Each VLAN is a collection of network nodes that are grouped
together to form separate broadcast domains. On an Ethernet network
that is a single LAN, all traffic is forwarded to all nodes on the
LAN. On VLANs, frames whose origin and destination are in the same
VLAN are forwarded only within that VLAN; only frames destined for
another VLAN are forwarded to other broadcast domains. VLANs thus
limit the amount of traffic flowing across the entire LAN, reducing
the possible number of collisions and packet retransmissions within
a VLAN and on the LAN as a whole.
On an Ethernet LAN, all network nodes must be physically connected
to the same network. On VLANs, the physical location of the nodes
is not important, so you can group network devices in any way that
makes sense for your organization, such as by department or business
function, by types of network nodes, or even by physical location.
Each VLAN is identified by a single IP subnetwork and by standardized
IEEE 802.1Q encapsulation.
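The forwarding rule described above (learning and flooding scoped to a single VLAN) as a toy VLAN-aware learning switch; this is an added example, not Juniper software, and the port names and MAC addresses in its usage are constructed. It also applies the MAC-Table-Aging-Time range from Table 140 (60 through 1000000 seconds) to expire forwarding-table entries.

```python
"""Toy VLAN-aware learning switch: a frame is learned and flooded only
within its own VLAN, so broadcast and unknown-unicast traffic never
crosses into another broadcast domain, and MAC entries expire after the
configured MAC-Table-Aging-Time (Table 140: 60 through 1000000 seconds).
Example code added to this page, not Juniper software."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    vlan: int        # 802.1Q VLAN ID carried in the tag, 1 through 4094
    src: str         # source MAC address
    dst: str         # destination MAC address
    in_port: str     # port the frame arrived on


class VlanSwitch:
    def __init__(self, aging_time: int = 300):
        if not 60 <= aging_time <= 1_000_000:
            raise ValueError("MAC-Table-Aging-Time must be 60 through 1000000 seconds")
        self.aging_time = aging_time
        self.ports: Dict[str, Set[int]] = {}                     # port -> VLAN memberships
        self.table: Dict[Tuple[int, str], Tuple[str, int]] = {}  # (vlan, mac) -> (port, learned_at)

    def add_port(self, port: str, *vlans: int) -> None:
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN ID {vid} is outside 1 through 4094")
        self.ports[port] = set(vlans)

    def expire(self, now: int) -> None:
        """Drop forwarding-table entries older than the aging time."""
        self.table = {k: v for k, v in self.table.items() if now - v[1] < self.aging_time}

    def forward(self, frame: Frame, now: int) -> List[str]:
        """Return the egress ports for a frame, or [] if it is dropped."""
        self.expire(now)
        if frame.vlan not in self.ports.get(frame.in_port, set()):
            return []                      # ingress port is not a member of that VLAN
        # Learning is scoped by VLAN: the same MAC may legitimately exist in two VLANs.
        self.table[(frame.vlan, frame.src)] = (frame.in_port, now)
        known = self.table.get((frame.vlan, frame.dst))
        if known is not None:
            return [] if known[0] == frame.in_port else [known[0]]
        # Broadcast or unknown unicast: flood, but only to this VLAN's other ports.
        return sorted(p for p, members in self.ports.items()
                      if frame.vlan in members and p != frame.in_port)


if __name__ == "__main__":
    # Constructed topology: VLAN 10 on three ports, VLAN 20 on one port.
    sw = VlanSwitch(aging_time=60)
    sw.add_port("ge-0/0/0", 10)
    sw.add_port("ge-0/0/1", 10)
    sw.add_port("ge-0/0/3", 10)
    sw.add_port("ge-0/0/2", 20)
    h1, h2 = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    print(sw.forward(Frame(10, h1, BROADCAST, "ge-0/0/0"), now=0))   # flooded to VLAN 10 only
    print(sw.forward(Frame(10, h2, h1, "ge-0/0/1"), now=1))          # learned: one port
    print(sw.forward(Frame(10, h2, h1, "ge-0/0/1"), now=61))         # entry aged out: flooded
```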
You can use the J-Web Quick Configuration to add a new VLAN
or to edit or delete an existing VLAN.
To access the VLAN Quick Configuration:
In the J-Web user interface, select Configuration > Quick Configuration > Switching > VLAN.
The VLAN Configuration page displays a list of existing VLANs.
If you select a specific VLAN, the specific VLAN details are displayed
in the Details section.
Click one:
Add—Creates a VLAN.
Edit—Edits an existing VLAN configuration.
Delete—Deletes an existing VLAN.
Note:
If you delete a VLAN, the VLAN configuration for all the associated
interfaces is also deleted.
When you are adding or editing a VLAN, enter information
as described in Table 140.
Click one:
To apply changes to the configuration, click OK.
To cancel the configuration without saving changes, click Cancel.
Table 140: VLAN Configuration Details

General tab

VLAN Name
  Function: Specifies a unique name for the VLAN.
  Action: Enter a name.

VLAN ID/Range
  Function: Specifies the identifier or range for the VLAN.
  Action: Select one:
    VLAN ID—Type a unique identification number from 1 through 4094. If no value is specified, it defaults to 0.
    VLAN Range—Type a number range to create VLANs with IDs corresponding to the range. For example, the range 2–3 creates two VLANs, with IDs 2 and 3.

Description
  Function: Describes the VLAN.
  Action: Enter a brief description for the VLAN.

MAC-Table-Aging-Time
  Function: Specifies the maximum time that an entry can remain in the forwarding table before it ages out.
  Action: Type the number of seconds, from 60 through 1000000.

Input Filter
  Function: Specifies the VLAN firewall filter that is applied to incoming packets.
  Action: To apply an input firewall filter, select the firewall filter from the list.

Output Filter
  Function: Specifies the VLAN firewall filter that is applied to outgoing packets.
  Action: To apply an output firewall filter, select the firewall filter from the list.

Ports tab

Ports
  Function: Specifies the ports to be associated with this VLAN for data traffic. You can also remove the port association.
  Action: Click one:
    Add—Select the ports from the available list.
    Remove—Select the port that you do not want associated with the VLAN.

IP Address tab

Layer 3 Information
  Function: Specifies IP address options for the VLAN.
  Action: Select to enable the IP address options.

IP Address
  Function: Specifies the IP address of the VLAN.
  Action: Enter the IP address.

Subnet Mask
  Function: Specifies the range of logical addresses within the address space that is assigned to an organization.
  Action: Enter the mask, for example, 255.255.255.0. You can also specify the address prefix.

Input Filter
  Function: Specifies the VLAN interface firewall filter that is applied to incoming packets.
  Action: To apply an input firewall filter to an interface, select the firewall filter from the list.

Output Filter
  Function: Specifies the VLAN interface firewall filter that is applied to outgoing packets.
  Action: To apply an output firewall filter to an interface, select the firewall filter from the list.

ARP/MAC Details
  Function: Specifies the details for configuring the static IP address and MAC address.
  Action: Click the ARP/MAC Details button. Enter the static IP address and MAC address in the window that is displayed.

VoIP tab

Ports
  Function: Specifies the ports to be associated with this VLAN for voice traffic. You can also remove the port association.
  Action: Click one:
    Add—Select the ports from the available list.
    Remove—Select the port that you do not want associated with the VLAN.
Configuring a Spanning Tree—Quick Configuration
Juniper devices provide Layer 2 loop prevention through Spanning
Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple
Spanning Tree Protocol (MSTP). You can configure bridge protocol
data unit (BPDU) protection on interfaces to prevent them from receiving
BPDUs that could result in STP misconfigurations, which could lead
to network outages.
You can use the J-Web Quick Configuration to add a spanning
tree or to edit or delete an existing spanning tree.
To access the Spanning Tree Quick Configuration:
In the J-Web user interface, select Configuration > Quick Configuration > Switching > Spanning Tree.
The Spanning Tree Configuration page displays a list of existing
spanning trees. If you select a specific spanning tree, the specific
spanning tree details are displayed in the General and Interfaces
tabs.
Click one of the following:
Add—Creates a spanning tree.
Edit—Edits an existing spanning-tree configuration.
Delete—Deletes an existing spanning tree.
When you are adding a spanning tree, select a protocol
name:
If you select STP, enter information as described in Table 141.
If you select RSTP, enter information as described in Table 142.
If you select MSTP, enter information as described in Table 143.
Select the Ports tab to configure the ports associated with this
spanning tree. Click one of the following:
Add—Creates a new spanning-tree interface configuration.
Edit—Modifies an existing spanning-tree interface configuration.
Delete—Deletes an existing spanning-tree interface configuration.
When you are adding or editing a spanning-tree port,
enter information as described in Table 144.
Click one:
To apply changes to the configuration, click OK.
To cancel the configuration without saving changes, click Cancel.
Table 141: STP Configuration Parameters

Protocol Name
  Function: Displays the spanning-tree protocol.
  Action: View only.

Disable
  Function: Disables STP on the interface.
  Action: To enable this option, select the check box.

BPDU Protect
  Function: Specifies that BPDU blocks are to be processed.
  Action: To enable this option, select the check box.

Bridge Priority
  Function: Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment.
  Action: Select a value.

Forward Delay
  Function: Specifies the number of seconds an interface waits before changing from the spanning-tree learning and listening states to the forwarding state.
  Action: Enter a value from 4 through 30 seconds.

Hello Time
  Function: Specifies the time interval in seconds at which the root bridge transmits configuration BPDUs.
  Action: Enter a value from 1 through 10 seconds.

Max Age
  Function: Specifies the maximum aging time in seconds for all MST instances. The maximum aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration.
  Action: Enter a value from 6 through 40 seconds.
Table 142: RSTP Configuration Parameters

Protocol Name
  Function: Displays the spanning-tree protocol.
  Action: View only.

Disable
  Function: Specifies whether RSTP must be disabled on the interface.
  Action: To enable this option, select the check box.

BPDU Protect
  Function: Specifies that BPDU blocks are to be processed.
  Action: To enable this option, select the check box.

Bridge Priority
  Function: Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment.
  Action: Select a value.

Forward Delay
  Function: Specifies the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state.
  Action: Enter a value from 4 through 30 seconds.

Hello Time
  Function: Specifies the hello time in seconds for all MST instances.
  Action: Enter a value from 1 through 10 seconds.

Max Age
  Function: Specifies the maximum aging time in seconds for all MST instances. The maximum aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration.
  Action: Enter a value from 6 through 40 seconds.
Table 143: MSTP Configuration Parameters

Protocol Name
  Function: Displays the spanning-tree protocol.
  Action: View only.

Disable
  Function: Specifies whether MSTP must be disabled on the interface.
  Action: To enable this option, select the check box.

BPDU Protect
  Function: Specifies that BPDU blocks are to be processed.
  Action: To enable this option, select the check box.

Bridge Priority
  Function: Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment.
  Action: Select a value.

Forward Delay
  Function: Specifies the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state.
  Action: Enter a value from 4 through 30 seconds.

Hello Time
  Function: Specifies the hello time in seconds for all MST instances.
  Action: Enter a value from 1 through 10 seconds.

Max Age
  Function: Specifies the maximum aging time for all MST instances. The maximum aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration.
  Action: Enter a value from 6 through 40 seconds.

Configuration Name
  Function: MSTP region name carried in the MSTP bridge protocol data units (BPDUs).
  Action: Enter a name.

Max Hops
  Function: Maximum number of hops a BPDU can be forwarded in the MSTP region.
  Action: Enter a value from 1 through 255.

Revision Level
  Function: Revision number of the MSTP region configuration.
  Action: Enter a value from 0 through 65535.
MSTI tab

MSTI Id
  Function: Specifies the multiple spanning-tree instance (MSTI) identifier. MSTI IDs are local to each region, so you can reuse the same MSTI ID in different regions.
  Action: Click one:
    Add—Creates an MSTI.
    Edit—Edits an existing MSTI.
    Delete—Deletes an existing MSTI.

Bridge Priority
  Function: Specifies the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment.
Interface
  Function: Specifies the interface for the spanning-tree protocol type.
  Action: Select an interface.

Cost
  Function: Specifies the link cost to control which bridge is the designated bridge and which interface is the designated interface.
  Action: Enter a value from 1 through 200,000,000.

Priority
  Function: Specifies the interface priority to control which interface is elected as the root port.
  Action: Select a value.

Disable Port
  Function: Disables the spanning-tree protocol type on the interface.
  Action: Select to disable the spanning-tree protocol type.

Edge
  Function: Configures the interface as an edge interface. Edge interfaces immediately transition to a forwarding state.
  Action: Select to configure the interface as an edge interface.

No Root Port
  Function: Specifies an interface as a spanning-tree designated port. If the bridge receives superior STP bridge protocol data units (BPDUs) on a root-protected interface, that interface transitions to a root-prevented STP state (inconsistency state) and the interface is blocked. This blocking prevents a bridge that should not be the root bridge from being elected the root bridge. When the bridge stops receiving superior STP BPDUs on the root-protected interface, interface traffic is no longer blocked.
  Action: Select to configure the interface as a spanning-tree designated port.

Interface Mode
  Function: Specifies the link mode.
  Action: Select one:
    Point to Point—For full-duplex links, select this mode.
    Shared—For half-duplex links, select this mode.

BPDU Timeout Action
  Function: Specifies the BPDU timeout action for the interface.
  Action: Select one:
    Alarm—Generate a system log file message to record the loop protection event.
    Block—Configure loop protection on a specific interface.
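The two BPDU-based interface protections described above, BPDU Protect (Tables 141 to 143) and No Root Port (root protection), as a small port state model; this is an added example, not Junos code. It assumes that a root-prevented port is released once no superior BPDU has been seen for Max Age seconds, and the timer relation checked in check_timers() comes from IEEE 802.1D rather than from this page.

```python
"""Model of BPDU Protect (any BPDU blocks the interface) and No Root Port
(a superior BPDU puts the interface into the root-prevented state until
superior BPDUs stop), plus a consistency check on the STP timers.
Example code added to this page, not Junos code. Assumptions: release of a
root-prevented port after Max Age seconds without a superior BPDU, and the
802.1D timer relation 2*(hello+1) <= max_age <= 2*(forward_delay-1)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortState(Enum):
    FORWARDING = "forwarding"
    BPDU_BLOCKED = "blocked by BPDU protect"
    ROOT_PREVENTED = "root-prevented (inconsistency state)"


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # J-Web "Bridge Priority"; a lower value wins the root election
    mac: str        # tie-breaker; compared as a string in this model


@dataclass
class Bpdu:
    root: BridgeId  # the bridge the sender claims is the root


def check_timers(hello: int, forward_delay: int, max_age: int) -> None:
    """Reject values outside the ranges of Table 141, then values that the
    J-Web ranges allow but that 802.1D considers mutually inconsistent."""
    if not (1 <= hello <= 10 and 4 <= forward_delay <= 30 and 6 <= max_age <= 40):
        raise ValueError("timer outside the J-Web range")
    if not 2 * (hello + 1) <= max_age <= 2 * (forward_delay - 1):
        raise ValueError("hello time, max age and forward delay are inconsistent")


@dataclass
class StpPort:
    name: str
    bpdu_protect: bool = False    # "BPDU Protect" check box
    no_root_port: bool = False    # "No Root Port" check box
    state: PortState = PortState.FORWARDING
    last_superior: Optional[int] = None

    def receive(self, bpdu: Bpdu, local: BridgeId, now: int) -> PortState:
        if self.bpdu_protect:
            self.state = PortState.BPDU_BLOCKED        # any BPDU at all blocks the port
        elif self.no_root_port and bpdu.root < local:
            self.state = PortState.ROOT_PREVENTED      # superior BPDU: refuse the root role
            self.last_superior = now
        return self.state

    def tick(self, now: int, max_age: int) -> PortState:
        """Periodic timer: release a root-prevented port once superior BPDUs
        have been absent for Max Age seconds (model assumption). A BPDU-protect
        block stays in place until an operator calls clear_block()."""
        if (self.state is PortState.ROOT_PREVENTED and self.last_superior is not None
                and now - self.last_superior >= max_age):
            self.state, self.last_superior = PortState.FORWARDING, None
        return self.state

    def clear_block(self) -> PortState:
        self.state, self.last_superior = PortState.FORWARDING, None
        return self.state
```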
Configuring LACP—Quick Configuration
Use the link aggregation feature to aggregate one or more Ethernet
interfaces to form a virtual link or link aggregation group (LAG).
The MAC client can treat this virtual link as if it were a single
link. Link aggregation increases bandwidth, provides graceful degradation
as failure occurs, and increases availability.
You can use the J-Web Quick Configuration to add a new LAG or
to edit or delete an existing LAG.
Note:
Interfaces that are already configured with MTU, duplex, flow-control,
or logical interfaces are not available for aggregation.
To access the LACP Quick Configuration:
In the J-Web user interface, select Configuration > Quick Configuration > Switching > LACP.
The Aggregated Interfaces list is displayed.
Click one of the following:
Add—Creates an aggregated Ethernet interface, or LAG. Enter information as specified in Table 145.
Edit > Aggregation—Modifies the selected LAG. Enter information as specified in Table 145.
Edit > VLAN—Specifies VLAN options for the selected LAG. See Table 146 for details on the options.
Delete—Deletes the selected LAG.
Disable Port or Enable Port—Disables or enables the administrative status on the selected interface.
Click one:
To apply changes to the configuration, click OK.
To cancel the configuration without saving changes, click Cancel.
Table 145: Aggregated Ethernet Interface Options

Aggregated Interface
  Function: Indicates the name of the aggregated interface.
  Action: Enter the aggregated interface name. If an aggregated interface already exists, the field is displayed as read-only.

LACP Mode
  Function: Specifies the mode in which LACP packets are exchanged between the interfaces. The modes are:
    None—Indicates that no mode is applicable.
    Active—Indicates that the interface initiates transmission of LACP packets.
    Passive—Indicates that the interface only responds to LACP packets.
  Action: Select from the drop-down list.

Description
  Function: The description for the LAG.
  Action: Enter the description.

Interface
  Function: Indicates the interfaces available for aggregation.
  Action: Click Add to select the interfaces.
  Note: Only interfaces that are configured with the same speed can be selected together for a LAG.

Enable Log
  Function: Specifies whether to enable generation of log entries for the LAG.
  Action: Select to enable log generation.
Table 146: VLAN Options

Port Mode
  Function: Specifies the mode of operation for the port: trunk or access.
  Action: Select the port mode.

VLAN Options
  Function: For trunk interfaces, the VLANs for which the interface can carry traffic.
  Action: Click Add to select VLAN members.

Native VLAN
  Function: VLAN identifier to associate with untagged packets received on the interface.
  Action: Select the VLAN identifier.
Configuring 802.1x—Quick Configuration
Juniper devices use 802.1X authentication to implement access
control in an enterprise network. Supplicants (hosts) are authenticated
at the initial connection to your LAN. Because supplicants are authenticated
before they receive an IP address from a DHCP server, unauthorized
supplicants cannot gain access to your LAN.
You can use the J-Web Quick Configuration to configure 802.1x
authentication.
To access the 802.1x Quick Configuration:
In the J-Web user interface, select Configuration > Quick Configuration > Switching > 802.1x.
The 802.1x screen displays a list of interfaces, whether 802.1x
security has been enabled on the interface, and the assigned port
role.
When you select a particular interface, the Details section
displays 802.1x details for the interface.
Click one:
RADIUS Servers—Specifies the RADIUS server to be used for authentication. Select the check box to select the required server. Click Add or Edit to add or modify the RADIUS server settings. Enter information as specified in Table 147.
Exclusion List—Excludes hosts from the 802.1x authentication list by specifying the MAC address. Click Add or Edit in the Exclusion List to include or modify the MAC addresses. Enter information as specified in Table 148.
Edit—Specifies 802.1x settings for the selected interface:
  Apply 802.1x Profile—Applies a predefined 802.1x profile based on the port role. If a message appears asking if you want to configure a RADIUS server, click Yes.
  802.1x Configuration—Configures custom 802.1x settings for the selected interface. If a message appears asking if you want to configure a RADIUS server, click Yes. Enter information as specified in Table 147. To configure 802.1x settings, enter information as specified in Table 149.
Delete—Deletes the 802.1x authentication configuration on the selected interface.
Click one:
To apply changes to the configuration, click OK.
To cancel the configuration without saving changes, click Cancel.
Table 147: RADIUS Server Settings

IP Address
  Function: Specifies the IP address of the server.
  Action: Enter the IP address in dotted decimal notation.

Password
  Function: Specifies the login password.
  Action: Enter the password.

Confirm Password
  Function: Verifies the login password for the server.
  Action: Reenter the password.

Server Port Number
  Function: Specifies the port with which the server is associated.
  Action: Enter the port number.

IP Address
  Function: Specifies the source address of the server.
  Action: Enter the server’s 32-bit IP address, in dotted decimal notation.

Retry Attempts
  Function: Specifies the number of login retries allowed after a login failure.
  Action: Enter a value from 1 through 10.

Timeout
  Function: Specifies the time, in seconds, before the connection to the server is closed.
  Action: Enter a value from 1 through 90 seconds.
Table 148: 802.1x Exclusion List

MAC Address
  Function: Specifies the MAC address to be excluded from 802.1x authentication.
  Action: Enter the MAC address.

Exclude if connected through port
  Function: Specifies that the host can bypass authentication if it is connected through a particular interface.
  Action: Select to enable the option. Select the port through which the host is connected.

Move the host to VLAN
  Function: Specifies moving the host to a specific VLAN once the host is authenticated.
  Action: Select to enable the option. Select the VLAN from the list.
Table 149: 802.1x Port Settings

Supplicant Mode

Supplicant Mode
  Function: Specifies the mode to be adopted for supplicants:
    Single—Allows only one host for authentication.
    Multiple—Allows multiple hosts for authentication. Each host is checked before being admitted to the network.
    Single authentication for multiple hosts—Allows multiple hosts, but only the first is authenticated.
  Action: Select the required mode.

Authentication

Enable re-authentication
  Function: Specifies enabling reauthentication on the selected interface.
  Action: Select to enable reauthentication. Enter the timeout for reauthentication, from 1 through 65,535 seconds.

Action on authentication failure
  Function: Specifies the action to be taken in case of an authentication failure.
  Action: Select one:
    Move to the Guest VLAN—Select the VLAN to which unauthenticated hosts are permitted access.
    Deny—The host is not permitted access.

Timeouts
  Function: Specifies timeout values for each action.
  Action: Enter the value in seconds for:
    Port waiting time after an authentication failure. Enter a value from 0 through 65,535.
    EAPOL retransmitting interval. Enter a value from 1 through 65,535.
    Maximum number of EAPOL requests. Enter a value from 1 through 10.
    Maximum number of retries. Enter a value from 1 through 10.
    Port timeout value for the response from the supplicant. Enter a value from 1 through 60.
    Port timeout value for the response from the RADIUS server. Enter a value from 1 through 60.
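The admission decisions that follow from the settings in Tables 148 and 149 (supplicant mode, MAC exclusion list with its port restriction and VLAN move, and the action on authentication failure) as a port model; this is an added example, not Junos code. The RADIUS decision is a constructed callback, and the MAC addresses, port and VLAN names are made up.

```python
"""Port admission model for the 802.1x settings in Tables 148 and 149.
Example code added to this page, not Junos code; radius_ok stands in for
the RADIUS exchange and is supplied by the caller."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Exclusion:                 # one row of Table 148
    mac: str
    port: Optional[str] = None   # "Exclude if connected through port"
    vlan: Optional[str] = None   # "Move the host to VLAN"


@dataclass
class PortPolicy:                # the relevant rows of Table 149
    mode: str                    # "single", "multiple" or "single-for-multiple"
    default_vlan: str            # VLAN given to authenticated hosts
    guest_vlan: Optional[str] = None   # None means "Deny" on authentication failure


@dataclass
class Dot1xPort:
    name: str
    policy: PortPolicy
    exclusions: List[Exclusion] = field(default_factory=list)
    admitted: Dict[str, str] = field(default_factory=dict)  # mac -> vlan of admitted hosts

    def connect(self, mac: str, radius_ok: Callable[[str], bool]) -> Tuple[str, Optional[str]]:
        """Decide what happens when a host with this MAC appears on the port.
        Returns (decision, vlan); decision is one of bypass, allow,
        allow-unauthenticated, guest or deny."""
        mac = mac.lower()
        # 1. Exclusion list: the host skips authentication entirely, so the
        #    decision is reported distinctly to keep such hosts visible in logs.
        for ex in self.exclusions:
            if ex.mac.lower() == mac and ex.port in (None, self.name):
                vlan = ex.vlan or self.policy.default_vlan
                self.admitted[mac] = vlan
                return "bypass", vlan
        mode = self.policy.mode
        # 2. Single mode: a second MAC on the port is not admitted.
        if mode == "single" and self.admitted and mac not in self.admitted:
            return "deny", None
        # 3. Single authentication for multiple hosts: only the first host is
        #    authenticated; later hosts share its admission and VLAN.
        if mode == "single-for-multiple" and self.admitted:
            vlan = next(iter(self.admitted.values()))
            self.admitted[mac] = vlan
            return "allow-unauthenticated", vlan
        # 4. Otherwise authenticate this host (multiple mode checks every host).
        if radius_ok(mac):
            self.admitted[mac] = self.policy.default_vlan
            return "allow", self.policy.default_vlan
        # 5. Action on authentication failure: guest VLAN or deny.
        if self.policy.guest_vlan:
            return "guest", self.policy.guest_vlan
        return "deny", None
```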
Configuring IGMP Snooping—Quick Configuration
IGMP snooping regulates multicast traffic in a switched network.
With IGMP snooping enabled, the Juniper device monitors the IGMP transmissions
between a host (a network device) and a multicast router, keeping
track of the multicast groups and associated member interfaces. The
Juniper device uses that information to make intelligent multicast-forwarding
decisions and forward traffic to the intended destination interfaces.
You can use the J-Web Quick Configuration to add a new IGMP
snooping configuration or to edit or delete an existing configuration.
To access the IGMP Snooping Quick Configuration:
In the J-Web user interface, select Configuration > Quick Configuration > Switching > IGMP Snooping.
The VLAN Configuration page displays a list of existing IGMP
snooping configurations.
Click one:
Add—Creates an IGMP snooping configuration for the VLAN.
Edit—Edits an existing IGMP snooping configuration for the VLAN.
Delete—Deletes member settings for the interface.
Note:
If you delete a configuration, the VLAN configuration for all
the associated interfaces is also deleted.
Disable Vlan—Disables IGMP snooping on the selected VLAN.
When you are adding or editing a VLAN, enter information
as described in Table 150.
Click one:
To apply changes to the configuration, click OK.
To cancel the configuration without saving changes, click Cancel.
Table 150: IGMP Snooping Configuration Fields

VLAN Name
  Function: Specifies the VLAN on which to enable IGMP snooping.
  Action: Select the VLAN from the list.

Immediate Leave
  Function: Immediately removes a multicast group membership from an interface when it receives a leave message from that interface, and suppresses the sending of any group-specific queries for the multicast group.
  Action: To enable the option, select the check box. To disable the option, clear the check box.

Query Interval
  Function: Configures how frequently the switch sends host-query timeout messages to a multicast group.
  Action: Enter a value from 1 through 1024 seconds.

Query Last Member Interval
  Function: Configures the interval between group-specific query timeout messages sent by the switch.
  Action: Enter a value from 1 through 1024 seconds.

Query Response Interval
  Function: Configures the length of time the switch waits to receive a response to a specific query message from a host.
  Action: Enter a value from 1 through 25 seconds.

Robust Count
  Function: Specifies the number of timeout intervals the switch waits before timing out a multicast group.
  Action: Enter a value from 2 through 10.

Interfaces List
  Function: Statically configures an interface as a switching interface toward a multicast router (the interface to receive multicast traffic).
  Action: Click Add. Select an interface from the list. Select Multicast Router Interface. Enter the maximum number of groups an interface can join in Group Limit. In Static, choose one:
    Click Add, type a group IP address, and click OK.
    Select a group and click Remove to remove the group membership.
Configuring GVRP—Quick Configuration
As a network expands and the number of clients and VLANs increases,
VLAN administration becomes complex, and the task of efficiently configuring
VLANs on multiple EX-series switches becomes increasingly difficult.
To automate VLAN administration, you can enable GARP VLAN Registration
Protocol (GVRP) on the network.
GVRP learns VLANs on a particular 802.1Q trunk port and adds
the corresponding trunk interface to the VLAN if the advertised VLAN
already exists on the switch. For example, a VLAN named “sales”
is advertised to trunk interface 1 on the GVRP-enabled switch. The
switch adds trunk interface 1 to the sales VLAN if the sales VLAN
already exists on the switch.
As individual interfaces become active and send requests to
join a VLAN, the VLAN configuration is updated and propagated among
the switches. Limiting the VLAN configuration to active participants
reduces the network overhead. GVRP also provides the benefit of pruning
VLANs to limit the scope of broadcast, unknown unicast, and multicast
(BUM) traffic to interested network devices only.
You can use the J-Web Quick Configuration to enable or disable
GVRP on an interface.
To access the GVRP Quick Configuration:
In the J-Web user interface, select Configuration > Quick Configuration > Switching > GVRP.
The GVRP Configuration page displays a list of interfaces on
which GVRP is enabled.
Click one:
Global Settings—Modifies GVRP timers. Enter the information as described in Table 151.
Add—Enables GVRP on an interface.
Disable Port—Disables an interface.
Delete—Deletes an interface.
Click one:
To apply changes to the configuration, click OK.
To cancel the configuration without saving changes, click Cancel.
Table 151: GVRP Global Settings

Disable GVRP
  Function: Disables GVRP on all the interfaces.
  Action: Click to select.

Join Timer
  Function: Specifies the number of milliseconds an interface must wait before sending VLAN advertisements.
  Action: Enter a value from 0 through 4294967295 milliseconds.

Leave Timer
  Function: Specifies the number of milliseconds an interface must wait after receiving a leave message to remove itself from the VLAN specified in the message.
  Action: Enter a value from 0 through 4294967295 milliseconds.

Leave All Timer
  Function: Specifies the interval in milliseconds at which Leave All messages are sent on interfaces. Leave All messages help to maintain current GVRP VLAN membership information in the network.
  Action: Enter a value from 0 through 4294967295 milliseconds.