Example: Connecting Junos Fusion Enterprises Over EVPN-MPLS
This configuration example illustrates:
- How to connect two Junos Fusion Enterprises over a WAN running MPLS.
- How to configure Layer 3 connectivity between the network segments.
- How to provide Layer 2 adjacency for endpoints in VLANs across the Junos Fusion Enterprises.
Requirements
This example assumes that the hardware and software required for the example are procured.
To procure hardware, see How to Buy.
All software used in this example or for any Junos Fusion Enterprise can be downloaded from the Junos Fusion Hardware and Software Compatibility Matrices link in the Software Download Center.
Overview and Topology
The topology includes two Junos Fusion Enterprises that are in campus buildings 1 and 2. Both Junos Fusion Enterprises include two aggregation devices and provide access ports using a satellite device cluster. The satellite device cluster in building 1 includes two satellite devices and the satellite device cluster in building 2 includes three satellite devices.
The buildings are connected over a WAN network running MPLS. Every aggregation device is connected to the WAN network and functioning as an MPLS PE device.
This example was validated using the hardware and software components listed in Table 1 and Table 2. The instructions in this network configuration example can be used for any Junos Fusion Enterprise using aggregation devices running Junos OS Release 17.4R1 or later. See Junos Fusion Hardware and Software Compatibility Matrices and Understanding Junos Fusion Enterprise Software and Hardware Requirements for additional information on Junos Fusion Enterprise software version compatibility.
Table 1: Campus Building 1 Hardware and Software Components
Device Name | Device Model | Software Version |
---|---|---|
AD1-Building 1 | EX9208 | Junos OS Release 17.4R1 |
AD2-Building 1 | EX9208 | Junos OS Release 17.4R1 |
SD-Cluster-Building 1 | 2 EX4300 | Satellite Software 3.3R2.4 |
Table 2: Campus Building 2 Hardware and Software Components
Device Name | Device Model | Software Version |
---|---|---|
AD1-Building 2 | EX9208 | Junos OS Release 17.4R1 |
AD2-Building 2 | EX9208 | Junos OS Release 17.4R1 |
SD-Cluster-Building 2 | 3 EX4300 | Satellite Software 3.3R2.4 |
Figure 1 provides an overview topology diagram of the setup used in this network configuration example.

This topology includes six VLANs in two Virtual Routing and Forwarding (VRF) instances. VLANs 2 and 3 are located in Building 1 only while VLANs 6 and 7 are located in Building 2 only. VLANs 2, 3, 6, and 7 are all part of VRF1 and are all Layer 3 reachable from both buildings using EVPN Type 5 routes.
VLANs 4 and 5 are in VRF2 in both buildings and are Layer 2 stretched across the campuses. EVPN Type 5 routes are, therefore, not sent to connect the campuses in VRF2 because VRF2 does not have a need for Layer 3 reachability.
Table 3 summarizes the VLANs used in this topology.
Table 3: VLAN Summary
VLAN | Building | Virtual Routing and Forwarding Instance |
---|---|---|
V2 | 1 | VRF1 |
V3 | 1 | VRF1 |
V4 | 1 & 2 | VRF2 |
V5 | 1 & 2 | VRF2 |
V6 | 2 | VRF1 |
V7 | 2 | VRF1 |
Figure 2 illustrates the relationships between the VRFs, IRBs, and VLANs used in this network configuration example.

Configuration
To configure this topology, perform these tasks:
- Configuring the Aggregation Devices as MPLS PE Devices and Enabling OSPF as the Routing Protocol
- Configuring the MP-BGP Overlay Between the Aggregation Devices
Configuring the Junos Fusion Enterprises
This section provides a summary configuration required to deploy Junos Fusion Enterprise in each campus building.
For a detailed example of a Junos Fusion Enterprise implementation, see Example: Enabling Junos Fusion Enterprise on an Enterprise Campus Network.
CLI Quick Configuration
See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.
Step-by-Step Procedure
To configure the Junos Fusion Enterprise in each campus building:
- Configure the satellite device clusters:
Building1-AD1 Example:
set chassis satellite-management cluster SD-Cluster-Building1 cluster-id 1
set chassis satellite-management cluster SD-Cluster-Building1 cascade-ports ge-5/0/6
set chassis satellite-management cluster SD-Cluster-Building1 fpc 100 alias SD100
set chassis satellite-management cluster SD-Cluster-Building1 fpc 100 member-id 1
set chassis satellite-management cluster SD-Cluster-Building1 fpc 100 system-id 4c:96:14:e9:91:c0
set chassis satellite-management cluster SD-Cluster-Building1 fpc 108 alias SD108
set chassis satellite-management cluster SD-Cluster-Building1 fpc 108 member-id 8
set chassis satellite-management cluster SD-Cluster-Building1 fpc 108 system-id 4c:96:14:e9:ee:c0
This step must be performed on each aggregation device.
For detailed information on satellite device clustering:
- Create the redundancy groups. The redundancy groups are
needed to enable dual aggregation devices in a Junos Fusion Enterprise
topology.
Building1-AD1 Example:
set chassis satellite-management redundancy-groups chassis-id 1
set chassis satellite-management redundancy-groups rg1 redundancy-group-id 2
set chassis satellite-management redundancy-groups rg1 peer-chassis-id 2 inter-chassis-link ge-5/0/2
set chassis satellite-management redundancy-groups rg1 cluster SD-Cluster-Building1
For detailed information on the components of redundancy group configuration, see Configuring the Dual Aggregation Device Topology in Configuring or Expanding a Junos Fusion Enterprise.
- Perform these steps to ensure the EX4300 switches are
converted into satellite devices.
Download the satellite software. The satellite software is downloaded to the /var/tmp directory on the aggregation devices in these instructions, but it can also be downloaded to other local and remote locations. See Software Download: Junos Fusion to retrieve the software and Installing Satellite Software and Adding Satellite Devices to the Junos Fusion for information on additional satellite software download options.
Enable automatic satellite device conversion:
Building1-AD1 Example:
set chassis satellite-management auto-satellite-conversion satellite 100
set chassis satellite-management auto-satellite-conversion satellite 108
Associate the satellite software upgrade group with a satellite software image:
Building1-AD1 Example:
request system software add /var/tmp/satellite-ppc-3.3R1.1-signed.tgz upgrade-group SD-Cluster-Building1
The upgrade group name in this step is the name of the satellite device cluster.
A switch must be running a supported version of Junos OS and zeroized before it can be converted into a satellite device. See Preparing a Switch Running Junos OS to Become a Satellite Device before converting a switch into a satellite device.
- Enable ICCP and ICL between the aggregation devices.
Building1-AD1 Example:
set interfaces ge-5/0/2 description icl-link
set interfaces ge-5/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-5/0/2 unit 0 family ethernet-switching vlan members 2-5
set interfaces ge-5/0/3 description iccp-link
set interfaces ge-5/0/3 unit 0 family inet address 10.20.20.1/24
set protocols iccp local-ip-addr 10.20.20.1
For detailed information on the functions of ICCP and ICL in a Junos Fusion Enterprise using dual aggregation devices, see Configuring the Dual Aggregation Device Topology in Configuring or Expanding a Junos Fusion Enterprise.
- Configure an interface or interfaces on the aggregation
device into a cascade port to connect the aggregation devices to satellite
devices.
Building1-AD1 Example:
set interfaces ge-5/0/6 cascade-port
- Configure an uplink port policy to define which ports
on the satellite devices connect to the aggregation devices and other
satellite devices.
Building1-AD1 Example:
set policy-options satellite-policies port-group-alias uplink_policy pic 0 port 3
set policy-options satellite-policies port-group-alias uplink_policy pic 0 port 2
set policy-options satellite-policies port-group-alias uplink_policy pic 0 port 4
set policy-options satellite-policies port-group-alias uplink_policy pic 1 port 3
set policy-options satellite-policies port-group-alias uplink_policy pic 1 port 1
set policy-options satellite-policies port-group-alias uplink_policy pic 1 port 2
set policy-options satellite-policies port-group-alias uplink_policy pic 1 port 0
set policy-options satellite-policies port-group-alias uplink_policy pic 1 port 4
set policy-options satellite-policies port-group-alias uplink_policy pic 2 port 0
set policy-options satellite-policies port-group-alias uplink_policy pic 2 port 3
set policy-options satellite-policies port-group-alias uplink_policy pic 2 port 1
set policy-options satellite-policies port-group-alias uplink_policy pic 2 port 2
set policy-options satellite-policies candidate-uplink-port-policy sd_policy uplink-port-group uplink_policy
set chassis satellite-management cluster-policy sd_policy
See Configuring Uplink Port Policies on a Junos Fusion for additional information on uplink port policies.
- Repeat these configuration steps from each aggregation device, as needed.
Configuring the Aggregation Devices as MPLS PE Devices and Enabling OSPF as the Routing Protocol
The aggregation devices in the Junos Fusion Enterprises in this topology function as MPLS Provider Edge (PE) devices. IP over MPLS runs in the WAN in this topology, using OSPF as the routing protocol and LDP as the signaling protocol. All WAN-connected interfaces on the aggregation devices, therefore, must enable MPLS, OSPF, and LDP to enable the topology in this network configuration example.
Figure 3 illustrates the MPLS and OSPF topology.

CLI Quick Configuration
See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.
Step-by-Step Procedure
To configure MPLS, OSPF, and LDP on the WAN-facing interfaces:
- Configure the loopback interface IP address:
Building1-AD1 Example
set interfaces lo0 unit 0 family inet address 192.168.93.1/32
- Configure the IP address of the WAN-facing interface:
Building1-AD1 Example
set interfaces ge-5/0/5 unit 0 family inet address 10.1.0.1/30
- Enable OSPF on the loopback interface and on the WAN-facing
interface. Disable OSPF on the management ethernet interface.
Building1-AD1 Example
set protocols ospf area 0.0.0.0 interface ge-5/0/5.0
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface fxp0.0 disable
- Enable MPLS on the WAN-facing interface.
Building1-AD1 Example
set interfaces ge-5/0/5 unit 0 family mpls
set protocols mpls interface ge-5/0/5.0
- Enable LDP on the WAN-facing interface.
Building1-AD1 Example
set protocols ldp interface ge-5/0/5.0
- Repeat these steps for each WAN-facing interface on each aggregation device.
Configuring the MP-BGP Overlay Between the Aggregation Devices
IP connectivity was established between the loopback interfaces of the aggregation devices in the previous section.
MP-BGP connectivity is established in this topology by placing all of the WAN-facing interfaces on the aggregation devices into the same autonomous system. This topology uses iBGP as the BGP type and EVPN for signaling.
Figure 4 illustrates the MP-BGP topology.

CLI Quick Configuration
See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.
Step-by-Step Procedure
To configure MP-BGP in this topology:
- Configure the router ID and local BGP address on the aggregation
device.
The router ID and local BGP address match the loopback address that was configured to enable OSPF earlier in this guide to simplify network administration.
Building1-AD1 Example
set routing-options router-id 192.168.93.1
set protocols bgp local-address 192.168.93.1
- Assign the device into the autonomous system (AS). The
local AS and the peer AS are the same value in this topology because
all of the WAN-facing links are in the same AS.
Building1-AD1 Example
set routing-options autonomous-system 64502
set protocols bgp peer-as 64502
set protocols bgp local-as 64502
- Create a BGP group and enable IBGP as the BGP type within
the group. Enable unicast IP VPN and EVPN signaling within the BGP
group.
Building1-AD1 Example
set protocols bgp group evpn_mes type internal
set protocols bgp group evpn_mes family inet-vpn unicast
set protocols bgp group evpn_mes family evpn signaling
- Configure the AS of the BGP group to match the AS numbers
assigned in step 2.
Configure BGP neighborships in the BGP group by configuring the router ID of each aggregation device as a BGP neighbor.
Building1-AD1 Example
set protocols bgp group evpn_mes peer-as 64502
set protocols bgp group evpn_mes neighbor 192.168.93.2
set protocols bgp group evpn_mes neighbor 192.168.93.3
set protocols bgp group evpn_mes neighbor 192.168.93.4
- Repeat these steps for the WAN-facing interfaces on each aggregation device.
Configuring an EVPN Virtual Switch Instance
Junos Fusion Enterprise supports Virtual Switches and VLAN-aware bundle service. VLAN-aware bundle service provides the ability to map a Virtual Switch to many VLAN IDs (VIDs) and multiple bridge tables, with each bridge table corresponding to a different VLAN.
You can configure an Ethernet VPN (EVPN) with virtual switch support to enable multiple tenants with independent VLANs and subnet spaces within an EVPN instance. Virtual switches provide the ability to extend Ethernet VLANs over a WAN using a single EVPN instance while maintaining data-plane separation between the multiple VLANs associated with that instance. A single EVPN instance can stretch up to 4094 bridge domains defined in a virtual switch to remote sites.
In this section, we complete the following tasks:
Define a virtual switch instance.
Assign a unique route-distinguisher for this virtual switch instance.
Define the MC-LAG BGP peer in the Junos Fusion Enterprise.
Define VLANs that are part of the virtual switch instance.
Configure VLANs that are Layer 2 stretched across the two Junos Fusion Enterprises in different buildings.
Figure 5 illustrates the Virtual Switch instance that is configured in these steps.

CLI Quick Configuration
See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.
Step-by-Step Procedure
To configure this virtual switch instance:
- Create a routing instance that uses the virtual switch
instance type. Associate the virtual switch with a route distinguisher
and a Virtual Routing and Forwarding (VRF) instance.
Building 1-AD1 Example
set routing-instances evpn1 instance-type virtual-switch
set routing-instances evpn1 route-distinguisher 192.168.93.1:1
set routing-instances evpn1 vrf-target target:64502:1
- Enable and configure EVPN in the virtual switch.
This configuration includes two VLANs—VLAN 4 and VLAN 5—that are stretched to carry Layer 2 traffic for both campuses over the WAN. This Layer 2 stretching is configured using the extended-vlan-list option.
Building 1-AD1 Example
set routing-instances evpn1 protocols evpn label-allocation per-instance
set routing-instances evpn1 protocols evpn encapsulation mpls
set routing-instances evpn1 protocols evpn extended-vlan-list 4-5
set routing-instances evpn1 protocols evpn mclag bgp-peer 192.168.93.2
- Configure a service ID for the virtual switch. This service
ID should match for the virtual switch instances on all aggregation
devices.
Building 1-AD1 Example
set routing-instances evpn1 switch-options service-id 1
- Configure the VLANs into the virtual switch instance.
Associate the VLANs with IRB interfaces and disable ARP suppression
for each VLAN.
Building 1-AD1 Example
set routing-instances evpn1 vlans v2 vlan-id 2
set routing-instances evpn1 vlans v2 l3-interface irb.2
set routing-instances evpn1 vlans v2 no-arp-suppression
set routing-instances evpn1 vlans v3 vlan-id 3
set routing-instances evpn1 vlans v3 l3-interface irb.3
set routing-instances evpn1 vlans v3 no-arp-suppression
set routing-instances evpn1 vlans v4 vlan-id 4
set routing-instances evpn1 vlans v4 l3-interface irb.4
set routing-instances evpn1 vlans v4 no-arp-suppression
set routing-instances evpn1 vlans v5 vlan-id 5
set routing-instances evpn1 vlans v5 l3-interface irb.5
set routing-instances evpn1 vlans v5 no-arp-suppression
- Create and apply an export routing policy that enables
per-packet load balancing for EVPN traffic in the virtual switch instance.
Building 1-AD1 Example
set policy-options policy-statement evpn-pplb from protocol evpn
set policy-options policy-statement evpn-pplb then load-balance per-packet
set routing-options forwarding-table export evpn-pplb
- Enable the aggregation devices to use chained composite
next hops to manage ingress EVPN routes.
Building 1-AD1 Example
set routing-options forwarding-table chained-composite-next-hop ingress evpn
- Repeat this procedure on each aggregation device.
Configuring Extended Ports into the Routing Instance
Extended ports on satellite devices are typically used to connect endpoint devices into the network. The extended ports are connected to PCs in this network configuration example.
The extended ports are configured into the virtual switch instance—the routing instance named evpn1 that was configured in the previous procedure—and associated with VLANs in this procedure.
Figure 6 illustrates the hosts and the extended ports that are configured in these steps.

CLI Quick Configuration
See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.
Step-by-Step Procedure
To configure the extended ports:
- Configure the extended ports into an Ethernet Segment,
and enable all active forwarding.
Building1-AD1 Example
set interfaces ge-100/0/0 unit 0 esi 00:01:02:03:04:00:01:02:04:26
set interfaces ge-100/0/0 unit 0 esi all-active
set interfaces ge-100/0/1 unit 0 esi 00:01:02:03:04:00:01:02:04:28
set interfaces ge-100/0/1 unit 0 esi all-active
- Configure the interface mode—either trunk or access
port mode—and associate VLANs with each extended port.
Building1-AD1 Example
set interfaces ge-100/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-100/0/0 unit 0 family ethernet-switching vlan members 4-5
set interfaces ge-100/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-100/0/1 unit 0 family ethernet-switching vlan members 2-3
- Configure the extended port into the virtual switch routing
instance.
Building1-AD1 Example
set routing-instances evpn1 interface ge-100/0/0.0
set routing-instances evpn1 interface ge-100/0/1.0
- Repeat this procedure for each extended port.
Configuring Layer 3 and Network Segmentation
In this topology, Layer 3 segmentation happens by creating two VRF instances, VRF 1 and VRF 2.
VRF 1 contains VLANs 1, 2, 6, and 7. VLANs 1 and 2 are configured in building 1 only and VLANs 6 and 7 are configured in building 2 only. Traffic in VRF 1, therefore, does not have a method to cross the WAN without further configuration. EVPN Type 5 routes, which are often also referred to as IP prefix routes, are used in this example to provide Layer 3 connectivity across the WAN for the VLANs in VRF 1.
VRF 2 contains VLANs 4 and 5. VLANs 4 and 5 operate in both buildings and were Layer 2 stretched across the buildings in an earlier step. There is, therefore, no need to configure connectivity across the WAN for the VLANs in VRF 2.
Figure 7 illustrates the Layer 3 network segmentation in this example.

CLI Quick Configuration
See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.
Step-by-Step Procedure
To configure layer 3 segmentation:
- Create and configure the IRB interfaces on the aggregation
devices:
Building1-AD1 Example
set interfaces irb unit 2 family inet address 10.20.2.3/24 virtual-gateway-address 10.20.2.1
set interfaces irb unit 3 family inet address 10.20.3.3/24 virtual-gateway-address 10.20.3.1
set interfaces irb unit 4 family inet address 10.20.4.3/24 virtual-gateway-address 10.20.4.1
set interfaces irb unit 5 family inet address 10.20.5.3/24 virtual-gateway-address 10.20.5.1
- Create the VRF instances. Assign the IRB interfaces and
the WAN-facing interfaces into the VRF instances.
Building1-AD1 Example
set routing-instances VRF-1 instance-type vrf
set routing-instances VRF-1 interface ge-5/0/8.0
set routing-instances VRF-1 interface irb.2
set routing-instances VRF-1 interface irb.3
set routing-instances VRF-2 instance-type vrf
set routing-instances VRF-2 interface ge-5/0/8.1
set routing-instances VRF-2 interface irb.4
set routing-instances VRF-2 interface irb.5
- Configure the route distinguisher and target in each VRF
instance. Enable the VRF table label option to ensure efficient handling
of traffic using the VRF.
Configure the community targets for each VRF to match the VRF target in the routing instances.
Building1-AD1 Example
set routing-instances VRF-1 route-distinguisher 192.168.93.1:2
set routing-instances VRF-1 vrf-target target:64502:7
set routing-instances VRF-1 vrf-table-label
set routing-instances VRF-2 vrf-import vrf2-import-policy
set routing-instances VRF-2 vrf-target target:64502:10
set routing-instances VRF-2 vrf-table-label
set policy-options community VRF1 members target:64502:7
set policy-options community VRF2 members target:64502:10
- (Optional. DHCP Relay config only) Configure DHCP Relay
within the VRFs.
Building1-AD1 Example
set routing-instances VRF-1 forwarding-options dhcp-relay forward-snooped-clients all-interfaces
set routing-instances VRF-1 forwarding-options dhcp-relay overrides allow-snooped-clients
set routing-instances VRF-1 forwarding-options dhcp-relay overrides trust-option-82
set routing-instances VRF-1 forwarding-options dhcp-relay server-group dhcp-server1 10.1.0.10
set routing-instances VRF-1 forwarding-options dhcp-relay group dhcp-relay-group-1 active-server-group dhcp-server1
set routing-instances VRF-1 forwarding-options dhcp-relay group dhcp-relay-group-1 route-suppression destination
set routing-instances VRF-1 forwarding-options dhcp-relay group dhcp-relay-group-1 interface irb.2
set routing-instances VRF-1 forwarding-options dhcp-relay group dhcp-relay-group-1 interface irb.3
set routing-instances VRF-2 forwarding-options dhcp-relay forward-snooped-clients all-interfaces
set routing-instances VRF-2 forwarding-options dhcp-relay overrides allow-snooped-clients
set routing-instances VRF-2 forwarding-options dhcp-relay overrides trust-option-82
set routing-instances VRF-2 forwarding-options dhcp-relay server-group dhcp-server1 10.1.0.14
set routing-instances VRF-2 forwarding-options dhcp-relay group dhcp-relay-group-1 active-server-group dhcp-server1
set routing-instances VRF-2 forwarding-options dhcp-relay group dhcp-relay-group-1 route-suppression destination
set routing-instances VRF-2 forwarding-options dhcp-relay group dhcp-relay-group-1 interface irb.4
set routing-instances VRF-2 forwarding-options dhcp-relay group dhcp-relay-group-1 interface irb.5
- Enable OSPF within the VRFs. The IRB interfaces and the
WAN-facing interfaces must be configured into OSPF in each VRF instance.
Building1-AD1 Example
set routing-instances VRF-1 protocols ospf area 0.0.0.0 interface ge-5/0/8.0
set routing-instances VRF-1 protocols ospf area 0.0.0.0 interface irb.2
set routing-instances VRF-1 protocols ospf area 0.0.0.0 interface irb.3
set routing-instances VRF-2 protocols ospf area 0.0.0.0 interface ge-5/0/8.1
set routing-instances VRF-2 protocols ospf area 0.0.0.0 interface irb.4
set routing-instances VRF-2 protocols ospf area 0.0.0.0 interface irb.5
- Enable EVPN with a routing policy that enables and defines
the IP prefixes to send in the type 5 messages sent between the aggregation
devices in different buildings.
This step is configured in VRF 1 only. EVPN type 5 routes are not needed in VRF 2 in this topology.
Building1-AD1 Example
set policy-options prefix-list type-5 10.20.1.0/24
set policy-options prefix-list type-5 10.20.2.0/24
set policy-options policy-statement EXPORT-TYPE-5 term get_routes from prefix-list type-5
set policy-options policy-statement EXPORT-TYPE-5 term get_routes then accept
set policy-options policy-statement EXPORT-TYPE-5 term others then reject
set routing-instances VRF-1 protocols evpn ip-prefix-routes advertise direct-nexthop
set routing-instances VRF-1 protocols evpn ip-prefix-routes encapsulation mpls
set routing-instances VRF-1 protocols evpn ip-prefix-routes export EXPORT-TYPE-5
- Repeat this procedure on the other aggregation devices, as needed.
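The following added example (not Juniper's code; the function names and finding labels are hypothetical) parses the Building1-AD1 set commands from this page and checks two segmentation properties: every VLAN's IRB interface belongs to exactly one VRF, and the prefix list behind the Type 5 export policy lists the IRB subnets of that VRF. It assumes that every policy term matching on a prefix list accepts, which holds for EXPORT-TYPE-5.

```python
import ipaddress
from collections import defaultdict

# Building1-AD1 commands copied from this page (VLAN, IRB, VRF and Type 5 steps).
CONFIG = """\
set routing-instances evpn1 vlans v2 l3-interface irb.2
set routing-instances evpn1 vlans v3 l3-interface irb.3
set routing-instances evpn1 vlans v4 l3-interface irb.4
set routing-instances evpn1 vlans v5 l3-interface irb.5
set interfaces irb unit 2 family inet address 10.20.2.3/24 virtual-gateway-address 10.20.2.1
set interfaces irb unit 3 family inet address 10.20.3.3/24 virtual-gateway-address 10.20.3.1
set interfaces irb unit 4 family inet address 10.20.4.3/24 virtual-gateway-address 10.20.4.1
set interfaces irb unit 5 family inet address 10.20.5.3/24 virtual-gateway-address 10.20.5.1
set routing-instances VRF-1 instance-type vrf
set routing-instances VRF-1 interface ge-5/0/8.0
set routing-instances VRF-1 interface irb.2
set routing-instances VRF-1 interface irb.3
set routing-instances VRF-2 instance-type vrf
set routing-instances VRF-2 interface ge-5/0/8.1
set routing-instances VRF-2 interface irb.4
set routing-instances VRF-2 interface irb.5
set policy-options prefix-list type-5 10.20.1.0/24
set policy-options prefix-list type-5 10.20.2.0/24
set policy-options policy-statement EXPORT-TYPE-5 term get_routes from prefix-list type-5
set policy-options policy-statement EXPORT-TYPE-5 term get_routes then accept
set policy-options policy-statement EXPORT-TYPE-5 term others then reject
set routing-instances VRF-1 protocols evpn ip-prefix-routes export EXPORT-TYPE-5
"""


def parse(config):
    """Build a small model of VLANs, IRBs, VRFs and the Type 5 export policy."""
    m = {"vlan_irb": {}, "irb_net": {}, "vrfs": set(), "type5_export": {},
         "ri_ifaces": defaultdict(set), "prefix_lists": defaultdict(set),
         "policy_lists": defaultdict(set)}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["set", "routing-instances"] and len(t) > 3:
            name, rest = t[2], t[3:]
            if rest[:2] == ["instance-type", "vrf"]:
                m["vrfs"].add(name)
            elif rest[0] == "interface" and len(rest) == 2:
                m["ri_ifaces"][name].add(rest[1])
            elif rest[0] == "vlans" and rest[2:3] == ["l3-interface"]:
                m["vlan_irb"][rest[1]] = rest[3]
            elif rest[:4] == ["protocols", "evpn", "ip-prefix-routes", "export"]:
                m["type5_export"][name] = rest[4]
        elif t[:4] == ["set", "interfaces", "irb", "unit"] and t[5:8] == ["family", "inet", "address"]:
            m["irb_net"]["irb." + t[4]] = ipaddress.ip_interface(t[8]).network
        elif t[:3] == ["set", "policy-options", "prefix-list"]:
            m["prefix_lists"][t[3]].add(ipaddress.ip_network(t[4]))
        elif t[:3] == ["set", "policy-options", "policy-statement"] and t[6:8] == ["from", "prefix-list"]:
            m["policy_lists"][t[3]].add(t[8])
    return m


def audit(m):
    """Return a list of finding tuples; an empty list means both checks passed."""
    findings = []
    # Check 1: each VLAN's IRB must sit in exactly one VRF, or segments can mix.
    for vlan, irb in sorted(m["vlan_irb"].items()):
        owners = tuple(sorted(v for v in m["vrfs"] if irb in m["ri_ifaces"][v]))
        if len(owners) != 1:
            findings.append(("irb-vrf-membership", vlan, irb, owners))
    # Check 2: compare the Type 5 export prefix list with the VRF's IRB subnets.
    # A prefix-list match in a "from" clause is an exact match on the prefix.
    for vrf, policy in sorted(m["type5_export"].items()):
        exported = set()
        for plist in m["policy_lists"].get(policy, ()):
            exported |= m["prefix_lists"].get(plist, set())
        local = {m["irb_net"][i]: i for i in m["ri_ifaces"][vrf] if i in m["irb_net"]}
        for net, irb in sorted(local.items()):
            if net not in exported:
                findings.append(("type5-not-exported", vrf, irb, str(net)))
        for net in sorted(exported - set(local)):
            findings.append(("type5-no-local-subnet", vrf, policy, str(net)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse(CONFIG)):
        print(finding)
```

On the Building1-AD1 commands as given, the check reports that 10.20.3.0/24 (irb.3) is not in the type-5 prefix list and that 10.20.1.0/24 matches no IRB subnet in VRF-1.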
Configuring a DHCP Server
A DHCP server is added to this topology in building 1 using these instructions. The server is connected to both aggregation devices.
CLI Quick Configuration
See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.
Step-by-Step Procedure
To configure the DHCP server into the network:
The DHCP server configuration matches on both aggregation devices, and is configured using groups in this document.
- Apply the group configurations:
set apply-groups global
set apply-groups DHCP-SERVER1
set apply-groups DHCP-SERVER2
set apply-groups DHCP-SERVER3
set apply-groups DHCP-SERVER4
Note: Additional configuration is required to support configuration synchronization using groups in a Junos Fusion. See Understanding Configuration Synchronization in a Junos Fusion and Enabling Configuration Synchronization Between Aggregation Devices in a Junos Fusion.
- Configure the interfaces on the aggregation device that
connect to the DHCP server—in this case, ge-0/0/10 and ge-0/0/11—into
the DHCP local server group.
Building 1-AD1 & Building1-AD2 Example
set groups DHCP-SERVER1 system services dhcp-local-server group dhcp-server1 interface ge-0/0/10.0
set groups DHCP-SERVER1 system services dhcp-local-server group dhcp-server1 interface ge-0/0/11.0
set groups DHCP-SERVER2 system services dhcp-local-server group dhcp-server1 interface ge-0/0/10.0
set groups DHCP-SERVER2 system services dhcp-local-server group dhcp-server1 interface ge-0/0/11.0
set groups DHCP-SERVER3 system services dhcp-local-server group dhcp-server1 interface ge-0/0/10.1
set groups DHCP-SERVER3 system services dhcp-local-server group dhcp-server1 interface ge-0/0/11.1
set groups DHCP-SERVER4 system services dhcp-local-server group dhcp-server1 interface ge-0/0/10.1
set groups DHCP-SERVER4 system services dhcp-local-server group dhcp-server1 interface ge-0/0/11.1
- Configure the DHCP address pools for each group.
Building 1-AD1 & Building1-AD2 Example
set groups DHCP-SERVER1 access address-assignment pool p1 family inet network 10.20.2.0/24
set groups DHCP-SERVER1 access address-assignment pool p1 family inet range p1_range low 10.20.2.5
set groups DHCP-SERVER1 access address-assignment pool p1 family inet range p1_range high 10.20.2.254
set groups DHCP-SERVER2 access address-assignment pool p2 family inet network 10.20.3.0/24
set groups DHCP-SERVER2 access address-assignment pool p2 family inet range p2_range low 10.20.3.5
set groups DHCP-SERVER2 access address-assignment pool p2 family inet range p2_range high 10.20.3.254
set groups DHCP-SERVER3 access address-assignment pool p3 family inet network 10.20.4.0/24
set groups DHCP-SERVER3 access address-assignment pool p3 family inet range p3_range low 10.20.4.8
set groups DHCP-SERVER3 access address-assignment pool p3 family inet range p3_range high 10.20.4.254
set groups DHCP-SERVER4 access address-assignment pool p4 family inet network 10.20.5.0/24
set groups DHCP-SERVER4 access address-assignment pool p4 family inet range p4_range low 10.20.5.8
set groups DHCP-SERVER4 access address-assignment pool p4 family inet range p4_range high 10.20.5.254
- Configure the VLAN associations and the IP addresses of
each DHCP-server facing interface on the aggregation devices.
Building 1-AD1 & Building1-AD2 Example
set interfaces ge-0/0/10 vlan-tagging
set interfaces ge-0/0/10 unit 0 vlan-id 2
set interfaces ge-0/0/10 unit 0 family inet address 10.1.0.10/30
set interfaces ge-0/0/10 unit 1 vlan-id 3
set interfaces ge-0/0/10 unit 1 family inet address 10.1.0.14/30
set interfaces ge-0/0/11 vlan-tagging
set interfaces ge-0/0/11 unit 0 vlan-id 4
set interfaces ge-0/0/11 unit 0 family inet address 10.1.0.18/30
set interfaces ge-0/0/11 unit 1 vlan-id 5
set interfaces ge-0/0/11 unit 1 family inet address 10.1.0.22/30
- Configure the DHCP-server facing interfaces on the aggregation
devices into the OSPF area:
Building 1-AD1 & Building1-AD2 Example
set protocols ospf area 0.0.0.0 interface fxp0.0 disable
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/10.0
set protocols ospf area 0.0.0.0 interface ge-0/0/10.1
set protocols ospf area 0.0.0.0 interface ge-0/0/11.0
set protocols ospf area 0.0.0.0 interface ge-0/0/11.1
Configuring 802.1X and MAC RADIUS Authentication
This procedure shows how to enable an authentication order that includes 802.1X and MAC RADIUS for the hosts connected to the extended ports in campus building 1. The configuration assumes a RADIUS server is connected to both aggregation devices in the campus.
Figure 8 illustrates the 802.1X and MAC authentication topology.

CLI Quick Configuration
See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.
Step-by-Step Procedure
To configure an authentication order with 802.1X and MAC RADIUS on a host connected to an extended port:
- Configure the extended port into an ESI and configure
the interface type.
Building1-AD1 Example
set interfaces ge-100/0/1 unit 0 esi 00:01:02:03:04:00:01:02:04:28
set interfaces ge-100/0/1 unit 0 esi all-active
set interfaces ge-100/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-100/0/0 unit 0 esi 00:01:02:03:04:00:01:02:04:26
set interfaces ge-100/0/0 unit 0 esi all-active
set interfaces ge-100/0/0 unit 0 family ethernet-switching interface-mode access
- Create the 802.1X access profile. The profile is associated
with the extended port interfaces in a later step.
Building1-AD1 Example
set access profile dot1x_profile authentication-order radius
set access profile dot1x_profile radius authentication-server 10.204.38.247
set access profile dot1x_profile radius options nas-identifier building1-ad1
- Associate the access profile defined in step 2 with the
802.1X protocol.
Building1-AD1 Example
set protocols dot1x authenticator authentication-profile-name dot1x_profile
- Configure the authentication order for each extended port.
Building1-AD1 Example
set protocols dot1x authenticator interface ge-100/0/0.0 authentication-order mac-radius
set protocols dot1x authenticator interface ge-100/0/0.0 supplicant multiple
set protocols dot1x authenticator interface ge-100/0/0.0 mac-radius
set protocols dot1x authenticator interface ge-100/0/1.0 authentication-order dot1x
set protocols dot1x authenticator interface ge-100/0/1.0 authentication-order mac-radius
set protocols dot1x authenticator interface ge-100/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-100/0/1.0 mac-radius
- Configure the RADIUS server.
The RADIUS server configuration can vary between servers and the configuration for each RADIUS server option is beyond the scope of this document. The following sample RADIUS server configuration, however, is provided for illustrative purposes.
ssh root@user-radius
pwd: password
Below is a sample RADIUS server configuration file. The file is located in the /etc/freeradius/users directory on the RADIUS server.
user2 Auth-Type = EAP, Cleartext-Password := "password"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "v2",
    Session-Timeout = 360000
user3 Auth-Type = EAP, Cleartext-Password := "password"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "v3",
    Session-Timeout = 360000
001605821122 User-Password :="001605821122"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "data-vlan",
    Session-Timeout = 360000
001605821123 User-Password :="001605821123"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "v5",
    Session-Timeout = 360000
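As an added example (not Juniper's code; the function names and finding labels are hypothetical), this script cross-checks the authenticator configuration and the sample users file above. It lists extended ports in the evpn1 virtual switch that have no dot1x authenticator stanza, ports whose authentication order never tries 802.1X so that the MAC address is the only credential, and RADIUS entries that return a VLAN the virtual switch does not define. It assumes ports with no authentication-order lines use the platform default and leaves them unflagged.

```python
import re
from collections import defaultdict

# Building1-AD1 commands copied from this page.
SWITCH = """\
set routing-instances evpn1 vlans v2 vlan-id 2
set routing-instances evpn1 vlans v3 vlan-id 3
set routing-instances evpn1 vlans v4 vlan-id 4
set routing-instances evpn1 vlans v5 vlan-id 5
set routing-instances evpn1 interface ge-100/0/0.0
set routing-instances evpn1 interface ge-100/0/1.0
set protocols dot1x authenticator interface ge-100/0/0.0 authentication-order mac-radius
set protocols dot1x authenticator interface ge-100/0/0.0 supplicant multiple
set protocols dot1x authenticator interface ge-100/0/0.0 mac-radius
set protocols dot1x authenticator interface ge-100/0/1.0 authentication-order dot1x
set protocols dot1x authenticator interface ge-100/0/1.0 authentication-order mac-radius
set protocols dot1x authenticator interface ge-100/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-100/0/1.0 mac-radius
"""

# Sample users file entries copied from this page (reply items joined on one line).
USERS = """\
user2 Auth-Type = EAP, Cleartext-Password := "password"
    Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "v2", Session-Timeout = 360000
user3 Auth-Type = EAP, Cleartext-Password := "password"
    Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "v3", Session-Timeout = 360000
001605821122 User-Password :="001605821122"
    Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "data-vlan", Session-Timeout = 360000
001605821123 User-Password :="001605821123"
    Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "v5", Session-Timeout = 360000
"""


def parse_switch(config):
    """Return (VLAN names and IDs, ports in the virtual switch, auth order per port)."""
    vlans, ports, order = set(), set(), defaultdict(list)
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["set", "routing-instances"] and t[3:4] == ["vlans"]:
            vlans.add(t[4])                      # VLAN name
            if t[5:6] == ["vlan-id"]:
                vlans.add(t[6])                  # numeric VLAN ID
        elif t[:2] == ["set", "routing-instances"] and t[3:4] == ["interface"]:
            ports.add(t[4])
        elif t[:5] == ["set", "protocols", "dot1x", "authenticator", "interface"]:
            methods = order[t[5]]                # registers the port as an authenticator
            if t[6:7] == ["authentication-order"]:
                methods.append(t[7])
    return vlans, ports, dict(order)


def parse_users(text):
    """Map each users-file entry name to the VLAN in Tunnel-Private-Group-Id."""
    entries, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                # an unindented line starts an entry
            name = line.split()[0]
            entries[name] = None
        m = re.search(r'Tunnel-Private-Group-Id\s*:?=\s*"?([^",\s]+)', line)
        if m and name is not None:
            entries[name] = m.group(1)
    return entries


def audit(config, users):
    """Return finding tuples for unauthenticated ports and unknown RADIUS VLANs."""
    vlans, ports, order = parse_switch(config)
    findings = []
    for port in sorted(ports):
        if port not in order:
            findings.append(("no-authenticator", port))
        elif order[port] and "dot1x" not in order[port]:
            findings.append(("mac-radius-only", port))
    for name, vlan in sorted(parse_users(users).items()):
        if vlan is not None and vlan not in vlans:
            findings.append(("unknown-vlan", name, vlan))
    return findings


if __name__ == "__main__":
    for finding in audit(SWITCH, USERS):
        print(finding)
```

On the inputs above, the script reports ge-100/0/0.0 as MAC RADIUS only and the entry 001605821122 as returning "data-vlan", a VLAN name that the evpn1 commands on this page do not define.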
Configuring Voice over IP
This procedure shows how to connect a Voice over IP phone to an extended port in campus building 1. The topology includes a PC connected to the phone and includes separate VLANs to differentiate handling of data and voice traffic.
Figure 9 illustrates the Voice over IP topology.

CLI Quick Configuration
See Appendix: Connecting Junos Fusion Enterprises Using MPLS Quick Configuration Procedure.
Step-by-Step Procedure
To enable Voice over IP:
- Configure the extended port into an ESI and configure the port mode.
Building1-AD1 Example:
set interfaces ge-108/0/11 unit 0 esi 00:01:02:03:04:00:01:02:04:26
set interfaces ge-108/0/11 unit 0 esi all-active
set interfaces ge-108/0/11 unit 0 family ethernet-switching interface-mode access
- Configure authentication using 802.1X and MAC Radius.
Building1-AD1 Example:
set groups DOT1X protocols dot1x authenticator interface ge-108/0/11.0 authentication-order dot1x
set groups DOT1X protocols dot1x authenticator interface ge-108/0/11.0 authentication-order mac-radius
set groups DOT1X protocols dot1x authenticator interface ge-108/0/11.0 supplicant multiple
set groups DOT1X protocols dot1x authenticator interface ge-108/0/11.0 mac-radius
- Configure the RADIUS server to support the voice and data VLANs.
The RADIUS server configuration options are beyond the scope of this document. The following sample RADIUS server configuration is provided for illustrative purposes only.
Sample RADIUS Server Configuration to Support Voice over IP and Data VLANs:
0004f28ac5e9 User-Password :="0004f28ac5e9"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "data-vlan",
    Juniper-VoIP-Vlan = "voice-vlan",
    Session-Timeout = 360000

user7 Auth-Type = EAP, Cleartext-Password := "password"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "data-vlan",
    Session-Timeout = 360000
- Enable LLDP and LLDP-MED on the extended port:
Building1-AD1 Example
set protocols lldp interface ge-108/0/11
set protocols lldp-med interface ge-108/0/11
- Enable PoE on the extended port:
Building1-AD1 Example
set poe interface ge-108/0/11
- Create or add the extended port to a routing instance.
Building1-AD1 Example
set routing-instances evpn1 interface ge-108/0/11.0
- Create a data and a voice VLAN in the routing instance, and associate an IRB with each VLAN. Configure the extended port as a Voice over IP interface and associate the extended port with the voice VLAN.
Building1-AD1 Example
set routing-instances evpn1 vlans data-vlan l3-interface irb.4
set routing-instances evpn1 vlans data-vlan vlan-id 4
set routing-instances evpn1 vlans data-vlan l3-interface irb.4
set routing-instances evpn1 vlans data-vlan no-arp-suppression
set routing-instances evpn1 vlans voice-vlan l3-interface irb.5
set routing-instances evpn1 vlans voice-vlan vlan-id 5
set routing-instances evpn1 vlans voice-vlan l3-interface irb.5
set routing-instances evpn1 vlans voice-vlan no-arp-suppression
set routing-instances evpn1 switch-options voip interface ge-108/0/11.0 vlan voice-vlan
- Configure the IRB interfaces into a VRF. Enable DHCP relay and OSPF on the IRB interfaces.
Building1-AD1 Example
set routing-instances VRF-2 interface irb.4
set routing-instances VRF-2 forwarding-options dhcp-relay group dhcp-relay-group-1 interface irb.4
set routing-instances VRF-2 protocols ospf area 0.0.0.0 interface irb.4
set routing-instances VRF-2 interface irb.5
set routing-instances VRF-2 forwarding-options dhcp-relay group dhcp-relay-group-1 interface irb.5
set routing-instances VRF-2 protocols ospf area 0.0.0.0 interface irb.5
- Repeat this procedure on aggregation device 2.
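An added example, not part of the original document: a Python audit for a users file in the format of the two sample RADIUS configurations above (802.1X and Voice over IP). It separates MAC RADIUS entries, where the user name and password are both the device MAC address, from 802.1X user entries and reports which VLAN each entry is placed in. The sample data is constructed from entries shown above; the placeholder-password list and the one-day Session-Timeout threshold are assumptions.

```python
import re

# Constructed sample in the layout of the users files above (one entry from
# the 802.1X file, two from the Voice over IP file).
SAMPLE_USERS = '''\
user2 Auth-Type = EAP, Cleartext-Password := "password"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "v2",
    Session-Timeout = 360000

0004f28ac5e9 User-Password := "0004f28ac5e9"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "data-vlan",
    Juniper-VoIP-Vlan = "voice-vlan",
    Session-Timeout = 360000

user7 Auth-Type = EAP, Cleartext-Password := "password"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "data-vlan",
    Session-Timeout = 360000
'''

ATTR = re.compile(r'([A-Za-z][\w-]*)\s*(:=|==|\+=|=)\s*("[^"]*"|[^,\s]+)')
MAC = re.compile(r'^[0-9a-f]{12}$', re.I)
PLACEHOLDER_PASSWORDS = {"password", "changeme", "secret"}  # assumption
MAX_SESSION_TIMEOUT = 86400  # assumption: flag sessions longer than one day


def parse_users(text):
    """First line of an entry = name + check items; indented lines = reply items."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0].isspace():
            if current is None:
                continue
            target, rest = current['reply'], raw
        else:
            parts = raw.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ''
            current = {'name': parts[0], 'check': {}, 'reply': {}}
            entries.append(current)
            target = current['check']
        for key, _op, value in ATTR.findall(rest):
            target[key] = value.strip('"')
    return entries


def password_of(entry):
    check = entry['check']
    return check.get('Cleartext-Password') or check.get('User-Password') or ''


def is_mac_auth(entry):
    """MAC RADIUS entry: the name is a bare MAC and the password repeats it."""
    name = entry['name']
    return bool(MAC.match(name)) and password_of(entry).lower() == name.lower()


def audit(entries):
    """Return (name, finding, detail) tuples for review."""
    findings, mac_vlans = [], set()
    for e in entries:
        vlan = e['reply'].get('Tunnel-Private-Group-Id')
        if is_mac_auth(e):
            findings.append((e['name'], 'mac-radius', vlan))
            mac_vlans.add(vlan)
        elif password_of(e).lower() in PLACEHOLDER_PASSWORDS:
            findings.append((e['name'], 'placeholder-password', vlan))
        timeout = int(e['reply'].get('Session-Timeout', 0))
        if timeout > MAX_SESSION_TIMEOUT:
            findings.append((e['name'], 'long-session-timeout', timeout))
    # 802.1X users placed in a VLAN that a MAC RADIUS entry also assigns
    for e in entries:
        vlan = e['reply'].get('Tunnel-Private-Group-Id')
        if not is_mac_auth(e) and vlan in mac_vlans:
            findings.append((e['name'], 'vlan-shared-with-mac-radius', vlan))
    return findings


if __name__ == '__main__':
    for name, finding, detail in audit(parse_users(SAMPLE_USERS)):
        print(f'{name:14} {finding:28} {detail}')
```

The `vlan-shared-with-mac-radius` finding marks VLANs where a device identified only by its MAC address sits alongside 802.1X-authenticated users, which is worth reviewing when the VLAN carries sensitive traffic.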
Verification
This section shows the tasks that can be used to verify configuration and operation of the topology configured in this network configuration example.
It includes the following sections:
Verifying that the Satellite Devices are Online
Purpose
Verify that the satellite devices are online.
Action
Enter the show chassis satellite command from the aggregation devices to verify that the satellite devices in that Junos Fusion Enterprise are online.
Building1-AD1 Example:
user@building1-ad1> show chassis satellite
                        Device          Cascade      Port       Extended Ports
Alias            Slot   State           Ports        State      Total/Up
SD100            100    Online          et-108/1/1   present    49/4
                                        ge-5/0/2*    backup
SD108            108    Online          et-100/1/0   present    25/2
                                        ge-5/0/6     online
                                        ge-5/0/2*    backup
Verifying the Satellite Device Hardware Models
Purpose
Verify the hardware models of the satellite devices in the Junos Fusion Enterprise.
Action
Enter the show chassis satellite terse command from an aggregation device.
Building1-AD1 Example:
user@building1-ad1> show chassis satellite terse
        Device                      Extended Ports
Slot    State         Model         Total/Up        Version
100     Online        EX4300-48P    49/4            3.3R2.4
108     Online        EX4300-24P    25/2            3.3R2.4
Verifying Cascade and Uplink Port States
Purpose
Verify the state of the cascade and uplink ports in the Junos Fusion Enterprise.
Action
Enter the show chassis satellite interface command from an aggregation device.
Building1-AD1 Example:
user@building1-ad1> show chassis satellite interface
Interface     State    Type        DF-Role    DF-Address
ge-5/0/2      Up       ICL         NA         NA
ge-5/0/6      Up       Cascade     NA         NA
lo0           Up       Loopback    NA         NA
sd-100/0/0    Up       Satellite   NON-DF     0.0.0.0/32
sd-108/0/0    Up       Satellite   NON-DF     0.0.0.0/32
Verifying Extended Port Operation
Purpose
Verify that the extended ports are recognized and are operating properly.
Action
Enter the show chassis satellite extended-port command from an aggregation device.
Building1-AD1 Example:
user@building1-ad1> show chassis satellite extended-port
Legend for interface types:
* -- Uplink interface
+ -- Clustering interface

                              Rx              Tx              Admin/Op   IFD
Name           State          Request State   Request State   State      Idx    PCID
et-100/1/0+    AddComplete    None            Ready           Up/Up      255    123
et-108/1/1+    AddComplete    None            Ready           Up/Up      206    572
ge-100/0/0     AddComplete    None            Ready           Up/Up      207    83
ge-100/0/1     AddComplete    None            Ready           Up/Up      208    82
ge-100/0/10    AddComplete    None            Ready           Up/Dn      217    81
....(output removed for brevity)
ge-108/0/7     AddComplete    None            Ready           Up/Dn      189    528
ge-108/0/8     AddComplete    None            Ready           Up/Dn      190    519
ge-108/0/9     AddComplete    None            Ready           Up/Dn      191    518
Verifying the Satellite Software Version
Purpose
Verify the satellite software version running on the satellite devices in the Junos Fusion Enterprise.
Action
Enter the show chassis satellite software command from an aggregation device.
Building1-AD1 Example:
user@building1-ad1> show chassis satellite software
Version      Platforms                 Group
3.3R2.4      i386 ppc arm arm563xx     SD-Cluster-Building1
Verifying the OSPF State
Purpose
Verify the OSPF state for the interfaces on the aggregation device that are participating in OSPF.
Action
Enter the show ospf neighbor command from an aggregation device.
Building1-AD1 Example:
user@building1-ad1> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.1.0.2         ge-5/0/5.0             Full      192.168.93.5     128    32
Verifying the MPLS Protocol Status
Purpose
Verify MPLS operations.
Action
Enter the show ldp session command on an aggregation device to verify MPLS-related information.
Building1-AD1 Example:
user@building1-ad1> show ldp session
  Address           State        Connection     Hold time  Adv. Mode
192.168.93.5        Operational  Open             27         DU
Verifying the BGP Neighbor State
Purpose
Verify that BGP is established and operational with all neighbor devices and in all routing tables.
Action
Enter the show bgp summary command from an aggregation device.
Building1-AD1 Example:
user@building1-ad1> show bgp summary
Groups: 1 Peers: 3 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
bgp.evpn.0
                    1056       1056          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped
192.168.93.2          64502         29         10       0       1          13 Establ
  bgp.evpn.0: 1019/1019/1019/0
  VRF-1.evpn.0: 1/1/1/0
  evpn1.evpn.0: 1015/1015/1015/0
  __default_evpn__.evpn.0: 2/2/2/0
  VRF-2.evpn.0: 1/1/1/0
192.168.93.3          64502         11         10       0       1          19 Establ
  bgp.evpn.0: 17/17/17/0
  VRF-1.evpn.0: 2/2/2/0
  evpn1.evpn.0: 11/11/11/0
  __default_evpn__.evpn.0: 2/2/2/0
  VRF-2.evpn.0: 2/2/2/0
192.168.93.4          64502         16         10       0       1          15 Establ
  bgp.evpn.0: 20/20/20/0
  VRF-1.evpn.0: 2/2/2/0
  evpn1.evpn.0: 14/14/14/0
  __default_evpn__.evpn.0: 2/2/2/0
  VRF-2.evpn.0: 2/2/2/0
Verifying EVPN Type 5 Routes
Purpose
Verify EVPN Type 5 routes.
Action
Enter the show evpn l3-context VRF-1 extensive command to verify that EVPN type 5 routes are being exported.
Building1-AD1 Example:
user@building1-ad1> show evpn l3-context VRF-1 extensive
L3 context: VRF-1
  Type: Configured
  Advertisement mode: Direct nexthop
  Encapsulation: MPLS, Label: 16
  IP->EVPN export policy: EXPORT-TYPE-5
  Flags: 0xd (Configured Sys-MAC IRB-MAC)
  Change flags: 0x0
  Composite nexthop support: Enabled
  Route Distinguisher: 192.168.93.1:2
  Reference count: 7
Enter the show route table VRF-1.inet.0 protocol direct command to verify which direct routes are in the routing table for the VRF.
Enter the show evpn ip-prefix-database l3-context VRF-1 direction exported extensive command to confirm which routes are being sent as EVPN Type 5 (IP Prefix) routes.
Building1-AD1 Example:
user@building1-ad1> show route table VRF-1.inet.0 protocol direct

VRF-1.inet.0: 47 destinations, 91 routes (47 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.0.8/30        *[Direct/0] 03:14:33
                    > via ge-5/0/8.0
10.20.2.0/24       *[Direct/0] 02:00:35
                    > via irb.2
10.20.3.0/24       *[Direct/0] 02:00:35
                    > via irb.3

user@building1-ad1> show evpn ip-prefix-database l3-context VRF-1 direction exported extensive
L3 context: VRF-1

IPv4->EVPN Exported Prefixes

Prefix: 10.20.2.0/24
  EVPN route status: Created
  Change flags: 0x0
  Advertisement mode: Direct nexthop
  Encapsulation: MPLS
  Label: 16
Prefix: 10.20.3.0/24
  EVPN route status: Created
  Change flags: 0x0
  Advertisement mode: Direct nexthop
  Encapsulation: MPLS
  Label: 16

[edit]
user@building1-ad1>
Enter the show route table VRF-1.evpn.0 protocol evpn command to view the EVPN Type 5 routes created for exported IP prefixes.
Building1-AD1 Example:
user@building1-ad1> show route table VRF-1.evpn.0 protocol evpn

VRF-1.evpn.0: 30 destinations, 30 routes (30 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5:192.168.93.1:2::0::10.20.2.0::24/248
                   *[EVPN/170] 02:03:35
                      Indirect
5:192.168.93.1:2::0::10.20.3.0::24/248
                   *[EVPN/170] 00:01:09
                      Indirect
Enter the show route table VRF-1.evpn.0 advertising-protocol bgp 192.168.93.4 extensive command to gather information on EVPN Type 5 route attributes.
Building1-AD1 Example:
user@building1-ad1> show route table VRF-1.evpn.0 advertising-protocol bgp 192.168.93.4 extensive

VRF-1.evpn.0: 30 destinations, 30 routes (30 active, 0 holddown, 0 hidden)
* 5:192.168.93.1:2::0::10.20.2.0::24/248 (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:2
     Route Label: 16   ## VRF route label
     Overlay gateway address: 0.0.0.0   ## set in direct nexthop mode
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:7   ## Type 5 route carries the VRF Route Target

* 5:192.168.93.1:2::0::10.20.3.0::24/248 (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:2
     Route Label: 16
     Overlay gateway address: 0.0.0.0
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:7
Enter the show route table VRF-1.evpn.0 protocol bgp command to gather information about EVPN type 5 routes distributed through the EVPN control plane from campus building 1 to campus building 2.
Building2-AD1 Example:
user@building2-ad1> show route table VRF-1.evpn.0 protocol bgp

VRF-1.evpn.0: 48 destinations, 48 routes (48 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5:192.168.93.1:2::0::10.20.2.0::24/248
                   *[BGP/170] 00:39:29, localpref 100, from 192.168.93.1
                      AS path: I, validation-state: unverified
                    > to 10.2.0.2 via ge-0/0/4.0, Push 300896
5:192.168.93.1:2::0::10.20.3.0::24/248
                   *[BGP/170] 00:09:50, localpref 100, from 192.168.93.1
                      AS path: I, validation-state: unverified
                    > to 10.2.0.2 via ge-0/0/4.0, Push 300896
5:192.168.93.2:2::0::10.20.2.0::24/248
                   *[BGP/170] 00:43:58, localpref 100, from 192.168.93.2
                      AS path: I, validation-state: unverified
                    > to 10.2.0.2 via ge-0/0/4.0, Push 300944
Enter the show evpn ip-prefix-database l3-context VRF-1 direction imported extensive command for information on EVPN type 5 routes that are selected for import as IP prefixes:
Building2-AD1 Example:
user@building2-ad1> show evpn ip-prefix-database l3-context VRF-1 direction imported extensive
L3 context: VRF-1

EVPN->IPv4 Imported Prefixes

Prefix: 10.20.2.0/24, Ethernet tag: 0
  Change flags: 0x0
  Remote advertisements:
    Route Distinguisher: 192.168.93.1:2
      Label: 16
      BGP nexthop address: 192.168.93.1
      IP route status: Created
    Route Distinguisher: 192.168.93.2:2
      Label: 16
      BGP nexthop address: 192.168.93.2
      IP route status: Created
Prefix: 10.20.3.0/24, Ethernet tag: 0
  Change flags: 0x0
  Remote advertisements:
    Route Distinguisher: 192.168.93.1:2
      Label: 16
      BGP nexthop address: 192.168.93.1
      IP route status: Created
Enter the show route table VRF-1.inet.0 protocol evpn command to view a list of IP routes created for imported EVPN type 5 routes:
Building2-AD1 Example:
user@building2-ad1> show route table VRF-1.inet.0 protocol evpn

VRF-1.inet.0: 55 destinations, 153 routes (55 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.20.2.0/24       *[EVPN/170] 00:42:42
                    > to 10.2.0.2 via ge-0/0/4.0, Push 16, Push 300896(top)
                    [EVPN/170] 00:42:35
                    > to 10.2.0.2 via ge-0/0/4.0, Push 16, Push 300944(top)
10.20.3.0/24       *[EVPN/170] 00:13:03
                    > to 10.2.0.2 via ge-0/0/4.0, Push 16, Push 300896(top)
Verifying Operation of the EVPN Route Types and MAC Tables
Purpose
Verify operation of the EVPN Route types and MAC tables in the routing instance.
Action
Enter the show route advertising-protocol bgp extensive command from an aggregation device to verify operation of the EVPN route types from the device advertising the BGP routes.
Enter the show route receive-protocol bgp extensive command from an aggregation device to verify operation of the EVPN route types from the device advertising the BGP routes.
Enter the show ethernet-switching table command from an aggregation device to verify the MAC addresses in the forwarding table for the routing instance.
Building1-AD1 Example (Advertising BGP):
user@building1-ad1> show route advertising-protocol bgp 192.168.93.3 extensive

VRF-1.evpn.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
* 5:192.168.93.1:2::0::10.20.2.0::24/248 (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:2
     Route Label: 16
     Overlay gateway address: 0.0.0.0
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:7

* 5:192.168.93.1:2::0::10.20.3.0::24/248 (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:2
     Route Label: 16
     Overlay gateway address: 0.0.0.0
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:7

VRF-2.evpn.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
* 5:192.168.93.1:3::0::10.20.2.0::24/248 (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:3
     Route Label: 17
     Overlay gateway address: 0.0.0.0
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:10

* 5:192.168.93.1:3::0::10.20.3.0::24/248 (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:3
     Route Label: 17
     Overlay gateway address: 0.0.0.0
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:10

evpn1.evpn.0: 47 destinations, 47 routes (47 active, 0 holddown, 0 hidden)
* 1:192.168.93.1:1::010203040001020426::0/192 AD/EVI (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:1
     Route Label: 299936
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:1

* 1:192.168.93.1:1::010203040001020428::0/192 AD/EVI (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:1
     Route Label: 299936
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:1

* 2:192.168.93.1:1::4::00:31:46:04:70:70/304 MAC/IP (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:1
     Route Label: 299936
     ESI: 00:00:00:00:00:00:00:00:00:00
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:1 evpn-default-gateway

* 2:192.168.93.1:1::5::00:31:46:04:70:70/304 MAC/IP (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:1
     Route Label: 299936
     ESI: 00:00:00:00:00:00:00:00:00:00
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:1 evpn-default-gateway

* 2:192.168.93.1:1::4::00:31:46:04:70:70::10.20.4.3/304 MAC/IP (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:1
     Route Label: 299936   ## for known Unicast frame
     ESI: 00:00:00:00:00:00:00:00:00:00
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:1 evpn-default-gateway

* 2:192.168.93.1:1::5::00:31:46:04:70:70::10.20.5.3/304 MAC/IP (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:1
     Route Label: 299936
     ESI: 00:00:00:00:00:00:00:00:00:00
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:1 evpn-default-gateway

* 3:192.168.93.1:1::4::192.168.93.1/248 IM (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:1
     Route Label: 299952
     PMSI: Flags 0x0: Label 299952: Type INGRESS-REPLICATION 192.168.93.1
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:1
     PMSI: Flags 0x0: Label 299952: Type INGRESS-REPLICATION 192.168.93.1

* 3:192.168.93.1:1::5::192.168.93.1/248 IM (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:1
     Route Label: 299952   ## for BUM frame
     PMSI: Flags 0x0: Label 299952: Type INGRESS-REPLICATION 192.168.93.1
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:1
     PMSI: Flags 0x0: Label 299952: Type INGRESS-REPLICATION 192.168.93.1

__default_evpn__.evpn.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
* 1:192.168.93.1:0::010203040001020426::FFFF:FFFF/192 AD/ESI (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:0
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:1 esi-label:0x0:all-active (label 300144)

* 1:192.168.93.1:0::010203040001020428::FFFF:FFFF/192 AD/ESI (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:0
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: target:64502:1 esi-label:0x0:all-active (label 300112)

* 4:192.168.93.1:0::010203040001020426:192.168.93.1/296 ES (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:0
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: es-import-target:1-2-3-4-0-1

* 4:192.168.93.1:0::010203040001020428:192.168.93.1/296 ES (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:0
     Nexthop: Self
     Localpref: 100
     AS path: [64502] I
     Communities: es-import-target:1-2-3-4-0-1

user@building1-ad1> show ethernet-switching table

MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)

Ethernet switching table: 14 entries, 14 learned
Routing instance : evpn1
   Vlan      MAC                  MAC      Age    Logical          NH         RTR
   name      address              flags           interface        Index      ID
   v2        00:10:94:00:0c:0f    DR       -      ge-100/0/1.0     0          0
   v4        00:10:94:00:00:5a    DR       -      ge-100/0/0.0     0          0
   v4        00:10:94:00:00:5f    DC       -                       1048598    1048598
   v4        00:10:94:00:00:6a    DC       -                       1048598    1048598
   v4        00:10:94:00:23:83    DR       -      ge-100/0/0.0     0          0
   v4        44:f4:77:92:6a:30    DC       -                       1048579    1048579
   v4        54:4b:8c:f1:4b:f0    DC       -                       1048582    1048582
   v4        54:4b:8c:f2:d7:f0    DC       -                       1048588    1048588
   v5        00:10:94:00:00:5f    DC       -                       1048598    1048598
   v5        00:10:94:00:00:84    DR       -      ge-100/0/0.0     0          0
   v5        00:10:94:00:11:5c    DR       -      ge-100/0/0.0     0          0
   v5        44:f4:77:92:6a:30    DC       -                       1048579    1048579
   v5        54:4b:8c:f1:4b:f0    DC       -                       1048582    1048582
   v5        54:4b:8c:f2:d7:f0    DC       -                       1048588    1048588
Building2-AD1 Example (Receiving BGP):
user@building2-ad1> show route receive-protocol bgp 192.168.93.1 extensive

* 1:192.168.93.1:0::010203040001020426::FFFF:FFFF/192 AD/ESI (1 entry, 0 announced)
     Import Accepted
     Route Distinguisher: 192.168.93.1:0
     Nexthop: 192.168.93.1
     Localpref: 100
     AS path: I
     Communities: target:64502:1 esi-label:0x0:all-active (label 300144)

* 1:192.168.93.1:0::010203040001020428::FFFF:FFFF/192 AD/ESI (1 entry, 0 announced)
     Import Accepted
     Route Distinguisher: 192.168.93.1:0
     Nexthop: 192.168.93.1
     Localpref: 100
     AS path: I
     Communities: target:64502:1 esi-label:0x0:all-active (label 300112)

* 1:192.168.93.1:1::010203040001020426::0/192 AD/EVI (1 entry, 0 announced)
     Import Accepted
     Route Distinguisher: 192.168.93.1:1
     Route Label: 299936
     Nexthop: 192.168.93.1
     Localpref: 100
     AS path: I
     Communities: target:64502:1

* 1:192.168.93.1:1::010203040001020428::0/192 AD/EVI (1 entry, 0 announced)
     Import Accepted
     Route Distinguisher: 192.168.93.1:1
     Route Label: 299936
     Nexthop: 192.168.93.1
     Localpref: 100
     AS path: I
     Communities: target:64502:1

* 2:192.168.93.1:1::4::00:31:46:04:70:70/304 MAC/IP (1 entry, 0 announced)
     Import Accepted
     Route Distinguisher: 192.168.93.1:1
     Route Label: 299936   ## Remote side for Known Unicast Frame.
     ESI: 00:00:00:00:00:00:00:00:00:00
     Nexthop: 192.168.93.1
     Localpref: 100
     AS path: I
     Communities: target:64502:1 evpn-default-gateway

* 2:192.168.93.1:1::5::00:31:46:04:70:70/304 MAC/IP (1 entry, 0 announced)
     Import Accepted
     Route Distinguisher: 192.168.93.1:1
     Route Label: 299936
     ESI: 00:00:00:00:00:00:00:00:00:00
     Nexthop: 192.168.93.1
     Localpref: 100
     AS path: I
     Communities: target:64502:1 evpn-default-gateway

(some output removed for brevity)

* 3:192.168.93.1:1::4::192.168.93.1/248 IM (1 entry, 1 announced)
     Import Accepted
     Route Distinguisher: 192.168.93.1:1
     Nexthop: 192.168.93.1
     Localpref: 100
     AS path: I
     Communities: target:64502:1
     PMSI: Flags 0x0: Label 299952: Type INGRESS-REPLICATION 192.168.93.1   ## Remote Side for BUM traffic

* 3:192.168.93.1:1::5::192.168.93.1/248 IM (1 entry, 1 announced)
     Import Accepted
     Route Distinguisher: 192.168.93.1:1
     Nexthop: 192.168.93.1
     Localpref: 100
     AS path: I
     Communities: target:64502:1
     PMSI: Flags 0x0: Label 299952: Type INGRESS-REPLICATION 192.168.93.1

__default_evpn__.evpn.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
(snip)

user@building2-ad1> show ethernet-switching table

MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)

Ethernet switching table : 13 entries, 13 learned
Routing instance : evpn1
   Vlan      MAC                  MAC      Age    Logical          NH         RTR
   name      address              flags           interface        Index      ID
   v4        00:10:94:00:00:5a    DC       -                       1048607    1048607
   v4        00:10:94:00:00:5f    DR       -      ge-109/0/3.0     0          0
   v4        00:10:94:00:00:6a    DR       -      ge-109/0/3.0     0          0
   v4        00:10:94:00:23:83    DC       -                       1048607    1048607
   v4        00:31:46:04:70:70    DC       -                       1048591    1048591
   v4        44:f4:77:92:6a:30    DC       -                       1048578    1048578
   v4        54:4b:8c:f2:d7:f0    DC       -                       1048595    1048595
   v5        00:10:94:00:00:5f    DR       -      ge-109/0/3.0     0          0
   v5        00:10:94:00:00:84    DC       -                       1048607    1048607
   v5        00:10:94:00:11:5c    DC       -                       1048607    1048607
   v5        00:31:46:04:70:70    DC       -                       1048591    1048591
   v5        44:f4:77:92:6a:30    DC       -                       1048578    1048578
   v5        54:4b:8c:f2:d7:f0    DC       -                       1048595    1048595
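In the advertised routes above, each routing instance exports its own route target (target:64502:7 for VRF-1, target:64502:10 for VRF-2, target:64502:1 for evpn1). The following Python script is an added example, not part of the original document: it parses saved `show route advertising-protocol bgp ... extensive` output and reports any route that carries a route target not expected for its table, which would indicate routes leaking between VRFs. The sample text is constructed, and its last route is a deliberately wrong case; tables missing from the expected map are skipped.

```python
import re

# Route targets each table is expected to export, taken from the output above.
EXPECTED_TARGETS = {
    'VRF-1.evpn.0': {'target:64502:7'},
    'VRF-2.evpn.0': {'target:64502:10'},
    'evpn1.evpn.0': {'target:64502:1'},
}

# Constructed sample in the layout of the output above. The last route is a
# deliberately wrong case: a VRF-2 prefix also tagged with the VRF-1 target.
SAMPLE = '''\
VRF-1.evpn.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
* 5:192.168.93.1:2::0::10.20.2.0::24/248 (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:2
     Route Label: 16
     Communities: target:64502:7

VRF-2.evpn.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
* 5:192.168.93.1:3::0::10.20.2.0::24/248 (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:3
     Route Label: 17
     Communities: target:64502:10
* 5:192.168.93.1:3::0::10.20.3.0::24/248 (1 entry, 1 announced)
 BGP group evpn_mes type Internal
     Route Distinguisher: 192.168.93.1:3
     Route Label: 17
     Communities: target:64502:10 target:64502:7
'''

TABLE = re.compile(r'^(\S+): \d+ destinations')
ROUTE = re.compile(r'^\*\s+((\d):\S+)')
FIELD = re.compile(r'^\s+(Route Distinguisher|Route Label|Communities):\s+(.*)$')


def parse_routes(text):
    """Return one dict per advertised route, tagged with its routing table."""
    routes, table, cur = [], None, None
    for line in text.splitlines():
        m = TABLE.match(line)
        if m:
            table, cur = m.group(1), None
            continue
        m = ROUTE.match(line)
        if m:
            cur = {'table': table, 'key': m.group(1), 'type': int(m.group(2)),
                   'rd': None, 'label': None, 'targets': set()}
            routes.append(cur)
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            name, value = m.groups()
            if name == 'Route Distinguisher':
                cur['rd'] = value.strip()
            elif name == 'Route Label':
                cur['label'] = int(value.split()[0])  # ignore trailing notes
            else:
                cur['targets'] |= {c for c in value.split()
                                   if c.startswith('target:')}
    return routes


def type5_prefix(key):
    """Return 'a.b.c.d/len' from a Type 5 route key (IPv4 only), else None."""
    parts = key.split('/')[0].split('::')
    if not key.startswith('5:') or len(parts) != 4:
        return None
    return f'{parts[2]}/{parts[3]}'


def unexpected_targets(routes, expected=EXPECTED_TARGETS):
    """Return (table, key, extra targets) for routes in audited tables."""
    out = []
    for r in routes:
        if r['table'] not in expected:
            continue  # table not audited
        extra = r['targets'] - expected[r['table']]
        if extra:
            out.append((r['table'], r['key'], sorted(extra)))
    return out


if __name__ == '__main__':
    for table, key, extra in unexpected_targets(parse_routes(SAMPLE)):
        print(f'{table}: {type5_prefix(key) or key} exports {", ".join(extra)}')
```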
Verifying DHCP Operations
Purpose
Verify DHCP operations, state, and various other related information.
Action
Enter the following commands to gather pertinent information about DHCP in this topology.
Building1-AD1 Example:
user@building1-ad1> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.1.0.9         ge-0/0/10.0            Full      10.1.0.9         128    34
10.1.0.13        ge-0/0/10.1            Full      10.1.0.13        128    33
10.1.0.17        ge-0/0/11.0            Full      10.1.0.17        128    34
10.1.0.21        ge-0/0/11.1            Full      10.1.0.21        128    36

{master:0}[edit]
user@building1-ad1>

user@building1-ad1> show dhcp server binding
IP address        Session Id  Hardware address   Expires     State      Interface
10.20.5.10        52          00:10:94:00:00:84  76134       BOUND      ge-0/0/11.1
10.20.2.11        89          00:10:94:00:0c:0f  78053       BOUND      ge-0/0/11.0
10.20.4.8         49          00:10:94:00:23:83  76194       BOUND      ge-0/0/11.1
10.20.3.9         49          00:10:94:00:01:23  76156       BOUND      ge-0/0/11.0

{master:0}[edit]
user@building1-ad1>
Verifying 802.1X and MAC Authentication
Purpose
Verify 802.1X roles, states, and other information about authentication.
Action
Building1-AD1 Example:
user@building1-ad1> show dot1x interface ge-100/0/1
802.1X Information:
Interface      Role            State      MAC address          User
ge-100/0/1.0   Authenticator   Synced     00:10:94:00:11:34    user3
ge-100/0/1.0                   Synced     00:10:94:00:AA:78    user2

[edit]
user@building1-ad1>

user@building1-ad1> show dot1x interface ge-100/0/0
802.1X Information:
Interface      Role            State      MAC address          User
ge-100/0/0.0   Authenticator   Synced     00:16:05:82:11:22    001605821122
ge-100/0/0.0                   Synced     00:16:05:82:11:23    001605821123

[edit]
user@building1-ad1>
Verifying Voice over IP
Purpose
Verify the Voice over IP configuration, including power consumption, data and voice VLAN associations, 802.1X configuration details, LLDP configuration details, and DHCP Relay bindings.
Action
Enter the following commands from the aggregation device to collect key Voice over IP configuration details.
Building1-AD1 Example:
user@building1-ad1> show poe interface
Interface      Admin      Oper      Max      Priority    Power          Class
               status     status    power                consumption
ge-108/0/11    Enabled    ON        7.0W     Low         2.0W           2

[edit]
user@building1-ad1>

user@building1-ad1> show vlans
Routing instance        VLAN name             Tag          Interfaces
default-switch          default               1
default-switch          vlan_data             7
default-switch          vlan_voice            8
evpn1                   data-vlan             4
                                                           ge-108/0/11.0*
                                                           ge-5/0/2.0*
evpn1                   default               1
                                                           ge-100/0/1.0*
                                                           ge-108/0/11.0*
                                                           ge-5/0/2.0*
evpn1                   v2                    2
                                                           ge-5/0/2.0*
evpn1                   v3                    3
                                                           ge-5/0/2.0*
evpn1                   voice-vlan            5
                                                           ge-108/0/11.0*
                                                           ge-5/0/2.0*

[edit]
user@building1-ad1> show ethernet-switching interface ge-108/0/11
Routing Instance Name : evpn1
Logical Interface flags (DL - disable learning, AD - packet action drop,
                         LH - MAC limit hit, DN - interface down,
                         MMAS - Mac-move action shutdown, AS - Autostate-exclude enabled,
                         SCTL - shutdown by Storm-control, MI - MAC+IP limit hit)

Logical          Vlan          TAG     MAC       MAC+IP    STP           Logical            Tagging
interface        members               limit     limit     state         interface flags
ge-108/0/11.0                          524287    8192                                       tagged,untagged
                 default       1       65535     1024      Forwarding                       untagged
                 voice-vlan    5       65535     1024      Forwarding                       tagged
                 data-vlan     4       65535     1024      Forwarding                       untagged

[edit]
user@building1-ad1>

[edit]
user@building1-ad1> show dot1x interface ge-108/0/11 detail
ge-108/0/11.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Enabled
  Mac Radius Restrict: Disabled
  Mac Radius Authentication Protocol: Append
  Reauthentication: Enabled
  Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: not configured
  Number of connected supplicants: 2
    Supplicant: 0004f28ac5e9, 00:04:F2:8A:C5:E9
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentication method: Mac Radius
      Authenticated VLAN: voice-vlan
      Session Reauth interval: 360000 seconds
      Reauthentication due in 359822 seconds
      Eapol-Block: Not In Effect
    Supplicant: user7, 00:50:56:80:F4:4F
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentication method: Radius
      Authenticated VLAN: data-vlan
      Session Reauth interval: 360000 seconds
      Reauthentication due in 359715 seconds
      Eapol-Block: Not In Effect

[edit]
user@building1-ad1> show lldp neighbors
Local Interface    Parent Interface    Chassis Id    Port info    System Name
ge-108/0/11        -                   10.20.5.95    1            Polycom VVX 310

[edit]
user@building1-ad1> show dhcp relay binding routing-instance VRF-2
IP address        Session Id  Hardware address   Expires     State      Interface
10.20.4.89        11          00:16:05:82:11:22  77034       BOUND      irb.4

[edit]