Using an EX switch as a gigabit network hub

Leave a reply

We’ve come a long way since network hubs were common but there are still cases where they are useful, I recently ran into an issue that required the functionality of a hub and it took me longer than I am prepared to admit to realise that I could use a Juniper EX switch for what I needed. I did however come to a pretty solid conclusion that no one makes gigabit newtwork hubs.

In this case my need was related to a POC we are currently running between 2 IDS/IPS vendors – to get the best comparison we wanted both products to be able to inspect the same traffic so we could do a true apples to apples test with reporting, work flows, etc.. and to do this we decided that we needed a hub that we could connect to our analyzer output port and then connect the IDS inputs to, because a hub will just forward the traffic out of every port other than the one it receives the data on both IDS solutions would get a copy of anything coming into the hub from the analyzer. After spending a period of time looking for a network hub capable of gigabit speeds and coming up short I was reminded that I could disable MAC learning on a VLAN on an EX2200 and have that VLAN behave just like a hub. Because the ports in that VLAN are not keeping any record of the MAC addresses connected to it, it will always forward the traffic it receives on those ports to all the other ports.

Configuration time! To get the most interesting data we could to the IDS devices we actually ran 2 analyzers, one carrying internal traffic in our “Trust” zone and traffic going to-from the internet in our “DMZ zone” so we actually created 2 3-port “Hub” VLANs on the EX2200 and cabled them accordingly with each analyzer connecting to the appropriate VLAN and then a cable from each VLAN going to the IDS appliances.

DMZ-HUB {
    interface {
        ge-0/0/0.0;
        ge-0/0/1.0;
        ge-0/0/2.0;
    }
    no-mac-learning;
}
Inside-HUB {
    interface {
        ge-0/0/9.0;
        ge-0/0/10.0;
        ge-0/0/11.0;
    }
    no-mac-learning;
}

I have to admit that when I figured this out I felt pretty good until it was pointed out (jokingly) that it probably took so long to get to this conclusion because no one else was talking about it, mostly because everyone else knows so I’m putting it up here for the next person that needs a gigabit hub and just can’t find one no matter how hard they look.

Juniper LACP configuration

1 Reply

Following on from the previous post about the VC configuration, this post is a quick and dirty look at link aggregation in JunOS. For such a flat network there wasn’t really much to consider with spanning tree other than making sure the right switch became the root and that the redundant path was used when necessary so there isn’t much to write about leaving more time for LACP.

We’ll start at the beginning with the configuration of ports for LACP between the three switches to make use of as many of those fancy 10G ports as we can. Since it’s exactly the same network as the previous post, it will look exactly the same.

Similar to Cisco port channel interfaces, JunOS allows each aggregated interface to have a total of 8 member links and the EX4200 virtual chassis allows for a maximum of 128 aggregated interfaces. I’m not going to get anywhere near the limits with what I’m doing here but it’s good to know what you can do.

I think the virtual chassis will be a good place to start and I’m looking forward to trying out LACP across different member switches and the first configuration change we need to make is to define how many logical devices we are going to need:

[edit chassis]
aggregated-devices {
ethernet {
device-count 2;
}
}

Once you have defined the number of logical interfaces you are going to be using you can add the physical ports to them at the interface level configuration. To add interfaces to a LACP group you simply need to add the logical interface number that it will be a part of (as with all things JunOS, the counting starts at 0). One thing to remember when adding a port to an LACP group is to remove the unit configuration from that port or your config will fail to commit. Once added to an LACP group all unit level commands are configured on the aggregated interface.

[edit interfaces]
xe-0/1/2 {
ether-options {
802.3ad ae0;
}

xe-1/1/0 {
ether-options {
802.3ad ae1;
}
}

Now we have 2 interfaces as members on the aggregated link we can configure some options there.

