guest_Wired        10.10.30.0/24
32    Guest_Wireless     10.10.32.0/24

Figure 12: VLAN-to-Device Mapping

Table 5: Devices Mapped Across VLANs and Subnets

VLAN Name        ID  Subnet         EX4542-vc1  EX4200-vc1  EX4200-vc2  EX4200-vc3  WLC  AP  SRX
Data_Wired_1     10  10.10.10.0/24  X           X           -           -           -    -   -
Data_Wired_2     12  10.10.12.0/24  X           -           X           X           -    -   -
VOIP_Wired_1     14  10.10.14.0/24  X           X           -           -           -    -   -
VOIP_Wired_2     16  10.10.16.0/24  X           -           X           X           -    -   -
Data_Wireless_1  18  10.10.18.0/24  X           -           -           -           X    -   -
Internet_Edge    22  10.10.22.0/24  X           -           -           -           -    -   X
Servers          24  10.10.24.0/24  X           -           -           -           -    -   -
Management       28  10.10.28.0/24  X           X           X           X           X    X   X
Guest_Wired      30  10.10.30.0/24  X           X           X           X           -    -   X
Guest_Wireless   32  10.10.32.0/24  X           -           -           -           X    -   X

NOTE:

• EX4542-vc1 is .1 on all subnets except for the guest networks, on which it only acts as a Layer 2 switch and the SRX Series handles all routing functions.

• SRX Series Services Gateways use address .254 on all subnets to which they are connected.
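The addressing rules above (VLAN ID equal to the third octet, functional VLAN ranges, the first 10 addresses reserved, .1 for the core and .254 for the SRX Series) can be checked mechanically before a plan is deployed. The following Python sketch is an added example, not part of the guide; the function names and the choice to hold back the last host address on every subnet are assumptions of the example.

```python
import ipaddress

# VLAN ID ranges per function, as allocated in the guide.
FUNCTION_RANGES = {
    "wired data/voice": range(10, 18),
    "corporate wireless": range(18, 22),
    "network infrastructure": range(22, 30),
    "guest": range(30, 33),
}

# Table 4 of the guide: VLAN ID -> (VLAN name, subnet).
TABLE_4 = {
    10: ("Data_Wired_1", "10.10.10.0/24"),
    12: ("Data_Wired_2", "10.10.12.0/24"),
    14: ("VOIP_Wired_1", "10.10.14.0/24"),
    16: ("VOIP_Wired_2", "10.10.16.0/24"),
    18: ("Data_Wireless_1", "10.10.18.0/24"),
    22: ("Internet_Edge", "10.10.22.0/24"),
    24: ("Servers", "10.10.24.0/24"),
    28: ("Management", "10.10.28.0/24"),
    30: ("Guest_Wired", "10.10.30.0/24"),
    32: ("Guest_Wireless", "10.10.32.0/24"),
}

RESERVED_HOSTS = 10  # first 10 addresses are kept for network devices


def function_of(vlan_id):
    """Return the functional range a VLAN ID falls in, or None."""
    for name, ids in FUNCTION_RANGES.items():
        if vlan_id in ids:
            return name
    return None


def plan_entry(vlan_id, subnet):
    """Derive gateway, reserved block and remaining host range for one VLAN."""
    net = ipaddress.ip_network(subnet)
    function = function_of(vlan_id)
    core = net.network_address + 1        # core switch is .1
    srx = net.broadcast_address - 1       # SRX is the last host (.254 in a /24)
    return {
        "function": function,
        # Guest VLANs are routed by the SRX; everything else by the core.
        "gateway": str(srx if function == "guest" else core),
        "reserved": (str(core), str(net.network_address + RESERVED_HOSTS)),
        "srx_address": str(srx),
        # Assumption of this example: the last host address is held back on
        # every subnet, so the host range looks the same everywhere.
        "host_range": (str(net.network_address + RESERVED_HOSTS + 1),
                       str(srx - 1)),
    }


def audit_plan(table):
    """Return (entries, problems) for a {vlan_id: (name, subnet)} table."""
    entries, problems, seen = {}, [], {}
    for vlan_id, (name, subnet) in sorted(table.items()):
        net = ipaddress.ip_network(subnet)
        if net.prefixlen > 24:
            problems.append(f"{name}: {net} is too small for the reservation scheme")
            continue
        if function_of(vlan_id) is None:
            problems.append(f"{name}: VLAN {vlan_id} is outside every functional range")
        if net.network_address.packed[2] != vlan_id:
            problems.append(f"{name}: third octet of {net} does not match VLAN {vlan_id}")
        for other_name, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name} ({other})")
        seen[name] = net
        entries[vlan_id] = plan_entry(vlan_id, subnet)
    return entries, problems


if __name__ == "__main__":
    entries, problems = audit_plan(TABLE_4)
    for vlan_id, entry in entries.items():
        print(vlan_id, entry["function"], entry["gateway"], entry["host_range"])
    print("problems:", problems)
```
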

Figure 12 on page 28 maps the VLANs that are configured on each device in the network. The core switch is configured to support all VLANs. Each of the access switches is configured with the Management and Guest VLANs. In addition, Data_Wired_1 and VOIP_Wired_1 are configured on access switches supporting the first floor and Data_Wired_2 and VOIP_Wired_2 are configured on access switches supporting the second floor.

The wireless access points will be on the Management VLAN and communicate with the wireless LAN controllers on the same subnet. Wireless traffic from the APs will be placed in its proper VLAN once it has been received by the WLC. The WLCs each have trunk ports configured, and are configured on the following VLANs: Data_Wireless_1, Management, and Guest_Wireless.

The SRX Series Services Gateways are clustered, and each has a trunk port configured for the following VLANs: Internet Edge, Management, Guest_Wired, and Guest_Wireless.


PART 2

Network Deployment

• Wired LAN Deployment

• Wireless Deployment

• SRX Deployment


CHAPTER 3

Wired LAN Deployment

Each of the following network deployment sections provides detailed step-by-step processes about how to set up each of the network components—wired LANs using Juniper Networks EX Series Switches, wireless LAN, and a firewall, using Juniper Networks SRX Series Services Gateways. This is intended to act as a base configuration focusing on getting the main components up and running and functioning together.

Although each section can stand independently of the others and could be configured

in any order, they are presented here in a logical chronology where each section builds

upon the previous one. When you deploy a network from scratch, we recommend that

you follow the order outlined here.

In our examples, we refer to the network as the validated network, and as you progress

through the deployment sections, different checkpoints correspond to diagrams that

indicate the components being configured. The You are here labels point to where you

are in the configuration process.

The contents in this section are intended to provide a basic guideline for configuring EX

Series Switches that can be applied in any network. In the core switch and access switch

examples later in this document we will step through these processes for each switch

in the validated network.

This section includes the following topics:

• Configuring the Core Switch

• Configuring the Access Switch

Configuring the Core Switch

All configuration components (VLANs, IP Addresses, and so on) are from the validated network example and may need to be changed to conform to your network.

The core switch is responsible for connecting all networking components together. In the validated network, it is responsible for routing all traffic on the intranet and is the default gateway for all user networks except the Guest VLANs, which route directly to the SRX Series to maintain clear separation between the guest and user network traffic. The WLCs, SRX Series and network servers and services are also connected directly to the core.


Figure 13: Core Switch

1. Procedure Overview

2. Configuring Global Settings for the Core Switch

3. Configuring a Virtual Chassis for the Core Switch

4. Configuring Layer 2 Settings for the Core Switch

5. Configuring Power over Ethernet (optional)

6. Configuring Layer 3 Settings for the Core Switch

Procedure Overview

1. Unpack and perform the initial setup of the first switch.

2. Configure global configuration items

3. Configure the Virtual Chassis

• Identify the type of Virtual Chassis

• Pre-provision the Virtual Chassis

• Perform the Virtual Chassis type-specific configuration

• Perform the Virtual Chassis standard configuration

4. Configure Layer 2 settings

5. Configure Layer 3 settings


Configuring Global Settings for the Core Switch

To configure global settings on the core switch:

1. Unpack and boot up the core switch, and then configure global settings.

2. Connect to the Console port of the EX4200 switch (Setting: s9600, 8, 1, none).

Press Enter. The following prompt appears.

Amnesiac (ttyu0)
login:

a. Log in as root and press Enter.

Because no password is configured, you are not prompted for one.

login: root
Logging to master.
--- JUNOS 11.4R1.6 built 2011-11-15 11:14:01 UTC
root@:RE:0%

b. Type cli at the % prompt.

root@:RE:0% cli
{master:0}
root>

You should now be at the > prompt.

3. Configure the date and time in the format: YYYYMMDDhhmm.ss.

set date 201201220830.00

4. Enter configuration mode by typing configure or edit.

root> configure
Entering configuration mode
{master:0}[edit]
root#

You should now be at the # prompt and ready to start configuring the switch.

5. Configure the password.

root# set system root-authentication plain-text-password
New password:*******
Retype new password:*******
{master:0}[edit]
root#

6. Configure the time zone.

root# set system time-zone America/Los_Angeles

7. Configure the hostname.

root# set system host-name EX4542-vc1

8. Configure the management and vme interface (optional).


NOTE: This optional item is only recommended if you plan on having a separate out-of-band network just for managing devices. If you are unsure, you can always add this item later. For more information on the VME interface, see “Virtual Chassis” on page 95, or the Day One book, Configuring EX Series Ethernet Switches.

set interfaces vme unit 0 family inet address 10.94.188.101/24

9. Configure management access.

root@EX4542-vc1# set system services web-management https system-generated-certificate
set system services ssh
delete system services web-management http
delete system services telnet

10. Configure DNS.

root@EX4542-vc1# set system name-server 10.10.24.100
set system domain-name xyzcompany.com

Configuring a Virtual Chassis for the Core Switch

To configure a Virtual Chassis for the core switch:

1. Identify the Virtual Chassis type.

In the case of the validated network, the core switch is a mixed mode Virtual Chassis (both EX4500 and EX4200 switches in the same Virtual Chassis). For more information about Virtual Chassis, see “Virtual Chassis” on page 95, or the Day One book, Configuring EX Series Ethernet Switches.

2. Configure a pre-provisioned Virtual Chassis.

The recommended setup process for a Virtual Chassis is called pre-provisioned, which is the process we will use here. To pre-provision a Virtual Chassis, you need to identify the serial numbers of each device that will be part of the Virtual Chassis, the device function, and the order in which you want each switch to be placed.

Here we have configured the EX4500 switches to be in slot 0 and slot 1, and act as

the Routing Engines. The EX4200 switches are in slot 2 and slot 3, and configured as

line cards. Later when all the switches are connected and powered up, they will

automatically be assigned the proper function and slot. Make sure you pay attention

to the serial numbers and ordering of each switch when you connect them together

later.

The EX Series Switches by default automatically form a Virtual Chassis, but the ordering is nondeterministic, so the switches may not be numbered sequentially, which makes things confusing. For more information about Virtual Chassis, see “Virtual Chassis” on page 95, or the Day One book, Configuring EX Series Ethernet Switches.

root@EX4542-vc1# set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number GX0211411253
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number GX0211411250
set virtual-chassis member 2 role line-card
set virtual-chassis member 2 serial-number FP0211333181
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333260

Now commit the configuration.

root@EX4542-vc1# commit
configuration check succeeds
commit complete

3. Configure specific Virtual Chassis commands.

NOTE: Because this is a mixed mode chassis, we need to configure it to accept a mix of EX4500 and EX4200 devices in the same Virtual Chassis. Exit configuration mode by typing exit at the # prompt. The next command is an operational command.

root@EX4542-vc1> request virtual-chassis mode mixed

a. Verify that the mode is correct, by typing show virtual-chassis.

root@EX4542-vc1> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: 8c7a.9353.df56
Virtual Chassis Mode: Mixed
                                              Mstr            Mixed  Neighbor List
Member ID  Status  Serial No     Model        prio  Role      Mode   ID  Interface
0 (FPC 0)  Prsnt   GX0211411253  ex4500-40f   129   Master*   Y

Using the VCP ports at the back of the units, cable the remaining members together in a daisy-chained configuration. When all of the units are cabled properly, power them up. Remember to pay attention to the serial number of each switch when connecting them together to ensure they are in the right position.

b. After the switches finish booting up, verify that all of the members of the Virtual

Chassis are active by running the show virtual-chassis command.

Preprovisioned Virtual Chassis
Virtual Chassis ID: 8c7a.9353.df56
Virtual Chassis Mode: Mixed
                                              Mstr            Mixed  Neighbor List
Member ID  Status  Serial No     Model        prio  Role      Mode   ID  Interface
0 (FPC 0)  Prsnt   GX0211411253  ex4500-40f   129   Master*   Y      3   vcp-1
                                                                     1   vcp-0
1 (FPC 1)  Prsnt   GX0211411250  ex4500-40f   129   Backup    Y      0   vcp-1
                                                                     2   vcp-0
2 (FPC 2)  Prsnt   FP0211333181  ex4200-48px  0     Linecard  Y      1   vcp-0
                                                                     3   vcp-1
3 (FPC 3)  Prsnt   FP0211333260  ex4200-48px  0     Linecard  Y      2   vcp-0
                                                                     0   vcp-1

Enter configuration mode again.


4. Configure global Virtual Chassis commands.

root@EX4542-vc1# set system commit synchronize
set ethernet-switching-options nonstop-bridging
set chassis redundancy graceful-switchover

5. Configure default settings.

The following items should be enabled by default in the configuration. You may wish to review and verify that these settings are desired for your specific network.

root@EX4542-vc1# set protocols igmp-snooping vlan all
set protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set poe interface all
set ethernet-switching-options storm-control interface all

Configuring Layer 2 Settings for the Core Switch

To configure Layer 2 parameters and settings on the core switch:

1. Set the bridge priority on the core switch.

NOTE: We enable Spanning Tree Protocol to prevent loops from forming in the network, even though we do not use it as a topology protocol. As an extra precaution, we set the bridge priority on the core switch to 8192, so that it is the default root bridge in the event another bridging device is connected to the network for some reason.

Juniper Networks EX Series Switches run RSTP by default.

root@EX4542-vc1# set protocols rstp bridge-priority 8k

2. Configure VLANs and IP interfaces.

NOTE: We configure all of the inter-VLAN routing on the core switch, except for our guest VLANs. This makes it easier to simultaneously configure the VLANs and IP interfaces for those VLANs. When creating VLAN names, it is important to note that these names are case sensitive.

The first command creates the VLAN Data_Wired_1 with a VLAN ID of 10 and then assigns a Layer 3 interface called vlan.10 to that VLAN. The second line creates the vlan.10 interface and assigns an IP address.

root@EX4542-vc1# set vlans Data_Wired_1 vlan-id 10 l3-interface vlan.10
set interfaces vlan unit 10 family inet address 10.10.10.1/24

You may notice that the VLAN ID and the interface VLAN unit number match (both are number 10). This is not mandatory, but it is a recommended practice, because it keeps things easier to understand later, when you have many VLANs and interfaces to track.


We also used a compound command for the first line. We created the VLAN, assigned the VLAN ID, and assigned a Layer 3 interface all at the same time. This can save you some time but does not have to be done in a single statement. When you look at the configuration, you will notice that this is separated into two disparate statements.

NOTE: When you issue a large number of commands at once, we recommend that you issue a commit command to verify that the commands take effect with no configuration errors. Alternatively, you can do a commit check instead, which verifies the configuration without making it active.

The complete set of VLAN and Layer 3 interface statements for the core switch in the

validated network example follows. We have also added the guest VLANs here, but

we have not assigned any Layer 3 interfaces to these VLANs, because routing for the

VLANs will be done using the SRX Series firewall.

VLAN Configurations

root@EX4542-vc1# set vlans Data_Wired_1 vlan-id 10
set vlans Data_Wired_1 l3-interface vlan.10
set vlans Data_Wired_2 vlan-id 12
set vlans Data_Wired_2 l3-interface vlan.12
set vlans Data_Wireless_1 vlan-id 18
set vlans Data_Wireless_1 l3-interface vlan.18
set vlans Guest_Wired vlan-id 30
set vlans Guest_Wireless vlan-id 32
set vlans Internet_Edge vlan-id 22
set vlans Internet_Edge l3-interface vlan.22
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Servers vlan-id 24
set vlans Servers l3-interface vlan.24
set vlans VOIP_Wired_1 vlan-id 14
set vlans VOIP_Wired_1 l3-interface vlan.14
set vlans VOIP_Wired_2 vlan-id 16
set vlans VOIP_Wired_2 l3-interface vlan.16

Interface Configurations

root@EX4542-vc1# set interfaces vlan unit 10 family inet address 10.10.10.1/24
set interfaces vlan unit 12 family inet address 10.10.12.1/24
set interfaces vlan unit 14 family inet address 10.10.14.1/24
set interfaces vlan unit 16 family inet address 10.10.16.1/24
set interfaces vlan unit 18 family inet address 10.10.18.1/24
set interfaces vlan unit 20 family inet address 10.10.20.1/24
set interfaces vlan unit 22 family inet address 10.10.22.1/24
set interfaces vlan unit 24 family inet address 10.10.24.1/24
set interfaces vlan unit 28 family inet address 10.10.28.1/24

3. Configure LAG (aggregated Ethernet) ports.


In the validated network configuration, the only LAG ports configured will be used to

connect to access switches. This means that we need to configure three of these on

the core switch.

Junos OS requires that you configure the number of LAG interfaces you want to use before you begin configuring the interfaces. We suggest picking a number slightly larger than you might need, in case you need to add more LAG interfaces later. You can change this value in the future. We need three aggregated Ethernet ports for the validated network example, so we will configure the core chassis with four, in case we add another access switch.

root@EX4542-vc1# set chassis aggregated-devices ethernet device-count 4

To provide the highest level of resilience, you need to configure the LAG to span multiple EX Series Switches. In the validated network example, we use xe-0/0/0 through xe-0/0/2 and xe-1/0/0 through xe-1/0/2 for the LAG connections to the access switches. We need to assign the LAG ports in matching pairs (for example, xe-0/0/0 and xe-1/0/0) between the EX4500 switches so that they will be part of the same LAG interface. This provides link-level and hardware-level redundancy and provides consistency, making things easier to remember.

a. First, we need to remove any port-specific configuration on the physical ports that

we want to aggregate. Interfaces have unit 0 defined by default, but this is not

allowed on an interface that is part of an aggregated interface, because it would

conflict with unit 0 on the logical aggregated interface.

root@EX4542-vc1# delete interfaces xe-0/0/0 unit 0
delete interfaces xe-1/0/0 unit 0
delete interfaces xe-0/0/1 unit 0
delete interfaces xe-1/0/1 unit 0
delete interfaces xe-0/0/2 unit 0
delete interfaces xe-1/0/2 unit 0

b. Then we configure the interfaces to be part of the respective aggregated interfaces.

root@EX4542-vc1# set interfaces xe-0/0/0 ether-options 802.3ad ae0
set interfaces xe-1/0/0 ether-options 802.3ad ae0
set interfaces xe-0/0/1 ether-options 802.3ad ae1
set interfaces xe-1/0/1 ether-options 802.3ad ae1
set interfaces xe-0/0/2 ether-options 802.3ad ae2
set interfaces xe-1/0/2 ether-options 802.3ad ae2

c. Next we want to add LACP to each LAG interface to provide some health checking.

NOTE: You need to configure LACP on the interfaces at both ends for the LAG port to become active.

root@EX4542-vc1# set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic slow
set interfaces ae2 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp periodic slow


4. Disable RSTP on LAG connections to access switches.

Because we are not using STP, we can disable it on the LAG ports going to our access switches. This also reduces potential convergence times in case a LAG member fails, because fewer protocols need to converge.

NOTE: All access switches have RSTP enabled locally to prevent looping.

root@EX4542-vc1# set protocols rstp interface ae0.0 disable
set protocols rstp interface ae1.0 disable
set protocols rstp interface ae2.0 disable

5. Configure trunk and VLAN settings.

We need to configure the LAG ports as trunks and add the VLANs that will be supported on the individual access switches.

root@EX4542-vc1# set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae2 unit 0 family ethernet-switching port-mode trunk

Now commit the configuration.

6. Configure VLANs on the trunk ports.

You can configure port-to-VLAN mapping in two different ways:

• You can configure the VLANs directly as part of the port configuration.

• You can configure the ports included in the VLAN under the VLAN configuration.

Each of these has different advantages and disadvantages.

Generally, it makes sense to configure access ports (client-facing) under the VLAN

configuration and configure VLANs directly on the port for trunk port configuration.

You cannot configure the VLAN mapping in both places, because that might result in errors when doing a configuration commit operation.

As discussed previously, we need to configure the VLANs that the trunk port will carry directly on the interface configuration section. This makes it easier to tell what VLANs a specific trunk is part of when viewing the configuration. When you add VLANs directly to a trunk port you have the option of adding them by their VLAN ID or by the VLAN name. In this example, we will add them by VLAN name, because this makes the overall configuration more readable.

When adding several VLANs to a trunk, you can either specify them one at a time or you can specify several VLANs at the same time by enclosing them in [] brackets and separating them with spaces.

a. The VLAN configuration for ae0, which connects to EX4200-vc1. In the case of the validated network, EX4200-vc1 has four EX4200s that cover the first floor using the extended Virtual Chassis feature. This floor uses Data_Wired_1 and VOIP_Wired_1 for data and voice and is part of the Management VLAN for access points and switch management. In the case of guests requiring wired access, the Guest_Wired VLAN will also be configured on this trunk.

root@EX4542-vc1# set interfaces ae0 unit 0 family ethernet-switching vlan members [Data_Wired_1 VOIP_Wired_1 Management Guest_Wired]

b. The VLAN configuration for ae1 and ae2, which connect to EX4200-vc2 and EX4200-vc3. These two switches handle the second floor and will use the Data_Wired_2 and VOIP_Wired_2 VLANs for data and voice and be part of the Management VLAN for access points and switch management. In the case of guests requiring wired access, the Guest_Wired VLAN will also be configured on these trunks.

root@EX4542-vc1# set interfaces ae1 unit 0 family ethernet-switching vlan members [Data_Wired_2 VOIP_Wired_2 Management Guest_Wired]
set interfaces ae2 unit 0 family ethernet-switching vlan members [Data_Wired_2 VOIP_Wired_2 Management Guest_Wired]

7. Configure dual-homed or other network device connections

Configuring connections for other devices that are dual homed but do not use LAG connections, or for other network equipment, typically involves connecting to the core and requires trunk ports. In the validated network, the SRX Series and wireless LAN controllers both use clustering technologies to provide High Availability and in this case are not configured with LAG connections to the core. Each of these devices requires two identical port configurations on separate EX Series Switches to provide link-level and box-level redundancy.

8. Configure wireless LAN controllers

Connect wireless LAN controllers (WLCs) to ports ge-2/0/1 and ge-3/0/1 and add them to the following VLANs: Data_Wireless_1, Management, and Guest_Wireless.

root@EX4542-vc1# set interfaces ge-2/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members [Data_Wireless_1 Management Guest_Wireless]
set interfaces ge-3/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members [Data_Wireless_1 Management Guest_Wireless]

9. Configure SRX firewalls.

Connect the SRX firewalls to ports ge-2/0/47 and ge-3/0/47 and make them part of the following VLANs: Internet_Edge, Management, Guest_Wired and Guest_Wireless.

root@EX4542-vc1# set interfaces ge-2/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members [Internet_Edge Management Guest_Wired Guest_Wireless]
set interfaces ge-3/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members [Internet_Edge Management Guest_Wired Guest_Wireless]

Commit the configuration.

10. Configure the server port


Server ports are typically configured as access ports that have a single VLAN. In the validated network example, we have a VLAN called Servers where servers would typically reside. To configure a server port that is part of a single VLAN, it must first be configured as an access port.

a. Set port ge-2/0/5 into access mode:

root@EX4542-vc1# set interfaces ge-2/0/5 unit 0 family ethernet-switching port-mode access

b. Assign the port to a VLAN. As a general rule, we assign access ports under the VLAN configuration instead of the port configuration, but either can be used. In this case we need to assign the server port to the VLAN Servers.

root@EX4542-vc1# set vlans Servers interface ge-2/0/5.0

In some cases, it may make more sense to assign the VLAN directly in the port configuration because servers are different from a standard network host.

11. Enable BPDU-Block for server interfaces.

Because we do not expect to connect any bridges to the network, the bpdu-block command protects the network if anyone connects a bridge to the core switch, by shutting down any port on which BPDUs are received. This command maintains network stability if someone connects an unauthorized bridge to the network.

root@EX4542-vc1# set ethernet-switching-options bpdu-block interface ge-2/0/5

If interfaces become blocked, you need to clear them manually. The following commands can be used to clear a blocked port condition:

• root@EX4542-vc1> clear ethernet-switching bpdu-error

• root@EX4542-vc1> clear ethernet-switching port-error

To view the current state of interfaces run the following command:

root@EX4542-vc1> show ethernet-switching interfaces

12. Configure server port in trunk mode (optional).

Many servers reside on more than one VLAN and require a trunk port. In this case, configure the port for trunking and assign the VLANs it should belong to directly in the port configuration like we did for the LAG ports. Below is an example of an interface configured as a trunk that belongs to the VLANs Servers and Management.

root@EX4542-vc1# set interfaces <interface> unit 0 family ethernet-switching port-mode trunk
set interfaces <interface> unit 0 family ethernet-switching vlan members [Servers Management]

13. Configure secure access port features

Most ports on the core switch do not need any secure access port features enabled because these may be more work than they are worth. The reason is that statically assigned IP addresses are typically used for servers and other networking devices, and each of these would require exceptions to be manually entered in order to work if these features are enabled. There are some VLANs on the core switch, however, on which we recommend enabling these features: the Data_Wireless_1, Guest_Wireless and Guest_Wired are all client-facing VLANs that are configured on the core.

root@EX4542-vc1# set ethernet-switching-options secure-access-port vlan Data_Wireless_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wireless arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wireless examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wireless ip-source-guard
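The Layer 2 steps above carry several security intentions: no Telnet or HTTP management, guest VLANs with no Layer 3 interface on the core, all three secure access port features on the client-facing VLANs, and every vlan unit bound to a VLAN. The following Python audit is an added example, not part of the guide: CONFIG is a subset of the statements shown in this chapter, while DRIFTED, the function names and the finding texts are assumptions of the example.

```python
from collections import defaultdict

REQUIRED_FEATURES = {"arp-inspection", "examine-dhcp", "ip-source-guard"}
CLIENT_FACING = {"Data_Wireless_1", "Guest_Wired", "Guest_Wireless"}
GUEST_VLANS = {"Guest_Wired", "Guest_Wireless"}
CLEARTEXT_SERVICES = {"telnet", "web-management http"}

# Subset of the core-switch statements shown in this chapter.
CONFIG = """\
set system services web-management https system-generated-certificate
set system services ssh
set vlans Data_Wired_1 vlan-id 10
set vlans Data_Wired_1 l3-interface vlan.10
set vlans Data_Wireless_1 vlan-id 18
set vlans Data_Wireless_1 l3-interface vlan.18
set vlans Guest_Wired vlan-id 30
set vlans Guest_Wireless vlan-id 32
set vlans Internet_Edge vlan-id 22
set vlans Internet_Edge l3-interface vlan.22
set interfaces vlan unit 10 family inet address 10.10.10.1/24
set interfaces vlan unit 18 family inet address 10.10.18.1/24
set interfaces vlan unit 20 family inet address 10.10.20.1/24
set interfaces vlan unit 22 family inet address 10.10.22.1/24
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wireless arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wireless examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wireless ip-source-guard
"""

# Constructed drift: one protection removed, Telnet on, a guest VLAN routed on the core.
DRIFTED = CONFIG.replace(
    "set ethernet-switching-options secure-access-port vlan Guest_Wireless ip-source-guard\n", ""
) + "set system services telnet\nset vlans Guest_Wired l3-interface vlan.30\n"


def parse(config_text):
    """Collect the facts the audit needs from Junos 'set' statements."""
    state = {"vlans": set(), "l3": {}, "units": {}, "services": set(),
             "sap": defaultdict(set)}
    for line in config_text.splitlines():
        tok = line.split("# ", 1)[-1].split()   # tolerate a leading CLI prompt
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "vlans":
            state["vlans"].add(tok[2])
            if "l3-interface" in tok[3:-1]:
                state["l3"][tok[2]] = tok[tok.index("l3-interface", 3) + 1]
        elif tok[1:4] == ["interfaces", "vlan", "unit"] and "address" in tok[5:-1]:
            state["units"]["vlan." + tok[4]] = tok[tok.index("address", 5) + 1]
        elif tok[1:3] == ["system", "services"]:
            state["services"].add(" ".join(tok[3:5]))
        elif (tok[1:4] == ["ethernet-switching-options", "secure-access-port", "vlan"]
              and len(tok) >= 6):
            state["sap"][tok[4]].add(tok[5])
    return state


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse(config_text)
    findings = []
    for svc in sorted(s["services"] & CLEARTEXT_SERVICES):
        findings.append(f"cleartext management service enabled: {svc}")
    for vlan in sorted(GUEST_VLANS & set(s["l3"])):
        findings.append(f"{vlan}: guest VLAN has Layer 3 interface {s['l3'][vlan]} on the core")
    for vlan in sorted(CLIENT_FACING & s["vlans"]):
        missing = REQUIRED_FEATURES - s["sap"][vlan]
        if missing:
            findings.append(f"{vlan}: missing secure-access-port {', '.join(sorted(missing))}")
    for unit in sorted(set(s["units"]) - set(s["l3"].values())):
        findings.append(f"{unit}: address {s['units'][unit]} configured but no VLAN binds it")
    for vlan, unit in sorted(s["l3"].items()):
        if unit not in s["units"]:
            findings.append(f"{vlan}: l3-interface {unit} has no address")
    return findings


if __name__ == "__main__":
    for label, text in (("as shown", CONFIG), ("drifted", DRIFTED)):
        print(label, audit(text))
```
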

Configuring Power over Ethernet (optional)

If you have PoE-capable EX4200 switches, you can enable PoE on the system. By default this is disabled, because the default configuration is derived from the EX4500 switch, which does not have PoE support. To enable PoE on the core switch you can just type set poe interface all.

root@EX4542-vc1# set poe interface all

Configuring Layer 3 Settings for the Core Switch

To configure Layer 3 parameters on the core switch:

1. Configure DHCP

The validated network example uses DHCP forwarding and a central DHCP server for

all IP address allocation except the Guest_Wireless and Guest_Wired VLANs that are

allocated IP addresses directly from the SRX Series Gateways to keep these isolated

from the rest of the network. DHCP services can be set up directly on the EX Series

Switches if desired (See Appendix C). DHCP forwarding is essentially a broadcast

forwarding system for DHCP requests that allows users to consolidate their DHCP

services in a centralized location instead of having a DHCP server for every subnet.

The following configuration enables DHCP forwarding on the VLAN interfaces listed,

and forwards DHCP requests to the DHCP server 10.10.24.100.

root@EX4542-vc1# set forwarding-options helpers bootp description DHCP-SERVER
set forwarding-options helpers bootp server 10.10.24.100
set forwarding-options helpers bootp interface vlan.24
set forwarding-options helpers bootp interface vlan.10
set forwarding-options helpers bootp interface vlan.12
set forwarding-options helpers bootp interface vlan.14
set forwarding-options helpers bootp interface vlan.16
set forwarding-options helpers bootp interface vlan.18
set forwarding-options helpers bootp interface vlan.20
set forwarding-options helpers bootp interface vlan.26
set forwarding-options helpers bootp interface vlan.28

2. Configure default gateway and static routes

root@EX4542-vc1# set routing-options static route 0.0.0.0/0 next-hop 10.10.22.254


3. Configure OSPF.

We need to configure a single OSPF area that will be the backbone area 0.0.0.0 and

add the interfaces/subnets we wish to advertise to the SRX Series Gateway.

NOTE: The subnet is all that is required to add the interface to the area. Mask information will be automatically imported into OSPF and redistributed.

root@EX4542-vc1# set protocols ospf area 0.0.0.0 interface vlan.22
set protocols ospf area 0.0.0.0 interface vlan.10
set protocols ospf area 0.0.0.0 interface vlan.12
set protocols ospf area 0.0.0.0 interface vlan.14
set protocols ospf area 0.0.0.0 interface vlan.16
set protocols ospf area 0.0.0.0 interface vlan.18
set protocols ospf area 0.0.0.0 interface vlan.20
set protocols ospf area 0.0.0.0 interface vlan.24

4. Configure non-stop routing.

Configure non-stop routing to keep the Routing Engines in sync with routing protocol

state.

root@EX4542-vc1# set routing-options nonstop-routing

Commit the configuration.

Configuring the Access Switch

• Configuring the Access Switch in Extended Mode

• Configuring the Access Switch in Dedicated Mode


Configuring the Access Switch in Extended Mode

Figure 14: Extended Mode Access Switch

Configuring access switches is simpler than configuring the core switch. We only configure Layer 2 services on the access switches, and an IP address on the Management VLAN in order to provide remote access. This section covers the configuration for EX4200-vc1, which is an extended mode Virtual Chassis in the validated network. This section includes the following topics:

• Procedure Overview

• Configuring Global Settings

• Configuring the Virtual Chassis

• Configuring Layer 2 settings

Procedure Overview

1. Unpack and perform the initial setup of the first switch.

2. Configure global configuration items.

3. Configure the Virtual Chassis.

• Identify the type of Virtual Chassis.

• Pre-provision the Virtual Chassis.

• Perform the Virtual Chassis type-specific configuration

• Perform the Virtual Chassis standard configuration.


4. Configure Layer 2 settings

5. Configure Layer 3 settings

Configuring Global Settings

To configure global settings on the access switch in extended mode:

1. Unpack and boot up the access switch, and then configure global settings

2. Connect to the Console port of the EX4200 switch (setting: s9600, 8, 1, none)

Press Enter. The following prompt appears.

Amnesiac (ttyu0)
login

a. Log in as root and press Enter. Because no password is configured, you are not prompted for one.

login: root
Logging to master.
--- JUNOS 11.4R1.6 built 2011-11-15 11:14:01 UTC
root@:RE:0%

b. Type cli at the % prompt.

root@:RE:0% cli
{master:0}
root>

You should now be at the > prompt.

3. Configure the date and time in the format: YYYYMMDDhhmm.ss.

root> set date 201201220830.00

NOTE: There is a known issue where the following message appears, but the date is actually set:

root> set date 201202101339.00
date: connect: Can't assign requested address
Fri Feb 10 13:39:00 UTC 2012

4. Enter configuration mode by typing configure or edit.

root> configure
Entering configuration mode
{master:0}[edit]
root#

You should now be at the # prompt and ready to start configuring the switch.

5. Configure the password.

root# set system root-authentication plain-text-password


New password:*******
Retype new password:*******
{master:0}[edit]
root#

6. Configure the time zone.

root# set system time-zone America/Los_Angeles

7. Configure the hostname.

root# set system host-name EX4200-vc1

8. Configure management or vme interface.

NOTE: This is optional, and is only recommended if you plan on having a separate out-of-band network just for managing devices. If you are not sure, you can always add this item later. For more information on the VME interface, see “Virtual Chassis” on page 95, or the Day One book, Configuring EX Series Ethernet Switches.

root@EX4200-vc1# set interfaces vme unit 0 family inet address 10.94.188.91/24

9. Configure management access.

root@EX4200-vc1# set system services web-management https system-generated-certificate
set system services ssh
delete system services web-management http
delete system services telnet

10. Configure DNS.

root@EX4200-vc1# set system name-server 10.10.24.100
set system domain-name xyzcompany.com

Configuring the Virtual Chassis

To configure the Virtual Chassis for the access switch in extended mode:

1. Identify the Virtual Chassis type.

In the case of the validated network, the access switch EX4200-vc1 is an extended

mode Virtual Chassis (it uses 10-Gigabit Ethernet links to extend the Virtual Chassis

between wiring closets and is managed as a single logical switch).

2. Configure the pre-provisioned Virtual Chassis

To pre-provision a Virtual Chassis, you need to identify the serial number of each device that will be part of the Virtual Chassis, the device function, and in what order you want each switch to be placed. Later, when all of the switches are connected and powered up, they will automatically be assigned the proper function and slot. Pay attention to the serial numbers and ordering of each switch when you connect them together later.

By default, the EX Series devices automatically form a Virtual Chassis, but the ordering is nondeterministic, so switches may not be numbered sequentially.


For more information about Virtual Chassis, see “Virtual Chassis” on page 95, or the

Day One book, Configuring EX Series Ethernet Switches.

root@EX4200-vc1# set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333190
set virtual-chassis member 1 role line-card
set virtual-chassis member 1 serial-number FP0211333201
set virtual-chassis member 2 role routing-engine
set virtual-chassis member 2 serial-number FP0211333173
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333265

3. Set the Virtual Chassis to support fast failover on 10-Gigabit Ethernet Virtual Chassis

interfaces.

root@EX4200-vc1# set virtual-chassis fast-failover xe

4. Configure global Virtual Chassis commands.

root@EX4200-vc1# set system commit synchronize
set ethernet-switching-options nonstop-bridging
set chassis redundancy graceful-switchover

Commit the configuration.

root@EX4200-vc1# commit

If you see an error message like the following, you can ignore it. The configuration

commit operation has been completed.

root@EX4200-vc1# commit

error: Could not connect to fpc-1 : Can't assign requested address
warning: Cannot connect to other RE, ignoring it
configuration check succeeds
commit complete

Using the VCP ports at the back of the units, cable each pair of EX Series switches

together. Remember to pay careful attention to the serial numbers of each switch

before cabling them together.

WARNING: Do not connect the 10-Gigabit Ethernet ports at this time.

When all of the switches are cabled properly, power them up. You should now have two Virtual Chassis, each with two members. One of the two-member chassis will be pre-provisioned. Verify that this is working properly by running the show virtual-chassis command. Output similar to the one shown here indicates that the chassis members are present, the Virtual Chassis is pre-provisioned, and that the members are correctly identified. Here, member 0 is supposed to be a Routing Engine and member 1 is supposed to be in linecard mode. We can verify that from the output.

root@EX4200-vc1> show virtual-chassis

Preprovisioned Virtual Chassis
Virtual Chassis ID: e3d7.6832.7772
Virtual Chassis Mode: Enabled
                                              Mstr            Mixed Neighbor List
Member ID  Status  Serial No     Model        prio  Role      Mode  ID  Interface
0 (FPC 0)  Prsnt   FP0211333190  ex4200-48px  129   Master*   N     1   vcp-0
                                                                    1   vcp-1
1 (FPC 1)  Prsnt   FP0211333201  ex4200-48px  0     Linecard  N     0   vcp-0
                                                                    0   vcp-1

5. Configure Virtual Chassis extended ports.

Since this is an extended mode chassis, we need to configure it to use some of the 10-Gigabit Ethernet ports as Virtual Chassis extended ports so the switches can form a single Virtual Chassis. In our example, we use the EX-UM-2x4SFP uplink module on our chassis that supports either two 10-Gbps or four 1-Gbps ports. The first and third positions coincide with the 10-Gigabit Ethernet ports and are filled on the uplink module, so we will configure ports xe-x/1/0 and xe-x/1/2. We will use port 0 in our case for each switch.

NOTE: The port definition in your example could be different if you use a different model of EX Series device as your uplink module, but as it should still have port 0, this part of the configuration does not change.

root@EX4200-vc1> request virtual-chassis vc-port set pic-slot 1 port 0 member 0
request virtual-chassis vc-port set pic-slot 1 port 0 member 1

a. Use the show virtual-chassis vc-port command to verify that the ports are configured correctly. Here we can see that interface 1/0 on each switch is configured and up but has no neighbors.

root@EX4200-vc1> show virtual-chassis vc-port

fpc0:
--------------------------------------------------------------------------
Interface   Type         Trunk  Status  Speed   Neighbor
or                       ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated    1      Up      32000   1   vcp-1
vcp-1       Dedicated    2      Up      32000   1   vcp-0
1/0         Configured   -1     Up      10000

fpc1:
--------------------------------------------------------------------------
Interface   Type         Trunk  Status  Speed   Neighbor
or                       ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated    1      Up      32000   0   vcp-1
vcp-1       Dedicated    2      Up      32000   0   vcp-0
1/0         Configured   -1     Up      10000

b. Connect your console to the second pair of switches. Press Enter and you should

see the following prompt:

Amnesiac (ttyu0)
login:

c. Log in as root and press Enter. There should be no password configured, so you

should not be prompted for one.


You should now be at the % prompt of the switch.

login: root
Logging to master.
--- JUNOS 11.4R1.6 built 2011-11-15 11:14:01 UTC
root@:RE:0%

d. Type cli at the % prompt.

root@:RE:0% cli
{master:0}
root>

You should now be at the > prompt.

e. Use the show virtual-chassis command to verify that the switches are up and running. When both of the switches show up, we can configure the Virtual Chassis ports on these switches.

root> show virtual-chassis

Virtual Chassis ID: b155.0783.e272
Virtual Chassis Mode: Enabled
                                              Mstr            Mixed Neighbor List
Member ID  Status  Serial No     Model        prio  Role      Mode  ID  Interface
0 (FPC 0)  Prsnt   FP0211333265  ex4200-48px  128   Master*   N     1   vcp-0
                                                                    1   vcp-1
1 (FPC 1)  Prsnt   FP0211333173  ex4200-48px  128   Backup    N     0   vcp-0
                                                                    0   vcp-1

6. Configure the second set of Virtual Chassis extended ports.

root> request virtual-chassis vc-port set pic-slot 1 port 0 member 0
request virtual-chassis vc-port set pic-slot 1 port 0 member 1

Use the show virtual-chassis vc-port command to verify the ports are configured correctly. Here we can see that interface 1/0 on each switch is configured and up but has no neighbors.

root> show virtual-chassis vc-port

fpc0:
--------------------------------------------------------------------------
Interface   Type         Trunk  Status  Speed   Neighbor
or                       ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated    1      Up      32000   1   vcp-1
vcp-1       Dedicated    2      Up      32000   1   vcp-0
1/0         Configured   -1     Down    10000

fpc1:
--------------------------------------------------------------------------
Interface   Type         Trunk  Status  Speed   Neighbor
or                       ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated    1      Up      32000   0   vcp-1
vcp-1       Dedicated    2      Up      32000   0   vcp-0
1/0         Configured   -1     Down    10000

7. Connect the Virtual Chassis extended ports.

a. Connect switches 1 and 3 together using the 10-Gigabit Ethernet port xe-x/1/0 on

each switch.

b. Connect switches 2 and 4 together using the 10-Gigabit Ethernet port xe-x/1/0 on

each switch.

8. Verify Virtual Chassis extended ports.

a. Connect the console back to the first pair of switches.

b. Use the show virtual-chassis vc-port command to verify the port configuration is correct. All of the four switches are visible, with one configured 1/0 port that has a neighbor listed.

{master:0}
root@EX4200-vc1> show virtual-chassis vc-port

fpc0:
--------------------------------------------------------------------------
Interface   Type         Trunk  Status  Speed   Neighbor
or                       ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated    1      Up      32000   1   vcp-1
vcp-1       Dedicated    2      Up      32000   1   vcp-0
1/0         Configured   -1     Up      10000   2   vcp-255/1/0

fpc1:
--------------------------------------------------------------------------
Interface   Type         Trunk  Status  Speed   Neighbor
or                       ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated    1      Up      32000   0   vcp-1
vcp-1       Dedicated    2      Up      32000   0   vcp-0
1/0         Configured   -1     Up      10000   3   vcp-255/1/0

fpc2:
--------------------------------------------------------------------------
Interface   Type         Trunk  Status  Speed   Neighbor
or                       ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated    1      Up      32000   3   vcp-1
vcp-1       Dedicated    2      Up      32000   3   vcp-0
1/0         Configured   -1     Up      10000   0   vcp-255/1/0

fpc3:
--------------------------------------------------------------------------
Interface   Type         Trunk  Status  Speed   Neighbor
or                       ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated    1      Up      32000   2   vcp-1
vcp-1       Dedicated    2      Up      32000   2   vcp-0
1/0         Configured   -1     Up      10000   1   vcp-255/1/0

c. Use the show virtual-chassis command to verify that the Virtual Chassis is built as expected, based on the pre-provisioning configuration we did earlier.

root@EX4200-vc1> show virtual-chassis

Preprovisioned Virtual Chassis
Virtual Chassis ID: e3d7.6832.7772
Virtual Chassis Mode: Enabled
                                              Mstr            Mixed Neighbor List
Member ID  Status  Serial No     Model        prio  Role      Mode  ID  Interface
0 (FPC 0)  Prsnt   FP0211333190  ex4200-48px  129   Master*   N     1   vcp-0
                                                                    1   vcp-1
                                                                    2   vcp-255/1/0
1 (FPC 1)  Prsnt   FP0211333201  ex4200-48px  0     Linecard  N     0   vcp-0
                                                                    0   vcp-1
                                                                    3   vcp-255/1/0
2 (FPC 2)  Prsnt   FP0211333173  ex4200-48px  129   Backup    N     3   vcp-0
                                                                    3   vcp-1
                                                                    0   vcp-255/1/0
3 (FPC 3)  Prsnt   FP0211333265  ex4200-48px  0     Linecard  N     2   vcp-0
                                                                    2   vcp-1
                                                                    1   vcp-255/1/0

9. Configure default settings.

The following commands show items that should be enabled by default in the configuration. You may wish to review and verify that these settings are desired for your specific network.

root@EX4200-vc1# set protocols igmp-snooping vlan all
set protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set poe interface all
set ethernet-switching-options storm-control interface all
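The serial number and role checks that the procedure above asks you to make by eye against show virtual-chassis can be scripted. This is an added example, not part of the guide or of Junos OS: the sample outputs are rebuilt from the guide's values with constructed column spacing, and the function names are hypothetical.

```python
import re

# How a pre-provisioned role appears in the Role column, as in the guide's output.
ROLE_SHOWN_AS = {"routing-engine": {"Master", "Backup"}, "line-card": {"Linecard"}}

# The guide's pre-provisioning statements for EX4200-vc1.
PREPROVISION = """\
set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333190
set virtual-chassis member 1 role line-card
set virtual-chassis member 1 serial-number FP0211333201
set virtual-chassis member 2 role routing-engine
set virtual-chassis member 2 serial-number FP0211333173
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333265
"""

# Sample outputs rebuilt from the guide's values; the column spacing is
# constructed and the extra neighbor lines are trimmed.
COLUMNS = "Member ID  Status  Serial No     Model        prio  Role      Mode  ID  Interface\n"
FIRST_PAIR = "Preprovisioned Virtual Chassis\nVirtual Chassis ID: e3d7.6832.7772\n" + COLUMNS + """\
0 (FPC 0)  Prsnt   FP0211333190  ex4200-48px  129   Master*   N     1   vcp-0
1 (FPC 1)  Prsnt   FP0211333201  ex4200-48px  0     Linecard  N     0   vcp-0
"""
ALL_FOUR = FIRST_PAIR + """\
2 (FPC 2)  Prsnt   FP0211333173  ex4200-48px  129   Backup    N     3   vcp-0
3 (FPC 3)  Prsnt   FP0211333265  ex4200-48px  0     Linecard  N     2   vcp-0
"""
# The second pair before it joins: formed automatically, not pre-provisioned.
SECOND_PAIR = "Virtual Chassis ID: b155.0783.e272\n" + COLUMNS + """\
0 (FPC 0)  Prsnt   FP0211333265  ex4200-48px  128   Master*   N     1   vcp-0
1 (FPC 1)  Prsnt   FP0211333173  ex4200-48px  128   Backup    N     0   vcp-0
"""

MEMBER_CFG = re.compile(r"set virtual-chassis member (\d+) (role|serial-number) (\S+)")
MEMBER_ROW = re.compile(r"^\s*(\d+) \(FPC \d+\)\s+(\S+)\s+(\S+)(?:\s+\S+\s+\d+\s+(\S+))?")


def expected_members(config_text):
    """Map member id -> {'role': ..., 'serial-number': ...} from set statements."""
    members = {}
    for match in MEMBER_CFG.finditer(config_text):
        members.setdefault(int(match.group(1)), {})[match.group(2)] = match.group(3)
    return members


def observed_members(show_text):
    """Map member id -> status, serial and role from show virtual-chassis rows."""
    rows = {}
    for line in show_text.splitlines():
        match = MEMBER_ROW.match(line)
        if match:
            member, status, serial, role = match.groups()
            rows[int(member)] = {"status": status, "serial": serial,
                                 "role": (role or "").rstrip("*")}
    return rows


def verify(config_text, show_text):
    """Return a list of differences between the plan and the running chassis."""
    findings = []
    if "Preprovisioned Virtual Chassis" not in show_text:
        findings.append("chassis is not reported as preprovisioned")
    expected, seen = expected_members(config_text), observed_members(show_text)
    for member, want in sorted(expected.items()):
        got = seen.get(member)
        if got is None:
            findings.append(f"member {member}: serial {want.get('serial-number')} not in output")
            continue
        if got["status"] != "Prsnt":
            findings.append(f"member {member}: status {got['status']}")
        if got["serial"] != want.get("serial-number"):
            findings.append(f"member {member}: serial {got['serial']}, "
                            f"expected {want.get('serial-number')}")
        if got["role"] not in ROLE_SHOWN_AS.get(want.get("role"), set()):
            findings.append(f"member {member}: role {got['role']}, expected {want.get('role')}")
    for member in sorted(set(seen) - set(expected)):
        findings.append(f"member {member}: serial {seen[member]['serial']} is not pre-provisioned")
    return findings


if __name__ == "__main__":
    for name, output in (("first pair", FIRST_PAIR), ("all four", ALL_FOUR),
                         ("second pair", SECOND_PAIR)):
        print(name, verify(PREPROVISION, output) or "matches the plan")
```

Run against the second pair's output, the check reports the automatically assigned member numbers and roles that differ from the plan, which is the nondeterministic ordering the pre-provisioning step is there to prevent.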

Configuring Layer 2 settings

To configure Layer 2 parameters and settings on the access switch in extended mode:

1. Configure VLANs.

The EX4200-vc1 chassis has the following VLANs assigned: Data_Wired_1, VOIP_Wired_1, Management and Guest_Wired. It has only one IP interface defined, which is on the Management VLAN.

root@EX4200-vc1# set vlans Data_Wired_1 vlan-id 10
set vlans VOIP_Wired_1 vlan-id 14
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Guest_Wired vlan-id 30

2. Configure Interfaces.

We need to configure one IP interface on the Management VLAN.

set interfaces vlan unit 28 family inet address 10.10.28.244/24

3. Configure LAG (aggregated Ethernet) ports.

The EX4200-vc1 chassis has only one LAG port configured to connect to the core

switch.

Junos OS requires that you configure the number of LAG interfaces you want to use before you begin configuring the LAG interfaces. We suggest picking a number slightly larger than what you need in case you add more LAG interfaces later. You can change this value in the future.

a. Because we need one LAG interface for this configuration, we will configure the

EX4200-vc1 chassis with two in case we add another LAG connection later.

root@EX4200-vc1# set chassis aggregated-devices ethernet device-count 2

The 10-Gigabit Ethernet ports on the EX4200-vc1 are only available using the uplink module ports. We have uplink modules on each of the four switches. However, the first port xe-x/1/0 is already in use on each switch to form the extended Virtual Chassis. We need to configure the LAG connection on switch members 1 and 3, using ports xe-1/1/2 and xe-3/1/2.

b. First, we need to remove any port-specific configuration on the physical ports we want to aggregate. By default, interfaces have unit 0 defined, but this is not allowed on an interface that is part of an aggregate interface because it would conflict with unit 0 on the logical aggregate interface.

root@EX4200-vc1# delete interfaces xe-0/1/2 unit 0
delete interfaces xe-2/1/2 unit 0

root@EX4200-vc1# set interfaces xe-0/1/2 ether-options 802.3ad ae0
set interfaces xe-2/1/2 ether-options 802.3ad ae0

c. Next, we need to add LACP to each LAG interface to provide some health checking.

NOTE: LACP must be configured on both sides for the LAG port to become active.

root@EX4200-vc1# set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow

4. Disable RSTP on LAG connections to access switches.

Because we are not using RSTP as a topology protocol, we can disable it on the LAG ports going to our access switches. Disabling RSTP also reduces potential convergence times in case of a LAG member failure, because fewer protocols need to converge.


NOTE: All access switches will have RSTP enabled for loop protection locally.

root@EX4200-vc1# set protocols rstp interface ae0.0 disable

5. Configure the trunk port and VLAN configuration.

Next, we need to configure the LAG port as a trunk and add the VLANs that will be

supported going to the core switch. To enable the LAG port as a trunk port, use the

set interfaces command.

root@EX4200-vc1# set interfaces ae0 unit 0 family ethernet-switching port-mode trunk

6. Configure VLANs on trunk ports.

VLAN configuration for ae0, which connects to the EX4542-vc1 has Data_Wired_1, VOIP_Wired_1, and the Management VLAN for access points and switch management. The Guest_Wired VLAN will also be configured on this trunk to support guests needing a wired connection (conference rooms, and so on).

root@EX4200-vc1# set interfaces ae0 unit 0 family ethernet-switching vlan members [Data_Wired_1 VOIP_Wired_1 Management Guest_Wired]

a. Commit the configuration.

commit

You should see the commit operation finish on each of the EX Series switches in

the Virtual Chassis.

root@ex4200-vc1# commit
fpc0:
configuration check succeeds
fpc1:
commit complete
fpc2:
commit complete
fpc3:
commit complete
fpc0:
commit complete

b. Now connect the LAG connections to the core switch.

Run the show lldp neighbors command to verify that the connection is up and you

can see the other side of the connection.

root@ex4200-vc1> show lldp neighbors

Local Interface  Parent Interface  Chassis Id         Port info    System Name
vme.0            -                 5c:5e:ab:79:bc:c0  ge-0/0/38.0
xe-0/1/2.0       ae0.0             88:e0:f3:74:55:c0  xe-0/0/0.0   EX4542-vc1
xe-2/1/2.0       ae0.0             88:e0:f3:74:55:c0  xe-1/0/0.0   EX4542-vc1

c. Run the show lacp interfaces command to verify that LACP is running.


root@ex4200-vc1> show lacp interfaces

Aggregated interface: ae0
    LACP state:       Role  Exp  Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/2       Actor   No   No   Yes  Yes  Yes   Yes     Fast    Active
      xe-0/1/2     Partner   No   No   Yes  Yes  Yes   Yes     Fast    Active
      xe-2/1/2       Actor   No   No   Yes  Yes  Yes   Yes     Fast    Active
      xe-2/1/2     Partner   No   No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:   Receive State  Transmit State  Mux State
      xe-0/1/2       Current        Fast periodic   Collecting distributing
      xe-2/1/2       Current        Fast periodic   Collecting distributing

7. Configure secure access port features.

We recommend configuring these basic security features on the majority of the VLANs on access switches. We need to enable these features on the Data_Wired_1, VOIP_Wired_1, and Guest_Wired VLANs.

You may notice that we do not enable these features on the Management VLAN. There is a greater tendency to have statically configured devices on management VLANs. Each device with a static IP address attached to a port on a VLAN, with these features enabled, requires a static port configuration with an IP address and a MAC address in order to communicate with the rest of the network. If required, this additional level of security can be configured, but it will add some overhead when network changes are made.

root@EX4200-vc1# set ethernet-switching-options secure-access-port vlan Data_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard

For more information about port security features, see the Day One book, Configuring

EX Series Ethernet Switches, or Port Security on EX Series Switches Guide at

www.juniper.net/techpubs.


NOTE: Using the interface-range statement.

Junos OS supports a feature called interface-range, which allows you to group several interfaces together so that you can configure the entire group using one statement. This can be helpful when you have many similar ports that will share much of the same configuration, and this statement can be used to simplify configurations.

With the access switches in the validated network, each member in the Virtual Chassis is divided up by port type. Ports 0–4 are reserved for wireless access points, Ports 5–26 are reserved for Data and 27–47 reserved for Voice. Since these ports are typically configured identically, you use the interface-range statement to simplify operations and create three different port groups: Access_Points, Wired_Data and Wired_Voice.

root@EX4200-vc1# set interfaces interface-range Wired_Data member-range ge-0/0/5 to ge-0/0/26
set interfaces interface-range Wired_Data member-range ge-1/0/5 to ge-1/0/26
set interfaces interface-range Wired_Data member-range ge-2/0/5 to ge-2/0/26
set interfaces interface-range Wired_Data member-range ge-3/0/5 to ge-3/0/26
set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Wired_Voice member-range ge-2/0/27 to ge-2/0/47
set interfaces interface-range Wired_Voice member-range ge-3/0/27 to ge-3/0/47
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4
set interfaces interface-range Access_Points member-range ge-2/0/0 to ge-2/0/4
set interfaces interface-range Access_Points member-range ge-3/0/0 to ge-3/0/4

8. Set the port mode.

Set the port mode to access. Because we have used the interface-range statement, we only need to set the port mode at the interface-range instead of editing every port.

root@EX4200-vc1# set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access

9. Configure port to VLAN.

root@EX4200-vc1# set vlans Data_Wired_1 interface Wired_Data
set vlans Management interface Access_Points
set vlans VOIP_Wired_1 interface Wired_Voice

10. Configure Layer 3 settings.

Layer 3 configuration for the access switch involves setting a default route in the case

of the validated network. In this case, it points to 10.10.28.1 which is the core switch

IP interface on the Management VLAN.

root@EX4200-vc1# set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1


Commit the configuration.

root@EX4200-vc1# commit

11. Verify IP reachability.

Next, you need to verify IP reachability by pinging the core switch management IP address from the access switch. This also indicates that trunking is configured properly on the interface and working properly.

root@EX4200-vc1> ping 10.10.28.1

PING 10.10.28.1 (10.10.28.1): 56 data bytes
64 bytes from 10.10.28.1: icmp_seq=0 ttl=64 time=4.441 ms
64 bytes from 10.10.28.1: icmp_seq=1 ttl=64 time=4.383 ms
64 bytes from 10.10.28.1: icmp_seq=2 ttl=64 time=4.134 ms

12. Verify VLANs and trunking.

a. To verify that the proper VLANs are configured for trunking on the ae0 interface,

you can use the show ethernet-switching interfaces ae0 command.

root@EX4200-vc1> show ethernet-switching interfaces ae0

Interface    State    VLAN members        Tag   Tagging  Blocking
ae0.0        up       Data_Wired_1        10    tagged   unblocked
                      Guest_Wired         30    tagged   unblocked
                      Management          28    tagged   unblocked
                      VOIP_Wired_1        14    tagged   unblocked

b. To see what ports are configured for specific VLANs use the show vlans command.

NOTE: Because of the large number of ports in ex4200-vc1, the show command output below shows the first VLAN’s output.

root@EX4200-vc1> show vlans

Name           Tag  Interfaces
Data_Wired_1   10   ae0.0*, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0,
                    ge-0/0/9.0, ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0,
                    ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0,
                    ge-0/0/19.0, ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0,
                    ge-0/0/24.0, ge-0/0/25.0, ge-0/0/26.0, ge-1/0/5.0, ge-1/0/6.0,
                    ge-1/0/7.0, ge-1/0/8.0, ge-1/0/9.0, ge-1/0/10.0*, ge-1/0/11.0,
                    ge-1/0/12.0, ge-1/0/13.0, ge-1/0/14.0, ge-1/0/15.0, ge-1/0/16.0,
                    ge-1/0/17.0, ge-1/0/18.0, ge-1/0/19.0, ge-1/0/20.0, ge-1/0/21.0,
                    ge-1/0/22.0, ge-1/0/23.0, ge-1/0/24.0, ge-1/0/25.0, ge-1/0/26.0,
                    ge-2/0/5.0, ge-2/0/6.0, ge-2/0/7.0, ge-2/0/8.0, ge-2/0/9.0,
                    ge-2/0/10.0*, ge-2/0/11.0*, ge-2/0/12.0, ge-2/0/13.0, ge-2/0/14.0,
                    ge-2/0/15.0, ge-2/0/16.0, ge-2/0/17.0, ge-2/0/18.0, ge-2/0/19.0,
                    ge-2/0/20.0, ge-2/0/21.0, ge-2/0/22.0, ge-2/0/23.0, ge-2/0/24.0,
                    ge-2/0/25.0, ge-2/0/26.0, ge-3/0/5.0, ge-3/0/6.0, ge-3/0/7.0,
                    ge-3/0/8.0, ge-3/0/9.0, ge-3/0/10.0, ge-3/0/11.0, ge-3/0/12.0,
                    ge-3/0/13.0, ge-3/0/14.0, ge-3/0/15.0, ge-3/0/16.0, ge-3/0/17.0,
                    ge-3/0/18.0, ge-3/0/19.0, ge-3/0/20.0, ge-3/0/21.0, ge-3/0/22.0,
                    ge-3/0/23.0, ge-3/0/24.0, ge-3/0/25.0, ge-3/0/26.0
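A way to confirm that a switch carries the secure access port features from step 7 on every client-facing VLAN, and the management access settings from the global settings procedure. This is an added example, not part of the guide or of Junos OS: the sample is constructed from the guide's statements with two defects introduced, the function names are hypothetical, and exempting the Management VLAN by default is an assumption that follows the guide's reasoning about statically addressed devices.

```python
import re
from collections import defaultdict

# The three features the guide enables together on each client-facing VLAN.
REQUIRED_FEATURES = ("arp-inspection", "examine-dhcp", "ip-source-guard")
# Cleartext services the guide deletes under "Configure management access".
CLEARTEXT_SERVICES = ("telnet", "web-management http")
SAP_PREFIX = "ethernet-switching-options secure-access-port vlan "

# Constructed sample: the guide's EX4200-vc1 statements with two defects added
# on purpose (no ip-source-guard on VOIP_Wired_1, telnet still enabled).
SAMPLE_CONFIG = """\
root@EX4200-vc1# set system services web-management https system-generated-certificate
set system services ssh
set system services web-management http
delete system services web-management http
set system services telnet
set vlans Data_Wired_1 vlan-id 10
set vlans VOIP_Wired_1 vlan-id 14
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Guest_Wired vlan-id 30
set ethernet-switching-options secure-access-port vlan Data_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
"""


def parse_statements(text):
    """Replay set/delete statements in order; return (vlans, features, services)."""
    vlans, features, services = set(), defaultdict(set), set()
    for raw in text.splitlines():
        # Drop a leading prompt such as "root@EX4200-vc1# " and squeeze spaces.
        line = " ".join(re.sub(r"^\S+#\s*", "", raw.strip()).split())
        verb, _, rest = line.partition(" ")
        if verb not in ("set", "delete"):
            continue
        tokens = rest.split()
        if rest.startswith("vlans ") and len(tokens) >= 2:
            if verb == "set" and tokens[2:3] == ["vlan-id"]:
                vlans.add(tokens[1])
            elif verb == "delete" and len(tokens) == 2:
                vlans.discard(tokens[1])
        elif rest.startswith(SAP_PREFIX) and len(tokens) >= 5:
            vlan, feature = tokens[3], tokens[4]
            if verb == "set":
                features[vlan].add(feature)
            else:
                features[vlan].discard(feature)
        elif rest.startswith("system services ") and len(tokens) >= 3:
            # "web-management http" and "web-management https" are distinct services.
            name = " ".join(tokens[2:4]) if tokens[2] == "web-management" else tokens[2]
            if verb == "set":
                services.add(name)
            else:
                services = {s for s in services
                            if s != name and not s.startswith(name + " ")}
    return vlans, features, services


def audit(text, exempt_vlans=("Management",)):
    """Return (subject, problem) findings against the guide's recommendations."""
    vlans, features, services = parse_statements(text)
    findings = []
    for vlan in sorted(vlans - set(exempt_vlans)):
        missing = [f for f in REQUIRED_FEATURES if f not in features.get(vlan, ())]
        if missing:
            findings.append((f"vlan {vlan}", "missing " + ", ".join(missing)))
    # A feature set on a VLAN name that is never defined is usually a typo.
    for vlan in sorted({v for v, enabled in features.items() if enabled} - vlans):
        findings.append((f"vlan {vlan}", "secure-access-port set on undefined VLAN"))
    for service in CLEARTEXT_SERVICES:
        if service in services:
            findings.append((f"service {service}", "cleartext management enabled"))
    if "ssh" not in services:
        findings.append(("service ssh", "not enabled"))
    return findings


if __name__ == "__main__":
    for subject, problem in audit(SAMPLE_CONFIG):
        print(f"{subject}: {problem}")
```

The same function works on the core switch statements; pass exempt_vlans=() to include the Management VLAN if static port entries are configured for it.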

Configuring the Access Switch in Dedicated Mode

The configuration for the remaining access switches EX4200-vc2 and EX4200-vc3 is identical to that of the extended mode access switch with the exception of IP addressing differences. In this section, we only step through the setup of EX4200-vc2, as shown in Figure 15 on page 59.

Figure 15: Dedicated Mode Access Switch

This configuration includes the following topics.

• Procedure Overview

• Configuring Global Settings

• Configuring a Virtual Chassis

• Configuring Layer 2 settings


Procedure Overview


1. Unpack and perform the initial setup of the first switch.

2. Configure global configuration items.

3. Configure the Virtual Chassis.

• Identify the type of Virtual Chassis.

• Pre-provision the Virtual Chassis.

• Perform the Virtual Chassis type-specific configuration.

• Perform the Virtual Chassis standard configuration.

4. Configure Layer 2 settings.

5. Configure Layer 3 settings.

Configuring Global Settings

To configure global settings on the access switch in dedicated mode:

1. Unpack and perform the initial setup of the first switch.

2. Connect to the console port of the EX4200 switch (setting: s9600, 8, 1, none).

a. Press Enter. The following prompt appears:

Amnesiac (ttyu0)
login

b. Log in as root and press Enter. Because no password is configured, you are not prompted for one.

login: root
Logging to master.
--- JUNOS 11.4R1.6 built 2011-11-15 11:14:01 UTC
root@:RE:0%

c. Type cli at the % prompt.

root@:RE:0% cli
{master:0}
root>

You should now be at the > prompt.

3. Configure the date and time in the following format: YYYYMMDDhhmm.ss

root> set date 201201220830.00

4. Enter configuration mode by typing configure or edit.

root> configure
Entering configuration mode


{master:0}[edit]
root#

You should now be at the # prompt and ready to start configuring the switch.

5. Configure the password.

root# set system root-authentication plain-text-password
New password:*******
Retype new password:*******
{master:0}[edit]
root#

6. Configure the time zone.

root# set system time-zone America/Los_Angeles

7. Configure the hostname.

set system host-name EX4200-vc2

8. Configure the management and VME interface.

NOTE: This is optional, and is only recommended if you plan on having a separate out-of-band network just for managing devices. If you are not sure, you can add this item later. For more information on the VME interface, see “Virtual Chassis” on page 95, or the Day One book, Configuring EX Series Ethernet Switches.

root@EX4200-vc2# set interfaces vme unit 0 family inet address 10.94.188.95/24

9. Configure management access.

root@EX4200-vc2# set system services web-management https system-generated-certificate
set system services ssh
delete system services web-management http
delete system services telnet

10. Configure DNS.

root@EX4200-vc2# set system name-server 10.10.24.100
set system domain-name xyzcompany.com

Configuring a Virtual Chassis

To configure the Virtual Chassis for the access switch in dedicated mode:

1. Identify the Virtual Chassis type.

In the validated network, access switch EX4200-vc2 is a dedicated mode Virtual Chassis that uses only the VCP ports to form the switching fabric interconnect, and all switches are the same model.

2. Configure a pre-provisioned Virtual Chassis.

To pre-provision a Virtual Chassis you need to identify the serial numbers of each device that will be part of the Virtual Chassis, the device function, and the order in which you want each switch to be placed. Later, when all of the switches are connected and powered up, they will automatically be assigned the proper function and slot. Make sure you pay attention to the serial numbers and ordering of each switch when you connect them together later.

By default, the EX Series devices automatically form a Virtual Chassis, but because the ordering is nondeterministic, the switches may not be numbered sequentially. For more information about Virtual Chassis, see “Virtual Chassis” on page 95, or the Day One book, Configuring EX Series Ethernet Switches.

root@EX4200-vc2# set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333274
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number FP0211333245

3. Configure specific Virtual Chassis commands.

Because this is only a two-member Virtual Chassis and both members are located

together, we need to disable split detection.

root@EX4200-vc2# set virtual-chassis no-split-detection

4. Configure global Virtual Chassis commands.

root@EX4200-vc2# set system commit synchronize
set ethernet-switching-options nonstop-bridging
set chassis redundancy graceful-switchover

a. Commit the configuration.

root@EX4200-vc2# commit

b. Using the VCP ports at the back of the units, cable each pair of EX Series switches together. When all of the switches are cabled properly, power up the remaining switch. Once all the switches are powered up, verify that all of the members are active by running the show virtual-chassis command.

root@EX4200-vc-2> show virtual-chassis

Preprovisioned Virtual Chassis
Virtual Chassis ID: 77df.abcc.3e2f
Virtual Chassis Mode: Enabled
                                              Mstr           Mixed Neighbor List
Member ID  Status  Serial No     Model        prio  Role     Mode  ID  Interface
0 (FPC 0)  Prsnt   FP0211333274  ex4200-48px  129   Backup   N     1   vcp-0
                                                                   1   vcp-1
1 (FPC 1)  Prsnt   FP0211333245  ex4200-48px  129   Master*  N     0   vcp-0
                                                                   0   vcp-1

5. Configure default settings.

The following commands show items that should be enabled by default in the configuration. You may wish to review and verify that these settings are desired for your specific network.

root@EX4200-vc2# set protocols igmp-snooping vlan all
set protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set poe interface all
set ethernet-switching-options storm-control interface all

Configuring Layer 2 settings

To configure Layer 2 parameters and settings on the access switch in dedicated mode:

1. Configure VLANs.

The EX4200-vc2 chassis has the following VLANs assigned: Data_Wired_2, VOIP_Wired_2, Management, and Guest_Wired. It has only one IP interface defined, which is on the Management VLAN.

root@EX4200-vc2# set vlans Data_Wired_2 vlan-id 12
set vlans VOIP_Wired_2 vlan-id 16
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Guest_Wired vlan-id 30

2. Configure interfaces.

We need to configure one IP interface on the Management VLAN.

root@EX4200-vc2# set interfaces vlan unit 28 family inet address 10.10.28.243/24

3. Configure LAG (aggregated Ethernet) ports.

The EX4200-vc2 chassis has only one LAG port configured to connect to the core switch.

Junos OS requires that you configure the number of LAG interfaces you want to use before you begin configuring the LAG interfaces. We suggest picking a number slightly larger than what you need in case you add more LAG interfaces later. You can change this value in the future.

a. Because we need one LAG interface for this configuration, we will configure the

EX4200-vc2 chassis with two in case we add another LAG connection later.

root@EX4200-vc2# set chassis aggregated-devices ethernet device-count 2

The 10-Gigabit Ethernet ports on the EX4200-vc1 are only available using the uplink module ports. We have uplink modules on each of the four switches. However, the first port xe-x/1/0 is already in use on each switch to form the extended Virtual Chassis. We need to configure the LAG connection on switch members 1 and 3, using ports xe-1/1/2 and xe-3/1/2.

b. First, we need to remove any port-specific configuration on the physical ports we want to aggregate. By default, interfaces have unit 0 defined, but this is not allowed on an interface that is part of an aggregate interface because it would conflict with unit 0 on the logical aggregate interface.

root@EX4200-vc2# delete interfaces xe-0/1/0 unit 0
delete interfaces xe-1/1/0 unit 0

root@EX4200-vc2# set interfaces xe-0/1/2 ether-options 802.3ad ae0
set interfaces xe-2/1/2 ether-options 802.3ad ae0


c. Next, we need to add LACP to each LAG interface to provide some health checking.

NOTE: LACP must be configured on both sides for the LAG port to become active.

root@EX4200-vc2# set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow

4. Disable RSTP on LAG connections to access switches.

Because we do not use RSTP as a topology protocol, we can disable it on the LAG ports going to our access switches. Disabling RSTP also reduces potential convergence times in case a LAG member fails, because fewer protocols need to converge.

NOTE: Note all access switches have RSTP enabled locally for loop protection.

root@EX4200-vc2# set protocols rstp interface ae0.0 disable

5. Configure the trunk port and VLAN.

Next, we need to configure the LAG port as a trunk and add the VLANs that will be

supported going to the core switch. To enable the LAG port as a trunk port, use the

set interfaces command.

root@EX4200-vc2# set interfaces ae0 unit 0 family ethernet-switching port-mode trunk

6. Configure VLANs on trunk ports.

VLAN configuration for ae0, which connects to the EX4542-vc1 switch, has Data_Wired_2, VOIP_Wired_2, and the Management VLAN for access points and switch management. The Guest_Wired VLAN will also be configured on this trunk to support guests needing a wired connection (conference rooms, and so on).

root@EX4200-vc2# set interfaces ae0 unit 0 family ethernet-switching vlan members [Data_Wired_2 VOIP_Wired_2 Management Guest_Wired]

a. Commit the configuration.

root@EX4200-vc2# commit

b. Connect the LAG connections to the core switch, then use the show lldp neighbors command to verify that the connection is up and that you can see the other side of the connection.

root@EX4200-vc2> show lldp neighbors
Local Interface  Parent Interface  Chassis Id         Port info    System Name
vme.0            -                 5c:5e:ab:79:bc:c0  ge-0/0/12.0
xe-0/1/0.0       ae0.0             88:e0:f3:74:55:c0  xe-0/0/1.0   EX4542-vc1
xe-1/1/0.0       ae0.0             88:e0:f3:74:55:c0  xe-1/0/1.0   EX4542-vc1
ge-0/0/0.0       -                 10.10.28.52        port 1       MP-522
ge-1/0/0.0       -                 10.10.28.53        port 1       MP-522

c. Run the show lacp interfaces command to verify that LACP is running.

root@EX4200-vc2> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-1/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-1/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0                  Current   Slow periodic Collecting distributing
      xe-1/1/0                  Current   Slow periodic Collecting distributing

7. Configure secure access port features.

We recommend configuring these basic security features on most VLANs on access switches. We need to enable these features on the Data_Wired_2, VOIP_Wired_2, and Guest_Wired VLANs.

You may notice that we do not enable these features on the Management VLAN. There is a greater tendency to have statically configured devices on management VLANs. Each device with a static IP address attached to a port on a VLAN with these features enabled requires a static port configuration with an IP address and a MAC address in order to communicate with the rest of the network. If required, this additional level of security can be configured, but it will add some overhead when network changes are made.

root@EX4200-vc2# set ethernet-switching-options secure-access-port vlan Data_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard

For more information on the VME interface, see “Virtual Chassis” on page 95, or the

Day One book, Configuring EX Series Ethernet Switches.


NOTE: Using the interface-range statement.

Junos OS supports a feature called interface-range, which allows you to group several interfaces together so that you can configure the entire group using one statement. This can be helpful when you have many similar ports that share much of the same configuration. This statement can be used to simplify configurations.

With access switches in the validated network, each member in the Virtual Chassis is divided up by port type. Ports 0–4 are reserved for Wireless access points, ports 5–26 are reserved for Data, and ports 27–47 are reserved for voice. Because these ports are typically configured identically, they use the interface-range statement to simplify operations and create three different port groups: Access_Points, Wired_Data, and Wired_Voice.

root@EX4200-vc2# set interfaces interface-range Wired_Data member-range ge-1/0/5 to ge-1/0/26
set interfaces interface-range Wired_Data member-range ge-0/0/5 to ge-0/0/26
set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4

8. Set the port mode.

We need to set the port mode to access. Because we have used the interface-ranges

statement, we only need to set the port mode at the interface-range level, instead of

editing every port.

root@EX4200-vc2# set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access

9. Configure port to VLAN.

root@EX4200-vc2# set vlans Data_Wired_2 interface Wired_Data
set vlans Management interface Access_Points
set vlans VOIP_Wired_2 interface Wired_Voice

10. Configure Layer 3 settings.

Layer 3 configuration for the access switch involves setting a default route in the case of the validated network. In this case, it points to 10.10.28.1, which is the core switch IP interface on the Management VLAN.

set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1

Commit the configuration.

commit
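The management-access step (HTTPS and SSH enabled, HTTP and Telnet deleted) and the secure access port step in the procedures above can be checked mechanically against set-format configuration output. The following Python audit is an added example and is not part of the Juniper guide; the function names, the finding strings, and the treatment of Management as the only exempt VLAN are assumptions made here, and both sample configurations are constructed from the commands in this section.

```python
import re
from collections import defaultdict

# Per-VLAN features the guide turns on under secure-access-port.
REQUIRED_FEATURES = {"arp-inspection", "examine-dhcp", "ip-source-guard"}

# Constructed input: the set commands from this section as they would appear
# in set-format configuration output after the delete commands have applied.
GUIDE_CONFIG = """\
root@EX4200-vc2# set system services web-management https system-generated-certificate
set system services ssh
set vlans Data_Wired_2 vlan-id 12
set vlans VOIP_Wired_2 vlan-id 16
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Guest_Wired vlan-id 30
""" + "".join(
    f"set ethernet-switching-options secure-access-port vlan {vlan} {feature}\n"
    for vlan in ("Data_Wired_2", "VOIP_Wired_2", "Guest_Wired")
    for feature in ("arp-inspection", "examine-dhcp", "ip-source-guard")
)

# Constructed drift: Telnet re-enabled and one protection dropped from the guest VLAN.
DRIFTED_CONFIG = GUIDE_CONFIG.replace(
    "set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard\n", ""
) + "set system services telnet\n"


def parse(config_text):
    """Collect enabled services, defined VLANs and per-VLAN secure-access-port features."""
    services, vlans, features = set(), set(), defaultdict(set)
    for raw in config_text.splitlines():
        # Drop a leading CLI prompt such as 'root@EX4200-vc2# ' if one was pasted in.
        tokens = re.sub(r"^\S*[#>]\s*", "", raw.strip()).split()
        if len(tokens) < 2 or tokens[0] != "set":
            continue
        if tokens[1:3] == ["system", "services"] and len(tokens) > 3:
            # 'web-management http' and 'web-management https' are separate services.
            name = " ".join(tokens[3:5]) if tokens[3] == "web-management" else tokens[3]
            services.add(name)
        elif tokens[1] == "vlans" and len(tokens) >= 5 and tokens[3] == "vlan-id":
            vlans.add(tokens[2])
        elif (tokens[1:4] == ["ethernet-switching-options", "secure-access-port", "vlan"]
              and len(tokens) >= 6):
            features[tokens[4]].add(tokens[5])
    return services, vlans, features


def audit(config_text, exempt_vlans=("Management",)):
    """Return a list of findings; an empty list means the config matches the guide."""
    services, vlans, features = parse(config_text)
    findings = []
    for cleartext in ("telnet", "web-management http"):
        if cleartext in services:
            findings.append(f"cleartext management service enabled: {cleartext}")
    for wanted in ("ssh", "web-management https"):
        if wanted not in services:
            findings.append(f"encrypted management service missing: {wanted}")
    for vlan in sorted(vlans):
        if vlan in exempt_vlans:
            continue
        # 'vlan all' applies a feature to every VLAN on the switch.
        effective = features.get(vlan, set()) | features.get("all", set())
        for feature in sorted(REQUIRED_FEATURES - effective):
            findings.append(f"vlan {vlan}: {feature} not enabled")
    # A feature line naming a VLAN that was never defined is usually a typo.
    for vlan in sorted(set(features) - vlans - {"all"}):
        findings.append(f"secure-access-port references undefined vlan {vlan}")
    return findings


if __name__ == "__main__":
    for label, text in (("guide", GUIDE_CONFIG), ("drifted", DRIFTED_CONFIG)):
        print(label, audit(text) or "no findings")
```

Feed it the text of show configuration | display set from the switch; VLANs that hold statically addressed devices can be passed in exempt_vlans.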


CHAPTER 4

Wireless Deployment

• Wireless Services Deployment Overview
• Configuring the Primary WLC
• Configuring the Secondary WLC

Wireless Services Deployment Overview

Figure 16: Wireless LAN Controllers

This section covers the essential steps involved in setting up a wireless network for

corporate users using local authentication and wireless guest access. Wireless LAN

Controllers (WLCs) are clustered to provide high availability (HA) and dynamic load

balancing of access points (APs).

NOTE: Guest access enables guest users to connect to the Internet, and is isolated from the corporate network.


For the setup process, we assume that your WLC is running the factory default

configuration.

Configuring the Primary WLC

To configure wireless services on the network:

1. Run Quick Start.

The Quick Start configuration script guides you through the initial setup of WLC-1.

NOTE: You can configure more items using the quick start script than this procedure outlines, but manually stepping through the process allows for greater control. You can change configuration settings later if needed.

a. Connect to the console port of the WLC using the settings: 9600, 8, N, 1, None.

b. Press the Enter key a few times until you get a prompt.

c. Log in without providing a username or password.

d. Type enable at the prompt.

Because no password is configured by default, just press the Enter key when

prompted for a password.

e. Type quickstart at the prompt.

MXR-2-5BF3A6# quickstart
This will erase any existing config. Continue? [n]: y
Answer the following questions. Enter '?' for help. ^C to break out
System Name [MXR-2]: WLC-1
Country Code [US]:
System IP address []: 10.10.28.100
System IP address netmask []: 255.255.255.0
Default route []: 10.10.28.1
Do you need to use 802.1Q tagged ports for connectivity on the default VLAN? [n]:
Enable Webview [y]:
Admin username [admin]: admin
Admin password [mandatory]:
Enable password [optional]:
Do you wish to set the time? [y]: y
Enter the date (dd/mm/yy) []: 15/06/11
Is daylight saving time (DST) in effect [n]: y
Enter the time (hh:mm:ss) []: 12:27:00
Enter the timezone []: PST
Enter the offset (without DST) from GMT for ‘PST’ in hh:mm [0:0]: -08:00
Do you wish to configure wireless? [y]: n
success: created keypair for ssh
success: Type "save config" to save the configuration

f. Save your configuration.


WLC-1# save config

g. Connect port 8 on WLC-1 to EX4542-vc1 port ge-2/0/1.

2. Configure VLANs and 802.1q trunking.

You need to configure the VLANs and enable them on the trunk port. The WLCs are configured as part of the following VLANs.

NOTE: The WLCs can be configured with a different VLAN ID from the actual 802.1q tag. This is specific to the WLC and should not be confused with the 802.1q tag. For example, you could have a VLAN ID of 5 on the WLC, but it is sent out as 802.1q tag 13 so, to the network, it is VLAN ID 13. There are advantages to this in more complex deployments, but that is outside the scope of this document. To make things easier to understand, we will configure the internal VLAN ID to correspond with the 802.1q tag that the rest of the network uses.

We need to configure the following VLANs on WLC-1:

• Management: vlan-id 28

• Data_Wireless_1: vlan-id 18

• Guest_Wireless: vlan-id 32

a. Create VLANs.

WLC-1# set vlan 28 name Management
set vlan 18 name Data_Wireless_1
set vlan 32 name Guest_Wireless

b. Assign VLANs to ports.

WLC-1# set vlan Management port 8 tag 28
set vlan Data_Wireless_1 port 8 tag 18
set vlan Guest_Wireless port 8 tag 32

c. Assign IP interfaces to VLANs.

When you use the Quick Start script, the system IP address is automatically assigned to VLAN 1. In our case, this needs to be VLAN 28, the Management VLAN, so we need to first delete the IP address association with VLAN 1 and then add it to VLAN 28.

NOTE: This is still the system IP address, which is the source IP address it uses to communicate with the APs and WLCs.

WLC-1# clear interface 1 ip

WLC-1# set interface Management ip 10.10.28.100/24
set interface Data_Wireless_1 ip 10.10.18.100/24
set interface Guest_Wireless ip 10.10.32.100/24


d. Save your configuration.

WLC-1# save config

e. You should now be able to ping the IP address of the EX4542-vc1 on the

Management VLAN.

WLC-1# ping 10.10.28.1

NOTE: You may notice that we have configured the IP address 10.10.28.100 twice. We actually first configured this as the system IP address, and then assigned it to a VLAN. The system IP address needs to reside on the Management network because that is the address that will be used to communicate to the access point and with other WLCs.

3. Configure wireless SSIDs.

You need to create two different types of SSIDs:

• The SSID for corporate users uses WPA2 encryption and 802.1x authentication.

• The SSID for guest users uses an open network that relies on a captive portal to authenticate users.

a. Configure the Data_Wireless_1 SSID.

The following commands create the SSID Data_Wireless_1, configure 802.1x authentication for the SSID, and configure traffic encryption over the SSID.

WLC-1# set service-profile Secure-802.1X ssid-name Data_Wireless_1
set service-profile Secure-802.1X rsn-ie cipher-ccmp enable
set service-profile Secure-802.1X rsn-ie enable
set service-profile Secure-802.1X attr vlan-name Data_Wireless_1
set authentication dot1x ssid Data_Wireless_1 ** peap-mschapv2 local

b. Configure the Guest_Wireless SSID.

The following commands configure the Guest_Wireless SSID and set it up for captive portal authentication.

WLC-1# set service-profile Web-Portal ssid-name Guest_Wireless
set service-profile Web-Portal ssid-type clear
set service-profile Web-Portal auth-fallthru web-portal
set service-profile Web-Portal wpa-ie auth-dot1x disable
set service-profile Web-Portal rsn-ie auth-dot1x disable
set service-profile Web-Portal attr vlan-name Guest_Wireless
set authentication web ssid Guest_Wireless ** local


NOTE: The portal lines do the following.

• The first rule permits UDP traffic from everyone towards port 68 and 67 only, which is used for DHCP.

• The second rule creates a capture by the controller for all traffic matching this rule. In this case, we block all traffic and force the traffic to the capture portal for authentication.

4. Configure service profiles.

WLC-1# set radio-profile default service-profile Secure-802.1X
set radio-profile default service-profile Web-Portal

5. Add local users for wireless services.

NOTE: We recommend that you only use local authentication to verify initial operation and for last-resort authentication. Use a RADIUS server as the preferred method for user authentication.

a. To create local users, you need to use the command set user username password.

NOTE: You are prompted to provide a password.

WLC-1# set user bob password
Enter new password:
Retype new password:
success: change accepted.

WLC-1# set user guest password
Enter new password:
Retype new password:
success: change accepted.

b. Assign users to specific SSIDs.

WLC-1# set user bob attr ssid Data_Wireless_1
set user guest attr ssid Guest_Wireless

NOTE: Because each user is mapped to a specific SSID, different rules apply to them when they log on to the network. For example, the user bob must authenticate via 802.1x to log on to the wireless network. The user guest can log on to the Guest_Wireless network, but has to authenticate against the captive portal to get to the Internet, otherwise they can do nothing.

c. Configure the access points.


You need to use the auto setup to configure the access points. On the console, you

can see several messages while the access points are configured and booted.

WLC-1# set ap automode enable

d. Save your configuration.

WLC-1# save config

e. After the access points have booted up, you can verify that they are active by issuing the command, show ap status.

WLC-1# show ap status

Flags: o = operational[8], c = configure[0], d = download[0], b = boot[0]
       a = auto AP, m = mesh AP, p/P = mesh portal (ena/actv), r = redundant[0]
       z = remote AP in outage, i/I = insecure (control/control+data)
       u = unencrypted, e/E = encrypted (control/control+data)
Radio: E = enabled - 20MHz channel, S = sentry, s = spectral-data
       W/w = enabled - 40MHz wide channel (HTplus/HTminus)
       D = admin disabled, U = mesh uplink
IP Address: * = AP behind NAT

AP   Flag IP Address      Model        MAC Address       Radio 1 Radio 2 Uptime
---- ---- --------------- ------------ ----------------- ------- ------- ------
9992 oa-i 10.10.28.56     MP-522       00:26:3e:e3:e5:80 E 6/18  W 36/10 01m05s
9993 oa-i 10.10.28.54     MP-522       00:26:3e:e5:59:c0 E 6/12  W 44/10 01m06s
9994 oa-i 10.10.28.52     MP-522       00:26:3e:e5:19:00 E 11/12 W 44/10 01m06s
9995 oa-i 10.10.28.57     MP-522       00:26:3e:e3:e5:c0 E 11/12 W 36/10 01m06s
9996 oa-i 10.10.28.53     MP-522       00:26:3e:e5:1e:80 E 11/12 W 44/10 01m07s
9997 oa-i 10.10.28.58     MP-522       00:26:3e:e4:8d:00 E 1/14  W 36/10 01m08s
9998 oa-i 10.10.28.55     MP-522       00:26:3e:e3:e2:40 E 11/12 W 44/10 01m09s
9999 oa-i 10.10.28.59     MP-522       00:26:3e:e5:57:40 E 11/12 W 36/10 01m10s

6. Set up a cluster.

To enable clustering, you need to create a mobility domain on the primary seed controller and then add the secondary seed to that cluster.

a. Create a mobility domain.

The first line sets up the domain xyzcompany. The second line adds a secondary to the cluster on the primary seed controller. This example uses the IP address 10.10.28.101, which we will configure later.

WLC-1# set mobility-domain mode seed domain-name xyzcompany
set mobility-domain member 10.10.28.101

b. Enable clustering.


When you enable clustering, you receive a warning message that this action will

overwrite the configuration of other devices.

WLC-1# set cluster mode enable
This will cause loss of configuration on member devices. Are you sure? (y/n) [n]y

c. Save your configuration.

WLC-1# save config

This will cause the access points to reboot. You will see messages on the console.
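The Flag column in the show ap status output from step 5 carries more than the operational state: per the legend printed with the output, i/I and u mark an insecure or unencrypted AP-to-controller channel. The following Python parser is an added example, not part of the Juniper guide; the function names and the choice of which flags to report are assumptions made here, and the sample input is constructed from two rows of the output above plus one made-up row (AP 9001).

```python
import re

# Flag letters copied from the legend printed with the 'show ap status' output.
FLAG_MEANINGS = {
    "o": "operational", "c": "configure", "d": "download", "b": "boot",
    "a": "auto AP", "m": "mesh AP",
    "p": "mesh portal (enabled)", "P": "mesh portal (active)",
    "r": "redundant", "z": "remote AP in outage",
    "i": "insecure (control)", "I": "insecure (control+data)",
    "u": "unencrypted",
    "e": "encrypted (control)", "E": "encrypted (control+data)",
}

# Flags reported for follow-up (an assumption of this example, not a vendor rule).
SECURITY_FLAGS = "iIu"

# Constructed sample: rows 9992 and 9994 as shown in the guide; row 9001 is made up.
SAMPLE = """\
AP   Flag IP Address      Model        MAC Address       Radio 1 Radio 2 Uptime
---- ---- --------------- ------------ ----------------- ------- ------- ------
9992 oa-i 10.10.28.56     MP-522       00:26:3e:e3:e5:80 E 6/18  W 36/10 01m05s
9994 oa-i 10.10.28.52     MP-522       00:26:3e:e5:19:00 E 11/12 W 44/10 01m06s
9001 o--E 10.10.28.60     MP-522       00:26:3e:00:00:01 E 1/14  W 36/10 02m00s
"""

# AP number, flag string, IP, model, MAC; header and separator lines do not match.
ROW = re.compile(
    r"^\s*(\d+)\s+(\S{1,8})\s+(\S+)\s+(\S+)\s+((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b"
)


def parse_ap_status(text):
    """Return one dict per AP row found in 'show ap status' output."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue
        ap, flags, ip, model, mac = match.groups()
        rows.append({
            "ap": int(ap),
            "flags": flags,
            "decoded": [FLAG_MEANINGS[c] for c in flags if c in FLAG_MEANINGS],
            "ip": ip,
            "model": model,
            "mac": mac.lower(),
        })
    return rows


def review_list(rows):
    """Map AP number to reasons: not operational, or flagged i, I or u."""
    report = {}
    for row in rows:
        reasons = [FLAG_MEANINGS[c] for c in row["flags"] if c in SECURITY_FLAGS]
        if "o" not in row["flags"]:
            reasons.insert(0, "not operational")
        if reasons:
            report[row["ap"]] = reasons
    return report


if __name__ == "__main__":
    for ap, reasons in sorted(review_list(parse_ap_status(SAMPLE)).items()):
        print(f"AP {ap}: {', '.join(reasons)}")
```

Every AP in the guide's own output carries the flags oa-i, so each one would appear in this report as insecure (control).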

Configuring the Secondary WLC

The configuration steps for the secondary WLC are similar to those of the primary WLC. This section covers only those configuration steps that are essential to the secondary WLC. Refer to the previous section if you have any questions while configuring the secondary WLC.

To configure wireless services on the secondary WLC:

1. Run Quick Start.

The Quick Start configuration script guides you through the initial setup of WLC-2.

a. Connect to the console port of the WLC using the settings: 9600, 8, N, 1, None.

b. Press the Enter key a few times until you get a prompt.

c. Log in without providing a username or password.

d. Type enable at the prompt.

Because no password is configured by default, just press the Enter key when you

are prompted for a password.

e. Type quickstart at the prompt.

MXR-2-5BF3A6# quickstart
This will erase any existing config. Continue? [n]: y
Answer the following questions. Enter '?' for help. ^C to break out
System Name [MXR-2]: WLC-2
Country Code [US]:
System IP address []: 10.10.28.101
System IP address netmask []: 255.255.255.0
Default route []: 10.10.28.1
Do you need to use 802.1Q tagged ports for connectivity on the default VLAN? [n]:
Enable Webview [y]:
Admin username [admin]: admin
Admin password [mandatory]:
Enable password [optional]:
Do you wish to set the time? [y]: y
Enter the date (dd/mm/yy) []: 15/06/11
Is daylight saving time (DST) in effect [n]: y
Enter the time (hh:mm:ss) []: 12:27:00
Enter the timezone []: PST
Enter the offset (without DST) from GMT for ‘PST’ in hh:mm [0:0]: -08:00
Do you wish to configure wireless? [y]: n
success: created keypair for ssh
success: Type "save config" to save the configuration

f. Save your configuration.

WLC-2# save config

g. Connect port 8 on WLC-2 to EX4542-vc1 port ge-2/0/1.

2. Configure VLANs and 802.1q trunking.

You need to configure the VLANs and enable them on the trunk port. The WLCs are configured as part of the VLANs.

We need to configure the following VLANs on WLC-2:

• Management: vlan-id 28

• Data_Wireless_1: vlan-id 18

• Guest_Wireless: vlan-id 32

a. Create VLANs.

WLC-2# set vlan 28 name Management
set vlan 18 name Data_Wireless_1
set vlan 32 name Guest_Wireless

b. Assign VLANs to ports.

WLC-2# set vlan Management port 8 tag 28
set vlan Data_Wireless_1 port 8 tag 18
set vlan Guest_Wireless port 8 tag 32

c. Assign IP interfaces to VLANs.

When you use the Quick Start script, the system IP address is automatically assigned to VLAN 1. In this case, this needs to be VLAN 28, the Management VLAN, so you need to first delete the IP address association with VLAN 1 and then add it to VLAN 28.

NOTE: This is still the system IP address, which is the source IP address it uses to communicate with the APs and WLCs.

WLC-2# clear interface 1 ip

WLC-2# set interface Management ip 10.10.28.101/24
set interface Data_Wireless_1 ip 10.10.18.101/24
set interface Guest_Wireless ip 10.10.32.101/24

d. Save your configuration.

WLC-2# save config

e. You should now be able to ping the IP address of the EX4542-vc1 on the

Management VLAN.


WLC-2# ping 10.10.28.1

f. Join a mobility domain.

When you enable cluster mode, the system displays a warning that this will

overwrite the configuration.

WLC-2# set mobility-domain mode secondary-seed domain-name xyzcompany seed-ip 10.10.28.100
set cluster mode enable

g. Save your configuration.

WLC-2# save config

At this point the secondary WLC automatically copies the remaining configuration from the primary WLC, except for user information. You need to add the users to the secondary WLC so that it can also authenticate users for the access points it manages. You can do this by adding users with the process described in the next section.

NOTE: We recommend that you only use local authentication to verify initial operation and for last-resort authentication. Use a RADIUS server as the preferred method for user authentication.

3. Add local users for wireless services.

NOTE:

• When you add users to the secondary WLC, we recommend that you copy the user information from the configuration file of the primary WLC. This eliminates the possibility of errors that may prevent users from getting access because of mismatching user/password/VLAN information.

• If user information is changed later, it must be changed on both devices to keep them in sync.

a. Copy user information from the primary WLC to the secondary WLC.

On the primary WLC, type show configuration.

Find the lines associated with the users you have created. In this case, bob and guest are the users you created previously, and each one has two lines. You need to copy that information from the primary WLC to the secondary WLC.

NOTE: This example has only one attribute associated with the users, but you may have several in a production environment. Make sure you copy all of the attributes associated with each user.

WLC-1# set user bob password encrypted 06160e325f59060b01
set user bob attr ssid Data_Wireless_1
set user guest password encrypted 12090404011c03162e
set user guest attr ssid Guest_Wireless

b. Paste the information into the secondary WLC.

WLC-2# set user bob password encrypted 06160e325f59060b01
set user bob attr ssid Data_Wireless_1
set user guest password encrypted 12090404011c03162e
set user guest attr ssid Guest_Wireless

c. Save the configuration.

WLC-2# save config

All users should now be able to access the wireless network.


CHAPTER 5

SRX Deployment

• Prerequisites

• Configuring the SRX Series Cluster

Prerequisites

Figure 17: The SRX Series Services Gateway Cluster

Before you begin configuring the SRX Series Services Gateway for the validated network design, ensure the following:

• That all of the SRX Series devices to be configured in the cluster are of the same model and comprise the same modules.

• That all of the SRX Series devices have the same version of Junos OS installed.

The configuration procedure provided in this section is for the SRX650. Although most of the steps are common across all SRX Series Services Gateways, the ports used to connect the SRX Series devices together to form a cluster may vary across SRX Series models. See the Juniper Networks support site for clustering details on your specific model of SRX Series Services Gateway.

Figure 18: SRX Series Cluster Setup

Figure 18 shows the SRX Series cluster setup for the validated network. To keep it simple, each device identifies the fabric and control links as local physical ports, because these are connected before configuring the SRX Series cluster. (After the SRX Series cluster is configured, SRX650-2 will see these ports as ge-9/0/2 and ge-9/0/1.) The remaining port identifiers are listed in the clustering context.

Configuring the SRX Series Cluster

To configure the SRX Series Gateway devices for the validated network, you need to first perform the following initial setup procedure for both SRX Series devices that will make up the cluster.

To perform the initial setup for the SRX650 devices:

1. Unpack the SRX650 and connect a console cable to the serial port with the following settings: 9600, 8, 1 and none.

2. To access the SRX650 using the Junos OS CLI:

a. Connect one end of the console cable to the serial port adapter, plug the adapter into a serial port on the PC or laptop, and plug the other end of the cable into the console port on the SRX Series device.

b. Start the terminal emulation program on the PC or laptop, select the COM port, and configure the following port settings: 9600 (bits per second), 8 (data bits), none (parity), 1 (stop bits), and none (flow control).

c. Press the POWER button on the router, and verify that the POWER LED turns green.

d. Log in as root, and press Enter at the Password prompt. (When booting the factory default configuration, you do not need to enter a password.)

e. Enter the UNIX shell after you are authenticated through the CLI:

Amnesiac (ttyu0)
login: root
Password:
--- JUNOS 10.0R1.8 built 2009-08-01 09:23:09 UTC

f. At the % prompt, type “cli” to start the CLI and press Enter. The prompt changes to an angle bracket (>) when you enter CLI operational mode.

root@% cli
root>

g. At the (>) prompt, type configure and press Enter. The prompt changes from > to # when you enter configuration mode.

root> configure
Entering configuration mode
[edit]
root#

h. Create a password for the root user to manage the SRX Series device.

root# set system root-authentication plain-text-password (will prompt for password)

i. Remove some default configuration items from the SRX devices. This is done to make later configuration simpler.

NOTE: Not all of these settings may actually be configured on your device, but we include all these items for completeness.

root# delete interfaces
delete protocols
delete vlans
delete system services dhcp
delete system services web-management http interface
delete system services web-management https interface
delete security zones
delete security policies
delete security nat

j. Use the commit command at the CLI prompt to activate the configuration.

commit

Now repeat this process with the other SRX650.

3. Connect the two SRX devices.

NOTE: The following process is for the SRX650. If you use another SRX model, the ports used to connect the two SRXs will be different from those described below. Please see the Juniper Networks support site for clustering details on your specific model of SRX.

a. On the SRX650, connect ge-0/0/1 on device A to ge-0/0/1 on device B. The ge-0/0/1 interface on device B will change to ge-9/0/1 after clustering happens.

TIP: To connect the devices, it is helpful to know that after we create the cluster, the following interface assignments will occur:

• ge-0/0/0 will be used as fxp0 for individual management of each of the devices.

• ge-0/0/1 will become fxp1 and be used as the control link between the two devices (this is also documented in KB15356).

This is not configurable.

The other interfaces are also renamed on the secondary device. For example, on an SRX650 device, the ge-0/0/0 interface is renamed to ge-9/0/0 on the secondary node 1. Refer to the complete mapping for each SRX Series device: Node Interfaces on Active SRX Series Chassis Clusters.

NOTE: The interfaces used for the control link, in this example ge-0/0/1, must be connected with a cable. A switch cannot be used for the control link connection. Also, you will need to decide on a third link to connect the devices, which will be used for the fabric link between the devices. In this case we will use ge-0/0/2, but you could use any other open port either onboard or on a gPIM.

b. Now connect ge-0/0/2 on SRX650-1 to ge-0/0/2 on SRX650-2.

4. Enable clustering on the SRX devices.

a. Set the devices in cluster mode with the following command and reboot the devices.

NOTE: This is an operational mode command.

root> set chassis cluster cluster-id 0-15 node 0-1 reboot

For example:

root> set chassis cluster cluster-id 1 node 0 reboot

root> set chassis cluster cluster-id 1 node 1 reboot

The cluster ID is the same on both devices, but the node ID should be different, with the node ID as node0 on one device and node1 on the other device.

This command should be issued on both devices at the same time so that they boot up together.

The range for the cluster ID is 0–15. Setting it to 0 effectively disables cluster mode.

After rebooting, the ge-0/0/0 and ge-0/0/1 interfaces become fxp0 and fxp1, respectively.

b. Check both SRX Series devices to ensure that the cluster is active and that the primary and secondary devices are both active.

NOTE: It may take a minute or two for the status to complete after booting, so you may need to enter this command more than once. The prompt on each SRX Series device displays the status and node information for the respective device.

{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node      Priority  Status     Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
node0     1         primary    no       no
node1     1         secondary  no       no

{secondary:node1}
root> show chassis cluster status
Cluster ID: 1
Node      Priority  Status     Preempt  Manual failover

Redundancy group: 0 , Failover count: 0
node0     1         primary    no       no
node1     1         secondary  no       no

When the primary and secondary status is confirmed, move to the next step. If you encounter any problems during this step, the following KB articles may be of use in diagnosing clustering problems: KB–15503, KB–20672 and KB–20641.

5. Configure the SRX Series cluster.

NOTE:

• The following steps are all performed on the primary SRX Series device. The configuration is automatically copied over to the secondary SRX Series device when a configuration is committed.

• We use the Junos OS group configuration feature for this operation. For more information on the group configuration feature, see the Day One book, Configuring Junos Basics, at www.juniper.net/us/en/community/junos/training-certification/day-one.

• Configuring device-specific properties using the group command

Set up device-specific settings such as hostnames and management IP addresses. This is specific to each device and is the only part of the configuration that is unique to specific nodes. This is done by entering the following commands (all on the primary node):

a. On device srx650-1: Enter configuration mode.

root# config

root# set group node0 system host-name srx650-1
set group node0 interfaces fxp0 unit 0 family inet address 10.94.188.103/24
set group node1 system host-name srx650-2
set group node1 interfaces fxp0 unit 0 family inet address 10.94.188.104/24

NOTE: The apply-groups command is set so that the individual configs for each node set by the above commands apply only to that node.

root@srx650-1# set apply-groups [ node0 node1 ]

b. Commit the configuration.

root@srx650-1# commit

You should see the configuration applied to node0 and node1 when you issue a commit.

{primary:node0}[edit]
root# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete

c. Configure the Fabric Link

Create FAB links (data plane links for RTO sync, etc).

You need to first delete any specific configuration related to the interfaces. In this case ge-0/0/2 has an address assigned by default so we will delete it.

root@srx650-1# set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2

d. Configuring redundancy groups

Set up Redundancy Group 0 for the Routing Engine failover properties. Also set up Redundancy Group 1 (all the interfaces will be in one Redundancy Group in this example) to define the failover properties for the reth interfaces.

NOTE: If you want to use multiple Redundancy Groups for the interfaces, refer to the Security Configuration Guide.

root@srx650-1# set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1

e. Configuring interface monitoring

Set up the interface monitoring. Monitoring the health of the interfaces is one way to trigger Redundancy Group failover.

NOTE: Interface monitoring is not recommended for redundancy-group 0.

root@srx650-1# set chassis cluster redundancy-group 1 interface-monitor ge-2/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-11/0/0 weight 255

f. Set up the reth interface

Set up the Redundant Ethernet interfaces (reth interface) and assign the Redundant interface to a zone. Make sure that you set up your redundant interfaces as follows:

{primary:node0}
root@srx650-1# set chassis cluster reth-count 1
set interfaces ge-2/0/0 gigether-options redundant-parent reth0
set interfaces ge-11/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1

g. Configure VLANs and IP interfaces on the reth interface

root@srx650-1# set interfaces reth0 vlan-tagging
set interfaces reth0 unit 0 description "Unit 0 must be given a VLAN tag so using a dummy tag to align units to tags"
set interfaces reth0 unit 0 vlan-id 1
set interfaces reth0 unit 22 description "Internet Edge"
set interfaces reth0 unit 22 vlan-id 22
set interfaces reth0 unit 22 family inet address 10.10.22.254/24
set interfaces reth0 unit 28 description Management
set interfaces reth0 unit 28 vlan-id 28
set interfaces reth0 unit 28 family inet address 10.10.28.254/24
set interfaces reth0 unit 30 description "GuestWired"
set interfaces reth0 unit 30 vlan-id 30
set interfaces reth0 unit 30 family inet address 10.10.30.254/24
set interfaces reth0 unit 32 description "GuestWireless"
set interfaces reth0 unit 32 vlan-id 32
set interfaces reth0 unit 32 family inet address 10.10.32.254/24

Commit the configuration to activate it.

h. Configure the Internet connections

root@srx650-1# set interfaces ge-2/0/1 description "primary internet connection"
set interfaces ge-2/0/1 unit 0 family inet address 10.94.191.233/24
set interfaces ge-11/0/2 description "Backup Internet Connection"
set interfaces ge-11/0/2 unit 0 family inet address 10.94.194.56/24

i. Commit the configuration.

The configuration is copied to the secondary node srx650-2.

root@srx650-1# commit

NOTE: Even though we have configured interfaces, we will not have reachability because no security policies are in place yet.

6. Configuring Security Zones

The SRX Series Services Gateways use a zone-based model for security. The most basic configurations typically have just two zones: Trust (the inside) and Untrust (the outside). In our case we have four: Untrust, Guest, Management, and Internet_Edge.

a. Configure the Untrust security zone.

The Untrust zone is where the SRX Series devices connect to the Internet. This is considered the least trusted zone. We have configured our internet-facing ports in this zone.

root@srx650-1# set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-11/0/2.0
set security zones security-zone untrust interfaces ge-2/0/1.0

b. Configure the Guest security zone.

root@srx650-1# set security zones security-zone Guest address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Guest address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Guest host-inbound-traffic system-services ping
set security zones security-zone Guest host-inbound-traffic system-services traceroute
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services dhcp
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services bootp
set security zones security-zone Guest interfaces reth0.32 host-inbound-traffic system-services dhcp
set security zones security-zone Guest interfaces reth0.32 host-inbound-traffic system-services bootp

c. Configure the Management security zone.

root@srx650-1# set security zones security-zone Management host-inbound-traffic system-services ssh
set security zones security-zone Management host-inbound-traffic system-services http
set security zones security-zone Management host-inbound-traffic system-services https
set security zones security-zone Management host-inbound-traffic system-services ping
set security zones security-zone Management host-inbound-traffic system-services snmp
set security zones security-zone Management host-inbound-traffic system-services traceroute
set security zones security-zone Management interfaces reth0.28

d. Configure the Internet Edge security zone.

The majority of the networks are contained in the Internet_Edge zone. We use a feature called address-book to map our networks in this zone to user-friendly names for easier management. The names should be easier to understand when we configure our policies than bare subnet designations. We also need to allow OSPF in this zone, because we will communicate routing information with the EX Series switch in this zone.

root@srx650-1# set security zones security-zone Internet_Edge address-book address Data_Wired_1 10.10.10.0/24
set security zones security-zone Internet_Edge address-book address Data_Wired_2 10.10.12.0/24
set security zones security-zone Internet_Edge address-book address VOIP_Wired_1 10.10.14.0/24
set security zones security-zone Internet_Edge address-book address VOIP_Wired_2 10.10.16.0/24
set security zones security-zone Internet_Edge address-book address Data_Wireless_1 10.10.18.0/24
set security zones security-zone Internet_Edge address-book address Servers 10.10.24.0/24
set security zones security-zone Internet_Edge address-book address Access_Points 10.10.26.0/24
set security zones security-zone Internet_Edge address-book address Management 10.10.28.0/24
set security zones security-zone Internet_Edge address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Internet_Edge address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Internet_Edge host-inbound-traffic system-services ping
set security zones security-zone Internet_Edge host-inbound-traffic system-services traceroute
set security zones security-zone Internet_Edge host-inbound-traffic protocols ospf
set security zones security-zone Internet_Edge interfaces reth0.22

7. Configuring Security Policies.

a. Configure Guest user policy.

root@srx650-1# set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wireless
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wired
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match destination-address any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match application any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet then permit

b. Configure Internet Edge security policy.

root@srx650-1# set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wired_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wired_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wireless_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Servers
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address VOIP_Wired_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address VOIP_Wired_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match destination-address any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match application any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet then permit

8. Configuring routing and OSPF.

a. Configure routes.

root@srx650-1# set routing-options static route 0.0.0.0/0 qualified-next-hop 10.94.194.254 preference 20
set routing-options static route 0.0.0.0/0 qualified-next-hop 10.94.191.254 preference 10

b. Configure OSPF.

root@srx650-1# set protocols ospf area 0.0.0.0 interface reth0.22

c. Commit the configuration.

root@srx650-1# commit

d. You can see the internal networks advertised by OSPF by using the show route command.

{primary:node0}
root@srx650-1> show route

inet.0: 27 destinations, 29 routes (27 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/10] 00:05:35
                    > to 10.94.191.254 via ge-2/0/1.0
                    [Static/20] 00:05:35
                    > to 10.94.194.254 via ge-11/0/2.0
10.0.0.4/32        *[OSPF/10] 00:05:20, metric 1
                    > to 10.10.22.1 via reth0.22
10.10.10.0/24      *[OSPF/10] 00:05:20, metric 2
                    > to 10.10.22.1 via reth0.22
10.10.12.0/24      *[OSPF/10] 00:05:20, metric 2
                    > to 10.10.22.1 via reth0.22
10.10.14.0/24      *[OSPF/10] 00:05:20, metric 2
                    > to 10.10.22.1 via reth0.22
10.10.16.0/24      *[OSPF/10] 00:05:20, metric 2
                    > to 10.10.22.1 via reth0.22
10.10.18.0/24      *[OSPF/10] 00:05:20, metric 2
                    > to 10.10.22.1 via reth0.22
10.10.20.0/24      *[OSPF/10] 00:05:20, metric 2
                    > to 10.10.22.1 via reth0.22
10.10.22.0/24      *[Direct/0] 00:27:10

9. Verifying internal reachability.

After configuring the zones and policies you can reach your internal interfaces and

external gateways.

Use the ping command to verify basic reachability.

10. Configuring NAT

a. Configure the Guest NAT policy.

root@srx650-1# set security nat source rule-set Guest-to-untrust from zone Guest
set security nat source rule-set Guest-to-untrust to zone untrust
set security nat source rule-set Guest-to-untrust rule Guest-source-nat match source-address 0.0.0.0/0
set security nat source rule-set Guest-to-untrust rule Guest-source-nat then source-nat interface

b. Configure the Internet Edge NAT policy.

root@srx650-1# set security nat source rule-set Internet_Edge-to-untrust from zone Internet_Edge
set security nat source rule-set Internet_Edge-to-untrust to zone untrust
set security nat source rule-set Internet_Edge-to-untrust rule Internet_Edge-source-nat match source-address 0.0.0.0/0
set security nat source rule-set Internet_Edge-to-untrust rule Internet_Edge-source-nat then source-nat interface

11. Configuring DHCP services for guest VLANs

To configure DHCP services for guest VLANs:

root@srx650-1# set system services dhcp pool 10.10.30.0/24 address-range low 10.10.30.11
set system services dhcp pool 10.10.30.0/24 address-range high 10.10.30.250
set system services dhcp pool 10.10.30.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.30.0/24 name-server 208.67.220.220
set system services dhcp pool 10.10.30.0/24 name-server 208.67.222.222
set system services dhcp pool 10.10.30.0/24 router 10.10.30.254
set system services dhcp pool 10.10.32.0/24 address-range low 10.10.32.11
set system services dhcp pool 10.10.32.0/24 address-range high 10.10.32.250
set system services dhcp pool 10.10.32.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.32.0/24 name-server 208.67.220.220
set system services dhcp pool 10.10.32.0/24 name-server 208.67.222.222
set system services dhcp pool 10.10.32.0/24 router 10.10.32.254

Commit the configuration.

12. Verifying NAT.

You are now configured to be able to access the Internet from your internal user networks. When connecting to the Internet from inside the network, traffic will be NATed. To view the network sessions and verify that NAT is taking place properly, you can issue the command show security flow session nat. (To see all flows, remove the keyword nat.)

The following example shows NAT performed for a session. Source address 10.10.10.52 is translated to an external address of 10.94.191.233 and the destination address is 173.194.79.104.

root@srx650-1> show security flow session nat
node0:
--------------------------------------------------------------------------
Session ID: 15945, Policy name: allow-Internet_Edge-to-internet/5, State: Active, Timeout: 1798, Valid
  In: 10.10.10.52/3296 --> 173.194.79.104/80;tcp, If: reth0.22, Pkts: 0, Bytes: 0
  Out: 173.194.79.104/80 --> 10.94.191.233/60064;tcp, If: ge-2/0/1.0, Pkts: 36, Bytes: 37380
Total sessions: 1

13. Configuring General Settings.

Set the date and time in the format: YYYYMMDDhhmm.ss

root@srx650-1> set date 201201220830.00

Enter configuration mode.

Configure the time zone.

root@srx650-1# set system time-zone America/Los_Angeles

Configure DNS.

root@srx650-1# set system name-server 10.10.24.100
set system domain-name xyzcompany.com

Configure management access.

root@srx650-1# set system services web-management https system-generated-certificate
set system services ssh
delete system services telnet
delete system services web-management http

Configure LLDP.

root@srx650-1# set protocols lldp interface ge-2/0/0.0
set protocols lldp interface ge-11/0/0.0

Commit the configuration.

root@srx650-1# commit

Figure 19: Deployment Complete
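The following Python check is an added example, not code from the guide or from Juniper. It reads set-format lines like those in steps 6, 7 and 13 and reports zones whose host-inbound-traffic admits a cleartext management service, and policies that permit any application to any destination. The CLEARTEXT list, the SERVICE_PATHS map and the sample CONFIG are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed input: a subset of the set/delete commands from steps 6, 7 and 13.
CONFIG = """\
set security zones security-zone untrust interfaces ge-2/0/1.0
set security zones security-zone Guest host-inbound-traffic system-services ping
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services dhcp
set security zones security-zone Management host-inbound-traffic system-services ssh
set security zones security-zone Management host-inbound-traffic system-services http
set security zones security-zone Management host-inbound-traffic system-services https
set security zones security-zone Management host-inbound-traffic system-services snmp
set security zones security-zone Management interfaces reth0.28
set security zones security-zone Internet_Edge host-inbound-traffic protocols ospf
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wireless
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wired
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match destination-address any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match application any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet then permit
set system services web-management https system-generated-certificate
set system services ssh
delete system services telnet
delete system services web-management http
"""

# Assumptions made for this example, not Juniper guidance.
CLEARTEXT = {"http", "telnet"}
# `system services` path -> the host-inbound service name it corresponds to.
SERVICE_PATHS = {("web-management", "http"): "http", ("telnet",): "telnet"}


def parse(config_text):
    """Return (inbound, policies, deleted) parsed from set-format lines."""
    inbound = defaultdict(set)                        # (zone, scope) -> services
    policies = defaultdict(lambda: defaultdict(set))  # (from, to, name) -> fields
    deleted = set()                                   # services removed by delete
    for line in config_text.splitlines():
        t = line.split()
        if t[:4] == ["set", "security", "zones", "security-zone"] and len(t) > 5:
            zone, rest, scope = t[4], t[5:], "*"      # "*" = zone-wide setting
            if rest[0] == "interfaces" and len(rest) > 1:
                scope, rest = rest[1], rest[2:]       # per-interface setting
            if rest[:2] == ["host-inbound-traffic", "system-services"] and len(rest) == 3:
                inbound[(zone, scope)].add(rest[2])
        elif (t[:3] == ["set", "security", "policies"] and len(t) >= 11
              and (t[3], t[5], t[7]) == ("from-zone", "to-zone", "policy")):
            key = (t[4], t[6], t[8])
            if t[9] == "match" and len(t) == 12:
                policies[key][t[10]].add(t[11])
            elif t[9] == "then":
                policies[key]["then"].add(t[10])
        elif t[:3] == ["delete", "system", "services"]:
            # Treated as final: a later `set` re-enabling it is not tracked.
            service = SERVICE_PATHS.get(tuple(t[3:]))
            if service:
                deleted.add(service)
    return inbound, policies, deleted


def audit(config_text):
    """Return human-readable findings for review, zones first, then policies."""
    inbound, policies, deleted = parse(config_text)
    findings = []
    for (zone, scope), services in sorted(inbound.items()):
        target = "all interfaces" if scope == "*" else scope
        for svc in sorted(services & CLEARTEXT):
            note = " although the service itself is deleted" if svc in deleted else ""
            findings.append(
                f"zone {zone} ({target}): host-inbound-traffic admits cleartext {svc}{note}")
    for (src, dst, name), fields in sorted(policies.items()):
        if ("permit" in fields["then"] and "any" in fields["destination-address"]
                and "any" in fields["application"]):
            findings.append(
                f"policy {name} ({src} -> {dst}): permits any application to any destination")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

On the sample input the check reports the http entry in the Management zone, which step 13 leaves without a listening service, and the guest policy as a candidate for the additional security policies mentioned under Next Steps.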


PART 3

Appendix

• Next Steps

• Virtual Chassis

• Configuring DHCP on EX Series Ethernet Switches

• Configurations Used in This Guide

• Bill of Materials


APPENDIX A

Next Steps

• Next Steps

Next Steps

The base network infrastructure is now in place and ready for site-specific customization. Some of the common items you will likely want to configure are listed below. We have also identified some additional reading materials that may be helpful.

• Set up a RADIUS server and configure wireless LAN controllers to use RADIUS authentication of wireless users. (See the Juniper Networks Mobility System Software Configuration Guide.)

• Configure NTP for all devices to keep network devices in sync.

• Configure QoS.

• Configure additional security policies.

Additional documentation and support:

• Juniper Networks support website www.juniper.net/support.

• Product manuals

• Juniper Networks Mobility System Software Configuration Guide.

• Complete Software Guide for Junos OS for EX Series Ethernet Switches: Release 11.4.

• Junos OS for SRX Series: Release 11.4.

• Day One Books

• Configuring EX Series Ethernet Switches.

• Deploying Basic QoS.

• Deploying SRX Series Services Gateways.


APPENDIX B

Virtual Chassis

• Virtual Chassis Advantage

• Types of Virtual Chassis

• Pre-Provisioning the Virtual Chassis

• Virtual Chassis Base Configuration

• Layer 3 Configuration

Virtual Chassis Advantage

Using the Virtual Chassis flexible scaling solution, you can connect two or more individual switches together to form one unit and manage the unit as a single chassis. Virtual Chassis is supported on the Juniper Networks EX3300, EX4200, EX4500, and EX8200 Series Ethernet Switches. In this guide, however, we discuss only the EX4500 and EX4200 switches.

You can interconnect EX4200 and EX4500 Series switches in a Virtual Chassis using the dedicated Virtual Chassis ports (VCPs) on the rear panel of the EX4200 switches, and the dedicated VCPs on the Virtual Chassis modules in the EX4500 switches. You can easily expand the Virtual Chassis configuration to include more member switches. Simply add member switches to an EX4200 or EX4500 Virtual Chassis by cabling together the dedicated VCPs.

You can also expand a Virtual Chassis configuration beyond a single wiring closet. Interconnect switches located in multiple wiring closets or in multiple data center racks by installing SFP, SFP+, or XFP uplink modules and connecting the uplink module ports on EX4200 member switches or by connecting the 10-Gigabit Ethernet SFP+ network interfaces on the EX4500 member switches.

Types of Virtual Chassis

We assume that you are configuring at least two or more EX Series switches as a single Virtual Chassis. If you are configuring a standalone EX Series switch, then you can perform the basic setup as listed in the Quick Start guide that comes with the switch. After setup, go to the section “Global Setup for EX Series Switches.”

• Dedicated Mode

• Extended Mode

• Mixed Mode

Dedicated Mode

The dedicated mode is the most common method of connecting adjacent EX4500 or EX4200 Series switches into a single Virtual Chassis. As mentioned earlier, dedicated mode involves interconnecting the switches using the special Virtual Chassis ports (VCPs) at the back of the switch. This is the most common type of EX Series Virtual Chassis configuration. There are two commonly used methods of cabling when connecting EX Series Switches together: daisy chained and braided ring.

NOTE: Although Juniper Networks recommends using one of these two switch topologies, other topologies are supported, but that is beyond the scope of this document.

Extended Mode

The Extended Virtual Chassis method enables switches to be part of a single Virtual Chassis even when the switches are far apart. You can use the optional uplink modules on the EX4200 switch to connect multiple switches, using 1-Gigabit Ethernet and 10-Gigabit Ethernet links, to provide great flexibility in how a network is configured.

For example, you could have multiple wiring closets on a single floor managed as a single device. This simplifies many operational tasks, because this reduces the number of individual devices that must be managed.

MixedMode

Themixedmode Virtual Chassis enables you to interconnect more than one type of

switch to act as a single Virtual Chassis. Currently only supported between the EX4500

and EX4200 Series switches, this provides the ability to have high-density 10-Gigabit

Ethernet and 1-Gigabit Ethernet in the same Virtual Chassis. This topic provides

configuration examples for each of these Virtual Chassis types.

Copyright © 2012, Juniper Networks, Inc.96

Juniper Networks Horizontal Campus Validated Design Guide

Page 107: Juniper Networks Horizontal Campus Validated Design … · 2014-09-23 · setinterfacesge-0/0/46unit0familyethernet-switching

NOTE: The Juniper Networks EX3300 Series switch and Juniper Networks EX8200 series switches also support the Virtual Chassis flexible scaling solution, but this information lies outside the scope of this document.

Other Virtual Chassis notes:

• When you have a two-member Virtual Chassis, we recommend that you disable split detection.

• When you have three or more members in a Virtual Chassis, we recommend that you do not place uplinks on the master Routing Engine.


Appendix B: Virtual Chassis


Pre-Provisioning the Virtual Chassis

When you create a Virtual Chassis configuration with multiple members, you might want to deterministically control the role and member ID assigned to each member switch. You can do this by creating a pre-provisioned configuration. You can add switches to a pre-provisioned configuration by using the autoprovisioning feature to automatically configure the uplink ports as VCPs on the switches being added.

Although it is not mandatory to pre-provision each Virtual Chassis, we recommend it, and this is the process we use in this guide.

NOTE: If you do not pre-provision the Virtual Chassis, the devices are numbered in the order in which they come up.

For example, if you have five switches in a Virtual Chassis and you turn on the middle switch, say #3, it becomes slot 0. If you then turn on the top switch, it becomes slot 1. If you turn on the other switches at about the same time, the rest of the slots are filled randomly, so you may end up with chassis numbering something like this:

Slot 1
Slot 4
Slot 0
Slot 3
Slot 2

This is quite confusing, but completely operational. You can re-assign slots later to make a more logical chassis, but it is easier to avoid this in the first place. If you do end up doing something like this or are just curious, see the instructions in “Virtual Chassis” on page 95.

Prerequisites: The switches need to be set at factory defaults to follow this process.

To pre-provision the Virtual Chassis:

1. Understand what type of Virtual Chassis you will be setting up: Dedicated, Extended, or Mixed. If you are unsure, see “Dedicated Mode” on page 96.

2. Unpack and power up the switch you intend to be Slot 0.

Go through the initial setup process for the switch as described in “Virtual Chassis” on page 95.

3. Identify the serial numbers of the other switches that will be part of this Virtual Chassis. Then decide what their function will be: either Routing Engine or line card. You can only have two switches configured as Routing Engines, and one will be slot 0 (the first device we booted up). You can change the roles for devices later if required.

The following is a sample set of configuration statements for a four-member Virtual Chassis specifying each member role and slot by serial number.

root@EX4542-vc1# set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number GX0211411253
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number GX0211411250
set virtual-chassis member 2 role line-card
set virtual-chassis member 2 serial-number FP0211333181
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333260

4. Determine if you need to disable split detection.

• If your Virtual Chassis has only two members, go to Step 5, Disable split detection.

• If your Virtual Chassis has more than two members, go to Step 6, Step 7, and Step 8, as appropriate for the type of Virtual Chassis you want to set up (dedicated mode, extended mode, or mixed mode).

5. Disable split detection.

The command below disables split detection.

root@EX4542-vc1# set virtual-chassis no-split-detection

NOTE: Virtual Chassis Split Detection

Split detection is designed to avoid a possible dual-active or split-brain condition where the chassis loses multiple Virtual Chassis connections and becomes partitioned into two separate Virtual Chassis. The default behavior is for the primary Routing Engine to disable itself and the backup Routing Engine (RE) to promote itself to master.

In a two-switch Virtual Chassis, however, this is not desirable. For example, if the backup RE is powered off, the master RE will stop forwarding traffic. Therefore we recommend disabling this feature in a two-switch configuration. For more information, read about Virtual Chassis in the Junos OS documentation for Juniper Networks EX Series Ethernet Switches.

6. Set up a dedicated mode Virtual Chassis.

If you have a dedicated Virtual Chassis (that is, if the members are all of the same type, say all EX4200 or all EX4500 switches), no additional commands are necessary.

a. You can cable up the remaining members using the VCP ports on the back of the units and power them up.

b. Verify that all members are active by running the show virtual-chassis command.

root@EX4542-vc1> show virtual-chassis

Preprovisioned Virtual Chassis
Virtual Chassis ID: 762b.b071.4181
Virtual Chassis Mode: Mixed
                                             Mstr            Mixed Neighbor List
Member ID  Status   Serial No    Model       prio  Role      Mode  ID  Interface
0 (FPC 0)  Prsnt    GX0211411253 ex4500-40f  129   Master*   Y     3   vcp-1
                                                                   1   vcp-0
1 (FPC 1)  Prsnt    GX0211411250 ex4500-40f  129   Backup    Y     0   vcp-1
                                                                   2   vcp-0
2 (FPC 2)  Prsnt    FP0211333181 ex4200-48px 0     Linecard  Y     1   vcp-0
                                                                   3   vcp-1
3 (FPC 3)  Prsnt    FP0211333260 ex4200-48px 0     Linecard  Y     2   vcp-0
                                                                   0   vcp-1

c. Proceed to “Virtual Chassis Base Configuration” on page 101.

7. Set up an extended mode Virtual Chassis.

Some Virtual Chassis members are connected together using 1-Gigabit Ethernet or 10-Gigabit Ethernet ports configured as Virtual Chassis extended (VCe) ports.

NOTE: 10-Gigabit Ethernet uplink ports must be configured as VCe ports.

The following is an operational mode command that will not appear in the configuration. Once this is set, the option to configure these ports when in configuration mode will not appear.

request virtual-chassis vc-port set pic-slot pic-slot port port member-id memberid

8. Set up a mixed mode Virtual Chassis.

(EX4500 and EX4200 combined chassis)

a. When setting up a combined EX4500 and EX4200 chassis, the chassis must be specifically configured to support mixed mode operation. If not, the entire chassis will be active. The command to change modes is an operational command and therefore does not show up in the configuration.

request virtual-chassis mode mixed

b. To verify that the chassis is indeed in mixed mode, you can view the status by issuing the operational command show virtual-chassis and looking for the line Virtual Chassis Mode:

root@EX4542-vc1> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: 762b.b071.4181
Virtual Chassis Mode: Mixed

c. You can now cable up the remaining members using the VCP ports on the back of the units and power them up. Verify that all of the members are active by running the show virtual-chassis command.

root@EX4542-vc1> show virtual-chassis

Preprovisioned Virtual Chassis
Virtual Chassis ID: 762b.b071.4181
Virtual Chassis Mode: Mixed
                                             Mstr            Mixed Neighbor List
Member ID  Status   Serial No    Model       prio  Role      Mode  ID  Interface
0 (FPC 0)  Prsnt    GX0211411253 ex4500-40f  129   Master*   Y     3   vcp-1
                                                                   1   vcp-0
1 (FPC 1)  Prsnt    GX0211411250 ex4500-40f  129   Backup    Y     0   vcp-1
                                                                   2   vcp-0
2 (FPC 2)  Prsnt    FP0211333181 ex4200-48px 0     Linecard  Y     1   vcp-0
                                                                   3   vcp-1
3 (FPC 3)  Prsnt    FP0211333260 ex4200-48px 0     Linecard  Y     2   vcp-0
                                                                   0   vcp-1

d. To change a Virtual Chassis back to non-mixed mode, issue the following command:

request virtual-chassis mode mixed disable

e. Proceed to “Virtual Chassis Base Configuration” on page 101.
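The following Python script is an added example, not part of the Juniper guide. It checks a pre-provisioned configuration against the rules stated in this procedure (a role and serial number for every member, no more than two Routing Engines, split detection disabled on a two-member chassis) and compares it with show virtual-chassis output, so a member with an unexpected serial number or role stands out. The function names and sample inputs are constructed for illustration from the serial numbers in step 3.

```python
import re

# Constructed sample: the four-member configuration from step 3.
SAMPLE_CONFIG = """\
set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number GX0211411253
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number GX0211411250
set virtual-chassis member 2 role line-card
set virtual-chassis member 2 serial-number FP0211333181
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333260
"""
# Constructed sample: rows in the layout of show virtual-chassis output.
SAMPLE_SHOW = """\
Preprovisioned Virtual Chassis
0 (FPC 0)  Prsnt    GX0211411253 ex4500-40f  129   Master*   Y     3   vcp-1
                                                                   1   vcp-0
1 (FPC 1)  Prsnt    GX0211411250 ex4500-40f  129   Backup    Y     0   vcp-1
2 (FPC 2)  Prsnt    FP0211333181 ex4200-48px 0     Linecard  Y     1   vcp-0
3 (FPC 3)  Prsnt    FP0211333260 ex4200-48px 0     Linecard  Y     2   vcp-0
"""
# Role the running chassis reports -> role expected in the configuration.
ROLE_BY_STATE = {"Master": "routing-engine", "Backup": "routing-engine",
                 "Linecard": "line-card"}
ROW = re.compile(r"^(\d+) \(FPC \d+\)\s+(\S+)\s+(\S+)\s+\S+\s+\d+\s+([A-Za-z]+)")

def parse_preprovision(text):
    """Collect the virtual-chassis statements from Junos set commands."""
    cfg = {"preprovisioned": False, "no_split_detection": False, "members": {}}
    for line in text.splitlines():
        words = line.split()
        if words[:2] != ["set", "virtual-chassis"]:
            continue
        rest = words[2:]
        if rest == ["preprovisioned"]:
            cfg["preprovisioned"] = True
        elif rest == ["no-split-detection"]:
            cfg["no_split_detection"] = True
        elif (len(rest) == 4 and rest[0] == "member" and rest[1].isdigit()
              and rest[2] in ("role", "serial-number")):
            cfg["members"].setdefault(int(rest[1]), {})[rest[2]] = rest[3]
    return cfg

def check_preprovision(cfg):
    """Return findings for the rules this procedure states."""
    findings, members = [], cfg["members"]
    if not cfg["preprovisioned"]:
        findings.append("missing 'set virtual-chassis preprovisioned'")
    for mid, m in sorted(members.items()):
        for key in ("role", "serial-number"):
            if key not in m:
                findings.append(f"member {mid}: no {key} configured")
    serials = [m["serial-number"] for m in members.values()
               if "serial-number" in m]
    for serial in sorted(set(serials)):
        if serials.count(serial) > 1:
            findings.append(f"serial {serial} assigned to more than one member")
    engines = sum(m.get("role") == "routing-engine" for m in members.values())
    if engines > 2:
        findings.append(f"{engines} routing-engine members, only two are allowed")
    # Two-member chassis: the guide recommends disabling split detection.
    if len(members) == 2 and not cfg["no_split_detection"]:
        findings.append("two-member chassis without no-split-detection")
    return findings

def parse_show(text):
    """Extract member id, status, serial number and role from member rows."""
    observed = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header lines and neighbor continuation rows do not match
            observed[int(m.group(1))] = {"status": m.group(2),
                                         "serial-number": m.group(3),
                                         "state": m.group(4)}
    return observed

def compare(cfg, observed):
    """Compare what joined the chassis with what was pre-provisioned."""
    findings = []
    for mid, want in sorted(cfg["members"].items()):
        got = observed.get(mid)
        if got is None:
            findings.append(f"member {mid}: configured but not in show output")
            continue
        if got["status"] != "Prsnt":
            findings.append(f"member {mid}: status {got['status']}")
        if got["serial-number"] != want.get("serial-number"):
            findings.append(f"member {mid}: serial {got['serial-number']} "
                            f"differs from configured {want.get('serial-number')}")
        if ROLE_BY_STATE.get(got["state"]) != want.get("role"):
            findings.append(f"member {mid}: running as {got['state']}, "
                            f"configured as {want.get('role')}")
    for mid in sorted(set(observed) - set(cfg["members"])):
        findings.append(f"member {mid}: present but not pre-provisioned")
    return findings

if __name__ == "__main__":
    config = parse_preprovision(SAMPLE_CONFIG)
    for finding in check_preprovision(config) + compare(config, parse_show(SAMPLE_SHOW)):
        print(finding)
```
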

Virtual Chassis Base Configuration

Enter the following commands for all Virtual Chassis:

1. commit synchronize

This ensures that whenever you issue a commit command, it is synchronized with all of the other members of the Virtual Chassis. Without this command in the configuration, you should issue a commit synchronize command after every change instead of just the commit command.

set system commit synchronize

2. non-stop bridging

This command replicates bridging protocol information between master and backup Routing Engines.

set ethernet-switching-options nonstop-bridging

3. graceful switchover

Graceful switchover should be configured on any multichassis Virtual Chassis to ensure that the master and backup Routing Engines are in sync.

root@EX4542-vc1# set chassis redundancy graceful-switchover

Layer 3 Configuration

To configure DHCP on a Virtual Chassis:

1. Configure DHCP forwarding.

root@host# set forwarding-options helpers bootp dhcp-option82
set forwarding-options helpers bootp server server ip
set forwarding-options helpers bootp interface ip interface

2. Configure DHCP services.

root@host# set system services dhcp pool network and subnet mask address-range low starting ip address
set system services dhcp pool network and subnet mask address-range high ending ip address
set system services dhcp pool network and subnet mask domain-name xyzcompany.com
set system services dhcp pool network and subnet mask name-server name-server
set system services dhcp pool network and subnet mask router def gw ip address


3. Configure the default static route.

root@host# set routing-options static route 0.0.0.0/0 next-hop ip address

4. Configure routing protocols.

root@host# set protocols ospf area 0.0.0.0 interface interface

5. Configure nonstop active routing.

root@host# set routing-options nonstop-routing


APPENDIX C

Configuring DHCP on EX Series Ethernet Switches

• Configuring EX Series Ethernet Switches to Provide DHCP

Configuring EX Series Ethernet Switches to Provide DHCP

If you do not have a central DHCP server or need a temporary DHCP solution, you can configure the EX Series Ethernet Switches to act as a DHCP server.

In the validated network design presented in this document, the core switch would be used as a DHCP server because it has IP addresses on each of the subnets in the network.

To enable the EX Series to act as a DHCP server you need the following:

• IP interface configured on each VLAN to receive DHCP

• IP address pool and pool range to be allocated to users on each VLAN to receive DHCP

• Default gateway for users on each VLAN

• Domain name for users

• Name server for users

The sample that follows shows DHCP configured for the management VLAN presented in this guide. We already have the IP address configured as 10.10.28.1 for this VLAN. (See the core switch setup for more details.)

set system services dhcp pool 10.10.28.0/24
set system services dhcp pool 10.10.28.0/24 address-range low 10.10.28.11 high 10.10.28.250
set system services dhcp pool 10.10.28.0/24 router 10.10.28.1
set system services dhcp pool 10.10.28.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.28.0/24 name-server 10.10.24.100

To view statistics:

show system services dhcp statistics

To view DHCP bindings:

show system services dhcp binding


APPENDIX D

Configurations Used in This Guide

• EX4200vc1 Set Commands

• EX4200vc1 Configuration Statements

• EX4200vc2 Set Commands

• EX4200vc2 Configuration Statements

• EX4200vc3 Set Commands

• EX4200vc3 Configuration Statements

• EX4542vc1 Set Commands

• EX4542vc1 Configuration Statements

• WLC-1 Configuration

• WLC-2 Configuration

• SRX650 Cluster Set Commands

• SRX650 Cluster Configuration Statements

EX4200vc1 Set Commands

set version 11.4R1.6
set system host-name ex4200-vc1
set system domain-name xyxcompany.com
set system root-authentication encrypted-password "$1$mPpJfHUh$TJPBhlJWIuQNFWBaR2LPY0"
set system name-server 10.10.24.100
set system services ssh
set system services web-management https system-generated-certificate
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system commit synchronize
set chassis redundancy graceful-switchover
set chassis aggregated-devices ethernet device-count 2
set interfaces interface-range Wired_Data member-range ge-0/0/5 to ge-0/0/26
set interfaces interface-range Wired_Data member-range ge-1/0/5 to ge-1/0/26
set interfaces interface-range Wired_Data member-range ge-2/0/5 to ge-2/0/26
set interfaces interface-range Wired_Data member-range ge-3/0/5 to ge-3/0/26
set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access


set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Wired_Voice member-range ge-2/0/27 to ge-2/0/47
set interfaces interface-range Wired_Voice member-range ge-3/0/27 to ge-3/0/47
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4
set interfaces interface-range Access_Points member-range ge-2/0/0 to ge-2/0/4
set interfaces interface-range Access_Points member-range ge-3/0/0 to ge-3/0/4
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/2 unit 0 family ethernet-switching
set interfaces ge-0/0/3 unit 0 family ethernet-switching
set interfaces ge-0/0/4 unit 0 family ethernet-switching
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/6 unit 0 family ethernet-switching
set interfaces ge-0/0/7 unit 0 family ethernet-switching
set interfaces ge-0/0/8 unit 0 family ethernet-switching
set interfaces ge-0/0/9 unit 0 family ethernet-switching
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set interfaces ge-0/0/11 unit 0 family ethernet-switching
set interfaces ge-0/0/12 unit 0 family ethernet-switching
set interfaces ge-0/0/13 unit 0 family ethernet-switching
set interfaces ge-0/0/14 unit 0 family ethernet-switching
set interfaces ge-0/0/15 unit 0 family ethernet-switching
set interfaces ge-0/0/16 unit 0 family ethernet-switching
set interfaces ge-0/0/17 unit 0 family ethernet-switching
set interfaces ge-0/0/18 unit 0 family ethernet-switching
set interfaces ge-0/0/19 unit 0 family ethernet-switching
set interfaces ge-0/0/20 unit 0 family ethernet-switching
set interfaces ge-0/0/21 unit 0 family ethernet-switching
set interfaces ge-0/0/22 unit 0 family ethernet-switching
set interfaces ge-0/0/23 unit 0 family ethernet-switching
set interfaces ge-0/0/24 unit 0 family ethernet-switching
set interfaces ge-0/0/25 unit 0 family ethernet-switching
set interfaces ge-0/0/26 unit 0 family ethernet-switching
set interfaces ge-0/0/27 unit 0 family ethernet-switching
set interfaces ge-0/0/28 unit 0 family ethernet-switching
set interfaces ge-0/0/29 unit 0 family ethernet-switching
set interfaces ge-0/0/30 unit 0 family ethernet-switching
set interfaces ge-0/0/31 unit 0 family ethernet-switching
set interfaces ge-0/0/32 unit 0 family ethernet-switching
set interfaces ge-0/0/33 unit 0 family ethernet-switching
set interfaces ge-0/0/34 unit 0 family ethernet-switching
set interfaces ge-0/0/35 unit 0 family ethernet-switching
set interfaces ge-0/0/36 unit 0 family ethernet-switching
set interfaces ge-0/0/37 unit 0 family ethernet-switching
set interfaces ge-0/0/38 unit 0 family ethernet-switching
set interfaces ge-0/0/39 unit 0 family ethernet-switching
set interfaces ge-0/0/40 unit 0 family ethernet-switching
set interfaces ge-0/0/41 unit 0 family ethernet-switching
set interfaces ge-0/0/42 unit 0 family ethernet-switching
set interfaces ge-0/0/43 unit 0 family ethernet-switching


set interfaces ge-0/0/44 unit 0 family ethernet-switching
set interfaces ge-0/0/45 unit 0 family ethernet-switching
set interfaces ge-0/0/46 unit 0 family ethernet-switching
set interfaces ge-0/0/47 unit 0 family ethernet-switching
set interfaces xe-0/1/0 unit 0 family ethernet-switching
set interfaces xe-0/1/2 ether-options 802.3ad ae0
set interfaces ge-1/0/0 unit 0 family ethernet-switching
set interfaces xe-2/1/2 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Data_Wired_1
set interfaces ae0 unit 0 family ethernet-switching vlan members VOIP_Wired_1
set interfaces ae0 unit 0 family ethernet-switching vlan members Management
set interfaces ae0 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces vlan unit 28 family inet address 10.10.28.244/24
set interfaces vme unit 0 family inet address 10.94.188.91/24
set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1
set protocols igmp-snooping vlan all
set protocols rstp interface ae0.0 disable
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options secure-access-port vlan Data_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 ip-source-guard
set ethernet-switching-options nonstop-bridging
set ethernet-switching-options storm-control interface all
set vlans Data_Wired_1 vlan-id 10
set vlans Data_Wired_1 interface Wired_Data
set vlans Guest_Wired vlan-id 30
set vlans Management vlan-id 28
set vlans Management interface Access_Points
set vlans Management l3-interface vlan.28
set vlans VOIP_Wired_1 vlan-id 14
set vlans VOIP_Wired_1 interface Wired_Voice
set poe interface all
set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333190
set virtual-chassis member 1 role line-card
set virtual-chassis member 1 serial-number FP0211333201
set virtual-chassis member 2 role routing-engine
set virtual-chassis member 2 serial-number FP0211333173
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333265
set virtual-chassis fast-failover xe


EX4200vc1 Configuration Statements

## Last changed: 2011-12-18 13:35:19 UTC
version 11.4R1.6;
system {
    host-name ex4200-vc1;
    domain-name xyxcompany.com;
    root-authentication {
        encrypted-password "$1$mPpJfHUh$TJPBhlJWIuQNFWBaR2LPY0"; ## SECRET-DATA
    }
    name-server {
        10.10.24.100;
    }
    services {
        ssh;
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    commit synchronize;
}
chassis {
    redundancy {
        graceful-switchover;
    }
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    interface-range Wired_Data {
        member-range ge-0/0/5 to ge-0/0/26;
        member-range ge-1/0/5 to ge-1/0/26;
        member-range ge-2/0/5 to ge-2/0/26;
        member-range ge-3/0/5 to ge-3/0/26;
        unit 0 {
            family ethernet-switching {
                port-mode access;


            }
        }
    }
    interface-range Wired_Voice {
        member-range ge-0/0/27 to ge-0/0/47;
        member-range ge-1/0/27 to ge-1/0/47;
        member-range ge-2/0/27 to ge-2/0/47;
        member-range ge-3/0/27 to ge-3/0/47;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    interface-range Access_Points {
        member-range ge-0/0/0 to ge-0/0/4;
        member-range ge-1/0/0 to ge-1/0/4;
        member-range ge-2/0/0 to ge-2/0/4;
        member-range ge-3/0/0 to ge-3/0/4;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {


        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {


            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/24 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/25 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/26 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/27 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/28 {
        unit 0 {
            family ethernet-switching;


        }
    }
    ge-0/0/29 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/30 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/31 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }


    }
    ge-0/0/40 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/41 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/42 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/43 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/44 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/45 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/46 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/47 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/2 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-1/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }


    xe-2/1/2 {
        ether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_1 VOIP_Wired_1 Management Guest_Wired ];
                }
            }
        }
    }
    vlan {
        unit 28 {
            family inet {
                address 10.10.28.244/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                address 10.94.188.91/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.28.1;
    }
}
protocols {
    igmp-snooping {
        vlan all;
    }
    rstp {
        interface ae0.0 {
            disable;
        }
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }


}
ethernet-switching-options {
    secure-access-port {
        vlan Data_Wired_1 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wired {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan VOIP_Wired_1 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
    }
    nonstop-bridging;
    storm-control {
        interface all;
    }
}
vlans {
    Data_Wired_1 {
        vlan-id 10;
        interface {
            Wired_Data;
        }
    }
    Guest_Wired {
        vlan-id 30;
    }
    Management {
        vlan-id 28;
        interface {
            Access_Points;
        }
        l3-interface vlan.28;
    }
    VOIP_Wired_1 {
        vlan-id 14;
        interface {
            Wired_Voice;
        }
    }
}
poe {
    interface all;
}
virtual-chassis {
    preprovisioned;
    member 0 {
        role routing-engine;
        serial-number FP0211333190;


    }
    member 1 {
        role line-card;
        serial-number FP0211333201;
    }
    member 2 {
        role routing-engine;
        serial-number FP0211333173;
    }
    member 3 {
        role line-card;
        serial-number FP0211333265;
    }
    fast-failover {
        xe;
    }
}

EX4200vc2 Set Commands

set version 11.4R1.6
set system host-name EX4200-vc2
set system domain-name xyxcompany.com
set system time-zone America/Los_Angeles
set system root-authentication encrypted-password "$1$gqkkDA9K$mm4F9rV/dCNDU4gJ8w0wE."
set system name-server 10.10.24.100
set system services ssh
set system services web-management https system-generated-certificate
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file messages archive size 10m
set system commit synchronize
set chassis redundancy graceful-switchover
set chassis aggregated-devices ethernet device-count 2
set interfaces interface-range Wired_Data member-range ge-0/0/5 to ge-0/0/26
set interfaces interface-range Wired_Data member-range ge-1/0/5 to ge-1/0/26
set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-1/0/1 unit 0 family ethernet-switching
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow


set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Data_Wired_2
set interfaces ae0 unit 0 family ethernet-switching vlan members VOIP_Wired_2
set interfaces ae0 unit 0 family ethernet-switching vlan members Management
set interfaces ae0 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces vlan unit 28 family inet address 10.10.28.243/24
set interfaces vme unit 0 family inet address 10.94.188.95/24
set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1
set protocols rstp interface ae0.0 disable
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options secure-access-port vlan Data_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 ip-source-guard
set ethernet-switching-options nonstop-bridging
set vlans Data_Wired_2 vlan-id 12
set vlans Data_Wired_2 interface Wired_Data
set vlans Guest_Wired vlan-id 30
set vlans Management vlan-id 28
set vlans Management interface Access_Points
set vlans Management l3-interface vlan.28
set vlans VOIP_Wired_2 vlan-id 16
set vlans VOIP_Wired_2 interface Wired_Voice
set poe interface all
set virtual-chassis preprovisioned
set virtual-chassis no-split-detection
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333245
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number FP0211333274

EX4200vc2 Configuration Statements

## Last changed: 2012-03-21 13:26:09 PDT
version 11.4R1.6;
system {
    host-name EX4200-vc2;
    domain-name xyxcompany.com;
    time-zone America/Los_Angeles;
    root-authentication {
        encrypted-password "$1$gqkkDA9K$mm4F9rV/dCNDU4gJ8w0wE."; ## SECRET-DATA
    }
    name-server {
        10.10.24.100;
    }
    services {
        ssh;

117Copyright © 2012, Juniper Networks, Inc.

Appendix D: Configurations Used in This Guide

Page 128: Juniper Networks Horizontal Campus Validated Design … · 2014-09-23 · setinterfacesge-0/0/46unit0familyethernet-switching

web-management {https {system-generated-certificate;

}}

}syslog {file messages {any any;authorization info;archive size 10m;

}}commit synchronize;

}chassis {redundancy {graceful-switchover;

}aggregated-devices {ethernet {device-count 2;

}}

}interfaces {interface-rangeWired_Data {member-range ge-0/0/5 to ge-0/0/26;member-range ge-1/0/5 to ge-1/0/26;unit 0 {family ethernet-switching {port-mode access;

}}

}interface-rangeWired_Voice {member-range ge-1/0/27 to ge-1/0/47;member-range ge-0/0/27 to ge-0/0/47;unit 0 {family ethernet-switching {port-mode access;

}}

}interface-range Access_Points {member-range ge-1/0/0 to ge-1/0/4;member-range ge-0/0/0 to ge-0/0/4;unit 0 {family ethernet-switching {port-mode access;

}}

}ge-0/0/0 {unit 0 {family ethernet-switching {

Copyright © 2012, Juniper Networks, Inc.118

Juniper Networks Horizontal Campus Validated Design Guide

Page 129: Juniper Networks Horizontal Campus Validated Design … · 2014-09-23 · setinterfacesge-0/0/46unit0familyethernet-switching

port-mode access;}

}}ge-0/0/2 {unit 0 {family ethernet-switching {port-mode access;

}}

}xe-0/1/0 {ether-options {802.3ad ae0;

}}ge-1/0/0 {unit 0 {family ethernet-switching {port-mode access;

}}

}ge-1/0/1 {unit 0 {family ethernet-switching;

}}xe-1/1/0 {ether-options {802.3ad ae0;

}}ae0 {aggregated-ether-options {lacp {active;periodic slow;

}}unit 0 {family ethernet-switching {port-mode trunk;vlan {members [ Data_Wired_2 VOIP_Wired_2 Management Guest_Wired ];

}}

}}lo0 {unit 0 {family inet {address 10.0.0.2/32;

}}

}

119Copyright © 2012, Juniper Networks, Inc.

Appendix D: Configurations Used in This Guide

Page 130: Juniper Networks Horizontal Campus Validated Design … · 2014-09-23 · setinterfacesge-0/0/46unit0familyethernet-switching

vlan {unit 28 {family inet {address 10.10.28.243/24;

}}

}vme {unit 0 {family inet {address 10.94.188.95/24;

}}

}}routing-options {static {route 0.0.0.0/0 next-hop 10.10.28.1;

}}protocols {rstp {interface ae0.0 {disable;

}}lldp {interface all;

}lldp-med {interface all;

}}ethernet-switching-options {secure-access-port {vlan Data_Wired_2 {arp-inspection;examine-dhcp;ip-source-guard;

}vlan Guest_Wired {arp-inspection;examine-dhcp;ip-source-guard;

}vlan VOIP_Wired_2 {arp-inspection;examine-dhcp;ip-source-guard;

}}nonstop-bridging;

}vlans {Data_Wired_2 {vlan-id 12;

Copyright © 2012, Juniper Networks, Inc.120

Juniper Networks Horizontal Campus Validated Design Guide

Page 131: Juniper Networks Horizontal Campus Validated Design … · 2014-09-23 · setinterfacesge-0/0/46unit0familyethernet-switching

interface {Wired_Data;

}}Guest_Wired {vlan-id 30;

}Management {vlan-id 28;interface {Access_Points;

}l3-interface vlan.28;

}VOIP_Wired_2 {vlan-id 16;interface {Wired_Voice;

}}

}poe {interface all;

}virtual-chassis {preprovisioned;no-split-detection;member 0 {role routing-engine;serial-number FP0211333245;

}member 1 {role routing-engine;serial-number FP0211333274;

}}

EX4200vc3 Set Commands

set version 11.4R1.6
set system host-name EX4200-vc3
set system domain-name xyxcompany.com
set system time-zone America/Los_Angeles
set system root-authentication encrypted-password "$1$969yUWx3$TVCNJ5iVJbezE5uiau7a50"
set system name-server 10.10.24.100
set system services ssh
set system services web-management https system-generated-certificate
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file messages archive size 10m
set system commit synchronize
set chassis redundancy graceful-switchover
set chassis aggregated-devices ethernet device-count 2
set interfaces interface-range Wired_Data member-range ge-1/0/5 to ge-1/0/26
set interfaces interface-range Wired_Data member-range ge-0/0/5 to ge-0/0/26
set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access
set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-1/0/2 unit 0 family ethernet-switching port-mode access
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Data_Wired_2
set interfaces ae0 unit 0 family ethernet-switching vlan members VOIP_Wired_2
set interfaces ae0 unit 0 family ethernet-switching vlan members Management
set interfaces ae0 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces lo0 unit 0 family inet address 10.0.0.3/32
set interfaces vlan unit 28 family inet address 10.10.28.242/24
set interfaces vme unit 0 family inet address 10.94.188.97/24
set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1
set protocols rstp interface ae0.0 disable
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options secure-access-port vlan Data_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 ip-source-guard
set ethernet-switching-options nonstop-bridging
set vlans Data_Wired_2 vlan-id 12
set vlans Data_Wired_2 interface Wired_Data
set vlans Guest_Wired vlan-id 30
set vlans Management vlan-id 28
set vlans Management interface Access_Points
set vlans Management l3-interface vlan.28
set vlans VOIP_Wired_2 vlan-id 16
set vlans VOIP_Wired_2 interface Wired_Voice
set poe interface all
set virtual-chassis preprovisioned
set virtual-chassis no-split-detection
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333208
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number FP0211333280


EX4200vc3 Configuration Statements

## Last changed: 2012-03-21 13:27:29 PDT
version 11.4R1.6;
system {
    host-name EX4200-vc3;
    domain-name xyxcompany.com;
    time-zone America/Los_Angeles;
    root-authentication {
        encrypted-password "$1$969yUWx3$TVCNJ5iVJbezE5uiau7a50"; ## SECRET-DATA
    }
    name-server {
        10.10.24.100;
    }
    services {
        ssh;
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        file messages {
            any any;
            authorization info;
            archive size 10m;
        }
    }
    commit synchronize;
}
chassis {
    redundancy {
        graceful-switchover;
    }
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    interface-range Wired_Data {
        member-range ge-1/0/5 to ge-1/0/26;
        member-range ge-0/0/5 to ge-0/0/26;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    interface-range Wired_Voice {
        member-range ge-0/0/27 to ge-0/0/47;
        member-range ge-1/0/27 to ge-1/0/47;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    interface-range Access_Points {
        member-range ge-0/0/0 to ge-0/0/4;
        member-range ge-1/0/0 to ge-1/0/4;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-1/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-1/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    xe-1/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_2 VOIP_Wired_2 Management Guest_Wired ];
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.3/32;
            }
        }
    }
    vlan {
        unit 28 {
            family inet {
                address 10.10.28.242/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                address 10.94.188.97/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.28.1;
    }
}
protocols {
    rstp {
        interface ae0.0 {
            disable;
        }
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    secure-access-port {
        vlan Data_Wired_2 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wired {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan VOIP_Wired_2 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
    }
    nonstop-bridging;
}
vlans {
    Data_Wired_2 {
        vlan-id 12;
        interface {
            Wired_Data;
        }
    }
    Guest_Wired {
        vlan-id 30;
    }
    Management {
        vlan-id 28;
        interface {
            Access_Points;
        }
        l3-interface vlan.28;
    }
    VOIP_Wired_2 {
        vlan-id 16;
        interface {
            Wired_Voice;
        }
    }
}
poe {
    interface all;
}
virtual-chassis {
    preprovisioned;
    no-split-detection;
    member 0 {
        role routing-engine;
        serial-number FP0211333208;
    }
    member 1 {
        role routing-engine;
        serial-number FP0211333280;
    }
}


EX4542vc1 Set Commands

set version 11.4R1.6
set system host-name EX4542-vc1
set system domain-name xyzcompany.com
set system time-zone America/Los_Angeles
set system root-authentication encrypted-password "$1$EJ1MQEjU$OyN4dCFy5fUYYeegQcpwi/"
set system name-server 10.10.24.100
set system services ssh
set system services web-management https system-generated-certificate
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system commit synchronize
set chassis redundancy graceful-switchover
set chassis aggregated-devices ethernet device-count 4
set interfaces ge-0/0/0 unit 0 family ethernet-switching
set interfaces xe-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces xe-0/0/1 ether-options 802.3ad ae1
set interfaces ge-0/0/2 unit 0 family ethernet-switching
set interfaces xe-0/0/2 ether-options 802.3ad ae2
set interfaces ge-0/0/3 unit 0 family ethernet-switching
set interfaces xe-0/0/3 unit 0 family ethernet-switching
set interfaces ge-0/0/4 unit 0 family ethernet-switching
set interfaces xe-0/0/4 unit 0 family ethernet-switching
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces xe-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/6 unit 0 family ethernet-switching
set interfaces xe-0/0/6 unit 0 family ethernet-switching
set interfaces ge-0/0/7 unit 0 family ethernet-switching
set interfaces xe-0/0/7 unit 0 family ethernet-switching
set interfaces ge-0/0/8 unit 0 family ethernet-switching
set interfaces xe-0/0/8 unit 0 family ethernet-switching
set interfaces ge-0/0/9 unit 0 family ethernet-switching
set interfaces xe-0/0/9 unit 0 family ethernet-switching
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set interfaces xe-0/0/10 unit 0 family ethernet-switching
set interfaces ge-0/0/11 unit 0 family ethernet-switching
set interfaces xe-0/0/11 unit 0 family ethernet-switching
set interfaces ge-0/0/12 unit 0 family ethernet-switching
set interfaces xe-0/0/12 unit 0 family ethernet-switching
set interfaces ge-0/0/13 unit 0 family ethernet-switching
set interfaces xe-0/0/13 unit 0 family ethernet-switching
set interfaces ge-0/0/14 unit 0 family ethernet-switching
set interfaces xe-0/0/14 unit 0 family ethernet-switching
set interfaces ge-0/0/15 unit 0 family ethernet-switching
set interfaces xe-0/0/15 unit 0 family ethernet-switching
set interfaces ge-0/0/16 unit 0 family ethernet-switching
set interfaces xe-0/0/16 unit 0 family ethernet-switching
set interfaces ge-0/0/17 unit 0 family ethernet-switching
set interfaces xe-0/0/17 unit 0 family ethernet-switching
set interfaces ge-0/0/18 unit 0 family ethernet-switching
set interfaces xe-0/0/18 unit 0 family ethernet-switching
set interfaces ge-0/0/19 unit 0 family ethernet-switching
set interfaces xe-0/0/19 unit 0 family ethernet-switching
set interfaces ge-0/0/20 unit 0 family ethernet-switching
set interfaces xe-0/0/20 unit 0 family ethernet-switching
set interfaces ge-0/0/21 unit 0 family ethernet-switching
set interfaces xe-0/0/21 unit 0 family ethernet-switching
set interfaces ge-0/0/22 unit 0 family ethernet-switching
set interfaces xe-0/0/22 unit 0 family ethernet-switching
set interfaces ge-0/0/23 unit 0 family ethernet-switching
set interfaces xe-0/0/23 unit 0 family ethernet-switching
set interfaces ge-0/0/24 unit 0 family ethernet-switching
set interfaces xe-0/0/24 unit 0 family ethernet-switching
set interfaces ge-0/0/25 unit 0 family ethernet-switching
set interfaces xe-0/0/25 unit 0 family ethernet-switching
set interfaces ge-0/0/26 unit 0 family ethernet-switching
set interfaces xe-0/0/26 unit 0 family ethernet-switching
set interfaces ge-0/0/27 unit 0 family ethernet-switching
set interfaces xe-0/0/27 unit 0 family ethernet-switching
set interfaces ge-0/0/28 unit 0 family ethernet-switching
set interfaces xe-0/0/28 unit 0 family ethernet-switching
set interfaces ge-0/0/29 unit 0 family ethernet-switching
set interfaces xe-0/0/29 unit 0 family ethernet-switching
set interfaces ge-0/0/30 unit 0 family ethernet-switching
set interfaces xe-0/0/30 unit 0 family ethernet-switching
set interfaces ge-0/0/31 unit 0 family ethernet-switching
set interfaces xe-0/0/31 unit 0 family ethernet-switching
set interfaces ge-0/0/32 unit 0 family ethernet-switching
set interfaces xe-0/0/32 unit 0 family ethernet-switching
set interfaces ge-0/0/33 unit 0 family ethernet-switching
set interfaces xe-0/0/33 unit 0 family ethernet-switching
set interfaces ge-0/0/34 unit 0 family ethernet-switching
set interfaces xe-0/0/34 unit 0 family ethernet-switching
set interfaces ge-0/0/35 unit 0 family ethernet-switching
set interfaces xe-0/0/35 unit 0 family ethernet-switching
set interfaces ge-0/0/36 unit 0 family ethernet-switching
set interfaces xe-0/0/36 unit 0 family ethernet-switching
set interfaces ge-0/0/37 unit 0 family ethernet-switching
set interfaces xe-0/0/37 unit 0 family ethernet-switching
set interfaces ge-0/0/38 unit 0 family ethernet-switching
set interfaces xe-0/0/38 unit 0 family ethernet-switching
set interfaces ge-0/0/39 unit 0 family ethernet-switching
set interfaces xe-0/0/39 unit 0 family ethernet-switching
set interfaces ge-0/1/0 unit 0 family ethernet-switching
set interfaces xe-0/1/0 unit 0 family ethernet-switching
set interfaces ge-0/1/1 unit 0 family ethernet-switching
set interfaces xe-0/1/1 unit 0 family ethernet-switching
set interfaces ge-0/1/2 unit 0 family ethernet-switching
set interfaces xe-0/1/2 unit 0 family ethernet-switching
set interfaces ge-0/1/3 unit 0 family ethernet-switching
set interfaces xe-0/1/3 unit 0 family ethernet-switching
set interfaces ge-0/2/0 unit 0 family ethernet-switching
set interfaces xe-0/2/0 unit 0 family ethernet-switching
set interfaces ge-0/2/1 unit 0 family ethernet-switching
set interfaces xe-0/2/1 unit 0 family ethernet-switching
set interfaces ge-0/2/2 unit 0 family ethernet-switching
set interfaces xe-0/2/2 unit 0 family ethernet-switching
set interfaces ge-0/2/3 unit 0 family ethernet-switching
set interfaces xe-0/2/3 unit 0 family ethernet-switching
set interfaces xe-1/0/0 ether-options 802.3ad ae0
set interfaces xe-1/0/1 ether-options 802.3ad ae1
set interfaces xe-1/0/2 ether-options 802.3ad ae2
set interfaces ge-2/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Data_Wireless_1
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Data_Wireless_2
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Management
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Guest_Wireless
set interfaces ge-2/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-2/0/9 unit 0 family ethernet-switching port-mode access
set interfaces ge-2/0/9 unit 0 family ethernet-switching vlan members Servers
set interfaces ge-2/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members Internet_Edge
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members Management
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members Guest_Wireless
set interfaces ge-3/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members Data_Wireless_1
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members Data_Wireless_2
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members Management
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members Guest_Wireless
set interfaces ge-3/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-3/0/9 unit 0 family ethernet-switching port-mode access
set interfaces ge-3/0/9 unit 0 family ethernet-switching vlan members Servers
set interfaces ge-3/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members Internet_Edge
set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members Management
set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members Guest_Wireless
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Data_Wired_1
set interfaces ae0 unit 0 family ethernet-switching vlan members VOIP_Wired_1
set interfaces ae0 unit 0 family ethernet-switching vlan members Management
set interfaces ae0 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic slow
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members Data_Wired_2
set interfaces ae1 unit 0 family ethernet-switching vlan members VOIP_Wired_2
set interfaces ae1 unit 0 family ethernet-switching vlan members Management
set interfaces ae1 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces ae2 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp periodic slow
set interfaces ae2 unit 0 family ethernet-switching port-mode trunk
set interfaces ae2 unit 0 family ethernet-switching vlan members Data_Wired_2
set interfaces ae2 unit 0 family ethernet-switching vlan members VOIP_Wired_2
set interfaces ae2 unit 0 family ethernet-switching vlan members Management
set interfaces ae2 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces vlan unit 10 family inet address 10.10.10.1/24
set interfaces vlan unit 12 family inet address 10.10.12.1/24
set interfaces vlan unit 14 family inet address 10.10.14.1/24
set interfaces vlan unit 16 family inet address 10.10.16.1/24
set interfaces vlan unit 18 family inet address 10.10.18.1/24
set interfaces vlan unit 20 family inet address 10.10.20.1/24
set interfaces vlan unit 22 family inet address 10.10.22.1/24
set interfaces vlan unit 24 family inet address 10.10.24.1/24
set interfaces vlan unit 28 family inet address 10.10.28.1/24
set interfaces vme unit 0 family inet address 10.94.188.101/24
set forwarding-options helpers bootp dhcp-option82
set forwarding-options helpers bootp description DHCP-SERVER
set forwarding-options helpers bootp server 10.10.24.100
set forwarding-options helpers bootp interface vlan.24
set forwarding-options helpers bootp interface vlan.10
set forwarding-options helpers bootp interface vlan.12
set forwarding-options helpers bootp interface vlan.14
set forwarding-options helpers bootp interface vlan.16
set forwarding-options helpers bootp interface vlan.18
set forwarding-options helpers bootp interface vlan.20
set forwarding-options helpers bootp interface vlan.26
set forwarding-options helpers bootp interface vlan.28
set routing-options nonstop-routing
set routing-options static route 0.0.0.0/0 next-hop 10.10.22.254
set protocols ospf area 0.0.0.0 interface vlan.22
set protocols ospf area 0.0.0.0 interface vlan.10
set protocols ospf area 0.0.0.0 interface vlan.12
set protocols ospf area 0.0.0.0 interface vlan.14
set protocols ospf area 0.0.0.0 interface vlan.16
set protocols ospf area 0.0.0.0 interface vlan.18
set protocols ospf area 0.0.0.0 interface vlan.20
set protocols ospf area 0.0.0.0 interface vlan.24
set protocols igmp-snooping vlan all
set protocols dcbx interface all
set protocols rstp bridge-priority 8k
set protocols rstp interface ae0.0 disable
set protocols rstp interface ae1.0 disable
set protocols rstp interface ae2.0 disable
set protocols lldp interface all
set protocols lldp-med interface all
set policy-options prefix-list test fd00::0214/128
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan Data_Wireless_2 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wireless_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wireless_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wireless arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wireless examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wireless ip-source-guard
set ethernet-switching-options nonstop-bridging
set ethernet-switching-options storm-control interface all
set ethernet-switching-options bpdu-block interface ge-2/0/5.0
set vlans Data_Wired_1 vlan-id 10
set vlans Data_Wired_1 l3-interface vlan.10
set vlans Data_Wired_2 vlan-id 12
set vlans Data_Wired_2 l3-interface vlan.12
set vlans Data_Wireless_1 vlan-id 18
set vlans Data_Wireless_1 l3-interface vlan.18
set vlans Data_Wireless_2 vlan-id 20
set vlans Data_Wireless_2 l3-interface vlan.20
set vlans Guest_Wired vlan-id 30
set vlans Guest_Wireless vlan-id 32
set vlans Internet_Edge vlan-id 22
set vlans Internet_Edge l3-interface vlan.22
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Servers vlan-id 24
set vlans Servers interface ge-2/0/5.0
set vlans Servers interface ge-3/0/5.0
set vlans Servers l3-interface vlan.24
set vlans VOIP_Wired_1 vlan-id 14
set vlans VOIP_Wired_1 l3-interface vlan.14
set vlans VOIP_Wired_2 vlan-id 16
set vlans VOIP_Wired_2 l3-interface vlan.16
set poe interface all
set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number GX0211411253
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number GX0211411250
set virtual-chassis member 2 role line-card
set virtual-chassis member 2 serial-number FP0211333181
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333260

EX4542vc1 Configuration Statements

## Last changed: 2012-03-28 13:43:13 PDTversion 11.4R1.6;system {host-name EX4542-vc1;domain-name xyzcompany.com;time-zone America/Los_Angeles;root-authentication {encrypted-password"$1$EJ1MQEjU$OyN4dCFy5fUYYeegQcpwi/";##SECRET-DATA

}name-server {10.10.24.100;

}services {ssh;web-management {https {system-generated-certificate;

}}

}syslog {user * {

131Copyright © 2012, Juniper Networks, Inc.

Appendix D: Configurations Used in This Guide

Page 142: Juniper Networks Horizontal Campus Validated Design … · 2014-09-23 · setinterfacesge-0/0/46unit0familyethernet-switching

any emergency;}file messages {any notice;authorization info;

}file interactive-commands {interactive-commands any;

}}commit synchronize;

}chassis {redundancy {graceful-switchover;

}aggregated-devices {ethernet {device-count 4;

}}

}interfaces {ge-0/0/0 {unit 0 {family ethernet-switching;

}}xe-0/0/0 {ether-options {802.3ad ae0;

}}ge-0/0/1 {unit 0 {family ethernet-switching;

}}xe-0/0/1 {ether-options {802.3ad ae1;

}}ge-0/0/2 {unit 0 {family ethernet-switching;

}}xe-0/0/2 {ether-options {802.3ad ae2;

}}ge-0/0/3 {unit 0 {family ethernet-switching;

Copyright © 2012, Juniper Networks, Inc.132

Juniper Networks Horizontal Campus Validated Design Guide

Page 143: Juniper Networks Horizontal Campus Validated Design … · 2014-09-23 · setinterfacesge-0/0/46unit0familyethernet-switching

}}xe-0/0/3 {unit 0 {family ethernet-switching;

}}ge-0/0/4 {unit 0 {family ethernet-switching;

}}xe-0/0/4 {unit 0 {family ethernet-switching;

}}ge-0/0/5 {unit 0 {family ethernet-switching;

}}xe-0/0/5 {unit 0 {family ethernet-switching;

}}ge-0/0/6 {unit 0 {family ethernet-switching;

}}xe-0/0/6 {unit 0 {family ethernet-switching;

}}ge-0/0/7 {unit 0 {family ethernet-switching;

}}xe-0/0/7 {unit 0 {family ethernet-switching;

}}ge-0/0/8 {unit 0 {family ethernet-switching;

}}xe-0/0/8 {unit 0 {family ethernet-switching;

}

133Copyright © 2012, Juniper Networks, Inc.

Appendix D: Configurations Used in This Guide

Page 144: Juniper Networks Horizontal Campus Validated Design … · 2014-09-23 · setinterfacesge-0/0/46unit0familyethernet-switching

}ge-0/0/9 {unit 0 {family ethernet-switching;

}}xe-0/0/9 {unit 0 {family ethernet-switching;

}}ge-0/0/10 {unit 0 {family ethernet-switching;

}}xe-0/0/10 {unit 0 {family ethernet-switching;

}}ge-0/0/11 {unit 0 {family ethernet-switching;

}}xe-0/0/11 {unit 0 {family ethernet-switching;

}}ge-0/0/12 {unit 0 {family ethernet-switching;

}}xe-0/0/12 {unit 0 {family ethernet-switching;

}}ge-0/0/13 {unit 0 {family ethernet-switching;

}}xe-0/0/13 {unit 0 {family ethernet-switching;

}}ge-0/0/14 {unit 0 {family ethernet-switching;

}}

Copyright © 2012, Juniper Networks, Inc.134

Juniper Networks Horizontal Campus Validated Design Guide

Page 145: Juniper Networks Horizontal Campus Validated Design … · 2014-09-23 · setinterfacesge-0/0/46unit0familyethernet-switching

xe-0/0/14 {unit 0 {family ethernet-switching;

}}ge-0/0/15 {unit 0 {family ethernet-switching;

}}xe-0/0/15 {unit 0 {family ethernet-switching;

}}ge-0/0/16 {unit 0 {family ethernet-switching;

}}xe-0/0/16 {unit 0 {family ethernet-switching;

}}ge-0/0/17 {unit 0 {family ethernet-switching;

}}xe-0/0/17 {unit 0 {family ethernet-switching;

}}ge-0/0/18 {unit 0 {family ethernet-switching;

}}xe-0/0/18 {unit 0 {family ethernet-switching;

}}ge-0/0/19 {unit 0 {family ethernet-switching;

}}xe-0/0/19 {unit 0 {family ethernet-switching;

}}ge-0/0/20 {

135Copyright © 2012, Juniper Networks, Inc.

Appendix D: Configurations Used in This Guide

Page 146: Juniper Networks Horizontal Campus Validated Design … · 2014-09-23 · setinterfacesge-0/0/46unit0familyethernet-switching

unit 0 {family ethernet-switching;

}}xe-0/0/20 {unit 0 {family ethernet-switching;

}}ge-0/0/21 {unit 0 {family ethernet-switching;

}}xe-0/0/21 {unit 0 {family ethernet-switching;

}}ge-0/0/22 {unit 0 {family ethernet-switching;

}}xe-0/0/22 {unit 0 {family ethernet-switching;

}}ge-0/0/23 {unit 0 {family ethernet-switching;

}}xe-0/0/23 {unit 0 {family ethernet-switching;

}}ge-0/0/24 {unit 0 {family ethernet-switching;

}}xe-0/0/24 {unit 0 {family ethernet-switching;

}}ge-0/0/25 {unit 0 {family ethernet-switching;

}}xe-0/0/25 {unit 0 {

Copyright © 2012, Juniper Networks, Inc.136

Juniper Networks Horizontal Campus Validated Design Guide

Page 147: Juniper Networks Horizontal Campus Validated Design … · 2014-09-23 · setinterfacesge-0/0/46unit0familyethernet-switching

family ethernet-switching;}

}ge-0/0/26 {unit 0 {family ethernet-switching;

}}xe-0/0/26 {unit 0 {family ethernet-switching;

}}ge-0/0/27 {unit 0 {family ethernet-switching;

}}xe-0/0/27 {unit 0 {family ethernet-switching;

}}ge-0/0/28 {unit 0 {family ethernet-switching;

}}xe-0/0/28 {unit 0 {family ethernet-switching;

}}ge-0/0/29 {unit 0 {family ethernet-switching;

}}xe-0/0/29 {unit 0 {family ethernet-switching;

}}ge-0/0/30 {unit 0 {family ethernet-switching;

}}xe-0/0/30 {unit 0 {family ethernet-switching;

}}ge-0/0/31 {unit 0 {family ethernet-switching;

137Copyright © 2012, Juniper Networks, Inc.

Appendix D: Configurations Used in This Guide

Page 148: Juniper Networks Horizontal Campus Validated Design … · 2014-09-23 · setinterfacesge-0/0/46unit0familyethernet-switching

        }
    }
    xe-0/0/31 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/2/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/2/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/2/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/2/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-1/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-1/0/1 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-1/0/2 {
        ether-options {
            802.3ad ae2;
        }
    }
    ge-2/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wireless_1 Data_Wireless_2 Management Guest_Wireless ];
                }
            }
        }
    }
    ge-2/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-2/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members Servers;
                }
            }
        }
    }
    ge-2/0/47 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Internet_Edge Management Guest_Wired Guest_Wireless ];
                }
            }
        }
    }
    ge-3/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wireless_1 Data_Wireless_2 Management Guest_Wireless ];
                }
            }
        }
    }
    ge-3/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-3/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members Servers;
                }
            }
        }
    }
    ge-3/0/47 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Internet_Edge Management Guest_Wired Guest_Wireless ];
                }
            }
        }
    }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_1 VOIP_Wired_1 Management Guest_Wired ];
                }
            }
        }
    }
    ae1 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_2 VOIP_Wired_2 Management Guest_Wired ];
                }
            }
        }
    }
    ae2 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_2 VOIP_Wired_2 Management Guest_Wired ];
                }
            }
        }
    }
    vlan {
        unit 10 {
            family inet {
                address 10.10.10.1/24;
            }
        }
        unit 12 {
            family inet {
                address 10.10.12.1/24;
            }
        }
        unit 14 {
            family inet {
                address 10.10.14.1/24;
            }
        }
        unit 16 {
            family inet {
                address 10.10.16.1/24;
            }
        }
        unit 18 {
            family inet {
                address 10.10.18.1/24;
            }
        }
        unit 20 {
            family inet {
                address 10.10.20.1/24;
            }
        }
        unit 22 {
            family inet {
                address 10.10.22.1/24;
            }
        }
        unit 24 {
            family inet {
                address 10.10.24.1/24;
            }
        }
        unit 28 {
            family inet {
                address 10.10.28.1/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                address 10.94.188.101/24;
            }
        }
    }
}
forwarding-options {
    helpers {
        bootp {
            dhcp-option82;
            description DHCP-SERVER;
            server 10.10.24.100;
            interface {
                vlan.24;
                vlan.10;
                vlan.12;
                vlan.14;
                vlan.16;
                vlan.18;
                vlan.20;
                vlan.26;
                vlan.28;
            }
        }
    }
}
routing-options {
    nonstop-routing;
    static {
        route 0.0.0.0/0 next-hop 10.10.22.254;
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface vlan.22;
            interface vlan.10;
            interface vlan.12;
            interface vlan.14;
            interface vlan.16;
            interface vlan.18;
            interface vlan.20;
            interface vlan.24;
        }
    }
    igmp-snooping {
        vlan all;
    }
    dcbx {
        interface all;
    }
    rstp {
        bridge-priority 8k;
        interface ae0.0 {
            disable;
        }
        interface ae1.0 {
            disable;
        }
        interface ae2.0 {
            disable;
        }
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
policy-options {
    prefix-list test {
        fd00::0214/128;
    }
}
ethernet-switching-options {
    secure-access-port {
        vlan Data_Wireless_1 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Data_Wireless_2 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wired {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wireless {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
    }
    nonstop-bridging;
    storm-control {
        interface all;
    }
    bpdu-block {
        interface ge-2/0/5.0;
    }
}
vlans {
    Data_Wired_1 {
        vlan-id 10;
        l3-interface vlan.10;
    }
    Data_Wired_2 {
        vlan-id 12;
        l3-interface vlan.12;
    }
    Data_Wireless_1 {
        vlan-id 18;
        l3-interface vlan.18;
    }
    Data_Wireless_2 {
        vlan-id 20;
        l3-interface vlan.20;
    }
    Guest_Wired {
        vlan-id 30;
    }
    Guest_Wireless {
        vlan-id 32;
    }
    Internet_Edge {
        vlan-id 22;
        l3-interface vlan.22;
    }
    Management {
        vlan-id 28;
        l3-interface vlan.28;
    }
    Servers {
        vlan-id 24;
        interface {
            ge-2/0/5.0;
            ge-3/0/5.0;
        }
        l3-interface vlan.24;
    }
    VOIP_Wired_1 {
        vlan-id 14;
        l3-interface vlan.14;
    }
    VOIP_Wired_2 {
        vlan-id 16;
        l3-interface vlan.16;
    }
}
poe {
    interface all;
}
virtual-chassis {
    preprovisioned;
    member 0 {
        role routing-engine;
        serial-number GX0211411253;
    }
    member 1 {
        role routing-engine;
        serial-number GX0211411250;
    }
    member 2 {
        role line-card;
        serial-number FP0211333181;
    }
    member 3 {
        role line-card;
        serial-number FP0211333260;
    }
}

WLC-1 Configuration

# Configuration nvgen'd at 2012-3-21 09:57:49
# Image 7.6.1.3.0
# Model MX-8
# Last change occurred at 2012-3-13 12:27:32
set ip route default 10.10.28.1 1
set system name WLC-1
set system ip-address 10.10.28.9
set system countrycode US
set timezone pst -8 0
set service-profile Secure-802.1X ssid-name Data_Wireless_1
set service-profile Secure-802.1X rsn-ie cipher-ccmp enable
set service-profile Secure-802.1X rsn-ie enable
set service-profile Secure-802.1X attr vlan-name Data_Wireless_1
set service-profile Web-Portal ssid-name Guest_Wireless
set service-profile Web-Portal ssid-type clear
set service-profile Web-Portal auth-fallthru web-portal
set service-profile Web-Portal web-portal-acl portalacl
set service-profile Web-Portal wpa-ie auth-dot1x disable
set service-profile Web-Portal rsn-ie auth-dot1x disable
set service-profile Web-Portal attr vlan-name Guest_Wireless
set enablepass password 28358f9656229c67a90632e745efe4a11b48
set authentication web ssid Guest_Wireless ** local
set authentication dot1x ssid Data_Wireless_1 ** peap-mschapv2 local
set user admin password encrypted 044b0a151c36435c0d
set user bob password encrypted 08314d5d1a0e0a0516
set user bob attr ssid Data_Wireless_1
set user guest password encrypted 044b0a151c36435c0d
set user guest attr ssid Guest_Wireless
set radio-profile default service-profile Secure-802.1X
set radio-profile default service-profile Web-Portal
set ap automode enable
set ip telnet server enable
set vlan 1 port 1
set vlan 1 port 2
set vlan 1 port 3
set vlan 1 port 4
set vlan 1 port 5
set vlan 1 port 6
set vlan 1 port 7
set vlan 1 port 8
set vlan 28 name Management
set vlan 28 port 8 tag 28
set vlan 18 name Data_Wireless_1
set vlan 18 port 8 tag 18
set vlan 32 name Guest_Wireless
set vlan 32 port 8 tag 32
set interface 28 ip 10.10.28.9 255.255.255.0
set interface 32 ip 10.10.32.9 255.255.255.0
set mobility-domain mode seed domain-name xyzcompany
set mobility-domain member 10.10.28.10
set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
commit security acl portalacl
set cluster mode enable

WLC-2 Configuration

# Configuration nvgen'd at 2012-3-21 09:59:08
# Image 7.6.1.3.0
# Model MX-8
# Last change occurred at 2012-3-13 12:28:17
set ip route default 10.10.28.1 1
set system name WLC-2
set system ip-address 10.10.28.10
set system countrycode US
set timezone pst -8 0
set service-profile Secure-802.1X ssid-name Data_Wireless_1
set service-profile Secure-802.1X rsn-ie cipher-ccmp enable
set service-profile Secure-802.1X rsn-ie enable
set service-profile Secure-802.1X attr vlan-name Data_Wireless_1
set service-profile Web-Portal ssid-name Guest_Wireless
set service-profile Web-Portal ssid-type clear
set service-profile Web-Portal auth-fallthru web-portal
set service-profile Web-Portal web-portal-acl portalacl
set service-profile Web-Portal wpa-ie auth-dot1x disable
set service-profile Web-Portal rsn-ie auth-dot1x disable
set service-profile Web-Portal attr vlan-name Guest_Wireless
set enablepass password 0a8eaea60ebf415168c5f6b0fbaa524fe17c
set authentication web ssid Guest_Wireless ** local
set authentication dot1x ssid Data_Wireless_1 ** peap-mschapv2 local
set user admin password encrypted 140713181f13253920
set user bob password encrypted 15020a1f173d24362c
set user bob attr ssid Data_Wireless_1
set user guest password encrypted 12090404011c03162e
set user guest attr ssid Guest_Wireless
set radio-profile default service-profile Secure-802.1X
set radio-profile default service-profile Web-Portal
set ap automode enable
set vlan 1 port 1
set vlan 1 port 2
set vlan 1 port 3
set vlan 1 port 4
set vlan 1 port 5
set vlan 1 port 6
set vlan 1 port 7
set vlan 1 port 8
set vlan 28 name Management
set vlan 28 port 8 tag 28
set vlan 18 name Data_Wireless_1
set vlan 18 port 8 tag 18
set vlan 32 name Guest_Wireless
set vlan 32 port 8 tag 32
set interface 28 ip 10.10.28.10 255.255.255.0
set interface 32 ip 10.10.32.10 255.255.255.0
set mobility-domain mode secondary-seed domain-name xyzcompany seed-ip 10.10.28.9
set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
commit security acl portalacl
set cluster mode enable

SRX650 Cluster Set Commands

set groups node0 system host-name srx650-1
set groups node0 interfaces fxp0 unit 0 family inet address 10.94.188.103/24
set groups node1 system host-name srx650-2
set groups node1 interfaces fxp0 unit 0 family inet address 10.94.188.104/24
set apply-groups node0
set apply-groups node1
set system domain-name xyxcompany.com
set system time-zone America/Los_Angeles
set system root-authentication encrypted-password "$1$/BmrTFS/$7BfLGntduS8.fj3BYVuuQ0"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-server 10.10.24.100
set system services ssh
set system services xnm-clear-text
set system services web-management https system-generated-certificate
set system services dhcp pool 10.10.30.0/24 address-range low 10.10.30.11
set system services dhcp pool 10.10.30.0/24 address-range high 10.10.30.250
set system services dhcp pool 10.10.30.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.30.0/24 name-server 208.67.220.220
set system services dhcp pool 10.10.30.0/24 name-server 208.67.222.222
set system services dhcp pool 10.10.30.0/24 router 10.10.30.254
set system services dhcp pool 10.10.32.0/24 address-range low 10.10.32.11
set system services dhcp pool 10.10.32.0/24 address-range high 10.10.32.250
set system services dhcp pool 10.10.32.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.32.0/24 name-server 208.67.220.220
set system services dhcp pool 10.10.32.0/24 name-server 208.67.222.222
set system services dhcp pool 10.10.32.0/24 router 10.10.32.254
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set chassis cluster reth-count 1
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-2/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-11/0/0 weight 255
set interfaces ge-2/0/0 gigether-options redundant-parent reth0
set interfaces ge-2/0/1 description "primary internet connection"
set interfaces ge-2/0/1 unit 0 family inet address 10.94.191.233/24
set interfaces ge-11/0/0 gigether-options redundant-parent reth0
set interfaces ge-11/0/2 description "Backup Internet Connection"
set interfaces ge-11/0/2 unit 0 family inet address 10.94.194.56/24
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 description "Unit 0 must be given a VLAN tag so using a dummy tag to align units to tags"
set interfaces reth0 unit 0 vlan-id 1
set interfaces reth0 unit 22 description "Internet Edge"
set interfaces reth0 unit 22 vlan-id 22
set interfaces reth0 unit 22 family inet address 10.10.22.254/24
set interfaces reth0 unit 28 description Management
set interfaces reth0 unit 28 vlan-id 28
set interfaces reth0 unit 28 family inet address 10.10.28.254/24
set interfaces reth0 unit 30 description "GuestWired"
set interfaces reth0 unit 30 vlan-id 30
set interfaces reth0 unit 30 family inet address 10.10.30.254/24
set interfaces reth0 unit 32 description "GuestWireless"
set interfaces reth0 unit 32 vlan-id 32
set interfaces reth0 unit 32 family inet address 10.10.32.254/24
set routing-options static route 0.0.0.0/0 qualified-next-hop 10.94.194.254 preference 20
set routing-options static route 0.0.0.0/0 qualified-next-hop 10.94.191.254 preference 10
set protocols ospf area 0.0.0.0 interface reth0.22
set protocols lldp interface ge-2/0/0.0
set protocols lldp interface ge-11/0/0.0
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set Guest-to-untrust from zone Guest
set security nat source rule-set Guest-to-untrust to zone untrust
set security nat source rule-set Guest-to-untrust rule Guest-source-nat match source-address 0.0.0.0/0
set security nat source rule-set Guest-to-untrust rule Guest-source-nat then source-nat interface
set security nat source rule-set Internet_Edge-to-untrust from zone Internet_Edge
set security nat source rule-set Internet_Edge-to-untrust to zone untrust
set security nat source rule-set Internet_Edge-to-untrust rule Internet_Edge-source-nat match source-address 0.0.0.0/0
set security nat source rule-set Internet_Edge-to-untrust rule Internet_Edge-source-nat then source-nat interface
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wireless
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wired
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match destination-address any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match application any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet then permit
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wired_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wired_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wireless_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wireless_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Servers
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address VOIP_Wired_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address VOIP_Wired_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match destination-address any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match application any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet then permit
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-11/0/2.0
set security zones security-zone untrust interfaces ge-2/0/1.0
set security zones security-zone Guest address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Guest address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Guest host-inbound-traffic system-services ping
set security zones security-zone Guest host-inbound-traffic system-services traceroute
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services dhcp
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services bootp
set security zones security-zone Guest interfaces reth0.32 host-inbound-traffic system-services dhcp
set security zones security-zone Guest interfaces reth0.32 host-inbound-traffic system-services bootp
set security zones security-zone Management host-inbound-traffic system-services ssh
set security zones security-zone Management host-inbound-traffic system-services http
set security zones security-zone Management host-inbound-traffic system-services https
set security zones security-zone Management host-inbound-traffic system-services ping
set security zones security-zone Management host-inbound-traffic system-services snmp
set security zones security-zone Management host-inbound-traffic system-services traceroute
set security zones security-zone Management interfaces reth0.28
set security zones security-zone Internet_Edge address-book address Data_Wired_1 10.10.10.0/24
set security zones security-zone Internet_Edge address-book address Data_Wired_2 10.10.12.0/24
set security zones security-zone Internet_Edge address-book address VOIP_Wired_1 10.10.14.0/24
set security zones security-zone Internet_Edge address-book address VOIP_Wired_2 10.10.16.0/24
set security zones security-zone Internet_Edge address-book address Data_Wireless_1 10.10.18.0/24
set security zones security-zone Internet_Edge address-book address Data_Wireless_2 10.10.20.0/24
set security zones security-zone Internet_Edge address-book address Servers 10.10.24.0/24
set security zones security-zone Internet_Edge address-book address Access_Points 10.10.26.0/24
set security zones security-zone Internet_Edge address-book address Management 10.10.28.0/24
set security zones security-zone Internet_Edge address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Internet_Edge address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Internet_Edge host-inbound-traffic system-services ping
set security zones security-zone Internet_Edge host-inbound-traffic system-services traceroute
set security zones security-zone Internet_Edge host-inbound-traffic protocols ospf
set security zones security-zone Internet_Edge interfaces reth0.22

SRX650 Cluster Configuration Statements

## Last changed: 2012-03-21 10:56:20 PDT
version 11.4R1.6;
groups {
    node0 {
        system {
            host-name srx650-1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.94.188.103/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name srx650-2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.94.188.104/24;
                    }
                }
            }
        }
    }
}
apply-groups [ node0 node1 ];
system {
    domain-name xyxcompany.com;
    time-zone America/Los_Angeles;
    root-authentication {
        encrypted-password "$1$/BmrTFS/$7BfLGntduS8.fj3BYVuuQ0"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
        10.10.24.100;
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            pool 10.10.30.0/24 {
                address-range low 10.10.30.11 high 10.10.30.250;
                domain-name xyzcompany.com;
                name-server {
                    208.67.220.220;
                    208.67.222.222;
                }
                router {
                    10.10.30.254;
                }
            }
            pool 10.10.32.0/24 {
                address-range low 10.10.32.11 high 10.10.32.250;
                domain-name xyzcompany.com;
                name-server {
                    208.67.220.220;
                    208.67.222.222;
                }
                router {
                    10.10.32.254;
                }
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    cluster {
        reth-count 1;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            interface-monitor {
                ge-2/0/0 weight 255;
                ge-11/0/0 weight 255;
            }
        }
    }
}
interfaces {
    ge-2/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-2/0/1 {
        description "primary internet connection";
        unit 0 {
            family inet {
                address 10.94.191.233/24;
            }
        }
    }
    ge-11/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-11/0/2 {
        description "Backup Internet Connection";
        unit 0 {
            family inet {
                address 10.94.194.56/24;
            }
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-9/0/2;
            }
        }
    }
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            description "Unit 0 must be given a VLAN tag so using a dummy tag to align units to tags";
            vlan-id 1;
        }
        unit 22 {
            description "Internet Edge";
            vlan-id 22;
            family inet {
                address 10.10.22.254/24;
            }
        }
        unit 28 {
            description Management;
            vlan-id 28;
            family inet {
                address 10.10.28.254/24;
            }
        }
        unit 30 {
            description "GuestWired";
            vlan-id 30;
            family inet {
                address 10.10.30.254/24;
            }
        }
        unit 32 {
            description "GuestWireless";
            vlan-id 32;
            family inet {
                address 10.10.32.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            qualified-next-hop 10.94.194.254 {
                preference 20;
            }
            qualified-next-hop 10.94.191.254 {
                preference 10;
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface reth0.22;
        }
    }
    lldp {
        interface ge-2/0/0.0;
        interface ge-11/0/0.0;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set Guest-to-untrust {
                from zone Guest;
                to zone untrust;
                rule Guest-source-nat {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set Internet_Edge-to-untrust {
                from zone Internet_Edge;
                to zone untrust;
                rule Internet_Edge-source-nat {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Guest to-zone untrust {
            policy allow-guest-to-internet {
                match {
                    source-address [ Guest_Wireless Guest_Wired ];
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet_Edge to-zone untrust {
            policy allow-Internet_Edge-to-internet {
                match {
                    source-address [ Data_Wired_1 Data_Wired_2 Data_Wireless_1 Data_Wireless_2 Servers VOIP_Wired_1 VOIP_Wired_2 ];
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-11/0/2.0;
                ge-2/0/1.0;
            }
        }
        security-zone Guest {
            address-book {
                address Guest_Wired 10.10.30.0/24;
                address Guest_Wireless 10.10.32.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
            }
            interfaces {
                reth0.30 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            bootp;
                        }
                    }
                }
                reth0.32 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            bootp;
                        }
                    }
                }
            }
        }
        security-zone Management {
            host-inbound-traffic {
                system-services {
                    ssh;
                    http;
                    https;
                    ping;
                    snmp;
                    traceroute;
                }
            }
            interfaces {
                reth0.28;
            }
        }
        security-zone Internet_Edge {
            address-book {
                address Data_Wired_1 10.10.10.0/24;
                address Data_Wired_2 10.10.12.0/24;
                address VOIP_Wired_1 10.10.14.0/24;
                address VOIP_Wired_2 10.10.16.0/24;
                address Data_Wireless_1 10.10.18.0/24;
                address Data_Wireless_2 10.10.20.0/24;
                address Servers 10.10.24.0/24;
                address Access_Points 10.10.26.0/24;
                address Management 10.10.28.0/24;
                address Guest_Wired 10.10.30.0/24;
                address Guest_Wireless 10.10.32.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
                protocols {
                    ospf;
                }
            }
            interfaces {
                reth0.22;
            }
        }
    }
}

APPENDIX E

Bill of Materials

The tables in this Appendix list the hardware required to assemble and deploy the validated network.

Table 6: Hardware List for the Network Core

Network Core (resides in closet 1.1) WLCs, Firewalls, Switching/Routing

| Description | Quantity | Hardware |
|---|---|---|
| 40-port 1-Gigabit Ethernet or 10-Gigabit Ethernet SFP/SFP+ front-to-back airflow, hardware support for Data Center Bridging, and support for eight PFC (802.1Qbb) queues | 2 | EX4500-40F-FB-C |
| 48-port 10/100/1000BASE-T (48 PoE+ ports) + 930W AC PSU. Includes 50cm Virtual Chassis cable. | 2 | EX4200-48PX |
| SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 microns multimode fiber; 33m on 62.5 microns multimode fiber. | 40 | EX-SFP-10GE-SR |
| SRX650 Services Gateway with SRE 6, 645W AC PoE PSU; includes 4 onboard 10/100/1000BASE-T ports, 2 GB DRAM, 2 GB CF, 247W PoE power, fan tray, power cord and rack-mount kit. | 2 | SRX650-BASE-SRE6-645AP |
| 16-port 10/100/1000BASE-T XPIM. | 2 | SRX-GP-16GE |
| Wireless LAN controller with 8 x 10/100BASE-T ports (6 PoE), dual integrated PSU and support for 12 access points. | 2 | WLC8R |

Table 7: Hardware List for Closet 1.1

Closet 1.1 Access Switches and WLAN

| Description | Quantity | Hardware |
|---|---|---|
| 48-port 10/100/1000BASE-T (48 PoE+ ports) + 930W AC PSU. Includes 50cm Virtual Chassis cable. | 2 | EX4200-48PX |
| 2-port 10G SFP+ / 4-port 1G SFP Uplink Module | 2 | EX-UM-2X4SFP |
| SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 microns multimode fiber; 33m on 62.5 microns multimode fiber | 3 | EX-SFP-10GE-SR |
| Access point with dual radios 802.11a/b/g/n 2x2 MIMO (2SS), single 1000BASE-T 802.3af PoE Ethernet port, 4 internal antennas. Not rated for plenum use. Ceiling/wall mount bracket included. Required for operation in USA. | 2 | WLA522-US |

Table 8: Hardware List for Closet 1.2

Closet 1.2 Access Switches and WLAN

| Description | Quantity | Hardware |
|---|---|---|
| 48-port 10/100/1000BASE-T (48 PoE+ ports) + 930W AC PSU. Includes 50cm Virtual Chassis cable. | 2 | EX4200-48PX |
| 2-port 10G SFP+ / 4-port 1G SFP Uplink Module | 2 | EX-UM-2X4SFP |
| SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 microns multimode fiber; 33m on 62.5 microns multimode fiber | 3 | EX-SFP-10GE-SR |
| Access point with dual radios 802.11a/b/g/n 2x2 MIMO (2SS), single 1000BASE-T 802.3af PoE Ethernet port, 4 internal antennas. Not rated for plenum use. Ceiling/wall mount bracket included. Required for operation in USA. | 2 | WLA522-US |

Table 9: Hardware List for Closet 2.1

Closet 2.1 Access Switches and WLAN

| Description | Quantity | Hardware |
| --- | --- | --- |
| 48-port 10/100/1000BASE-T (48 PoE+ ports) + 930W AC PSU. Includes 50cm Virtual Chassis cable. | 2 | EX4200-48PX |
| 2-port 10G SFP+ / 4-port 1G SFP Uplink Module | 2 | EX-UM-2X4SFP |
| SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 microns multimode fiber; 33m on 62.5 microns multimode fiber | 3 | EX-SFP-10GE-SR |
| Access point with dual radios 802.11a/b/g/n 2x2 MIMO (2SS), single 1000BASE-T 802.3af PoE Ethernet port, 4 internal antennas. Not rated for plenum use. Ceiling/wall mount bracket included. Required for operation in USA. | 2 | WLA522-US |


Table 10: Hardware List for Closet 2.2

Closet 2.2 Access Switches and WLAN

| Description | Quantity | Hardware |
| --- | --- | --- |
| 48-port 10/100/1000BASE-T (48 PoE+ ports) + 930W AC PSU. Includes 50cm Virtual Chassis cable. | 2 | EX4200-48PX |
| 2-port 10G SFP+ / 4-port 1G SFP Uplink Module | 2 | EX-UM-2X4SFP |
| SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 microns multimode fiber; 33m on 62.5 microns multimode fiber. | 3 | EX-SFP-10GE-SR |
| Access point with dual radios 802.11a/b/g/n 2x2 MIMO (2SS), single 1000BASE-T 802.3af PoE Ethernet port, 4 internal antennas. Not rated for plenum use. Ceiling/wall mount bracket included. Required for operation in USA. | 2 | WLA522-US |
