#### Chapter 1

#### ELS Overview
switch1> file list /var/tmp
switch1> edit exclusive
switch1#

switch1# delete

switch1# load set /var/tmp/NEW_ELS.conf
switch1# commit confirmed 3
switch1# commit  


#### Chapter 2

#### EX Series Management Overview

# set interfaces me0 unit 0 family inet address 192.168.2.10/24

Alternative syntax:
# set interfaces me0.0 family inet address 192.168.2.10/24

When part of a Virtual Chassis:
{master:0}[edit]
# set interfaces vme.0 family inet address 192.168.2.10/24


Managing via In-Band Connection
# set interfaces lo0.0 family inet address 1.1.1.1
# show | compare
# commit check
# commit confirmed 2
# commit
# show interfaces lo0

ELS NOTE	The old Junos syntax specified the Layer 3 interface on a VLAN as vlan unit 100 or vlan.100, but the new ELS syntax uses IRB interfaces, so the commands become:
# set vlans V100 vlan-id 100
# set vlans V100 l3-interface irb.100
# set interfaces irb.100 family inet address 192.168.2.10/24
# show | compare
# commit check
# commit confirmed 3
# commit
# show interfaces irb

To enable the J-Web service (plain http carries the login credentials in cleartext, so bind it only to a management interface as shown here and prefer https, or leave it disabled as shown next):
# set system services web-management http interface irb.2
# commit

To disable web services:
# delete system services web-management 
# show | compare 
[edit system services]
-    web-management {
-        http {
-            interface [ me0.0 irb.2 ];
-        }
-    }
# commit 

Managing Via LCD

From the CLI you can see what the LCD is displaying and also the menu hierarchy. Let’s take a look:
EX4300-6_7-VC> show chassis lcd menu           
fpc0:
--------------------------------------------------------------------------
status-menu
status-menu vcp-status1-menu
status-menu vcp-status2-menu
status-menu power-status
status-menu environ-menu
status-menu show-version
maintenance-menu
maintenance-menu halt-menu
maintenance-menu system-reboot
maintenance-menu rescue-config
maintenance-menu vc-uplink-config
maintenance-menu factory-default
fpc1:
--------------------------------------------------------------------------
status-menu
status-menu vcp-status1-menu
status-menu vcp-status2-menu
status-menu power-status
status-menu environ-menu
status-menu show-version
maintenance-menu
maintenance-menu halt-menu
maintenance-menu system-reboot
maintenance-menu rescue-config
maintenance-menu vc-uplink-config
maintenance-menu factory-default

You can see from the CLI what the LCD is actually displaying on the EX4300 in our lab diagram:
EX4300-6_7-VC# run show chassis lcd        
Front panel contents for slot: 0
---------------------------------
LCD screen:
    00:BK EX4300-6_7 
    LED:SPD ALARM 00 
LEDs status:
    Alarms LED: Off    
    System LED: Green  
    Master LED: Green Blink
Interface	LED(ADM/SPD/DPX/POE)
-------------------------------------
ge-0/0/0        Off                  
ge-0/0/1        Off                  
… Truncated for brevity         
ge-0/0/20       Off                  
ge-0/0/21       Off                  
ge-0/0/22       Off                  
ge-0/0/23       Off                  
Front panel contents for slot: 1
---------------------------------
LCD screen:
    01:RE EX4300-6_7 
    LED:SPD ALARM 01 
LEDs status:
    Alarms LED: Yellow 
    System LED: Green  
    Master LED: Green  
Interface	LED(ADM/SPD/DPX/POE)
-------------------------------------
ge-1/0/0        Off                  
ge-1/0/1        Off                  
ge-1/0/2        Off                  
… Truncated for brevity                  
ge-1/0/20       Off                  
ge-1/0/21       Off                  
ge-1/0/22       Off                  
ge-1/0/23       Off                  

EX4300-6_7-VC# set chassis lcd-menu fpc 0 menu-item maintenance-menu disable
EX4300-6_7-VC# set chassis lcd-menu fpc 1 menu-item maintenance-menu disable
EX4300-6_7-VC# commit 

And you can see that the maintenance-menu is no longer available to anyone using the LCD. This matters because the maintenance menu offers a reboot, a load of the rescue configuration, and a factory-default reset from the front panel with no credentials at all, so anyone with physical access to the rack could otherwise use it:
EX4300-6_7-VC# run show chassis lcd menu 
fpc0:
--------------------------------------------------------------------------
status-menu
status-menu vcp-status1-menu
status-menu vcp-status2-menu
status-menu power-status
status-menu environ-menu
status-menu show-version
fpc1:
--------------------------------------------------------------------------
status-menu
status-menu vcp-status1-menu
status-menu vcp-status2-menu
status-menu power-status
status-menu environ-menu
status-menu show-version

You can also set a display message on the LCD, or on a specific switch in a VC. Let's assume you have an end-of-row VC in your data center and you need JJ to connect a server to port ge-1/0/4 in that VC. JJ may not know which physical switch this is, but you can set a message on that switch that says "PORT 4 JJ" so he can locate the exact switch:
EX4300-6_7-VC> set chassis display message "PORT 4 JJ" fpc-slot 1 permanent 
message sent

EX4300-6_7-VC> show chassis lcd fpc-slot 1 
Front panel contents for slot: 1
---------------------------------
LCD screen:
    01:RE EX4300-6_7 
    PORT 4 JJ 
LEDs status:
    Alarms LED: Yellow 
    System LED: Green  
    Master LED: Green  
Interface	LED(ADM/SPD/DPX/POE)
-------------------------------------
ge-1/0/0        Off                  
ge-1/0/1        Off                  
ge-1/0/2        Off                  
…

#### Managing Via SNMP

Therefore, the jnxExSwitching OID becomes 1.3.6.1.4.1.2636.3.40.1, so now you can run a walk on your lab EX2300 using that specific OID, but first you need to make sure that the switch can communicate using SNMP. Configure SNMPv2c first, since it is very simple (a community with no authorization statement is read-only, but the string is the only credential and crosses the wire in cleartext, so treat this as a lab step, restrict the community with a clients list, and move to SNMPv3 as shown below):
# set snmp community juniper123
# commit and-quit
> show snmp mib walk 1.3.6.1.4.1.2636.3.40.1   
jnxAuthProfileName.0
jnxVirtualChassisMemberSerialnumber.0 = HV0216501848
jnxVirtualChassisMemberRole.0 = 1
....

That was from the Junos operational prompt, which is something a lot of other vendors cannot do, by the way. Now let's do one from a remote device like a laptop:
$ snmpwalk -v 2c -c juniper123 192.168.2.6 1.3.6.1.4.1.2636.3.40.1
SNMPv2-SMI::enterprises.2636.3.40.1.3.1.1.1.0 = ""
SNMPv2-SMI::enterprises.2636.3.40.1.4.1.1.1.2.0 = STRING: "HV0216501848"
SNMPv2-SMI::enterprises.2636.3.40.1.4.1.1.1.3.0 = INTEGER: 1
...

The first thing you need to do is to establish a User-based Security Model (USM) user. Start by identifying the user as JUNIPER and making the authentication password JUNIPER123. You type the password in plain text; on commit Junos derives the SHA-1 authentication key from it and stores that key in the configuration in the reversible $9$ format (see the authentication-key output below), so anyone who can read the configuration can recover the key. Use a long, unique password rather than the lab value shown here.
# set snmp v3 usm local-engine user JUNIPER authentication-sha authentication-password JUNIPER123
# set snmp v3 usm local-engine user JUNIPER privacy-aes128 privacy-password JUNIPER123

Next create a view-based Access Control Model or VACM. Use a group name of JUNIPER and our security-model will be USM. The security level will be authentication with privacy, and you will only allow a read-view, READ_JUNIPER, which must itself be defined (it is the view that appears in the committed configuration below):
# set snmp v3 vacm security-to-group security-model usm security-name JUNIPER group JUNIPER 
# set snmp v3 vacm access group JUNIPER default-context-prefix security-model usm security-level privacy read-view READ_JUNIPER
# set snmp view READ_JUNIPER oid 1.3.6.1.4.1.2636 include

Next set our engine-id (see best practice note below on engine-id):
# set snmp engine-id use-mac-address
# commit

Now, if everything is correct, you should be able to walk the device using SNMPv3 with authentication and privacy (SNMPv3 has no community string, so -c is not used; -l authPriv tells net-snmp to require both authentication and encryption):
$ snmpwalk -v 3 -u JUNIPER -a SHA -A JUNIPER123 -x AES -X JUNIPER123 -l authPriv 192.168.2.6 1.3.6.1.4.1.2636.3.40.1
SNMPv2-SMI::enterprises.2636.3.40.1.3.1.1.1.0 = ""
SNMPv2-SMI::enterprises.2636.3.40.1.4.1.1.1.2.0 = STRING: "HV0216501848"
...

And to see the entire snmp hierarchy from the device itself. Note that the authentication-key and privacy-key values below are stored in Junos's reversible $9$ format, not as one-way hashes, so a copy of this configuration is equivalent to the SNMPv3 credentials and must be protected accordingly:
# show snmp | display set 
set snmp v3 usm local-engine user JUNIPER authentication-sha authentication-key "$9$5Q69tpB1Ec9CORhcleUjiqmTn6At0BjHApBIcSYg4oUjPfz6/tF3revMXxDiHkfT/9pB1hik5F36AtLx7-24aZUkqfoai.PT3nSrlM7-2gJDHqsYaUDif5Fn/ApBIRSeK81IEyreW8X7-dYgik.Qz6wYaUHkPfhSyl8XwYgaJD-dHqfT3nylevxN"
set snmp v3 usm local-engine user JUNIPER privacy-aes128 privacy-key "$9$tDgXuIESyKv8XEheWLX-dTzF69p1IcSlKz3cyKMXxikq.TzCA0IRSOBNdbwg4QF3nApREyKvLFntOBIcS24oJHqmfTn6A.mF/CpB1xN-woJHkPQ36jimTQFAtO1RcyKMWxdVYvM87NdsYgoJZikFn/u0IDimT3nCALx7-YgDikmPQJZ36ApB17-db4a"
set snmp v3 vacm security-to-group security-model usm security-name JUNIPER group JUNIPER
set snmp v3 vacm access group JUNIPER default-context-prefix security-model usm security-level privacy read-view READ_JUNIPER
set snmp engine-id use-mac-address
set snmp view READ_JUNIPER oid 1.3.6.1.4.1.2636 include
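The configuration above is exactly the kind of thing that drifts over time: a v2c community left in place "for the old poller", a v3 user created without privacy, a view that exposes the whole tree. The following script is an added example for this chapter, not code from the book or from Juniper. It parses the output of show snmp | display set and applies the USM and VACM rules discussed above (cleartext communities, missing authentication or privacy, access entries below the privacy level, undefined or over-broad views). The SAMPLE_CONFIG is constructed for the example: it combines the lab v2c community and the JUNIPER user with a hypothetical LEGACY user that only authenticates, and the $9$ key values are shortened placeholders.

```python
"""Audit the SNMP stanza of a Junos configuration captured with
"show snmp | display set".  Added example for this chapter, not code from
the book or from Juniper; the rules encode the SNMPv3 USM/VACM semantics
discussed in the text (RFC 3414/3415) and its hardening caveats."""
import shlex
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "critical", "high" or "medium"
    subject: str    # community, user, group or view the finding is about
    message: str


# Constructed sample: the lab v2c community, the v3 user from the walk-through,
# plus a hypothetical LEGACY user that only authenticates.  The $9$ key values
# are shortened placeholders, not real keys.
SAMPLE_CONFIG = """\
set snmp community juniper123
set snmp v3 usm local-engine user JUNIPER authentication-sha authentication-key "$9$5Q69tpB1Ec9C"
set snmp v3 usm local-engine user JUNIPER privacy-aes128 privacy-key "$9$tDgXuIESyKv8"
set snmp v3 usm local-engine user LEGACY authentication-md5 authentication-key "$9$aaaabbbbcccc"
set snmp v3 vacm security-to-group security-model usm security-name JUNIPER group JUNIPER
set snmp v3 vacm security-to-group security-model usm security-name LEGACY group LEGACY
set snmp v3 vacm access group JUNIPER default-context-prefix security-model usm security-level privacy read-view READ_JUNIPER
set snmp v3 vacm access group LEGACY default-context-prefix security-model usm security-level authentication read-view ALL
set snmp engine-id use-mac-address
set snmp view READ_JUNIPER oid 1.3.6.1.4.1.2636 include
set snmp view ALL oid .1 include
"""


def parse_snmp(text):
    """Return (communities, usm_users, user_to_group, access, views) from set lines."""
    comm, users, groups, access, views = {}, {}, {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set snmp "):
            continue
        t = shlex.split(line)[2:]                      # drop "set snmp"
        if t[0] == "community":
            c = comm.setdefault(t[1], {"authorization": "read-only", "clients": []})
            if t[2:3] == ["authorization"]:
                c["authorization"] = t[3]
            elif t[2:3] == ["clients"]:
                c["clients"].append(t[3])
        elif t[:4] == ["v3", "usm", "local-engine", "user"]:
            u = users.setdefault(t[4], {"auth": None, "priv": None})
            if len(t) > 5 and t[5].startswith("authentication-"):
                u["auth"] = t[5].split("-", 1)[1]      # sha, md5 or none
            elif len(t) > 5 and t[5].startswith("privacy-"):
                u["priv"] = t[5].split("-", 1)[1]      # aes128, 3des, des or none
        elif t[:3] == ["v3", "vacm", "security-to-group"]:
            d = dict(zip(t[3::2], t[4::2]))            # security-model/security-name/group pairs
            groups[d["security-name"]] = d["group"]
        elif t[:4] == ["v3", "vacm", "access", "group"]:
            rest = t[5:]                               # skip "default-context-prefix" or "context-prefix NAME"
            rest = rest[1:] if rest[:1] == ["default-context-prefix"] else rest[2:]
            d = dict(zip(rest[0::2], rest[1::2]))
            a = access.setdefault((t[4], d.get("security-level", "none")),
                                  {"read-view": None, "write-view": None})
            for k in ("read-view", "write-view"):
                if k in d:
                    a[k] = d[k]
        elif t[0] == "view" and t[2:3] == ["oid"]:
            views.setdefault(t[1], []).append((t[3].strip("."), t[4] if len(t) > 4 else "include"))
    return comm, users, groups, access, views


def audit(text):
    """Apply the hardening rules from the chapter and return a list of Findings."""
    comm, users, groups, access, views = parse_snmp(text)
    f = []
    for name, c in comm.items():
        f.append(Finding("high", name, "v1/v2c community: the string is the only credential and crosses the wire in cleartext"))
        if c["authorization"] == "read-write":
            f.append(Finding("critical", name, "read-write community permits SNMP SET (configuration changes)"))
        if not c["clients"]:
            f.append(Finding("high", name, "no clients list: any source address may query"))
    for name, u in users.items():
        if u["auth"] in (None, "none"):
            f.append(Finding("high", name, "USM user without authentication (noAuthNoPriv)"))
        elif u["auth"] == "md5":
            f.append(Finding("medium", name, "USM user authenticates with HMAC-MD5; prefer SHA"))
        if u["priv"] in (None, "none"):
            f.append(Finding("high", name, "USM user without privacy: PDUs are authenticated but not encrypted"))
        elif u["priv"] != "aes128":
            f.append(Finding("medium", name, f"USM user uses {u['priv']} privacy; prefer aes128"))
    for (group, level), a in access.items():
        if level != "privacy":
            f.append(Finding("high", group, f"VACM access at security-level {level} accepts unencrypted requests"))
        if a["write-view"]:
            f.append(Finding("medium", group, f"write-view {a['write-view']} grants SNMP SET"))
        for k in ("read-view", "write-view"):
            if a[k] and a[k] not in views:
                f.append(Finding("medium", group, f"{k} {a[k]} is not defined under 'set snmp view'"))
    for name, entries in views.items():
        for oid, mode in entries:
            if mode == "include" and len(oid.split(".")) <= 4:   # 1, 1.3, 1.3.6, 1.3.6.1 = everything
                f.append(Finding("medium", name, f"view includes {oid}: effectively the whole MIB tree"))
    return f


def worst(findings):
    """Highest severity present, or None for a clean configuration."""
    present = [s for s in ("critical", "high", "medium") if any(x.severity == s for x in findings)]
    return present[0] if present else None


if __name__ == "__main__":
    for x in audit(SAMPLE_CONFIG):
        print(f"[{x.severity:8}] {x.subject}: {x.message}")
```

Run it against the output of show snmp | display set copied from the switch; a clean SNMPv3-only configuration such as the one built above returns no findings, while the sample flags the v2c community twice, the LEGACY user and its access entry, and the ALL view. The undefined-view check is the one that would have caught a read-view name that does not match any set snmp view statement before the first failed walk.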

#### Managing Via Mini-USB Type B

You cannot connect to the CON port when managing a device via the Mini-USB as the console input will only be active on one port at a time. The Mini-USB is set to passive and the normal RS-232 Console is active by default. To use the Mini-USB you have to explicitly set the port from the CLI:
EX4300-6_7-VC# set system ports auxiliary port-type mini-usb    

EX4300-6_7-VC# show | compare 
[edit system]
+   ports {
+       auxiliary port-type mini-usb;
+   }

EX4300-6_7-VC# commit 
fpc1: 
configuration check succeeds
fpc0: 
commit complete
fpc1: 
commit complete

The next step is to reboot the switch so the Mini-USB becomes the active console. As you can see, this is not something you want to decide after the switch is already in a VC on your operational network! Make it an up-front decision during initial configuration. To make the RJ-45 console active again (again followed by a reboot):
	
EX4300-6_7-VC# set system ports auxiliary port-type rj45 
EX4300-6_7-VC# commit 


#### Managing Storage Via USB

Some organizations do not allow the USB port to be enabled, because anyone with physical access could boot the switch from their own media, load a different image or configuration, or copy files off the device. Let's disable USB storage on the EX4300 VC in the lab:
EX4300-6_7-VC# set chassis usb storage disable    
EX4300-6_7-VC# show | compare 
[edit chassis]
+   usb {
+       storage {
+           disable;
+       }
+   }

EX4300-6_7-VC# commit 

If USB storage is disabled, you cannot use the command:
EX4300-6_7-VC> request system reboot media usb

To re-enable the port, you have to delete the disable statement:
EX4300-6_7-VC# delete chassis usb storage disable 
EX4300-6_7-VC# commit 
EX4300-6_7-VC# run show chassis usb storage 
USB Enabled

We also discussed booting from a USB with a Junos image. There are two methods for getting the image on the USB. The easiest is to use a switch that is already on the right code and doing a snapshot.  
First, place the USB into the port and then from the CLI issue the command:
EX4300-6_7-VC> request system snapshot media external partition

System may go unstable if module traces or syslog messages are enabled during snapshot.
It is recommended to disable all debug logging.
Do you wish to continue? [yes,no] (no) yes 

This will copy the image and snapshot files to the USB and it will be ready to use on a switch to upgrade the code or recover the original device by issuing the command:
EX4300-6_7-VC> request system reboot media external
	
The other way is to format your USB as FAT/FAT32 and then copy the Junos software package from your PC/laptop to the USB device.  Here are the steps:
1. Format the USB FAT/FAT32.
2. Copy the install media from your PC/Laptop to the USB.
3. Make sure the switch you want to upgrade is powered off.
4. Once the file is on the USB you can plug it into the USB port on the switch.
5. Power on the switch.
6. Once the Boot Loader message is displayed:  Press [Enter] to boot immediately, or space bar for command prompt.
7. Press the space bar (within 1 sec of seeing the message) to enter the loader> prompt.
8. Type loader> install source file:///jinstall-ex-4300-14.1X53-D42.3-domestic-signed.tgz

Note the colon and three slashes :/// just after the file keyword. This is the correct syntax to pull the file from the USB.
If successful, the EX Series switch will load the image and then you will be presented with a login prompt. At that point you can remove the USB from the EX USB port.

#### Chapter 3

#### Junos Basics 
#### Junos Initial Configuration

$ telnet 172.16.0.15 2015
login: root
--- Junos 15.1X53-D50.2 Kernel 32-bit  JNPR-11.0-20160614.329646_build
root@:RE:0%

Junos Operational Mode

root@:RE:0% cli
{master:0}
root>  

#### Junos Configuration or Edit mode

The Junos edit mode is clearly identified as [edit] as well as the octothorpe # prompt.  This is where all changes are made and committed to the active configuration. Now you truly have the power – can you feel it surging through your fingertips? Now let’s get rid of that pesky Auto Image Upgrade message.
{master:0}
root> edit 
Entering configuration mode

{master:0}[edit]
root#

#### Active and Candidate Configuration
{master:0}[edit]
root# delete chassis auto-image-upgrade 
{master:0}[edit]
root# commit
[edit]
  'system'
    Missing mandatory statement: 'root-authentication'
error: commit failed: (missing mandatory statements)

{master:0}[edit]
root# set system root-authentication plain-text-password 
New password: jnpr123
Retype new password: jnpr123

{master:0}[edit]
root# commit

{master:0}[edit]
root# set system host-name EX2300-16
root# run set cli screen-width 100 
Screen width set to 100

root# set system login user lab class super-user authentication plain-text-password 
New password:
Retype new password:

{master:0}[edit]
root# set system services ssh protocol-version v2 
root# set interfaces me0.0 family inet address 172.16.0.16/27 
root# show | compare 
 [edit system login]
+    user lab {
+        class super-user;
+        authentication {
+            encrypted-password "$5$9YdJY4Uf$PvnFzbKAPcxYVbV8GsLmLqL2DcWfgYKRRQx4xga7DI7"; ## SECRET-DATA
+        }
+    }
[edit system services]
+    ssh {
+        protocol-version v2;
+    }
[edit interfaces me0 unit 0 family inet]
+       address 172.16.0.16/27;

{master:0}[edit]
root# commit 
configuration check succeeds
commit complete

root@EX2300-16# run ping 172.16.0.1 

$ ssh 172.16.0.16
Password:
--- Junos 15.1X53-D50.2 Kernel 32-bit  JNPR-11.0-20160614.329646_build
{master:0}
EX2300-16> 

root@EX2300-16# show vlans              
default {
    vlan-id 1;
    l3-interface irb.0;
}
root@EX2300-16# set vlans V100 vlan-id 100 l3-interface irb.100 
root@EX2300-16# delete interfaces ge-0/0/0.0 
root@EX2300-16# set interfaces ge-0/0/1.0 family ethernet-switching interface-mode trunk vlan members V100    
root@EX2300-16# set interfaces ge-0/0/2.0 family ethernet-switching interface-mode trunk vlan members V100 
root@EX2300-16# set interfaces irb.100 family inet address 10.100.0.254/24
root@EX2300-16# delete protocols rstp 
root@EX2300-16# set protocols rstp interface ge-0/0/1 
root@EX2300-16# set protocols rstp interface ge-0/0/2    
root@EX2300-16# set protocols rstp bridge-priority 60k   
root@EX2300-16# show | compare 
[edit interfaces]
-   ge-0/0/0 {
-       unit 0 {
-           family ethernet-switching {
-               storm-control default;
-           }
-       }
-   }
[edit interfaces ge-0/0/1 unit 0 family ethernet-switching]
+      interface-mode trunk;
+      vlan {
+          members V100;
+      }
[edit interfaces ge-0/0/2 unit 0 family ethernet-switching]
+      interface-mode trunk;
+      vlan {
+          members V100;
+      }
[edit interfaces irb]
+    unit 100 {
+        family inet {
+            address 10.100.0.254/24;
+        }
+    }                                  
[edit protocols rstp]
+   bridge-priority 60k;
[edit protocols rstp]
-    interface ge-0/0/0;
-    interface ge-0/0/1;
-    interface ge-0/0/2;
-    interface ge-0/0/3;
… Truncated for brevity
-    interface ge-0/0/23;
-    interface ge-0/1/0;
-    interface xe-0/1/0;
-    interface ge-0/1/1;
-    interface xe-0/1/1;
-    interface ge-0/1/2;
-    interface xe-0/1/2;
-    interface ge-0/1/3;
-    interface xe-0/1/3;
[edit vlans]
+   V100 {
+       vlan-id 100;
+       l3-interface irb.100;
+   }

#### Committing a Configuration

root@EX2300-16# commit 
configuration check succeeds
commit complete

root@EX2300-16# run ping 10.100.0.1    
root@EX2300-16# set interfaces xe-0/1/0 unit 0 family inet address 10.1.0.9/31 
root@EX2300-16# set interfaces ge-0/0/0.0 family inet address 10.1.0.13/31 
root@EX2300-16# commit 
root@EX2300-16# run ping 10.1.0.8 
root@EX2300-16# set routing-options static route 10.100.0.0/24 next-hop 10.100.0.1 
root@EX2300-16# wildcard range set interfaces ge-0/0/[0-23] description "THIS INTERFACE IS FOR LAB USE" 
root@EX2300-16# commit 

root@EX2300-16# run show interfaces descriptions 

root@EX2300-16# run show interfaces terse | match down | except eth-switch 

root@EX2300-16# wildcard range set interfaces ge-0/0/[4-23] disable 
root@EX2300-16# show | compare 
[edit interfaces ge-0/0/4]
+   disable;
[edit interfaces ge-0/0/5]
+   disable;
…

#### Add License


To apply our license, you can paste it into the terminal or secure copy the file to the device and add it from there. Let’s just use the copy paste method:
EX3400-10_11-VC> show system license       
License usage: 
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed 
  ospf2                                 1            0           1    invalid
  virtual-router                        1            0           1    invalid

EX3400-10_11-VC> request system license add terminal    
[Type ^D at a new line to end input,
 enter blank line between each license key]
Serial No :              NV0216340092
Features :               EX-24-EFL : Enhanced feature license for 24 port EX2200, EX3300, EX2300, and EX3400 series switch including IBM OEM SKUs
Issue Date :             04-AUG-2017
License Key : 
Junos942358 aeaqia qmjzld amrrgy ztimbq hezama uqiyds
            qcaztl qbljc6 mpk3zq luzz23 bizbte 47kvo6
            bzfcw6 eufdek t262hr ettskh nbqaic j4
Junos942358: successfully added
add license complete (no errors)

Once you copy and paste the contents of the license into the terminal you have to use CTRL-D to end the input and then, if all is well, you will see the successfully added and no errors statement. 
EX3400-10_11-VC> show system license                    

#### Rollback

ACCESS-1> show system commit 
0   2017-05-05 01:00:58 UTC by tier1 via cli
    Removed interface ge-0/0/0.0 from OSPF area 0.0.0.0//NOC
1   2017-05-01 19:19:28 UTC by tier2 via cli
2   2017-05-01 17:49:30 UTC by tier2 via cli

ACCESS-1> show configuration | compare rollback 1 
[edit protocols ospf area 0.0.0.0]
-     interface ge-0/0/0.0 {
-         interface-type p2p;
-     }

ACCESS-1> edit 
Entering configuration mode

ACCESS-1# show | compare rollback 1 
[edit protocols ospf area 0.0.0.0]
-     interface ge-0/0/0.0 {
-         interface-type p2p;
-     }

ACCESS-1# rollback 1 
load complete

ACCESS-1# show | compare 
[edit protocols ospf area 0.0.0.0]
+     interface ge-0/0/0.0 {
+         interface-type p2p;
+     }
      interface lo0.0 { ... }

ACCESS-1# commit comment "Tier2 rolling back the ospf change from last night"   
configuration check succeeds
commit complete

Real World Scenario 2:


Getting Help

> help apropos help 
> help apropos ospf 
> help topic system configuration                 
> help topic interfaces interface-mode-trunk 
> help reference dot1x authentication-profile-name   

#### System Snapshot

EX4300-6_7-VC> show system storage partitions 
EX4300-6_7-VC> show system snapshot media internal 

EX4300-6_7-VC> request system snapshot slice alternate all-members    

EX4300-6_7-VC> show system snapshot media internal                    

By enabling the auto-snapshot feature you can be sure that the snapshot will automatically take place on system commits:
EX4300-6_7-VC# set system auto-snapshot    
EX4300-6_7-VC# commit 

EX2300> request system snapshot          
EX2300> file list /packages/sets/ 


#### Rescue Configuration

EX4300-6_7-VC> show system alarms 
EX4300-6_7-VC> request system configuration rescue save
EX4300-6_7-VC> show system configuration rescue    
## Last changed: 2017-07-07 01:35:05 UTC
version 14.1X53-D40.8;
groups {
    POC_Lab {
        system {
            host-name EX4300-6_7-VC;
            backup-router 172.16.0.1;
            authentication-order [ radius password ];
            root-authentication {
                encrypted-password "$1$mlMH7KjC$gOLJ9YI4KWlwDMgAfc5iT1"; ## SECRET-DATA
            }
            name-server {
                8.8.8.8;
… Truncated for brevity

And finally, you can verify that the alarm is cleared.
EX4300-6_7-VC> show system alarms 
No alarms currently active

The rescue configuration is valuable as a golden configuration or known-good baseline, because you can roll back to it at any time. Keep in mind that it is a full copy of the configuration, including the password hashes (the root password shown above is in $1$ MD5-crypt form, which is weak by today's standards), so protect the rescue file like the active configuration.
EX4300-6_7-VC# rollback rescue 
load complete
EX4300-6_7-VC# show | compare 
EX4300-6_7-VC# commit 
fpc1: 
configuration check succeeds
fpc0: 
commit complete
fpc1: 
commit complete


#### Chapter 4

#### Virtual Chassis

# set virtual-chassis no-split-detection
# commit comment "enabling no-split-detection on my 2 member vc"

Virtual Chassis (VC) Configuration

# set virtual-chassis member 0 role routing-engine serial-number AAAA
# set virtual-chassis member 1 role line-card serial-number BBBB
# set virtual-chassis member 2 role routing-engine serial-number CCCC
# set virtual-chassis member 3 role line-card serial-number DDDD
# set virtual-chassis member 4 role line-card serial-number EEEE
# set virtual-chassis preprovisioned
# show | compare
# commit check
# commit comment "Creating the preprovisioned configuration for my VC"

To renumber a member-id you utilize the operational request virtual-chassis renumber command:
EX4300-6_7-VC> request virtual-chassis ?
Possible completions:
  mode                 Set a member's mode (Warning: member's mode must be consistent)
  reactivate           Make active from inactive-split mode
  recycle              Recycle member ID
  renumber             Change member ID
  vc-port              Set or delete member's virtual chassis ports

For troubleshooting purposes, you can also use traceoptions that you can turn on and off through apply-groups.  Here is a sample configuration using traceoptions to monitor the status of the Virtual Chassis (Just remember to turn off traceoptions when not in use so it does not impact performance):
# set groups VCTRACE virtual-chassis traceoptions file vctrace.log
# set groups VCTRACE virtual-chassis traceoptions file size 1m
# set groups VCTRACE virtual-chassis traceoptions file files 3
# set groups VCTRACE virtual-chassis traceoptions file world-readable
# set groups VCTRACE virtual-chassis traceoptions flag all
# set apply-groups VCTRACE
# show | compare
# commit check
# commit comment "Creating the traceoptions file for my VC"

> show log vctrace.log
If you remove the set apply-groups VCTRACE statement you disable that group and it will no longer collect logs. To remove the VCTRACE group from apply-groups issue:
> edit
# delete apply-groups VCTRACE
# commit comment "VCTRACE no longer active"
# exit
> show log vctrace.log
Let’s take a look at the output from a real Virtual Chassis (VC). Refer to the lab topology used for this book. Note that all of the VC’s are only 2-members. What is one of the commands we should see in the configuration? You guessed it no-split-detection. Now let’s see what we have on EX4600-4:
EX4600-4_5-VC> show virtual-chassis status 
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    TC3714350038 ex4600-40f     129   Master*      N  VC   1  vcp-255/0/24
1 (FPC 1)  Prsnt    TC3714350071 ex4600-40f     129   Backup       N  VC   0  vcp-255/0/24

Now let’s look at the actual configuration and see how it was pre-provisioned:
EX4600-4_5-VC> show configuration | display set | match virtual-chassis 
set groups POC_Lab virtual-chassis preprovisioned
set groups POC_Lab virtual-chassis no-split-detection
set groups POC_Lab virtual-chassis member 0 role routing-engine
set groups POC_Lab virtual-chassis member 0 serial-number TC3714350038
set groups POC_Lab virtual-chassis member 1 role routing-engine
set groups POC_Lab virtual-chassis member 1 serial-number TC3714350071
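Preprovisioning is the control that keeps a stranger's switch from joining your VC: only the listed serial numbers get a member ID, and the 2-member rule about no-split-detection is easy to forget. The following script is an added example for this chapter, not code from the book or from Juniper. It parses the show virtual-chassis status table and the display set virtual-chassis lines shown above and reports anything that weakens the VC's integrity: a VC that is not preprovisioned, a member that is not present, a member whose serial is not in the preprovisioned list, a serial running under a different member ID than configured, a configured line-card holding Master or Backup, and a 2-member VC without no-split-detection. STATUS_HEALTHY and CONFIG_HEALTHY are the EX4600 output above; STATUS_DEGRADED is constructed for the example (member 1 gone and an unprovisioned EX4300 cabled in; the Unprvsnd row is invented here).

```python
"""Check a Junos Virtual Chassis against its preprovisioned configuration.
Added example for this chapter, not from the book or Juniper: it parses the
"show virtual-chassis status" table and the "display set" virtual-chassis
statements and reports anything that weakens the VC's integrity."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Member:
    member_id: int
    status: str            # Prsnt, NotPrsnt, Unprvsnd, ...
    serial: str
    model: str
    priority: Optional[int]
    role: Optional[str]    # Master, Backup or Linecard (None when not present)


# Output from the chapter's EX4600 VC.
STATUS_HEALTHY = """\
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    TC3714350038 ex4600-40f     129   Master*      N  VC   1  vcp-255/0/24
1 (FPC 1)  Prsnt    TC3714350071 ex4600-40f     129   Backup       N  VC   0  vcp-255/0/24
"""

CONFIG_HEALTHY = """\
set groups POC_Lab virtual-chassis preprovisioned
set groups POC_Lab virtual-chassis no-split-detection
set groups POC_Lab virtual-chassis member 0 role routing-engine
set groups POC_Lab virtual-chassis member 0 serial-number TC3714350038
set groups POC_Lab virtual-chassis member 1 role routing-engine
set groups POC_Lab virtual-chassis member 1 serial-number TC3714350071
"""

# Constructed degraded state: member 1 is gone and a switch that is not in the
# preprovisioned list is cabled to a VCP.  The Unprvsnd row is invented for
# this example; the serial is the chapter's EX4300.
STATUS_DEGRADED = """\
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    TC3714350038 ex4600-40f     129   Master*      N  VC   2  vcp-255/0/26
1 (FPC 1)  NotPrsnt TC3714350071 ex4600-40f
2 (FPC 2)  Unprvsnd PG3713290062 ex4300-24t     128   Linecard     N  VC   0  vcp-255/1/2
"""

ROW = re.compile(r"^(\d+)\s+\(FPC\s+\d+\)\s+(.*)$")


def parse_vc_status(text):
    """Parse member rows; continuation rows listing extra neighbor ports are skipped."""
    members, has_alias = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Member ID"):
            has_alias = "Alias-Name" in line      # QFX output inserts this column
            continue
        m = ROW.match(line)
        if not m:
            continue
        tok = m.group(2).split()
        if has_alias and len(tok) > 2:
            del tok[2]                            # drop the alias so columns line up
        prio = int(tok[3]) if len(tok) > 3 and tok[3].isdigit() else None
        role = tok[4].rstrip("*") if len(tok) > 4 else None
        members.append(Member(int(m.group(1)), tok[0], tok[1],
                              tok[2] if len(tok) > 2 else "", prio, role))
    return members


def parse_vc_config(text):
    """Collect virtual-chassis statements, whether set directly or under a group."""
    cfg = {"preprovisioned": False, "no_split_detection": False, "members": {}}
    for raw in text.splitlines():
        t = raw.split()
        if "virtual-chassis" not in t:
            continue
        t = t[t.index("virtual-chassis") + 1:]
        if t[:1] == ["preprovisioned"]:
            cfg["preprovisioned"] = True
        elif t[:1] == ["no-split-detection"]:
            cfg["no_split_detection"] = True
        elif t[:1] == ["member"] and len(t) >= 4:  # member N role|serial-number|mastership-priority VALUE
            cfg["members"].setdefault(int(t[1]), {})[t[2]] = t[3]
    return cfg


def audit_vc(status_text, config_text):
    """Return a list of human-readable findings; an empty list means the VC matches its config."""
    members = parse_vc_status(status_text)
    cfg = parse_vc_config(config_text)
    by_serial = {m["serial-number"]: (mid, m.get("role"))
                 for mid, m in cfg["members"].items() if "serial-number" in m}
    findings = []
    if not cfg["preprovisioned"]:
        findings.append("VC is not preprovisioned: any switch cabled to a VCP can join and claim a member ID")
    if len(members) == 2 and not cfg["no_split_detection"]:
        findings.append("2-member VC without no-split-detection: a split may leave the survivor in linecard role")
    for m in members:
        if m.status != "Prsnt":
            findings.append(f"member {m.member_id} ({m.serial}) status is {m.status}")
        if not cfg["preprovisioned"]:
            continue
        if m.serial not in by_serial:
            findings.append(f"member {m.member_id} serial {m.serial} is not in the preprovisioned member list")
            continue
        cfg_id, cfg_role = by_serial[m.serial]
        if cfg_id != m.member_id:
            findings.append(f"serial {m.serial} is configured as member {cfg_id} but runs as member {m.member_id}")
        if cfg_role == "line-card" and m.role in ("Master", "Backup"):
            findings.append(f"member {m.member_id} is a configured line-card but holds the {m.role} role")
    return findings


if __name__ == "__main__":
    for line in audit_vc(STATUS_DEGRADED, CONFIG_HEALTHY):
        print(line)
```

Feed it the two command outputs from each VC in a monitoring job and alert on any non-empty result; the healthy EX4600 pair above returns nothing, while the constructed degraded state reports the missing member, the unprovisioned member's status, and its unknown serial.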

Let’s look at the version of Junos running on each of the members in our VC:
EX4600-4_5-VC> show version all-members brief 

You can also check the actual Virtual Chassis Ports (VCPs) from the command line:
EX4600-4_5-VC> show virtual-chassis vc-port                       

#### Virtual Chassis Port Numbering

EX4300-6_7-VC> show chassis hardware 

#### Virtual Chassis Priorities and Roles

A VC member operates in one of three roles: Master (the active routing engine), Backup, or Linecard. In the preprovisioned configuration you assign only two: routing-engine (eligible to become Master or Backup) and line-card.
EX4300-6_7-VC> show virtual-chassis 
Preprovisioned Virtual Chassis
Virtual Chassis ID: 3cc8.b1b8.7370
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    PG37290062 ex4300-24t     129   Backup       N  VC   1  vcp-255/1/0
                                                                           1  vcp-255/1/1
1 (FPC 1)  Prsnt    PG37290002 ex4300-24t     129   Master*      N  VC   0  vcp-255/1/0
                                                                           0  vcp-255/1/1

The simple 2-member VC configured here shows that both members are present and that our Member 1 switch is currently the master routing engine.  The configuration is preprovisioned:
EX4300-6_7-VC> show configuration | display set | match virtual 
set groups POC_Lab virtual-chassis preprovisioned
set groups POC_Lab virtual-chassis no-split-detection
set groups POC_Lab virtual-chassis member 0 role routing-engine
set groups POC_Lab virtual-chassis member 0 serial-number PG37290062
set groups POC_Lab virtual-chassis member 1 role routing-engine
set groups POC_Lab virtual-chassis member 1 serial-number PG37290002

The highest priority on a VC member wins. Therefore, you want the master and backup RE to have the same priority 255. The line cards can then be set to 128.
QFX5100-2_3-VC# show virtual-chassis | display set 
set virtual-chassis no-split-detection
set virtual-chassis member 0 mastership-priority 255
set virtual-chassis member 1 mastership-priority 255
set virtual-chassis aliases serial-number TA3716170025 alias-name RE1
set virtual-chassis aliases serial-number TA3716170306 alias-name RE0
Note that the keyword preprovisioned is not used in assigning priorities.

#### Virtual Chassis Alias-Name

This is a very short primer on using alias-name for virtual chassis.  Here you set the different member’s names RE0 and RE1, but you could just as easily make them DC-RACK1-ROW5 or BLDG5-RM309. This would come in handy in an extended VC where a single switch is spread across ten different locations.
QFX5100-2_3-VC# set virtual-chassis aliases serial-number TA3716170306 alias-name RE0
QFX5100-2_3-VC# set virtual-chassis aliases serial-number TA3716170025 alias-name RE1
QFX5100-2_3-VC# run show virtual-chassis 
Virtual Chassis ID: 1783.5be0.70d8
Virtual Chassis Mode: Enabled
                                                             Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Alias-Name   Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    TA3716170306 RE0          qfx5100-48s-6q 128   Master*      N  VC   1  vcp-255/0/48
                                                                                        1  vcp-255/0/49
1 (FPC 1)  Prsnt    TA3716170025 RE1          qfx5100-48s-6q 128   Backup       N  VC   0  vcp-255/0/48
                                                                                        0  vcp-255/0/49

#### Virtual Chassis Convert VCP to 40G Uplink

First, you need to know what ports are connected on the QSFP+ ports, so let’s take a look.
EX4300-6_7-VC> show virtual-chassis vc-port    
fpc0:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
1/0         Configured          5    Up           40000        1   vcp-255/1/0
1/1         Configured          5    Up           40000        1   vcp-255/1/1
1/3         Configured               Absent  
1/2         Configured               Absent  
fpc1:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
1/0         Configured          5    Up           40000        0   vcp-255/1/0
1/1         Configured          5    Up           40000        0   vcp-255/1/1
1/3         Configured               Absent  
1/2         Configured               Absent  

As you can see, we have PIC 1 ports 0 and 1 in use on each of the switches that make up the Virtual Chassis. Let's focus on member 0, PIC 1, port 2 and convert it to a normal interface:
EX4300-6_7-VC> request virtual-chassis vc-port delete pic-slot 1 port 2 member 0    
fpc0:
--------------------------------------------------------------------------
vc-port successfully deleted

{master:1}
EX4300-6_7-VC> show virtual-chassis vc-port                                         
fpc0:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
1/0         Configured          5    Up           40000        1   vcp-255/1/0
1/1         Configured          5    Up           40000        1   vcp-255/1/1
1/3         Configured               Absent  
fpc1:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
1/0         Configured          5    Up           40000        0   vcp-255/1/0
1/1         Configured          5    Up           40000        0   vcp-255/1/1
1/3         Configured               Absent  
1/2         Configured               Absent  

Now you can see that the PIC 1 PORT 2 interface is no longer present on the switch.  
The next step is to configure the 40G interface on the switch:
EX4300-6_7-VC# set interfaces et-0/1/2 unit 0 family inet address 192.168.99.1/31 

{master:1}[edit]
EX4300-6_7-VC# commit 
fpc1: 
configuration check succeeds
fpc0: 
commit complete
fpc1: 
commit complete

EX4300-6_7-VC> show interfaces terse | match et- 
et-0/1/2                up    up
et-0/1/2.0              up    up   inet     192.168.99.1/31 

Now you can see the 40G interface is up, so let’s check the optic in the hardware output:
EX4300-6_7-VC> show chassis hardware               

EX4600-4_5-VC# set interfaces et-0/0/26.0 family inet address 192.168.99.0/31

Once that is committed you can do a quick ping to see if there’s connectivity:
EX4600-4_5-VC# run ping 192.168.99.1 source 192.168.99.0 

If you remember from a previous note, the EX4600s, when placed in a mixed-mode Virtual Chassis, have to be the routing engines. What we need to do is grab all the serial numbers from the switches and make sure we have a ring topology for our VC. Then we can preprovision our mixed-mode VC and see if we can turn two VCs into one managed VC. This is the fun stuff Systems Engineers get to do!
EX4600-4_5-VC# run show chassis hardware | match FPC | except BUILTIN 
FPC 0            REV 22   650-049940   TC3714350038      EX4600-40F
FPC 1            REV 22   650-049940   TC3714350071      EX4600-40F

EX4300-6_7-VC> show chassis hardware | match FPC | except BUILT 
FPC 0            REV 06   650-044936   PG3713290062      EX4300-24T
FPC 1            REV 06   650-044936   PG3713290002      EX4300-24T

EX4600-4_5-VC> request virtual-chassis vc-port set pic-slot 0 port 26    
Port conversion initiated,  use show virtual-chassis vc-port to verify

EX4300-6_7-VC> show virtual-chassis vc-port                             
fpc0:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
1/0         Configured          5    Up           40000        1   vcp-255/1/0
1/1         Configured          5    Up           40000        1   vcp-255/1/1
1/3         Configured               Absent  
fpc1:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
1/0         Configured          5    Up           40000        0   vcp-255/1/0
1/1         Configured          5    Up           40000        0   vcp-255/1/1
1/2         Configured         -1    Down         40000
1/3         Configured               Absent  

EX4300-6_7-VC> request virtual-chassis vc-port set pic-slot 1 port 2 member 0
fpc0:
--------------------------------------------------------------------------
Port conversion initiated,  use show virtual-chassis vc-port to verify

As soon as you convert the QSFP+ ports back on the EX4300’s you can see that the EX4600 has already found the EX4300’s and thinks they are part of the VC.
EX4600-4_5-VC> show virtual-chassis 
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    TC3714350038 ex4600-40f     129   Master*      N  VC   2  vcp-255/0/26
1 (FPC 1)  NotPrsnt TC3714350071 ex4600-40f    
2 (FPC 2)  Inactive PG3713290062 ex4300-24t       0   Linecard     N  VC   3  vcp-255/1/0
                                                                           3  vcp-255/1/1
                                                                           0  vcp-255/1/2
3 (FPC 3)  Inactive PG3713290002 ex4300-24t       0   Linecard     N  VC   2  vcp-255/1/0
                                                                           2  vcp-255/1/1

Now apply the following virtual-chassis configuration:
EX4600-4_5-VC# show virtual-chassis | display set 
set virtual-chassis auto-sw-update
set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number TC3714350038
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number TC3714350071
set virtual-chassis member 2 role line-card
set virtual-chassis member 2 serial-number PG3713290062
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number PG3713290002

Finally, the secret sauce gets applied to the virtual-chassis to make it mixed mode. Once this is run, the VC needs to reboot, so go ahead and issue the reboot command along with the request. Let’s make it happen, captain!
EX4600-4_5-VC> request virtual-chassis mode mixed all-members reboot
fpc1:
--------------------------------------------------------------------------
Mode set to 'Virtual Chassis with mixed devices'.  Rebooting system...
fpc2:
--------------------------------------------------------------------------
Mode set to 'Virtual Chassis with mixed devices'.  Rebooting system...
fpc3:
--------------------------------------------------------------------------
Mode set to 'Virtual Chassis with mixed devices'.  Rebooting system...
fpc0:
--------------------------------------------------------------------------
Mode set to 'Virtual Chassis with mixed devices'.  Rebooting system...
                                                                               
*** System shutdown message from root@EX4600-4_5-VC ***                      
System going down in 1 minute                         

Once the VC is rebooted, log back in and you can see that we now have a mixed-mode Virtual Chassis with EX4600’s and EX4300’s.
EX4600-4_5-VC> show virtual-chassis 
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Mixed
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    TC3714350038 ex4600-40f     129   Master*      Y  VC   1  vcp-255/0/24
                                                                           2  vcp-255/0/26
1 (FPC 1)  Prsnt    TC3714350071 ex4600-40f     129   Backup       Y  VC   0  vcp-255/0/24
2 (FPC 2)  Prsnt    PG3713290062 ex4300-24t       0   Linecard     Y  VC   0  vcp-255/1/2
                                                                           3  vcp-255/1/0
                                                                           3  vcp-255/1/1
3 (FPC 3)  Prsnt    PG3713290002 ex4300-24t       0   Linecard     Y  VC   2  vcp-255/1/1
                                                                           2  vcp-255/1/0
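A preprovisioned VC only does what you want if the serial numbers, roles and mixed-mode flags in show virtual-chassis line up with the configuration you applied. As an added example (this is not code from the book), the following Python script parses the set virtual-chassis configuration and the show virtual-chassis output above and reports every member that is missing, not present, carries a different serial number, runs in the wrong role, or is not in mixed mode. Both transcripts are copied from the outputs above; the role mapping (routing-engine may show as Master or Backup, line-card as Linecard) is an assumption of the example.

```python
import re

# Added example, not from the book. Config and outputs are copied from the
# transcripts above; ROLE_MAP is this example's own assumption.
PREPROVISION_CONFIG = """\
set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number TC3714350038
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number TC3714350071
set virtual-chassis member 2 role line-card
set virtual-chassis member 2 serial-number PG3713290062
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number PG3713290002
"""

# Output after the mixed-mode reboot (all members present, Mixed Mode = Y).
SHOW_VC_AFTER = """\
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Mixed
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    TC3714350038 ex4600-40f     129   Master*      Y  VC   1  vcp-255/0/24
                                                                           2  vcp-255/0/26
1 (FPC 1)  Prsnt    TC3714350071 ex4600-40f     129   Backup       Y  VC   0  vcp-255/0/24
2 (FPC 2)  Prsnt    PG3713290062 ex4300-24t       0   Linecard     Y  VC   0  vcp-255/1/2
                                                                           3  vcp-255/1/0
3 (FPC 3)  Prsnt    PG3713290002 ex4300-24t       0   Linecard     Y  VC   2  vcp-255/1/1
                                                                           2  vcp-255/1/0
"""

# Output before the reboot (member 1 NotPrsnt, EX4300s Inactive, not mixed).
SHOW_VC_BEFORE = """\
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    TC3714350038 ex4600-40f     129   Master*      N  VC   2  vcp-255/0/26
1 (FPC 1)  NotPrsnt TC3714350071 ex4600-40f
2 (FPC 2)  Inactive PG3713290062 ex4300-24t       0   Linecard     N  VC   3  vcp-255/1/0
                                                                           3  vcp-255/1/1
3 (FPC 3)  Inactive PG3713290002 ex4300-24t       0   Linecard     N  VC   2  vcp-255/1/0
"""

# A member line starts with "<id> (FPC <n>)"; the prio/role/mixed columns are
# absent for a NotPrsnt member, so that part of the pattern is optional.
MEMBER_RE = re.compile(
    r"^(?P<id>\d+)\s+\(FPC\s+\d+\)\s+(?P<status>\S+)\s+(?P<serial>\S+)\s+(?P<model>\S+)"
    r"(?:\s+(?P<prio>\d+)\s+(?P<role>\S+)\s+(?P<mixed>[YN]))?"
)
ROLE_MAP = {"routing-engine": {"Master", "Backup"}, "line-card": {"Linecard"}}


def parse_preprovision(cfg):
    """{member_id: {'role': ..., 'serial-number': ...}} from set commands."""
    expected = {}
    for line in cfg.splitlines():
        m = re.match(r"set virtual-chassis member (\d+) (role|serial-number) (\S+)", line.strip())
        if m:
            expected.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return expected


def parse_show_vc(text):
    """Return (mode, {member_id: fields}) from show virtual-chassis output."""
    mode, members = None, {}
    for line in text.splitlines():
        if line.startswith("Virtual Chassis Mode:"):
            mode = line.split(":", 1)[1].strip()
            continue
        m = MEMBER_RE.match(line)  # neighbor-list continuation lines never match
        if m:
            members[int(m.group("id"))] = {
                "status": m.group("status"),
                "serial": m.group("serial"),
                "role": (m.group("role") or "").rstrip("*"),  # '*' marks the local RE
                "mixed": m.group("mixed"),
            }
    return mode, members


def audit_vc(cfg, show_output, expect_mixed=True):
    """List every way the live VC differs from the preprovisioned intent."""
    expected = parse_preprovision(cfg)
    mode, members = parse_show_vc(show_output)
    issues = []
    if expect_mixed and mode != "Mixed":
        issues.append(f"VC mode is {mode!r}, expected 'Mixed'")
    for mid, exp in sorted(expected.items()):
        got = members.get(mid)
        if got is None:
            issues.append(f"member {mid}: not listed in show virtual-chassis")
            continue
        if got["serial"] != exp.get("serial-number"):
            issues.append(f"member {mid}: serial {got['serial']} != configured {exp.get('serial-number')}")
        if got["status"] != "Prsnt":
            issues.append(f"member {mid}: status is {got['status']}")
            continue
        if got["role"] not in ROLE_MAP.get(exp.get("role"), set()):
            issues.append(f"member {mid}: role {got['role']!r} does not match configured {exp.get('role')!r}")
        if expect_mixed and got["mixed"] != "Y":
            issues.append(f"member {mid}: mixed-mode flag is {got['mixed']!r}")
    return issues


if __name__ == "__main__":
    print("before reboot:", audit_vc(PREPROVISION_CONFIG, SHOW_VC_BEFORE))
    print("after reboot: ", audit_vc(PREPROVISION_CONFIG, SHOW_VC_AFTER))
```

Run against the post-reboot output the audit returns an empty list; against the pre-reboot output it reports the wrong mode, member 0 not yet in mixed mode, member 1 NotPrsnt and members 2 and 3 Inactive, which is exactly the state the text describes before the mode change.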


EX4600-4_5-VC> request virtual-chassis mode disable mixed all-members reboot 
fpc1:
--------------------------------------------------------------------------
Mode set to 'Virtual Chassis with similar devices'.  Rebooting system...

Once mixed mode has been disabled and the system rebooted, you can see that you are indeed back to a two-switch EX4600 VC and a two-switch EX4300 VC.
EX4600-4_5-VC> show virtual-chassis 
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    TC3714350038 ex4600-40f     128   Backup       N  VC   1  vcp-255/0/24
1 (FPC 1)  Prsnt    TC3714350071 ex4600-40f     129   Master*      N  VC   0  vcp-255/0/24

EX4300-6_7-VC> show virtual-chassis 
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    PG3713290062 ex4300-24t     129   Master*      N  VC   1  vcp-255/1/0
                                                                           1  vcp-255/1/1
1 (FPC 1)  Prsnt    PG3713290002 ex4300-24t     129   Backup       N  VC   0  vcp-255/1/0
                                                                           0  vcp-255/1/1
#### Virtual Chassis Change Mastership

Sometimes you may want to manually switch the mastership from one routing engine to another. To do this there are three commands available from the operational prompt.
EX4300-6_7-VC> request chassis routing-engine master ?
Possible completions:
  acquire              Attempt to become master Routing Engine
  release              Request that other Routing Engine become master
  switch               Toggle mastership between Routing Engines

EX4300-6_7-VC> request chassis routing-engine master release 
warning: Traffic will be interrupted while the PFE is re-initialized
Request the other routing engine become master ? [yes,no] (no) yes 

This results in member 1 now being the master routing engine. 
EX4300-6_7-VC> show virtual-chassis    
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    PG3713290062 ex4300-24t     129   Backup       N  VC   1  vcp-255/1/0
                                                                           1  vcp-255/1/1
1 (FPC 1)  Prsnt    PG3713290002 ex4300-24t     129   Master*      N  VC   0  vcp-255/1/0
                                                                           0  vcp-255/1/1
	
You can also use the switch keyword:
EX4300-6_7-VC> request chassis routing-engine master switch no-confirm 
EX4300-6_7-VC> show virtual-chassis 
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    PG3713290062 ex4300-24t     129   Master*      N  VC   1  vcp-255/1/0
                                                                           1  vcp-255/1/1
1 (FPC 1)  Prsnt    PG3713290002 ex4300-24t     129   Backup       N  VC   0  vcp-255/1/0
                                                                           0  vcp-255/1/1

And finally, there is the acquire keyword, but you have to be logged in to the member that you want to acquire mastership, so first you need to request session member 1:
EX4300-6_7-VC> request session member 1 
{backup:1}
lab@EX4300-6_7-VC> request chassis routing-engine master acquire 
warning: Traffic will be interrupted while the PFE is re-initialized
Attempt to become the master routing engine ? [yes,no] (no) yes 
Command aborted. Not ready for mastership switch, try after 70 secs.

EX4300-6_7-VC> request chassis routing-engine master acquire    
warning: Traffic will be interrupted while the PFE is re-initialized
Attempt to become the master routing engine ? [yes,no] (no) yes

EX4300-6_7-VC> show virtual-chassis 
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    PG3713290062 ex4300-24t     129   Backup       N  VC   1  vcp-255/1/0
                                                                           1  vcp-255/1/1
1 (FPC 1)  Prsnt    PG3713290002 ex4300-24t     129   Master*      N  VC   0  vcp-255/1/0
                                                                           0  vcp-255/1/1

You can check for mastership changes in the mastership log file:
EX4300-6_7-VC> show log mastership | match "Jul 28" | match Role 
Jul 28 00:26:54 Role: LINECARD
Jul 28 00:41:56 Role: LINECARD
Jul 28 01:12:01 Role: BACKUP
Jul 28 01:15:13 Role: LINECARD
Jul 28 01:36:34 Role: BACKUP
Jul 28 01:44:33 Role: BACKUP
Jul 28 01:59:00 Role: BACKUP
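The mastership log is also the place to look when a routing engine changes role without anyone having run the commands above. As an added example (not from the book), the following Python script turns the filtered show log mastership output into a list of role transitions and picks out promotions to MASTER, so an unexpected change stands out among the repeated Role lines. The first seven log lines are the ones shown above; the final MASTER entry is constructed for this example so the promotion check has something to report.

```python
import re
from typing import List, Tuple

# Added example, not from the book. The first seven lines are the
# "show log mastership | match Role" output above; the last line is a
# constructed MASTER entry (an assumption of this example).
SAMPLE_LOG = """\
Jul 28 00:26:54 Role: LINECARD
Jul 28 00:41:56 Role: LINECARD
Jul 28 01:12:01 Role: BACKUP
Jul 28 01:15:13 Role: LINECARD
Jul 28 01:36:34 Role: BACKUP
Jul 28 01:44:33 Role: BACKUP
Jul 28 01:59:00 Role: BACKUP
Jul 28 02:10:42 Role: MASTER
"""

# "<Mon> <day> <hh:mm:ss> Role: <ROLE>"; other lines in the log are ignored.
ROLE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+Role:\s+(?P<role>[A-Z]+)"
)


def parse_roles(text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, role) for every Role: line, in log order."""
    entries = []
    for line in text.splitlines():
        m = ROLE_RE.match(line.strip())
        if m:
            entries.append((m.group("ts"), m.group("role")))
    return entries


def role_transitions(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Collapse repeated roles and keep only the (time, old, new) change points."""
    changes = []
    prev = None
    for ts, role in entries:
        if prev is not None and role != prev:
            changes.append((ts, prev, role))
        prev = role
    return changes


def promotions_to_master(entries: List[Tuple[str, str]]) -> List[str]:
    """Timestamps at which this member became MASTER; worth alerting on."""
    return [ts for ts, _old, new in role_transitions(entries) if new == "MASTER"]


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_LOG)
    for ts, old, new in role_transitions(roles):
        print(f"{ts}: {old} -> {new}")
    print("promotions:", promotions_to_master(roles))
```

Feed it the unfiltered log (without the match filters) and it still works, because only lines carrying a Role: field are parsed; comparing the transition times against your change tickets is a quick way to confirm that every mastership switch was a planned one.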



#### Chapter 5

#### Configuring Virtual Chassis High Availability Features

Let’s configure the prerequisites and then see it in action.
EX4300-6_7-VC# set chassis nssu 

#### Configuring Graceful Routing Engine Switchover (GRES)

EX4300-6_7-VC# set chassis redundancy graceful-switchover
At this point our Task Replication is still showing disabled so let’s continue on and enable NSR and NSB.

#### Configuring Non-Stop Routing and Non-Stop Bridging

Non-Stop Active Routing (NSR) allows the routing table to synchronize across both Routing Engines. This allows packets to be forwarded based on that synchronized state without having to learn all routes and wait for convergence of dynamic routing protocols.
EX4300-6_7-VC# set routing-options nonstop-routing 

EX4300-6_7-VC# set protocols layer2-control nonstop-bridging

EX4300-6_7-VC# run show task replication 
        Stateful Replication: Enabled
        RE mode: Master

#### Performing NSSU

Everything is in place for a software upgrade, so let’s go ahead and upgrade our EX4300 VC from 14.1X53-D30.3 to 14.1X53-D35.3 and see how it goes.
First, you need to stage the code, and for this exercise we are going to use a small stepped release jinstall-ex-4300-14.1X53-D35.3:
$ scp jinstall-ex-4300-14.1X53-D35.3-domestic-signed.tgz 172.16.0.6:/var/tmp/
$ telnet 172.16.0.15 2006
login: lab
Password:
--- Junos 14.1X53-D30.3 built 2017-04-23 01:56:25 UTC
{master:0}
lab@EX4300-6_7-VC> show virtual-chassis 

EX4300-6_7-VC# show | display set | match "grace|non" 
set chassis redundancy graceful-switchover
set routing-options nonstop-routing
set protocols layer2-control nonstop-bridging

EX4300-6_7-VC> show task replication 
        Stateful Replication: Enabled
        RE mode: Master

EX4300-6_7-VC> set cli screen-width 160                          
Screen width set to 160

Now start the Non-Stop Service Upgrade (NSSU). The jinstall package is copied to member 1 first; once member 1 has rebooted, member 0 releases mastership, then loads the software and reboots itself:
lab@EX4300-6_7-VC> request system software nonstop-upgrade /var/tmp/jinstall-ex-4300-14.1X53-D35.3-domestic-signed.tgz    
Chassis ISSU Check Done
[Jul 30 13:05:24]:ISSU: Validating Image
[Jul 30 13:05:25]:ISSU: Preparing Backup RE
Installing image on other FPC's along with the backup
[Jul 30 13:05:25]: Checking pending install on fpc1
Pushing /var/tmp/jinstall-ex-4300-14.1X53-D35.3-domestic-signed.tgz to fpc1:/var/tmp/jinstall-ex-4300-14.1X53-D35.3-domestic-signed.tgz
NOTICE: Validating configuration against jinstall-ex-4300-14.1X53-D35.3-domestic-signed.tgz.
NOTE	Use the no-validate option to skip this if desired.
Verify the signature of the new package:
Verified jinstall-ex-4300-14.1X53-D35.3-domestic.tgz signed by PackageProductionRSA_2016
WARNING: A reboot is required to install the software
WARNING:     Use the 'request system reboot' command immediately
[Jul 30 13:06:23]: Completed install on fpc1
[Jul 30 13:06:38]: Backup upgrade done
[Jul 30 13:06:38]: Rebooting Backup RE
Rebooting fpc1
[Jul 30 13:06:39]:ISSU: Backup RE Prepare Done
[Jul 30 13:06:39]: Waiting for Backup RE reboot
 
lab@EX4300-6_7-VC> show virtual-chassis status 
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  NotPrsnt PG3713290062 ex4300-24t    
1 (FPC 1)  Prsnt    PG3713290002 ex4300-24t     129   Master*      N  VC

Once member 0 is back from the software upgrade and reboot you can see that it is now the backup RE for the VC:
EX4300-6_7-VC> show virtual-chassis status    
Preprovisioned Virtual Chassis
Virtual Chassis ID: 72ad.ea24.787d
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    PG3713290062 ex4300-24t     129   Backup       N  VC   1  vcp-255/1/0
                                                                           1  vcp-255/1/1
1 (FPC 1)  Prsnt    PG3713290002 ex4300-24t     129   Master*      N  VC   0  vcp-255/1/0
                                                                           0  vcp-255/1/1

EX4300-6_7-VC> request chassis routing-engine master switch 
Toggle mastership between routing engines ? [yes,no] (no) yes 
{master:1}
lab@EX4300-6_7-VC> 
EX4300-6_7-VC (ttyu0)
login: lab
Password:
--- Junos 14.1X53-D35.3 built 2016-03-01 02:32:19 UTC
{master:0}
lab@EX4300-6_7-VC> 


#### Configuring Auto-SW Upgrade

EX4300-6_7-VC# set virtual-chassis auto-sw-update ex-4300 package-name /var/tmp/jinstall-ex-4300-14.1X53-D35.3-signed.tgz 


#### Chapter 6

#### Configuring EX Series Interfaces

#### Configuring Layer 2 Interface Modes

EX4300-6_7-VC# set interfaces ge-0/0/0.0 family ethernet-switching interface-mode trunk vlan members all
	
EX4300-6_7-VC# set interfaces ge-0/0/0.0 family ethernet-switching interface-mode access vlan members V100

EX4300-6_7-VC# wildcard range set interfaces ge-[0-1]/0/[0-23] unit 0 family ethernet-switching interface-mode access vlan members V100 
EX4300-6_7-VC# show | compare 
[edit interfaces ge-0/0/0 unit 0 family ethernet-switching]
-      interface-mode trunk;
+      interface-mode access;
[edit interfaces ge-0/0/0 unit 0 family ethernet-switching vlan]
-       members all;
+       members [ all V100 ];
[edit interfaces ge-0/0/1 unit 0 family ethernet-switching]
+      interface-mode access;
+      vlan {
+          members V100;
+      }

#### Configuring VLAN Membership On an Interface

EX4300-6_7-VC# set interfaces ge-0/0/1.0 family ethernet-switching interface-mode access vlan members V100

EX4300-6_7-VC# set interfaces xe-0/2/2.0 family ethernet-switching interface-mode trunk vlan members V100 
EX4300-6_7-VC# set interfaces xe-0/2/2.0 family ethernet-switching interface-mode trunk vlan members V200    
EX4300-6_7-VC# set interfaces xe-0/2/2.0 family ethernet-switching interface-mode trunk vlan members V300    
EX4300-6_7-VC# show interfaces xe-0/2/2 
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members [ V100 V200 V300 ];
        }
    }
}

Or you can add them as a set of values:
EX4300-6_7-VC# set interfaces xe-0/2/2.0 family ethernet-switching interface-mode trunk vlan members [V100 V200 V300] 
EX4300-6_7-VC# show interfaces xe-0/2/2 
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members [ V100 V200 V300 ];
        }
    }
}

You can also use the all keyword and place all of the available VLANs on a specific trunked interface:
EX4300-6_7-VC# set interfaces xe-0/2/2.0 family ethernet-switching interface-mode trunk vlan members all                 
EX4300-6_7-VC# show interfaces xe-0/2/2 
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members all;
        }
    }
}

#### Configuring INET (layer 3 IPv4) interfaces

EX4300-6_7-VC# show interfaces ge-0/0/4    
unit 0 {
    family ethernet-switching {
        interface-mode access;
        vlan {
            members V100;
        }
    }
}
EX4300-6_7-VC# delete interfaces ge-0/0/4.0 
EX4300-6_7-VC# set interfaces ge-0/0/4.0 family inet address 10.10.1.1/30 

If you do not delete family ethernet-switching before committing, the commit fails with the following error, because family ethernet-switching cannot be combined with any other family on the same logical interface:
EX4300-6_7-VC# commit 
[edit interfaces ge-0/0/4 unit 0 family]
  'ethernet-switching'
    Family ethernet-switching and rest of the families are mutually exclusive
error: commit failed: (statements constraint check failed)

#### Configuring INET6 (Layer 3 IPv6) Addresses

IPv6 addresses are configured using the INET6 protocol family.  Other than the different protocol family, the process is the same as configuring INET/IPv4 addresses:
EX4300-6_7-VC# delete interfaces ge-0/0/4.0 
EX4300-6_7-VC# set interfaces ge-0/0/4.0 family inet6 address 2001:470:1f11:51f::3:2 

EX4300-6_7-VC# run show interfaces ge-0/0/4.0 detail 
Logical interface ge-0/0/4.0 (Index 578) (SNMP ifIndex 604) (HW Token 4092) (Generation 221)
    Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
…
    Protocol inet6, MTU: 1500, Generation: 239, Route table: 0
      Flags: Is-Primary
      Addresses, Flags: Is-Default Is-Primary
        Destination: Unspecified, Local: 2001:470:1f11:51f::3:2
        INET6 Address Flags: Tentative
    Generation: 148
      Addresses, Flags: Is-Preferred
        Destination: fe80::/64, Local: fe80::4e96:14ff:fee4:6607
        INET6 Address Flags: Tentative
    Generation: 150
 
#### Configuring IRB Interfaces

EX4300-6_7-VC# set interfaces irb.200 family inet address 10.10.4.2/31 
 
Unless the IRB interface is associated with a VLAN and that VLAN has an operational member interface, it will show as down. To associate the IRB with a VLAN, use the l3-interface keyword (note that is L3, not thirteen).
EX4300-6_7-VC# set interfaces irb.200 family inet address 10.10.4.2/31 
EX4300-6_7-VC# set vlans V200 l3-interface irb.200 
EX4300-6_7-VC# commit
EX4300-6_7-VC# show vlans V200 | display set 
set vlans V200 vlan-id 200
set vlans V200 l3-interface irb.200

EX4300-6_7-VC# run show interfaces irb.200 terse 
Interface               Admin Link Proto    Local                 Remote
irb.200                 up    down inet     10.10.4.2/31    

EX4300-6_7-VC# set interfaces xe-0/2/1.0 family ethernet-switching interface-mode trunk vlan members V200 
EX4300-6_7-VC# commit 
EX4300-6_7-VC# run show interfaces irb.200 terse 
Interface               Admin Link Proto    Local                 Remote
irb.200                 up    up   inet     10.10.4.2/31    

#### Configuring Aggregated Ethernet Interfaces

The first step in configuring aggregated interfaces is to tell the chassis how many ae interfaces you plan to configure. This command is under the chassis hierarchy:
EX4300-6_7-VC# set chassis aggregated-devices ethernet device-count 2 

EX4300-6_7-VC# set interfaces ge-0/0/5 ether-options 802.3ad ae0 
EX4300-6_7-VC# set interfaces ge-0/0/6 ether-options 802.3ad ae0    
EX4300-6_7-VC# commit 
EX4300-6_7-VC# show interfaces ge-0/0/5 
ether-options {
    802.3ad ae0;
}

EX4300-6_7-VC# show interfaces ge-0/0/6    
ether-options {
    802.3ad ae0;
}

EX4300-6_7-VC# set interfaces ae0.0 family inet address 10.20.30.1/30 
EX4300-6_7-VC# run show interfaces terse | match ae 
ge-0/0/5.0              up    down aenet    --> ae0.0
ge-0/0/6.0              up    down aenet    --> ae0.0
ae0                     up    down
ae0.0                   up    down inet     10.20.30.1/30   
ae1                     up    down


#### Configuring VRRP

EX2300-8_9-VC# show vlans 
V200 {
    vlan-id 200;
    l3-interface irb.200;
}

EX2300-8_9-VC# show interfaces irb.200 
family inet {
    address 10.200.0.254/24;
}

QFX5100-2_3-VC# show vlans V200       
vlan-id 200;
l3-interface irb.200;

QFX5100-2_3-VC# show interfaces irb.200 
family inet {
    address 10.200.0.2/24;
}
QFX5100-2_3-VC# show interfaces ge-0/0/4    
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members V200;
        }
    }
}

QFX5100-2_3-VC# run ping 10.200.0.254 count 5 rapid 
PING 10.200.0.254 (10.200.0.254): 56 data bytes
!!!!!
--- 10.200.0.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.156/15.771/32.989/8.705 ms

EX4600-4_5-VC# show interfaces ge-1/0/4 
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members V200;
        }
    }
}

EX4600-4_5-VC# show vlans V200 
vlan-id 200;
l3-interface irb.200;

EX4600-4_5-VC# show interfaces irb.200 
family inet {
    address 10.200.0.3/24;
}

EX4600-4_5-VC# run ping 10.200.0.254 count 5 rapid 
PING 10.200.0.254 (10.200.0.254): 56 data bytes
!!!!!
--- 10.200.0.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.881/11.654/14.427/1.387 ms

EX4600-4_5-VC# set interfaces irb.200 family inet address 10.200.0.3/24 vrrp-group 200 virtual-address 10.200.0.1 authentication-type md5

EX4600-4_5-VC# set interfaces irb.200 family inet address 10.200.0.3/24 vrrp-group 200 virtual-address 10.200.0.1 authentication-key Juniper123 

EX4600-4_5-VC# set interfaces irb.200 family inet address 10.200.0.3/24 vrrp-group 200 virtual-address 10.200.0.1 priority 200

QFX5100-2_3-VC# set interfaces irb.200 family inet address 10.200.0.2/24 vrrp-group 200 virtual-address 10.200.0.1 authentication-type md5 authentication-key Juniper123

QFX5100-2_3-VC# set interfaces irb.200 family inet address 10.200.0.2/24 vrrp-group 200 priority 100 preempt

QFX5100-2_3-VC# set interfaces irb.200 family inet address 10.200.0.2/24 vrrp-group 200 accept-data

EX4600-4_5-VC# set interfaces irb.200 family inet address 10.200.0.3/24 vrrp-group 200 accept-data

Once this is committed it’s back to our access device to see if we can ping the VIP:
EX2300-8_9-VC> ping 10.200.0.1 
PING 10.200.0.1 (10.200.0.1): 56 data bytes
64 bytes from 10.200.0.1: icmp_seq=0 ttl=64 time=11.999 ms
64 bytes from 10.200.0.1: icmp_seq=1 ttl=64 time=9.708 ms
^C
--- 10.200.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 9.708/10.854/11.999/1.145 ms

QFX5100-2_3-VC# run show vrrp 
Interface     State       Group   VR state VR Mode   Timer    Type   Address
irb.200       up            200   backup   Active      D  3.349 lcl    10.200.0.2     
                                                                vip    10.200.0.1     
                                                                mas    10.200.0.3 

QFX5100-2_3-VC# set interfaces irb unit 200 family inet address 10.200.0.2/24 vrrp-group 200 priority 254
QFX5100-2_3-VC# run show vrrp 
Interface     State       Group   VR state VR Mode   Timer    Type   Address
irb.200       up            200   master   Active      A  0.722 lcl    10.200.0.2     
                                                                vip    10.200.0.1 

EX4600-4_5-VC# run show vrrp 
Interface     State       Group   VR state VR Mode   Timer    Type   Address
irb.200       up            200   backup   Active      D  2.884 lcl    10.200.0.3     
                                                                vip    10.200.0.1     
                                                                mas    10.200.0.2 

Using the detail keyword on show vrrp provides a lot of feedback. As you can see from the following output, the QFX5100 is the active master and authentication is in use between the two devices:
QFX5100-2_3-VC# run show vrrp detail 
Physical interface: irb, Unit: 200, Address: 10.200.0.2/24
  Index: 550, SNMP ifIndex: 538, VRRP-Traps: enabled, VRRP-Version: 2
  Interface state: up, Group: 200, State: master, VRRP Mode: Active
  Priority: 254, Advertisement interval: 1, Authentication type: md5
  Advertisement threshold: 3, Computed send rate: 0
  Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 10.200.0.1         
  Advertisement Timer: 0.343s, Master router: 10.200.0.2
  Virtual router uptime: 00:18:03, Master router uptime: 00:04:42
  Virtual Mac: 00:00:5e:00:01:c8 
  Tracking: disabled 
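Because the detail output lists the authentication type, priority and state of every group on one line each, it is a good source for an automated check that no VRRP group has been left without authentication, which would let any host on the VLAN send advertisements for the virtual address. As an added example (not code from the book), the following Python script parses show vrrp detail blocks into dictionaries, reports the groups this router is master for, and flags every group whose Authentication type is none. The first block in the sample is the output above; the second block (irb.300, group 300, no authentication) is constructed for this example so the check has something to flag.

```python
from typing import Dict, List

# Added example, not from the book. The first block is the "show vrrp detail"
# output above; the second block is constructed (an assumption of this example)
# to show a group with no authentication.
SAMPLE_VRRP_DETAIL = """\
Physical interface: irb, Unit: 200, Address: 10.200.0.2/24
  Index: 550, SNMP ifIndex: 538, VRRP-Traps: enabled, VRRP-Version: 2
  Interface state: up, Group: 200, State: master, VRRP Mode: Active
  Priority: 254, Advertisement interval: 1, Authentication type: md5
  Advertisement threshold: 3, Computed send rate: 0
  Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 10.200.0.1
  Advertisement Timer: 0.343s, Master router: 10.200.0.2
  Virtual router uptime: 00:18:03, Master router uptime: 00:04:42
  Virtual Mac: 00:00:5e:00:01:c8
  Tracking: disabled

Physical interface: irb, Unit: 300, Address: 10.30.0.2/24
  Index: 551, SNMP ifIndex: 539, VRRP-Traps: enabled, VRRP-Version: 2
  Interface state: up, Group: 300, State: backup, VRRP Mode: Active
  Priority: 100, Advertisement interval: 1, Authentication type: none
  Advertisement threshold: 3, Computed send rate: 0
  Preempt: yes, Accept-data mode: no, VIP count: 1, VIP: 10.30.0.1
  Advertisement Timer: 2.100s, Master router: 10.30.0.3
  Virtual router uptime: 00:05:00, Master router uptime: 00:05:00
  Virtual Mac: 00:00:5e:00:01:2c
  Tracking: disabled
"""


def parse_vrrp_detail(text: str) -> List[Dict[str, str]]:
    """One dict per group; every 'Key: value' field on every line becomes an entry."""
    groups: List[Dict[str, str]] = []
    cur = None
    for line in text.splitlines():
        if line.startswith("Physical interface:"):  # a new group block begins
            cur = {}
            groups.append(cur)
        if cur is None or not line.strip():
            continue
        for field in line.split(","):
            if ":" in field:
                key, value = field.split(":", 1)  # split once: MACs and uptimes contain ':'
                cur[key.strip()] = value.strip()
    return groups


def masters(groups: List[Dict[str, str]]) -> List[str]:
    """Group numbers for which this router is currently master."""
    return [g["Group"] for g in groups if g.get("State") == "master"]


def audit_vrrp(groups: List[Dict[str, str]]) -> List[str]:
    """Flag groups that would accept unauthenticated VRRP advertisements."""
    findings = []
    for g in groups:
        name = f"{g.get('Physical interface')}.{g.get('Unit')} group {g.get('Group')}"
        if g.get("Authentication type", "none").lower() == "none":
            findings.append(f"{name}: no VRRP authentication configured")
    return findings


if __name__ == "__main__":
    parsed = parse_vrrp_detail(SAMPLE_VRRP_DETAIL)
    print("master for groups:", masters(parsed))
    for finding in audit_vrrp(parsed):
        print("WARNING:", finding)
```

The same parser also exposes Advertisement interval and Priority, so it can be extended to confirm that both peers carry the fast-interval and priority values you intended after the change described later in this section.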

Now let’s fail our interface ge-0/0/4 on the QFX5100 VC and see if we can still ping our gateway. Let’s start a ping from the access to see how many packets are lost during the failover:
EX2300-8_9-VC> ping 10.200.0.1 
PING 10.200.0.1 (10.200.0.1): 56 data bytes
64 bytes from 10.200.0.1: icmp_seq=0 ttl=64 time=10.326 ms
64 bytes from 10.200.0.1: icmp_seq=1 ttl=64 time=10.210 ms
64 bytes from 10.200.0.1: icmp_seq=2 ttl=64 time=14.352 ms
64 bytes from 10.200.0.1: icmp_seq=20 ttl=64 time=41.638 ms
64 bytes from 10.200.0.1: icmp_seq=21 ttl=64 time=11.830 ms

EX4600-4_5-VC# set interfaces irb.200 family inet address 10.200.0.3/24 vrrp-group 200 fast-interval 100

QFX5100-2_3-VC# set interfaces irb.200 family inet address 10.200.0.2/24 vrrp-group 200 fast-interval 100

QFX5100-2_3-VC# run show vrrp    
Interface     State       Group   VR state VR Mode   Timer    Type   Address
irb.200       up            200   master   Active      A  0.004 lcl    10.200.0.2     
                                                                vip    10.200.0.1     
QFX5100-2_3-VC# run show vrrp detail 
Physical interface: irb, Unit: 200, Address: 10.200.0.2/24
  Index: 550, SNMP ifIndex: 538, VRRP-Traps: enabled, VRRP-Version: 2
  Interface state: up, Group: 200, State: master, VRRP Mode: Active
  Priority: 254, Advertisement interval: .100, Authentication type: md5
  Advertisement threshold: 3, Computed send rate: 10
  Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 10.200.0.1         
  Advertisement Timer: 0.010s, Master router: 10.200.0.2
  Virtual router uptime: 00:02:40, Master router uptime: 00:02:36
  Virtual Mac: 00:00:5e:00:01:c8 
  Tracking: disabled 

Now re-run the same failover test done previously to see if there is any improvement:
EX2300-8_9-VC> ping 10.200.0.1    
PING 10.200.0.1 (10.200.0.1): 56 data bytes
64 bytes from 10.200.0.1: icmp_seq=0 ttl=64 time=10.686 ms
64 bytes from 10.200.0.1: icmp_seq=1 ttl=64 time=5.831 ms
64 bytes from 10.200.0.1: icmp_seq=2 ttl=64 time=66.205 ms
64 bytes from 10.200.0.1: icmp_seq=3 ttl=64 time=10.295 ms
64 bytes from 10.200.0.1: icmp_seq=4 ttl=64 time=15.327 ms
64 bytes from 10.200.0.1: icmp_seq=5 ttl=64 time=31.729 ms
64 bytes from 10.200.0.1: icmp_seq=6 ttl=64 time=15.994 ms
64 bytes from 10.200.0.1: icmp_seq=7 ttl=64 time=13.904 ms
64 bytes from 10.200.0.1: icmp_seq=14 ttl=64 time=43.363 ms
	

#### Configuring Energy Efficient Ethernet Interfaces

EX2300-8_9-VC# set interfaces ge-0/0/4 ether-options ieee-802-3az-eee 

EX2300-8_9-VC# run show interfaces ge-0/0/4 

#### Configuring Power Over Ethernet (POE) Interfaces


By default, Junos has all interfaces configured out of the box for PoE.
EX2300-C# show poe
interface all;

We can remove PoE from all ports very easily by deleting the poe stanza and then enabling PoE only on the specific interfaces that require it.
EX2300-C# show poe
interface all;

EX2300-C# delete poe

EX2300-C# set poe interface ge-0/0/9

EX2300-C# set poe interface ge-0/0/2

EX2300-C# set poe interface ge-0/0/4

EX2300-C# set poe interface ge-0/0/6

EX2300-C# set poe interface ge-0/0/10

EX2300-C# set poe interface ge-0/0/11

EX2300-C# commit
configuration check succeeds


We can now verify which PoE interfaces are enabled, along with the maximum wattage per interface, the priority, and the actual power consumption.

EX2300-C> show poe interface
Interface    Admin       Oper    Max        Priority       Power          Class
             status      status  power                     consumption
 ge-0/0/0    Disabled    Disabled 0.0W      Low            0.0W           not-applicable
 ge-0/0/1    Disabled    Disabled 0.0W      Low            0.0W           not-applicable
 ge-0/0/2    Enabled      ON     15.4W      Low            2.6W            3
 ge-0/0/3    Disabled    Disabled 0.0W      Low            0.0W           not-applicable
 ge-0/0/4    Enabled      ON     15.4W      Low            2.4W            3
 ge-0/0/5    Disabled    Disabled 0.0W      Low            0.0W           not-applicable
 ge-0/0/6    Enabled      ON     15.4W      Low            2.8W            3
 ge-0/0/7    Disabled    Disabled 0.0W      Low            0.0W           not-applicable
 ge-0/0/8    Disabled    Disabled 0.0W      Low            0.0W           not-applicable
 ge-0/0/9    Enabled      ON     15.4W      Low            4.0W            0
ge-0/0/10    Enabled      ON     15.4W      Low            3.6W            0
ge-0/0/11    Enabled      ON     15.4W      Low            4.2W            0

We can also check the total amount of power being used across all PoE ports by issuing the command “show poe controller”:

EX2300-C> show poe controller
Controller  Maximum   Power         Guard    Management   Status        Lldp
index       power     consumption   band                                Priority
   0        125W      20.60W          0W     Class        AT_MODE       Disabled
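Deleting the poe stanza and enabling only the ports that need power is a least-privilege approach, and it is worth re-checking after every change that the set of powered ports still matches what was intended. As an added example (not code from the book), the following Python script parses the set poe interface commands and the show poe interface table above, reports any port that is powered but not on the intended list (or intended but not enabled), and totals the per-port consumption so it can be compared against the controller figure. Both inputs are copied from the transcripts above; the second check in the usage note drops ge-0/0/11 from the intended list to show a mismatch being reported.

```python
import re
from typing import Dict, List, Set

# Added example, not from the book. Both samples are copied from the
# EX2300-C transcripts above.
INTENDED_POE_CONFIG = """\
set poe interface ge-0/0/9
set poe interface ge-0/0/2
set poe interface ge-0/0/4
set poe interface ge-0/0/6
set poe interface ge-0/0/10
set poe interface ge-0/0/11
"""

SHOW_POE_INTERFACE = """\
Interface    Admin       Oper    Max        Priority       Power          Class
             status      status  power                     consumption
 ge-0/0/0    Disabled    Disabled 0.0W      Low            0.0W           not-applicable
 ge-0/0/1    Disabled    Disabled 0.0W      Low            0.0W           not-applicable
 ge-0/0/2    Enabled      ON     15.4W      Low            2.6W            3
 ge-0/0/3    Disabled    Disabled 0.0W      Low            0.0W           not-applicable
 ge-0/0/4    Enabled      ON     15.4W      Low            2.4W            3
 ge-0/0/5    Disabled    Disabled 0.0W      Low            0.0W           not-applicable
 ge-0/0/6    Enabled      ON     15.4W      Low            2.8W            3
 ge-0/0/7    Disabled    Disabled 0.0W      Low            0.0W           not-applicable
 ge-0/0/8    Disabled    Disabled 0.0W      Low            0.0W           not-applicable
 ge-0/0/9    Enabled      ON     15.4W      Low            4.0W            0
ge-0/0/10    Enabled      ON     15.4W      Low            3.6W            0
ge-0/0/11    Enabled      ON     15.4W      Low            4.2W            0
"""

IFACE_RE = re.compile(r"^[a-z]+-\d+/\d+/\d+$")  # ge-0/0/2, xe-0/2/1, ...


def parse_intended(cfg: str) -> Set[str]:
    """Interfaces named in 'set poe interface <name>' commands."""
    return {m.group(1) for m in re.finditer(r"set poe interface (\S+)", cfg)}


def parse_show_poe_interface(text: str) -> Dict[str, Dict[str, object]]:
    """Rows of 'show poe interface' keyed by interface name."""
    rows: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        parts = line.split()
        # data rows have exactly 7 columns and start with an interface name;
        # the two header lines are skipped by these tests
        if len(parts) != 7 or not IFACE_RE.match(parts[0]):
            continue
        iface, admin, oper, max_power, priority, used, cls = parts
        rows[iface] = {
            "admin": admin,
            "oper": oper,
            "max_w": float(max_power.rstrip("W")),
            "priority": priority,
            "used_w": float(used.rstrip("W")),
            "class": cls,
        }
    return rows


def audit_poe(intended: Set[str], rows: Dict[str, Dict[str, object]]) -> List[str]:
    """Report every difference between the intended and the enabled port set."""
    enabled = {iface for iface, r in rows.items() if r["admin"] == "Enabled"}
    findings = [f"{i}: PoE enabled but not in the intended list" for i in sorted(enabled - intended)]
    findings += [f"{i}: intended for PoE but not enabled" for i in sorted(intended - enabled)]
    return findings


def total_consumption_w(rows: Dict[str, Dict[str, object]]) -> float:
    """Sum of per-port consumption; compare with 'show poe controller'."""
    return round(sum(float(r["used_w"]) for r in rows.values()), 2)


if __name__ == "__main__":
    rows = parse_show_poe_interface(SHOW_POE_INTERFACE)
    print("findings:", audit_poe(parse_intended(INTENDED_POE_CONFIG), rows))
    print("port total:", total_consumption_w(rows), "W")
```

With the inputs above the audit returns no findings and the per-port total is 19.6 W, slightly under the 20.60 W the controller reports, which is the expected direction since the controller figure includes its own overhead; removing ge-0/0/11 from the intended set makes the script report that port as powered but unintended.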


#### Chapter 7

#### Configuring EX Series Datacenter Technology

#### Configuring Multi-Chassis Link Aggregation

EX9204-AD1
ICCP Link - Explicit configuration. In JFE you can explicitly configure ICCP or have it automatically created using auto-iccp.  First is the explicit configuration option followed by an auto-iccp option:
set interfaces xe-2/0/4 description "ICCP Layer 3"
set interfaces xe-2/0/4 vlan-tagging
set interfaces xe-2/0/4 unit 0 vlan-id 400
set interfaces xe-2/0/4 unit 0 family inet address 192.168.10.1/30

ICL Link:
set interfaces xe-2/0/5 description "ICL Layer 2 link"
set interfaces xe-2/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-2/0/5 unit 0 family ethernet-switching vlan members all

Loopback and Routing:
set interfaces lo0 unit 0 family inet address 192.168.10.11/32
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface xe-2/0/4.0

Explicit ICCP Configuration:
set protocols iccp local-ip-addr 192.168.10.11
set protocols iccp peer 192.168.10.12 session-establishment-hold-time 50
set protocols iccp peer 192.168.10.12 redundancy-group-id-list 2
set protocols iccp peer 192.168.10.12 backup-liveness-detection backup-peer-ip 10.19.11.44
set protocols iccp peer 192.168.10.12 liveness-detection minimum-interval 2000
set protocols iccp peer 192.168.10.12 liveness-detection multiplier 4

EX9208-AD2
ICCP Link:
set interfaces xe-3/0/3 description "ICCP Layer3 link"
set interfaces xe-3/0/3 vlan-tagging
set interfaces xe-3/0/3 unit 0 vlan-id 4000
set interfaces xe-3/0/3 unit 0 family inet address 192.168.10.2/30

ICL Link:
set interfaces xe-3/0/4 description "ICL Layer 2 Link"
set interfaces xe-3/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-3/0/4 unit 0 family ethernet-switching vlan members all

Loopback and Routing:
set interfaces lo0.0 family inet address 192.168.10.12/32
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface xe-3/0/3.0

Explicit ICCP Configuration:
set protocols iccp local-ip-addr 192.168.10.12
set protocols iccp peer 192.168.10.11 session-establishment-hold-time 50
set protocols iccp peer 192.168.10.11 redundancy-group-id-list 2
set protocols iccp peer 192.168.10.11 backup-liveness-detection backup-peer-ip 10.19.11.36
set protocols iccp peer 192.168.10.11 liveness-detection minimum-interval 2000
set protocols iccp peer 192.168.10.11 liveness-detection multiplier 4
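As an added check, not code from the book or from Juniper, the Python below parses the two explicit ICCP stanzas above (reproduced as constructed set-style strings) and confirms before commit that they are mirror images: each AD's peer is the other's local-ip-addr, the local-ip-addr is an address the chassis owns, the ICCP link addresses share a subnet, and the hold-time, redundancy-group and liveness parameters agree. The function and key names are my own.

```python
import ipaddress

# Constructed input: the ICCP-relevant lines of the AD1 and AD2 stanzas above, in "set" form.
AD1_CONFIG = """
set interfaces xe-2/0/4 unit 0 family inet address 192.168.10.1/30
set interfaces lo0 unit 0 family inet address 192.168.10.11/32
set protocols iccp local-ip-addr 192.168.10.11
set protocols iccp peer 192.168.10.12 session-establishment-hold-time 50
set protocols iccp peer 192.168.10.12 redundancy-group-id-list 2
set protocols iccp peer 192.168.10.12 backup-liveness-detection backup-peer-ip 10.19.11.44
set protocols iccp peer 192.168.10.12 liveness-detection minimum-interval 2000
set protocols iccp peer 192.168.10.12 liveness-detection multiplier 4
"""

AD2_CONFIG = """
set interfaces xe-3/0/3 unit 0 family inet address 192.168.10.2/30
set interfaces lo0.0 family inet address 192.168.10.12/32
set protocols iccp local-ip-addr 192.168.10.12
set protocols iccp peer 192.168.10.11 session-establishment-hold-time 50
set protocols iccp peer 192.168.10.11 redundancy-group-id-list 2
set protocols iccp peer 192.168.10.11 backup-liveness-detection backup-peer-ip 10.19.11.36
set protocols iccp peer 192.168.10.11 liveness-detection minimum-interval 2000
set protocols iccp peer 192.168.10.11 liveness-detection multiplier 4
"""

# Parameters that must be identical on both ends of the ICCP session.
SYMMETRIC_KEYS = (
    "session-establishment-hold-time",
    "redundancy-group-id-list",
    "liveness-detection minimum-interval",
    "liveness-detection multiplier",
)


def parse_iccp(config: str) -> dict:
    """Extract local-ip-addr, per-peer ICCP parameters and all inet addresses from set-style config."""
    info = {"local": None, "peers": {}, "addresses": []}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "set":
            continue
        if parts[1:4] == ["protocols", "iccp", "local-ip-addr"]:
            info["local"] = parts[4]
        elif parts[1:4] == ["protocols", "iccp", "peer"]:
            # "set protocols iccp peer <ip> <parameter path...> <value>"
            key = " ".join(parts[5:-1])
            info["peers"].setdefault(parts[4], {})[key] = parts[-1]
        elif parts[1] == "interfaces" and "address" in parts:
            # works for both the "unit 0 family inet address" and "lo0.0 family inet address" forms
            info["addresses"].append(ipaddress.ip_interface(parts[parts.index("address") + 1]))
    return info


def check_iccp_pair(cfg_a: str, cfg_b: str) -> list:
    """Compare the two stanzas; returns a list of problems (an empty list means they are consistent)."""
    a, b = parse_iccp(cfg_a), parse_iccp(cfg_b)
    problems = []
    for name, me, other in (("AD1", a, b), ("AD2", b, a)):
        if me["local"] is None:
            problems.append(f"{name}: no local-ip-addr configured")
            continue
        # local-ip-addr should be an address this chassis actually owns (the loopback here)
        if not any(str(addr.ip) == me["local"] for addr in me["addresses"]):
            problems.append(f"{name}: local-ip-addr {me['local']} is not configured on any interface")
        # the only peer must be the other side's local-ip-addr
        if list(me["peers"]) != [other["local"]]:
            problems.append(f"{name}: peers {list(me['peers'])} do not match the other AD's local-ip-addr {other['local']}")
    if problems:
        return problems
    pa, pb = a["peers"][b["local"]], b["peers"][a["local"]]
    for key in SYMMETRIC_KEYS:
        if pa.get(key) != pb.get(key):
            problems.append(f"{key} differs: AD1={pa.get(key)} AD2={pb.get(key)}")
    # backup liveness gives each AD a second way to tell a dead peer from a dead ICCP link
    for name, p in (("AD1", pa), ("AD2", pb)):
        if "backup-liveness-detection backup-peer-ip" not in p:
            problems.append(f"{name}: no backup-liveness-detection backup-peer-ip")
    # the point-to-point ICCP link addresses (anything shorter than /32) must share a subnet
    link_a = {x.network for x in a["addresses"] if x.network.prefixlen < 32}
    link_b = {x.network for x in b["addresses"] if x.network.prefixlen < 32}
    if not link_a & link_b:
        problems.append("ICCP link interfaces are not in a common subnet")
    return problems


if __name__ == "__main__":
    print("AD1/AD2 explicit ICCP:", check_iccp_pair(AD1_CONFIG, AD2_CONFIG) or "consistent")
    broken = AD2_CONFIG.replace("multiplier 4", "multiplier 3")
    print("With a mismatched multiplier:", check_iccp_pair(AD1_CONFIG, broken))
```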

Verify ICCP is up between the two EX9200s:
EX9204-01-RE0# run show iccp    
Redundancy Group Information for peer 192.168.10.12
  TCP Connection       : Established
  Liveliness Detection : Up
Backup liveness peer status: Up
  Redundancy Group ID          Status
    2                           Up   
Client Application: mclag_cfgchkd
  Redundancy Group IDs Joined: 0 2 
Client Application: l2ald_iccpd_client
  Redundancy Group IDs Joined: None
  
EX9208-01-RE0# run show iccp 
Redundancy Group Information for peer 192.168.10.11
  TCP Connection       : Established
  Liveliness Detection : Up
Backup liveness peer status: Up
  Redundancy Group ID          Status
    2                           Up   
Client Application: mclag_cfgchkd
  Redundancy Group IDs Joined: 0 2 
Client Application: l2ald_iccpd_client
  Redundancy Group IDs Joined: None
  
Configure Fusion on the ADs
AD1:
set chassis satellite-management redundancy-groups chassis-id 1
set chassis satellite-management redundancy-groups rg2 redundancy-group-id 2
set chassis satellite-management redundancy-groups rg2 peer-chassis-id 2 inter-chassis-link xe-2/0/5

AD2:
set chassis satellite-management redundancy-groups chassis-id 2
set chassis satellite-management redundancy-groups rg2 redundancy-group-id 2
set chassis satellite-management redundancy-groups rg2 peer-chassis-id 1 inter-chassis-link xe-3/0/4

Verify Fusion is enabled on the AD’S:
EX9204-01-RE0# run show chassis satellite redundancy-group 
            Cluster              Peer          Peer               Local         Device
Name        State                Chassis ID    Chassis SN         Chassis ID    Count
rg2         Online               2             44:f4:77:04:a7:c0  1             0/0/0 

EX9208-01-RE0# run show chassis satellite redundancy-group 
            Cluster              Peer          Peer               Local         Device
Name        State                Chassis ID    Chassis SN         Chassis ID    Count
rg2         Online               1             44:f4:77:05:ef:c0  2             0/0/0  


Configuring Junos Fusion using Auto ICCP mode allows administrators to deploy Fusion in just a few commands. First, roll back so that we start from a fresh configuration with no ICCP or Fusion:

EX9204-01-RE0# run show iccp 
Client Application: mclag_cfgchkd
  Redundancy Group IDs Joined: 0 2 
Client Application: l2ald_iccpd_client
  Redundancy Group IDs Joined: None
  
EX9208-01-RE0# run show iccp 
Client Application: mclag_cfgchkd
  Redundancy Group IDs Joined: 0 2 
Client Application: l2ald_iccpd_client
  Redundancy Group IDs Joined: None

Configure the ICL on EX9204-AD1:
set interfaces xe-2/0/5 description "ICL Layer 2 Link"
set interfaces xe-2/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-2/0/5 unit 0 family ethernet-switching vlan members all

Configure the ICL on EX9208-AD2:
set interfaces xe-3/0/4 description "ICL Layer 2 Link"
set interfaces xe-3/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-3/0/4 unit 0 family ethernet-switching vlan members all

Enable Fusion on the ADs
AD1:
set chassis satellite-management redundancy-groups chassis-id 1
set chassis satellite-management redundancy-groups rg2 redundancy-group-id 2
set chassis satellite-management redundancy-groups rg2 peer-chassis-id 2 inter-chassis-link xe-2/0/5

AD2:
set chassis satellite-management redundancy-groups chassis-id 2
set chassis satellite-management redundancy-groups rg2 redundancy-group-id 2
set chassis satellite-management redundancy-groups rg2 peer-chassis-id 1 inter-chassis-link xe-3/0/4

Verify ICCP is up between the ADs:
AD1:
EX9204-01-RE0> show iccp 
Redundancy Group Information for peer 10.0.0.2
  TCP Connection       : Established
  Liveliness Detection : Up
  Redundancy Group ID          Status
    2                           Up   
Client Application: mclag_cfgchkd
  Redundancy Group IDs Joined: 0 2 
Client Application: l2ald_iccpd_client
  Redundancy Group IDs Joined: None
  
AD2: 
EX9208-01-RE0> show iccp 
Redundancy Group Information for peer 10.0.0.1
  TCP Connection       : Established
  Liveliness Detection : Up
  Redundancy Group ID          Status
    2                           Up   
Client Application: mclag_cfgchkd
  Redundancy Group IDs Joined: 0 2 
Client Application: l2ald_iccpd_client
  Redundancy Group IDs Joined: None
  
Verify Fusion is enabled on both ADs:
AD1:
EX9204-01-RE0> show chassis satellite redundancy-group 
            Cluster              Peer          Peer               Local         Device
Name        State                Chassis ID    Chassis SN         Chassis ID    Count
rg2         Online               2             44:f4:77:04:a7:c0  1             0/0/0     

AD2:
EX9208-01-RE0> show chassis satellite redundancy-group 
            Cluster              Peer          Peer               Local         Device
Name        State                Chassis ID    Chassis SN         Chassis ID    Count
rg2         Online               1             44:f4:77:05:ef:c0  2             0/0/0         

With Auto ICCP, Fusion can be enabled in just three commands per AD (the chassis-id, redundancy-group-id and peer-chassis-id statements above); the ICCP session itself is created automatically, which is why show iccp now reports the peers 10.0.0.1 and 10.0.0.2 that were never configured by hand.

Convert a VC to a Junos Fusion Satellite Device Cluster
Obtain the MAC addresses of the VC members:
EX4300-48T-09> show chassis mac-addresses 
    FPC 0   MAC address information:
      Public base address     80:ac:ac:6a:3f:a0
      Public count            96 
    FPC 1   MAC address information:
      Public base address     80:ac:ac:6a:18:40
      Public count            96 
    FPC 2   MAC address information:
      Public base address     80:ac:ac:6a:15:a0
      Public count            96 
	  
Remove the devices from the VC by deleting the VC ports from each member. This must be done from the console of each VC member:
> request virtual-chassis vc-port delete pic-slot n port n 

Configure SD cluster on the ADs:
AD1:
set interfaces xe-2/0/7 cascade-port 
set chassis satellite-management cluster Closet2 cluster-id 12
set chassis satellite-management cluster Closet2 cascade-ports xe-2/0/7
set chassis satellite-management cluster Closet2 fpc 140 member-id 0
set chassis satellite-management cluster Closet2 fpc 140 system-id 80:ac:ac:6a:3f:a0
set chassis satellite-management cluster Closet2 fpc 141 member-id 1
set chassis satellite-management cluster Closet2 fpc 141 system-id 80:ac:ac:6a:18:40
set chassis satellite-management cluster Closet2 fpc 142 member-id 2
set chassis satellite-management cluster Closet2 fpc 142 system-id 80:ac:ac:6a:15:a0
set chassis satellite-management redundancy-groups rg2 cluster Closet2
set chassis satellite-management auto-satellite-conversion satellite 140
set chassis satellite-management auto-satellite-conversion satellite 141
set chassis satellite-management auto-satellite-conversion satellite 142

AD2: 
set interfaces xe-3/0/5 cascade-port
set chassis satellite-management cluster Closet2 cluster-id 12
set chassis satellite-management cluster Closet2 cascade-ports xe-3/0/5
set chassis satellite-management cluster Closet2 fpc 140 member-id 0
set chassis satellite-management cluster Closet2 fpc 140 system-id 80:ac:ac:6a:3f:a0
set chassis satellite-management cluster Closet2 fpc 141 member-id 1
set chassis satellite-management cluster Closet2 fpc 141 system-id 80:ac:ac:6a:18:40
set chassis satellite-management cluster Closet2 fpc 142 member-id 2
set chassis satellite-management cluster Closet2 fpc 142 system-id 80:ac:ac:6a:15:a0
set chassis satellite-management redundancy-groups chassis-id 2
set chassis satellite-management redundancy-groups rg2 redundancy-group-id 2
set chassis satellite-management redundancy-groups rg2 peer-chassis-id 1 inter-chassis-link xe-3/0/4
set chassis satellite-management redundancy-groups rg2 cluster Closet2
set chassis satellite-management auto-satellite-conversion satellite 140
set chassis satellite-management auto-satellite-conversion satellite 141
set chassis satellite-management auto-satellite-conversion satellite 142

Add the SNOS image for the SD Cluster on both ADs:
> request system software add /var/tmp/satellite-2.0R1.1-signed.tgz upgrade-group Closet2

From the console of each access switch, zeroize the devices:
> request system zeroize
NOTE: This process takes 15-30 minutes to complete.

Check the status of the SD cluster on the ADs:
EX9204-01-RE0> show chassis satellite cluster Closet2 
                        Device          Cascade      Port       Extended Ports
Alias            Slot   State           Ports        State      Total/Up
_sd140           140    Online          xe-142/2/3   present    51/3           
                                        xe-141/2/1   present    
                                        xe-2/0/5*    backup     
_sd141           141    Online          xe-142/2/1   present    51/6           
                                        xe-140/2/2   present    
                                        xe-2/0/7     online     
                                        xe-2/0/5*    backup     
_sd142           142    Online          xe-141/2/2   present    50/4           
                                        xe-140/2/3   present    
                                        xe-2/0/5*    backup     
										
EX9208-01-RE0> show chassis satellite cluster Closet2 
                        Device          Cascade      Port       Extended Ports
Alias            Slot   State           Ports        State      Total/Up
_sd140           140    Online          xe-142/2/3   present    51/3           
                                        xe-141/2/1   present    
                                        xe-3/0/5     online     
                                        xe-3/0/4*    backup     
_sd141           141    Online          xe-142/2/1   present    51/6           
                                        xe-140/2/2   present    
                                        xe-3/0/4*    backup     
_sd142           142    Online          xe-140/2/3   present    50/4           
                                        xe-141/2/2   present    
                                        xe-3/0/4*    backup     
							
Junos Fusion Enterprise Monitoring Commands:

EX9204-01-RE0> show iccp 
Redundancy Group Information for peer 10.0.0.2
  TCP Connection       : Established
  Liveliness Detection : Up
  Redundancy Group ID          Status
    2                           Up   
Client Application: mclag_cfgchkd
  Redundancy Group IDs Joined: 0 2 
Client Application: l2ald_iccpd_client
  Redundancy Group IDs Joined: None
  
EX9204-01-RE0> show chassis satellite   
                        Device          Cascade      Port       Extended Ports
Alias            Slot   State           Ports        State      Total/Up
_sd130           130    Online          xe-131/2/2   present    51/3           
                                        xe-2/0/5*    backup     
_sd131           131    Online          xe-130/2/1   present    51/2           
                                        xe-2/0/6     online     
                                        xe-2/0/5*    backup     
_sd140           140    Online          xe-142/2/3   present    51/3           
                                        xe-141/2/1   present    
                                        xe-2/0/5*    backup     
_sd141           141    Online          xe-142/2/1   present    51/6           
                                        xe-140/2/2   present    
                                        xe-2/0/7     online     
                                        xe-2/0/5*    backup     
_sd142           142    Online          xe-141/2/2   present    50/4           
                                        xe-140/2/3   present    
                                        xe-2/0/5*    backup     
											
EX9204-01-RE0> show chassis hardware satellite 
Hardware inventory:
Item             Version  Part number  Serial number     Description
...


EX9204-01-RE0> show interfaces terse | except down 
Interface               Admin Link Proto    Local                 Remote
...


#### Configuring Generic Route Encapsulation (GRE)

First, let’s verify that there is more than one hop:
EX4600-4_5-VC# run traceroute 10.1.0.2 
traceroute to 10.1.0.2 (10.1.0.2), 30 hops max, 40 byte packets
 1  10.1.0.4 (10.1.0.4)  16.507 ms  11.683 ms  10.980 ms
 2  10.1.0.2 (10.1.0.2)  22.121 ms  22.583 ms  21.970 ms

You can clearly see that the EX4300 is between our endpoints. Now let’s configure the first endpoint on the EX4600 using 10.100.0.0/31 as the tunnel endpoint on xe-1/0/0:
EX4600-4_5-VC# set interfaces gr-0/0/0 unit 0 family inet address 10.100.0.0/31
EX4600-4_5-VC# set interfaces gr-0/0/0 unit 0 tunnel source 10.1.0.5
EX4600-4_5-VC# set interfaces gr-0/0/0 unit 0 tunnel destination 10.1.0.2
EX4600-4_5-VC# set interfaces gr-0/0/0 unit 0 tunnel path-mtu-discovery
EX4600-4_5-VC# commit

Once that is committed you can move on to the QFX5100 and do the same thing. The tunnel IP for the QFX5100 will be 10.100.0.1/31:
QFX5100-2_3-VC# set interfaces gr-0/0/0.0 family inet address 10.100.0.1/31
QFX5100-2_3-VC# set interfaces gr-0/0/0.0 tunnel source 10.1.0.2 
QFX5100-2_3-VC# set interfaces gr-0/0/0.0 tunnel destination 10.1.0.5
QFX5100-2_3-VC# set interfaces gr-0/0/0.0 tunnel path-mtu-discovery 
QFX5100-2_3-VC# commit

Now that we have both tunnel endpoints up let’s see if we can ping the other side:
QFX5100-2_3-VC# run ping 10.100.0.0 source 10.100.0.1 
PING 10.100.0.0 (10.100.0.0): 56 data bytes
64 bytes from 10.100.0.0: icmp_seq=0 ttl=64 time=12.762 ms
64 bytes from 10.100.0.0: icmp_seq=1 ttl=64 time=11.156 ms
64 bytes from 10.100.0.0: icmp_seq=2 ttl=64 time=99.145 ms
^C
--- 10.100.0.0 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 11.156/41.021/99.145/41.105 ms

QFX5100-2_3-VC# run show route 1.1.1.4 
inet.0: 20 destinations, 21 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.4/32         *[OSPF/150] 00:19:03, metric 0, tag 0
                    > to 10.1.0.3 via xe-0/0/3.0

Before OSPF runs over the tunnel, the remote loopback is still reached over the physical path (via xe-0/0/3.0 above). Enable OSPF on the GRE interface as a point-to-point link on both sides, and the route moves into the tunnel:
QFX5100-2_3-VC# set protocols ospf area 0.0.0.0 interface gr-0/0/0.0 interface-type p2p

EX4600-4_5-VC# set protocols ospf area 0.0.0.0 interface gr-0/0/0.0 interface-type p2p
EX4600-4_5-VC# run show route 1.1.1.2 
inet.0: 22 destinations, 23 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.2/32         *[OSPF/150] 00:00:14, metric 0, tag 0
                    > via gr-0/0/0.0

EX4600-4_5-VC# run show route terse | match gr 
* ? 1.1.1.2/32         O 150          0            >gr-0/0/0.0  
* ? 10.1.0.0/31        O  10          2            >gr-0/0/0.0  
* ? 10.1.0.2/31        O  10          2             gr-0/0/0.0  
* ? 10.1.0.8/31        O  10          3            >gr-0/0/0.0  
* ? 10.100.0.0/31      D   0                       >gr-0/0/0.0  
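As an added illustration, not the book's code and not Junos's implementation of gr-0/0/0, the Python below builds the encapsulation the tunnel performs for the ping between the 10.100.0.0/31 addresses: an outer IPv4 header from tunnel source to tunnel destination, a 4-byte GRE header, then the inner packet. It shows the 24-byte overhead that makes path-mtu-discovery matter, and a decapsulation check that accepts only packets whose outer addresses match the configured endpoints (GRE itself authenticates nothing). The inner ICMP echo and all function names are constructed here.

```python
import ipaddress
import struct

GRE_PROTO = 47        # IP protocol number carried in the outer header
ETH_P_IP = 0x0800     # GRE protocol type for an IPv4 payload
IPV4_HDR_LEN = 20
GRE_HDR_LEN = 4       # minimal GRE header: no checksum, key or sequence fields
GRE_OVERHEAD = IPV4_HDR_LEN + GRE_HDR_LEN   # 24 bytes added to every tunnelled packet


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = False) -> bytes:
    """Minimal 20-byte IPv4 header; DF is set when path MTU discovery is in use."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, IPV4_HDR_LEN + payload_len, 0, 0x4000 if df else 0,
                      64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def icmp_echo(payload: bytes, ident: int = 1, seq: int = 0) -> bytes:
    """ICMP echo request (type 8) with a correct checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return hdr[:2] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[4:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, pmtud: bool = True) -> bytes:
    """Outer IPv4 (protocol 47) + GRE header + inner packet, as it leaves the tunnel interface."""
    gre = struct.pack("!HH", 0, ETH_P_IP)          # flags/version = 0, protocol type = IPv4
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, GRE_HDR_LEN + len(inner), df=pmtud)
    return outer + gre + inner


def gre_decapsulate(packet: bytes, peer: str, local: str) -> bytes:
    """Validate the outer headers and return the inner packet; raises ValueError otherwise.
    Only packets from the configured tunnel destination (peer) to the tunnel source (local) are accepted."""
    if len(packet) < GRE_OVERHEAD:
        raise ValueError("truncated packet")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:IPV4_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_HDR_LEN or total_len > len(packet):
        raise ValueError("malformed outer IPv4 header")
    if ones_complement_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if proto != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    if (src, dst) != (ipaddress.IPv4Address(peer).packed, ipaddress.IPv4Address(local).packed):
        raise ValueError("outer addresses do not match the configured tunnel endpoints")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + GRE_HDR_LEN])
    if flags != 0 or ptype != ETH_P_IP:
        raise ValueError("unsupported GRE options or payload type")
    return packet[ihl + GRE_HDR_LEN:total_len]


def is_valid_tunnel_packet(packet: bytes, peer: str, local: str) -> bool:
    """True when gre_decapsulate would accept the packet."""
    try:
        gre_decapsulate(packet, peer, local)
        return True
    except ValueError:
        return False


def max_inner_packet(link_mtu: int) -> int:
    """Largest inner IPv4 packet that fits on the underlay without fragmentation."""
    return link_mtu - GRE_OVERHEAD


# Constructed sample: the 56-data-byte echo the ping above sends from 10.100.0.1 to 10.100.0.0,
# encapsulated on the QFX5100 side (tunnel source 10.1.0.2, destination 10.1.0.5).
INNER = ipv4_header("10.100.0.1", "10.100.0.0", 1, 8 + 56) + icmp_echo(bytes(56))
TUNNELLED = gre_encapsulate(INNER, "10.1.0.2", "10.1.0.5")

if __name__ == "__main__":
    print("inner %d bytes -> on the wire %d bytes" % (len(INNER), len(TUNNELLED)))
    print("largest inner packet on a 1500-byte link:", max_inner_packet(1500))
    print("EX4600 side accepts it:", is_valid_tunnel_packet(TUNNELLED, "10.1.0.2", "10.1.0.5"))
```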

#### Configuring Virtual Routing and Forwarding (VRF-LITE)

EX2300-16# set vlans V1000 vlan-id 1000 
EX2300-16# set vlans V1000 l3-interface irb.1000 
EX2300-16# set interfaces irb.1000 family inet address 10.0.0.1/25 
EX2300-16# set interfaces ge-0/0/2 disable 
EX2300-16# set interfaces xe-0/1/0 disable
EX2300-16# delete interfaces ge-0/0/1.0
EX2300-16# set interfaces ge-0/0/1.0 family ethernet-switching vlan members V1000 
EX2300-16# commit

EX2300-8_9# set vlans V1000 vlan-id 1000 
EX2300-8_9# set vlans V1000 l3-interface irb.1000 
EX2300-8_9# set interfaces irb.1000 family inet address 10.0.0.129/25 
EX2300-8_9# set interfaces ge-1/0/1 disable 
EX2300-8_9# set interfaces xe-0/1/2 disable
EX2300-8_9# delete interfaces ge-0/0/1.0
EX2300-8_9# set interfaces ge-0/0/1.0 family ethernet-switching vlan members V1000 
EX2300-8_9# commit

Now that we have disabled some interfaces and added some VLANs, our lab network looks like Figure 7.5 – a Layer 3 core and the same VLAN on both sides of the network.

Next, let’s move to the EX4600_4 switch, where the fun begins:
EX4600-4_5-VC# set vlans V1000 vlan-id 1000 
EX4600-4_5-VC# set vlans V1000 l3-interface irb.1000
EX4600-4_5-VC# set interfaces irb.1000 family inet address 10.0.0.4/25
EX4600-4_5-VC# set interfaces ge-0/0/2.0 family ethernet-switching vlan members V1000 
EX4600-4_5-VC# commit
EX4600-4_5-VC# run ping 10.0.0.1 count 5 rapid source 10.0.0.4 
PING 10.0.0.1 (10.0.0.1): 56 data bytes
!!!!!
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.831/28.665/47.457/9.586 ms

Since we have confirmed that our VLAN 1000 is operational let’s do the same on the QFX5100 side:
QFX5100-2_3-VC# set vlans V1000 vlan-id 1000 
QFX5100-2_3-VC# set vlans V1000 l3-interface irb.1000 
QFX5100-2_3-VC# set interfaces irb.1000 family inet address 10.0.0.130/25 
QFX5100-2_3-VC# set interfaces ge-0/0/4.0 family ethernet-switching vlan members V1000
QFX5100-2_3-VC# commit 
QFX5100-2_3-VC# run ping 10.0.0.8 
PING 10.0.0.8 (10.0.0.8): 56 data bytes
64 bytes from 10.0.0.8: icmp_seq=0 ttl=64 time=22.674 ms
64 bytes from 10.0.0.8: icmp_seq=1 ttl=64 time=11.174 ms
^C
--- 10.0.0.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 11.174/16.924/22.674/5.750 ms

Excellent! We’ve confirmed that VLAN 1000 exists on both sides of the network and we can ping them from the core. The next thing to do is to create the VRF or routing instance on both the QFX5100 and EX4600:
QFX5100-2_3-VC# set routing-instances DO_VRF instance-type virtual-router
QFX5100-2_3-VC# set routing-instances DO_VRF interface irb.1000 
QFX5100-2_3-VC# commit 
QFX5100-2_3-VC# run ping 10.0.0.8 count 5 rapid                    
PING 10.0.0.8 (10.0.0.8): 56 data bytes
.....
--- 10.0.0.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

As soon as we placed the irb.1000 interface inside the routing instance, we could no longer ping from the master routing instance: the interface and its routes now live in the instance's own table rather than in inet.0. To ping or traceroute from a routing instance you have to reference the VRF name. For example:
QFX5100-2_3-VC# run ping 10.0.0.8 count 5 rapid source 10.0.0.2 routing-instance DO_VRF 
PING 10.0.0.8 (10.0.0.8): 56 data bytes
!!!!!
--- 10.0.0.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 9.831/13.292/22.287/4.554 ms

You should note that we referenced “routing-instance DO_VRF” to tell ping to use that routing instance's own inet.0 table. Once we did that, it worked. This shows that the routing tables are being segregated from the master instance as we move along. Now let’s do the same on the EX4600.

EX4600-4_5-VC# set routing-instances DO_VRF instance-type virtual-router 
EX4600-4_5-VC# set routing-instances DO_VRF interface irb.1000              
EX4600-4_5-VC# commit 

EX4600-4_5-VC# run ping 10.0.0.1 rapid count 5 
PING 10.0.0.1 (10.0.0.1): 56 data bytes
.....
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
EX4600-4_5-VC# run ping routing-instance DO_VRF 10.0.0.1 rapid count 5 
PING 10.0.0.1 (10.0.0.1): 56 data bytes
!!!!!
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 22.915/30.813/34.024/4.056 ms


For our GRE tunnel, let’s go from xe-1/2/1 on EX3400_10 to xe-1/2/1 on EX4300_6, make sure we can ping both ends, and then drop it into our routing-instance:
EX4600-4_5-VC# set interfaces gr-0/0/0.0 family inet address 10.3.0.1/30 
EX4600-4_5-VC# set interfaces gr-0/0/0.0 tunnel source 10.1.0.5             
EX4600-4_5-VC# set interfaces gr-0/0/0.0 tunnel destination 10.1.0.2 
EX4600-4_5-VC# commit 
EX4600-4_5-VC# run show interfaces terse | match gr-0/0/0 
gr-0/0/0                up    up
gr-0/0/0.0              up    up   inet     10.3.0.1/30    

QFX5100-2_3-VC# set interfaces gr-0/0/0.0 family inet address 10.3.0.2/30 
QFX5100-2_3-VC# set interfaces gr-0/0/0.0 tunnel source 10.1.0.2             
QFX5100-2_3-VC# set interfaces gr-0/0/0.0 tunnel destination 10.1.0.5 
QFX5100-2_3-VC# commit 
QFX5100-2_3-VC# run show interfaces terse | match gr-0/0/0 
gr-0/0/0                up    up
gr-0/0/0.0              up    up   inet     10.3.0.2/30 

Ping from one end of the tunnel to the other:
EX4600-4_5-VC> ping 10.3.0.2 source 10.3.0.1 count 5 rapid 
PING 10.3.0.2 (10.3.0.2): 56 data bytes
!!!!!
--- 10.3.0.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.953/10.724/15.621/3.784 ms

Awesome! So now we can push this interface into the routing-instance on both sides of the network:
QFX5100-2_3-VC# set routing-instances DO_VRF interface gr-0/0/0.0

EX4600-4_5-VC# set routing-instances DO_VRF interface gr-0/0/0.0

Once we commit those two statements, check the connectivity:
EX4600-4_5-VC# run ping 10.3.0.2 count 5 rapid 
PING 10.3.0.2 (10.3.0.2): 56 data bytes
.....
--- 10.3.0.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

EX4600-4_5-VC# run ping 10.3.0.2 count 5 rapid routing-instance DO_VRF 
PING 10.3.0.2 (10.3.0.2): 56 data bytes
!!!!!
--- 10.3.0.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.825/29.545/103.013/36.736 ms

Very nice! But we still need to provide a routing mechanism to get the routing instances to advertise their connectivity. For that, configure ospf area 0 inside the VRF:
EX4600-4_5-VC# set routing-instances DO_VRF protocols ospf area 0.0.0.0 interface irb.1000 interface-type p2p
EX4600-4_5-VC# set routing-instances DO_VRF protocols ospf area 0.0.0.0 interface gr-0/0/0.0 interface-type p2p
EX4600-4_5-VC# commit

QFX5100-2_3-VC# set routing-instances DO_VRF protocols ospf area 0.0.0.0 interface irb.1000 interface-type p2p
QFX5100-2_3-VC# set routing-instances DO_VRF protocols ospf area 0.0.0.0 interface gr-0/0/0.0 interface-type p2p
QFX5100-2_3-VC# commit

Once OSPF is configured you should see routes on both sides:
QFX5100-2_3-VC# run show route table DO_VRF.inet.0 
DO_VRF.inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/25        *[OSPF/10] 01:15:33, metric 2
                    > via gr-0/0/0.0
10.0.0.128/25      *[Direct/0] 01:15:33
                    > via irb.1000
10.0.0.130/32      *[Local/0] 01:15:33
                      Local via irb.1000
10.3.0.0/30        *[Direct/0] 01:25:57
                    > via gr-0/0/0.0
                    [OSPF/10] 01:25:57, metric 1
                    > via gr-0/0/0.0
10.3.0.2/32        *[Local/0] 01:25:57
                      Local via gr-0/0/0.0
224.0.0.5/32       *[OSPF/10] 01:46:30, metric 1
                      MultiRecv

EX4600-4_5-VC# run show route table DO_VRF.inet.0 
DO_VRF.inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/25        *[Direct/0] 01:16:19
                    > via irb.1000
10.0.0.4/32        *[Local/0] 01:16:19
                      Local via irb.1000
10.0.0.128/25      *[OSPF/10] 01:15:56, metric 2
                    > via gr-0/0/0.0
10.3.0.0/30        *[Direct/0] 01:26:49
                    > via gr-0/0/0.0
                    [OSPF/10] 01:26:49, metric 1
                    > via gr-0/0/0.0
10.3.0.1/32        *[Local/0] 01:26:49
                      Local via gr-0/0/0.0
224.0.0.5/32       *[OSPF/10] 01:47:20, metric 1
                      MultiRecv

The last thing to do is provide a route to our access layer. You can set a static default route or you can point to the other half of the network. Let’s choose the latter and see if we can get end-to-end reachability:
EX2300-8_9-VC# set routing-options static route 10.0.0.0/25 next-hop 10.0.0.130
EX2300-8_9-VC# commit

EX2300-16# set routing-options static route 10.0.0.128/25 next-hop 10.0.0.4
EX2300-16# commit
EX2300-8_9-VC# run ping 10.0.0.1 count 5 rapid 
PING 10.0.0.1 (10.0.0.1): 56 data bytes
!!!!!
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 69.103/92.536/124.694/23.632 ms

EX2300-16> ping 10.0.0.129 count 10 rapid 
PING 10.0.0.129 (10.0.0.129): 56 data bytes
!!!!!!!!!!
--- 10.0.0.129 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 64.333/78.790/147.934/23.645 ms

EX2300-16> ssh lab@10.0.0.129 
Password:
Last login: Thu Jul  6 21:46:02 2017 from 10.1.1.10
--- Junos 15.1X53-D50.2 Kernel 32-bit  JNPR-11.0-20160614.329646_build
{master:0}
lab@EX2300-8_9-VC> exit

There you go. We have successfully connected the same VLAN across the network over a GRE tunnel, and we were even able to SSH over it to show TCP connectivity. However, it isn’t finished: the traffic is only following one side of the network. You need to configure a path on the west side as well, but this time let’s use the vlan-tagging command and drop the interfaces into the VRF:
EX4600-4_5-VC# set interfaces xe-0/0/4 vlan-tagging
EX4600-4_5-VC# set interfaces xe-0/0/4.0 vlan-id 10
EX4600-4_5-VC# set interfaces xe-0/0/4.1 vlan-id 1000 family inet address 10.3.0.5/30
EX4600-4_5-VC# set routing-instances DO_VRF interface xe-0/0/4.1
EX4600-4_5-VC# commit 

EX3400-10_11-VC# set interfaces xe-0/2/2 vlan-tagging 
EX3400-10_11-VC# set interfaces xe-0/2/2 unit 0 vlan-id 10   
EX3400-10_11-VC# set interfaces xe-0/2/2 unit 1 vlan-id 1000 family inet address 10.3.0.9/30
EX3400-10_11-VC# set interfaces xe-1/2/1 vlan-tagging 
EX3400-10_11-VC# set interfaces xe-1/2/1 unit 0 vlan-id 10   
EX3400-10_11-VC# set interfaces xe-1/2/1 unit 1 vlan-id 1000 family inet address 10.3.0.6/30
EX3400-10_11-VC# set routing-instances DO_VRF instance-type virtual-router
EX3400-10_11-VC# set routing-instances DO_VRF interface xe-0/2/2.1
EX3400-10_11-VC# set routing-instances DO_VRF interface xe-1/2/1.1
EX3400-10_11-VC# set routing-instances DO_VRF protocols ospf area 0.0.0.0 interface xe-1/2/1.1 interface-type p2p
EX3400-10_11-VC# set routing-instances DO_VRF protocols ospf area 0.0.0.0 interface xe-0/2/2.1 interface-type p2p
EX3400-10_11-VC# commit 

QFX5100-2_3-VC# set interfaces xe-1/0/1 vlan-tagging
QFX5100-2_3-VC# set interfaces xe-1/0/1 unit 0 vlan-id 10 
QFX5100-2_3-VC# set interfaces xe-1/0/1 unit 1 vlan-id 1000 family inet address 10.3.0.10/30
QFX5100-2_3-VC# commit

After everything is committed you should now have reachability:
QFX5100-2_3-VC# run ping routing-instance DO_VRF 10.3.0.5 count 5 rapid 
PING 10.3.0.5 (10.3.0.5): 56 data bytes
!!!!!
--- 10.3.0.5 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 32.908/55.580/112.970/29.846 ms

QFX5100-2_3-VC# run traceroute routing-instance DO_VRF 10.3.0.5 
traceroute to 10.3.0.5 (10.3.0.5), 30 hops max, 40 byte packets
 1  10.3.0.9 (10.3.0.9)  86.509 ms  24.447 ms  22.645 ms
 2  10.3.0.5 (10.3.0.5)  58.308 ms  55.040 ms  58.979 ms

And finally, we can ping from end to end using the new path and vlan-tagging. 

EX2300-16> ping 10.0.0.129 count 50 rapid 
PING 10.0.0.129 (10.0.0.129): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
--- 10.0.0.129 ping statistics ---
50 packets transmitted, 50 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.665/14.189/22.671/4.445 ms

EX2300-16> traceroute 10.0.0.129 
traceroute to 10.0.0.129 (10.0.0.129), 30 hops max, 52 byte packets
 1  10.0.0.4 (10.0.0.4)  44.409 ms  67.677 ms  45.950 ms
 2  10.3.0.6 (10.3.0.6)  10.967 ms  14.641 ms  10.985 ms
 3  10.3.0.10 (10.3.0.10)  43.208 ms  46.107 ms  35.762 ms
 4  10.0.0.129 (10.0.0.129)  11.718 ms  6.953 ms  10.885 ms

We deactivated the gr-0/0/0 interface to make sure that our traffic took the new path we created. Let’s see what happens when we reactivate that interface.
EX2300-16> traceroute 10.0.0.129    
traceroute to 10.0.0.129 (10.0.0.129), 30 hops max, 52 byte packets
 1  10.0.0.4 (10.0.0.4)  35.460 ms  48.465 ms  34.289 ms
 2  10.3.0.2 (10.3.0.2)  53.690 ms  47.345 ms  55.257 ms
 3  10.0.0.129 (10.0.0.129)  80.624 ms  75.877 ms  77.272 ms

#### Chapter 8

#### Configuring EX Spanning Tree Protocols

The following configuration is applied to all four switches with only the IP address for me0.0 and the host-name changed per switch:
SWITCH-1> show configuration | display set 
set version 15.1R6-S2.1
set groups LAB system host-name SWITCH-1
set groups LAB system backup-router 192.168.2.5
set groups LAB system authentication-order radius
set groups LAB system authentication-order password
set groups LAB system root-authentication encrypted-password "$1$4SUDuuFj$ZvqhdxrLzJWYkfDhraZt90"
set groups LAB system name-server 8.8.8.8
set groups LAB system login message "\n \n LAB SWITCH-1\n \n"
set groups LAB system login user lab uid 2000
set groups LAB system login user lab class super-user
set groups LAB system login user lab authentication encrypted-password "$1$zWm9E0R2$vC1i0E9.tI9HfZ0Mzszqv."
set groups LAB system login user lab uid 2002
set groups LAB system login user lab class super-user
set groups LAB system services ssh
set groups LAB system services netconf ssh
set groups LAB interfaces me0 unit 0 family inet address 192.168.2.14/24
set groups LAB routing-options static route 0.0.0.0/0 next-hop 192.168.2.1
set apply-groups LAB
set interfaces ge-0/0/0 unit 0 family ethernet-switching
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/2 unit 0 family ethernet-switching
set interfaces ge-0/0/3 unit 0 family ethernet-switching
set interfaces ge-0/0/4 unit 0 family ethernet-switching
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/6 unit 0 family ethernet-switching
set interfaces ge-0/0/7 unit 0 family ethernet-switching
set interfaces ge-0/0/8 unit 0 family ethernet-switching
set interfaces ge-0/0/9 unit 0 family ethernet-switching
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set interfaces ge-0/0/11 unit 0 family ethernet-switching
set interfaces ge-0/1/0 unit 0 family ethernet-switching
set interfaces ge-0/1/1 unit 0 family ethernet-switching

$ ping 192.168.2.14
PING 192.168.2.14 (192.168.2.14): 56 data bytes
64 bytes from 192.168.2.14: icmp_seq=0 ttl=62 time=2.708 ms
 …
64 bytes from 192.168.2.14: icmp_seq=17 ttl=62 time=10.623 ms
Request timeout for icmp_seq 18
Request timeout for icmp_seq 19
Request timeout for icmp_seq 20
Request timeout for icmp_seq 21
Request timeout for icmp_seq 22
Request timeout for icmp_seq 23
Request timeout for icmp_seq 24
Request timeout for icmp_seq 25
Request timeout for icmp_seq 26
64 bytes from 192.168.2.14: icmp_seq=18 ttl=62 time=9793.608 ms
64 bytes from 192.168.2.14: icmp_seq=19 ttl=62 time=8793.551 ms
64 bytes from 192.168.2.14: icmp_seq=20 ttl=62 time=7791.432 ms
64 bytes from 192.168.2.14: icmp_seq=21 ttl=62 time=6788.174 ms
64 bytes from 192.168.2.14: icmp_seq=22 ttl=62 time=5785.347 ms
64 bytes from 192.168.2.14: icmp_seq=23 ttl=62 time=4780.493 ms

The network is so overwhelmed that the switch cannot even establish a simple SSH connection.
$ ssh 192.168.2.14

SWITCH-1> show interfaces ge-0/0/0 detail 
Physical interface: ge-0/0/0, Enabled, Physical link is Down
  Interface index: 130, SNMP ifIndex: 502, Generation: 133
  Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: Auto, Duplex: Auto, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online, Media type: Copper, IEEE 802.3az Energy Efficient Ethernet: Disabled
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x4000
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 5c:45:27:e7:9b:03, Hardware address: 5c:45:27:e7:9b:03
  Last flapped   : 2010-01-02 22:48:04 UTC (00:00:25 ago)
  Statistics last cleared: 2010-01-02 22:38:05 UTC (00:10:24 ago)
  Traffic statistics:
   Input  bytes  :          43045419392                    0 bps
   Output bytes  :          43044399296                    0 bps
   Input  packets:            672584678                    0 pps
   Output packets:            672568739                    0 pps
   
SWITCH-1# show protocols rstp 
interface all {
    mode point-to-point;
}

$ ping 192.168.2.14
PING 192.168.2.14 (192.168.2.14): 56 data bytes
64 bytes from 192.168.2.14: icmp_seq=0 ttl=62 time=3.157 ms
64 bytes from 192.168.2.14: icmp_seq=1 ttl=62 time=3.960 ms
64 bytes from 192.168.2.14: icmp_seq=2 ttl=62 time=4.019 ms
64 bytes from 192.168.2.14: icmp_seq=3 ttl=62 time=3.211 ms
64 bytes from 192.168.2.14: icmp_seq=4 ttl=62 time=2.617 ms
64 bytes from 192.168.2.14: icmp_seq=5 ttl=62 time=3.332 ms
64 bytes from 192.168.2.14: icmp_seq=6 ttl=62 time=4.889 ms
64 bytes from 192.168.2.14: icmp_seq=7 ttl=62 time=3.227 ms
^C
--- 192.168.2.14 ping statistics ---
8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.617/3.551/4.889/0.659 ms

Now, the spanning-tree for ge-0/0/0:
SWITCH-1> show spanning-tree interface    
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513 32768.cce17f8f7ac1    20000 BLK   ALT  
ge-0/0/1.0             128:514   128:515 32768.5c4527e7e801    20000 FWD   ROOT 

You can also tell that SWITCH-1 is not the root bridge for the network because there is a ROOT role in the output. You can look into this further by issuing the show spanning-tree bridge command:
SWITCH-1> show spanning-tree bridge       
STP bridge parameters 
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 32768.30:7c:5e:10:86:c1
  Root cost                         : 40000
  Root port                         : ge-0/0/1.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 2 
  Number of topology changes        : 4
  Time since last topology change   : 105 seconds
  Topology change initiator         : ge-0/0/1.0
  Topology change last recvd. from  : 5c:45:27:e7:e8:05
  Local parameters 
    Bridge ID                       : 32768.5c:45:27:e7:9b:01
    Extended system ID              : 0
    Internal instance ID            : 0

Based on our diagram, with its annotated chassis MAC addresses, you can tell that the root bridge is SWITCH-3. Let’s take a look at all of the spanning tree interfaces so we can see which links were cut off:
SWITCH-1> show spanning-tree interface    
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513 32768.cce17f8f7ac1    20000 BLK   ALT  
ge-0/0/1.0             128:514   128:515 32768.5c4527e7e801    20000 FWD   ROOT 

SWITCH-2> show spanning-tree interface    
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513 32768.307c5e1086c1    20000 FWD   ROOT 
ge-0/0/2.0             128:515   128:515 32768.5c4527e7e801    20000 FWD   DESG 

SWITCH-3> show spanning-tree interface       
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513 32768.307c5e1086c1    20000 FWD   DESG 
ge-0/0/1.0             128:514   128:514 32768.307c5e1086c1    20000 FWD   DESG 

SWITCH-4> show spanning-tree interface    
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513 32768.cce17f8f7ac1    20000 FWD   DESG 
ge-0/0/2.0             128:515   128:514 32768.307c5e1086c1    20000 FWD   ROOT 

Let’s disconnect ge-0/0/0 on Switch-2 and see if this is correct:
SWITCH-2# set interfaces ge-0/0/0 disable 
SWITCH-2# commit 
configuration check succeeds
commit complete

Now a quick look at Switch-1 and Switch-2 shows:
SWITCH-1> show spanning-tree interface 
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513 32768.cce17f8f7ac1    20000 FWD   ROOT 
ge-0/0/1.0             128:514   128:514 32768.5c4527e79b01    20000 FWD   DESG 

SWITCH-2> show spanning-tree interface 
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/2.0             128:515   128:514 32768.5c4527e79b01    20000 FWD   ROOT 
Just as expected! Let’s enable interface ge-0/0/0 on Switch-2 and also add the link in between Switch-2 and Switch-4 on ge-0/0/11, adding an additional loop into the mix, as illustrated in Figure 8.3.


#### Configuring and Monitoring Rapid Spanning Tree Protocol (RSTP)

SWITCH-2# set protocols rstp interface ge-0/0/5.0 edge    
SWITCH-2# set protocols rstp interface ge-0/0/6.0 edge 
SWITCH-2# set protocols rstp bpdu-block-on-edge 

Here is a packet capture using the monitor traffic interface command that allows you to see a lot of the information and how it is being transmitted:
SWITCH-3> monitor traffic interface ge-0/0/0 no-resolve extensive 

SWITCH-1# set protocols rstp bridge-priority 4k
SWITCH-2# set protocols rstp bridge-priority 8k
SWITCH-3# set protocols rstp bridge-priority 16k

Now you can check to see who is the root bridge in the topology:
SWITCH-1> show spanning-tree interface 
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513  4096.5c4527e79b01    20000 FWD   DESG 
ge-0/0/1.0             128:514   128:514  4096.5c4527e79b01    20000 FWD   DESG 

SWITCH-1> show spanning-tree bridge detail 
STP bridge parameters 
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.5c:45:27:e7:9b:01
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0 
  Number of topology changes        : 6
  Time since last topology change   : 254 seconds
  Topology change initiator         : ge-0/0/0.0
  Topology change last recvd. from  : 5c:45:27:e7:e8:05
  Local parameters 
    Bridge ID                       : 4096.5c:45:27:e7:9b:01
    Extended system ID              : 0
    Internal instance ID            : 0
    Hello time                      : 2 seconds
    Maximum age                     : 20 seconds
    Forward delay                   : 15 seconds
    Path cost method                : 32 bit 

But we aren’t done yet. We still want to influence our network and force it into the Z topology. The next tool is path cost.
SWITCH-2# set protocols rstp interface ge-0/0/2 cost 10
SWITCH-3# set protocols rstp interface ge-0/0/0 cost 100 
SWITCH-3# set protocols rstp interface ge-0/0/1 cost 10 

SWITCH-4# set protocols rstp interface ge-0/0/0 cost 100
SWITCH-4# set protocols rstp interface ge-0/0/11 cost 10
SWITCH-4# set protocols rstp interface ge-0/0/2 cost 10

Once these are all committed we will have indeed influenced our path, so let’s map it out again on the diagram.
SWITCH-1> show spanning-tree interface    
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513  4096.5c4527e79b01    20000 FWD   DESG 
ge-0/0/1.0             128:514   128:514  4096.5c4527e79b01    20000 FWD   DESG 

SWITCH-2# run show spanning-tree interface    
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513  8192.5c4527e7e801    20000 FWD   DESG 
ge-0/0/2.0             128:515   128:514  4096.5c4527e79b01       10 FWD   ROOT 
ge-0/0/11.0            128:524   128:524  8192.5c4527e7e801    20000 FWD   DESG 

SWITCH-3# run show spanning-tree interface    
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513  8192.5c4527e7e801      100 BLK   ALT  
ge-0/0/1.0             128:514   128:515 32768.cce17f8f7ac1       10 FWD   ROOT 

SWITCH-4# run show spanning-tree interface    
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513  4096.5c4527e79b01      100 BLK   ALT  
ge-0/0/2.0             128:515   128:515 32768.cce17f8f7ac1       10 FWD   DESG 
ge-0/0/11.0            128:524   128:524  8192.5c4527e7e801       10 FWD   ROOT 
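To check the election behind these tables, here is an added Python example (not code from the book) that re-derives the ROOT/DESG/ALT roles from the bridge priorities, chassis MACs and port costs configured above, first for the all-default topology rooted at SWITCH-3 and then for the Z topology; the switch names, MACs and links come from the outputs shown, and the function names are my own.

```python
"""RSTP root election and port roles for the four-switch lab topology.

Added example, not code from the book: it re-derives the ROOT/DESG/ALT
roles printed by 'show spanning-tree interface' from the bridge priorities,
chassis MACs and per-port path costs configured in the text. Switch names,
MACs and links are taken from the outputs shown; helper names are assumed.
"""
from dataclasses import dataclass, field

DEFAULT_COST = 20000  # Junos default path cost for a 1 Gbps port (32-bit method)


@dataclass
class Bridge:
    name: str
    mac: str                      # chassis MAC as printed in the bridge ID
    priority: int = 32768
    port_cost: dict = field(default_factory=dict)  # port -> configured cost

    @property
    def bridge_id(self):
        # Lower (priority, MAC) wins, which is how "4096.5c4527e79b01" sorts.
        return (self.priority, self.mac.replace(":", "").lower())


def port_id(port):
    # Junos numbers ge-0/0/N.0 as 128:(513+N), e.g. ge-0/0/11.0 -> 128:524.
    return (128, 513 + int(port.rsplit("/", 1)[1]))


def elect(bridges, links):
    """Return (root name, best root-path info per bridge, role per (bridge, port)).

    links: [(bridge_a, port_a, bridge_b, port_b), ...]
    Root path cost is accumulated on the receiving port; ties are broken by
    the sender's bridge ID, then the sender's port ID, then our own port ID.
    """
    root = min(bridges.values(), key=lambda b: b.bridge_id)
    # best[name] = (root path cost, designated bridge ID, designated port ID,
    #               receiving port ID, receiving port name)
    best = {root.name: (0, root.bridge_id, (0, 0), (0, 0), None)}
    changed = True
    while changed:  # relax until no bridge hears a better BPDU
        changed = False
        for a, pa, b, pb in links:
            for sender, ps, rcvr, pr in ((a, pa, b, pb), (b, pb, a, pa)):
                if sender not in best or rcvr == root.name:
                    continue
                cost = bridges[rcvr].port_cost.get(pr, DEFAULT_COST)
                cand = (best[sender][0] + cost, bridges[sender].bridge_id,
                        port_id(ps), port_id(pr), pr)
                if rcvr not in best or cand < best[rcvr]:
                    best[rcvr] = cand
                    changed = True
    roles = {}
    for a, pa, b, pb in links:
        # The end advertising the better (cost, bridge ID, port ID) is DESG;
        # the other end is ROOT if that is its root port, otherwise ALT (BLK).
        key_a = (best[a][0], bridges[a].bridge_id, port_id(pa))
        key_b = (best[b][0], bridges[b].bridge_id, port_id(pb))
        desg, pd, other, po = (a, pa, b, pb) if key_a < key_b else (b, pb, a, pa)
        roles[(desg, pd)] = "DESG"
        roles[(other, po)] = "ROOT" if best[other][4] == po else "ALT"
    return root.name, best, roles


def lab_switches(with_priorities):
    macs = {"SWITCH-1": "5c:45:27:e7:9b:01", "SWITCH-2": "5c:45:27:e7:e8:01",
            "SWITCH-3": "30:7c:5e:10:86:c1", "SWITCH-4": "cc:e1:7f:8f:7a:c1"}
    pri = {"SWITCH-1": 4096, "SWITCH-2": 8192, "SWITCH-3": 16384} if with_priorities else {}
    return {n: Bridge(n, m, pri.get(n, 32768)) for n, m in macs.items()}


LINKS_INITIAL = [
    ("SWITCH-1", "ge-0/0/0", "SWITCH-4", "ge-0/0/0"),
    ("SWITCH-1", "ge-0/0/1", "SWITCH-2", "ge-0/0/2"),
    ("SWITCH-2", "ge-0/0/0", "SWITCH-3", "ge-0/0/0"),
    ("SWITCH-3", "ge-0/0/1", "SWITCH-4", "ge-0/0/2"),
]
LINKS_WITH_LOOP = LINKS_INITIAL + [("SWITCH-2", "ge-0/0/11", "SWITCH-4", "ge-0/0/11")]


def default_topology():
    """All bridges at priority 32768: the lowest MAC (SWITCH-3) becomes root."""
    return elect(lab_switches(False), LINKS_INITIAL)


def z_topology():
    """Priorities 4k/8k/16k plus the path costs from the text: the Z topology."""
    sw = lab_switches(True)
    sw["SWITCH-2"].port_cost = {"ge-0/0/2": 10}
    sw["SWITCH-3"].port_cost = {"ge-0/0/0": 100, "ge-0/0/1": 10}
    sw["SWITCH-4"].port_cost = {"ge-0/0/0": 100, "ge-0/0/11": 10, "ge-0/0/2": 10}
    return elect(sw, LINKS_WITH_LOOP)


if __name__ == "__main__":
    for fn in (default_topology, z_topology):
        root, best, roles = fn()
        print(f"{fn.__name__}: root={root}")
        for (sw, port), role in sorted(roles.items()):
            print(f"  {sw} {port:<10} rpc={best[sw][0]:<6} {role}")
```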


#### Configuring and Monitoring Multiple Spanning Tree Protocol (MSTP)

SWITCH-1# set vlans V100 vlan-id 100 
SWITCH-1# set vlans V200 vlan-id 200 
SWITCH-1# set vlans V300 vlan-id 300 
SWITCH-1# set vlans V400 vlan-id 400 
SWITCH-1# commit     

SWITCH-2# set vlans V100 vlan-id 100 
SWITCH-2# set vlans V200 vlan-id 200 
SWITCH-2# set vlans V300 vlan-id 300 
SWITCH-2# set vlans V400 vlan-id 400 
SWITCH-2# commit 

SWITCH-3# set vlans V300 vlan-id 300 
SWITCH-3# set vlans V400 vlan-id 400 
SWITCH-3# commit

SWITCH-4# set vlans V100 vlan-id 100 
SWITCH-4# set vlans V200 vlan-id 200 
SWITCH-4# set vlans V300 vlan-id 300 
SWITCH-4# set vlans V400 vlan-id 400 
SWITCH-4# commit 

ELS ALERT	The new ELS command for creating trunk interfaces is interface-mode – make sure you’re not using the old port-mode commands here.
SWITCH-1# set interfaces ge-0/0/0.0 family ethernet-switching interface-mode trunk vlan members [V100 V200]  
SWITCH-1# set interfaces ge-0/0/1.0 family ethernet-switching interface-mode trunk vlan members [V100 V200] 

SWITCH-2# set interfaces ge-0/0/0.0 family ethernet-switching interface-mode trunk vlan members [V300 V400] 
SWITCH-2# set interfaces ge-0/0/2.0 family ethernet-switching interface-mode trunk vlan members [V100 V200] 
SWITCH-2# set interfaces ge-0/0/11.0 family ethernet-switching interface-mode trunk vlan members [V100 V200 V300 V400] 

SWITCH-3# set interfaces ge-0/0/0.0 family ethernet-switching interface-mode trunk vlan members [V300 V400] 
SWITCH-3# set interfaces ge-0/0/1.0 family ethernet-switching interface-mode trunk vlan members [V300 V400] 

SWITCH-4# set interfaces ge-0/0/0.0 family ethernet-switching interface-mode trunk vlan members [V100 V200] 
SWITCH-4# set interfaces ge-0/0/2.0 family ethernet-switching interface-mode trunk vlan members [V300 V400]
SWITCH-4# set interfaces ge-0/0/11.0 family ethernet-switching interface-mode trunk vlan members [V100 V200 V300 V400] 

SWITCH-1# show protocols mstp | display set 
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 4k
set protocols mstp interface ge-0/0/0 cost 1000
set protocols mstp interface ge-0/0/0 mode point-to-point
set protocols mstp interface ge-0/0/1 cost 1000
set protocols mstp interface ge-0/0/1 mode point-to-point
set protocols mstp msti 1 bridge-priority 8k
set protocols mstp msti 1 vlan 100
set protocols mstp msti 1 vlan 200

SWITCH-2# show protocols mstp | display set 
set protocols mstp configuration-name region1
set protocols mstp interface ge-0/0/0 cost 1000
set protocols mstp interface ge-0/0/0 mode point-to-point
set protocols mstp interface ge-0/0/2 cost 1000
set protocols mstp interface ge-0/0/2 mode point-to-point
set protocols mstp interface ge-0/0/11 cost 1000
set protocols mstp interface ge-0/0/11 mode point-to-point
set protocols mstp msti 1 bridge-priority 8k
set protocols mstp msti 1 vlan 100
set protocols mstp msti 1 vlan 200
set protocols mstp msti 2 bridge-priority 32k
set protocols mstp msti 2 vlan 300
set protocols mstp msti 2 vlan 400

SWITCH-3# show protocols mstp | display set 
set protocols mstp configuration-name region1
set protocols mstp interface ge-0/0/0 cost 1000
set protocols mstp interface ge-0/0/0 mode point-to-point
set protocols mstp interface ge-0/0/1 cost 1000
set protocols mstp interface ge-0/0/1 mode point-to-point
set protocols mstp msti 2 bridge-priority 4k
set protocols mstp msti 2 vlan 300
set protocols mstp msti 2 vlan 400
	

SWITCH-4# show protocols mstp | display set
set protocols mstp configuration-name region1
set protocols mstp interface ge-0/0/0 cost 1000
set protocols mstp interface ge-0/0/0 mode point-to-point
set protocols mstp interface ge-0/0/2 cost 1000
set protocols mstp interface ge-0/0/2 mode point-to-point
set protocols mstp interface ge-0/0/11 cost 1000
set protocols mstp interface ge-0/0/11 mode point-to-point
set protocols mstp msti 1 bridge-priority 32k
set protocols mstp msti 1 vlan 100
set protocols mstp msti 1 vlan 200
set protocols mstp msti 2 bridge-priority 32k
set protocols mstp msti 2 vlan 300
set protocols mstp msti 2 vlan 400

SWITCH-1# run show spanning-tree interface    

SWITCH-2# run show spanning-tree interface 

SWITCH-3# run show spanning-tree interface    

SWITCH-4# run show spanning-tree interface    

On each device, you can get the MSTP configuration and see what VLANs are being carried by each instance:
SWITCH-1> show spanning-tree mstp configuration 
MSTP information 
...


SWITCH-2> show spanning-tree mstp configuration    
MSTP information 
...


SWITCH-3> show spanning-tree bridge    
STP bridge parameters 
...


SWITCH-2> show spanning-tree bridge           
STP bridge parameters 
...


#### Configuring and Monitoring VLAN Spanning Tree Protocol (VSTP)

SWITCH-1# show protocols vstp | display set 
set protocols vstp vlan 100 bridge-priority 4k
set protocols vstp vlan 100 interface ge-0/0/0 mode point-to-point
set protocols vstp vlan 200 interface ge-0/0/1 mode point-to-point

SWITCH-2# show protocols vstp | display set 
set protocols vstp vlan 100
set protocols vstp vlan 200 bridge-priority 4k
set protocols vstp vlan 400 bridge-priority 4k
set protocols vstp vlan 100 interface ge-0/0/0 mode point-to-point
set protocols vstp vlan 200 interface ge-0/0/2 mode point-to-point
set protocols vstp vlan 400 interface ge-0/0/11 mode point-to-point

SWITCH-3# show protocols vstp | display set 
set protocols vstp vlan 300 bridge-priority 4k
set protocols vstp vlan 300 interface ge-0/0/0 mode point-to-point
set protocols vstp vlan 300 interface ge-0/0/1 mode point-to-point

SWITCH-4# show protocols vstp | display set 
set protocols vstp vlan 100 interface ge-0/0/0 mode point-to-point
set protocols vstp vlan 200 interface ge-0/0/11 mode point-to-point
set protocols vstp vlan 300 interface ge-0/0/2 mode point-to-point
set protocols vstp vlan 400 interface ge-0/0/11 mode point-to-point
set protocols vstp vlan 100 bridge-priority 32k
set protocols vstp vlan 200 bridge-priority 32k
set protocols vstp vlan 300 bridge-priority 32k
set protocols vstp vlan 400 bridge-priority 32k



Now that we have all the configuration in place let’s look at the spanning-tree topology.

SWITCH-1# run show spanning-tree interface 
Spanning tree interface parameters for VLAN 100
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513  4196.5c4527e79b01    20000 FWD   DESG 
ge-0/0/1.0             128:514   128:514  4196.5c4527e79b01    20000 FWD   DESG 
Spanning tree interface parameters for VLAN 200
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513 32968.5c4527e79b01    20000 FWD   DESG 
ge-0/0/1.0             128:514   128:515  4296.5c4527e7e801    20000 FWD   ROOT 

SWITCH-2# run show spanning-tree interface 
Spanning tree interface parameters for VLAN 100
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/2.0             128:515   128:514  4196.5c4527e79b01    20000 FWD   ROOT 
ge-0/0/11.0            128:524   128:524 32868.5c4527e7e801    20000 FWD   DESG 
Spanning tree interface parameters for VLAN 200
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/2.0             128:515   128:515  4296.5c4527e7e801    20000 FWD   DESG 
ge-0/0/11.0            128:524   128:524  4296.5c4527e7e801    20000 FWD   DESG 
Spanning tree interface parameters for VLAN 300
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513  4396.307c5e1086c1    20000 FWD   ROOT 
ge-0/0/11.0            128:524   128:524 33068.5c4527e7e801    20000 FWD   DESG 
Spanning tree interface parameters for VLAN 400
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513  4496.5c4527e7e801    20000 FWD   DESG 
ge-0/0/11.0            128:524   128:524  4496.5c4527e7e801    20000 FWD   DESG 

SWITCH-3# run show spanning-tree interface 
Spanning tree interface parameters for VLAN 300
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513  4396.307c5e1086c1    20000 FWD   DESG 
ge-0/0/1.0             128:514   128:514  4396.307c5e1086c1    20000 FWD   DESG 

SWITCH-4# run show spanning-tree interface 
Spanning tree interface parameters for VLAN 100
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513  4196.5c4527e79b01    20000 FWD   ROOT 
ge-0/0/11.0            128:524   128:524 32868.5c4527e7e801    20000 BLK   ALT  
Spanning tree interface parameters for VLAN 200
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513 32968.5c4527e79b01    20000 BLK   ALT  
ge-0/0/11.0            128:524   128:524  4296.5c4527e7e801    20000 FWD   ROOT 
Spanning tree interface parameters for VLAN 300
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/2.0             128:515   128:514  4396.307c5e1086c1    20000 FWD   ROOT 
ge-0/0/11.0            128:524   128:524 33068.5c4527e7e801    20000 BLK   ALT  
Spanning tree interface parameters for VLAN 400
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/2.0             128:515   128:513  4496.5c4527e7e801    20000 FWD   ROOT 
ge-0/0/11.0            128:524   128:524  4496.5c4527e7e801    20000 BLK   ALT  


#### Configuring Loop Protection

Using our topology, you can place loop protection on all of the interfaces but we are primarily concerned with the ALT/BLK interfaces, so let’s only perform the commands on Switch-4 for this example:
SWITCH-4# run show spanning-tree interface                   
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513  4096.5c4527e79b01     1000 BLK   ALT  
ge-0/0/2.0             128:515   128:515 32768.cce17f8f7ac1    20000 FWD   DESG 
ge-0/0/11.0            128:524   128:524  8192.5c4527e7e801      100 FWD   ROOT 

Loop protection is configured using bpdu-timeout-action. There are two actions associated with this keyword, block and log, and they should be self-explanatory.
SWITCH-4# set protocols rstp interface ge-0/0/0 bpdu-timeout-action block    
SWITCH-4# commit

And that’s all there is to it. Now let’s disable RSTP on interface ge-0/0/0 on Switch-1 and see what happens on the Switch-4 ge-0/0/0 interface:
SWITCH-1# set protocols rstp interface ge-0/0/0 disable 
SWITCH-1# commit 
configuration check succeeds
commit complete

SWITCH-4> show spanning-tree interface    
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513 32768.cce17f8f7ac1    21000 BLK   DIS (Loop-Incon)
ge-0/0/11.0            128:524   128:524  4096.5c4527e7e801    20000 FWD   ROOT 


#### Configuring Bridge Protocol Data Unit (BPDU) Protection

We’ll test the drop action of bpdu-block on ge-1/0/0 on the lab QFX5100.
QFX5100-2_3-VC# set protocols layer2-control bpdu-block interface ge-1/0/0 drop
QFX5100-2_3-VC# commit
QFX5100-2_3-VC# run monitor start messages

And now let’s turn up the interface on EX2300_16 after giving that switch a 4k bridge priority. Let’s take a look at the ethernet-switching table. It is indeed discarding:
QFX5100-2_3-VC# run show ethernet-switching interface    
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop,
                         LH - MAC limit hit, DN - interface down,
                         SCTL - shutdown by Storm-control,
                         MMAS - Mac-move action shutdown, AS - Autostate-exclude enabled) 
Logical          Vlan          TAG     MAC         STP         Logical           Tagging 
interface        members               limit       state       interface flags  
ge-0/0/4.0                             294912                                     untagged   
                 V1000         1000    294912      Forwarding                     untagged   
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop,
                         LH - MAC limit hit, DN - interface down,
                         SCTL - shutdown by Storm-control,
                         MMAS - Mac-move action shutdown, AS - Autostate-exclude enabled) 
Logical          Vlan          TAG     MAC         STP         Logical           Tagging 
interface        members               limit       state       interface flags  
ge-1/0/0.0                             294912                   DN                tagged     
                 V100          100     294912      Discarding                     tagged   


#### Configuring Root Protection

Before
SWITCH-2# run show spanning-tree bridge    
STP bridge parameters 
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 32768.5c:45:27:e7:9b:01
  Root cost                         : 20000
  Root port                         : ge-0/0/2.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1 
  Number of topology changes        : 25
  Time since last topology change   : 1503 seconds
  Topology change initiator         : ge-0/0/2.0
  Topology change last recvd. from  : 5c:45:27:e7:9b:04
  Local parameters 
    Bridge ID                       : 32768.5c:45:27:e7:e8:01
    Extended system ID              : 0
    Internal instance ID            : 0

After
SWITCH-2# run show spanning-tree bridge    
STP bridge parameters 
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 32768.30:7c:5e:10:86:c1
  Root cost                         : 20000
  Root port                         : ge-0/0/0.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1 
  Number of topology changes        : 27
  Time since last topology change   : 110 seconds
  Topology change initiator         : ge-0/0/11.0
  Topology change last recvd. from  : cc:e1:7f:8f:7a:ce
  Local parameters 
    Bridge ID                       : 32768.5c:45:27:e7:e8:01
    Extended system ID              : 0
    Internal instance ID            : 0

After setting interface ge-0/0/1 to disable on Switch-2 you can see that the network thinks Switch-1 is the root bridge:
SWITCH-1> show spanning-tree interface 
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513 32768.5c4527e79b01    20000 FWD   DESG 
ge-0/0/1.0             128:514   128:514 32768.5c4527e79b01    20000 FWD   DESG 

SWITCH-1> show spanning-tree bridge 
STP bridge parameters 
...

This time add root-protection to our RSTP configuration on ge-0/0/1 on Switch-2 as well as ge-0/0/2 on Switch-4:
SWITCH-2# set protocols rstp interface ge-0/0/1 no-root-port

SWITCH-4# set protocols rstp interface ge-0/0/2 no-root-port 

And when you enable those ports and check the root bridge:
SWITCH-2# delete interfaces ge-0/0/1 disable 
SWITCH-2# commit            
configuration check succeeds
commit complete

SWITCH-2# run show lldp neighbors 
Local Interface    Parent Interface    Chassis Id          Port info          System Name
ge-0/0/1.0         -                   5c:45:27:b1:72:00   ge-0/0/0.0         SWITCH-3               
ge-0/0/2.0         -                   5c:45:27:e7:9b:00   ge-0/0/1.0         SWITCH-1            
ge-0/0/11.0        -                   cc:e1:7f:8f:7a:c0   ge-0/0/11.0        SWITCH-4      

SWITCH-2# run show spanning-tree bridge 
STP bridge parameters 
...

SWITCH-2# run show spanning-tree interface 
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/1.0             128:514   128:513 16384.5c4527b17201    20000 BLK   ALT (Root-Incon)
ge-0/0/2.0             128:515   128:514 32768.5c4527e79b01    20000 FWD   ROOT 
ge-0/0/11.0            128:524   128:524 32768.5c4527e7e801    20000 FWD   DESG 
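As an operational check that serves the VSTP, loop-protection and root-protection outputs above, here is an added Python example (not the book's code) that parses show spanning-tree interface output, decodes VSTP's priority-plus-VLAN bridge ID, and reports BLK ports and any Loop-Incon or Root-Incon state; the sample rows are constructed from the outputs in the text and the function names are my own.

```python
"""Audit 'show spanning-tree interface' output for blocked and inconsistent ports.

Added example, not from the book. It parses the interface table printed by
RSTP/VSTP, decodes the displayed bridge ID (with VSTP the priority field is
bridge priority + VLAN ID, so 4196 on VLAN 100 means priority 4096) and
reports BLK ports and loop-protection (Loop-Incon) or root-protection
(Root-Incon) states. SAMPLE is constructed from rows in the text; the
function names are assumptions.
"""
import re

CONTEXT = re.compile(r"^Spanning tree interface parameters for (instance|VLAN) (\d+)")
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<port_id>\d+:\d+)\s+(?P<desg_port>\d+:\d+)\s+"
    r"(?P<desg_bridge>\d+\.[0-9a-f]{12})\s+(?P<cost>\d+)\s+(?P<state>\w+)\s+"
    r"(?P<role>\w+)(?:\s+\((?P<incon>[^)]+)\))?\s*$"
)


def decode_bridge_id(bid, vlan=None):
    """'4196.5c4527e79b01' on VLAN 100 -> (4096, 100, '5c4527e79b01')."""
    pri_field, mac = bid.split(".")
    ext = vlan or 0                      # 802.1Q extended system ID (VSTP only)
    return int(pri_field) - ext, ext, mac


def parse(text):
    """Return one dict per interface row, tagged with its instance/VLAN context."""
    rows, ctx, vlan = [], None, None
    for line in text.splitlines():
        m = CONTEXT.match(line)
        if m:
            ctx = f"{m.group(1)} {m.group(2)}"
            vlan = int(m.group(2)) if m.group(1) == "VLAN" else None
            continue
        m = ROW.match(line)
        if not m or ctx is None:
            continue                     # column headers and blank lines
        r = m.groupdict()
        r["context"] = ctx
        r["cost"] = int(r["cost"])
        r["desg_priority"], _, r["desg_mac"] = decode_bridge_id(r["desg_bridge"], vlan)
        rows.append(r)
    return rows


def audit(rows):
    """Per context: root port and its upstream bridge, BLK ports, and ports
    held in a protection state (the parenthesised suffix on the role)."""
    out = {}
    for r in rows:
        s = out.setdefault(r["context"], {"root_port": None, "upstream": None,
                                          "blocked": [], "inconsistent": []})
        if r["role"] == "ROOT":
            s["root_port"] = r["intf"]
            s["upstream"] = (r["desg_priority"], r["desg_mac"])
        if r["state"] == "BLK":
            s["blocked"].append(r["intf"])
        if r["incon"]:
            s["inconsistent"].append((r["intf"], r["role"], r["incon"]))
    return out


# Constructed sample: the VLAN 100 table from SWITCH-4 plus an instance 0
# table that merges the Loop-Incon and Root-Incon rows shown in the text.
SAMPLE = """\
Spanning tree interface parameters for VLAN 100
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513  4196.5c4527e79b01    20000 FWD   ROOT 
ge-0/0/11.0            128:524   128:524 32868.5c4527e7e801    20000 BLK   ALT  
Spanning tree interface parameters for instance 0
Interface            Port ID   Designated    Designated       Port   State Role
                                port ID      bridge ID        Cost
ge-0/0/0.0             128:513   128:513 32768.cce17f8f7ac1    21000 BLK   DIS (Loop-Incon)
ge-0/0/1.0             128:514   128:513 16384.5c4527b17201    20000 BLK   ALT (Root-Incon)
ge-0/0/11.0            128:524   128:524  4096.5c4527e7e801    20000 FWD   ROOT 
"""

if __name__ == "__main__":
    for ctx, summary in audit(parse(SAMPLE)).items():
        print(ctx, summary)
```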


#### Configuring Redundant Trunk Group (RTG) Protection

The first thing to do is disable RSTP on the RTG links on Switch-2:
SWITCH-2# set protocols rstp interface ge-0/0/2 disable 
SWITCH-2# set protocols rstp interface ge-0/0/11 disable   
SWITCH-2# commit 
configuration check succeeds

And then disable RSTP on Switch-1:
SWITCH-1# set protocols rstp interface ge-0/0/1 disable 
SWITCH-1# commit 
configuration check succeeds

And on Switch-4:
SWITCH-4# set protocols rstp interface ge-0/0/11 disable 
SWITCH-4# commit 
configuration check succeeds

And now we create the RTG on Switch-2.

SWITCH-2# show switch-options | display set 
set switch-options redundant-trunk-group group RTG-0 preempt-cutover-timer 5
set switch-options redundant-trunk-group group RTG-0 interface ge-0/0/2.0 primary
set switch-options redundant-trunk-group group RTG-0 interface ge-0/0/11.0
SWITCH-2# commit 
configuration check succeeds
commit complete

Everything is now set up for the redundant-trunk-group configuration, and you can confirm that the switch knows which interface is primary and which interfaces make up the RTG:
SWITCH-2# run show redundant-trunk-group 
Group      Interface   State       Time of last flap                      Flap 
name                                                                      count
RTG-0      ge-0/0/2.0  Up/Pri/Act  2017-08-01 23:56:55 UTC (00:00:59 ago)     2
           ge-0/0/11.0 Up          2017-08-01 23:57:06 UTC (00:00:48 ago)     2

Let’s ping from Switch-2, sourcing the irb.100 gateway for V100, to the gateway on Switch-1. Once that is started you can immediately shut down interface ge-0/0/1 on Switch-1.
SWITCH-2> ping 172.16.14.1    
PING 172.16.14.1 (172.16.14.1): 56 data bytes
64 bytes from 172.16.14.1: icmp_seq=0 ttl=64 time=4.246 ms
64 bytes from 172.16.14.1: icmp_seq=1 ttl=64 time=3.283 ms
64 bytes from 172.16.14.1: icmp_seq=2 ttl=64 time=3.606 ms
64 bytes from 172.16.14.1: icmp_seq=3 ttl=64 time=4.255 ms
64 bytes from 172.16.14.1: icmp_seq=4 ttl=64 time=3.290 ms
64 bytes from 172.16.14.1: icmp_seq=5 ttl=64 time=3.763 ms
64 bytes from 172.16.14.1: icmp_seq=6 ttl=64 time=3.288 ms
64 bytes from 172.16.14.1: icmp_seq=7 ttl=64 time=3.287 ms
64 bytes from 172.16.14.1: icmp_seq=8 ttl=64 time=34.698 ms
64 bytes from 172.16.14.1: icmp_seq=9 ttl=64 time=4.502 ms
64 bytes from 172.16.14.1: icmp_seq=10 ttl=64 time=4.067 ms
64 bytes from 172.16.14.1: icmp_seq=11 ttl=64 time=3.311 ms
64 bytes from 172.16.14.1: icmp_seq=12 ttl=64 time=4.251 ms
64 bytes from 172.16.14.1: icmp_seq=13 ttl=64 time=3.756 ms
64 bytes from 172.16.14.1: icmp_seq=14 ttl=64 time=3.759 ms
64 bytes from 172.16.14.1: icmp_seq=15 ttl=64 time=42.102 ms
64 bytes from 172.16.14.1: icmp_seq=16 ttl=64 time=3.762 ms
^C
--- 172.16.14.1 ping statistics ---
17 packets transmitted, 17 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.283/7.837/42.102/11.239 ms

SWITCH-2> show redundant-trunk-group 
Group      Interface   State       Time of last flap                      Flap 
name                                                                      count
RTG-0      ge-0/0/2.0  Dwn/Pri     2017-08-02 01:01:02 UTC (00:00:08 ago)     3
           ge-0/0/11.0 Up/Act      2017-08-01 23:57:06 UTC (01:04:04 ago)     2

#### Chapter 9

#### Configuring EX Series Protocols

#### Configuring LLDP

To enable LLDP on all interfaces of an EX switch:
switch1# set protocols lldp interface all 

You can also enable LLDP on a per-interface basis by specifying the interface:
switch1# set protocols lldp interface ge-0/0/0 

Keep in mind that LLDP advertises the switch’s hostname, software version and management address to whatever is plugged in. On ports facing untrusted end hosts it is safer to enable it only where it is needed (uplinks, and ports where IP phones rely on LLDP-MED) rather than with interface all.

To enable LLDP-MED on all interfaces:
switch1# set protocols lldp-med interface all 

LLDP-MED can also be enabled on a per-interface basis:
switch1# set protocols lldp-med interface ge-0/0/0 

For verifying LLDP status on EX Ethernet switches, use the show lldp command: 
switch1> show lldp 
LLDP                      : Enabled
...


To list the neighbors discovered on every interface:
user@switch> show lldp neighbors 

To clear the neighbor table, for all interfaces or for a single one:
user@switch1> clear lldp neighbors

user@switch1> clear lldp neighbors interface ge-0/0/0 

To see what this switch itself advertises (chassis ID, system name and description, management address):
user@switch1> show lldp local-information 
LLDP Local Information details 
...

Per-interface LLDP counters:
user@switch> show lldp statistics

Interface    Parent Interface    Received    Unknown TLVs    With Errors    Discarded TLVs    Transmitted    Untransmitted
ge-0/0/0.0   -                   158502      0               0              0                 158502         1
ge-0/0/1.0   -                   158510      0               0              0                 158510         1
ge-0/0/2.0   -                   158517      0               0              0                 158517         1

user@switch1> clear lldp statistics 
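Reading the statistics table by eye does not scale past a handful of ports. The following is an added example, not code from the book: it parses the show lldp statistics output into records and flags the two things worth a look, counters that indicate malformed or unknown TLVs, and ports that transmit LLDP but never receive any, which usually means an end host rather than a switch and makes the port a candidate for removal from protocols lldp interface. The first three rows of the sample are the counters shown above; the last two rows are constructed to exercise the checks.

```python
"""Parse 'show lldp statistics' and point out interfaces worth a look.
Added example, not code from the book.  First three rows of SAMPLE are the
counters shown above; the last two are constructed to exercise the checks."""

SAMPLE = """\
Interface    Parent Interface    Received    Unknown TLVs    With Errors    Discarded TLVs    Transmitted    Untransmitted
ge-0/0/0.0   -                   158502      0               0              0                 158502         1
ge-0/0/1.0   -                   158510      0               0              0                 158510         1
ge-0/0/2.0   -                   158517      0               0              0                 158517         1
ge-0/0/3.0   -                   0           0               0              0                 158520         0
ge-0/0/4.0   -                   1204        7               7              7                 1204           0
"""

COUNTERS = ("received", "unknown_tlvs", "with_errors", "discarded_tlvs",
            "transmitted", "untransmitted")


def parse_lldp_statistics(text):
    """Return {interface: {'parent': ..., 'received': int, ...}}.

    A data row is the interface name, its parent (or '-') and six integer
    counters; the header (and any wrapped header fragments) has a different
    shape and is skipped."""
    stats = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 2 + len(COUNTERS) or not all(c.isdigit() for c in cols[2:]):
            continue
        name, parent = cols[0], cols[1]
        entry = dict(zip(COUNTERS, (int(c) for c in cols[2:])))
        entry["parent"] = None if parent == "-" else parent
        stats[name] = entry
    return stats


def lldp_findings(stats):
    """Map interface -> list of findings; interfaces with nothing to say are omitted."""
    findings = {}
    for name, s in stats.items():
        notes = []
        if s["with_errors"] or s["discarded_tlvs"]:
            notes.append("malformed LLDPDUs received: %d with errors, %d TLVs discarded"
                         % (s["with_errors"], s["discarded_tlvs"]))
        if s["unknown_tlvs"]:
            notes.append("%d unknown TLVs: the neighbor sends extensions this switch does not parse"
                         % s["unknown_tlvs"])
        if s["transmitted"] and not s["received"]:
            # We advertise chassis/system details but nobody answers: probably an
            # end host, so LLDP is only leaking information on this port.
            notes.append("transmits but never receives: likely an end-host port, "
                         "consider removing it from 'protocols lldp interface'")
        if notes:
            findings[name] = notes
    return findings
```

Feed it the output of show lldp statistics captured over SSH or from a log bundle; any interface returned by lldp_findings deserves a look, and the transmit-only ones are where to start trimming the interface all configuration.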

#### Configuring LLDP MANAGEMENT-ADDRESS

The management address LLDP advertises by default is not always the one you want neighbors, and the NMS that reads their tables, to use. Check what a neighbor currently sees:
> show lldp neighbors interface ge-0/0/0    
LLDP Neighbor Information:
...

To advertise a specific management address, set it under the LLDP hierarchy:
[edit protocols lldp]
# set management-address 192.168.3.1

Rerun show lldp neighbors interface and you will see the correct management address advertised:
> show lldp neighbors interface ge-0/0/0    
LLDP Neighbor Information:
...

#### Routing Protocols (OSPF) 

In this multi-area example Devices A, B and C share the backbone area 0.0.0.0, Devices D and E sit in area 0.0.0.2, and Device B, with one interface in each, is the area border router between them. Loopbacks are added as passive interfaces so they are advertised without OSPF trying to form adjacencies over them.

Device A:
[edit]

# set protocols ospf area 0.0.0.0 interface ge-0/0/0 
# set protocols ospf area 0.0.0.0 interface ge-0/0/1 
# set protocols ospf area 0.0.0.0 interface lo0 passive


Device C:
[edit]
# set protocols ospf area 0.0.0.0 interface ge-0/0/0 
# set protocols ospf area 0.0.0.0 interface lo0 passive

Device B:
[edit]
# set protocols ospf area 0.0.0.0 interface ge-0/0/0 
# set protocols ospf area 0.0.0.2 interface ge-0/0/2 
# set protocols ospf area 0.0.0.0 interface lo0 passive

Device D:
[edit]

# set protocols ospf area 0.0.0.2 interface ge-0/0/0 
# set protocols ospf area 0.0.0.2 interface ge-0/0/2 
# set protocols ospf area 0.0.0.2 interface lo0 passive

Device E:
[edit]
# set protocols ospf area 0.0.0.2 interface ge-0/0/2 

Verify the adjacencies (all should reach Full) and the routes OSPF has learned:
user@switch1> show ospf neighbor 
user@switch> show ospf route 


#### Configuring Import Policy


Switch A Configuration:

The export policy redistributes static routes from Switch A’s routing table into its OSPF database. Once a static route is in the OSPF database it is advertised, as an external route, in an LSA to Switch A’s OSPF neighbor, Switch C.
 
[edit]
# set interfaces ge-0/0/0 unit 0 family inet address 20.0.3.1/30
# set protocols ospf export export_static
# set protocols ospf area 0.0.0.0 interface ge-0/0/0

Redistribute the static route into OSPF:

# set policy-options policy-statement export_static from protocol static
# set policy-options policy-statement export_static then accept


Switch C Configuration:

[edit]
# set interfaces ge-0/0/0 unit 0 family inet address 20.0.3.2/30

Switch C has an OSPF import policy that matches the static route for 20.0.16.0/30 and keeps it out of Switch C’s routing table. Keep in mind how an OSPF import policy works in Junos: it applies only to external routes, and it decides whether a route is installed in the routing table, not whether the LSA is accepted into the link-state database (every router in the area still floods it). Here are the steps to configure the OSPF import policy.

# set protocols ospf import filter_routes
# set protocols ospf area 0.0.0.0 interface ge-0/0/0
# set policy-options policy-statement filter_routes from route-filter 20.0.16.0/30 exact
# set policy-options policy-statement filter_routes then reject
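Route-filter semantics are where import policies go wrong, so it helps to dry-run a policy against candidate prefixes before committing it. The following is an added example, not code from the book: it models the Junos route-filter match types (exact, longer, orlonger, upto, prefix-length-range) and the rule that within one term only the longest-matching route-filter entry is evaluated, then runs the filter_routes policy from Switch C above against a few routes. The policy structure and the sample prefixes are constructed here.

```python
"""Dry-run a Junos-style routing policy against candidate routes.  Added
example, not code from the book.  It models the route-filter match types and
the rule that, within one term, Junos evaluates only the longest-matching
route-filter entry, so you can see what filter_routes does before committing."""
import ipaddress


def _match_type_ok(route_len, entry_len, match_type, arg):
    """Does a route of length route_len satisfy the entry's match type?"""
    if match_type == "exact":
        return route_len == entry_len
    if match_type == "longer":
        return route_len > entry_len
    if match_type == "orlonger":
        return route_len >= entry_len
    if match_type == "upto":                  # arg: maximum prefix length
        return entry_len <= route_len <= arg
    if match_type == "prefix-length-range":   # arg: (low, high)
        return arg[0] <= route_len <= arg[1]
    raise ValueError("unknown match type: %s" % match_type)


def term_matches(route, route_filters):
    """route_filters: [(prefix, match_type, arg)].

    Junos picks the entry whose prefix is the longest one containing the
    route and tests only that entry; a shorter entry that would have matched
    is ignored.  That is the behaviour people get bitten by."""
    route = ipaddress.ip_network(route, strict=False)
    best = None
    for prefix, match_type, arg in route_filters:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version == route.version and route.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, match_type, arg)
    if best is None:
        return False
    net, match_type, arg = best
    return _match_type_ok(route.prefixlen, net.prefixlen, match_type, arg)


def evaluate_policy(terms, route, default_action="accept"):
    """terms: [{'name', 'route_filters', 'action'}] in order.

    Returns (action, term_name).  A term without route filters matches every
    route.  OSPF's default import action is accept, which is why the page's
    filter_routes policy only needs a single reject term."""
    for term in terms:
        filters = term.get("route_filters", [])
        if not filters or term_matches(route, filters):
            return term["action"], term["name"]
    return default_action, None


# The import policy from the Switch C configuration above.
FILTER_ROUTES = [
    {"name": "filter_routes",
     "route_filters": [("20.0.16.0/30", "exact", None)],
     "action": "reject"},
]
```

Note what exact does and does not catch: 20.0.16.0/30 is rejected, but a /31 or /29 covering the same addresses sails through. If the intent is "nothing from that block", orlonger on the covering prefix is the match type to use.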


#### Configure OSPF Interfaces


The first step is to configure the interface:

[edit]
# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/16

and then assign the interface to an OSPF area:

[edit]
# set protocols ospf area 0.0.0.0 interface ge-0/0/0

On a link with exactly one neighbor, declare the interface point-to-point so that no DR/BDR election takes place and the adjacency forms faster:
[edit]
# set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 interface-type p2p


#### Configuring an OSPFv2 Interface on an NBMA Network

1.	The first step is to configure the interface (note the mask; without one Junos assumes /32):
[edit]
# set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24

2.	Then create an OSPF area.
[edit]
# set protocols ospf area 0.0.0.0

3.	Assign the interface to the area as NBMA and list the neighbor explicitly, because there is no broadcast discovery on an NBMA network. In this example, include the eligible keyword to allow the neighbor to be a designated router.
[edit]
# edit protocols ospf area 0.0.0.0
[edit protocols ospf area 0.0.0.0]
# set interface ge-0/0/0 interface-type nbma neighbor 192.0.2.2 eligible

4.	Configure the poll interval, the number of seconds between hellos sent to a neighbor that has gone down.
[edit protocols ospf area 0.0.0.0]
# set interface ge-0/0/0 poll-interval 130


#### Configuring an OSPFv2 Interface on a Point-to-Multipoint Network

1.	To configure an OSPFv2 interface on a point-to-multipoint network you first configure the interface:
[edit]
# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24

2.	Then create the OSPF area and move into its hierarchy:
[edit]
# edit protocols ospf area 0.0.0.0 

3.	Assign the interface to the area as point-to-multipoint and specify each neighbor explicitly, since there is no broadcast discovery:
[edit protocols ospf area 0.0.0.0]
# set interface ge-0/0/0 interface-type p2mp
# set interface ge-0/0/0 neighbor 192.168.1.2


#### Configuring BFD for OSPF

To configure BFD on an OSPF interface (the minimum-interval is in milliseconds; the neighbor is declared down after multiplier consecutive missed packets, here 4 x 300 ms = 1.2 s):
[edit]

# set protocols ospf area 0.0.0.0 interface ge-0/0/1 bfd-liveness-detection minimum-interval 300

# set protocols ospf area 0.0.0.0 interface ge-0/0/1 bfd-liveness-detection multiplier 4

# set protocols ospf area 0.0.0.0 interface ge-0/0/1 bfd-liveness-detection full-neighbors-only 

The full-neighbors-only option starts BFD sessions only with neighbors that have reached Full state. And the show command to verify the BFD session:
user@host> show bfd session detail

#### Multicast Routing (PIM-SM)

On the switch that will act as the rendezvous point (RP), configure the local RP address:
user@switch# set protocols pim rp local address <ip_address>

For all other routers, configure: 
user@switch# set protocols pim rp static address <ip_address>

Any routed interface, including RP interface, that will be routing multicast traffic, needs to be enabled for PIM-SM: 
user@switch# set protocols pim interface <interface_name> mode sparse 

The show pim rps command verifies the RP. Its output gives the RP address, how the RP was learned, the number of active multicast groups, and the group range the RP serves: 
user@switch> show pim rps

The show pim neighbors command validates PIM neighbors: 
user@switch> show pim neighbors

The show multicast route command displays the multicast route for a given multicast group, as well as the multicast source and the upstream and downstream multicast path: 
user@switch> show multicast route

#### Multicast Switching 

For hosts that do not support IGMP, the group membership can be configured manually: 
user@switch# set protocols igmp-snooping vlan <vlan_name> interface <interface_name> static group <multicast_ip_group_address> 

The show igmp-snooping membership command displays the IGMP snooping table the switch has built. The output lists the multicast groups on a per-VLAN basis: 
user@switch> show igmp-snooping membership 
VLAN: v2 

#### Bidirectional Forwarding Detection (BFD)

BFD can also protect a static route, so the route is withdrawn as soon as the next hop stops answering. The traceoptions help when a session will not come up:
user@switch# set routing-options static route <destination> bfd-liveness-detection minimum-interval <value>
user@switch# set protocols bfd traceoptions file bfd-trace 
user@switch# set protocols bfd traceoptions flag all



#### OAM Link-Fault Management (802.3ah) 

First define an action profile that takes the interface down when the 802.3ah adjacency with the far end is lost:
user@switch# set protocols oam ethernet link-fault-management action-profile <action-profile-name> event link-adjacency-loss
user@switch# set protocols oam ethernet link-fault-management action-profile <action-profile-name> action link-down 

Next, enable 802.3ah on the interfaces: 
user@switch# set protocols oam ethernet link-fault-management interface ge-0/1/0.0 link-discovery active 

And the last step is to bind the action profile to the interface: 
user@switch# set protocols oam ethernet link-fault-management interface ge-0/1/0.0 apply-action-profile <action-profile-name>

To verify the link-fault-management state per interface:
user@switch> show oam ethernet link-fault-management 
Interface: ge-0/0/23.0 


#### Configuring BGP

Internal BGP session:

Here is the CLI to configure IBGP between three switches, A, B and C. The sessions peer between loopback addresses, with OSPF providing reachability between the loopbacks:

Switch A:

# set interfaces ge-0/1/0 unit 0 description to-B
# set interfaces ge-0/1/0 unit 0 family inet address 20.20.20.1/30
# set interfaces lo0 unit 1 family inet address 192.168.6.2/32
# set protocols bgp group internal-peers type internal
# set protocols bgp group internal-peers description "connections to B and C"
# set protocols bgp group internal-peers local-address 192.168.6.2
# set protocols bgp group internal-peers export send-direct
# set protocols bgp group internal-peers neighbor 192.167.6.3
# set protocols bgp group internal-peers neighbor 192.166.6.4
# set protocols ospf area 0.0.0.0 interface lo0.1 passive
# set protocols ospf area 0.0.0.0 interface ge-0/1/0.0
# set policy-options policy-statement send-direct term 2 from protocol direct
# set policy-options policy-statement send-direct term 2 then accept
# set routing-options router-id 192.168.6.2
# set routing-options autonomous-system 20

Device B
# set interfaces ge-0/1/0 unit 0 description to-A
# set interfaces ge-0/1/0 unit 0 family inet address 20.20.20.2/30
# set interfaces ge-0/1/1 unit 0 description to-C
# set interfaces ge-0/1/1 unit 0 family inet address 20.20.20.5/30
# set interfaces lo0 unit 2 family inet address 192.167.6.3/32
# set protocols bgp group internal-peers type internal
# set protocols bgp group internal-peers description "connections to A and C"
# set protocols bgp group internal-peers local-address 192.167.6.3
# set protocols bgp group internal-peers export send-direct
# set protocols bgp group internal-peers neighbor 192.168.6.2
# set protocols bgp group internal-peers neighbor 192.166.6.4
# set protocols ospf area 0.0.0.0 interface lo0.2 passive
# set protocols ospf area 0.0.0.0 interface ge-0/1/0.0
# set protocols ospf area 0.0.0.0 interface ge-0/1/1.0
# set policy-options policy-statement send-direct term 2 from protocol direct
# set policy-options policy-statement send-direct term 2 then accept
# set routing-options router-id 192.167.6.3
# set routing-options autonomous-system 20

Device C
# set interfaces ge-0/1/0 unit 0 description to-B
# set interfaces ge-0/1/0 unit 0 family inet address 20.20.20.6/30
# set interfaces lo0 unit 3 family inet address 192.166.6.4/32
# set protocols bgp group internal-peers type internal
# set protocols bgp group internal-peers description "connections to A and B"
# set protocols bgp group internal-peers local-address 192.166.6.4
# set protocols bgp group internal-peers export send-direct
# set protocols bgp group internal-peers neighbor 192.168.6.2
# set protocols bgp group internal-peers neighbor 192.167.6.3
# set protocols ospf area 0.0.0.0 interface lo0.3 passive
# set protocols ospf area 0.0.0.0 interface ge-0/1/0.0
# set policy-options policy-statement send-direct term 2 from protocol direct
# set policy-options policy-statement send-direct term 2 then accept
# set routing-options router-id 192.166.6.4
# set routing-options autonomous-system 20


You can use the "show interfaces", "show policy-options", "show protocols" and "show routing-options" commands in configuration mode to confirm your configuration.

user@C# show interfaces
user@C# show policy-options

You can use the "show bgp neighbor" command to make sure peering is up between the switches:


user@A> show bgp neighbor
Peer: 192.167.6.3+179 AS 20    Local: 192.168.6.2+58852 AS 20  
  Type: Internal    State: Established    Flags: Sync
...


#### Configuring Exterior BGP

Switch A (AS 20) peers externally with Switch B (AS 80) and Switch C (AS 22). For EBGP the peer address is the directly connected interface address, so no loopbacks or IGP are needed:

Switch A:

# set interfaces ge-1/2/0 unit 0 description to-B 
# set interfaces ge-1/2/0 unit 0 family inet address 30.30.30.1/30 
# set interfaces ge-0/0/1 unit 0 description to-C
# set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/30 
# set protocols bgp group external-peers type external 
# set protocols bgp group external-peers neighbor 30.30.30.2 peer-as 80
# set protocols bgp group external-peers neighbor 20.20.20.2 peer-as 22
# set routing-options autonomous-system 20
# set policy-options policy-statement send-direct term 1 from protocol direct
# set policy-options policy-statement send-direct term 1 then accept


Switch B: 

# set interfaces ge-1/2/0 unit 0 description to-A
# set interfaces ge-1/2/0 unit 0 family inet address 30.30.30.2/30 
# set protocols bgp group external-peers type external 
# set protocols bgp group external-peers neighbor 30.30.30.1 peer-as 20
# set routing-options autonomous-system 80
# set policy-options policy-statement send-direct term 1 from protocol direct
# set policy-options policy-statement send-direct term 1 then accept

Switch C: 

# set interfaces ge-1/2/0 unit 0 description to-A 
# set interfaces ge-1/2/0 unit 0 family inet address 20.20.20.2/30 
# set protocols bgp group external-peers neighbor 20.20.20.1 peer-as 20
# set routing-options autonomous-system 22
# set policy-options policy-statement send-direct term 1 from protocol direct
# set policy-options policy-statement send-direct term 1 then accept

Two things to check before relying on this. The send-direct policy is only defined on each switch; until it is applied to the group with the same export statement used in the IBGP example, no direct routes are advertised. And none of these sessions are authenticated; on a peering you do not fully control, add an authentication-key to the group or neighbor so a forged TCP session cannot inject routes.


#### Chapter 10
#### Configuring EX Series System 
#### Configuring LOCAL USERS

First let’s look at an existing local user account, and then build a user named LAB with a password of Juniper123. A quick show command lists what is already configured:
switch1# show | display set | match user 
set system login user junspace uid 2000
set system login user junspace class super-user
set system login user junspace authentication encrypted-password "$5$TYz4tAbe$e8FfaEVoIltX5XmBolayuiSNZK73wxjs/dfDXKeA6Z0"

The normal ASCII output of the show command (the $5$ prefix marks a SHA-256 crypt hash; the plain-text password is never stored, and Junos tags the line as SECRET-DATA):
switch1# show system login         
user junspace {
    uid 2000;
    class super-user;
    authentication {
        encrypted-password "$5$TYz4tAbe$e8FfaEVoIltX5XmBolayuiSNZK73wxjs/dfDXKeA6Z0"; ## SECRET-DATA
    }
}

Let’s go ahead and create our user and give them a limited login class. The super-user class has all permissions, which is effectively root, so it should be the exception rather than the default. Using context-sensitive help, you can see that there are four built-in classes:
switch1# set system login user LAB class ?
Possible completions:
  <class>              Login class
  operator             permissions [ clear network reset trace view ]
  read-only            permissions [ view ]
  super-user           permissions [ all ]
  unauthorized         permissions [ none ]

Let’s give our LAB user class read-only and then see if we can use that account to edit the configuration:
switch1# set system login user LAB class read-only authentication plain-text-password 
New password: 
Retype new password: 

{master:0}[edit]
switch1# show | compare 
[edit system login]
+    user LAB {
+        class read-only;
+        authentication {
+            encrypted-password "$5$sVprU.Wk$BpsoZzuuf.sPXQj6gQacJY8hBeFD7WOiS2ZRO3O9hQ8"; ## SECRET-DATA
+        }
+    }

{master:0}[edit]
switch1# commit 
configuration check succeeds
commit complete

switch1# show | display set | match LAB 
set system login user LAB uid 2002
set system login user LAB class read-only
set system login user LAB authentication encrypted-password "$5$sVprU.Wk$BpsoZzuuf.sPXQj6gQacJY8hBeFD7WOiS2ZRO3O9hQ8"

TIP	Since Junos is built on FreeBSD, usernames are case sensitive just like commands and file names. If you tried logging in with lab or Lab it would fail because our user is all upper-case LAB. Logging in as LAB and trying to enter configuration mode shows the read-only class at work:  
$ ssh LAB@192.168.2.6 
Password:
--- Junos 15.1X53-D51 Kernel 32-bit  JNPR-11.0-20160921.337570_build
{master:0}
switch1> edit
             ^
unknown command. 

switch1> show configuration                  
version /* ACCESS-DENIED */;
system { /* ACCESS-DENIED */ };
chassis { /* ACCESS-DENIED */ };
...

{master:0}
switch1> show route 
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.2.0/24     *[Direct/0] 00:00:00	> via irb.2
192.168.2.6/32     *[Local/0] 00:00:00	Local via irb.2
192.168.5.0/24     *[Static/5] 00:00:00	> to 192.168.2.1 via irb.2
	
{master:0}
switch1> show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   eth-switch
	…
{master:0}
switch1> show cli authorization 
Current user: 'LAB         ' class 'read-only'
Permissions:
    view        -- Can view current values and statistics
Individual command authorization:
    Allow regular expression: none
    Deny regular expression: none
    Allow configuration regular expression: none
    Deny configuration regular expression: none

To let the automation host log in as LAB with an SSH key instead of a password, first log in to that host (192.168.2.5), generate a key pair there, and read the public key:
$ ssh 192.168.2.5 -l LAB
192.168.2.5's password: 

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
...


[AUTOMATE ~]$ cat .ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4Zll4iKukuS52ds5cXKE4cvC4tdn7ktB5feIXy48s/uscZGOphCIWEJQzp696y/JWYRpU1GAgImZZPbedC2w6wcqC34YTSf1OpcK81C7xBhmcnAp6DQmjzh5Amim7bo/bjuKhATNxYhwymaWCBpv6bzUkBQmHcxmGjEAep4zdgbQrte/im1p6od//1AfOEu/nhOktmeywY7YM4DT1QOXVVL9TFXYB701t1KMUtwjZdL5JLlQk2RjtFkJCIXtvmfkwD1UW3AllJa51+mOERds+/spiwbQZy0Z7yukxTCKflWec6hI/Bvrd62yQ2pkgdRreGzZtoueiiIXMAYNdcz3P AUTOMATE

Then, on the switch, paste the whole line (key type, key and comment) into the LAB user’s authentication. The value is quoted so the spaces survive; a key that got wrapped or lost characters on the way will simply never match at login:
switch1> edit 
Entering configuration mode

switch1# set system login user LAB authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4Zll4iKukuS52ds5cXKE4cvC4tdn7ktB5feIXy48s/uscZGOphCIWEJQzp696y/JWYRpU1GAgImZZPbedC2w6wcqC34YTSf1OpcK81C7xBhmcnAp6DQmjzh5Amim7bo/bjuKhATNxYhwymaWCBpv6bzUkBQmHcxmGjEAep4zdgbQrte/im1p6od//1AfOEu/nhOktmeywY7YM4DT1QOXVVL9TFXYB701t1KMUtwjZdL5JLlQk2RjtFkJCIXtvmfkwD1UW3AllJa51+mOERds+/spiwbQZy0Z7yukxTCKflWec6hI/Bvrd62yQ2pkgdRreGzZtoueiiIXMAYNdcz3P AUTOMATE"

Logging in from the automation host now succeeds without a password prompt:
[AUTOMATE ~]$ ssh 192.168.2.6
Last login: Sat May  6 03:42:58 2017 from 192.168.2.5
--- Junos 15.1X53-D51 Kernel 32-bit  JNPR-11.0-20160921.337570_build
{master:0}
switch1>
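A key that was wrapped, or had characters dropped, somewhere between cat and the paste gives no useful error on the switch: the login just falls through to the password prompt. It is cheaper to validate the line on the workstation first. The following is an added example, not code from the book: it decodes the key blob’s SSH wire format (RFC 4253 length-prefixed fields), confirms the type prefix matches the blob, reports the RSA modulus size, and rejects anything it cannot fully parse. MIN_RSA_BITS is a policy choice made here, and the sample key is constructed from integers so the check runs offline.

```python
"""Check an OpenSSH public key line before pasting it into
'set system login user <name> authentication ssh-rsa "..."'.  Added example,
not code from the book.  It decodes the blob's SSH wire format (RFC 4253
'string' fields: uint32 length + bytes) so a wrapped, truncated or mistyped
paste is caught on the workstation.  MIN_RSA_BITS is a local policy choice,
not something the switch enforces."""
import base64
import binascii
import struct

MIN_RSA_BITS = 2048


def _read_string(blob, pos):
    """Read one RFC 4253 'string' from blob at pos; return (bytes, new_pos)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated length field at offset %d" % pos)
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("field length %d runs past end of blob" % length)
    return blob[pos:pos + length], pos + length


def parse_pubkey(line):
    """Parse '<type> <base64> [comment]'; return {'type', 'bits', 'comment'}."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64, comment = parts[0], parts[1], " ".join(parts[2:])
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("blob is not valid base64: %s" % exc)
    wire_type, pos = _read_string(blob, 0)
    if wire_type != keytype.encode("ascii"):
        raise ValueError("prefix %r but blob says %r" % (keytype, wire_type))
    if keytype == "ssh-rsa":
        _e, pos = _read_string(blob, pos)            # public exponent (mpint)
        n, pos = _read_string(blob, pos)             # modulus (mpint)
        bits = int.from_bytes(n, "big").bit_length()
    elif keytype == "ssh-ed25519":
        pk, pos = _read_string(blob, pos)
        if len(pk) != 32:
            raise ValueError("ed25519 key must be 32 bytes")
        bits = 256
    else:
        raise ValueError("unsupported key type %s" % keytype)
    if pos != len(blob):
        raise ValueError("%d trailing bytes after key fields" % (len(blob) - pos))
    return {"type": keytype, "bits": bits, "comment": comment}


def check_pubkey(line, min_rsa_bits=MIN_RSA_BITS):
    """Return a list of problems; an empty list means the line is safe to paste."""
    try:
        info = parse_pubkey(line)
    except ValueError as exc:
        return ["unparseable: %s" % exc]
    problems = []
    if info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits:
        problems.append("RSA modulus is %d bits, below %d" % (info["bits"], min_rsa_bits))
    return problems


def make_rsa_pubkey_line(n, e=65537, comment="AUTOMATE"):
    """Build a structurally valid ssh-rsa line from integers.  Constructed test
    input only: n is a number of the right size, not a real RSA modulus."""
    def mpint(x):
        raw = x.to_bytes(x.bit_length() // 8 + 1, "big")   # extra byte keeps sign bit clear
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)
```

Every well-formed ssh-rsa line with the default exponent starts with AAAAB3NzaC1yc2EAAAADAQAB, which is the encoded type string and exponent; if the line you are about to paste does not, something was lost in transit. Run check_pubkey over the contents of id_rsa.pub and only paste lines that come back clean.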

#### Configuring RADIUS

Here is a working RADIUS configuration, viewed from a session that was itself authenticated by RADIUS:
$ ssh labuser1@192.168.56.11
labuser1@VEX1> show configuration | display set | match radius
set system authentication-order radius
set system radius-server 192.168.56.1 secret "$9$COIylMNdsEcds24DjCtuOEcrevL7-"
set system radius-server 192.168.56.1 retry 3
set system radius-server 192.168.56.1 source-address 192.168.56.11
set system radius-options password-protocol mschap-v2
set system radius-options attributes nas-ip-address 192.168.56.11
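The secret above is stored as a $9$ string. That is not a hash: $9$ is a reversible obfuscation with no key, so anyone who can read the configuration (show configuration, a backup, a config pasted into a ticket) can recover the RADIUS shared secret, and the same goes for the tacplus secret and the ntp authentication-key value configured later in this chapter. The following is an added example, not code from the book: a from-scratch encoder and decoder of the well-known $9$ scheme, plus a scanner over display-set output. The sample configuration it scans is constructed here with secrets it encoded itself.

```python
"""Junos $9$ secrets are obfuscated, not hashed.  Added example, not code
from the book: a from-scratch implementation of the well-known $9$ scheme
(the one Crypt::Juniper and junosdecode implement) and a scanner that pulls
every $9$ value out of 'display set' output and decodes it."""
import random
import re

MAGIC = "$9$"
FAMILY = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LXx",
          "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
ALPHABET = "".join(FAMILY)                                   # 65 symbols
ALPHA_NUM = {c: i for i, c in enumerate(ALPHABET)}
# The first character after $9$ is a salt; its family says how many random
# filler characters follow it (3, 2, 1 or 0) before the real data starts.
FILLER_LEN = {c: 3 - fam for fam, chars in enumerate(FAMILY) for c in chars}
# Plaintext byte i is split into mixed-radix digits by ENCODING[i % 7]; each
# digit is then stored as the gap between consecutive alphabet symbols.
ENCODING = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64],
            [1, 32], [1, 4, 16, 128], [1, 32, 64]]


def _gap(prev, cur):
    return (ALPHA_NUM[cur] - ALPHA_NUM[prev]) % len(ALPHABET) - 1


def decode_9(secret):
    """Recover the plaintext of a $9$ secret.  No key is involved."""
    if not secret.startswith(MAGIC):
        raise ValueError("not a $9$ secret")
    body = secret[len(MAGIC):]
    prev = body[0]
    body = body[1 + FILLER_LEN[prev]:]            # skip salt and filler
    out = []
    while body:
        moduli = ENCODING[len(out) % len(ENCODING)]
        nibble, body = body[:len(moduli)], body[len(moduli):]
        if len(nibble) != len(moduli):
            raise ValueError("truncated $9$ secret")
        value = 0
        for c, mod in zip(nibble, moduli):
            value += _gap(prev, c) * mod
            prev = c
        out.append(chr(value % 256))
    return "".join(out)


def encode_9(plain, salt=None, rng=random):
    """Produce a $9$ secret the way the CLI does when you type a plain secret."""
    salt = salt or rng.choice(ALPHABET)
    out = [MAGIC, salt, "".join(rng.choice(ALPHABET) for _ in range(FILLER_LEN[salt]))]
    prev = salt
    for i, ch in enumerate(plain):
        if ord(ch) > 255:
            raise ValueError("only single-byte characters can be encoded")
        moduli = ENCODING[i % len(ENCODING)]
        value, digits = ord(ch), []
        for mod in reversed(moduli):               # mixed-radix split, least significant first
            digits.insert(0, value // mod)
            value %= mod
        for d in digits:
            prev = ALPHABET[(ALPHA_NUM[prev] + 1 + d) % len(ALPHABET)]
            out.append(prev)
    return "".join(out)


SECRET_RE = re.compile(r'"?(\$9\$[^"\s]+)"?')


def recover_secrets(display_set_text):
    """[(statement without its value, plaintext)] for every $9$ value found."""
    found = []
    for line in display_set_text.splitlines():
        m = SECRET_RE.search(line)
        if m:
            found.append((line[:m.start()].rstrip(), decode_9(m.group(1))))
    return found


# Constructed sample in 'display set' form, using secrets encoded above.
SAMPLE_CONFIG = "\n".join([
    "set system authentication-order radius",
    'set system radius-server 192.168.56.1 secret "%s"'
    % encode_9("JUNIPER123", salt="C", rng=random.Random(7)),
    'set system ntp authentication-key 1 value "%s"'
    % encode_9("ntp-key-1", salt="h", rng=random.Random(7)),
])
```

Run decode_9 on a $9$ string from your own switch to see how little it protects. User passwords are different: the $5$ and $6$ encrypted-password values are one-way hashes. Shared secrets have to be recoverable by the device, so the only real protection is controlling who can read the configuration and its backups.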

RADIUS only authenticates the user; the permissions come from a local template account. If the server returns a Juniper-Local-User-Name attribute, the local user of that name is used as the template; otherwise the account named remote is used. Here the template is remote-su, which starts out as super-user:
# set system login user remote-su uid 2002
# set system login user remote-su class super-user

To create a class with only specific permissions and apply that to a specific user in a RADIUS configuration takes just a few steps. Let’s say you wanted to create a VIEW-ONLY class with read permissions for interface, firewall, network, and SNMP. The configuration would look like the following:
# set system login class VIEW-ONLY permissions firewall
# set system login class VIEW-ONLY permissions interface
# set system login class VIEW-ONLY permissions network
# set system login class VIEW-ONLY permissions snmp

Now let’s apply this class to the remote-su account instead of the super-user class:
# set system login user remote-su class VIEW-ONLY
# commit

Using our RADIUS login of labuser1 we should now see a different set of authorized commands than we had previously seen as super-user:
labuser1@EX2300-16> show cli   
					^
syntax error, expecting <command>.
labuser1@EX2300-16> show ?
Possible completions:
  firewall             Show firewall information
  host                 Show hostname information from domain name server
  interfaces           Show interface information
  multicast            Show multicast information
  policer              Show interface policer counters and information
		
labuser1@EX2300-16> edit    
              			 ^
unknown command.

Now tighten the class further. Even when the class holds the all permission you can carve out exceptions with regular expressions: deny-commands blocks operational commands, and deny-configuration-regex blocks whole configuration hierarchies. Adding all to the permission list grants everything, so from here on the regexes are what limit the user:
[edit]
# set system login class VIEW-ONLY permissions all deny-commands "^show interfaces" 
# set system login class VIEW-ONLY permissions all deny-configuration-regex [ "interfaces" "protocols" "system" ]

Once this is committed let’s log out and log back in with the LAB account, then do a quick show cli authorization output to see that our deny commands and deny-configuration-regex are there just like we configured it:
EX2300-16> show cli authorization    
Current user: 'LAB         ' class 'VIEW-ONLY'
Permissions:
…

Now let’s test to see if our regular expressions will stop our LAB user from actually issuing those commands.
EX2300-16> show int   
               			   ^
syntax error, expecting <command>.
 EX2300-16> edit 
Entering configuration mode
[edit]
 EX2300-16# set int
              		^
syntax error.
 EX2300-16# set protocols
              		^
syntax error.
[edit]
 EX2300-16# set syste
              		^
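It is worth reasoning about a class before committing it, and before a RADIUS or TACACS+ user lands in it as their template. The following is an added example, not code from the book: it models the decision Junos makes, permission flags first and then the deny-commands regex for operational commands, and the configure flag plus deny-configuration-regex for configuration statements, then checks the read-only LAB user and both versions of VIEW-ONLY from this chapter. The table of which flags satisfy which command family is an assumption made for the demo (Junos keeps its own), and commands are given in full; the real CLI expands abbreviations such as show int before it checks them.

```python
"""Dry-run a Junos login class before committing it.  Added example, not
code from the book.  Models the decision order Junos uses: an operational
command needs a permission flag the command accepts and must not match any
deny-commands regex; a configuration statement needs the configure flag and
its hierarchy path must not match any deny-configuration-regex.  NEEDS_ANY
(which flags satisfy which command family) is an assumption for this demo."""
import re

BUILTIN_CLASSES = {
    "operator": {"clear", "network", "reset", "trace", "view"},
    "read-only": {"view"},
    "super-user": {"all"},
    "unauthorized": set(),
}

# Assumed: holding any one of the listed flags lets the command family run.
NEEDS_ANY = {
    "show interfaces": {"view", "interface"},
    "show firewall": {"view", "firewall"},
    "show snmp": {"view", "snmp"},
    "show host": {"view", "network"},
    "show route": {"view"},
    "show configuration": {"view"},
    "show cli": {"view"},
    "clear": {"clear"},
    "edit": {"configure"},
    "configure": {"configure"},
    "request system reboot": {"reset"},
}


def _accepted_flags(command):
    """Flags that satisfy `command`, using the longest matching family prefix."""
    best = None
    for prefix, flags in NEEDS_ANY.items():
        if command == prefix or command.startswith(prefix + " "):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, flags)
    return best[1] if best else set()


class LoginClass:
    def __init__(self, name, permissions, deny_commands=(), deny_configuration=()):
        self.name = name
        self.permissions = set(permissions)
        self.deny_commands = [re.compile(r) for r in deny_commands]
        self.deny_configuration = [re.compile(r) for r in deny_configuration]

    def has_any(self, flags):
        return "all" in self.permissions or bool(self.permissions & set(flags))

    def may_run(self, command):
        """Operational mode: permission flag first, then the deny regexes."""
        if not self.has_any(_accepted_flags(command)):
            return False
        return not any(rx.search(command) for rx in self.deny_commands)

    def may_configure(self, statement):
        """Configuration mode: needs 'configure'; the regex is tested against
        the hierarchy path after the verb (set/delete/...), as Junos does."""
        if not self.has_any({"configure"}):
            return False
        verb, _, path = statement.partition(" ")
        if verb not in ("set", "delete", "edit", "activate", "deactivate", "show"):
            return False
        return not any(rx.search(path) for rx in self.deny_configuration)


def builtin(name):
    return LoginClass(name, BUILTIN_CLASSES[name])
```

The same object can be built straight from a class definition in display-set output, which makes it easy to answer "what can this template user still change?" for every class on a box before an audit asks.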

Here is a quick example of logging accounting to a RADIUS server:
EX3400-10_11-VC# set system accounting events [change-log interactive-commands login] destination radius server 172.16.0.17 secret JUNIPER123


#### Configuring TACACS+

For the lab environment, we loaded tac_plus-4.0.4.26-1.el6.nux.x86_64.rpm on CentOS 7. The same user (labuser1, password labP@$$1) is defined in the /etc/tac_plus.conf file. 
$ sudo rpm -ivh tac_plus-4.0.4.26-1.el6.nux.x86_64.rpm 
[sudo] password for labuser: 
warning: tac_plus-4.0.4.26-1.el6.nux.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 85c6cd8a: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:tac_plus-4.0.4.26-1.el6.nux      ################################# [100%]

Note the NOKEY warning: rpm could not verify the package signature because the signing key is not imported, so this install ran on trust alone. For anything beyond a throwaway lab, import the repository’s signing key (rpm --import) and make sure the signature check passes before installing a third-party authentication server.

Hash the password with tac_pwd. This is a traditional DES crypt() hash, weak by today’s standards, so keep tac_plus.conf readable only by root and avoid short passwords:
# tac_pwd
Password to be encrypted: labP@$$1
tfIupE.ZfiQK2

# vi tac_plus.conf 
key = "JUNIPER123"
accounting file = /var/log/tac.log
user = labuser1 {
	#login = cleartext labP@$$1
          login = des tfIupE.ZfiQK2
	service = junos-exec {
               	local-user-name = remote-su
	    }
}

# service tac_plus start
Starting tac_plus (via systemctl):                         [  OK  ]

Now let’s focus on the Junos configuration to support a tacplus server.  Log into your Junos device and add the following commands to configure tacplus. For this example, let’s use the EX4600 VC consisting of EX4600-4/5:
$ ssh 172.16.0.4
Password:
--- Junos 14.1X53-D40.8 built 2016-11-09 02:13:22 UTC
{master:0}
EX4600-4_5-VC> edit 
Entering configuration mode
{master:0}[edit]
EX4600-4_5-VC# set system authentication-order [tacplus password ]

With password listed after tacplus, a login that the TACACS+ server actively rejects is tried again against the local password database, which undercuts the central policy. If local passwords should only be a fallback for when no server answers, leave password out of the list: Junos falls back to local authentication on its own when every configured server is unreachable.

{master:0}[edit]
EX4600-4_5-VC# set system tacplus-server 172.16.0.17 secret "JUNIPER123"

{master:0}[edit]
EX4600-4_5-VC# set system tacplus-server 172.16.0.17 port 49 
{master:0}[edit]
EX4600-4_5-VC# set system tacplus-server 172.16.0.17 source-address 172.16.0.4

{master:0}[edit]
EX4600-4_5-VC# set system login user remote-su class super-user

{master:0}[edit]
EX4600-4_5-VC# commit and-quit 
fpc0: 
configuration check succeeds
fpc1: 
commit complete
fpc0: 
commit complete
Exiting configuration mode

$ ssh labuser1@172.16.0.4
Password: 
--- Junos 14.1X53-D40.8 built 2016-11-09 02:13:22 UTC
{master:0}
labuser1@EX4600-4_5-VC>

#### Configuring Syslog

The rsyslog package is available from the yum repository; search for it with:
$ sudo yum search rsyslog

And then to install rsyslog on the server using the yum repository simply install it like this:
$ sudo yum install rsyslog

To start the syslog daemon in CentOS 7 just start the service like so:
$ sudo service rsyslog start
Redirecting to /bin/systemctl start  rsyslog.service

$ sudo service rsyslog status
Redirecting to /bin/systemctl status  rsyslog.service
 rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2017-05-19 13:44:08 CDT; 12s ago
 Main PID: 30756 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─30756 /usr/sbin/rsyslogd -n

Now let’s get to the fun stuff and configure our Junos devices for syslog using local1 as our facility. The following basic configuration overrides the facility to local1 and sends specific information off-box via UDP/514 to our syslog server. Plain syslog over UDP is neither authenticated nor encrypted, so keep the collector on a management network you trust, and note that source-address is what makes the messages arrive from the address the collector expects:
# set system syslog host 172.16.0.17 facility-override local1
# set system syslog host 172.16.0.17 log-prefix EX4300-6
# set system syslog host 172.16.0.17 source-address 172.16.0.6
# set system syslog host 172.16.0.17 kernel info
# set system syslog host 172.16.0.17 interactive-commands any
# set system syslog host 172.16.0.17 structured-data
# commit comment "adding syslog configuration to the device//SER"
# exit

Local log files are configured separately. Here messages gets everything at notice and above except authorization events, which go to a dedicated User-Auth file together with every command users type, so an audit trail survives on the box even when the remote collector is down:
# set system syslog file messages any notice
# set system syslog file messages authorization none
# set system syslog file interactive-commands interactive-commands any
# set system syslog file default-log-messages any any
# set system syslog file default-log-messages structured-data
# set system syslog file User-Auth authorization any
# set system syslog file User-Auth interactive-commands any
# set system syslog console any any

> show log messages?  
Possible completions:
  <filename>           Name of log file
  messages             Size: 205369, Last changed: May 20 15:39:30
  messages.0.gz        Size: 29312, Last changed: May 18 22:15:00
  messages.1.gz        Size: 35085, Last changed: May 10 02:30:00
  messages.2.gz        Size: 35029, Last changed: May 01 13:00:00
  messages.3.gz        Size: 54145, Last changed: Apr 20 03:45:00

The messages log shows that this device is not syncing with the NTP server, so we need to take a look. 
> show ntp associations 
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
 192.168.2.5      .NKEY.          16 -    -   64    0    0.000    0.000 4000.00

The messages log was right to flag this; without it the failure could have gone unnoticed and caused problems later. A .NKEY. refid means the server’s key is missing or not trusted, which usually points to a missing trusted-key statement, so let’s check:
> show configuration | display set | match ntp 
set system ntp boot-server 192.168.2.5
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$hG5yeM7-boJUfT1EcyvMaJGDqm5QF/Ap"
set system ntp server 192.168.2.5 key 1
set system ntp source-address 192.168.2.6
Sure enough, we are missing the trusted-key statement so let’s put it in there and see what happens:
# set system ntp trusted-key 1 
[edit]
# commit and-quit 
configuration check succeeds
commit complete
Exiting configuration mode

> show ntp associations 
   remote         refid           st t when poll reach   delay   offset  jitter
==================================================================
 192.168.2.5      66.96.99.10      3 -    1   64    1    4.385  -14.946   0.007

> show ntp associations    
   remote         refid           st t when poll reach   delay   offset  jitter
==================================================================
*192.168.2.5      66.96.99.10      3 -    9   64    3    3.428  -15.455   0.472
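The association table packs a lot into a few columns: the tally character in front of the address, the refid (an upstream address or a dotted kiss code such as .NKEY.), and reach, which is an octal shift register of the last eight polls. The following is an added example, not code from the book: it parses the table and turns each row into a one-line verdict, using the three states seen above as its sample. The kiss-code descriptions are the standard ntpd ones.

```python
"""Read 'show ntp associations' and say why a peer is not (yet) usable.  Added
example, not code from the book; the sample rows are the three states seen
above.  KISS lists the standard ntpd kiss codes that appear in the refid
column in place of an address."""
import re

ROW = re.compile(
    r"^(?P<tally>[ *+\-x.#o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+(?P<t>\S)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]{1,3})\s+(?P<delay>-?[\d.]+)\s+"
    r"(?P<offset>-?[\d.]+)\s+(?P<jitter>[\d.]+)\s*$")
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier", "x": "falseticker",
         ".": "excess", "#": "backup", "o": "pps peer", " ": "not selected"}
KISS = {
    ".NKEY.": "no key: the key is missing or not listed under ntp trusted-key",
    ".AUTH.": "authentication failed: key value mismatch",
    ".INIT.": "association not yet initialised",
    ".STEP.": "clock step in progress",
    ".RATE.": "server asked us to slow down (rate limit)",
    ".DENY.": "server refuses us (access denied)",
}

SAMPLE = """\
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
 192.168.2.5      .NKEY.          16 -    -   64    0    0.000    0.000 4000.00
 192.168.2.5      66.96.99.10      3 -    1   64    1    4.385  -14.946   0.007
*192.168.2.5      66.96.99.10      3 -    9   64    3    3.428  -15.455   0.472
"""


def parse_associations(text):
    """One dict per association row; header and ruler lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["st"] = int(p["st"])
        p["reach"] = int(p["reach"], 8)          # octal: bit set = poll answered
        p["reach_ok"] = bin(p["reach"]).count("1")
        p["selected"] = p["tally"] == "*"
        peers.append(p)
    return peers


def diagnose(peer):
    """Single-line verdict for one association, most specific reason first."""
    if peer["refid"] in KISS:
        return "%s: %s" % (peer["remote"], KISS[peer["refid"]])
    if peer["st"] == 16:
        return "%s: unsynchronised (stratum 16)" % peer["remote"]
    if peer["reach"] == 0:
        return "%s: no reply to any of the last 8 polls" % peer["remote"]
    if not peer["selected"]:
        return "%s: reachable (%d/8 polls answered), not yet chosen as system peer (%s)" % (
            peer["remote"], peer["reach_ok"], TALLY[peer["tally"]])
    return "%s: synchronised, stratum %d, offset %s ms" % (
        peer["remote"], peer["st"], peer["offset"])
```

The ordering in diagnose matters: the .NKEY. row also shows stratum 16 and reach 0, but the kiss code is the actual cause, and reporting "unreachable" there would send you chasing firewalls instead of the trusted-key statement.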

> show system uptime   
fpc0:
--------------------------------------------------------------------------
Current time: 2017-05-20 16:05:32 UTC
Time Source:  NTP CLOCK 
System booted: 2017-04-20 02:05:36 UTC (4w2d 13:59 ago)
Protocols started: 2017-04-20 02:08:29 UTC (4w2d 13:57 ago)
Last configured: 2017-05-20 16:01:08 UTC (00:04:24 ago) by user
 4:05PM  up 30 days, 14 hrs, 1 users, load averages: 0.41, 0.44, 0.40

> show log messages | match ntp
May 20 15:26:25  switch1 xntpd[18569]: NTP Server 192.168.2.5 is Unreachable
May 20 15:43:31  switch1 xntpd[18569]: NTP Server 192.168.2.5 is Unreachable
May 20 16:06:59  switch1 xntpd[18569]: ntpd 4.2.0-a Fri Sep 23 12:29:28  2016 (1)
May 20 16:07:12  switch1 xntpd[18569]: kernel time sync enabled 2001

To watch the messages file live, stop any previous monitor and start a new one:
EX3400-10_11-VC> monitor stop 
EX3400-10_11-VC> monitor start messages
May 20 12:29:31  EX3400-10_11-VC rpd[2921]: EVENT <UpDown> xe-0/2/2.0 index 557 <Broadcast Multicast> address #0 30.b6.4f.c6.27.22
May 20 12:29:31  EX3400-10_11-VC rpd[2921]: RPD_OSPF_NBRDOWN: OSPF neighbor 10.1.0.0 (realm ospf-v2 xe-0/2/2.0 area 0.0.0.0) state changed from Full to Down due to KillNbr (event reason: local router ID changed)
May 20 12:29:31  EX3400-10_11-VC rpd[2921]: EVENT UpDown xe-0/2/2.0 index 557 10.1.0.1/31 -> zero-len <Broadcast Multicast Localup>
May 20 12:29:31  EX3400-10_11-VC rpd[2921]: RPD_OSPF_NBRDOWN: OSPF neighbor 10.1.0.7 (realm ospf-v2 xe-1/2/1.0 area 0.0.0.0) state changed from Full to Down due to KillNbr (event reason: local router ID changed)
May 20 12:29:31  EX3400-10_11-VC rpd[2921]: EVENT <UpDown> xe-0/2/2 index 700 <Broadcast Multicast> address #0 30.b6.4f.c6.27.22
May 20 12:29:31  EX3400-10_11-VC rpd[2921]: STP handler: IFD=xe-0/2/2, op=change, state=Discarding, Topo change generation=0
May 20 12:29:31  EX3400-10_11-VC rpd[2921]: *STP Change*, notify to other modules
May 20 12:29:31  EX3400-10_11-VC mib2d[2920]: SNMP_TRAP_LINK_DOWN: ifIndex 597, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/2/2
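Lines like these are what the collector receives, in one of two shapes: the classic text form shown above, or the RFC 5424 form selected by the structured-data statement, in which the tag and key="value" parameters are machine-readable. The following is an added example, not code from the book: a parser that handles both shapes and a small watch list that picks out link, OSPF, commit and login events. The classic sample lines are taken from the output above; the structured-data lines and their parameters are constructed for the demo (2636 is Juniper’s enterprise number, the rest of the SD-ID is illustrative).

```python
"""Parse Junos syslog lines in both shapes the configuration above can
produce: the classic text form seen in 'monitor start messages' and the
RFC 5424 form selected by 'structured-data'.  Added example, not code from
the book.  Classic sample lines are from the page; the structured-data lines
and their SD parameters are constructed for the demo."""
import re

CLASSIC = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) +(?P<host>\S+) +"
    r"(?P<proc>[\w.-]+)(?:\[(?P<pid>\d+)\])?: +(?:(?P<tag>[A-Z][A-Z0-9_]+): +)?(?P<msg>.*)$")
STRUCTURED = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<pid>\S+) "
    r"(?P<tag>\S+) (?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$")
SD_PARAM = re.compile(r'([\w.-]+)="((?:[^"\\]|\\.)*)"')
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "info", "debug"]

SAMPLE = """\
May 20 12:29:31  EX3400-10_11-VC rpd[2921]: EVENT <UpDown> xe-0/2/2.0 index 557 <Broadcast Multicast> address #0 30.b6.4f.c6.27.22
May 20 12:29:31  EX3400-10_11-VC rpd[2921]: RPD_OSPF_NBRDOWN: OSPF neighbor 10.1.0.0 (realm ospf-v2 xe-0/2/2.0 area 0.0.0.0) state changed from Full to Down due to KillNbr (event reason: local router ID changed)
May 20 12:29:31  EX3400-10_11-VC mib2d[2920]: SNMP_TRAP_LINK_DOWN: ifIndex 597, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/2/2
May 20 16:06:59  switch1 xntpd[18569]: ntpd 4.2.0-a Fri Sep 23 12:29:28  2016 (1)
<140>1 2017-05-20T12:29:31.000Z EX3400-10_11-VC mib2d 2920 SNMP_TRAP_LINK_DOWN [junos@2636.1.1.1.2.96 snmp-interface-index="597" admin-status="up(1)" operational-status="down(2)" interface-name="xe-0/2/2"] ifIndex 597, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/2/2
<141>1 2017-05-20T16:01:08.000Z switch1 mgd 4711 UI_COMMIT [junos@2636.1.1.1.2.96 username="labuser1" commit-comment="adding syslog configuration to the device//SER"] User 'labuser1' requested 'commit' operation (comment: adding syslog configuration to the device//SER)
<142>1 2017-05-20T16:00:02.000Z switch1 mgd 4711 UI_LOGIN_EVENT [junos@2636.1.1.1.2.96 username="labuser1" class="super-user"] User 'labuser1' login, class 'super-user' [4711], ssh-connection '172.16.0.17 51234 172.16.0.6 22', client-mode 'cli'
"""


def facility_name(code):
    names = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
             "uucp", "cron", "authpriv", "ftp"]
    if code < len(names):
        return names[code]
    if 16 <= code <= 23:
        return "local%d" % (code - 16)
    return "facility%d" % code


def parse_line(line):
    """Return a dict of fields, or None if the line is in neither format."""
    m = STRUCTURED.match(line)
    if m:
        ev = m.groupdict()
        pri = int(ev.pop("pri"))                 # PRI = facility * 8 + severity
        ev["facility"] = facility_name(pri >> 3)
        ev["severity"] = SEVERITY[pri & 7]
        sd = ev.pop("sd")
        ev["sd_id"] = None if sd == "-" else sd[1:-1].split(" ", 1)[0]
        ev["params"] = dict(SD_PARAM.findall(sd)) if sd != "-" else {}
        ev["pid"] = None if ev["pid"] == "-" else ev["pid"]
        ev["msg"] = ev["msg"] or ""
        ev["format"] = "structured"
        return ev
    m = CLASSIC.match(line)
    if m:
        ev = m.groupdict()                       # classic lines carry no PRI or SD
        ev.update(facility=None, severity=None, sd_id=None, params={}, format="classic")
        return ev
    return None


WATCH = {"SNMP_TRAP_LINK_DOWN", "RPD_OSPF_NBRDOWN", "UI_COMMIT", "UI_LOGIN_EVENT"}


def alerts(lines, watch=WATCH):
    """Events whose tag is on the watch list, as (host, tag, detail) tuples."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["tag"] in watch:
            detail = (ev["params"].get("interface-name")
                      or ev["params"].get("username") or ev["msg"])
            hits.append((ev["host"], ev["tag"], detail))
    return hits
```

The structured form is the one to send to a SIEM: the tag and the parameters come out as fields without regex guesswork, and the PRI carries the facility you overrode, so local1 can be routed on the collector. The parser’s one shortcut is that it stops the SD element at the first closing bracket, which is fine for Junos parameters but would need escaping support for arbitrary RFC 5424 input.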

To collect the logs for support, first see what is already in /var/tmp, then archive /var/log into a compressed tarball there:
EX3400-10_11-VC> file list /var/tmp/ 
/var/tmp/:
bcast.bdisp.log
bcast.disp.log
bcast.rstdisp.log
bcast.undisp.log
ex_autod_config
ex_autod_rollback_cfg
…
EX3400-10_11-VC> file archive source /var/log/ destination /var/tmp/EX3400_LOGS_0520171155.logs compress 
tar: Removing leading '/' from member names
{master:0}

EX3400-10_11-VC> file list detail /var/tmp/ 
/var/tmp/:
total blocks: 8440
-rw-------  1 labuser wheel   2087200 May 20 12:55 EX3400_LOGS_0520171155.logs.tgz

To collect the logs from the backup routing engine perform the following steps:
EX3400-10_11-VC> request routing-engine login backup 
--- Junos 15.1X53-D50.2 Kernel 32-bit  JNPR-11.0-20160614.329646_build
warning: This chassis is operating in a non-master role as part of a virtual-chassis (VC) system.
warning: Use of interactive commands should be limited to debugging and VC Port operations.
warning: Full CLI access is provided by the Virtual Chassis Master (VC-M) chassis.
warning: The VC-M can be identified through the show virtual-chassis status command executed at this console.
warning: Please logout and log into the VC-M to use CLI.
{backup:1}
EX3400-10_11-VC>

{backup:1}
EX3400-10_11-VC> file archive source /var/log/ destination /var/tmp/EX3400_RE1_LOGS_0520171156.logs compress 
tar: Removing leading '/' from member names

{backup:1}
EX3400-10_11-VC> file list /var/tmp/ 
/var/tmp/:
EX3400_RE1_LOGS_0520171156.logs.tgz

{backup:1}
labuser@EX3400-10_11-VC> exit 
rlogin: connection closed

{master:0}
labuser@EX3400-10_11-VC> file copy re1:/var/tmp/*.tgz /var/tmp/ 

{master:0}
labuser@EX3400-10_11-VC> file list /var/tmp/EX34* detail 
-rw-------  1 labuser wheel   2087200 May 20 12:55 /var/tmp/EX3400_LOGS_0520171155.logs.tgz
-rw-------  1 labuser wheel   2114254 May 20 21:44 /var/tmp/EX3400_RE1_LOGS_0520171156.logs.tgz
total files: 2

This collects all the logs and copies them to the RE so you can SCP them off. A quick file list /var/tmp verifies that the logs were copied from the line card:
> file list /var/tmp/MEM4.logs.tgz detail 
-rw-------  1 lab wheel   2036892 Jun 22 15:58 /var/tmp/MEM4.logs.tgz
total files: 1


#### Configuring TIMEZONE

The default time zone for Junos is UTC (Coordinated Universal Time, formerly known as GMT or Greenwich Mean Time). We are going to modify the local time zone under the edit system hierarchy and set it to America/Chicago:
# set system time-zone America/C? 
Possible completions:
  <time-zone>          Time zone name or POSIX-compliant time zone string (<continent>/<major-city> or <time-zone>)
  America/Cambridge_Bay  
  America/Campo_Grande  
  America/Cancun       
  America/Caracas      
  America/Catamarca    
  America/Cayenne      
  America/Cayman       
  America/Chicago      
  America/Chihuahua    
  America/Cordoba      
  America/Costa_Rica   
  America/Cuiaba       
  America/Curacao      
# set system time-zone America/Chicago 
# commit

Now we can check the system clock to make sure we are on Central Daylight Time (CDT).
# run show system uptime 
Current time: 2017-05-19 15:30:42 CDT
System booted: 2017-05-18 16:56:11 CDT (22:34:31 ago)
Protocols started: 2017-05-18 16:56:59 CDT (22:33:43 ago)
Last configured: 2017-05-19 15:30:33 CDT (00:00:09 ago) by labuser1
 3:30PM  up 22:35, 2 users, load averages: 0.00, 0.00, 0.00
 
There are over 100 different time zones you can set your device to, including Zulu. If you don’t want to use a location-based time zone you can use a fixed offset instead. UTC is 5 hours ahead of CDT, so instead of specifying America/Chicago we could use an offset from GMT and get the same local time, at least while daylight saving time is in effect: a fixed offset never shifts for DST, so it will be an hour off for part of the year. Let’s take a look:
# set system time-zone GMT?   
Possible completions:
  <time-zone>          Time zone name or POSIX-compliant time zone string (<continent>/<major-city> or <time-zone>)
  GMT                  
  GMT+1                
  GMT+10               
  GMT+11               
  GMT+12               
  GMT+2                
  GMT+3                
  GMT+4                
  GMT+5                
  GMT+6                
  GMT+7                
…                
  GMT-9               
# set system time-zone GMT-5    
[edit]
labuser@VEX1# commit 
Now let’s check the system uptime to see if it properly reflects the GMT-5 offset. Look closely at the output: the Current time line looks right, but the Last configured timestamp is about ten hours away from it and the "ago" value has gone negative. The GMT+n/GMT-n names are POSIX-style strings, in which the sign is the reverse of the familiar UTC-5 notation, and a session that was opened before the change may still display in the old zone. Treat a result like this as a sign that the offset is not what you intended, and prefer a location-based name, which also handles DST:
> show system uptime 
Current time: 2017-05-19 15:43:41 GMT-5
System booted: 2017-05-18 16:56:08 GMT-5 (22:47:33 ago)
Protocols started: 2017-05-18 16:56:56 GMT-5 (22:46:45 ago)
Last configured: 2017-05-20 01:42:17 GMT-5 (-9:-58:-36 ago) by labuser1


#### Configuring NTP

First pull down the NTP package on the server and install it using yum:
# yum install ntp
Now edit /etc/ntp.conf and add some publicly accessible NTP servers. To get a list of servers, go to http://www.pool.ntp.org/en/use.html and follow the join and use instructions. The restrict lines matter: the default policy denies configuration changes (nomodify), traps (notrap), peering (nopeer) and ntpq/ntpdc control queries (noquery) from everyone, while the two lab subnets are allowed to query and to request time. disable monitor turns off the monlist facility that was widely abused for amplification attacks:
# cat ntp.conf | grep -v "#"
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1 
restrict ::1
restrict 192.168.56.0 mask 255.255.255.0 nomodify notrap
restrict 172.16.0.0 mask 255.255.255.0 nomodify notrap
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor

You also need to set a key to use for NTP authentication. To do that, edit the keys file under /etc/ntp/. Here we add two MD5 keys (type M):
# more keys
# For more information about this file, see the man page ntp_auth(5).
#
# id	type	key
1	M	JUNIPER123
2	M	WATERMELON123
Two checks before relying on these keys: the keys file holds the secrets in clear text, so it must be owned by root and readable only by root (chmod 600), and ntpd will not use a key to authenticate client requests unless it is listed on a trustedkey line in ntp.conf (for example trustedkey 1 2). The ntp.conf shown above references the keys file but has no trustedkey line, so add one before expecting authenticated associations to work. Now start the server:
# service ntpd start
Now you can check the server’s view of its own upstream sources with ntpq -p (the -n option below suppresses reverse DNS lookups):

$ ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.56.1    .XFAC.          16 u    - 1024    0    0.000    0.000   0.000
*66.96.99.10     204.9.54.119     2 u  309  512  377   43.795    5.533   1.404
+66.96.98.9      64.250.105.227   2 u  261  512  377   43.901    5.952   1.437
 38.229.71.1     .STEP.          16 u    - 1024    0    0.000    0.000   0.000
 159.203.158.197 .STEP.          16 u    - 1024    0    0.000    0.000   0.000

In our lab we will point to 172.16.0.17, the NTP server we just configured. The restrict line for 172.16.0.0/24 in the ntp.conf above is what authorizes this network to request time from it.
# set system ntp server 172.16.0.17 prefer

The prefer keyword says to prefer this server over any other servers listed. Now let’s add the shared key. The type md5 keyword means the key is used as the symmetric key for the MD5 message authentication code on every NTP packet; it does not mean the key is stored as a hash. Junos writes the value to the configuration in its $9$ obfuscated form, which is reversible, so anyone who can read the configuration can recover the NTP key:
# set system ntp authentication-key 1 type md5 value "JUNIPER123"
# set system ntp trusted-key 1 
# show system ntp | display set 
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$tXwY01ElKW-VsUj/Ap0REdVwYaZDikPTz"
set system ntp trusted-key 1
set system ntp server 172.16.0.17 prefer

Next, tell the server statement which key to use. You can define several keys with different values and rotate between them, but for now we focus on one key. Without this line the key exists but is never referenced, and the association stays unauthenticated:
# set system ntp server 172.16.0.17 key 1
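
The following is an added example, not code from the page or from Junos, that shows what the type md5, key and trusted-key statements above actually do on the wire. It builds an NTPv4 client request, appends the NTP message authentication code (4-byte key id followed by MD5 over the key concatenated with the 48-byte header, as RFC 5905 specifies for MD5 keys), and then performs the server-side check. The key values are the ones from the keys file shown on this page; the trusted_keys table plays the role of trustedkey on the server and trusted-key on the switch, so a key that is defined but not trusted is rejected just like an unknown one.

```python
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)

# Constructed copy of the /etc/ntp/keys file shown on this page: "id  type  key", type M = MD5.
KEYS_FILE = """\
# id\ttype\tkey
1\tM\tJUNIPER123
2\tM\tWATERMELON123
"""


def parse_keys(text):
    """Parse an ntpd keys file into {key_id: key_bytes}. Only type M (MD5) is handled here."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key_id, key_type, key = line.split(None, 2)
        if key_type.upper() != "M":
            raise ValueError(f"key {key_id}: unsupported key type {key_type!r}")
        keys[int(key_id)] = key.encode()
    return keys


def ntp_client_header(unix_time=None):
    """Build the 48-byte NTPv4 client request header (LI=0, VN=4, mode=3)."""
    if unix_time is None:
        unix_time = time.time()
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    # LI/VN/mode, stratum, poll (2^6 s), precision (2^-20 s), root delay, root dispersion,
    # reference id, then reference/origin/receive timestamps (zero in a client request)
    # and finally the transmit timestamp.
    fixed = struct.pack("!BBbb3I", li_vn_mode, 0, 6, -20, 0, 0, 0)
    return fixed + bytes(24) + struct.pack("!II", secs, frac)


def sign(packet, key_id, key):
    """Append the NTP MAC: 4-byte key id + MD5(key || packet)."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify(message, trusted_keys):
    """Server-side check. Returns (ok, key_id).

    trusted_keys is the set of keys the receiver trusts (trustedkey / trusted-key):
    a key that exists elsewhere but is missing here is rejected like an unknown key."""
    if len(message) != 48 + 4 + 16:
        return False, None
    packet = message[:48]
    key_id = struct.unpack("!I", message[48:52])[0]
    digest = message[52:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, key_id
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, digest), key_id


if __name__ == "__main__":
    keys = parse_keys(KEYS_FILE)
    request = sign(ntp_client_header(), 1, keys[1])
    print("key 1 trusted on the server:             ", verify(request, {1: keys[1]}))
    print("key 1 on the server has another value:   ", verify(request, {1: b"OTHERVALUE"}))
    print("server only trusts key 2:                ", verify(request, {2: keys[2]}))
```

The second and third cases are the two misconfigurations that bite most often: the same key id with a different value on each side, and a key that is configured but not trusted. Both fail identically, which is why it pays to compare the $9$ values and the trusted-key lines on every device rather than only the server statement.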

That is the basic configuration for a Junos device to use the authenticated NTP server in our network. We also want to specify a source address for NTP, so the server always sees requests from one stable address that its restrict lines permit:
# set system ntp source-address 172.16.0.6

Now commit what you have so far; then we will set the system time:
# commit 
# show system ntp | display set 
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$tXwY01ElKW-VsUj/Ap0REdVwYaZDikPTz"
set system ntp server 192.168.56.1 key 1
set system ntp server 192.168.56.1 prefer
set system ntp source-address 192.168.56.11
Excellent, so now let’s go ahead and set the date from operational mode:
> set date ?
Possible completions:
  <time>               New date and time (YYYYMMDDhhmm.ss)
  ntp                  Set system date and time using Network Time Protocol servers

As you can see we have two ways to set the date. Type it in manually or point to the NTP server. We are going to do it both ways just for practice:
> set date 201705191724 
Fri May 19 17:24:00 GMT-5 2017

Outstanding. Now let’s try it with the NTP server:
> set date ntp 172.16.0.17 
20 May 03:25:58 ntpdate[12591]: step time server 172.16.0.17 offset 36009.441756 sec

The step is about ten hours, the difference between the time we set by hand and the time the server is serving. The last thing on our list was to check the status of NTP. Two commands tell us whether we are synchronized with the server: show ntp status reports the local clock state (leap indicator, stratum, reference id), and show ntp associations lists each configured source with its tally code, stratum, reachability register and offset.
# run show ntp status          

> show ntp associations 
     remote           refid      st t when poll reach   delay   offset  jitter
==================================================================
*172.16.0.17    66.96.99.10      3 -   62   64   17    0.283   72.534  36.735


### Configuring EX Switches to Act as NTP Servers

Currently none of the devices are configured for NTP, so none of them are synchronized to the NTP server:
SWITCH-1> show ntp associations 
SWITCH-1> show system uptime 

Our first step is to become a client of the NTP source (usually a separate appliance or a source on the Internet). The command to become a client is a little counter-intuitive because the keyword is actually “server”:
SWITCH-1# show system ntp | display set 
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$wn2oZHqP36CRh-bs2JZn69AO1EcyKWL"
set system ntp server 192.168.2.5 key 1
set system ntp trusted-key 1

SWITCH-1# run show ntp associations    
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
*192.168.2.5      96.244.96.19     3 -    4   64    1    0.833   -0.584   0.127

SWITCH-1# run show ntp status 
status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Thu Jul 20 08:16:47  2017 (1)", processor="arm",
system="Junos15.1R6-S2.1", leap=00, stratum=4, precision=-16,
rootdelay=43.024, rootdispersion=1.560, peer=41532, refid=192.168.2.5,
reftime=dd27367c.03c04f9d  Sat, Jul 29 2017 16:29:48.014, poll=6,
clock=dd27368e.6f230f9b  Sat, Jul 29 2017 16:30:06.434, state=3,
offset=0.000, frequency=0.000, jitter=0.110, stability=0.000

Just as in the previous chapter, we added the NTP configuration and pointed the device at the “server” 192.168.2.5. That makes Switch-1 a client of 192.168.2.5.
Now configure this device to also serve time to the rest of the network. You can use either broadcast or peer (symmetric active) to accomplish this. Let’s do broadcast first. Keep in mind that an unauthenticated broadcast association is open to anyone on the VLAN: any host that sends NTP broadcasts can move every broadcast client’s clock. Junos accepts a key keyword on the broadcast statement (set system ntp broadcast <address> key 1), and the clients’ trusted-key list is what lets them validate those broadcasts, so use it anywhere but a lab:
SWITCH-1# set vlans V100 l3-interface irb.100 
SWITCH-1# set interfaces irb.100 family inet address 172.16.14.1/24 
SWITCH-1# set system ntp broadcast 172.16.14.0
SWITCH-1# commit

SWITCH-1# show | display set | match ntp    
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$wn2oZHqP36CRh-bs2JZn69AO1EcyKWL"
set system ntp server 192.168.2.5 key 1
set system ntp broadcast 172.16.14.0
set system ntp trusted-key 1

SWITCH-1# run show ntp associations         
   remote         refid           st t when poll reach   delay   offset  jitter
*192.168.2.5      96.244.96.19     3 -   56   64   17    0.808   -3.449   0.542
 172.16.14.1      .BCST.          16 -    -   64    0    0.000    0.000 4000.00

You can see that we have configured a Layer 3 interface for VLAN 100 and configured broadcast for that network, so the rest of the network can point to 172.16.14.1 as the broadcast server.
The next step is to configure your clients, Switch-2 and Switch-3. Note that the client configurations below define an authentication key but never reference it: there is no key on the server statement and no trusted-key, so these associations are unauthenticated. In production add key 1 to the server statement and a trusted-key 1 line:
SWITCH-2# set vlans V100 l3-interface irb.100 
SWITCH-2# set interfaces irb.100 family inet address 172.16.14.2/24 
SWITCH-2# commit 

SWITCH-2# show system ntp | display set 
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$DmH.f36CBIhWLJUjHPf1IEcev8X7Vs2"
set system ntp server 172.16.14.1
set system ntp broadcast-client

SWITCH-2# run show ntp associations 
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
*172.16.14.1      192.168.2.5      4 -   15   64   17    3.704   -0.658   0.483

SWITCH-2# run show ntp status 
status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Thu Mar 24 17:43:25  2016 (1)", processor="arm",
system="Junos15.1R3.6", leap=00, stratum=5, precision=-16,
rootdelay=66.661, rootdispersion=4.515, peer=59540, refid=172.16.14.1,
reftime=dd273fc6.fa255fa9  Sat, Jul 29 2017 17:09:26.977, poll=6,
clock=dd273fdb.d3f20198  Sat, Jul 29 2017 17:09:47.827, state=3,
offset=0.000, frequency=0.000, jitter=0.411, stability=0.000
And now onto Switch-3. 


SWITCH-3# show system ntp | display set 
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$DmH.f36CBIhWLJUjHPf1IEcev8X7Vs2"
set system ntp server 172.16.14.1
set system ntp broadcast-client

SWITCH-3# run set date ntp 
29 Jul 17:22:59 ntpdate[14778]: step time server 172.16.14.1 offset 25.585421 sec

SWITCH-3# run show ntp associations    
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
*172.16.14.1      192.168.2.5      4 -   62   64    3    3.759    0.138   1.272
Switch-4 already has VLAN 100, so all we have to do is copy and paste the NTP configuration used on Switch-2 or Switch-3, set the date manually, and then we should get NTP sync.
TIP	ntpd only adjusts the clock gradually (slews) when the offset is under 128 ms. A larger offset is corrected with a single step, and an offset beyond roughly 1000 seconds makes ntpd give up rather than step. That is why set date ntp, which steps the clock once the way ntpdate does, is the first thing to run on a device that is far off, as Switch-3 was above.
SWITCH-4# show system ntp | display set 
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$DmH.f36CBIhWLJUjHPf1IEcev8X7Vs2"
set system ntp server 172.16.14.1
set system ntp broadcast-client

SWITCH-4# run show ntp associations 
   remote         refid           st t when poll reach   delay   offset  jitter
================
 172.16.14.1      .STEP.          16 -   32   64    0    0.000    0.000 4000.00
The .STEP. refid and stratum 16 mean the local clock has just been stepped and the association is restarting; reach is 0 because no poll has completed since the step. A few polls later the line will show the server’s real stratum and a * tally.
Now our entire network is synchronized off our NTP server. Note the stratum levels in the outputs above: the lab NTP appliance 192.168.2.5 shows as stratum 3 in Switch-1’s associations (its own upstream, 96.244.96.19, is stratum 2), so Switch-1 is stratum 4 (stratum=4 in its show ntp status), and the broadcast clients that sync to Switch-1 are stratum 5. Each hop adds one.
Since you have direct connections to Switch-1 and Switch-4, you could also make these primary and backup servers for the network. To accomplish that use the prefer keyword.
NOTE	When viewing the output of the ntp association command you will see symbols in front of the IP addresses: * master (synced), # master (unsynced), + selected, - candidate, and ~ configured.
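The following is an added example, not code from the page or from Junos, that parses show ntp associations output (the same column layout as ntpq -pn) and turns it into a health verdict. It labels the tally codes as in the NOTE above, decodes the reach column as the octal register of the last eight polls (bit 0 is the most recent), and flags kiss codes such as .STEP. and .INIT. in the refid column. The samples are the Switch-4 outputs captured further down this page; the x falseticker label is the ntpq meaning and is not shown on this page.

```python
import re

# Tally codes in the first column, labelled as Junos documents them for show ntp associations.
TALLY = {
    "*": "master (synced)",
    "#": "master (unsynced)",
    "+": "selected",
    "-": "candidate",
    "~": "configured",
    "x": "falseticker",
    " ": "not used (rejected, unreachable or not yet valid)",
}

# Kiss codes shown in the refid column instead of an upstream address.
KISS = {
    ".STEP.": "local clock was just stepped; association restarting",
    ".INIT.": "association initialized, no reply received yet",
    ".BCST.": "local side of a broadcast association",
    ".XFAC.": "association changed interface or address",
    ".RATE.": "server asked for a lower polling rate",
    ".DENY.": "server refused service",
}

LINE = re.compile(
    r"^(?P<tally>[ *#+\-~x.o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+(?P<t>\S+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+(?P<delay>\S+)\s+(?P<offset>\S+)\s+"
    r"(?P<jitter>\S+)\s*$"
)


def parse_associations(text):
    """Parse show ntp associations (or ntpq -pn) output into a list of peer dicts."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised association line: {line!r}")
        reach = int(m["reach"], 8)  # octal shift register of the last 8 polls, bit 0 = most recent
        peers.append({
            "tally": m["tally"],
            "status": TALLY.get(m["tally"], "unknown"),
            "remote": m["remote"],
            "refid": m["refid"],
            "stratum": int(m["st"]),
            "reach": reach,
            "polls_ok": bin(reach).count("1"),
            "missed_polls": [i for i in range(8) if not (reach >> i) & 1],
            "offset_ms": float(m["offset"]),
            "jitter_ms": float(m["jitter"]),
        })
    return peers


def summarize(text):
    """Health summary: synced or not, to which peer, resulting local stratum, and warnings."""
    peers = parse_associations(text)
    sys_peer = next((p for p in peers if p["tally"] == "*"), None)
    warnings = []
    for p in peers:
        if p["refid"] in KISS:
            warnings.append(f"{p['remote']}: {KISS[p['refid']]}")
        elif p["tally"] == " ":
            warnings.append(f"{p['remote']}: {TALLY[' ']}, reached in {p['polls_ok']} of the last 8 polls")
        if p["tally"] == "*" and p["reach"] != 0o377:
            warnings.append(f"{p['remote']}: system peer but missed polls {p['missed_polls']} (0 = most recent)")
    if sys_peer is None:
        warnings.append("no system peer: the local clock is not synchronized")
    return {
        "synced": sys_peer is not None,
        "sys_peer": sys_peer["remote"] if sys_peer else None,
        "local_stratum": sys_peer["stratum"] + 1 if sys_peer else 16,
        "warnings": warnings,
    }


# Samples copied from the Switch-4 outputs on this page: before the outage, after it, and just after rollback.
BEFORE = "\n".join([
    "   remote         refid           st t when poll reach   delay   offset  jitter",
    "==================================================================",
    "*192.168.2.5      96.244.96.19     3 -   39   64  377    0.742   -2.644   1.146",
    "+172.16.14.1      192.168.2.5      4 -   31   64  377    3.760  -22.486   2.095",
])
AFTER = "\n".join([
    " 192.168.2.5      45.127.112.2     3 -   53   64  375    0.739   -1.684   0.720",
    "*172.16.14.1      192.168.2.5      4 -   45   64  377    5.162  -20.013  98.945",
])
STEPPED = "\n".join([
    " 192.168.2.5      .STEP.          16 -  502   64    0    0.000    0.000 4000.00",
    " 172.16.14.1      .STEP.          16 -   65   64    0    0.000    0.000 4000.00",
])

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER), ("stepped", STEPPED)):
        print(name, summarize(sample))
```

Run over the three samples, the summary says synced to 192.168.2.5 at stratum 4, then synced to 172.16.14.1 at stratum 5 with 192.168.2.5 unused after missing one of its last eight polls, and finally not synchronized at all while both associations restart after the step.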
First, configure Switch-4 with server statements and prefer the NTP appliance over Switch-1:
SWITCH-4# show system ntp | display set 
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$wn2oZHqP36CRh-bs2JZn69AO1EcyKWL"
set system ntp server 192.168.2.5 prefer
set system ntp server 172.16.14.1
set system ntp trusted-key 1

By using the prefer keyword you can specify which device you want to be primary, so you can have more than one NTP source for failover. To test this, let’s disable the interface through which 192.168.2.5 is reachable (this emulates a real-world outage). Check the current associations first:
SWITCH-4# run show ntp associations 
   remote         refid           st t when poll reach   delay   offset  jitter
==================================================================
*192.168.2.5      96.244.96.19     3 -   39   64  377    0.742   -2.644   1.146
+172.16.14.1      192.168.2.5      4 -   31   64  377    3.760  -22.486   2.095

This output clearly shows that 192.168.2.5 is the preferred master and is synced (identified by *). Now let’s disable that interface and see what happens.
SWITCH-4# run show ntp associations 
   remote         refid           st t when poll reach   delay   offset  jitter
==================================================================
 192.168.2.5      45.127.112.2     3 -   53   64  375    0.739   -1.684   0.720
*172.16.14.1      192.168.2.5      4 -   45   64  377    5.162  -20.013  98.945
You can see that 172.16.14.1 has become the synced master (*), transitioning from selected (+), and the switch is still synchronized. We can also make Switch-2 and Switch-3 clients of Switch-1 and Switch-4 respectively, each preferring a different one, so both have a backup path to the two main NTP sources:

SWITCH-2# show system ntp | display set 
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$DmH.f36CBIhWLJUjHPf1IEcev8X7Vs2"
set system ntp server 172.16.14.4
set system ntp server 172.16.14.1 prefer
set system ntp broadcast-client

SWITCH-2# run show ntp associations                      
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
+172.16.14.4      172.16.14.1      4 -   51   64  377    5.160    7.470   3.244
*172.16.14.1      192.168.2.5      3 -   53   64  377    4.516   -6.597   1.158

SWITCH-3# show system ntp | display set 
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$DmH.f36CBIhWLJUjHPf1IEcev8X7Vs2"
set system ntp server 172.16.14.4 prefer
set system ntp server 172.16.14.1
set system ntp broadcast-client


SWITCH-3# run show ntp associations        
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
*172.16.14.4      172.16.14.1      4 -   34   64  377    4.711   -3.337   8.753
+172.16.14.1      192.168.2.5      3 -   32   64  377    5.432  -19.796   6.898
If we take away NTP on 172.16.14.4 (Switch-4), Switch-3 should fall back to 172.16.14.1 without any issues.

SWITCH-4# deactivate system ntp 
SWITCH-4# commit 

SWITCH-3# run show ntp associations    
   remote         refid           st t when poll reach   delay   offset  jitter
==================================================================
 172.16.14.4      .INIT.          16 -    -   64    0    0.000    0.000 4000.00
*172.16.14.1      192.168.2.5      3 -   32   64    1    3.663    0.567   0.171

And once we rollback the change we made to Switch-4 then Switch-3 will pick back up on 172.16.14.4 because it is preferred:
SWITCH-4# rollback 1 
load complete
SWITCH-4# commit 
SWITCH-4# run show ntp associations 
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
 192.168.2.5      .STEP.          16 -  502   64    0    0.000    0.000 4000.00
 172.16.14.1      .STEP.          16 -   65   64    0    0.000    0.000 4000.00

SWITCH-4# run show ntp associations    
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
*192.168.2.5      132.163.4.101    2 -    1   64    1    1.225   14.808   0.269
+172.16.14.1      192.168.2.5      3 -    1   64    1    3.987   -2.778   0.462

Once everything is back up on Switch-4, check Switch-3 and see that it has indeed regained its preferred master clock, which is an EX Series switch:
SWITCH-3# run show ntp associations    
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
*172.16.14.4      192.168.2.5      3 -    1   64    1    4.219    2.698   0.330
+172.16.14.1      192.168.2.5      3 -    2   64    1    4.726    0.462   0.326

Let’s do a quick configuration and check of the peer statement and see what it gives us that the broadcast or server keywords do not. A server association is one-way: the client follows the server. A peer (symmetric active) association is mutual: each side can follow the other, so two switches that both have upstream servers can back each other up if one of them loses its upstream. Note that only the first peer line below carries a key; the second peer and the server line are unauthenticated:
EX4600-4_5-VC# show | display set | match ntp 
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$XP4NVsaZDmfQtuMLxNwsPfTz/Cp0BESr"
set system ntp peer 172.16.0.2 key 1
set system ntp peer 172.16.0.17
set system ntp server 172.16.0.17
set system ntp trusted-key 1
set system ntp source-address 172.16.0.2
set system ntp source-address 172.16.0.4

EX4600-4_5-VC# run show ntp associations    
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
+172.16.0.2       172.16.0.17      4 -   42   64  175    0.844   -0.179   1.191
+172.16.0.17      204.2.134.163    3 -   47  512   37    0.429   -0.445   0.078
*172.16.0.17      204.2.134.163    3 -   32   64  377    0.400   -0.449   0.114


#### Configuring NAME-SERVER

This is a very simple task but is important if you want to use the Domain Name System (DNS) in your production network to reference devices by name instead of IP addresses:
EX3400-10_11-VC# set system name-server 8.8.8.8    
EX3400-10_11-VC# commit
EX3400-10_11-VC# run ping juniper.net    
PING juniper.net (66.129.230.17): 56 data bytes
As you can see, we used Google’s name server 8.8.8.8 in our configuration and then ran a quick ping to juniper.net from edit mode, and the switch resolved it to 66.129.230.17.
We should also set our domain-name if we are going to be using DNS.
EX3400-10_11-VC # set system domain-name juniper.net

#### Chapter 11

#### Configuring EX Series Port Security 
#### Configuring MAC Limiting

Before getting started let’s log into an EX2300-C running ELS code and check what mac-addresses are being learned by viewing the ethernet-switching table:
EX2300-C# run show ethernet-switching table 
MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)
Ethernet switching table : 11 entries, 11 learned
Routing instance : default-switch
    Vlan            MAC                 MAC       Age    Logical            NH        RTR 
    name            address             flags            interface          Index     ID
    OOB             08:00:27:a4:0a:eb   D           -   ge-0/0/11.0        0         0       
    OOB             2c:21:72:ce:8f:88   D           -   ge-0/0/11.0        0         0       
    OOB             30:7c:5e:10:86:ff   D           -   ge-0/0/3.0         0         0       
    OOB             5c:45:27:b1:72:3f   D           -   ge-0/0/5.0         0         0       
    OOB             5c:45:27:e7:9b:3f   D           -   ge-0/0/0.0         0         0       
    OOB             5c:45:27:e7:e8:3f   D           -   ge-0/0/4.0         0         0       
    OOB             78:fe:3d:e4:01:bf   D           -   ge-0/0/2.0         0         0       
    OOB             a8:20:66:27:06:19   D           -   ge-0/0/11.0        0         0       
    OOB             cc:e1:7f:8f:7a:ff   D           -   ge-0/0/1.0         0         0       
    OOB             d4:ae:52:ba:65:95   D           -   ge-0/0/11.0        0         0       
    OOB             ec:b1:d7:4c:24:53   D           -   ge-0/0/11.0        0         0    

EX2300-C # show interfaces ge-0/0/11 | display set 
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 2
set interfaces ge-0/0/11 unit 0 family ethernet-switching storm-control default

# set switch-options interface ge-0/0/11 interface-mac-limit 4 packet-action drop-and-log 
# commit 
configuration check succeeds
commit complete

# run show ethernet-switching table interface ge-0/0/11    

Now let’s do the same thing for the entire VLAN. Here is the configuration for the VLAN OOB (vlan-id 2):
# set vlans OOB vlan-id 2
# set vlans OOB l3-interface irb.2
# set vlans OOB switch-options interface-mac-limit 4
# set vlans OOB switch-options interface-mac-limit packet-action drop-and-log

The MAC learning log records the actions MAC limiting has taken (drops or interface shutdowns). To clear the log, use the clear ethernet-switching mac-learning-log command. Clearing the log does not re-enable an interface that the shutdown action disabled; for that, use clear ethernet-switching recovery-timeout, or configure a recovery-timeout on the interface so it comes back on its own.
> clear ethernet-switching mac-learning-log

#### Configuring MAC Move Limiting

The following command limits how many times a MAC address may move between interfaces in the VLAN within one second. With packet-action log, moves beyond the limit are logged but the traffic is not dropped:
# set vlans OOB switch-options mac-move-limit 4 packet-action log
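
The following is an added example, not code from the page or from Junos, that models the two checks just configured so you can see which frame trips each one. A per-interface cap of four dynamic MACs with drop-and-log corresponds to the interface-mac-limit statement, and a per-VLAN cap of four moves per second with a log-only action corresponds to the mac-move-limit statement. The constructed scenario uses the five MAC addresses the page’s ethernet-switching table shows on ge-0/0/11 (so the fifth one is refused) and then flaps a sixth MAC between two ports; the one-second move window is an assumption about how the limit is counted.

```python
from collections import defaultdict, deque


class MacSecurityTable:
    """Toy model of MAC limiting: per-interface learning caps and per-VLAN MAC-move limits."""

    def __init__(self, interface_mac_limit=None, mac_move_limit=None):
        self.iface_limit = interface_mac_limit or {}   # {interface: (max dynamic MACs, action)}
        self.move_limit = mac_move_limit or {}         # {vlan: (max moves per second, action)}
        self.table = {}                                # (vlan, mac) -> interface
        self.moves = defaultdict(deque)                # (vlan, mac) -> timestamps of recent moves
        self.log = []                                  # what the mac-learning-log would hold

    def _apply(self, action, message):
        """Honour the packet-action: log-type actions record, drop-type actions also discard."""
        if "log" in action:
            self.log.append(message)
        return "dropped" if action.startswith("drop") else None

    def frame(self, t, vlan, interface, src_mac):
        """Process one ingress frame at time t; returns learned / known / moved / dropped."""
        src_mac = src_mac.lower()
        key = (vlan, src_mac)
        current = self.table.get(key)
        if current == interface:
            return "known"
        if current is not None:
            # Same MAC last seen on another interface of this VLAN: a MAC move.
            window = self.moves[key]
            window.append(t)
            while t - window[0] > 1.0:          # keep only moves within the last second
                window.popleft()
            limit, action = self.move_limit.get(vlan, (None, "log"))
            if limit is not None and len(window) > limit:
                verdict = self._apply(action, f"t={t:.2f} mac-move-limit {limit} exceeded in {vlan}: "
                                              f"{src_mac} moved {len(window)} times in 1s, now on {interface}")
                if verdict:
                    return verdict
            self.table[key] = interface
            return "moved"
        # New MAC on this interface: enforce interface-mac-limit before learning it.
        learned_here = sum(1 for iface in self.table.values() if iface == interface)
        limit, action = self.iface_limit.get(interface, (None, "drop-and-log"))
        if limit is not None and learned_here >= limit:
            verdict = self._apply(action, f"t={t:.2f} interface-mac-limit {limit} reached on {interface}: "
                                          f"{src_mac} not learned")
            if verdict:
                return verdict
        self.table[key] = interface
        return "learned"


def run_scenario():
    """Constructed traffic: five hosts behind ge-0/0/11, then one MAC flapping between two ports."""
    table = MacSecurityTable(interface_mac_limit={"ge-0/0/11": (4, "drop-and-log")},
                             mac_move_limit={"OOB": (4, "log")})
    frames = []
    for i, mac in enumerate(["08:00:27:a4:0a:eb", "2c:21:72:ce:8f:88", "a8:20:66:27:06:19",
                             "d4:ae:52:ba:65:95", "ec:b1:d7:4c:24:53"]):
        frames.append((i * 0.1, "OOB", "ge-0/0/11", mac))
    for i in range(7):   # one learn, then six moves within 0.3 s
        iface = "ge-0/0/3" if i % 2 == 0 else "ge-0/0/5"
        frames.append((1.0 + i * 0.05, "OOB", iface, "30:7c:5e:10:86:ff"))
    results = [table.frame(*f) for f in frames]
    return table, results


if __name__ == "__main__":
    table, results = run_scenario()
    print(results)
    for entry in table.log:
        print(entry)
```

The fifth MAC on ge-0/0/11 is dropped and logged, while the flapping MAC keeps being relearned because the move limit was configured with packet-action log: the log fills up but nothing is blocked, which is the right first setting while you work out whether the moves are an attack or a misconfigured redundant link.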


#### Configuring Persistent MAC 

Persistent MAC learning keeps the addresses dynamically learned on an interface across link flaps and switch restarts, so they behave like static entries and a different host plugged into that port is not learned. Enable it per interface and check the learning log for that interface:
# set switch-options interface ge-0/0/4 persistent-learning
# run show ethernet-switching mac-learning-log | match ge-0/0/4 

#### Configuring DHCP Server

The EX2300 does not support the legacy system services dhcp server. The switch will still allow you to type the old syntax and will even commit it without any complaint:
{master:0}[edit]
EX2300# set system services dhcp pool 172.16.30.0/24 address-range low 172.16.30.2 
{master:0}[edit]
EX2300# set system services dhcp pool 172.16.30.0/24 address-range high 172.16.30.10 
{master:0}[edit]
EX2300# set system services dhcp pool 172.16.30.0/24 domain-name adroitnetworking.com 
{master:0}[edit]
EX2300# set system services dhcp pool 172.16.30.0/24 router 172.16.30.1 
{master:0}[edit]
EX2300# commit 
configuration check succeeds
commit complete

However, it will not hand your client a DHCP address, and when you go looking for the reason you will find it right in the configuration:
EX2300# show system services dhcp 
##
## Warning: configuration block ignored: unsupported platform (ex2300-c-12p)
##
##
## Warning: Incompatible with 'system services dhcp-local-server group'
## Warning: Incompatible with 'system services dhcp-local-server group'
##
pool 172.16.30.0/24 {
    address-range low 172.16.30.2 high 172.16.30.10;
    domain-name five-nines.com;
    router {
        172.16.30.1;
    }
}

Here is the supported configuration, which uses dhcp-local-server together with an address-assignment pool. Configure the VLAN:
set vlans V16 vlan-id 16
set vlans V16 l3-interface irb.16

Configure the irb interface:
set interfaces irb unit 16 family inet address 172.16.30.1/24

Configure the dhcp-local-server group:
set system services dhcp-local-server group V16 interface irb.16

Add the VLAN to your access interfaces:
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members V16
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members V16

Use the access hierarchy to define your DHCP attributes:
set access address-assignment pool V16 family inet network 172.16.30.0/24
set access address-assignment pool V16 family inet range V16-RANGE low 172.16.30.10
set access address-assignment pool V16 family inet range V16-RANGE high 172.16.30.40
set access address-assignment pool V16 family inet dhcp-attributes maximum-lease-time 36000
set access address-assignment pool V16 family inet dhcp-attributes server-identifier 172.16.30.1
set access address-assignment pool V16 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool V16 family inet dhcp-attributes router 172.16.30.1

If you are just standing the service up for the first time, it is also a good idea to add traceoptions for troubleshooting (level all with flag all is verbose; remove the traceoptions once the service works):
set system processes dhcp-service traceoptions file dhcp_logfile
set system processes dhcp-service traceoptions file size 2m
set system processes dhcp-service traceoptions level all
set system processes dhcp-service traceoptions flag all

Then once you commit the new configuration and connect a DHCP client to the interface you should be able to see the bindings:
EX2300# run show dhcp server binding   
IP address        Session Id  Hardware address   Expires     State      Interface
172.16.30.10      1           d4:ae:52:ba:65:97  34370       BOUND      irb.16    

As well as the dhcp statistics:
EX2300# run show dhcp server statistics 
Packets dropped:
    Total                      0
...

#### Configuring DHCP snooping and Dynamic Arp Inspection (DAI)

The lab’s EX4600-4 has two directly connected VLANs: V100 and V200. Let’s configure them both for basic Dynamic ARP Inspection (DAI) and check the results. On ELS, enabling arp-inspection on a VLAN also turns on DHCP snooping for that VLAN, which builds the binding database DAI checks ARP packets against. Trunk interfaces are trusted by default and access interfaces are untrusted; if your DHCP server sits behind an access port, mark that interface trusted (set vlans V100 forwarding-options dhcp-security group TRUSTED overrides trusted, then add the interface to the group), otherwise its replies are dropped and no bindings are ever learned:
EX4600-4_5-VC# show vlans 
V100 {
    vlan-id 100;
    l3-interface irb.100;
}
V200 {
    vlan-id 200;
    l3-interface irb.200;
}
EX4600-4_5-VC# set vlans V100 forwarding-options dhcp-security arp-inspection
EX4600-4_5-VC# set vlans V200 forwarding-options dhcp-security arp-inspection
EX4600-4_5-VC# commit 
fpc0: 
configuration check succeeds
fpc1: 
commit complete
fpc0: 
commit complete

EX4600-4_5-VC> show dhcp-security arp inspection statistics
ARP inspection statistics:
Interface        Packets received  ARP inspection pass   ARP inspection failed
ge-0/0/1.0                      7                    5                     2
ge-0/0/2.0                     10                   10                     0
ge-0/0/3.0                     12                   12                     0

The two failed packets on ge-0/0/1.0 are ARP packets whose sender IP/MAC pair did not match a binding learned on that interface, which is what a host with a static address, or one claiming a neighbour’s address, produces. The binding database itself is shown with show dhcp-security binding.

#### Configuring IP Source Guard

CAUTION	As of this writing the only device that supports IP Source Guard in the lab is the EX4300-6. The EX2300, EX3400, EX4600, and QFX5100 do not support the ip-source-guard command.
EX4300-6_7-VC# show vlans 
V100 {
    vlan-id 100;
    forwarding-options {
        dhcp-security {
            arp-inspection;
            ip-source-guard;
        }
    }
}

At this point DHCP snooping, DAI and IP Source Guard are all enabled on V100. IP Source Guard drops any IP packet arriving on an untrusted interface whose source IP address and MAC do not match an entry in the binding database. To check the database, use the operational command:
EX4300-6_7-VC> show dhcp-security binding ip-source-guard
IP Address    MAC Address               Vlan      Expires        State      Interface
10.0.2.17    00:05:85:3A:83:77       V100      86265      BOUND      ge-0/0/1.0
10.0.2.18    00:05:85:3A:83:79       V100      86265      BOUND      ge-0/0/1.0
10.0.2.19    00:05:85:3A:83:80       V100      86287      BOUND      ge-0/0/2.0
10.0.2.20    00:05:85:3A:83:81       V100      86287      BOUND      ge-0/0/2.0
10.0.2.21    00:05:85:3A:83:83       V100      86287      BOUND      ge-0/0/2.0
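
The following is an added example, not code from the page or from Junos, that applies the DAI and IP Source Guard checks to the binding table shown above. It parses that output, then validates constructed packets the way the switch does: an ARP packet’s sender IP/MAC (DAI) or an IP packet’s source IP/MAC (IP Source Guard) must match a BOUND entry learned on the ingress interface, and trusted interfaces bypass both checks. The trusted uplink xe-0/0/40.0 and the gateway address 10.0.2.1 are assumptions; only the ARP sender fields are validated here.

```python
from collections import defaultdict

# Binding table copied from the show dhcp-security binding ip-source-guard output on this page.
BINDING_TABLE = """\
IP Address    MAC Address               Vlan      Expires        State      Interface
10.0.2.17    00:05:85:3A:83:77       V100      86265      BOUND      ge-0/0/1.0
10.0.2.18    00:05:85:3A:83:79       V100      86265      BOUND      ge-0/0/1.0
10.0.2.19    00:05:85:3A:83:80       V100      86287      BOUND      ge-0/0/2.0
10.0.2.20    00:05:85:3A:83:81       V100      86287      BOUND      ge-0/0/2.0
10.0.2.21    00:05:85:3A:83:83       V100      86287      BOUND      ge-0/0/2.0
"""


def parse_bindings(text):
    """Return {(vlan, ip): (mac, interface)} for the BOUND entries of the binding table."""
    bindings = {}
    for line in text.splitlines()[1:]:      # skip the header row
        if not line.strip():
            continue
        ip, mac, vlan, _expires, state, iface = line.split()
        if state == "BOUND":
            bindings[(vlan, ip)] = (mac.lower(), iface)
    return bindings


class DhcpSecurity:
    def __init__(self, bindings, trusted_interfaces=()):
        self.bindings = bindings
        self.trusted = set(trusted_interfaces)
        # per (feature, interface) counters, like show dhcp-security arp inspection statistics
        self.stats = defaultdict(lambda: {"received": 0, "pass": 0, "fail": 0})

    def _check(self, feature, vlan, iface, ip, mac):
        counters = self.stats[(feature, iface)]
        counters["received"] += 1
        if iface in self.trusted:
            counters["pass"] += 1
            return True, "trusted interface, not inspected"
        entry = self.bindings.get((vlan, ip))
        if entry is None:
            ok, why = False, f"no binding for {ip} in {vlan}"
        elif entry[1] != iface:
            ok, why = False, f"{ip} is bound to {entry[1]}, not {iface}"
        elif entry[0] != mac.lower():
            ok, why = False, f"{ip} is bound to MAC {entry[0]}, packet came from {mac.lower()}"
        else:
            ok, why = True, "matches binding"
        counters["pass" if ok else "fail"] += 1
        return ok, why

    def arp_inspection(self, vlan, iface, sender_ip, sender_mac):
        """DAI: the ARP sender IP/MAC must match a binding learned on this interface."""
        return self._check("arp-inspection", vlan, iface, sender_ip, sender_mac)

    def ip_source_guard(self, vlan, iface, src_ip, src_mac):
        """IPSG: the IP source address/MAC must match a binding learned on this interface."""
        return self._check("ip-source-guard", vlan, iface, src_ip, src_mac)


def run_scenario():
    """Constructed packets against the page's bindings; xe-0/0/40.0 is an assumed trusted uplink."""
    sec = DhcpSecurity(parse_bindings(BINDING_TABLE), trusted_interfaces={"xe-0/0/40.0"})
    results = [
        sec.arp_inspection("V100", "ge-0/0/1.0", "10.0.2.17", "00:05:85:3a:83:77"),   # legitimate host
        sec.arp_inspection("V100", "ge-0/0/1.0", "10.0.2.19", "00:05:85:3a:83:77"),   # claims a neighbour's IP
        sec.arp_inspection("V100", "ge-0/0/1.0", "10.0.2.99", "00:05:85:3a:83:77"),   # static IP, no lease
        sec.arp_inspection("V100", "xe-0/0/40.0", "10.0.2.1", "00:00:5e:00:01:01"),   # gateway via trusted uplink
        sec.ip_source_guard("V100", "ge-0/0/2.0", "10.0.2.20", "00:05:85:3a:83:81"),  # legitimate host
        sec.ip_source_guard("V100", "ge-0/0/2.0", "10.0.2.18", "00:05:85:3a:83:81"),  # spoofed source address
    ]
    return sec, results


if __name__ == "__main__":
    sec, results = run_scenario()
    for ok, why in results:
        print("PASS" if ok else "FAIL", why)
    for (feature, iface), counters in sorted(sec.stats.items()):
        print(feature, iface, counters)
```

The three ARP packets on ge-0/0/1.0 produce the same shape of counters as the page’s statistics output (received 3, passed 1, failed 2), and the reasons make the point that DAI is only as good as the binding table: a host with a static address that never took a DHCP lease fails inspection just like a spoofer unless you add it as a static binding or move it behind a trusted interface.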

#### Configuring 802.1X Network Access Control (NAC)

First define the RADIUS server the switch will authenticate against. The secret is shown in its $9$ obfuscated form, which is reversible by anyone with read access to the configuration, so protect the configuration and use a strong secret that is unique to this switch:

# set access radius-server 172.16.30.12 port 1812
# set access radius-server 172.16.30.12 secret "$9$fQ3/uORlK8CtK8X7Tz3Ct0BIcre"
# set access radius-server 172.16.30.12 timeout 5
# set access radius-server 172.16.30.12 retry 3

Now that the device is pointed to the appropriate RADIUS server for Network Access Control (NAC), you need to set an access profile:
# set access profile juniper-access-profile authentication-order radius
# set access profile juniper-access-profile radius authentication-server 172.16.30.12
# set access profile juniper-access-profile radius accounting-server 172.16.30.12
# set access profile juniper-access-profile accounting order radius
# set access profile juniper-access-profile accounting accounting-stop-on-failure
# set access profile juniper-access-profile accounting accounting-stop-on-access-deny

(1) Bind the access profile to the 802.1X authenticator:
# set protocols dot1x authenticator authentication-profile-name juniper-access-profile
(2) Enable 802.1X on the access interface in single-supplicant mode and set the EAP timers:
# set protocols dot1x authenticator interface ge-0/0/6.0 supplicant single
# set protocols dot1x authenticator interface ge-0/0/6.0 retries 1
# set protocols dot1x authenticator interface ge-0/0/6.0 transmit-period 10
# set protocols dot1x authenticator interface ge-0/0/6.0 reauthentication 3600
# set protocols dot1x authenticator interface ge-0/0/6.0 supplicant-timeout 30
# set protocols dot1x authenticator interface ge-0/0/6.0 server-timeout 60
# set protocols dot1x authenticator interface ge-0/0/6.0 maximum-requests 3
(3) Guest VLAN for clients that never answer EAPOL at all (no supplicant):
# set protocols dot1x authenticator interface ge-0/0/6.0 guest-vlan GUEST
(4) VLAN for supplicants the RADIUS server explicitly rejects (Access-Reject):
# set protocols dot1x authenticator interface ge-0/0/6.0 server-reject-vlan REMEDIATION
(5) VLAN used when the RADIUS server does not answer. This is a fail-open choice: while RADIUS is down every port ends up in BASIC_INTERNET, so keep that VLAN tightly filtered:
# set protocols dot1x authenticator interface ge-0/0/6.0 server-fail vlan-name BASIC_INTERNET

# set groups DOT1X_TRACE protocols dot1x traceoptions file DOT1X
# set groups DOT1X_TRACE protocols dot1x traceoptions file size 1m
# set groups DOT1X_TRACE protocols dot1x traceoptions file files 3
# set groups DOT1X_TRACE protocols dot1x traceoptions flag state
# set groups DOT1X_TRACE protocols dot1x traceoptions flag dot1x-debug
# set groups DOT1X_TRACE protocols dot1x traceoptions flag eapol

Now apply the group and commit:
# set apply-groups DOT1X_TRACE 
# commit and-quit 

Let’s take a look at the actual interface to see what it says about 802.1x:
# run show dot1x interface ge-0/0/6.0    
802.1X Information:
Interface     Role           State           MAC address          User
ge-0/0/6.0    Authenticator  Authenticated   D4:AE:52:BA:65:97    labuser1     

And let’s not forget our DOT1X log. Look at the end of that file and see whether it reports the authenticated state:
# run show log DOT1X | last
Jun 26 12:48:56.589975 Queuing EAPOL frame to be transmitted out on interface ge-0/0/6
Jun 26 12:48:56.590832  authenticatedStateCause 3


> show dot1x statistics interface ge-0/0/6    
Interface: ge-0/0/6.0
  TxReqId = 268 TxReq = 2318 TxTotal = 2586
  RxStart = 6 RxLogoff = 0 RxRespId = 259 RxResp = 2318
  CoA-Request = 0 CoA-Ack = 0 CoA-Nak = 0
  RxInvalid = 0 RxLenErr = 0 RxTotal = 2583
  LastRxVersion = 1 LastRxSrcMac = d4:ae:52:ba:65:97

> show dot1x accounting-attributes 
User: labuser1        MAC Address: d4:ae:52:ba:65:97 
Accounting Attribute:
    NAS port (5)                 :561
    NAS port ID (87)             :ge-0/0/6.0
    Called station Id (30)       :28-a2-4b-88-21-5d
    Calling Station Id (31)      :d4-ae-52-ba-65-97
    Framed Mtu (12)              :1514
    Session Timeout (27)         :3600
    Acct Authentic (45)          :radius
    NAS Identifier (32)          :EX2300
    Acct Status (40)             :START
    Acct Session Id (44)         :8O2.1x8152010100062bf7

#### Configuring MAC RADIUS 

MAC RADIUS authenticates devices that have no 802.1X supplicant (printers, phones, lab servers) by sending their MAC address to the RADIUS server as the username and password. First clear the existing session on the interface:

# run clear ethernet-switching table interface ge-0/0/6.0
# run clear dot1x interface ge-0/0/6.0
# run show dot1x interface ge-0/0/6.0 
802.1X Information:
Interface     Role           State           MAC address          User
ge-0/0/6.0    Authenticator  Connecting     

# set access profile mac-radius authentication-order none
# set access profile mac-radius radius-server 172.16.30.12 secret "Juniper123"

Then we identify the dot1x profile for mac-radius. 
# set protocols dot1x authenticator authentication-profile-name mac-radius
# set protocols dot1x authenticator interface ge-0/0/6.0 supplicant single
# set protocols dot1x authenticator interface ge-0/0/6.0 mac-radius restrict

Then bring the interface up on the host. The restrict keyword stops the switch from attempting 802.1X (EAPOL) on the port, so MAC RADIUS is the only method tried; you can confirm that from the show dot1x interface command:
# run show dot1x interface ge-0/0/6.0 detail 
ge-0/0/6.0
  Role: Authenticator
...

> show ethernet-switching table | match ge-0/0/6.0 
    V16                 d4:ae:52:ba:65:97   D         -   ge-0/0/6.0          0         0
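
The following is an added example, not code from the page or from Junos, that builds the RADIUS Access-Request a switch doing MAC RADIUS sends for the host above and then performs the server-side checks. It shows the two places the shared secret matters: the User-Password attribute is only obfuscated (XOR with MD5(secret || request authenticator), RFC 2865), so anyone holding the secret and a capture can recover it, and the Message-Authenticator attribute is an HMAC-MD5 over the whole packet (RFC 3579) that is the only thing preventing a forged request. The secret, MAC, NAS identifier, NAS port and NAS-Port-Id are taken from this page; the username format (MAC in lowercase without separators) is an assumption.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
# Attribute types (RFC 2865 / RFC 2869 / RFC 3579); the numbers match the accounting output on this page.
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5
CALLING_STATION_ID, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR, NAS_PORT_ID = 31, 32, 80, 87


def encode_attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret || previous block)."""
    pad = (-len(password)) % 16 if password else 16
    padded = password + b"\0" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def pap_decrypt(hidden, secret, authenticator):
    """Inverse of pap_encrypt: anyone holding the secret and the packet recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_access_request(identifier, secret, mac, nas_identifier, nas_port, nas_port_id, authenticator=None):
    """Access-Request as a switch doing MAC RADIUS would send it for one client MAC."""
    authenticator = authenticator or os.urandom(16)
    username = mac.replace(":", "").lower().encode()   # ASSUMED username format
    attrs = (encode_attr(USER_NAME, username)
             + encode_attr(USER_PASSWORD, pap_encrypt(username, secret, authenticator))
             + encode_attr(NAS_PORT, struct.pack("!I", nas_port))
             + encode_attr(CALLING_STATION_ID, mac.replace(":", "-").lower().encode())
             + encode_attr(NAS_IDENTIFIER, nas_identifier.encode())
             + encode_attr(NAS_PORT_ID, nas_port_id.encode()))
    # Message-Authenticator (RFC 3579 3.2): HMAC-MD5 over the whole packet with its own value zeroed.
    with_placeholder = attrs + encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(with_placeholder)) + authenticator
    tag = hmac.new(secret, header + with_placeholder, hashlib.md5).digest()
    return header + attrs + encode_attr(MESSAGE_AUTHENTICATOR, tag)


def parse_attrs(packet):
    """Return [(type, value), ...] from the attribute section of a RADIUS packet."""
    attrs, i = [], 20
    while i + 2 <= len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[i + 2:i + length]))
        i += length
    return attrs


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC with the Message-Authenticator value zeroed and compare."""
    i = 20
    while i + 2 <= len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2:
            return False
        if attr_type == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:i + 2] + bytes(16) + packet[i + length:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + length])
        i += length
    return False


if __name__ == "__main__":
    secret = b"Juniper123"   # shared secret from the mac-radius profile on this page
    pkt = build_access_request(1, secret, "d4:ae:52:ba:65:97", "EX2300", 561, "ge-0/0/6.0")
    print(pkt.hex())
    print("verifies with the right secret:", verify_message_authenticator(pkt, secret))
    print("verifies with a wrong secret:  ", verify_message_authenticator(pkt, b"guess"))
    print("recovered User-Password:       ", pap_decrypt(dict(parse_attrs(pkt))[USER_PASSWORD], secret, pkt[4:20]))
```

The recovered User-Password is just the MAC address again, which is the whole security story of MAC RADIUS: the credential is public information on the LAN, so the RADIUS exchange only proves that the switch and server share the secret, not that the device at the other end of ge-0/0/6.0 is the one you expect.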

Here are the quick configuration examples for a static MAC bypass:
# set protocols dot1x authenticator static d4:ae:52:ba:65:97
# set protocols dot1x authenticator static d4:ae:52:ba:65:97 interface ge-0/0/6.0
# set protocols dot1x authenticator static d4:ae:52:ba:65:97 interface ge-0/0/6.0 vlan-assignment V16

To apply our CentOS MAC address and bypass authentication altogether, remove the entire dot1x protocol hierarchy and then add the lines that enable the bypass:
# delete protocols dot1x
# set protocols dot1x authenticator interface ge-0/0/6.0 supplicant multiple 
# set protocols dot1x authenticator static d4:ae:52:ba:65:97/48 vlan-assignment V16
# set protocols dot1x authenticator static d4:ae:52:ba:65:97/48 interface ge-0/0/6.0
# commit


# run clear dot1x interface ge-0/0/6 

{master:0}[edit]
EX2300# run show dot1x interface ge-0/0/6     
802.1X Information:
Interface     Role           State           MAC address          User
ge-0/0/6.0    Authenticator  Connecting     

When you bring the interface up on the server it is placed in the correct VLAN without any RADIUS exchange, because the MAC address is statically mapped to the interface. Keep in mind what that gives an attacker: the switch is trusting a source MAC address, which any host can set at will, so static bypass belongs only on ports where a supplicant is genuinely impossible, and ideally lands the device in a tightly restricted VLAN.

# run show dot1x interface ge-0/0/6.0 detail    
ge-0/0/6.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: not configured
  Number of connected supplicants: 0

# run ping 172.16.30.11    
PING 172.16.30.11 (172.16.30.11): 56 data bytes
64 bytes from 172.16.30.11: icmp_seq=0 ttl=64 time=8.933 ms
^C
--- 172.16.30.11 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.933/8.933/8.933/0.000 ms
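As an added example (not from the book or from Juniper), here is a small Python audit that reads a switch's dot1x configuration in show | display set form and reports the bypasses and modes that weaken port authentication: every static MAC entry (spoofable), any static entry not pinned to an interface, masked entries that admit a whole range, and ports left in supplicant single mode, where every later host on the port rides on the first authentication. The sample configuration is constructed from the set commands above, plus lines for a ge-0/0/7.0 port and a masked static entry that exist only to exercise the checks.

```python
import re
from collections import defaultdict

# Constructed sample in `show | display set` form: the set commands from this
# section plus lines for ge-0/0/7.0 and a masked, interface-less static entry,
# added here purely to exercise the checks. Not captured from a real switch.
SAMPLE_CONFIG = """\
set protocols dot1x authenticator authentication-profile-name mac-radius
set protocols dot1x authenticator interface ge-0/0/6.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/6.0 mac-radius restrict
set protocols dot1x authenticator interface ge-0/0/7.0 supplicant single
set protocols dot1x authenticator interface ge-0/0/7.0 mac-radius
set protocols dot1x authenticator static d4:ae:52:ba:65:97/48 vlan-assignment V16
set protocols dot1x authenticator static d4:ae:52:ba:65:97/48 interface ge-0/0/6.0
set protocols dot1x authenticator static 00:11:22:00:00:00/24
"""

IFACE_RE = re.compile(r"^set protocols dot1x authenticator interface (\S+) (.+)$")
STATIC_RE = re.compile(r"^set protocols dot1x authenticator static (\S+)(?: (\S+) (\S+))?$")


def parse_dot1x(config):
    """Return ({interface: settings}, {static-mac: settings}) from set-style config."""
    ifaces = defaultdict(lambda: {"supplicant": "single",   # Junos default mode
                                  "mac_radius": False, "restrict": False})
    statics = defaultdict(lambda: {"interface": None, "vlan": None})
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            name, words = m.group(1), m.group(2).split()
            if words[0] == "supplicant":
                ifaces[name]["supplicant"] = words[1]
            elif words[0] == "mac-radius":
                ifaces[name]["mac_radius"] = True
                ifaces[name]["restrict"] = "restrict" in words
            continue
        m = STATIC_RE.match(line)
        if m:
            mac, key, value = m.groups()
            entry = statics[mac]          # creates the entry even with no tail
            if key == "interface":
                entry["interface"] = value
            elif key == "vlan-assignment":
                entry["vlan"] = value
    return dict(ifaces), dict(statics)


def audit(config):
    """One finding per weakness; an empty list means nothing to report."""
    ifaces, statics = parse_dot1x(config)
    findings = []
    for mac, entry in statics.items():
        where = entry["interface"] or "EVERY dot1x interface"
        findings.append(f"static bypass {mac} on {where}: trusts a source MAC, "
                        f"which any host can spoof")
        prefix = int(mac.split("/")[1]) if "/" in mac else 48
        if prefix < 48:
            findings.append(f"static bypass {mac}: mask /{prefix} admits "
                            f"{2 ** (48 - prefix)} addresses")
    for name, entry in sorted(ifaces.items()):
        if entry["supplicant"] == "single":
            findings.append(f"{name}: supplicant single lets every later host on the port "
                            f"ride the first one's authentication; use single-secure or multiple")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show configuration | display set from a real switch; the checks are deliberately conservative, so every static entry is reported and it is up to you to justify each one.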

To generate the self-signed certificate we jump onto our CentOS 7 server, which has OpenSSL installed. A PEM (Privacy Enhanced Mail) file is simply the Base64 text encoding OpenSSL uses for keys, certificates and certificate signing requests (CSRs). Because we pass -x509, the command below skips the CSR step and produces a self-signed certificate directly; -nodes leaves the private key unencrypted, and naming the same file for -keyout and -out puts both the key and the certificate into one PEM file that the switch can load for the HTTPS captive portal. Whatever you enter as Common Name is what browsers compare against the portal address; with a self-signed certificate and a CN of EX every client will get a certificate warning, which is fine in the lab but trains users to click through warnings in production, where a certificate from a CA the clients trust, carrying the portal's name, is the right answer:
$ openssl req -x509 -nodes -newkey rsa:2048 -keyout captive-portal.pem -out captive-portal.pem
Generating a 2048 bit RSA private key
................................+++
........................................+++
writing new private key to 'captive-portal.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:IL
Locality Name (eg, city) [Default City]:Day One 
Organization Name (eg, company) [Default Company Ltd]:Juniper
Organizational Unit Name (eg, section) []:System Engineering
Common Name (eg, your name or your server's hostname) []:EX
Email Address []:lab@juniper.net

$ ls -al captive-portal.pem 
-rw-rw-r-- 1 lab lab 3136 Jun 23 13:47 captive-portal.pem

$ scp captive-portal.pem lab@192.168.2.6:/var/tmp/
captive-portal.pem  
100% 3136     3.1KB/s   00:00

Note the permissions (-rw-rw-r--): this file holds the private key, so chmod 600 it before copying it around, and remember that /var/tmp on the switch is readable by every login user. Now that you have generated the certificate and copied it to the switch, tell the switch where to find it and load it under the security hierarchy:
# set security certificates local captive-portal load-key-file /var/tmp/captive-portal.pem 

Then apply the rest of the captive portal configuration. First reference the certificate you just loaded from the system services web-management hierarchy so the HTTPS listener uses it:
# set system services web-management https local-certificate captive-portal

Next enable HTTP and HTTPS on the portal's Layer 3 interface through the web-management hierarchy. (You could use a wildcard here if you have a lot of interfaces.) HTTP stays enabled alongside HTTPS so the client's initial plain-HTTP request can still be captured and redirected; with secure-authentication https the login form itself is served over HTTPS:
# set system services web-management https interface irb.16
# set system services web-management http interface irb.16
		
Then tell captive-portal to use secure authentication over HTTPS, bind it to the access port, and supply the URL the client is redirected to once it has authenticated through the portal:
# set services captive-portal secure-authentication https
# set services captive-portal interface ge-0/0/6.0
# set services captive-portal custom-options post-authentication-url http://192.168.2.5
# commit 
configuration check succeeds
		commit complete
Once the configuration is committed, check the status. The outputs below show the progression: first the port waiting for a client, then the client's MAC address seen with no user logged in yet, and finally labuser1 authenticated.
# run show captive-portal interface ge-0/0/6.0 
Captive Portal Information:
Interface      State           MAC address          User           Fallen back
ge-0/0/6.0     Connecting                                          No   

# run show captive-portal interface ge-0/0/6.0 detail 
ge-0/0/6.0
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Configured CP session timeout: 3600 seconds
  Server timeout: 15 seconds
  CP fallen back: No
		 
EX2300# run show captive-portal interface ge-0/0/6.0 
Captive Portal Information:
Interface      State           MAC address          User           Fallen back
ge-0/0/6.0     Connecting      d4:ae:52:ba:65:97    No User        No   

EX2300# run show captive-portal interface ge-0/0/6.0    
Captive Portal Information:
Interface      State           MAC address          User           Fallen back
ge-0/0/6.0     Authenticated   d4:ae:52:ba:65:97    labuser1       No   


#### Chapter 12

#### Configuring EX Series Firewalls and Policers 
#### Configuring Policers and Firewalls 

# set firewall family ?
Possible completions:
> any                  Protocol-independent filter
> ethernet-switching   Protocol family Ethernet Switching for firewall filter
> inet                 Protocol family IPv4 for firewall filter
> inet6                Protocol family IPv6 for firewall filter 

All Junos devices have built-in policers that protect the Routing Engine (the control plane). You can see some of these with the show policer command, like so:
EX4300-6_7-VC> show policer ?
Possible completions:
  <[Enter]>            Execute this command
  <policer>            Policer name
  __auto_policer_template_1__  
  __auto_policer_template_2__  
  __auto_policer_template_3__  
  __auto_policer_template_4__  
  __auto_policer_template_5__  
  __auto_policer_template_6__  
  __auto_policer_template_7__  
  __auto_policer_template_8__  
  __auto_policer_template__  
  __cfm_filter_shared_lc__  
  __default_arp_policer__  
  __dhcpv6__           
  __jdhcpd__           
  __jdhcpd_l2_snoop_filter__  
  |                    Pipe through a command
{master:1}
EX4300-6_7-VC> show policer __default_arp_policer__ 
Policers:
Name                                                Bytes              Packets
__default_arp_policer__                                 0                    0

Setting the limits pretty low (the lowest that is accepted in fact) so we can trigger the discard and see how it is working:
# set groups DO_POLICER firewall policer HTTP-DISCARD if-exceeding bandwidth-limit 32k
# set groups DO_POLICER firewall policer HTTP-DISCARD if-exceeding burst-size-limit 1500
# set groups DO_POLICER firewall policer HTTP-DISCARD then discard

Next create a firewall filter to use the policer that we’ve created:
# set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-HTTP from protocol tcp
# set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-HTTP from destination-port http
# set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-HTTP then policer HTTP-DISCARD
# set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-HTTP then count http.counter
# set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-HTTP then log
# set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term ACCEPT-REST then accept

Note that we included the ACCEPT-REST term to accept everything else: every Junos firewall filter ends with an implicit discard, so without it all non-HTTP traffic on the interface would be dropped. Now apply the group DO_POLICER:
# set apply-groups DO_POLICER
# commit

Now you have a policer and a firewall filter, but the filter is not yet applied to interface ge-0/0/6.0. Before applying it, clear the interface statistics so you start from a clean slate.
EX2300# run clear interfaces statistics all 

And now let’s apply the firewall filter to the interface:  
EX2300# set interfaces ge-0/0/6.0 family inet filter input HTTP-DISCARD-IN 
EX2300# commit 
configuration check succeeds
commit complete

EX2300# run show firewall filter HTTP-DISCARD-IN    
Filter: HTTP-DISCARD-IN                                        
Counters:
Name                                                Bytes              Packets
http.counter                                            0                    0
Policers:
Name                                                Bytes              Packets
HTTP-DISCARD-LIMIT-HTTP                                 0                    0

Everything is in place now: 1) the policer, 2) the firewall filter, and 3) the filter applied to the interface. Now let's run a test from the client connected on port ge-0/0/6 to the web server connected on port ge-0/0/9.
$ sudo hping3 -i u10 -S -p 80 -c 30  192.168.2.5 
HPING 192.168.2.5 (em2 192.168.2.5): S set, 40 headers + 0 data bytes
len=46 ip=192.168.2.5 ttl=63 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms
len=46 ip=192.168.2.5 ttl=63 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=0.5 ms
len=46 ip=192.168.2.5 ttl=63 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=0.4 ms
...
len=46 ip=192.168.2.5 ttl=63 DF id=0 sport=80 flags=SA seq=28 win=29200 rtt=0.1 ms
len=46 ip=192.168.2.5 ttl=63 DF id=0 sport=80 flags=SA seq=29 win=29200 rtt=0.1 ms
--- 192.168.2.5 hping statistic ---
30 packets transmitted, 23 packets received, 24% packet loss
round-trip min/avg/max = 0.1/0.4/0.7 ms

I ran the above three times in quick succession, and then we look at the firewall filter and its counters. Note that the term counter counts every packet that matched LIMIT-HTTP, while the policer counter counts only the packets that exceeded the limit and were discarded.

# run show firewall filter HTTP-DISCARD-IN    
Filter: HTTP-DISCARD-IN                                        
Counters:
Name                                                Bytes              Packets
http.counter                                        11520                  180
Policers:
Name                                                Bytes              Packets
HTTP-DISCARD-LIMIT-HTTP                              5952                   93

One last thing: you can keep adding terms to the same filter to count, log or drop other protocols on a per-filter basis. Let's add a term that discards SSH. (Junos also offers then reject, which sends an ICMP unreachable back to the sender; discard drops silently, which is what you want on a filter meant to shed unwanted traffic, since generating rejects is itself work for the switch.)
EX2300# set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-SSH from destination-port ssh
EX2300# set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-SSH then count ssh.counter
EX2300# set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-SSH then discard

Now this is VERY important. When you add terms to a firewall filter they are placed at the end of the filter, and terms are evaluated top-down with the first match winning. In this case the three commands above land below the ACCEPT-REST term, so unless you change the order all SSH traffic matches ACCEPT-REST, is accepted, and never reaches LIMIT-SSH.
# show | display set | match DO_POLICER
…
set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term ACCEPT-REST then accept
set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-SSH from destination-port ssh
So you need to move the LIMIT-SSH term above the ACCEPT-REST term, and the easy way to do that is the insert command:
EX2300# insert groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-SSH before term ACCEPT-REST
EX2300# commit

And now you can see that the order is correct:
EX2300# show | display set | match DO_PO 
set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-HTTP from destination-port http
set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-HTTP then policer HTTP-DISCARD
set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-HTTP then count http.counter
set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-HTTP then log
set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-SSH from destination-port ssh
set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-SSH then count ssh.counter
set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term LIMIT-SSH then discard
set groups DO_POLICER firewall family inet filter HTTP-DISCARD-IN term ACCEPT-REST then accept
set groups DO_POLICER firewall policer HTTP-DISCARD if-exceeding bandwidth-limit 32k
set groups DO_POLICER firewall policer HTTP-DISCARD if-exceeding burst-size-limit 1500
set groups DO_POLICER firewall policer HTTP-DISCARD then discard
set apply-groups DO_POLICER

Now we can send some SSH packets through the interface and see if they are discarded.

# run show firewall filter HTTP-DISCARD-IN    
Filter: HTTP-DISCARD-IN                                        
Counters:
Name                                                Bytes              Packets
http.counter                                        11520                  180
ssh.counter                                          3840                   60
Policers:
Name                                                Bytes              Packets
HTTP-DISCARD-LIMIT-HTTP                              5504                   86
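Added example, not Junos code: a Python model of how a filter evaluates its terms and how the policer decides. It reproduces two things from this section. First, term order: with LIMIT-SSH appended below ACCEPT-REST an SSH packet is accepted, and after the equivalent of insert ... before term ACCEPT-REST it is discarded, while a packet matching no term hits the implicit discard. Second, the 32k/1500-byte policer fed 30 SYNs 10 microseconds apart, charged at the 64 bytes per packet the counters above show. The policer is a textbook single-rate token bucket, not Juniper's PFE implementation, so treat its agreement with the 23-of-30 figure as illustration rather than proof.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not Junos code. Terms are evaluated top-down, first match
# wins, and a packet that matches nothing hits the implicit discard at the end
# of every filter. The policer is a textbook single-rate token bucket; the EX
# PFE's hardware policer differs in detail, so the numbers are illustrative.


@dataclass
class Packet:
    t: float            # arrival time in seconds
    proto: str          # "tcp", "udp", "icmp", ...
    dport: int
    length: int = 64    # bytes charged per packet; the counters above show 64/packet


class Policer:
    """if-exceeding bandwidth-limit <bps> burst-size-limit <bytes>; then discard."""

    def __init__(self, bandwidth_bps, burst_bytes):
        self.rate = bandwidth_bps / 8.0      # refill rate in bytes per second
        self.burst = float(burst_bytes)      # bucket depth
        self.tokens = self.burst
        self.last = 0.0
        self.discarded = 0

    def conforms(self, pkt):
        # Refill for the time elapsed since the last packet, capped at the burst.
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last) * self.rate)
        self.last = pkt.t
        if pkt.length <= self.tokens:
            self.tokens -= pkt.length
            return True
        self.discarded += 1
        return False


@dataclass
class Term:
    name: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    action: str = "accept"          # a term with no terminating action accepts
    policer: Optional[Policer] = None
    count: int = 0                  # `then count <name>`

    def matches(self, pkt):
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport))


class Filter:
    def __init__(self, terms):
        self.terms = list(terms)

    def insert_before(self, name, before):
        """Model `insert ... term <name> before term <before>`."""
        moving = next(t for t in self.terms if t.name == name)
        self.terms.remove(moving)
        idx = next(i for i, t in enumerate(self.terms) if t.name == before)
        self.terms.insert(idx, moving)

    def apply(self, pkt):
        for term in self.terms:
            if term.matches(pkt):
                term.count += 1
                if term.policer is not None and not term.policer.conforms(pkt):
                    return "discard"            # the policer's own `then discard`
                return term.action
        return "discard"                        # implicit discard at end of filter


def build_filter():
    """HTTP-DISCARD-IN as it stands right after LIMIT-SSH is added: Junos
    appends new terms, so LIMIT-SSH lands below ACCEPT-REST."""
    return Filter([
        Term("LIMIT-HTTP", proto="tcp", dport=80, policer=Policer(32_000, 1500)),
        Term("ACCEPT-REST"),
        Term("LIMIT-SSH", proto="tcp", dport=22, action="discard"),
    ])


def ssh_verdict(reordered):
    """Verdict for one SSH packet before/after moving LIMIT-SSH above ACCEPT-REST."""
    f = build_filter()
    if reordered:
        f.insert_before("LIMIT-SSH", "ACCEPT-REST")
    return f.apply(Packet(0.0, "tcp", 22))


def http_burst(n=30, interval=10e-6):
    """n SYNs one `interval` apart, like `hping3 -i u10 -S -p 80 -c 30`.
    Returns (accepted, discarded)."""
    f = build_filter()
    verdicts = [f.apply(Packet(i * interval, "tcp", 80)) for i in range(n)]
    return verdicts.count("accept"), verdicts.count("discard")


if __name__ == "__main__":
    print("SSH before insert:", ssh_verdict(False), " after insert:", ssh_verdict(True))
    print("HTTP burst accepted/discarded:", http_burst())
```

The burst result comes straight from the bucket arithmetic: 1500 bytes of credit covers 23 frames of 64 bytes, and at 32 kbps the bucket refills only about 0.04 bytes per 10-microsecond gap, so nothing is regained during the burst and the remaining 7 frames are discarded.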

#### Monitoring Ternary Content Addressable Memory (TCAM) 

ELS
To demonstrate how to monitor your filter and TCAM limits, let's create some simple input and output firewall filters and apply them to the EX2300 in the lab (EX2300-16 in the transcript). Then a show command reveals how many filter entries have been used and how many are left for ingress and egress. Here are the two very simple firewall filters applied to the switch:
EX2300-16# show firewall | display set 
set firewall family inet filter RE-PROTECT term LOG-SSH from protocol tcp
set firewall family inet filter RE-PROTECT term LOG-SSH from destination-port 22
set firewall family inet filter RE-PROTECT term LOG-SSH then count SSH-COUNTER
set firewall family inet filter RE-PROTECT term LOG-SSH then log
set firewall family inet filter RE-PROTECT term LOG-SSH then accept
set firewall family inet filter RE-PROTECT term ACCEPT-ALL then accept
set firewall family inet filter OUTGOING-SSH term SSH-OUT from protocol tcp
set firewall family inet filter OUTGOING-SSH term SSH-OUT from destination-port 22
set firewall family inet filter OUTGOING-SSH term SSH-OUT then count SSH-EGRESS
set firewall family inet filter OUTGOING-SSH term SSH-OUT then accept
set firewall family inet filter OUTGOING-SSH term ALLOW-ALL then accept

Now let’s apply them to our interfaces. First, apply the RE-PROTECT to the input of the loopback 0 interface and then the OUTGOING-SSH filter to the output of irb.100:
EX2300-16# set interfaces lo0.0 family inet filter input RE-PROTECT
EX2300-16# set interfaces irb.100 family inet filter output OUTGOING-SSH
EX2300-16# commit 
configuration check succeeds
commit complete

Once we have those in place we can check our filter utilization.

EX2300-16> show pfe filter hw summary 
Slot 0
Group                    Group-ID       Allocated      Used           Free
---------------------------------------------------------------------------
> Ingress filter groups:
  iRACL group            33             128            8              120
> Egress filter groups:
  eRACL group            54             128            4              124

It should be noted that the filter entry limit is per switch, or more precisely per Packet Forwarding Engine (each Slot in the output). So in a Virtual Chassis a member that has no filters applied still has all of its entries free, like so:
EX2300-8_9-VC> show pfe filter hw summary 
Slot 0
Group                    Group-ID       Allocated      Used           Free
---------------------------------------------------------------------------
> Ingress filter groups:
  iPACL group            25             128            3              125
> Egress filter groups:
Slot 1
Group                    Group-ID       Allocated      Used           Free
---------------------------------------------------------------------------
> Ingress filter groups:
> Egress filter groups:
Slot
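Added example, not Juniper code: a Python parser for show pfe filter hw summary that turns the per-slot table into records and flags any group whose free entries drop below a headroom threshold, which is what you would wire into monitoring rather than eyeballing the table on each switch. The sample output is constructed by combining the two outputs above, including the truncated trailing Slot line, so the parser is exercised on exactly what the CLI printed.

```python
import re

# Constructed sample: slot 0 from the EX2300-16 output and the Virtual Chassis
# rows above pasted together, including the truncated trailing "Slot" line.
SAMPLE_OUTPUT = """\
Slot 0
Group                    Group-ID       Allocated      Used           Free
---------------------------------------------------------------------------
> Ingress filter groups:
  iRACL group            33             128            8              120
> Egress filter groups:
  eRACL group            54             128            4              124
Slot 1
Group                    Group-ID       Allocated      Used           Free
---------------------------------------------------------------------------
> Ingress filter groups:
  iPACL group            25             128            3              125
> Egress filter groups:
Slot
"""

SLOT_RE = re.compile(r"^Slot\s+(\d+)\s*$")
DIRECTION_RE = re.compile(r"^>\s+(Ingress|Egress) filter groups:")
GROUP_RE = re.compile(r"^\s+(\S+ group)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_filter_summary(text):
    """Return [{slot, direction, group, allocated, used, free}, ...]."""
    rows, slot, direction = [], None, None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:                                   # a bare "Slot" with no number is ignored
            slot, direction = int(m.group(1)), None
            continue
        m = DIRECTION_RE.match(line)
        if m:
            direction = m.group(1).lower()
            continue
        m = GROUP_RE.match(line)
        if m and slot is not None and direction:
            group, _group_id, allocated, used, free = m.groups()
            rows.append({"slot": slot, "direction": direction, "group": group,
                         "allocated": int(allocated), "used": int(used), "free": int(free)})
    return rows


def check_headroom(rows, min_free_pct=20):
    """Flag groups with less than min_free_pct free, and rows whose numbers
    do not add up (which usually means the output format changed)."""
    alerts = []
    for r in rows:
        if r["allocated"] == 0:
            continue
        if r["used"] + r["free"] != r["allocated"]:
            alerts.append(f"slot {r['slot']} {r['group']}: used+free != allocated, check parser")
        pct = 100.0 * r["free"] / r["allocated"]
        if pct < min_free_pct:
            alerts.append(f"slot {r['slot']} {r['direction']} {r['group']}: "
                          f"{r['free']}/{r['allocated']} free ({pct:.0f}%)")
    return alerts


if __name__ == "__main__":
    rows = parse_filter_summary(SAMPLE_OUTPUT)
    for r in rows:
        print(r)
    print(check_headroom(rows, min_free_pct=95) or "headroom OK")
```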

While you are applying filters, it is a good idea to send the firewall facility's logs to your user-id, the console, or a syslog file. Bear in mind that the severity is a floor: emergency, as used below, keeps only the most severe messages. The then log action in our filter writes to the in-memory firewall log (run show firewall log); a then syslog action sends entries to the firewall facility at info severity, so to actually see those hits use info or any instead of emergency.
You can do this with the following commands:
EX2300-16# set system syslog user lab firewall emergency 
EX2300-16# set system syslog console firewall emergency 
EX2300-16# set system syslog file FIREWALL firewall emergency 

The pfe facility carries messages from the Packet Forwarding Engine, including TCAM allocation failures, so on these platforms it is worth capturing as well:
EX4600-4_5-VC# set system syslog user lab pfe emergency 
EX4600-4_5-VC# set system syslog console pfe emergency 
EX4600-4_5-VC# set system syslog file PFE_TCAM pfe emergency

#### Configuring Class of Service (CoS)
EX3400-10_11-VC> file list /etc/config 
/etc/config:
ex3400-24p-defaults.conf@ -> /packages/mnt/junos-runtime-ex/etc/config/ex3400-24p-defaults.conf
ex3400-24p-factory.conf@ -> /packages/mnt/junos-runtime-ex/etc/config/ex3400-24p-factory.conf
ex3400-24t-defaults.conf@ -> /packages/mnt/junos-runtime-ex/etc/config/ex3400-24t-defaults.conf
ex3400-24t-factory.conf@ -> /packages/mnt/junos-runtime-ex/etc/config/ex3400-24t-factory.conf
ex3400-48p-defaults.conf@ -> /packages/mnt/junos-runtime-ex/etc/config/ex3400-48p-defaults.conf
ex3400-48p-factory.conf@ -> /packages/mnt/junos-runtime-ex/etc/config/ex3400-48p-factory.conf
ex3400-48t-defaults.conf@ -> /packages/mnt/junos-runtime-ex/etc/config/ex3400-48t-defaults.conf
ex3400-48t-factory.conf@ -> /packages/mnt/junos-runtime-ex/etc/config/ex3400-48t-factory.conf
ezqos-voip.conf@ -> /packages/mnt/junos-runtime-ex/etc/config/ezqos-voip.conf
ezsetup-tvp.conf@ -> /packages/mnt/junos-runtime-ex/etc/config/ezsetup-tvp.conf
junos-defaults.conf@ -> /packages/mnt/junos-runtime/etc/config/junos-defaults.conf
junos-factory.conf@ -> /packages/mnt/junos-runtime/etc/config/junos-factory.conf
junos-fips-defaults.conf@ -> /packages/mnt/junos-runtime/etc/config/junos-fips-defaults.conf
l2ng-autoimage.conf@ -> /packages/mnt/junos-runtime-ex/etc/config/l2ng-autoimage.conf
pvi-model-factory.conf@ -> /etc/config/ex3400-24t-factory.conf
shmlog/
subs-mgmt-proc-set@ -> /packages/mnt/junos-runtime/etc/config/subs-mgmt-proc-set
{master:0}
lab@EX3400-10_11-VC> 

Let’s use the predefined ezqos-voip.conf file that is located in the /etc/config directory. To load the EZQOS configs perform the following:
# load merge /etc/config/ezqos-voip.conf 
load complete

WARNING	Make sure you use the merge keyword and not the override keyword when doing this load. Use the show | compare command to check your work and use commit confirmed when committing this, just to be safe. You don’t want to blow away your entire configuration.
# set apply-groups ezqos-voip 
# commit

Now you have a complete CoS profile with very little learning curve. Let's take a look at the actual configuration that was applied.

# show | display set | match ezqos
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier import default
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-voice-fc loss-priority low code-points 101110
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-control-fc loss-priority low code-points 110000
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-control-fc loss-priority low code-points 011000
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-control-fc loss-priority low code-points 011010
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-control-fc loss-priority low code-points 111000
set groups ezqos-voip class-of-service classifiers dscp ezqos-dscp-classifier forwarding-class ezqos-video-fc loss-priority low code-points 100010
set groups ezqos-voip class-of-service forwarding-classes class ezqos-best-effort queue-num 0
set groups ezqos-voip class-of-service forwarding-classes class ezqos-video-fc queue-num 4
set groups ezqos-voip class-of-service forwarding-classes class ezqos-voice-fc queue-num 5
set groups ezqos-voip class-of-service forwarding-classes class ezqos-control-fc queue-num 7
set groups ezqos-voip class-of-service scheduler-maps ezqos-voip-sched-maps forwarding-class ezqos-voice-fc scheduler ezqos-voice-scheduler
set groups ezqos-voip class-of-service scheduler-maps ezqos-voip-sched-maps forwarding-class ezqos-control-fc scheduler ezqos-control-scheduler
set groups ezqos-voip class-of-service scheduler-maps ezqos-voip-sched-maps forwarding-class ezqos-video-fc scheduler ezqos-video-scheduler
set groups ezqos-voip class-of-service scheduler-maps ezqos-voip-sched-maps forwarding-class ezqos-best-effort scheduler ezqos-data-scheduler
set groups ezqos-voip class-of-service schedulers ezqos-voice-scheduler buffer-size percent 20
set groups ezqos-voip class-of-service schedulers ezqos-voice-scheduler priority strict-high
set groups ezqos-voip class-of-service schedulers ezqos-control-scheduler buffer-size percent 10
set groups ezqos-voip class-of-service schedulers ezqos-control-scheduler priority strict-high
set groups ezqos-voip class-of-service schedulers ezqos-video-scheduler transmit-rate percent 70
set groups ezqos-voip class-of-service schedulers ezqos-video-scheduler buffer-size percent 20
set groups ezqos-voip class-of-service schedulers ezqos-video-scheduler priority low
set groups ezqos-voip class-of-service schedulers ezqos-data-scheduler transmit-rate percent 30
set groups ezqos-voip class-of-service schedulers ezqos-data-scheduler buffer-size percent 50
set groups ezqos-voip class-of-service schedulers ezqos-data-scheduler priority low

To apply the DSCP classifier to an ingress interface, configure it under the class-of-service hierarchy:
EX2300# set class-of-service interfaces ge-0/0/6 unit 0 classifiers dscp ezqos-dscp-classifier

The class-of-service hierarchy is also used to apply the scheduler to an interface.
EX2300# set class-of-service interfaces ge-0/0/9 scheduler-map ezqos-voip-sched-maps

Now once that is committed you should have a CoS path for our traffic. 
EX2300# run show class-of-service interface ge-0/0/6 
Physical interface: ge-0/0/6, Index: 654

#### Configuring Storm Control

The configuration for storm control is pretty straightforward. First, define your storm control profile:
# set forwarding-options storm-control-profiles default all

Then bind the profile to the access ports. The wildcard range form applies one set command to a whole range of interfaces:
# wildcard range set interfaces ge-0/0/[0-8,11] unit 0 family ethernet-switching storm-control default

The same apply-groups pattern works for port mirroring. This analyzer copies ingress traffic from ge-0/0/6.0 and ge-0/0/8.0 to the output interface ge-0/0/9.0:
# set groups PM forwarding-options analyzer PM-MONITOR input ingress interface ge-0/0/6.0
# set groups PM forwarding-options analyzer PM-MONITOR input ingress interface ge-0/0/8.0
# set groups PM forwarding-options analyzer PM-MONITOR output interface ge-0/0/9.0
# set apply-groups PM

#### Chapter 13

#### Configuring Media Access Control Security (MACSec)

Before the upgrade the software version showed as:
EX4300-6_7-VC> show version 
fpc0:
--------------------------------------------------------------------------
Hostname: EX4300-6_7-VC
Model: ex4300-24t
Junos: 14.1X53-D35.3
Without the controlled (MACsec-capable) Junos image there is no way to configure MACsec, as this attempt shows:
EX4600-4_5-VC# set security mac   
                                                   ^
syntax error.
EX4600-4_5-VC# set security ?     
Possible completions:
> alarms               Configure security alarms
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> authentication-key-chains  Authentication key chain configuration
> certificates         X.509 certificate configuration
> group-vpn            Group VPN configuration
> ike                  IKE configuration
> ipsec                IPSec configuration
> log                  Configure auditable security logs
> pki                  PKI service configuration
> ssh-known-hosts      SSH known host list
> traceoptions         Trace options for IPSec key management

There is no macsec keyword present. After the upgrade you can see the difference in the command set:

EX4300-6_7-VC> show version detail | match macsec 
macsec-actions-dd release 14.1X53-D45.3 built by builder on 2017-07-28 03:34:29 UTC
macsec-actions-dd release 14.1X53-D45.3 built by builder on 2017-07-28 03:34:29 UTC

And you can now see that the macsec hierarchy is enabled and ready for us to configure:
EX4300-6_7-VC# set security ?      
Possible completions:
> alarms               Configure security alarms
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> authentication-key-chains  Authentication key chain configuration
> certificates         X.509 certificate configuration
> group-vpn            Group VPN configuration
> ike                  IKE configuration
> ipsec                IPSec configuration
> log                  Configure auditable security logs
> macsec               MAC Security configuration
> pki                  PKI service configuration
> ssh-known-hosts      SSH known host list
> traceoptions         Trace options for IPSec key management

After the upgrade to a MACSec-capable Junos, the next step is to acquire and load the MACSec license.
MACSec Feature License
MACSec is not ubiquitous yet, but it has a bright future, especially in the Federal and financial verticals. The MACSec license is separate from any EFL (enhanced feature license) already present on the system, so you will need to contact your account team to purchase it for your network.
The license for the EX3400, for example, looks like this:
Serial No :              NV0216340092
Features :               EX-QFX-MACSEC-ACC : MACSEC License for 1G Access platforms - EX3300, EX3400, EX4300 and EX4200
Issue Date :             05-AUG-2017
License Key : 
Junos942854 aeaqia qmjzld amrrgy ztimbq hezama uqomds
            rwvvr6 ikzuoc heglnu tabzcr urdthx wynwdx
            7zu6ny wlynqk wlyrww t3jmfg rhayaw ky

And we can apply it just like any other software license:
EX3400-10_11-VC> request system license add terminal 
[Type ^D at a new line to end input,
 enter blank line between each license key]
Serial No :              NV0216340092
Features :               EX-QFX-MACSEC-ACC : MACSEC License for 1G Access platforms - EX3300, EX3400, EX4300 and EX4200
Issue Date :             05-AUG-2017
License Key : 
Junos942854 aeaqia qmjzld amrrgy ztimbq hezama uqomds
            rwvvr6 ikzuoc heglnu tabzcr urdthx wynwdx
            7zu6ny wlynqk wlyrww t3jmfg rhayaw ky
Junos942854: successfully added
add license complete (no errors)
And once it is loaded you can see that the feature is licensed:
EX3400-10_11-VC> show system license 
License usage: 
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed 
  ospf3                                 0            1           0    permanent
  ripng                                 0            1           0    permanent
  ospf2                                 1            1           0    permanent
  bfd-liveness-detection                0            1           0    permanent
  unicast-rpf                           0            1           0    permanent
  virtual-router                        1            1           0    permanent
  igmp                                  0            1           0    permanent
  pim-mode                              0            1           0    permanent
  pim-ssm                               0            1           0    permanent
  connectivity-fault-management         0            1           0    permanent
  vrrp                                  0            1           0    permanent
  dot1q-tunneling                       0            1           0    permanent
  svlan                                 0            1           0    permanent
  services-rpm                          0            1           0    permanent
  juniper-msdp                          0            1           0    permanent
  multicast-listener-discovery          0            1           0    permanent
  gr-ifd                                0            1           0    permanent
  macsec                                0            1           0    permanent
Licenses installed: 
  License identifier: Junos942358
  License version: 4
  Valid for device: NV0216340092
  Features:
    extended-feature-list - Licensed extended feature list
      permanent
  License identifier: Junos942854
  License version: 4
  Valid for device: NV0216340092
  Features:
    macsec-feature-list - Licensed MACsec feature
      permanent

First set the connectivity-association:
EX4300-6_7-VC# set security macsec connectivity-association ex4300-to-ex4600

Next, set the security mode to static-cak, which is the recommended mode. The other options are static-sak (manually configured SAKs, no MKA key exchange) and dynamic (the CAK is derived from an 802.1X EAP exchange):
EX4300-6_7-VC# set security macsec connectivity-association ex4300-to-ex4600 security-mode static-cak

Once you have the security mode you need a CKN (CAK name), 64 hexadecimal digits, i.e. 32 bytes:
EX4300-6_7-VC# set security macsec connectivity-association ex4300-to-ex4600 pre-shared-key ckn 080520171913c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2

We also need the pre-shared CAK itself, 32 hexadecimal digits, i.e. a 16-byte key for GCM-AES-128. The values here are lab values from the book; notice that this CAK is literally the first 32 digits of the CKN above, and that the CKN is transmitted in the clear in every MKA PDU as the key identifier. Never construct real keys this way: generate both the CKN and the CAK from a cryptographically secure random source, and treat the CAK as a secret in the configuration and in any configuration backups.
EX4300-6_7-VC# set security macsec connectivity-association ex4300-to-ex4600 pre-shared-key cak 080520171913c2c45ddd012aa5bc8ef2

The MKA key-server-priority determines which switch becomes the key server. The lowest value wins, so setting the priority to 0 ensures that switch is elected key server; the default priority is 16.
EX4300-6_7-VC# set security macsec connectivity-association ex4300-to-ex4600 mka key-server-priority 16

Once the link is up and MACSec is established, all traffic between the two switches is encrypted. There is an option to leave the frames in clear text if traffic needs to be viewed for troubleshooting (the no-encryption keyword after the CA name); the frames are then still integrity-protected by MACSec, only confidentiality is removed. Now the matching configuration on the EX4600 side, with the same keys and a lower key-server priority:
EX4600-4_5-VC# set security macsec connectivity-association EX4300-to-EX4600 security-mode static-cak
EX4600-4_5-VC# set security macsec connectivity-association EX4300-to-EX4600 pre-shared-key ckn 080520171913c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2 
EX4600-4_5-VC# set security macsec connectivity-association EX4300-to-EX4600 pre-shared-key cak 080520171913c2c45ddd012aa5bc8ef2  
EX4600-4_5-VC# set security macsec connectivity-association EX4300-to-EX4600 mka key-server-priority 0 
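Added example, not Junos code: a Python helper that generates a CKN/CAK pair from the operating system's CSPRNG, checks a pair for the mistakes discussed above (wrong length, non-hex characters, a CAK contained in the CKN) and emits the connectivity-association commands for one side, so both switches are configured from the same generated values. The replay-protect line goes one step beyond the configuration in this chapter, where replay protection is left off; the CA name and priority are parameters you choose.

```python
import re
import secrets

# Added example, not Junos code. Generates and sanity-checks a static-CAK
# pre-shared key pair and prints the connectivity-association commands.
CKN_HEX_DIGITS = 64      # 32-byte CAK name, as configured in this chapter
CAK_HEX_DIGITS = 32      # 16-byte CAK for GCM-AES-128
HEX_RE = re.compile(r"^[0-9a-f]+$")


def generate_psk():
    """Fresh (ckn, cak) from the OS CSPRNG, as lower-case hex."""
    return (secrets.token_hex(CKN_HEX_DIGITS // 2),
            secrets.token_hex(CAK_HEX_DIGITS // 2))


def check_psk(ckn, cak):
    """Return a list of problems; an empty list means the pair is acceptable."""
    problems = []
    ckn, cak = ckn.lower(), cak.lower()
    if len(ckn) != CKN_HEX_DIGITS or not HEX_RE.match(ckn):
        problems.append(f"CKN must be {CKN_HEX_DIGITS} hex digits")
    if len(cak) != CAK_HEX_DIGITS or not HEX_RE.match(cak):
        problems.append(f"CAK must be {CAK_HEX_DIGITS} hex digits")
    # The CKN is carried in clear in every MKA PDU as the key identifier; the
    # CAK never leaves the switches. A CAK that is a substring of the CKN is
    # therefore readable by anyone sniffing the link.
    if cak and cak in ckn:
        problems.append("CAK appears inside the CKN, which MKA sends in the clear")
    return problems


def junos_commands(ca_name, ckn, cak, key_server_priority, replay_window=0):
    """Commands under [edit security macsec] for one side of the link.
    Use the same ckn/cak on both sides; the lower priority becomes key server."""
    base = f"set security macsec connectivity-association {ca_name}"
    return [
        f"{base} security-mode static-cak",
        f"{base} pre-shared-key ckn {ckn}",
        f"{base} pre-shared-key cak {cak}",
        f"{base} mka key-server-priority {key_server_priority}",
        f"{base} replay-protect replay-window-size {replay_window}",
    ]


if __name__ == "__main__":
    ckn, cak = generate_psk()
    assert check_psk(ckn, cak) == []
    # Key server side (priority 0) and the peer (default 16); CA name is an
    # example value, not tied to any particular switch.
    for priority in (0, 16):
        print(f"# priority {priority}")
        print("\n".join(junos_commands("EX4300-to-EX4600", ckn, cak, priority)))
```

Generate the pair once, on a host you trust, and deliver it to both switches over an authenticated channel; the script never prints the CAK anywhere except in the set commands you are about to paste.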

When the peer is an EX4300, the other switch has to enable include-sci on the connectivity association, which adds the 8-octet Secure Channel Identifier tag that EX4300s require on every frame. That is measurable per-frame overhead on an Ethernet interface, so only include it on interfaces facing EX4300s. Then bind the connectivity association to the interface:
EX4600-4_5-VC# set security macsec interfaces xe-1/0/0 connectivity-association EX4300-to-EX4600

Once the connectivity association is bound to an interface and the peer switch has the same pre-shared keys, all traffic between the two switches on that Ethernet segment is encrypted:
EX4300-6_7-VC# set security macsec interfaces xe-1/2/1 connectivity-association ex4300-to-ex4600    

EX4300-6_7-VC# commit 
To check the status of the connection use the show security macsec connections command. Note Replay protect: off in both outputs below; for a production link, turn on replay protection on the connectivity association so that captured frames cannot be replayed into the link.
EX4600-4_5-VC# run show security macsec connections 
    Interface name: xe-1/0/0
        CA name: EX4300-to-EX4600   
        Cipher suite: GCM-AES-128   Encryption: on
        Key server offset: 0        Include SCI: yes
        Replay protect: off         Replay window: 0
          Outbound secure channels
            SC Id: 64:64:9B:5F:F9:03/1
            Outgoing packet number: 22
            Secure associations
            AN: 0 Status: inuse Create time: 00:00:26
          Inbound secure channels
            SC Id: 4C:96:14:E4:66:20/1
            Secure associations
            AN: 0 Status: inuse Create time: 00:00:26

EX4300-6_7-VC# run show security macsec connections 
    Interface name: xe-1/2/1
        CA name: EX4300-to-EX4600   
        Cipher suite: GCM-AES-128   Encryption: on
        Key server offset: 0        Include SCI: yes
        Replay protect: off         Replay window: 0
          Outbound secure channels
            SC Id: 4C:96:14:E4:66:20/1
            Outgoing packet number: 27
            Secure associations
            AN: 0 Status: inuse Create time: 00:01:23
          Inbound secure channels
            SC Id: 64:64:9B:5F:F9:03/1
            Secure associations
            AN: 0 Status: inuse Create time: 00:01:23

EX4600-4_5-VC# run ping 10.1.0.4 count 50 rapid source 10.1.0.5 
PING 10.1.0.4 (10.1.0.4): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
--- 10.1.0.4 ping statistics ---
50 packets transmitted, 50 packets received, 0% packet loss
round-trip min/avg/max/stddev = 5.019/12.434/89.941/11.138 ms

With connectivity confirmed by the ping, check the interface's MACsec statistics to see that the packets are being protected:
EX4600-4_5-VC# run show security macsec statistics interface xe-1/0/0 
    Secure Channel transmitted
        Encrypted packets: 434
        Encrypted bytes:   33639
        Protected packets: 0
        Protected bytes:   0
    Secure Association transmitted
        Encrypted packets: 434
        Protected packets: 0
    Secure Channel received
        Accepted packets:  183
        Validated bytes:   0
        Decrypted bytes:   21102
    Secure Association received
        Accepted packets:  183
        Validated bytes:   0
        Decrypted bytes:   0

MACSec statistics are also visible in the interface detail and extensive output.
EX4600-4_5-VC# run show interfaces xe-1/0/0 detail 
Physical interface: xe-1/0/0, Enabled, Physical link is Up
  Interface index: 651, SNMP ifIndex: 525, Generation: 143
  Link-level type: Ethernet, MTU: 1514, MRU: 0, Speed: 10Gbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Media type: Fiber
… Truncated for brevity
  MACSec statistics:
    Output
        Secure Channel Transmitted
        Protected Packets               : 0
        Encrypted Packets               : 525
        Protected Bytes                 : 0
        Encrypted Bytes                 : 39615
     Input
        Secure Channel Received
        Accepted Packets                : 201
        Validated Bytes                 : 0
        Decrypted Bytes                 : 23373
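The two show commands above are what tell you whether a link is really encrypting (Encryption: on, a growing Encrypted packets counter) rather than only integrity-protecting frames (Protected packets), and whether replay protection is enabled; note that both switches in the output report Replay protect: off. As an added example that is not part of the book, the Python 3 script below parses that text and reports the settings a reviewer would question. The sample strings are constructed from the EX4600 output above (trimmed), the field names are the ones Junos prints, and the function names and the requirement that replay protection be on are this example's own choices, not a Junos default.

```python
import re

# Constructed sample, trimmed from the EX4600 'show security macsec connections' output above.
CONNECTIONS_SAMPLE = """\
    Interface name: xe-1/0/0
        CA name: EX4300-to-EX4600
        Cipher suite: GCM-AES-128   Encryption: on
        Key server offset: 0        Include SCI: yes
        Replay protect: off         Replay window: 0
          Outbound secure channels
            SC Id: 64:64:9B:5F:F9:03/1
            Outgoing packet number: 22
            Secure associations
            AN: 0 Status: inuse Create time: 00:00:26
          Inbound secure channels
            SC Id: 4C:96:14:E4:66:20/1
            Secure associations
            AN: 0 Status: inuse Create time: 00:00:26
"""

# Constructed sample, trimmed from the 'show security macsec statistics' output above.
STATISTICS_SAMPLE = """\
    Secure Channel transmitted
        Encrypted packets: 434
        Encrypted bytes:   33639
        Protected packets: 0
        Protected bytes:   0
    Secure Association transmitted
        Encrypted packets: 434
        Protected packets: 0
    Secure Channel received
        Accepted packets:  183
        Validated bytes:   0
        Decrypted bytes:   21102
"""

FIELD_RE = re.compile(r"([A-Za-z ]+?):\s+(\S+)")  # 'Field: value', several per line


def parse_connections(text):
    """Map each interface to its 'Field: value' pairs plus two flags recording
    whether an inbound and an outbound secure association is 'inuse'."""
    result, current, direction = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Interface name: (\S+)$", s)
        if m:
            current = result.setdefault(m.group(1), {"inbound_inuse": False, "outbound_inuse": False})
            direction = None
            continue
        if current is None:
            continue
        if s.endswith("secure channels"):
            direction = s.split()[0].lower()      # 'outbound' or 'inbound'
            continue
        for key, value in FIELD_RE.findall(s):
            current[key.strip()] = value
        if s.startswith("AN:") and "Status: inuse" in s and direction:
            current[direction + "_inuse"] = True
    return result


def audit_connections(conns, require_replay=True):
    """List (interface, finding) pairs for state a reviewer should question.
    Requiring replay protection is this example's policy, not a Junos default."""
    findings = []
    for ifname, c in sorted(conns.items()):
        if c.get("Encryption") != "on":
            findings.append((ifname, "encryption off: frames are integrity-protected only"))
        if require_replay and c.get("Replay protect") != "on":
            findings.append((ifname, "replay protection is off"))
        if not (c["inbound_inuse"] and c["outbound_inuse"]):
            findings.append((ifname, "no secure association in use in both directions"))
    return findings


def parse_statistics(text):
    """Collect the Secure Channel counters as {'tx_encrypted_packets': 434, ...};
    the Secure Association sections repeat the same counter names and are skipped."""
    counters, section = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Secure Channel "):
            section = "tx" if s.endswith("transmitted") else "rx"
            continue
        if s.startswith("Secure Association "):
            section = None
            continue
        m = re.match(r"([A-Za-z]+) (packets|bytes):\s+(\d+)$", s)
        if m and section:
            counters["%s_%s_%s" % (section, m.group(1).lower(), m.group(2))] = int(m.group(3))
    return counters


def audit_statistics(counters):
    """Confidentiality needs 'Encrypted' counters to move, not just 'Protected' ones."""
    findings = []
    if counters.get("tx_encrypted_packets", 0) == 0:
        findings.append("no encrypted packets transmitted on the secure channel")
    if counters.get("tx_protected_packets", 0) > 0:
        findings.append("some frames were sent integrity-protected but not encrypted")
    if counters.get("rx_accepted_packets", 0) == 0:
        findings.append("no packets accepted on the inbound secure channel")
    return findings


if __name__ == "__main__":
    for ifname, note in audit_connections(parse_connections(CONNECTIONS_SAMPLE)):
        print("%s: %s" % (ifname, note))
    for note in audit_statistics(parse_statistics(STATISTICS_SAMPLE)):
        print(note)
```

Run against the sample, the only finding is the replay-protection one; feed it the output of `run show security macsec connections` from each switch (for example via PyEZ's `dev.cli()` in the next chapter) to check every MACsec link the same way.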

#### Chapter 14

#### Configuring EX Series with Automation 
#### Configuring NETCONF for API Access

Place this on all lab devices:
QFX5100-2_3-VC# set system services netconf ssh ? 
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  connection-limit     Maximum number of allowed connections (1..250)
  port                 Service port number (1..65535)
  rate-limit           Maximum number of connections per minute (1..250)
  |                    Pipe through a command

If you want to use the standard NETCONF port of 830, you need to specify it with the port option; if you stop at ssh, port 22 is used by default. To simplify things and reduce the number of ports opened through the firewall, let's stay with port 22 and stop at ssh.
{master:0}[edit]
QFX5100-2_3-VC# set system services netconf ssh    
{master:0}[edit]

QFX5100-2_3-VC# commit and-quit 
configuration check succeeds
fpc1: 
commit complete
commit complete
Exiting configuration mode
{master:0}
QFX5100-2_3-VC>

(1)
$ python
Python 2.7.5 (default, Nov  6 2016, 00:28:07) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
(2)
>>> from jnpr.junos import Device
(3)
>>> from pprint import pprint
>>> 
(4)
>>> EX4300 = Device(host='172.16.0.6',user='lab',password='jnpr123')
>>> 
(5)
>>> EX4300.open()
Device(172.16.0.6)
>>> 
(6)
>>> pprint(EX4300.facts)
{'2RE': True,
 'HOME': '/var/home/lab',
 'RE0': {'last_reboot_reason': '0x1:power cycle/failure',
         'mastership_state': 'backup',
         'model': 'EX4300-24T',
         'status': 'OK',
         'up_time': '18 days, 19 minutes, 21 seconds'},
 'RE1': {'last_reboot_reason': '0x1:power cycle/failure',
         'mastership_state': 'master',
         'model': 'EX4300-24T',
         'status': 'OK',
         'up_time': '18 days, 19 minutes, 16 seconds'},
 'RE_hw_mi': False,
 'current_re': ['master',
                'node',
                'fwdd',
                'member',
                'pfem',
                're0',
                'fpc1',
                'feb0',
                'fpc16'],
 'domain': None,
 'fqdn': 'EX4300-6_7-VC',
 'hostname': 'EX4300-6_7-VC',
 'hostname_info': {'fpc0': 'EX4300-6_7-VC', 'fpc1': 'EX4300-6_7-VC'},
 'ifd_style': 'SWITCH',
 'junos_info': {'fpc0': {'object': junos.version_info(major=(14, 1), type=X, minor=(53, 'D', 40), build=8),
                         'text': '14.1X53-D40.8'},
                'fpc1': {'object': junos.version_info(major=(14, 1), type=X, minor=(53, 'D', 40), build=8),
                         'text': '14.1X53-D40.8'}},
 'master': 'RE1',
 'model': 'EX4300-24T',
 'model_info': {'fpc0': 'EX4300-24T', 'fpc1': 'EX4300-24T'},
 'personality': 'SWITCH',
 're_info': {'default': {'0': {'last_reboot_reason': '0x1:power cycle/failure',
                               'mastership_state': 'backup',
                               'model': 'EX4300-24T',
                               'status': 'OK'},
                         '1': {'last_reboot_reason': '0x1:power cycle/failure',
                               'mastership_state': 'master',
                               'model': 'EX4300-24T',
                               'status': 'OK'},
                         'default': {'last_reboot_reason': '0x1:power cycle/failure',
                                     'mastership_state': 'backup',
                                     'model': 'EX4300-24T',
                                     'status': 'OK'}}},
 're_master': {'default': '1'},
 'serialnumber': 'PG3713290002',
 'srx_cluster': None,
 'switch_style': 'VLAN_L2NG',
 'vc_capable': True,
 'vc_fabric': None,
 'vc_master': '1',
 'vc_mode': 'Enabled',
 'version': '14.1X53-D40.8',
 'version_RE0': None,
 'version_RE1': None,
 'version_info': junos.version_info(major=(14, 1), type=X, minor=(53, 'D', 40), build=8),
 'virtual': False}
(7)
>>> EX4300.close()
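The facts dictionary above is more useful when you check it rather than just print it. Here is an added example (not code from the book or from PyEZ) that pulls facts from several switches over NETCONF on port 22, as configured above, and checks each Virtual Chassis for mismatched releases and RE state, then looks for version drift across the fleet. The checks work on plain dicts, so the sample below is constructed: the first entry is trimmed from the EX4300 facts above, the second is invented to show a release mismatch and a dual-master condition. The function names are this example's own; the PyEZ `Device` arguments and the `ConnectError` exception are real. Unlike the session above, the password is prompted for rather than written into the script.

```python
import getpass
import sys


def check_device(facts):
    """Findings for one device's PyEZ facts dict (keys as in the output above)."""
    findings = []
    # Every Virtual Chassis member must run the same Junos release.
    releases = {fpc: info["text"] for fpc, info in (facts.get("junos_info") or {}).items()}
    if len(set(releases.values())) > 1:
        findings.append("VC members run different releases: %s" % releases)
    # Each RE should report OK and exactly one should be master
    # (the 'default' entry mirrors one of the numbered REs, so it is skipped).
    re_info = (facts.get("re_info") or {}).get("default", {})
    numbered = {k: v for k, v in re_info.items() if k != "default"}
    states = [v.get("mastership_state") for v in numbered.values()]
    if states.count("master") != 1:
        findings.append("expected exactly one master RE, saw %s" % states)
    not_ok = sorted(k for k, v in numbered.items() if v.get("status") != "OK")
    if not_ok:
        findings.append("RE status not OK: %s" % not_ok)
    return findings


def fleet_version_drift(facts_by_host):
    """Group hosts by the 'version' fact; more than one group means drift."""
    groups = {}
    for host, facts in facts_by_host.items():
        groups.setdefault(facts.get("version"), []).append(host)
    return {version: sorted(hosts) for version, hosts in groups.items()}


def collect_facts(hosts, user, password, port=22):
    """Gather facts over NETCONF-over-SSH (port 22, as configured above).
    PyEZ is imported here so the checks above run without it installed."""
    from jnpr.junos import Device
    from jnpr.junos.exception import ConnectError
    facts_by_host, errors = {}, {}
    for host in hosts:
        try:
            with Device(host=host, user=user, passwd=password, port=port) as dev:
                facts_by_host[host] = dict(dev.facts)
        except ConnectError as exc:
            errors[host] = str(exc)
    return facts_by_host, errors


# Constructed sample: 172.16.0.6 is trimmed from the EX4300 facts above; the
# second host is invented to show a release mismatch and two REs claiming master.
SAMPLE_FACTS = {
    "172.16.0.6": {
        "hostname": "EX4300-6_7-VC",
        "version": "14.1X53-D40.8",
        "junos_info": {"fpc0": {"text": "14.1X53-D40.8"}, "fpc1": {"text": "14.1X53-D40.8"}},
        "re_info": {"default": {
            "0": {"mastership_state": "backup", "status": "OK"},
            "1": {"mastership_state": "master", "status": "OK"},
            "default": {"mastership_state": "backup", "status": "OK"}}},
    },
    "172.16.0.10": {
        "hostname": "EX3400-10_11-VC",
        "version": "15.1X53-D50.2",
        "junos_info": {"fpc0": {"text": "15.1X53-D50.2"}, "fpc1": {"text": "15.1X53-D50.1"}},
        "re_info": {"default": {
            "0": {"mastership_state": "master", "status": "OK"},
            "1": {"mastership_state": "master", "status": "OK"}}},
    },
}


if __name__ == "__main__":
    hosts = sys.argv[1:]                    # management IPs; none given runs the sample
    if hosts:
        user = input("Username: ")
        password = getpass.getpass("Password: ")   # prompted, not hardcoded or on the command line
        collected, errors = collect_facts(hosts, user, password)
    else:
        collected, errors = SAMPLE_FACTS, {}
    for host, facts in sorted(collected.items()):
        for note in check_device(facts):
            print("%s (%s): %s" % (host, facts.get("hostname"), note))
    drift = fleet_version_drift(collected)
    if len(drift) > 1:
        print("version drift: %s" % drift)
    for host, err in sorted(errors.items()):
        print("%s: %s" % (host, err))
```

Run with no arguments it reports on the constructed sample; run with management IPs it connects to each switch in turn, and a switch that refuses the NETCONF session shows up in the error list rather than aborting the whole run.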

$ more ser_grab_set_config.pb.yaml 
---
- name: Junos CLI commands
  hosts: "{{ target }}"
  connection: local
  gather_facts: no
  roles:
    - Juniper.junos
  vars:
    ask_vault_pass: False
    netconf_user:
    netconf_password:
    default_port: 22
    config_dir: CONFIGS
  tasks:
    - name: GET CONFIGURATION FROM {{ target }}
      junos_cli:
        host: "{{ inventory_hostname }}"
        cli: "show configuration | display set"
        logfile: "cli.log"
        dest: "{{ config_dir }}/{{ inventory_hostname }}.setconfig.txt"
        format: text

$ ansible-playbook -i ser.inv ser_grab_set_config.pb.yaml --extra-vars "target=lab-switches"
PLAY [Junos CLI commands] *************************************************************************************************
TASK [GET CONFIGURATION FROM lab-switches] *************************************************************************************************
ok: [172.16.0.2]
ok: [172.16.0.4]
ok: [172.16.0.8]
ok: [172.16.0.16]
ok: [172.16.0.10]
ok: [172.16.0.6]
PLAY RECAP *************************************************************************************************
172.16.0.10                : ok=1    changed=0    unreachable=0    failed=0   
172.16.0.16                : ok=1    changed=0    unreachable=0    failed=0   
172.16.0.2                 : ok=1    changed=0    unreachable=0    failed=0   
172.16.0.4                 : ok=1    changed=0    unreachable=0    failed=0   
172.16.0.6                 : ok=1    changed=0    unreachable=0    failed=0   
172.16.0.8                 : ok=1    changed=0    unreachable=0    failed=0  

That playbook pulled all the configs in under five seconds! And they are now stored in the CONFIGS directory, which was specified under vars in the YAML file. Let's make sure they are there:
$ ls *.txt
172.16.0.10.setconfig.txt  
172.16.0.16.setconfig.txt  
172.16.0.2.setconfig.txt  
172.16.0.4.setconfig.txt  
172.16.0.6.setconfig.txt  
172.16.0.8.setconfig.txt
And let’s also take a look inside to make sure that they were indeed captured:
$ cat 172.16.0.* | more
set version 15.1X53-D50.2
set groups POC_Lab system host-name EX3400-10_11-VC
set groups POC_Lab system backup-router 172.16.0.1
set groups POC_Lab system authentication-order radius
set groups POC_Lab system authentication-order password
We can’t stress enough just how easy Ansible is to use. Not only can you mine data from the network but you can also push changes to your network and automate your configuration management for your entire organization with Ansible. It’s very powerful and easy to use.
MORE?	Check the Juniper Books web pages for more books on PyEZ and Ansible that are in development as this book goes to press: http://www.juniper.net/books.

#### Installing and using JAIDEGUI

You download the zip file, issue $ python setup.py install, and then you can run the script. If you already have Python and pip installed, it's even easier than that:
$ sudo pip install jaidegui
The directory '/Users/sreger/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
You are using pip version 7.1.0, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
The directory '/Users/sreger/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied (use --upgrade to upgrade): jaidegui in /Library/Python/2.7/site-packages/jaidegui-1.0.0-py2.7.egg
Collecting jaide>=2.0.0 (from jaidegui)
  Downloading jaide-2.0.0-py2-none-any.whl
Requirement already satisfied (use --upgrade to upgrade): Pmw>=1.3.3 in /Library/Python/2.7/site-packages/Pmw-2.0.1-py2.7.egg (from jaidegui)
Requirement already satisfied (use --upgrade to upgrade): ncclient>=0.4.2 in /Library/Python/2.7/site-packages (from jaide>=2.0.0->jaidegui)
Requirement already satisfied (use --upgrade to upgrade): ecdsa>=0.11 in /Library/Python/2.7/site-packages (from jaide>=2.0.0->jaidegui)
Requirement already satisfied (use --upgrade to upgrade): pycrypto!=2.4,>=2.1 in /Library/Python/2.7/site-packages (from jaide>=2.0.0->jaidegui)
Requirement already satisfied (use --upgrade to upgrade): paramiko<2.0.0,>=1.14.0 in /Library/Python/2.7/site-packages (from jaide>=2.0.0->jaidegui)
Requirement already satisfied (use --upgrade to upgrade): colorama>0.3.2 in /Library/Python/2.7/site-packages (from jaide>=2.0.0->jaidegui)
Collecting click<5.0.0,>=4.0.0 (from jaide>=2.0.0->jaidegui)
  Downloading click-4.1-py2.py3-none-any.whl (62kB)
    100% |████████████████████████████████| 65kB 316kB/s 
Requirement already satisfied (use --upgrade to upgrade): scp<1.0.0,>=0.8.0 in /Library/Python/2.7/site-packages (from jaide>=2.0.0->jaidegui)
Requirement already satisfied (use --upgrade to upgrade): setuptools>0.6 in /Library/Python/2.7/site-packages (from ncclient>=0.4.2->jaide>=2.0.0->jaidegui)
Requirement already satisfied (use --upgrade to upgrade): lxml>=3.3.0 in /Library/Python/2.7/site-packages (from ncclient>=0.4.2->jaide>=2.0.0->jaidegui)
Requirement already satisfied (use --upgrade to upgrade): six in /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python (from ncclient>=0.4.2->jaide>=2.0.0->jaidegui)
Installing collected packages: click, jaide

Successfully installed click-4.1 jaide-2.0.0
Now launch this tool from the CLI and use it as a CLI tool, or launch the JAIDE GUI. First, let's see the help output for jaide on the command line:
$ jaide
Usage: jaide [OPTIONS] COMMAND [ARGS]...
  Manipulate one or more Junos devices.
  Will connect to one or more Junos devices, and manipulate them based on the command you have chosen. If a comma separated list or a file containing IP/hostnames on each line is given for the IP
  option, the commands will be sent simultaneously to each device.
Options:
  -i, --ip TEXT                   The target hostname(s) or IP(s). Can be a comma separated list, or path to a file listing devices on individual lines.
  -u, --username TEXT
  -p, --password TEXT
  -P, --port INTEGER              The port to connect to. Defaults to SSH (22)
  --quiet / --no-quiet            Boolean flag to show no output, except in certain error scenarios. Defaults to false (--no-quiet), which shows the output.
  -t, --session-timeout INTEGER RANGE
                                  The session timeout value, in seconds, for declaring a lost session. Default is 300 seconds. This should be increased when no output could be seen for more than 5
                                  minutes (ex. requesting a system snapshot).
  -T, --connect-timeout INTEGER RANGE
                                  The timeout, in seconds, for declaring a device unreachable during connection establishment. Default is 5 seconds.
  --version                       Show the version and exit.
  -w, --write [s | single | m | multiple] FILEPATH
                                  Write the output to a file instead of echoing it to the terminal. This can be useful when touching more than one device, because the output can be split into a file per
                                  device. In this case, output filename format is IP_FILENAME.
  -h, --help                      Show this message and exit.
Commands:
  commit       Execute a commit against the device.
  compare      Compare commands against running config.
  diff_config  Compare the config between two devices.
  errors       Get any interface errors from the device.
  health       Get alarm and device health information.
  info         Get basic device information.
  operational  Execute operational mode command(s).
  pull         Copy file(s) from device(s) -> local machine.
  push         Copy file(s) from local machine -> device(s).
  shell        Send shell commands to the device(s).
The second option is to use it as a GUI. To launch that, simply type $ jaidegui & and voilà: Figure 14.1.

Figure 14.1		JaideGUI Interface.
If you have Python and pip installed you can have an easy open-source scripting tool at your fingertips in a matter of minutes. There are dependencies, as outlined on Git. Let's run it on the lab network and pull the hardware inventory from all of the devices.
NOTE	This is where the CLI option versus the GUI comes in handy. While we do have VNC access to our lab, it is over 800 miles away, so being able to simply run this from the CLI is a plus!
First, build a file called IPLIST and place all the management IPs in it. You can also pass the IPs as a comma-separated list. Then create a file with all the show commands you want to run. Here is a preview of the files:
$ more IPLIST 
172.16.0.2
172.16.0.4
172.16.0.6
172.16.0.8
172.16.0.10
172.16.0.12
172.16.0.13
172.16.0.16
$ more JAIDECOMMANDS 
show chassis hardware | no-more
show virtual-chassis
show configuration | display set | no-more
show interfaces terse
show route
Now run the following from the CLI and watch the feedback on the screen. Using -w m and specifying a file name also places each switch's output in its own file for easy access:
$ jaide -i IPLIST -u lab -p jnpr123 -w m jaide.txt operational JAIDECOMMANDS
172.16.0.4 output appended to: 172.16.0.4_jaide.txt
172.16.0.2 output appended to: 172.16.0.2_jaide.txt
172.16.0.8 output appended to: 172.16.0.8_jaide.txt
172.16.0.16 output appended to: 172.16.0.16_jaide.txt
172.16.0.12 output appended to: 172.16.0.12_jaide.txt
172.16.0.10 output appended to: 172.16.0.10_jaide.txt
172.16.0.6 output appended to: 172.16.0.6_jaide.txt
172.16.0.13 output appended to: 172.16.0.13_jaide.txt
This went very quickly and efficiently and ran all the commands without error! Now let's look at the files:
$ ls *jaide.txt
172.16.0.10_jaide.txt  172.16.0.13_jaide.txt  172.16.0.2_jaide.txt  172.16.0.6_jaide.txt
172.16.0.12_jaide.txt  172.16.0.16_jaide.txt  172.16.0.4_jaide.txt  172.16.0.8_jaide.txt

$ more 172.16.0.10_jaide.txt 
==================================================
Results from device: 172.16.0.10

> show chassis hardware | no-more
Hardware inventory:
...

> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: 9370.5006.089a
Virtual Chassis Mode: Enabled
...

> show configuration | display set | no-more
set version 15.1X53-D50.2
set groups POC_Lab system host-name EX3400-10_11-VC
set groups POC_Lab system backup-router 172.16.0.1
set groups POC_Lab system authentication-order radius
set groups POC_Lab system authentication-order password
… Truncated for brevity

#### Chapter 15
#### Configuring QFX Series with Vagrant 

#PyEZ
1) pip install junos-eznc
#NetConify
1) pip install junos-netconify
#Ansible
1) sudo pip install ansible
2) ansible --version
3) sudo ansible-galaxy install Juniper.junos
4) cd /etc/ansible/
5) vi ansible.cfg
        [defaults]
        log_path=~/.ansible/log/ansible.log
        forks=50 
6) sudo usermod -a -G root username
7) sudo chmod g+w ansible.cfg

# yum -y install https://releases.hashicorp.com/vagrant/1.9.7/vagrant_1.9.7_x86_64.rpm

Now that we have all of the pre-installation requirements met for vQFX we can download the actual vQFX git package and install it on our platform. For this section we’re using a MacBook Pro, so for Windows and Linux users, please follow the instructions from the git repository. There are plenty of How To guides on the internet that can walk you through your specific setup, too.
$ git clone https://github.com/Juniper/vqfx10k-vagrant.git
Cloning into 'vqfx10k-vagrant'...
remote: Counting objects: 387, done.
remote: Total 387 (delta 0), reused 0 (delta 0), pack-reused 387
Receiving objects: 100% (387/387), 68.71 KiB | 0 bytes/s, done.
Resolving deltas: 100% (180/180), done.

That went super fast and now there should be a vqfx directory so let’s find that.
$ ls -al | grep vqfx
drwxr-xr-x   17 lab staff      578 Jul 26 10:59 vqfx10k-vagrant

We have downloaded the package and verified that the vqfx10k-vagrant directory exists. The only thing left to do is navigate to our desired topology and start the vagrant environment:
$ cd vqfx10k-vagrant/
lab-mbp:vqfx10k-vagrant lab$ ls
INSTALL.md			TROUBLESHOOTING.md		full-2qfx	light-1qfx			light-ipfabric-2S-3L
LICENSE				full-1qfx			full-2qfx-4srv-evpnvxlan	light-2qfx
README.md			full-1qfx-1srv			full-4qfx	light-2qfx-2srv

$ cd full-2qfx
lab-mbp:full-2qfx lab$ ls
README.md		Vagrantfile		ansible.cfg		host_vars	pb.conf.all.commit.yaml	pb.conf.save.yaml	vqfx.conf.j2

Once parked in the full-2qfx directory we can launch the topology:
$ vagrant up
Bringing machine 'vqfx1-pfe' up with 'virtualbox' provider...
Bringing machine 'vqfx1' up with 'virtualbox' provider...
Bringing machine 'vqfx2-pfe' up with 'virtualbox' provider...
Bringing machine 'vqfx2' up with 'virtualbox' provider...
==> vqfx1-pfe: Box 'juniper/vqfx10k-pfe' could not be found. Attempting to find and install...
    vqfx1-pfe: Box Provider: virtualbox
    vqfx1-pfe: Box Version: >= 0
==> vqfx1-pfe: Loading metadata for box 'juniper/vqfx10k-pfe'
    vqfx1-pfe: URL: https://vagrantcloud.com/juniper/vqfx10k-pfe
==> vqfx1-pfe: Adding box 'juniper/vqfx10k-pfe' (v0.1.0) for provider: virtualbox
    vqfx1-pfe: Downloading: https://vagrantcloud.com/juniper/boxes/vqfx10k-pfe/versions/0.1.0/providers/virtualbox.box
    vqfx1-pfe: Progress: 2% (Rate: 625k/s, Estimated time remaining: 0:16:25)
As you can see it is downloading the virtual machines for this topology, and it will take a few minutes. One thing you really need to do is read the README.md file: it has a lot of information that will help you when accessing the devices. Here is a small excerpt that we will need later on when accessing the device. There is a ton of information in the README.md file, so take the time to read it!
#### vqfx10k-pfe
Requires:
- 1.5/2GB of memory
- 1 dedicated core
A maximum of 2 interfaces are supported:
- first interface is used by vagrant (eth0)
- second interface is used to connect to the RE VM (eth1)
This VM has 2 accounts by default:
- login: vagrant, with ssh_key authentication using vagrant insecure_key
- login: root, password: no
Now that our PFE box is downloaded, we see some more movement from vagrant:
==> vqfx1-pfe: Successfully added box 'juniper/vqfx10k-pfe' (v0.1.0) for 'virtualbox'!
==> vqfx1-pfe: Importing base box 'juniper/vqfx10k-pfe'...
==> vqfx1-pfe: Matching MAC address for NAT networking...
==> vqfx1-pfe: Checking if box 'juniper/vqfx10k-pfe' is up to date...
==> vqfx1-pfe: Setting the name of the VM: full-2qfx_vqfx1-pfe_1501086890774_88281
==> vqfx1-pfe: Clearing any previously set network interfaces...
==> vqfx1-pfe: Preparing network interfaces based on configuration...
    vqfx1-pfe: Adapter 1: nat
    vqfx1-pfe: Adapter 2: intnet
==> vqfx1-pfe: Forwarding ports...
    vqfx1-pfe: 22 (guest) => 2222 (host) (adapter 1)
==> vqfx1-pfe: Booting VM...
==> vqfx1-pfe: Waiting for machine to boot. This may take a few minutes...
    vqfx1-pfe: SSH address: 127.0.0.1:2222
    vqfx1-pfe: SSH username: vagrant
    vqfx1-pfe: SSH auth method: private key
==> vqfx1-pfe: Machine booted and ready!
==> vqfx1-pfe: Checking for guest additions in VM...
    vqfx1-pfe: No guest additions were detected on the base box for this VM! Guest
    vqfx1-pfe: additions are required for forwarded ports, shared folders, host only
    vqfx1-pfe: networking, and more. If SSH fails on this machine, please install
    vqfx1-pfe: the guest additions and repackage the box to continue.
    vqfx1-pfe: 
    vqfx1-pfe: This is not an error message; everything may continue to work properly,
    vqfx1-pfe: in which case you may ignore this message.
==> vqfx1-pfe: Running provisioner: ansible...
    vqfx1-pfe: Running ansible-playbook...
==> vqfx1: Box 'juniper/vqfx10k-re' could not be found. Attempting to find and install...
    vqfx1: Box Provider: virtualbox
    vqfx1: Box Version: >= 0
==> vqfx1: Loading metadata for box 'juniper/vqfx10k-re'
    vqfx1: URL: https://vagrantcloud.com/juniper/vqfx10k-re
==> vqfx1: Adding box 'juniper/vqfx10k-re' (v0.2.0) for provider: virtualbox
    vqfx1: Downloading: https://vagrantcloud.com/juniper/boxes/vqfx10k-re/versions/0.2.0/providers/virtualbox.box
This process takes a while for the very first run but will be much faster on subsequent launches because the VMs are already downloaded.
TIP	You will notice that we downloaded a vqfx10k-pfe and a vqfx10k-re. PFE stands for Packet Forwarding Engine and RE stands for Routing Engine. This shows how we completely separate the Junos control and forwarding planes, and why it makes us so much more efficient at processing packets than our competitors.
==> vqfx1: Successfully added box 'juniper/vqfx10k-re' (v0.2.0) for 'virtualbox'!
==> vqfx1: Importing base box 'juniper/vqfx10k-re'...
==> vqfx1: Matching MAC address for NAT networking...
==> vqfx1: Checking if box 'juniper/vqfx10k-re' is up to date...
==> vqfx1: Setting the name of the VM: full-2qfx_vqfx1_1501087612356_59890
==> vqfx1: Fixed port collision for 22 => 2222. Now on port 2200.
==> vqfx1: Clearing any previously set network interfaces...
==> vqfx1: Preparing network interfaces based on configuration...
    vqfx1: Adapter 1: nat
    vqfx1: Adapter 2: intnet
    vqfx1: Adapter 3: intnet
    vqfx1: Adapter 4: intnet
    vqfx1: Adapter 5: intnet
    vqfx1: Adapter 6: intnet
    vqfx1: Adapter 7: intnet
    vqfx1: Adapter 8: intnet
    vqfx1: Adapter 9: intnet
==> vqfx1: Forwarding ports...
    vqfx1: 22 (guest) => 2200 (host) (adapter 1)
==> vqfx1: Booting VM...
==> vqfx1: Waiting for machine to boot. This may take a few minutes...
    vqfx1: SSH address: 127.0.0.1:2200
    vqfx1: SSH username: vagrant
    vqfx1: SSH auth method: private key
==> vqfx1: Machine booted and ready!
==> vqfx1: Checking for guest additions in VM...
    vqfx1: No guest additions were detected on the base box for this VM! Guest
    vqfx1: additions are required for forwarded ports, shared folders, host only
    vqfx1: networking, and more. If SSH fails on this machine, please install
    vqfx1: the guest additions and repackage the box to continue.
    vqfx1: 
    vqfx1: This is not an error message; everything may continue to work properly,
    vqfx1: in which case you may ignore this message.
==> vqfx1: Setting hostname...
==> vqfx1: Running provisioner: ansible...
    vqfx1: Running ansible-playbook...

Okay, so we have successfully downloaded the PFE and RE images; vagrant launches them automatically in VirtualBox and uses Ansible to place the configuration required for this specific topology on the switches. There is another series of output for the second vqfx, but it's just more of the same, so we aren't going to display it.
At this point you should have successfully launched 2 full vqfx10ks (full meaning each vqfx is made up of 1 RE and 1 PFE) and the underlying physical topology is already built in VBox as well. The next step is to log in and start using the Junos CLI.

From the screen capture in the last output you can see that the full2-vqfx topology is launched and actively running in VirtualBox. Now we can access the devices from the command line.
$ vagrant ssh vqfx1
--- Junos 15.1X53-D63.9 built 2017-04-01 20:45:26 UTC
{master:0}
vagrant@vqfx-re> show chassis hardware 
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                26780205283       QFX3500

vagrant@vqfx-re> show configuration 
## Last commit: 2017-04-07 12:42:24 UTC by root
version 15.1X53-D63.9;
system {
    host-name vqfx-re;
    root-authentication {
        encrypted-password "$1$3ttX6Wqv$vYBmNrdOf9f.OQRQxf/SQ1"; ## SECRET-DATA
        ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"; ## SECRET-DATA
    }
    login {
        user vagrant {
            uid 2000;
            class super-user;
            authentication {
                ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh {
            root-login allow;
        }
        netconf {
            ssh;
        }
        rest {
            http {
                port 8080;
            }
            enable-explorer;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    extensions {
        providers {
            juniper {
                license-type juniper deployment-scope commercial;
            }
            chef {
… Truncated for brevity
The really cool part is that the physical layer is all prebuilt inside VirtualBox and is ready to go. You can see that we have real interfaces to work with in this output:
vagrant@vqfx-re> show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
gr-0/0/0                up    up
pfe-0/0/0               up    up
pfe-0/0/0.16383         up    up   inet    
pfh-0/0/0               up    up
pfh-0/0/0.16383         up    up   inet    
pfh-0/0/0.16384         up    up   inet    
xe-0/0/0                up    up
xe-0/0/0.0              up    up   inet   
…
After logging into each vQFX and enabling LLDP on the interfaces, you can see the neighbor and the way the two devices are connected:
vagrant@vqfx1-re> show lldp neighbors 
Local Interface    Parent Interface    Chassis Id          Port info          System Name
xe-0/0/1           -                   02:05:86:71:5e:00   xe-0/0/1           vqfx2-re            
xe-0/0/0           -                   02:05:86:71:5e:00   xe-0/0/0           vqfx2-re            
xe-0/0/2           -                   02:05:86:71:5e:00   xe-0/0/2           vqfx2-re            
xe-0/0/3           -                   02:05:86:71:5e:00   xe-0/0/3           vqfx2-re            
xe-0/0/4           -                   02:05:86:71:5e:00   xe-0/0/4           vqfx2-re 


