
Configuring Ethernet Interfaces

 

Ethernet is a Layer 2 technology that operates in a shared bus topology and uses best-effort delivery for broadcast traffic. The topics below give an overview of Ethernet interfaces on security devices and describe static ARP entries, creating and deleting an Ethernet interface, and enabling and disabling promiscuous mode on these interfaces.

Understanding Ethernet Interfaces

Ethernet is a Layer 2 technology that operates in a shared bus topology. Ethernet supports broadcast transmission, uses best-effort delivery, and has distributed access control. Ethernet is a point-to-multipoint technology.

In a shared bus topology, all devices connect to a single, shared physical link through which all data transmissions are sent. All traffic is broadcast so that every device within the topology receives every transmission. The devices within a single Ethernet topology make up a broadcast domain. A receiving interface in normal mode discards frames whose destination MAC address is not its own (or a broadcast or multicast address it listens to); this destination MAC filtering is what promiscuous mode, described later in this topic, turns off.

Ethernet uses best-effort delivery to broadcast traffic. The physical hardware provides no information to the sender about whether the traffic was received. If the receiving host is offline, traffic to the host is lost. Although the Ethernet data link protocol does not inform the sender about lost packets, higher-layer protocols such as TCP can detect the loss and retransmit.


Ethernet Access Control and Transmission

Ethernet's access control is distributed because Ethernet has no central mechanism that grants access to the physical medium within the network. Instead, Ethernet uses carrier-sense multiple access with collision detection (CSMA/CD). Because multiple devices on an Ethernet network can access the physical medium, or wire, simultaneously, each device must determine whether the physical medium is in use. Each host listens on the wire to determine if a message is being transmitted. If it detects no transmission, the host begins transmitting its own data. CSMA/CD applies only to half-duplex shared media; a full-duplex link to a switch port has a dedicated path in each direction, and no collisions occur on it.

The length of each transmission is bounded by the Ethernet maximum frame size. By capping the length of each transmission and enforcing a minimum idle time (the interframe gap) between transmissions, Ethernet ensures that no pair of communicating devices on the network can monopolize the wire and block others from sending and receiving traffic.

Collisions and Detection

When a device on an Ethernet network begins transmitting data, the data takes a finite amount of time to reach all hosts on the network. Because of this delay, or latency, in transmitting traffic, a device might detect an idle state on the wire just as another device initially begins its transmission. As a result, two devices might send traffic across a single wire at the same time. When the two electrical signals collide, they become scrambled so that both transmissions are effectively lost.

Collision Detection

To handle collisions, Ethernet devices monitor the link while they are transmitting data. The monitoring process is known as collision detection. If a device detects a foreign signal while it is transmitting, it terminates the transmission and attempts to transmit again only after detecting an idle state on the wire. Collisions continue to occur if two colliding devices both wait the same amount of time before retransmitting. To avoid this condition, Ethernet devices use a binary exponential backoff algorithm.

Backoff Algorithm

With the binary exponential backoff algorithm, each device that sends a colliding transmission randomly selects a value within a range. The value represents the number of slot times that the device must wait before retransmitting its data. If another collision occurs, the range of values is doubled and retransmission takes place again. Each time a collision occurs, the range of values doubles, to reduce the likelihood that two hosts on the same network select the same retransmission time. Table 1 shows collision rounds up to round 10. After round 10 the range stops growing, and a station that collides 16 times in a row on the same frame gives up and discards it.

Table 1: Collision Backoff Algorithm Rounds

Round   Size of Set   Elements in the Set
1       2             {0,1}
2       4             {0,1,2,3}
3       8             {0,1,2,3,...,7}
4       16            {0,1,2,3,4,...,15}
5       32            {0,1,2,3,4,5,...,31}
6       64            {0,1,2,3,4,5,6,...,63}
7       128           {0,1,2,3,4,5,6,7,...,127}
8       256           {0,1,2,3,4,5,6,7,8,...,255}
9       512           {0,1,2,3,4,5,6,7,8,9,...,511}
10      1024          {0,1,2,3,4,5,6,7,8,9,10,...,1023}

Collision Domains and LAN Segments

Collisions are confined to a physical wire over which data is broadcast. Because the physical wires are subject to signal collisions, individual LAN segments are known as collision domains. Although the physical limitations on the length of an Ethernet cable restrict the length of a LAN segment, multiple collision domains can be interconnected by repeaters, bridges, and switches.

Repeaters

Repeaters are electronic devices that act on the electrical signal. They regenerate and relay every signal from one wire to another, collisions included, so a repeater extends a collision domain rather than splitting it. A single repeater can double the distance between two devices on an Ethernet network. However, the Ethernet specification limits the number of repeaters between any two devices, because collision detection relies on a transmission reaching every station within the slot time, and each repeater and each additional length of wire adds latency.

Bridges and Switches

Bridges and switches combine LAN segments into a single Ethernet network by using multiple ports to connect the physical wires in each segment. Although bridges and switches are fundamentally the same, switches generally provide more interface ports and more management features and forward frames in hardware. As Ethernet frames flow through a bridge, the bridge tracks the source MAC address of each frame and stores the address and its associated input port in a MAC address table (also called an interface or forwarding table). As it receives subsequent frames, the bridge examines its table and takes one of the following actions:

  • If the destination address does not match an entry in the table (an unknown unicast), or is the broadcast address, the bridge floods the frame out of every port except the one on which it arrived. The destination MAC address is not rewritten. Because the table has finite capacity, an attacker on the segment can fill it with forged source addresses (MAC flooding) so that frames for legitimate hosts are flooded as well and become visible on every port.

  • If the destination address maps to the port through which the packet was received, the bridge or switch discards the packet. Because the other devices on the LAN segment also received the packet, the bridge does not need to retransmit it.

  • If the destination address maps to a port other than the one through which the packet was received, the bridge transmits the packet through the appropriate port to the corresponding LAN segment.

Broadcast Domains

The combination of all the LAN segments within an Ethernet network is called a broadcast domain. In the absence of any signaling devices such as a repeater, bridge, or switch, the broadcast domain is simply the physical wire that makes up the connections in the network. If a bridge or switch is used, the broadcast domain consists of the entire LAN. A Layer 3 device, such as the security device itself, or a VLAN boundary terminates the broadcast domain.

Note

On SRX300, SRX320, SRX340, SRX345, and SRX550HM devices, the subnet directed broadcast feature is not supported.

Ethernet Frames

Data is transmitted through an Ethernet network in frames. The frames are of variable length, ranging from 64 octets to 1518 octets counted from the destination address through the cyclic redundancy check (CRC) value; the preamble and start-of-frame delimiter are not included in this count, and an 802.1Q VLAN tag adds 4 octets. Figure 1 shows the Ethernet frame format.

Figure 1: Ethernet Frame Format

Ethernet frames have the following fields:

  • The preamble (PRE) field is 7 octets of alternating 0s and 1s. The predictable format in the preamble allows receiving interfaces to synchronize themselves to the data being sent. The preamble is followed by a 1-octet start-of-frame delimiter (SFD).

  • The destination address (DA) and source address (SA) fields contain the 6-octet (48-bit) MAC addresses for the destination and source ports on the network. These Layer 2 addresses identify the devices on the LAN. Neither field is authenticated: a sender can place any value in the source address, so a MAC address alone is not evidence of which host sent a frame.

  • The Length/Type field is a 2-octet field. A value of 1500 (0x05DC) or less is the length of the frame's data field (IEEE 802.3 framing); a value of 1536 (0x0600) or more is an EtherType that identifies the protocol carried in the frame (Ethernet II framing). Here are some common frame types:

    • AppleTalk—0x809B

    • AppleTalk ARP—0x80F3

    • ARP—0x0806

    • DECnet—0x6003

    • IP—0x0800

    • IPX—0x8137

    • Loopback—0x9000

    • XNS—0x0600

  • The Data field contains the packet payload.

  • The frame check sequence (FCS) is a 4-octet field that contains the calculated CRC value. This value is calculated by the originating host and appended to the frame. When it receives the frame, the receiving host calculates the CRC and checks it against the appended value, and discards the frame on a mismatch. The CRC detects accidental corruption only; it is not a security control. Anyone who can modify a frame in transit can recompute the FCS, so integrity against tampering has to come from a higher layer (for example IPsec) or from MACsec.

Note

On SRX650 devices, MAC pause frame and FCS error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3. (Platform support depends on the Junos OS Release in your installation.)

Example: Creating an Ethernet Interface

This example shows how to create an Ethernet interface.

Requirements

No special configuration beyond device initialization is required before configuring an interface.

Overview

In this example, you create the ge-1/0/0 Ethernet interface and set the logical interface to 0. The logical unit number can range from 0 to 16,384. You can also add values for properties that you need to configure on the logical interface, such as logical encapsulation or protocol family.

Configuration

Step-by-Step Procedure

To configure an Ethernet interface:

  1. Create the Ethernet interface and set the logical interface.
  2. If you are done configuring the device, commit the configuration.
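The two steps in Junos CLI form, as an added example that is not taken from the original page. The description and the 192.0.2.1/24 address on unit 0 are assumptions standing in for whatever logical-interface properties you need; the page itself only requires unit 0 to exist.

```junos
[edit]
user@host# set interfaces ge-1/0/0 unit 0
user@host# set interfaces ge-1/0/0 unit 0 description lab-uplink
user@host# set interfaces ge-1/0/0 unit 0 family inet address 192.0.2.1/24
user@host# show interfaces ge-1/0/0
unit 0 {
    description lab-uplink;
    family inet {
        address 192.0.2.1/24;
    }
}
user@host# commit check
configuration check succeeds
user@host# commit
commit complete
user@host# run show interfaces ge-1/0/0 terse
```

On an SRX the new unit passes no transit traffic and answers no host-bound traffic until it is placed in a security zone (set security zones security-zone <zone> interfaces ge-1/0/0.0, with host-inbound-traffic entries only for the services the interface must answer). Create the interface and its zone binding in the same commit, and keep the host-inbound-traffic list to the minimum the interface's role needs.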

Verification

Purpose

Verify that the configuration is working properly after creating the interface.

Action

From operational mode, enter the show interfaces command.

Understanding Static ARP Entries on Ethernet Interfaces

By default, the device responds to an Address Resolution Protocol (ARP) request only if the destination address of the ARP request is on the local network of the incoming interface. For Fast Ethernet or Gigabit Ethernet interfaces, you can configure static ARP entries that associate the IP addresses of nodes on the same Ethernet subnet with their media access control (MAC) addresses. These static ARP entries enable the device to respond to ARP requests even if the destination address of the ARP request is not local to the incoming Ethernet interface. A static entry is configured rather than learned, so an ARP reply received on the segment, including a forged one, does not change it; the same property means that a wrong MAC address in a static entry blackholes traffic to that node until the entry is corrected.

Example: Configuring Static ARP Entries on Ethernet Interfaces

Requirements

No special configuration beyond device initialization is required before creating an interface.

Overview

In this example, you configure a static ARP entry on logical unit 0 of the ge-0/0/3 Gigabit Ethernet interface, under the interface's own IP address (10.1.1.1/24). The entry maps the IP address of a node on the same Ethernet subnet to that node's MAC address (00:ff:85:7f:78:03). The example also uses the publish option, which makes the device answer ARP requests for the node's IP address on the node's behalf.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a static ARP entry on an Ethernet interface:

  1. Create the Gigabit Ethernet interface.
  2. Configure a static ARP entry.
  3. Set the IP address of the subnet node and the corresponding MAC address.
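The complete procedure in Junos CLI form, added here as an example rather than taken from the page. The neighbor address 10.1.1.3 is an assumption, since the page gives only the interface address and the neighbor's MAC address. The zone name trust is also assumed and appears only because the verification section pings the interface, which an SRX answers only when ping is permitted as a host-inbound service on the interface's zone.

```junos
[edit]
user@host# set interfaces ge-0/0/3 unit 0 family inet address 10.1.1.1/24 arp 10.1.1.3 mac 00:ff:85:7f:78:03 publish
user@host# show interfaces ge-0/0/3
unit 0 {
    family inet {
        address 10.1.1.1/24 {
            arp 10.1.1.3 mac 00:ff:85:7f:78:03 publish;
        }
    }
}
user@host# set security zones security-zone trust interfaces ge-0/0/3.0 host-inbound-traffic system-services ping
user@host# commit check
configuration check succeeds
user@host# commit
commit complete
user@host# run show arp no-resolve | match 10.1.1.3
user@host# run ping 10.1.1.3 count 3
```

Confirm the MAC address from the node itself before committing. A static entry is never corrected by a received ARP reply, so a typo blackholes traffic to that node, and with publish the device will also answer other hosts' ARP requests for 10.1.1.3 with the wrong address. The same property is what makes the entry worth having: a forged ARP reply from another host on the segment cannot overwrite it.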

Results

From configuration mode, confirm your configuration by entering the show interfaces ge-0/0/3 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Static ARP Configurations

Purpose

Verify the IP address and MAC (hardware) address of the node.

Action

From operational mode, enter the show interfaces ge-0/0/3 command.

Purpose

Verify that all interfaces on the device are operational using the ping tool on each peer address in the network.

Action

For each interface on the device:

  1. In the J-Web interface, select Troubleshoot>Ping Host.
  2. In the Remote Host box, type the address of the interface for which you want to verify the link state.
  3. Click Start. The output appears on a separate page.

If the interface is operational, it generates an ICMP response. If this response is received, the round-trip time in milliseconds is listed in the time field.

Verifying Interface Properties

Purpose

Verify that the interface properties are correct.

Action

From operational mode, enter the show interfaces detail command.

user@host> show interfaces detail

The output shows a summary of interface information. Verify the following information:

  • The physical interface is Enabled. If the interface is shown as Disabled, do one of the following:

    • In the CLI configuration editor, delete the disable statement at the [edit interfaces ge-0/0/3] level of the configuration hierarchy.

    • In the J-Web configuration editor, clear the Disable check box on the Interfaces> ge-0/0/3 page.

  • The physical link is Up. A link state of Down indicates a problem with the interface module, interface port, or physical connection (link-layer errors).

  • The Last Flapped time is an expected value. The Last Flapped time indicates the last time the physical interface became unavailable and then available again. Unexpected flapping indicates likely link-layer errors.

  • The traffic statistics reflect expected input and output rates. Verify that the number of inbound and outbound bytes and packets matches expected throughput for the physical interface. To clear the statistics and see only new changes, use the clear interfaces statistics ge-0/0/3 command.

Understanding Promiscuous Mode on Ethernet Interfaces

When promiscuous mode is enabled on a Layer 3 Ethernet interface, all packets received on the interface are sent to the central point or Services Processing Unit (SPU) regardless of the destination MAC address of the packet. You can also enable promiscuous mode on chassis cluster redundant Ethernet interfaces and aggregated Ethernet interfaces. If you enable promiscuous mode on a redundant Ethernet interface, promiscuous mode is then enabled on any child physical interfaces. If you enable promiscuous mode on an aggregated Ethernet interface, promiscuous mode is then enabled on all member interfaces.

Understanding Promiscuous Mode on the SRX5K-MPC

The promiscuous mode function is supported on 1-Gigabit, 10-Gigabit, 40-Gigabit, and 100-Gigabit Ethernet interfaces on the I/O cards (IOCs) and the SRX5000 line Module Port Concentrator (SRX5K-MPC).


By default, an interface performs destination MAC filtering: it accepts only frames addressed to its own MAC address, to the broadcast address, or to multicast groups it has joined, and drops the rest in hardware. You can configure promiscuous mode on the interface to disable MAC filtering, after which every frame on the segment is passed up to the SPU. When you delete the promiscuous mode configuration, the interface performs MAC filtering again.

You can change the MAC address of an interface even when the interface is operating in promiscuous mode. When the interface is operating in normal mode again, the MAC filtering function on the IOC uses the new MAC address to filter the packets.


Example: Configuring Promiscuous Mode on the SRX5K-MPC

This example shows how to configure promiscuous mode on an SRX5K-MPC interface in an SRX5600 to disable MAC address filtering.

Requirements

This example uses the following hardware and software components:

  • An SRX5600 with an SRX5K-MPC that includes a 100-Gigabit Ethernet CFP transceiver

  • Junos OS Release 12.1X47-D10 or later

No special configuration beyond device initialization is required before configuring this feature.

Overview

By default, the interfaces on an SRX5K-MPC have MAC address filtering enabled. In this example, you configure promiscuous mode on an interface to disable MAC address filtering. Then you delete promiscuous mode to reenable MAC address filtering on the interface.

Configuration

Configuring Promiscuous Mode on an Interface

CLI Quick Configuration

To quickly configure this example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see the Junos OS CLI User Guide.

To configure promiscuous mode:

  1. Configure the ingress interface.
  2. Enable promiscuous mode on the interface.

Results

From configuration mode, confirm your configuration by entering the show command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Disabling Promiscuous Mode on an Interface

CLI Quick Configuration

To quickly configure this example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To disable promiscuous mode:

  1. Disable promiscuous mode on the interface.
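Both procedures, enabling promiscuous mode on et-4/0/0 and deleting it again, together with the verification commands the following section describes, as an added example not taken from the page. The 198.51.100.1/24 address for the ingress interface is an assumption.

```junos
[edit]
user@host# set interfaces et-4/0/0 unit 0 family inet address 198.51.100.1/24
user@host# set interfaces et-4/0/0 promiscuous-mode
user@host# commit
commit complete
user@host# run show interfaces et-4/0/0 | match "Interface flags"
user@host# run monitor interface traffic

[edit]
user@host# delete interfaces et-4/0/0 promiscuous-mode
user@host# show | compare
[edit interfaces et-4/0/0]
-   promiscuous-mode;
user@host# commit
commit complete
user@host# run show interfaces et-4/0/0 | match "Interface flags"
```

Promiscuous mode removes the only filter that keeps frames addressed to other hosts on the segment away from the SPU, so while it is on, every frame the segment carries is processed by the security device. Enable it only for the task that needs it, commit the delete as soon as you are done, and confirm with the Interface flags line that Promiscuous no longer appears. As the topic above notes, the setting also propagates to every member of an aggregated or redundant Ethernet interface it is applied to.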

Verification

Confirm that the configuration is working properly.

Verifying That Promiscuous Mode Is Enabled on the SRX5K-MPC

Purpose

Verify that promiscuous mode is enabled on the interface.

Action

From operational mode, enter the show interfaces command.

Meaning

The Interface flags: Promiscuous field shows that promiscuous mode is enabled on the interface.

Verifying the Status of Promiscuous Mode

Purpose

Verify that promiscuous mode works on the et-4/0/0 interface.

Action

Send traffic into the et-4/0/0 interface with a destination MAC address that is different from the interface's MAC address, and turn on promiscuous mode.

From operational mode, enter the monitor interface traffic command.

Meaning

The input packets and pps fields show that traffic is passing through the et-4/0/0 interface as expected after promiscuous mode is enabled.

Verifying That Promiscuous Mode Is Disabled

Purpose

Verify that disabled promiscuous mode works on the et-4/0/0 interface.

Action

Send traffic into the et-4/0/0 interface with a destination MAC address that is different from the interface's MAC address, and turn off promiscuous mode.

From operational mode, enter the monitor interface traffic command.

Meaning

The pps field shows that the traffic is not passing through the et-4/0/0 interface after promiscuous mode is disabled.

Example: Deleting an Ethernet Interface

This example shows how to delete an Ethernet interface.

Requirements

No special configuration beyond device initialization is required before configuring an interface.

Overview

In this example, you delete the ge-1/0/0 interface.

Note

Performing this action removes the interface from the software configuration and disables it. Network interfaces remain physically present, and their identifiers continue to appear on J-Web pages.

Configuration

Step-by-Step Procedure

To delete an Ethernet interface:

  1. Specify the interface you want to delete.
  2. If you are done configuring the device, commit the configuration.
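The deletion in Junos CLI form, as an added example that is not part of the original page:

```junos
[edit]
user@host# delete interfaces ge-1/0/0
user@host# show | compare
user@host# commit check
configuration check succeeds
user@host# commit
commit complete
user@host# run show interfaces ge-1/0/0 terse
```

Read the show | compare output before committing: it lists every statement under ge-1/0/0 that the delete removes, including unit-level addresses and any static ARP entries. If another stanza still references ge-1/0/0.0, for example a security zone's interfaces list, remove that reference in the same commit so the configuration does not carry a binding to a logical interface that no longer exists.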

Verification

Purpose

Verify that the configuration is working properly after deleting the interface.

Action

From operational mode, enter the show interfaces command.
