
LAYER 2 NEXT GEN (L2NG) CLI

OVERVIEW
Rajesh Patil
PSD Technical Marketing
L2NG – INFRASTRUCTURE FEATURES
2 Copyright © 2009 Juniper Networks, Inc. www.juniper.net
L2NG – VLAN CONFIGURATION
§ MX Series: a VLAN is not a broadcast domain – it is a circuit ID
§ The MX VLAN equivalent is a bridge-domain
§ Bridge-domain is supported under the routing-instances stanza
§ L2NG CLI – keeps the MX Series capability to configure bridge-domains under routing instances, except that the “bridge-domain” keyword is replaced with the “vlan” keyword
§ “family bridge” changed to “family ethernet-switching”

EX Series:   [edit vlans]    family ethernet-switching
L2NG:        [edit vlans]    family ethernet-switching
MX Series:   [edit bridge]   family bridge

3 JUNIPER NETWORKS CONFIDENTIAL Copyright © 2014 Juniper Networks, Inc. www.juniper.net


L2NG – MULTIPLE VLANS CREATION
§ MX Series: multiple VLANs configured with the “vlan-id-list” command
§ EX Series: multiple VLANs configured with the “vlan-range” command
§ L2NG CLI – ‘vlan-range’ aliased to ‘vlan-id-list’ so existing EX Series configurations can be supported

EX Series:   [edit vlans]             vlan-range [100 200]
L2NG:        [edit vlans]             vlan-id-list [100 200]
MX Series:   [edit bridge-domains]    vlan-id-list [100 200]



L2NG – PHYSICAL PORT ASSIGNMENT TO A VLAN
§ MX Series: interfaces assigned under bridge-domain or family bridge
§ EX Series: interfaces assigned under VLANs or family “ethernet-switching”
§ L2NG CLI – follows the EX Series approach

EX Series:   [edit vlans <vlan>]
             OR
             [edit interfaces <interface> unit 0 family ethernet-switching vlan members]
L2NG:        [edit vlans <vlan>]
             OR
             [edit interfaces <interface> unit 0 family ethernet-switching vlan members]
MX Series:   [edit bridge-domains <bridge-domain>]
             OR
             [edit interfaces <interface> unit 0 family bridge vlan-id/vlan-id-list]



L2NG – VLAN CONFIGURATION SUMMARY

EX Series          L2NG               MX Series
vlan               vlan               bridge-domain
vlan-id            vlan-id            vlan-id
vlan-range         vlan-id-list       vlan-id-list
routing instance   routing instance



L2NG – TRUNK/ACCESS PORT CONFIGURATION
§ L2NG CLI follows the MX Series interface-mode option instead of the EX Series port-mode option

EX Series:
[edit interfaces]
unit 0 {
    family ethernet-switching {
        port-mode trunk/access;
        vlan {
            members <vlanid/vlanname>
        }
    }
}

L2NG:
[edit interfaces]
unit 0 {
    family ethernet-switching {
        interface-mode trunk/access;
        vlan {
            members <vlanid/vlanname>
        }
    }
}

MX Series:
[edit interfaces]
unit 0 {
    family bridge {
        interface-mode trunk/access;
        vlan-id <vlanid>/vlan-id-list <list>
    }
}



L2NG – L3 INTERFACE CONFIGURATION
§ L2NG CLI follows the MX Series irb interface
§ vlan.x aliased to irb.x for backward compatibility with EX Series

EX Series:
[edit interfaces]
vlan {
    unit 0 {
        family inet {
            address 1.1.1.1/24;
        }
    }
}
[edit vlans]
l3-interface vlan.0

L2NG:
[edit interfaces]
irb {
    unit 0 {
        family inet {
            address 1.1.1.1/24;
        }
    }
}
[edit vlans]
l3-interface irb.0

MX Series:
[edit interfaces]
irb {
    unit 0 {
        family inet {
            address 1.1.1.1/24;
        }
    }
}
[edit bridge-domains]
routing-interface irb.0
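As an added example (not part of the deck and not Juniper code), the following Python script applies the aliases the preceding slides describe, vlan-range to vlan-id-list, port-mode to interface-mode, and the vlan.x / vlan interface to irb.x, to an EX Series style configuration. The rule table and the sample EX configuration are constructed here; the script tracks stanza nesting so that the "vlan { members ... }" block under family ethernet-switching is left untouched while the L3 "vlan" interface is renamed.

```python
import re
# Rule table constructed from the aliases this deck lists (EX keyword -> L2NG keyword), each
# with the stanza path it applies in: "vlan {" becomes "irb {" only directly under
# [edit interfaces], never the "vlan { members ... }" block under family ethernet-switching.
RULES = [
    (re.compile(r"^vlan-range (.+);$"), r"vlan-id-list \1;", ("vlans",), False),
    (re.compile(r"^port-mode (trunk|access);$"), r"interface-mode \1;", ("interfaces",), False),
    (re.compile(r"^l3-interface vlan\.(\d+);$"), r"l3-interface irb.\1;", ("vlans",), False),
    (re.compile(r"^vlan \{$"), "irb {", ("interfaces",), True),  # True = exact path match
]

def ex_to_l2ng(config: str) -> str:
    out, path = [], []  # path holds the keywords of the enclosing stanzas
    for raw in config.splitlines():
        line = raw.strip()
        if line == "}" and path: path.pop()
        for pattern, repl, ctx, exact in RULES:
            here = tuple(path) if exact else tuple(path[: len(ctx)])
            if here == ctx and pattern.match(line):
                line = pattern.sub(repl, line)
                break
        if line.endswith("{"):
            path.append(line.split()[0])  # keyword opening the stanza, e.g. "vlans", "unit"
        out.append(raw[: len(raw) - len(raw.lstrip())] + line)
    return "\n".join(out)

# Constructed EX Series sample exercising the four aliased keywords (not from the deck).
EX_CONFIG = """\
vlans {
    vlan-range [100 200];
    l3-interface vlan.0;
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 100;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet;
        }
    }
}
"""
```

Running `print(ex_to_l2ng(EX_CONFIG))` shows the same stanza structure with only the aliased keywords changed.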
L2NG – MULTIPLE UNITS CONFIGURED ON A SINGLE INTERFACE
§ EX Series: supports only unit 0 under family ethernet-switching
§ MX Series: supports configuration of multiple units on the same port, even if family bridge is configured on some units
§ L2NG CLI supports the same behavior as MX Series:
interfaces {
    ge-0/0/0 {
        encapsulation flexible-ethernet-services;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 3;
                }
            }
        }
        unit 1 {
            family inet {
                address 10.10.6.1/24;
            }
        }
    }
}
L2NG – SPANNING TREE CONFIGURATION
§ No changes to RSTP and MSTP configuration
§ Like MX Series, legacy STP configuration is done using the “force-version” option of RSTP

EX Series                 MX Series/L2NG
[edit protocols rstp]     [edit protocols rstp]
[edit protocols mstp]     [edit protocols mstp]
[edit protocols stp]      [edit protocols rstp force-version stp]

STP is disabled by default on MX Series products.
With the L2NG CLI implementation, STP is enabled by default.
L2NG – NEW FEATURES ON NEXT-GEN EX CORE
L2NG – NEW FEATURES ON NEXT-GEN EX CORE

Storm Control: prevents starvation of link resources by BUM traffic
sFlow: Jflow-like traffic monitoring functionality
Analyzer: traffic monitoring even across different L2 networks
Access Security: DHCP Snooping, DAI
RTG: LAG-like redundant trunk group without requiring configuration at both ends
Access Control: 802.1X, MAC RADIUS, Captive Portal
MLD Snooping: IPv6 multicast traffic forwarding within a VLAN
PVLAN: segregation of traffic within a VLAN



L2NG – STORM CONTROL
§ The storm control feature monitors traffic levels and drops broadcast and unknown unicast packets when a specified level is exceeded.

EX Series:
[edit ethernet-switching-options storm-control]
interface ge-0/0/0.0 {
    bandwidth 1500;
    [no-broadcast | no-unknown-unicast | no-multicast | ..]
}
action shutdown;
[edit ethernet-switching-options]
port-error-disable {
    disable-timeout 60;
}

L2NG:
[edit forwarding-options storm-control-profiles]
foo {
    all {
        bandwidth [percentage] 1500;
        [no-unknown-unicast | no-broadcast | no-multicast | no-registered-multicast | no-unregistered-multicast]
    }
    shutdown;
}
[edit interfaces]
ge-0/0/0 {
    ether-options {
        ethernet-switch-profile {
            storm-control foo;
            disable-timeout <x>;
        }
    }
}
or, applied per logical unit:
ge-0/0/0 {
    unit 0 {
        family ethernet-switching {
            storm-control bar;
            disable-timeout <x>;
        }
    }
}
L2NG – sFLOW
[Figure: sFlow agents on the switches send sampled traffic data to an sFlow collector for traffic analysis]
§ Used to monitor traffic to provide visibility into high-speed switched or routed networks
§ Up to four sFlow collectors can be configured per switch
§ Supports two types of sampling:
  § Packet-based
  § Time-based


L2NG – sFLOW CLI
EX Series and L2NG (the same stanza on both):
[edit protocols]
sflow {
    agent-id <ip-address>;
    collector {
        <ip-address>;
        udp-port <port-number>;
    }
    disable;
    interfaces interface-name {
        disable;
        polling-interval <seconds>;
        sample-rate number;
    }
    polling-interval seconds;
    sample-rate number;
    source-ip ip-address;
}



L2NG – PORT MIRRORING/ANALYZER
§ Port mirroring copies packets to either a local interface for local monitoring or to a VLAN for remote monitoring.
- MX Series uses the port-mirroring CLI while EX Series uses the analyzer CLI

EX Series:
[edit ethernet-switching-options]
analyzer foo {
    output {
        interface {
            ge-0/0/45.0;
        }
    }
}
[edit firewall family ethernet-switching analyzer-filter]
term 0 {
    then analyzer foo;
}
[edit interfaces]
ge-0/0/1 {
    unit 0 {
        family ethernet-switching {
            filter [input | output] analyzer-filter;
        }
    }
}

MX Series:
[edit forwarding-options]
port-mirroring {
    family vpls {
        output {
            interface ge-1/1/45.0;
        }
    }
}
[edit interfaces]
ge-0/0/1 {
    unit 0 {
        family bridge {
            filter input port-mirror-filter;
            filter output port-mirror-filter;
        }
    }
}
ge-0/0/5 {
    unit 0 {
        family bridge {
            filter input port-mirror-filter;
            filter output port-mirror-filter;
        }
    }
}
[edit firewall family bridge filter port-mirror-filter]
term 0 {
    then port-mirror;
}
L2NG – PORT MIRRORING/ANALYZER UNIFIED CLI
[edit forwarding-options]
port-mirroring {
    family ethernet-switching {
        foo {
            output {
                interface ge-1/1/45.0;
            }
        }
    }
}

[edit interfaces]
ge-0/0/1 {
    unit 0 {
        family ethernet-switching {
            filter input port-mirror-filter;
            filter output port-mirror-filter;
        }
    }
}
ge-0/0/5 {
    unit 0 {
        family ethernet-switching {
            filter input port-mirror-filter;
            filter output port-mirror-filter;
        }
    }
}

[edit firewall family ethernet-switching filter port-mirror-filter]
term 0 {
    then port-mirror foo;
}


L2NG – ACCESS SECURITY
DHCP SNOOPING
§ DHCP snooping is used to prevent rogue DHCP server attacks
§ Configured on the port connected to the valid DHCP server
§ Once configured, no other ports will respond to DHCP request packets, thus preventing the attacks
§ L2NG CLI uses the MX Series style, but in a separate stanza to decouple it from the DHCP relay functionality

EX Series:
[edit ethernet-switching-options secure-access-port]
interface ge-0/0/0.0 {
    dhcp-trusted;
}
vlan v1 {
    examine-dhcp;
}

L2NG:
[edit vlans vlan1 forwarding-options]
dhcp-security {
    forward-snooped-clients configured-interfaces;
    group frankfurt {
        overrides {
            allow-snooped-clients;
        }
        interface ge-1/0/0.0 {
            upto ge-1/0/4.0;
        }
    }
}

MX Series:
[edit bridge-domains bd1 forwarding-options]
dhcp-relay {
    forward-snooped-clients configured-interfaces;
    group frankfurt {
        overrides {
            allow-snooped-clients;
        }
        interface ge-1/0/0.0 {
            upto ge-1/0/4.0;
        }
    }
}



L2NG – MAC-LIMITING/SOURCE ADDRESS FILTERING
§ The MAC-limiting feature on EX is called source address filtering on MX products
- L2NG CLI also supports the MAC-limiting and MAC-move-limiting actions, as on EX

EX Series:
ethernet-switching-options {
    secure-access-port {
        interface ge-0/0/0.0 {
            allowed-mac 00:05:85:3A:82:80;
            allowed-mac 00:05:85:3A:82:81;
            allowed-mac 00:05:85:3A:82:83;
            allowed-mac 00:05:85:3A:82:85;
        }
    }
}

L2NG:
interface ge-0/0/0 {
    ether-options {
        source-address-filter {
            00:05:85:3A:82:80;
            00:05:85:3A:82:81;
            00:05:85:3A:82:83;
            00:05:85:3A:82:85;
        }
    }
}

MX Series:
interface ge-0/0/0 {
    gigether-options {
        source-address-filter {
            00:05:85:3A:82:80;
            00:05:85:3A:82:81;
            00:05:85:3A:82:83;
            00:05:85:3A:82:85;
        }
    }
}



L2NG – ACCESS CONTROL
§ MX Series only supports dot1x single-supplicant mode
- Multi-supplicant, MAC-RADIUS authentication, captive portal and other dot1x features will be added as-is from the EX Series CLI



L2NG – ACCESS CONTROL CLI (CONT.)

EX Series:
[edit protocols dot1x]
authenticator {
    authentication-profile-name foo;
    interface ge-0/0/0 {
        maximum-requests seconds;
        quiet-period seconds;
        reauthentication (disable | interval seconds);
        retries integer;
        server-timeout seconds;
        supplicant [single | multiple | single-secure];
        transmit-period seconds;
    }
}
[edit services captive-portal]
authentication-profile-name cp;
custom-options {
    banner-message string;
    footer-bgcolor color;
    footer-message ;
}
interface (all | [interface-names]) {
    supplicant (multiple | single | single-secure)
}

L2NG:
protocols {
    authentication-access-control {
        traceoptions (file | flag | <config-internal | dot1x-debug | eapol | esw-if | general | normal | parse | task>);
        static <mac-addresses | interface | vlan>;
        authentication-profile-name foo;
        interface (all | [interface-ids]) {
            supplicant (single | secure | multiple);
            dot1x {
                transmit-period <seconds>;
                supplicant-timeout <seconds>;
                maximum-requests <seconds>;
                [no-]captive-portal;
            }
        }
        /* Captive portal configuration */
        captive-portal-custom-options {
            banner-message
            footer-bgcolor
            footer-message
            footer-text-color
        }
    }
}



L2NG CLI – IGMP SNOOPING
§ IGMP snooping allows the switch to send multicast traffic only to the intended destination hosts
- Helps control multicast traffic in a switched network

EX Series:
protocols {
    igmp-snooping {
        vlan vlan100 {
            interface ge-0/0/0.0 {
                multicast-router-interface;
                static {
                    group 225.1.1.1;
                }
            }
        }
    }
}

L2NG:
protocols {
    igmp-snooping {
        vlan vlan100 {
            interface ge-0/0/0.0 {
                multicast-router-interface;
                static {
                    group 225.1.1.1;
                }
            }
        }
    }
}

MX Series:
bridge-domains {
    vlan100 {
        protocols {
            igmp-snooping {
                interface ge-0/0/0.0 {
                    multicast-router-interface;
                    static {
                        group 225.1.1.1;
                    }
                }
            }
        }
    }
}



L2NG – REDUNDANT TRUNK GROUP (RTG)
§ With RTG, if the primary link fails the secondary link automatically takes over without waiting for normal STP convergence

EX Series:
[edit ethernet-switching-options]
redundant-trunk-group {
    group g1 {
        preempt-cutover-timer 60;
        interface ge-0/0/9.0 {
            primary;
        }
        interface ge-0/0/10.0;
    }
}

L2NG:
[edit interfaces]
ge-0/0/0 {
    ether-options {
        redundant-trunk-group {
            rtg0;
            primary;
        }
    }
}
ge-0/0/1 {
    ether-options {
        redundant-trunk-group {
            rtg0;
        }
    }
}
rtg0 {
    rtg-ether-options {
        preempt-cutover-timer <time_in_secs>
    }
}
L2NG – PRIVATE VLAN (PVLAN)
§ PVLAN allows a broadcast domain to be split into multiple isolated broadcast domains

EX Series:
[edit vlans]
hr-comm {
    vlan-id 300;
    interface {
        ge-1/1/13.0;
        ge-1/1/14.0;
    }
    primary-vlan vlan100;
}
vlan100 {
    vlan-id 100;
    pvlan {
        isolation-vlan-id 200;
    }
    interface {
        ge-1/1/1.0 {
            pvlan-trunk;
        }
        ge-1/1/2.0 {
            promiscuous;
        }
        ge-1/1/3.0 {
            isolated;
        }
    }
}

L2NG:
interfaces {
    ge-1/1/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members 10;    /* promiscuous port */
                }
            }
        }
    }
    ge-1/1/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 20;    /* isolated port */
                }
            }
        }
    }
}
routing-instances {
    vs {
        instance-type virtual-switch;
        interface ge-1/1/1.0;
        interface ge-1/1/2.0;
        vlans {
            Vp {
                vlan-id 10;    /* primary vlan */
                isolated-vlan 20 name Vi;
            }
        }
    }
}
KEY TAKEAWAYS

§ Though there are differences between MX Series and EX Series, they are only syntactic, not semantic
§ Aliasing will be used for backward compatibility