[edit interfaces}
ae0 {
aggregated-ether-options {
minimum-links 1;
link-speed 10g;
lacp {
active;
}
}
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members all;
}
}
}
}

For anyone that has worked on aggregated links on Cisco devices everything here should be pretty obvious but I'll explain the commands and my reasons for using them. There's nothing ground breaking here

minimum links - This defines how many member links need to be available for the aggregated link to be "up". This is a useful configuration option when you're using redundant links on a larger network and want to make sure you have the necessary bandwidth available throughout the entire flow of traffic. Here we wont be gaining much by failing over to a secondary path if one of the two member links fail.

link-speed 10g - Here we define the speed that the individual member links will be operating it, in this case it wouldnt be a problem to omit this command but connecting a 1000 switch to a 10/100 switch would require you to set this to "link-speed 100".

lacp { active } - The LACP protocol requires a link to be either active or passive for the link to come up. Active links initiate the LACP link and passive links respond to LACP packets so you will need to consider this when configuring both sides of the link.

Once you have configured the aggregated link portion of the interface you can move to the unit configuration just as you would with any other interface and since these links are connecting switches they will be trunk links passing traffic for all vlans.

For the other side of the link you will repeat the same configuration and should see the links come up shortly after commiting the changes.

To confirm that a member link is configured to be part of a correct aggreagated link you can use the command

> show interfaces terse | match ae

To verify that the LACP links are operating correctly you can use the command:

> show lacp interfaces

For further verification you can use LLDP to see the links!

>show lldp neighbors

From the outputs you can see that I have configured LACP to span the virtual chassis and have no two links on the same chassis member, this means that the LACP link will survive if any one of the chassis members fail. Tell me if I'm wrong but I think that's pretty cool.

Finally, the all powerful "traceoptions" can be configured to log/show LACP events for debugging purposes. One thing that may not be obvious is where you need to configure the traceoptions, after a few minutes of poking arounf the configuration I found that they need to be set under the protocols lacp hierarchy.

[edit protocols]
lacp {
traceoptions {
file lacp.log;
flag all;
}
}

Juniper switch configuration

2 Replies

With a new week came new challenges. Since I passed my JNCIA-ER test a couple of weeks ago someone decided I must be an expert and asked me to work on configuring some switches for a company that decided to go with Juniper for the network in their brand new office but have no one on staff with any experience…. Joy

Yesterday I got to unbox the equipment and take inventory of what we have and it basically breaks down to 5 EX4200 and 2 EX4500 with miscellaneous accessories (redundant power supplies and the like). Given their current environment and goals for the project here’s the general idea.

With an MDF and IDF they still want to manage the EX4200s as a single chassis so the 5th switch will have to be connected by 10Gb links setup as VCE links. Connections to the EX4500s is going to be 2x10Gb uplinks configured as an LACP link to provide some load balancing and redundancy, there will also be a 2x10Gb link between the 4500s.

Configuration process.
I want to be able to define which switch of the 4200s is going to be the Master and which is going to be the backup which means preconfiguring the master switch before powering on any of the others once the VCP cables are connected.

SW1:
The first thing you have to do is set a root password so we’ll do that and setup some other basics and save a rescue configuration (mostly just to turn off the alarm light).

Unless I’m doing more than a handful of commands at a certain hierarchy I tend to run most commands at the top level which I think also helps me to remember which level things are configured.

Sw1# set system root-authentication plain-text-password
New password:

Sw1# set system services ssh
Sw1# set system services web-management http (will be changed to https or disabled when the hardware is installed)
Sw1# set chassis alarm management-ethernet link-down ignore (again, just to turn off the alarm light)
Sw1# set vlans VLAN1 vlan-id 1 description 10.1.0.0 l3-interface vlan.1
Sw1# set interfaces vlan.1 family inet address 10.1.0.1/24
Sw1# exit

Sw1> request system configuration rescue save

Now we have a very basic configuration it’s time to start configuring the virtual chassis options. Since I want to define which members of the chassis are going to be master and backup REs I need to gather the serial numbers for all the switches.

Sw1# set virtual-chassis preprovisioned
Sw1# set virtual-chassis member 0 role routing-engine serial-number xxxxxxxx00
Sw1# set virtual-chassis member 1 role routing-engine serial-number xxxxxxxx01
Sw1# set virtual-chassis member 2 serial-number xxxxxxxx02
Sw1# set virtual-chassis member 3 serial-number xxxxxxxx03
Sw1# set virtual-chassis member 4 serial-number xxxxxxxx04

At this point we can power on the other switches making up the VC and make sure everything comes up and joins the chassis as expected then get back to some supporting commands.

