Difference between revisions of "JunOS Basics"
(15 intermediate revisions by the same user not shown) | |||
Line 11: | Line 11: | ||
To complete this tutorial, you will need: | To complete this tutorial, you will need: | ||
* A laptop running Linux or MacOS. for this tutorial I will be using a laptop running Ubuntu 16 | * A laptop running Linux or MacOS. for this tutorial I will be using a laptop running Ubuntu 16 | ||
− | * A console cable. Since all the new laptops today don't come with a | + | * A console cable. Since all the new laptops today don't come with a console port, you will need a USB to Console adapter |
* The program "Screen" | * The program "Screen" | ||
If you don't have "screen" install it with the command below | If you don't have "screen" install it with the command below | ||
Line 517: | Line 517: | ||
ppaul2@asw-a1-dfw> show interfaces xe-0/1/0 descriptions | ppaul2@asw-a1-dfw> show interfaces xe-0/1/0 descriptions | ||
− | We see that the interface by default is enable | + | We see that the interface by default is enable but not configured. |
The command below will setup the interface as trunk | The command below will setup the interface as trunk | ||
Line 527: | Line 527: | ||
[edit interfaces xe-0/1/0 unit 0 family ethernet-switching] | [edit interfaces xe-0/1/0 unit 0 family ethernet-switching] | ||
+ port-mode trunk; | + port-mode trunk; | ||
+ | |||
+ | Since this is a trunk port we need to decide from which VLAN this port would allow traffic. We set up 4 VLANS we can specify only the 4 VLANS or just set it to allow traffic from all VALNS | ||
+ | |||
+ | ppaul2@asw-a1-dfw# show interfaces xe-0/1/0 | ||
+ | description trunk_asb-b1; | ||
+ | unit 0 { | ||
+ | family ethernet-switching { | ||
+ | port-mode trunk; | ||
+ | vlan { | ||
+ | members all; | ||
+ | } | ||
+ | } | ||
+ | } | ||
We are done with the basic configuration of the switch. The next set is to configure the second switch and test connectivity between both switches. | We are done with the basic configuration of the switch. The next set is to configure the second switch and test connectivity between both switches. | ||
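Review bot: the added "show interfaces xe-0/1/0" output sets "members all;" on the trunk even though the new paragraph says the four VLANs could be listed instead. Listing private1-a-dfw through private1-d-dfw explicitly keeps any VLAN created later off this link until it is added on purpose. The paragraph also misspells VLANs as "VALNS", and the revision shows only the resulting stanza, not the set command that produces "vlan { members all; }" or the "description trunk_asb-b1;" line.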
Line 566: | Line 579: | ||
We are going to use a fiber to connect both switches. When done, the link on both switches should show "UP" | We are going to use a fiber to connect both switches. When done, the link on both switches should show "UP" | ||
− | ppaul2@asw-a1-dfw> show interfaces descriptions | + | ppaul2@asw-a1-dfw> show interfaces descriptions |
Interface Admin Link Description | Interface Admin Link Description | ||
ge-0/0/1 down down DISABLED | ge-0/0/1 down down DISABLED | ||
Line 602: | Line 615: | ||
private1-a-dfw 00:21:cc:70:fe:7a Learn 0 ge-0/0/0.0 | private1-a-dfw 00:21:cc:70:fe:7a Learn 0 ge-0/0/0.0 | ||
==Testing Vlans== | ==Testing Vlans== | ||
− | For this lab, I am using a CISCO 2621 router for DHCP and have setup sub interfces on the router to route traffics between VALN's (see configuration output below) on the first switch (asw-a1-dfw) I configured port ge-0/0/47 as a trunk to connect the switch to the CISCO router. | + | For this lab, I am using a CISCO 2621 router for DHCP and have setup sub interfces on the router to route traffics between VALN's (see configuration output below) on the first switch (asw-a1-dfw) I configured port ge-0/0/47 as a trunk to connect the switch to the CISCO router. You need to specify too which VLAN's are allowed on that port.In this case i just set it to members = all |
+ | |||
+ | ppaul2@asw-a1-dfw# show | compare | ||
+ | [edit interfaces] | ||
+ | + ge-0/0/47 { | ||
+ | + description trunk_cr; | ||
+ | + unit 0 { | ||
+ | + family ethernet-switching { | ||
+ | + port-mode trunk; | ||
+ | + vlan { | ||
+ | + members all; | ||
+ | + } | ||
+ | + } | ||
+ | + } | ||
+ | + } | ||
+ | |||
+ | |||
+ | *Router output | ||
+ | |||
+ | ip dhcp pool private1-a-dfw | ||
+ | network 10.192.0.0 255.255.252.0 | ||
+ | default-router 10.192.0.1 | ||
+ | ! | ||
+ | ip dhcp pool private1-b-dfw | ||
+ | network 10.192.16.0 255.255.252.0 | ||
+ | default-router 10.192.16.1 | ||
+ | ! | ||
+ | ip dhcp pool private1-c-dfw | ||
+ | network 10.192.32.0 255.255.252.0 | ||
+ | default-router 10.192.32.1 | ||
+ | ! | ||
+ | ip dhcp pool private1-c-dfw | ||
+ | network 10.192.48.0 255.255.252.0 | ||
+ | default-router 10.192.48.1 | ||
+ | |||
+ | interface FastEthernet0/1.1 | ||
+ | encapsulation dot1Q 2000 | ||
+ | ip address 10.192.0.1 255.255.252.0 | ||
+ | ! | ||
+ | interface FastEthernet0/1.2 | ||
+ | encapsulation dot1Q 2001 | ||
+ | ip address 10.192.16.1 255.255.252.0 | ||
+ | ! | ||
+ | interface FastEthernet0/1.3 | ||
+ | encapsulation dot1Q 2002 | ||
+ | ip address 10.192.32.1 255.255.252.0 | ||
+ | ! | ||
+ | interface FastEthernet0/1.4 | ||
+ | encapsulation dot1Q 2003 | ||
+ | ip address 10.192.48.1 255.255.252.0 | ||
+ | |||
+ | We connect our host to each vlan using the correspond port for each vlan and here is the out put from the router: | ||
+ | |||
+ | cr-labppnet#show ip dhcp binding | ||
+ | Bindings from all pools not associated with VRF: | ||
+ | IP address Client-ID/ Lease expiration Type | ||
+ | Hardware address/ | ||
+ | User name | ||
+ | 10.192.0.2 00e0.4c68.0658 Mar 02 1993 12:44 AM Automatic | ||
+ | 10.192.16.2 00e0.4c68.0658 Mar 02 1993 12:29 AM Automatic | ||
+ | 10.192.32.2 00e0.4c68.0658 Mar 02 1993 12:36 AM Automatic | ||
+ | 10.192.48.2 00e0.4c68.0658 Mar 02 1993 12:39 AM Automatic | ||
+ | cr-labppnet# | ||
+ | We can see that our host is able to obtain an address from the 10.192.0.0 network which is the private1-a-dfw vlan and the 10.192.16.0 network which is the second vlan and so on... | ||
=Usefully commands= | =Usefully commands= |
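Review bot: in the added router output the fourth DHCP pool is named "ip dhcp pool private1-c-dfw" a second time while carrying network 10.192.48.0, which pairs with "encapsulation dot1Q 2003" on FastEthernet0/1.4, so the name should read private1-d-dfw. The rewritten paragraph above it has typos ("sub interfces", "VALN's", "too which", "port.In"), and the ge-0/0/47 trunk to the router uses "members all;" where the four lab VLANs could be listed explicitly.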
Latest revision as of 23:13, 12 March 2019
In this tutorial we will discuss the basics of JunOS, including:
- How to set up the root password
- How to change the device name
- How to create a user with admin rights using a password and using an SSH key
- How to set up the management interface to SSH in to the switch
- How to create VLANs
- How to create access and trunk ports
- How to create interface ranges
- How to connect 2 switches
Prerequisites
To complete this tutorial, you will need:
- A laptop running Linux or MacOS. For this tutorial I will be using a laptop running Ubuntu 16
- A console cable. Since all the new laptops today don't come with a console port, you will need a USB to Console adapter
- The program "screen"
If you don't have "screen", install it with the command below:
sudo apt-get install screen
Accessing the device
- Step 1: Plug the console cable into the console port of your device and start screen as the root user on your laptop
screen /dev/ttyUSB0
- Step 2: Power on your device
After the device has finished booting, you will get the prompt below
- Step 3: Enter the username and password
By default, the username on all Juniper devices is "root" with no password. At the prompt, just type root and hit Enter.
How to setup the root password
When you come from the CISCO world like me, working with JunOS is a little confusing at the beginning. But after running a couple of commands, you get used to the concept.
To set up the root password, we need to be in configuration mode (#). Right now our prompt is showing "%". Type in
cli
The prompt will change to ">", which is the operational mode. After that, type "edit" or "configure" to enter configuration mode
root@switch:RE:0% cli
{master:0}
root@switch> edit
Entering configuration mode
{master:0}[edit]
root@switch#
To set up the root password with a plain-text password, the command is "set system root-authentication plain-text-password". Type the command and hit Enter. You will be asked to enter a password twice.
root@switch# set system root-authentication plain-text-password
New password:
Retype new password:
{master:0}[edit]
root@switch#
Note: just setting the password is not enough; you need to save the change that you just made. In JunOS, changes are saved by typing the command "commit".
Before we save, there is another useful command that shows all the changes made to the device configuration that have not been saved yet: "show | compare"
root@switch# show | compare
[edit system]
+ root-authentication {
+     encrypted-password "$1$vVYnP0uH$YmTKnA.L0W0KGFtTw36NJ/"; ## SECRET-DATA
+ }
The + sign in front of each line means that the line will be added to the device's configuration. Note: you can make all your changes and, when done, run "show | compare" before you save with "commit", or you can make one change at a time, run "show | compare" and "commit", and then go on to the next change. If you are starting out, I recommend making just one change, then "show | compare", then "commit".
Now we can save our first configuration
root@switch# commit
configuration check succeeds
commit complete
{master:0}[edit]
root@switch#
Now that we have the root password set, we are going to give the switch a name; we will use "asw-a1-dfw". Note: in a production environment I recommend disabling login with the root password. We will discuss this later.
How to change the device name
The command to set the device name is: set system host-name "device_name"
{master:0}[edit]
root@switch# set system host-name asw-a1-dfw
Do a "show | compare"
root@switch# show | compare
[edit system]
+ host-name asw-a1-dfw;
Then a "commit"
root@switch# commit
configuration check succeeds
commit complete
{master:0}[edit]
root@asw-a1-dfw#
We can see that the device name changed from "switch" to "asw-a1-dfw"
How to create a privileged user
In this section, we are going to set up 2 users: one user with a password and another user with an SSH key. The user with the password will be called ppaul1 and the user with the SSH key will be called ppaul2.
Setting user with password
Create user ppaul1
root@asw-a1-dfw# set system login user ppaul1 class super-user authentication plain-text-password
New password:
Retype new password:
root@asw-a1-dfw# show | compare
[edit system]
+ login {
+     user ppaul1 {
+         class super-user;
+         authentication {
+             encrypted-password "$1$LivXhitM$r9CHQgnCiT6nzRt7XhM/k/"; ## SECRET-DATA
+         }
+     }
+ }
root@asw-a1-dfw# commit
configuration check succeeds
commit complete
Testing user ppaul1
Log out from the user "root" by typing "exit" until you get to the login prompt
login: ppaul1
Password:
--- JUNOS 10.4R1.9 built 2010-12-04 09:57:12 UTC
{master:0}
ppaul1@asw-a1-dfw>
We can see that we are now logged in as the user "ppaul1" with a password. In the next step we will create the user ppaul2 with an SSH key.
Setting user with SSH key
You can log in as root to create the user "ppaul2", or just use the user "ppaul1" to create the user "ppaul2", since ppaul2 is a super-user
ppaul1@asw-a1-dfw# set system login user ppaul2 class super-user authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDST4EbXJc9l/AdrVmOZEPl3sxi6qjGIZyPwkupthSdooFHxPxUIh/a5PC9bMk5go6KvRoChpc4L8XuMRsxLTd6Ro6DsWIZieGHFuO/AL9SRUtmevGiSC2q4ibR7ACosJBUvKPRVK8anYnMSL9YWd7lnmVLnW5mvOM3Alhd8aTNKE3/H9ogDt9UfndEJXmieMTLJzGvx65sw6riqa5hh6iOcw02qb3QQCKLSRJmUJQuToY4oo/ZdLl/prEDKQ0I9DSnOxRYIvZxvUsTzwoXVq9X9dWGkKAAMDw7f2DJfa/4uCNT2dKPydApeN0ea2/69VRL3fmTz47y0CC1RTEd8j1j U18pc"
ppaul1@asw-a1-dfw# show | compare
[edit system login]
+ user ppaul2 {
+     class super-user;
+     authentication {
+         ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDST4EbXJc9l/AdrVmOZEPl3sxi6qjGIZyPwkupthSdooFHxPxUIh/a5PC9bMk5go6KvRoChpc4L8XuMRsxLTd6Ro6DsWIZieGHFuO/AL9SRUtmevGiSC2q4ibR7ACosJBUvKPRVK8anYnMSL9YWd7lnmVLnW5mvOM3Alhd8aTNKE3/H9ogDt9UfndEJXmieMTLJzGvx65sw6riqa5hh6iOcw02qb3QQCKLSRJmUJQuToY4oo/ZdLl/prEDKQ0I9DSnOxRYIvZxvUsTzwoXVq9X9dWGkKAAMDw7f2DJfa/4uCNT2dKPydApeN0ea2/69VRL3fmTz47y0CC1RTEd8j1j U18pc"; ## SECRET-DATA
+     }
+ }
ppaul1@asw-a1-dfw# commit
configuration check succeeds
commit complete
We cannot test the user ppaul2 until we set up the management interface and SSH on the device, which we are going to do in the next section (see 6.3)
How to setup management interface and SSH
Setting up management interface
The management interface on a Juniper switch is called "me0". All interfaces are enabled by default on Juniper switches. Let us use the command "show interfaces me0" to see its output.
Note: you need to be in operational mode (>) to execute this command
ppaul1@asw-a1-dfw> show interfaces me0
Physical interface: me0, Enabled, Physical link is Down
  Interface index: 1, SNMP ifIndex: 33
  Type: Ethernet, Link-level type: Ethernet, MTU: 1514
  Device flags : Present Running No-Carrier
  Interface flags: Hardware-Down SNMP-Traps
  Current address: 5c:5e:ab:75:6c:81, Hardware address: 5c:5e:ab:75:6c:ff
  Last flapped : 2016-07-25 01:49:33 UTC (00:00:06 ago)
    Input packets : 1248
    Output packets: 280
  Logical interface me0.0 (Index 6) (SNMP ifIndex 34)
    Flags: Device-Down SNMP-Traps Encapsulation: ENET2
    Input packets : 1248
    Output packets: 280
    Protocol eth-switch
      Flags: Is-Primary
We can see that the interface is enabled and down. Down means there is no cable plugged into it. Now enter configuration mode and type "show interfaces me0"
{master:0}[edit]
ppaul1@asw-a1-dfw# show interfaces me0
{master:0}[edit]
We see that there is no output. This means that the interface is enabled but not configured.
Let us configure the interface by typing the command "set interfaces me0 unit 0 family inet address 10.192.0.100/24" (please change this IP address to match your environment).
ppaul1@asw-a1-dfw# set interfaces me0 unit 0 family inet address 10.192.0.101/24
See what the changes will be
{master:0}[edit]
ppaul1@asw-a1-dfw# show | compare
[edit interfaces]
+ me0 {
+     unit 0 {
+         family inet {
+             address 10.192.0.101/24;
+         }
+     }
+ }
Now save the changes
ppaul1@asw-a1-dfw# commit
configuration check succeeds
commit complete
Check the interface again
ppaul1@asw-a1-dfw# show interfaces me0
unit 0 {
    family inet {
        address 10.192.0.101/24;
    }
}
We see that an IP address is now set on the interface
The next step is to plug a cable into the interface and check whether the link on the interface is "up". Go back to operational mode and type "show interfaces me0", or from configuration mode just type "run show interfaces me0"
ppaul1@asw-a1-dfw# run show interfaces me0
Physical interface: me0, Enabled, Physical link is Up
  Interface index: 1, SNMP ifIndex: 33
  Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps
  Device flags : Present Running
  Interface flags: SNMP-Traps
  Link type : Full-Duplex
  Current address: 5c:5e:ab:75:6c:ff, Hardware address: 5c:5e:ab:75:6c:ff
  Last flapped : 2016-07-25 02:05:21 UTC (00:00:44 ago)
    Input packets : 1248
    Output packets: 283
  Logical interface me0.0 (Index 7) (SNMP ifIndex 34)
    Flags: SNMP-Traps Encapsulation: ENET2
    Bandwidth: 0
    Input packets : 0
    Output packets: 3
    Protocol inet
      Flags: Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.192.0/24, Local: 10.192.0.101, Broadcast: 10.192.0.255
We see from the output that the interface is up. The next step is to enable SSH
Enable SSH
We just need one simple command to enable SSH on the device. The command is "set system services ssh"
ppaul1@asw-a1-dfw# set system services ssh
ppaul1@asw-a1-dfw# show | compare
[edit system]
+ services {
+     ssh;
+ }
{master:0}[edit]
ppaul1@asw-a1-dfw# commit
configuration check succeeds
commit complete
Now let us test the user "ppaul2". On your laptop, open a terminal window and type "ssh ppaul2@10.192.0.101" (replace the IP address with the one you set up)
Testing user ppaul2
ssh ppaul2@10.192.0.101
--- JUNOS 10.4R1.9 built 2010-12-04 09:57:12 UTC
{master:0}
ppaul2@asw-a1-dfw>
We are able to log in to the device as the user "ppaul2" without a password. In the next section we are going to create 4 VLANs.
How to create VLANs
In this section we are going to create 4 VLANs
- Vlan private1-a-dfw with ID 2000
- Vlan private1-b-dfw with ID 2001
- Vlan private1-c-dfw with ID 2002
- Vlan private1-d-dfw with ID 2003
The command to create a VLAN is "set vlans vlan_name vlan-id XXXX"
ppaul2@asw-a1-dfw# set vlans private1-a-dfw vlan-id 2000
Check the output before saving
ppaul2@asw-a1-dfw# show | compare
[edit]
+ vlans {
+     private1-a-dfw {
+         vlan-id 2000;
+     }
+ }
ppaul2@asw-a1-dfw# commit
configuration check succeeds
commit complete
We have the first VLAN. We are going to use the same command to create the other VLANs, changing the vlan_name and the vlan-id. After creating all the VLANs, type the command "show vlans"
Output
ppaul2@asw-a1-dfw# show vlans
private1-a-dfw {
    vlan-id 2000;
}
private1-b-dfw {
    vlan-id 2001;
}
private1-c-dfw {
    vlan-id 2002;
}
private1-d-dfw {
    vlan-id 2003;
}
Now that we have all the VLANs set up, in the next section we are going to create 5 interface-ranges.
How to create interfaces range
As I mentioned earlier when setting up the management interface me0, all interfaces on Juniper devices are enabled by default. Setting up interface ranges helps to better organize and manage the device. Think of an interface range as a group or category in which you can group interfaces that share the same configuration. For security reasons, it is best to disable all interfaces by default and enable an interface only when it has to be used.
The first interface-range we are going to create is called disable; it will have the description DISABLED and we will set its interfaces to disable.
ppaul2@asw-a1-dfw# set interfaces interface-range disable disable description DISABLED
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare
[edit interfaces]
+ interface-range disable {
+     description DISABLED;
+     disable;
+ }
We can see that we created an interface-range named disable with the description DISABLED and that we disabled the interface range.
We cannot save the changes until the interface range has a member. If we try to commit right now, with the interface-range having no member, we get:
ppaul2@asw-a1-dfw# commit
error: interface-range 'disable' has no member/member-range statements
error: interface-ranges expansion failed
Before assigning a member to the interface-range, type "show interfaces" in configuration mode
ppaul2@asw-a1-dfw# show interfaces
interface-range disable {
    description DISABLED;
    disable;
}
ge-0/0/0 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/1 {
    unit 0 {
        family ethernet-switching;
    }
}
---
This output lists all the interfaces on the device. If you have 1GB interfaces and 10GB interfaces, the 1GB interfaces will be listed as ge-0/0/x and the 10GB interfaces as xe-0/1/x. For the 1GB interfaces x = 0 to n, n being the last interface on the device. For example, if you have a device with 48 interfaces, n = 48, so you will have ge-0/0/0 to ge-0/0/48.
On a device with 48 interfaces, we have the option to move all 48 interfaces into the interface-range disable at once by using the member-range <start-range> to <end-range> command. But in this tutorial, we are going to move the interfaces using just "member", which is used to add interfaces one by one. I like this option because of the layout.
How to assign members to an interface-range
We are going to assign the first 2 interfaces, ge-0/0/0 and ge-0/0/1, to our interface-range disable
ppaul2@asw-a1-dfw# set interfaces interface-range disable member ge-0/0/0
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare
[edit interfaces]
+ interface-range disable {
+     member ge-0/0/0;
+     description DISABLED;
+     disable;
+ }
ppaul2@asw-a1-dfw# set interfaces interface-range disable member ge-0/0/1
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare
[edit interfaces]
+ interface-range disable {
+     member ge-0/0/0;
+     member ge-0/0/1;
+     description DISABLED;
+     disable;
+ }
Now that we have the first 2 interfaces in the interface-range disable, let us save the changes and issue the command "show interfaces ge-0/0/0 descriptions" in operational mode. Also issue the command "show interfaces"
ppaul2@asw-a1-dfw> show interfaces ge-0/0/0 descriptions
Interface Admin Link Description
ge-0/0/0 down down DISABLED
ppaul2@asw-a1-dfw> show interfaces
Physical interface: ge-0/0/0, Administratively down, Physical link is Down
  Interface index: 130, SNMP ifIndex: 504
  Description: DISABLED
Physical interface: ge-0/0/1, Administratively down, Physical link is Down
  Interface index: 131, SNMP ifIndex: 506
  Description: DISABLED
Create interface range for VLANS
In this section, we are going to create 4 interface-ranges for the 4 VLANs we created in section 7
- vlan-private1-a-dfw
- vlan-private1-b-dfw
- vlan-private1-c-dfw
- vlan-private1-d-dfw
We already know the command to create an interface-range.
{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces interface-range vlan-private1-a-dfw unit 0 family ethernet-switching vlan members private1-a-dfw
This will create the interface-range vlan-private1-a-dfw and assign the private1-a-dfw VLAN to it.
Next, we are going to set this interface range to be an access interface.
{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces interface-range vlan-private1-a-dfw unit 0 family ethernet-switching port-mode access
Check before saving.
ppaul2@asw-a1-dfw# show | compare
[edit interfaces]
  interface-range disable { ... }
+ interface-range vlan-private1-a-dfw {
+     unit 0 {
+         family ethernet-switching {
+             port-mode access;
+             vlan {
+                 members private1-a-dfw;
+             }
+         }
+     }
+ }
Before saving, we need to assign at least one member to the interface range and give that member a description
{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces interface-range vlan-private1-a-dfw member ge-0/0/2
ppaul2@asw-a1-dfw# show | compare
[edit interfaces]
  interface-range disable { ... }
+ interface-range vlan-private1-a-dfw {
+     member ge-0/0/2;
+     unit 0 {
+         family ethernet-switching {
+             port-mode access;
+             vlan {
+                 members private1-a-dfw;
+             }
+         }
+     }
+ }
[edit interfaces ge-0/0/2]
+ description testsrv2001;
Now we can save the changes and issue the command "show interfaces"
{master:0}[edit]
ppaul2@asw-a1-dfw# show interfaces
interface-range disable {
    member ge-0/0/0;
    member ge-0/0/1;
    description DISABLED;
    disable;
}
interface-range vlan-private1-a-dfw {
    member ge-0/0/2;
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members private1-a-dfw;
            }
        }
    }
}
---
Use the same steps to create the other interface-ranges. After that we should have all 4 interface-ranges, each one with at least 1 member.
{master:0}[edit]
ppaul2@asw-a1-dfw# show interfaces
interface-range disable {
    member ge-0/0/0;
    member ge-0/0/1;
    description DISABLED;
    disable;
}
interface-range vlan-private1-a-dfw {
    member ge-0/0/2;
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members private1-a-dfw;
            }
        }
    }
}
interface-range vlan-private1-b-dfw {
    member ge-0/0/12;
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members private1-b-dfw;
            }
        }
    }
}
interface-range vlan-private1-c-dfw {
    member ge-0/0/23;
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members private1-c-dfw;
            }
        }
    }
}
interface-range vlan-private1-d-dfw {
    member ge-0/0/35;
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members private1-d-dfw;
            }
        }
    }
}
Now that we have all VLANs and interface-ranges set up, it is time to configure a trunk interface that will connect this switch to our second switch.
Setup a trunk interface
It is best practice to use a 10GB interface when configuring a trunk port that connects to another switch. In our case the switch has one 10GB interface, and we are going to use it as the trunk interface. You can also use any 1Gb port as a trunk port.
ppaul2@asw-a1-dfw> show interfaces | match xe
Physical interface: xe-0/1/0, Enabled, Physical link is Down
  Logical interface xe-0/1/0.0 (Index 115) (SNMP ifIndex 703)
{master:0}
ppaul2@asw-a1-dfw> show interfaces xe-0/1/0 descriptions
We see that the interface is enabled by default but not configured. The command below will set up the interface as a trunk
{master:0}[edit]
ppaul2@asw-a1-dfw# set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk
{master:0}[edit]
ppaul2@asw-a1-dfw# show | compare
[edit interfaces xe-0/1/0 unit 0 family ethernet-switching]
+ port-mode trunk;
Since this is a trunk port, we need to decide which VLANs this port will carry traffic for. We set up 4 VLANs, so we can either specify only those 4 VLANs or just set the port to allow traffic from all VLANs
ppaul2@asw-a1-dfw# show interfaces xe-0/1/0
description trunk_asb-b1;
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }
}
We are done with the basic configuration of the switch. The next step is to configure the second switch and test connectivity between both switches.
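
The two choices made above (unused ports go into the disable interface-range, and a trunk can list only the VLANs it needs instead of "members all") can be checked against a saved configuration. The script below is an added example, not part of the original tutorial: it parses text in the brace layout printed by "show interfaces" in configuration mode and reports ports that are neither disabled nor given a port-mode, and trunks set to "members all". The function names, finding labels and sample configuration are constructed for illustration; it assumes a port missing from the configuration is still enabled and that a member-range varies only in the port number.

```python
import re

# Constructed sample in the brace layout printed by "show interfaces" in
# configuration mode. Names follow the tutorial; ge-0/0/3 is left at defaults.
SAMPLE = """
interface-range disable {
    member-range ge-0/0/0 to ge-0/0/1;
    description DISABLED;
    disable;
}
interface-range vlan-private1-a-dfw {
    member ge-0/0/2;
    unit 0 {
        family ethernet-switching {
            port-mode access;
        }
    }
}
ge-0/0/3 {
    unit 0 {
        family ethernet-switching;
    }
}
xe-0/1/0 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members all;
            }
        }
    }
}
"""


def parse(text):
    """Turn brace-style Junos config into nested dicts keyed by statement."""
    stack = [{}]
    for raw in text.splitlines():
        line = re.sub(r"\s*##.*$", "", raw).strip()  # drop "## SECRET-DATA" etc.
        if not line:
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = {}
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return stack[0]


def range_members(node):
    """Ports named by the member / member-range statements of an interface-range."""
    ports = set()
    for stmt in node:
        words = stmt.split()
        if words[0] == "member":
            ports.add(words[1])
        elif words[0] == "member-range":  # member-range <start> to <end>
            # Assumption: only the port number (last field) varies in the range.
            prefix, first = words[1].rsplit("/", 1)
            last = words[3].rsplit("/", 1)[1]
            ports.update(f"{prefix}/{n}" for n in range(int(first), int(last) + 1))
    return ports


def audit(text, physical_ports):
    """Return sorted (finding, name) pairs for the two checks."""
    cfg = parse(text)
    findings, in_range = [], set()
    for name, node in cfg.items():
        if name.startswith("interface-range "):
            in_range |= range_members(node)
        sw = node.get("unit 0", {}).get("family ethernet-switching", {})
        if "port-mode trunk" in sw and "members all" in sw.get("vlan", {}):
            findings.append(("trunk-carries-all-vlans", name))
    for port in physical_ports:
        node = cfg.get(port, {})
        sw = node.get("unit 0", {}).get("family ethernet-switching", {})
        has_mode = any(s.startswith("port-mode ") for s in sw)
        if port not in in_range and "disable" not in node and not has_mode:
            findings.append(("enabled-but-unassigned", port))
    return sorted(findings)


if __name__ == "__main__":
    print(audit(SAMPLE, [f"ge-0/0/{n}" for n in range(5)] + ["xe-0/1/0"]))
```

The list of physical ports is passed in by the caller because the configuration alone does not say how many ports the switch has.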
Setup second switch
The process of setting up the second switch is the same as setting up the first switch. Just redo all the steps. There are other methods, like copying the configuration from the first switch to the second switch or using Puppet to configure the switch. We are not going to discuss those methods here.
The only thing that will be different on the second switch will be the name of the switch and the management IP. The second switch will be called asw-b1-dfw
Testing connectivity
Now that the 2 switches are set up, we are going to connect them together using port xe-0/1/0. Right now, the ports on both switches are configured as trunk ports and they are not connected (see below).
ppaul2@asw-a1-dfw> show interfaces descriptions
Interface Admin Link Description
ge-0/0/1 down down DISABLED
ge-0/0/2 down down DISABLED
ge-0/0/3 down down DISABLED
ge-0/0/4 down down DISABLED
ge-0/0/5 down down DISABLED
ge-0/0/6 down down DISABLED
xe-0/1/0 up down trunk_asb-b1
ppaul2@asw-b1-dfw> show interfaces descriptions
Interface Admin Link Description
ge-0/0/1 down down DISABLE
ge-0/0/2 down down DISABLE
ge-0/0/3 down down DISABLE
ge-0/0/4 down down DISABLE
ge-0/0/5 down down DISABLE
ge-0/0/6 down down DISABLE
ge-0/0/7 down down DISABLE
ge-0/0/8 down down DISABLE
ge-0/0/9 down down DISABLE
ge-0/0/10 down down DISABLE
ge-0/0/11 down down DISABLE
xe-0/1/0 up down trunk_asw-a1
- Connect both switches
We are going to use a fiber to connect both switches. When done, the link on both switches should show "UP"
ppaul2@asw-a1-dfw> show interfaces descriptions
Interface Admin Link Description
ge-0/0/1 down down DISABLED
ge-0/0/2 down down DISABLED
ge-0/0/3 down down DISABLED
ge-0/0/4 down down DISABLED
ge-0/0/5 down down DISABLED
ge-0/0/6 down down DISABLED
xe-0/1/0 up up trunk_asb-b1
ppaul2@asw-b1-dfw> show interfaces descriptions
Interface Admin Link Description
ge-0/0/1 down down DISABLE
ge-0/0/2 down down DISABLE
ge-0/0/3 down down DISABLE
ge-0/0/4 down down DISABLE
ge-0/0/5 down down DISABLE
ge-0/0/6 down down DISABLE
ge-0/0/7 down down DISABLE
ge-0/0/8 down down DISABLE
ge-0/0/9 down down DISABLE
ge-0/0/10 down down DISABLE
ge-0/0/11 down down DISABLE
xe-0/1/0 up up trunk_asw-a1
- Connect a host on port ge-0/0/0, which is part of vlan private1-a-dfw
ppaul2@asw-a1-dfw> show interfaces descriptions
Interface Admin Link Description
ge-0/0/0 up up test_host1
ppaul2@asw-a1-dfw> show ethernet-switching table interface ge-0/0/0
Ethernet-switching table: 1 unicast entries
VLAN              MAC address        Type   Age  Interfaces
private1-a-dfw    *                  Flood  -    All-members
private1-a-dfw    00:21:cc:70:fe:7a  Learn  0    ge-0/0/0.0
Testing Vlans
For this lab, I am using a CISCO 2621 router for DHCP and have set up sub-interfaces on the router to route traffic between VLANs (see configuration output below). On the first switch (asw-a1-dfw) I configured port ge-0/0/47 as a trunk to connect the switch to the CISCO router. You also need to specify which VLANs are allowed on that port. In this case I just set it to members = all
ppaul2@asw-a1-dfw# show | compare
[edit interfaces]
+ ge-0/0/47 {
+     description trunk_cr;
+     unit 0 {
+         family ethernet-switching {
+             port-mode trunk;
+             vlan {
+                 members all;
+             }
+         }
+     }
+ }
- Router output
ip dhcp pool private1-a-dfw
 network 10.192.0.0 255.255.252.0
 default-router 10.192.0.1
!
ip dhcp pool private1-b-dfw
 network 10.192.16.0 255.255.252.0
 default-router 10.192.16.1
!
ip dhcp pool private1-c-dfw
 network 10.192.32.0 255.255.252.0
 default-router 10.192.32.1
!
ip dhcp pool private1-c-dfw
 network 10.192.48.0 255.255.252.0
 default-router 10.192.48.1
interface FastEthernet0/1.1
 encapsulation dot1Q 2000
 ip address 10.192.0.1 255.255.252.0
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2001
 ip address 10.192.16.1 255.255.252.0
!
interface FastEthernet0/1.3
 encapsulation dot1Q 2002
 ip address 10.192.32.1 255.255.252.0
!
interface FastEthernet0/1.4
 encapsulation dot1Q 2003
 ip address 10.192.48.1 255.255.252.0
We connect our host to each VLAN using the corresponding port for each VLAN, and here is the output from the router:
cr-labppnet#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address     Client-ID/          Lease expiration        Type
               Hardware address/
               User name
10.192.0.2     00e0.4c68.0658      Mar 02 1993 12:44 AM    Automatic
10.192.16.2    00e0.4c68.0658      Mar 02 1993 12:29 AM    Automatic
10.192.32.2    00e0.4c68.0658      Mar 02 1993 12:36 AM    Automatic
10.192.48.2    00e0.4c68.0658      Mar 02 1993 12:39 AM    Automatic
cr-labppnet#
We can see that our host is able to obtain an address from the 10.192.0.0 network, which is the private1-a-dfw VLAN, from the 10.192.16.0 network, which is the second VLAN, and so on.
Useful commands
Below you will find some useful commands for troubleshooting.
show interfaces descriptions # displays all the interfaces on the switch that have a description
show interfaces descriptions | match "xe-" # shows only the 10G interfaces
show interfaces ge-x/y/z media # adds media-related information
show interfaces diagnostics optics xe-x/y/z # shows the light levels for fiber optics
show ethernet-switching table interface ge-x/y/z # shows whether the switch learned a MAC address on a specific interface, and on which VLANs it sees it
show ethernet-switching table | match "00:00:00:00:00:00" # finds a MAC address anywhere on the switch stack, if you are using a switch stack in your environment
show interfaces ge-x/y/z extensive | match "error" # shows whether there are any errors on the interface; the output is raw but a good start
show lldp neighbors # shows all the hosts connected to that switch
show | compare # displays the pending changes
show | display set # shows the configuration at your current level in "set" format, so you can copy/paste or modify it more easily
show interfaces ge-x/y/z | display set # shows what to type to configure the interface the way it is configured
show interfaces ge-5/0/17 | display inheritance # shows *everything* about a given port