
JNCIS-ENT study notes, part 4

Note: this post is part of the Switching guide.

Chapter 5 Device Security and Firewall Filters

Storm Control

Storm control monitors broadcast, multicast and unknown unicast traffic.
By default the cumulative limit on all interfaces is 80%.

set ethernet-switching-options storm-control interface all

A different limit can be set, and storm control can be disabled, per interface.

Storm Control Actions

set ethernet-switching-options storm-control interface all
set ethernet-switching-options storm-control action-shutdown

By default, when the limit is exceeded the excess traffic is dropped. The interface can instead be configured to be shut down.
The shutdown action can be combined with port-error-disable, which allows the port to be recovered automatically.

! Run manually to bring the port back into service
clear ethernet-switching port-error
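As an added example (not from the original notes), a fuller storm-control stanza in Junos 10.x EX syntax: the 80% default stays on every port, one server-facing port gets a lower threshold, offending ports are shut down, and port-error-disable recovers them after a timeout. The interface name, the 50% level and the 300-second timeout are assumptions; the `#` lines are annotations.

```junos
# Added example, not from the original notes. Junos 10.x EX (non-ELS) syntax.
# Keep the default cumulative 80% limit on every port.
set ethernet-switching-options storm-control interface all

# Per-port override (assumed values): 50% of link bandwidth on ge-0/0/6.0,
# and leave multicast alone so IPTV/IGMP-heavy hosts are not cut off.
set ethernet-switching-options storm-control interface ge-0/0/6.0 level 50
set ethernet-switching-options storm-control interface ge-0/0/6.0 no-multicast

# Error-disable the port instead of silently dropping the excess,
# so a looped or misbehaving host is contained and visible to the operator.
set ethernet-switching-options storm-control action-shutdown

# Bring error-disabled ports back automatically after 300 s (assumed value).
# Without this stanza the port stays down until the manual clear below.
set ethernet-switching-options port-error-disable disable-timeout 300

# Operational checks: port state, then manual recovery if no timeout is set.
show ethernet-switching interfaces
clear ethernet-switching port-error
```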

Firewall Filters

Firewall filters on the EX series are evaluated in hardware, in the PFE.

Firewall Filter Types

Types:
Port-based
VLAN-based
Router-based

Port-based and VLAN-based filters are used under family ethernet-switching.
Router-based filters use family inet or family inet6.

Building Blocks of Firewall Filters

Implicit discard at the end of the firewall filter (default action).

Terms are evaluated sequentially; to reorder them use insert in the CLI.

Most header fields can be matched; match conditions also include:
Numeric range
Address
Bit field

[email protected]# set firewall family ethernet-switching filter test term test from ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don’t inherit configuration data from these groups
> destination-address  Match IP destination address
> destination-mac-address  Match MAC destination address
+ destination-port     Match TCP/UDP destination port
> destination-prefix-list  Match IP destination prefixes in named list
+ dot1q-tag            Match Dot1Q Tag Value
+ dot1q-user-priority  Match Dot1Q user priority
+ dscp                 Match Differentiated Services (DiffServ) code point
+ ether-type           Match Ethernet Type
fragment-flags       Match fragment flags (in symbolic or hex formats) – (Ingress only)
+ icmp-code            Match ICMP message code
+ icmp-type            Match ICMP message type
> interface            Match interface name
is-fragment          Match if packet is a fragment
+ precedence           Match IP precedence value
+ protocol             Match IP protocol type
> source-address       Match IP source address
> source-mac-address   Match MAC source address
+ source-port          Match TCP/UDP source port
> source-prefix-list   Match IP source prefixes in named list
tcp-established      Match packet of an established TCP connection
tcp-flags            Match TCP flags (in symbolic or hex formats) – (Ingress only)
tcp-initial          Match initial packet of a TCP connection – (Ingress only)
+ vlan                 Match Vlan Id or Name

Common Actions

Terminating actions:
accept
discard
reject

Action modifiers:
analyzer
count
log
syslog
forwarding-class
loss-priority
policer

set firewall family ethernet-switching filter limit-MAC-ge006 term 1 from source-mac-address 00:26:88:02:74:86
set firewall family ethernet-switching filter limit-MAC-ge006 term 1 then accept
set firewall family ethernet-switching filter limit-MAC-ge006 term 2 then discard count ge006-invalid-MAC
set interfaces ge-0/0/6.0 family ethernet-switching vlan members v11
set interfaces ge-0/0/6.0 family ethernet-switching filter input limit-MAC-ge006

set firewall family ethernet-switching filter block-dest-MAC term 1 from destination-mac-address 01:80:c2:00:00:00
set firewall family ethernet-switching filter block-dest-MAC term 1 then discard count block-stp-bpdus
set firewall family ethernet-switching filter block-dest-MAC term 2 then accept
set vlans v11 vlan-id 11
set vlans v11 l3-interface vlan.11
set vlans v11 filter input block-dest-MAC
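As an added example (not from the original notes), one VLAN-based filter that uses the building blocks above: a prefix-list and numeric-range match, a policer plus count as action modifiers on an accept term, an explicit final discard that is counted and logged instead of relying on the silent implicit discard, and `insert` to reorder terms. The filter, policer, prefix-list and counter names and the addresses are assumptions; `#` lines are annotations.

```junos
# Added example, not from the original notes. All names/values are assumed.
# Policer is an action modifier: it is referenced from a term, not terminating.
set firewall policer mgmt-1m if-exceeding bandwidth-limit 1m
set firewall policer mgmt-1m if-exceeding burst-size-limit 100k
set firewall policer mgmt-1m then discard

# Term 1: SSH only from the management prefix list, rate-limited and counted.
set policy-options prefix-list mgmt-hosts 10.210.14.128/27
set firewall family ethernet-switching filter protect-v11 term allow-ssh from source-prefix-list mgmt-hosts
set firewall family ethernet-switching filter protect-v11 term allow-ssh from protocol tcp
set firewall family ethernet-switching filter protect-v11 term allow-ssh from destination-port 22
set firewall family ethernet-switching filter protect-v11 term allow-ssh then policer mgmt-1m
set firewall family ethernet-switching filter protect-v11 term allow-ssh then count v11-ssh
set firewall family ethernet-switching filter protect-v11 term allow-ssh then accept

# Term 2: numeric-range match (list of ports and a port range) on web traffic.
set firewall family ethernet-switching filter protect-v11 term allow-web from protocol tcp
set firewall family ethernet-switching filter protect-v11 term allow-web from destination-port [ 80 443 8080-8090 ]
set firewall family ethernet-switching filter protect-v11 term allow-web then accept

# Term 3: the implicit discard is silent; make it explicit to count and log.
set firewall family ethernet-switching filter protect-v11 term deny-rest then count v11-denied
set firewall family ethernet-switching filter protect-v11 term deny-rest then log
set firewall family ethernet-switching filter protect-v11 term deny-rest then discard

# Terms are evaluated top-down; move allow-web ahead of allow-ssh without
# deleting and re-adding anything.
insert firewall family ethernet-switching filter protect-v11 term allow-web before term allow-ssh

# Apply as a VLAN-based filter.
set vlans v11 filter input protect-v11

# Verify: counters/policer hits, and the entries produced by the log modifier.
show firewall filter protect-v11
show firewall log
```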

Chapter 6 Virtual Chassis

Up to 4 EX2200
Up to 10 EX3300, EX4200, EX4500
Up to 10 EX4500 and EX4200 combined
Up to 8 EX8200

Redundant REs make it possible to run nonstop active routing (NSR) and nonstop bridging (NSB).

Virtual Chassis Ports (VCPs) can be the dedicated ports and/or the uplink ports.
The interconnect between Virtual Chassis members can be made with any EX model.

{master:0}
[email protected]> request virtual-chassis vc-port set pic-slot 1 port 0

{master:0}
[email protected]> show interfaces terse | match vcp-255
vcp-255/1/0             up    down

Virtual Chassis cabling

The maximum distance between switches is 5 metres (daisy-chained ring topology).
There is also the braided ring topology.

Extended Virtual Chassis

The maximum circumference is 100 km (using 1/10 GbE uplinks).

The RE0 and RE1 switches do not carry the uplinks in either topology.

Recommended RE Placement

Daisy-chained ring topology: RE0 (#1) and RE1 (#3), uplinks on ports 2/4
Braided ring topology: RE0 (#2) and RE1 (#3), uplinks on ports 1/4

By default the Split Virtual Chassis (“split brain”) feature is active on the EX4200.

Determining Mastership

1. Highest priority (default 128)
2. Member that was previously master, after a reboot
3. Member with the longest uptime (the difference must be greater than 1 minute)
4. Member with the lowest MAC address
5. The second-placed member becomes backup; the rest become line cards

If the master or the backup fails, one of the line-card switches is elected using the same process.

The member ID is assigned manually or dynamically by the master switch (which usually has ID 0).
The member ID is preserved across reboots.
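As an added example (not from the original notes), how the election rules above are pinned down in configuration so that the two RE members win rule 1 and rule 2 then keeps the current master in place after a reboot. Member numbering and the priority values are assumptions; `#` lines are annotations.

```junos
# Added example, not from the original notes. Member IDs/values are assumed.
# Rule 1: highest mastership priority wins (default 128, maximum 255).
# Give both intended REs the same 255 so that rule 2 (previous master
# keeps the role) applies: a rebooted RE0 rejoins as backup, no preemption.
set virtual-chassis member 0 mastership-priority 255
set virtual-chassis member 1 mastership-priority 255

# Line-card members: leave at 128 or lower them, so they can never out-rank
# an RE even after an uptime or MAC-address tie-break (rules 3 and 4).
set virtual-chassis member 2 mastership-priority 64
set virtual-chassis member 3 mastership-priority 64

# Split detection is on by default on EX4200. It is normally left on; the
# statement below turns it off and is only meant for two-member VCs.
# set virtual-chassis no-split-detection

# Verify the result of the election and each member's role.
show virtual-chassis status
show virtual-chassis vc-port
```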

{master:0}
[email protected]> request virtual-chassis renumber member-id 0 new-member-id 5
To move configuration specific to member ID 0 to member ID 5, please
use the replace command. e.g. replace pattern ge-0/ with ge-5/
Do you want to continue ? [yes,no] (no) yes
{master:0}
[email protected]>
Switch-1 (ttyu0)
login: user
Password:
— JUNOS 10.1R2.8 built 2010-05-11 04:08:08 UTC
{master:5}
[email protected]>

{master:5}
[email protected]> request system halt member ?
Possible completions:
<member>             Halt specific virtual chassis member (0..

{master:5}
[email protected]> request session member 1
— JUNOS 10.1R2.8 built 2010-05-11 04:08:08 UTC
{backup:1}
[email protected]>

Replacing a Member Switch

When a switch is removed its configuration remains.
To perform the replacement:
Recycle the member ID being replaced, which lowers its priority

{master:0}
[email protected]> request virtual-chassis recycle member-id <member-id>

Management Connectivity

The Ethernet management ports (me0) on the member switches are represented by a single virtual management Ethernet (VME) interface.
This interface is configured on the master switch.

set interfaces vme unit 0 family inet address 10.210.14.148/27

The console port of any Virtual Chassis member is redirected to the master switch.

{master:5}
[email protected]> request session member 1
— JUNOS 10.1R2.8 built 2010-05-11 04:08:08 UTC
{backup:1}
[email protected]>

References:

JNCIS-ENT study notes, part 1

JNCIS-ENT study notes, part 2

JNCIS-ENT study notes, part 3