Sw1# set system commit synchronize (to made sure any config commits are copied to other REs)

Sw1# set chassis redundancy graceful-switchover (speedier L2 failover)
Sw1# set routing-options graceful-restart (speedier L3 failover)

On the switches connected to the VCE link we need to run an extra operational mode command to turn their uplink ports into VCE ports:

Sw1> request virtual-chassis vc-port set pic-slot 1 port 0
Sw4> request virtual-chassis vc-port set pic-slot 1 port 2
SW5> request virtual-chassis vc-port set pic-slot 1 port 0
Sw5> request virtual-chassis vc-port set pic-slot 1 port 2

And that’s really all it takes to get a virtual-chassis up and running. Once I’ve configured the links between the chassis and the EX4500s I will post some of that configuration as well.

Routing protocols – OSPF

Leave a reply

The idea was to use the blog as a place to keep notes on topics for quick reference later and im sure ill get around to that eventually but I just finished reading OSPF basics and here’s what I came up with on the rack. After drawing out the topology I decided to make f0/0 on R3 a passive interface so although it is configured as a member of both area 0 and area 1 it is only participating in routing in area 0.

Having 5 routers let me make a somewhat respectable 2 area network so I could do some router summarization between areas and use both MD5 and plain text authentication.  Some things to remember about OSPF configuration;

Before an adjacency will form between neighbouring devices, the following must match:

  • Authentication type AND password
  • Area number
  • Connected interfaced must be in the same subnet
  • Hello and Dead intervals

Route summarisation can only be done on ABRs (Area Border Routers) and auto-summary is not supported.

Each router ID is decided by the command “router-id” in OSPF config mode, if router-id has not been configured the router ID is decided by the highest value loopback interface IP, if there are no loopback interfaces the router ID is decided by the highest configured interface IP address.

Configuration time!

Area 0

R5 (ABR)



router ospf 1
 router-id 5.5.5.5
 log-adjacency-changes
 area 0 authentication
 area 0 range 10.100.0.0 255.255.0.0
 area 0 range 10.200.0.0 255.255.0.0
 area 1 authentication message-digest
 area 1 range 172.16.0.0 255.255.252.0
 area 1 range 172.16.4.0 255.255.255.0
 network 192.168.50.0 0.0.0.3 area 0
 network 192.168.200.0 0.0.0.255 area 1

interface FastEthernet0/1
 ip address 192.168.200.5 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 password

interface FastEthernet0/0
 ip address 192.168.50.1 255.255.255.252
 ip ospf authentication-key useless

R4



router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 area 0 authentication
 network 10.100.0.0 0.0.7.255 area 0
 network 192.168.0.4 0.0.0.3 area 0
 network 192.168.50.0 0.0.0.3 area 0

interface FastEthernet0/0
 ip address 192.168.50.2 255.255.255.252
 ip ospf authentication-key useless

interface Serial0/0
 ip address 192.168.0.6 255.255.255.252
 encapsulation ppp
 no fair-queue

R3



router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 0 authentication
 area 0 range 10.200.0.0 255.255.252.0
 passive-interface FastEthernet0/0
 network 10.200.0.0 0.0.3.255 area 0
 network 10.200.4.0 0.0.0.255 area 0
 network 10.200.5.0 0.0.0.255 area 0
 network 192.168.0.4 0.0.0.3 area 0
 network 192.168.200.0 0.0.0.255 area 1

interface FastEthernet0/0
 ip address 192.168.200.3 255.255.255.0
 ip ospf network broadcast

interface Serial0/0
 ip address 192.168.0.5 255.255.255.252
 encapsulation ppp

Area 1

R2

router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 area 1 authentication message-digest
 network 192.168.0.0 0.0.0.3 area 1
 network 192.168.200.0 0.0.0.255 area 1
 default-information originate

interface FastEthernet0/0
 ip address 192.168.200.2 255.255.255.0
 ip ospf message-digest-key 1 md5 password

interface Serial0/1/0
 ip address 192.168.0.2 255.255.255.252
 ip ospf message-digest-key 1 md5 password

R1

router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 area 1 authentication message-digest
 area 1 range 172.16.0.0 255.255.252.0
 network 172.16.0.0 0.0.3.255 area 1
 network 172.16.4.0 0.0.0.255 area 1
 network 192.168.0.0 0.0.0.3 area 1

interface Serial0/0
 ip address 192.168.0.1 255.255.255.252
 ip ospf message-digest-key 1 md5 password

At this level all routing protocols are easy to get to a working configuration but even with 2 areas OSPF is still logical and straightforward. Now that we have a working configuration it’s time to explore some show commands to see the lay of the land.

