Switching

  • 1.  Switch Port Configuration - Newbie Question

    Posted 08-24-2012 07:34

    We've got a bunch of ex2200 switches deployed and we are cutting our teeth on them.  Coming from a cisco background FWIW.

     

    The switches were setup by our vendor so I know we have a decent base config.  I've read tons of docs, posts and tried the IOS to JUNOS translator.  What I am trying to see is how the JUNOS gurus would translate the switch port below from IOS.  Thanks!

     

     

    interface GigabitEthernet3/31
     description F1-P13-11 - 205
     switchport access vlan 15
     switchport mode access
     switchport voice vlan 55
     switchport port-security maximum 2
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     qos trust cos
     spanning-tree portfast
     spanning-tree bpduguard enable
     service-policy input qos
    

     


    #config
    #IOS
    #switchport
    #JUNOS


  • 2.  RE: Switch Port Configuration - Newbie Question

    Posted 08-24-2012 09:16

    interface GigabitEthernet3/31
    description F1-P13-11 - 205     
    switchport access vlan 15
    switchport mode access
    switchport voice vlan 55
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    qos trust cos
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input qos

     

     

     

    Junos commands:

     

    set interfaces xe-x/y/z description <description>

    set vlans vlan.15 vlan-id 15

    set interfaces xe-x/y/z.0 family ethernet-switching port-mode access vlan members 15

    set vlans vlan.55 vlan-id 55

    set ethernet-switching-options voip interface xe-x/y/z vlan vlan.55

    set ethernet-switching-options voip interface xe-x/y/z forwarding-class expedited-forwarding

    set ethernet-switching-options secure-access-port interface xe-x/y/z mac-limit 2 action drop

    set ethernet-switching-options port-error-disable disable-timeout 120

    set protocols rstp interface xe-x/y/z edge

    set ethernet-switching-options bpdu-block interface xe-x/y/z

    set interfaces xe-x/y/z.0 family ethernet-switching filter input <filter-name>

     

    PS: for the cos policy, you need to go through the config guide (the cos is much more structural and modular in junos.. I would strongly suggest you to go through the cos guide and come up with the config that works for you).

     

    PPS: I do not have access to a switch right now and mentioned the commands from memory. please go through the syntax on the EX configuration guide and double check the config during testing before actual deployment 🙂

     

    Cheers,

    ankit



  • 3.  RE: Switch Port Configuration - Newbie Question

    Posted 08-24-2012 09:28

     

    I see what you mean about the IOS to Junos translation tool...it came up with the following:

     

    interfaces {

        ge-3/0/31 {

            description "F1-P13-11 - 205";

            hold-time up 0 down 2000;

            unit 0 {

                proxy-arp;

                family ethernet-switching {

                    port-mode access;

                }

            }

        }

    }

    ethernet-switching-options {

        secure-access-port {

            interface ge-3/0/31.0 {

                mac-limit 2 action drop;

     

    So, let's create the VLANs first:

     

    set vlans DATA vlan-id 15

    set vlans VOICE vlan-id 55

     

    Then we set the interface as an Access port using the following command:

     

    set interfaces ge-3/0/31.0 family ethernet-switching port-mode access

     

    then to assign the interface to the vlan DATA, you enter:

     

    set vlans DATA interface ge-3/0/31.0

     

    In order to add the interface to the vlan VOICE, you enter the following:

     

    set ethernet-switching-options voip interface ge-3/0/31.0 vlan VOICE

     

    Once we have done this, we can tell the switch to apply Class of Service to all VoIP traffic originating from that interface:

     

    set ethernet-switching-options voip interface ge-3/0/31.0 forwarding-class assured-forwarding

     

    If you want to specify all access ports as VoIP ports, you can also add the following:

     

    set ethernet-switching-options voip interface access-ports forwarding-class assured-forwarding

     

    To check our work, we can run

     

    show vlans

     

    Name           Tag     Interfaces
    DATA           15
                           ge-3/0/31.0
    VOICE          55
                           ge-3/0/31.0

     

    Once done, we then need to do port security and setting the portfast alternative...



  • 4.  RE: Switch Port Configuration - Newbie Question

    Posted 08-24-2012 09:42

    The replacement to the spanning tree portfast would basically be:

     

    set protocols vstp vlan DATA interface ge-3/0/31.0 edge

     

    The security would be:

     

    set ethernet-switching-options secure-access-port interface ge-3/0/31.0 mac-limit 2 action drop

     

    The interface number I am using here is to reflect what the IOS translator made it, so you'd change it to the proper interface number



  • 5.  RE: Switch Port Configuration - Newbie Question

    Posted 08-26-2012 14:44

    Additionally, I would also suggest taking the JEX and the AJEX courses. They both cover port security and voice VLANs. Of course the JEX will get you all you need to know and you will understand Juniper's technology, instead of someone just telling you what statements to use to configure the switches.



  • 6.  RE: Switch Port Configuration - Newbie Question

    Posted 08-28-2012 14:31

    Hey,

     

    To add one more: if you have LOTS of these kinds of ports, you might want to look into the groups statements, which are kind of a template you define for a port; then you just say at the port that you want to use the template for this port.

     

    (from the top of my head, don't hit me if I remember something wrong)

     

    groups {                                  # define a group
        InterfaceDataVoice {                  # with the name InterfaceDataVoice
            interfaces {
                <*> {                         # match it on ALL interfaces, this could also be <ge-*> or <xe-*>
                    unit 0 {
                        family ethernet-switching {
                            port-mode access; # configuration statements for the ports ...
                            vlan {
                                members DATA; # ....
                            }
                            [... and so on ...]
                        }
                    }
                }
            }
        }
    }

    interfaces {
        ge-x/y/z {                            # inside an interface
            apply-groups InterfaceDataVoice;  # apply the group "InterfaceDataVoice"
        }
    }

     

    Now if you use this example, you need to realize that you need to define the "full" config (i.e. all subhierarchies of the config, that's why you start with interfaces in the first place and wildcard the interface name). This is because you can use apply-groups on ALL levels of the hierarchy, and Junos will strip the hierarchies which are above apply-groups from the groups "template" and apply only everything inside.  That being said, you could also use this to apply the config to all ge- ports:

     

    groups {                                  # define a group
        InterfaceDataVoice {                  # with the name InterfaceDataVoice
            interfaces {
                <ge-*> {                      # match it on all ge- interfaces only
                    unit 0 {
                        family ethernet-switching {
                            port-mode access; # configuration statements for the ports ...
                            vlan {
                                members DATA; # ....
                            }
                            [... and so on ...]
                        }
                    }
                }
            }
        }
    }
    apply-groups InterfaceDataVoice;  # note: this is toplevel, not inside the interfaces hierarchy

     

     -R

     

    PS: https://www.juniper.net/techpubs//en_US/junos/topics/task/configuration/junos-software-configuration-group-creating.html



  • 7.  RE: Switch Port Configuration - Newbie Question

    Posted 09-05-2012 12:01

    Thank you to everyone for the great feedback.  It has been really helpful.  It gets us by until we can get some formal training.

     

    I do have a follow up question.  On certain items, it appears some settings are given and do not need to be set.  For instance - setting a port as an access port - if not explicitly set, it appears to be the default.  I say appears because when looking at ports in the JWEB gui it shows all ports as access even though some do not have the explicit setting and some do (the ones we modified).  Is that correct?



  • 8.  RE: Switch Port Configuration - Newbie Question

    Posted 09-05-2012 23:03

    Hi,

     

    You're right: every 'ethernet-switching' port that is not assigned a port-mode is an access port in the default VLAN. Consider these outputs:

     

    root@beta-mclag1# show interfaces xe-0/0/47 | display set
    set interfaces xe-0/0/47 unit 0 family ethernet-switching

    [edit]
    root@beta-mclag1# commit
    commit complete

    [edit]

    root@beta-mclag1# run show vlans default detail
    VLAN: default, 802.1Q Tag: Untagged, Admin State: Enabled
    Number of interfaces: 1 (Active = 1)
    Untagged interfaces: xe-0/0/47.0*   <<<<<<<<<<<<<<<

    [edit]

     

    Cheers,

    ankit
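
Added example, not code from any poster in this thread or from Juniper: a small Python audit that reads `display set` output in the legacy EX syntax used above and lists access ports that lack the three protections the IOS port had (MAC limit, BPDU block, edge port). It treats a port with no `port-mode` statement as an access port, as the last reply confirms; the sample configuration and the function name `audit` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of "show configuration | display set" output (legacy EX
# syntax as used in this thread); not taken from a real switch.
SAMPLE = """\
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/24 unit 0 family ethernet-switching port-mode trunk
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 mac-limit 2 action drop
set ethernet-switching-options secure-access-port interface ge-0/0/3.0 mac-limit 2 action drop
set ethernet-switching-options bpdu-block interface ge-0/0/1.0
set ethernet-switching-options bpdu-block interface ge-0/0/2.0
set protocols rstp interface ge-0/0/1.0 edge
set protocols vstp vlan DATA interface ge-0/0/3.0 edge
"""

PORT = r"(?P<ifd>[a-z]+-\d+/\d+/\d+)"
END = r"(?:\.0)?(?=\s|$)"  # optional ".0" unit suffix, then end of the name
RULES = {
    "mac-limit": re.compile(rf"^set ethernet-switching-options secure-access-port interface {PORT}{END} mac-limit \d+"),
    "bpdu-block": re.compile(rf"^set ethernet-switching-options bpdu-block interface {PORT}{END}"),
    "edge": re.compile(rf"^set protocols (?:rstp|vstp vlan \S+) interface {PORT}{END} edge\b"),
}
SWITCHING = re.compile(rf"^set interfaces {PORT} unit 0 family ethernet-switching(?P<rest>.*)$")

def audit(display_set: str) -> dict:
    """Return {port: sorted list of missing protections} for access ports."""
    access, trunks, have = set(), set(), defaultdict(set)
    for line in display_set.splitlines():
        line = line.strip()
        m = SWITCHING.match(line)
        if m:
            # No port-mode statement means access port in the default VLAN.
            (trunks if "port-mode trunk" in m["rest"] else access).add(m["ifd"])
            continue
        for name, rx in RULES.items():
            m = rx.match(line)
            if m:
                have[m["ifd"]].add(name)
    access -= trunks
    gaps = {p: sorted(set(RULES) - have[p]) for p in sorted(access)}
    return {p: missing for p, missing in gaps.items() if missing}

if __name__ == "__main__":
    for port, missing in audit(SAMPLE).items():
        print(f"{port}: missing {', '.join(missing)}")
```

Settings inherited through `apply-groups` only appear in the output when it is generated with `| display inheritance`, so feed the script that form if port templates are in use.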