The first command to use to see the running OSPF configuration is “show ip protocols” which will show you several important pieces of information:



R5>sho ip protocol
Routing Protocol is "ospf 1" - Running process ID
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 5.5.5.5 - The configured router ID
It is an area border router - Router type
Number of areas in this router is 2. 2 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
192.168.50.0 0.0.0.3 area 0
192.168.200.0 0.0.0.255 area 1 - Routed networks added with "network" command
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway         Distance      Last Update
(this router)        110      01:27:18
1.1.1.1              110      01:27:18 - Neighbour devices
4.4.4.4              110      01:27:18
2.2.2.2              110      01:27:18
3.3.3.3              110      01:27:18
10.100.7.1           110      1w0d
Distance: (default is 110)

Another command to use when verifying/troubleshooting an OSPF instance is “show ip ospf interface”

R4>sho ip ospf inter s0/0
Serial0/0 is up, line protocol is up
Internet Address 192.168.0.6/30, Area 0 - Configured IP address and assigned Area
Process ID 1, Router ID 4.4.4.4, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 - Timer intervals (these are default)
oob-resync timeout 40
Hello due in 00:00:06 - Time until next Hello expected
Index 1/9, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 6
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 3.3.3.3 - Router ID of neighbour device
Suppress hello for 0 neighbor(s)
Simple password authentication enabled - Conigured authentication type, plain text in this case

To verify routes a propagating through the network correctly you can view the raw database of advertised routes by running the command “show ip ospf database”, this will show all routes the router has learned about from it’s neighbours before the routing table has been built by the SPF algorithm.

R5>sho ip ospf data

            OSPF Router with ID (5.5.5.5) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         687         0x80000149 0x001CD0 8
4.4.4.4         4.4.4.4         237         0x80000153 0x007B64 11
5.5.5.5         5.5.5.5         308         0x8000013F 0x001F71 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.50.2    4.4.4.4         501         0x80000007 0x009EC6

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.0.0      5.5.5.5         308         0x80000009 0x00EE35
172.16.4.0      5.5.5.5         308         0x80000009 0x00D14B
192.168.0.0     5.5.5.5         308         0x8000000A 0x00B3C3
192.168.200.0   3.3.3.3         687         0x80000007 0x00DA1D
192.168.200.0   5.5.5.5         308         0x8000013D 0x002F89

                Summary ASB Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
2.2.2.2         5.5.5.5         308         0x8000000A 0x008095

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         1002        0x80000141 0x00B2BB 7
2.2.2.2         2.2.2.2         568         0x80000144 0x00827B 3
5.5.5.5         5.5.5.5         310         0x80000141 0x004419 1

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.200.2   2.2.2.2         568         0x80000007 0x0030AB

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.100.0.0      5.5.5.5         310         0x8000013D 0x005427
10.200.0.0      5.5.5.5         310         0x80000008 0x008F7D
192.168.0.4     5.5.5.5         310         0x800000AF 0x003698
192.168.50.0    5.5.5.5         313         0x8000013F 0x0091BE

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         2.2.2.2         64          0x8000013E 0x0081EA 1

As I sad earlier, a working instance of OSPF is very easy to create and make work for you but there are a lot of unexplored options here that allude to a very tunable and rebust protocol, I think I’m going to enjoy working with OSPF in the future.

EIGRP is up next for the lab which looks just as easy to get up and running so I’ll probably do some redistribution or some other options to make it just a little more interesting without getting too far away from the CCNA content.

On to adventures in ICND2

1 Reply

As of 10:41am Saturday March 20th 2010,  I am CCENT certified and officially on the Cisco certification track…. scary… I’ve taken a couple of weeks off hard studying but now it’s time to get back at it and finish the CCNA so I can move up to either JNCIA-EX or CCNP.

Having passed the ICND1 test I can finally start using the lab equipment i’ve been collecting for the last month or so – ICND1 material is a good start to get a grasp of the technologies on a small network but it always stopped short of the interesting material – a lot of chapters in the Cisco press book end with “… is beyond the scope of this book – see ICND2 for more information”.  Since i’m using a combination of Jeremy Cioara’s CBT Nuggets videos and the Cisco Press book I decided to build a lab similar to what they are demonstrating and here it is:

The cloud in this case is the “lab” VLAN on my home network (10.10.10.0/24) so I will eventually be able to configure NAT on R2 for the 192.168.200.0/24 network but for now it just sits out there looking all cloudy.  What isn’t shown in the picture is the 2509 Access Server (also connected to the 10.10.10.0/24 network) that means I can connect from work and work on the lab should the urge arise.

Goals I have for the lab include getting another switch to be able to do more with STP and VTP and possibly adding an 830 series router off of R5.  I also want to add a PC/server to the network so i can do config archiving since things change frequently and I rarely remember to pull a config before i start messing with it.  As it stands now I have VTP and STP running on the switches with one being a VTP server and the other configured as a client.  I have OSPF (3 areas) running on R1 (area 1), R2 (area 0), R3 (area 0) and R4 (area 2) with R5 running EIGRP and R4 redistributing routes between the two protocols.  Im not sure if it’s a CCNA level technology but I will probably setup VRRP or HSRP on R3 and R5 for redundancy to R4.  Once I start getting into the details of the configuration of STP, routing, etc.. I will upload more complete diagrams with configuration specific information and maybe device configs but as it stands now, that’s the lab.

Working with TFTP

Leave a reply

Anyone working in the networking field is going to have a need to backup and/or restore device configurations which can be as easy or complicated as you want it to be.  Personally I prefer the easy route so when we were doing a large deployment of new hardware to our remote sites i used tftpd32.exe pretty extensively and got very familiar with the Cisco command.

#copy start tftp://x.x..x.x

After this command you will be prompted to confirm the server address and the name of the file after it has been transferred.

When we got the go ahead from the business to make the switch to Juniper hardware, the way i was going to get configs to and from devices was the last thing on my mind so we got together and came up with a configuration that would work well alongside our existing Cisco devices; VRRP instead of HSRP, OSPF replaced EIGRP and then we had to copy the configuration from the lab switch so we had a copy we could adapt to other devices roll out easily which is where the fun really started.

Similar to how Cisco IOS has user mode, enable mode and config mode, Juniper JunOS has different tiers of CLI which all have different commands available and I’m sure that in time switching between the different modes will be automatic but at the moment it still takes some thinking about so for me which made figuring out the process even more interesting.

To start with it helps to know the difference between the 3 CLI modes available or at least, my ideas about what the modes are.

System level (shell) – this is at the very top of the system and is basically FreeBSD and acts exactly like that
User level – this is similar to Cisco’s user mode and allows access to a lot of view commands but no way to edit the system
Configuration level – Similar to Cisco’s enable mode; this is where you do all of your configuration on the device.

So now to the meat of this post, how to TFTP config files to and fron Juniper devices.

From configuration mode you need to save the configuration to a text file.

#save <filename>.txt

This command saves the current configuration to a text file in your user home directory.

Step2. Exit out to user mode and enter the command to start the command shell which gives you access to the FreeBSD system underneath JUNOS

> start shell

Once at a system prompt you will need to start the tftp client:

% tftp x.x.x.x (IP address of the tftp server you want to connect to)
tftp>

After launching the tftp client you are able to copy files to or from the tftp server:

get <filename>.txt – retrieve the file <filename>.txt from the tftp server.
put <filename>.txt – copy a local file to the tftp server.

To apply a configuration from a text file you will need to get back to configuration mode:

tftp> quit
% exit
> configure

Step2. To load the configuration you just copied you need to be in configuration mode and run the command:

# load override <filename>.txt

The override command removes the original configuration and replaces it with the contents of the file; other options are merge, replace and update which all treat the existing config differently.  Because i don’t want to reinvent the wheel (and would probably get it wrong), here’s a Juniper article on the differences: http://www.juniper.net/techpubs/software/junos/junos57/swconfig57-getting-started/html/cli-configuration-mode40.html

-M