Ethernet Switching Configuration Guide for the J Series and Branch SRX Series


APPLICATION NOTE: Ethernet Switching Configuration Guide for the J Series and Branch SRX Series. Copyright 2014, Juniper Networks, Inc.

Contents

  Overview ... 4
  Junos OS 11.2 feature support ... 6
  J Series ... 6
  SRX Series ... 7
  Layer 2 interfaces ... 7
  VLANs ... 7
  VLAN membership and trunk ports ... 8
  RVI (Routed VLAN Interface) ... 9
  Link aggregation ... 11
  STP (Spanning Tree Protocol, IEEE 802.1D) ... 13
  RSTP (Rapid Spanning Tree Protocol, IEEE 802.1w) ... 14
  MSTP (Multiple Spanning Tree Protocol) ... 15
  IEEE 802.1X ... 16
  IGMP snooping ... 18
  802.1Q tunneling (Q-in-Q) ... 19
  LLDP (Link Layer Discovery Protocol) and LLDP-MED ... 20
  Configuration examples for the J Series and SRX Series ... 22
    Layer 2 interfaces ... 22
    VLANs ... 22
    Inter-VLAN routing ... 23
    Trunk ports ... 24
    Link aggregation ... 26
    RSTP ... 28
    IEEE 802.1X ... 33
    IGMP snooping ... 34
    802.1Q Q-in-Q ... 35

List of figures

  Figure 1: Forwarding path ... 6
  Figure 2: VLANs ... 9
  Figure 3: Intra-VLAN traffic switched locally in the uPIM ... 9
  Figure 4: Inter-VLAN traffic routed through RVIs ... 10
  Figure 5: Link aggregation ... 11
  Figure 6: STP ... 13
  Figure 7: RSTP ... 14
  Figure 8: MSTP ... 15
  Figure 9: IEEE 802.1X ... 17
  Figure 10: IGMP snooping ... 18
  Figure 11: Q-in-Q ... 19
  Figure 12: LLDP and LLDP-MED ... 20
  Figure 13: Layer 2 interfaces ... 22
  Figure 14: VLANs ... 22
  Figure 15: Inter-VLAN routing ... 23
  Figure 16: Trunk ports ... 24
  Figure 17: Link aggregation ... 26
  Figure 18: RSTP ... 28
  Figure 19: IEEE 802.1X ... 33
  Figure 20: IGMP snooping ... 34
  Figure 21: 802.1Q Q-in-Q ... 35

Overview

This guide covers Layer 2 Ethernet switching on the J Series and on the branch SRX Series (the SRX100, SRX200 and SRX650 lines), as distinct from the data-center SRX1400, SRX3000 and SRX5000 lines. Junos OS 9.2 is the release cited for Layer 2 switching on these platforms; the feature list below reflects Junos OS 11.2.

Table 1: Hardware with Ethernet switching ports. Yes/No are recovered from the check and cross symbols of the original; the heading of the first column did not survive and is labelled from context. uPIM stands for universal PIM.

  Platform   Built-in ports   uPIM   MPIM   XPIM
  J2320      No               Yes    No     No
  J2350      No               Yes    No     No
  J4350      No               Yes    No     No
  J6350      No               Yes    No     No
  SRX100     Yes              No     No     No
  SRX110     Yes              No     No     No
  SRX210     Yes              No     No*    No
  SRX220     Yes              No     No*    No
  SRX240     Yes              No     No*    No
  SRX650     No               No     No     Yes**

  * The 1-port SFP Mini-PIM on the SRX210 and SRX240 is the exception.
  ** 10GbE XPIM from Junos OS 10.2.

Layer 2 features shared with the EX Series as of Junos OS 11.2 on the J Series and SRX Series:
  - RVI (Routed VLAN Interface)
  - STP (Spanning Tree Protocol)
  - RSTP (Rapid Spanning Tree Protocol)
  - MSTP (Multiple Spanning Tree Protocol)
  - LACP (Link Aggregation Control Protocol)
  - GVRP (GARP VLAN Registration Protocol)
  - IEEE 802.1X

  IEEE 802.1X sub-features:
    - supplicant modes single / single-secure / multiple
    - dynamic VLAN assignment and guest VLAN
    - server-reject VLAN
    - RADIUS
    - MAC RADIUS
    - VoIP VLAN
  - IGMP snooping
  - IEEE 802.1ad dot1q tunneling (Q-in-Q)
  - LLDP (Link Layer Discovery Protocol)

EX Series features the original lists separately from the J Series and SRX Series feature set:
  - Layer 2 ACLs (Access Control Lists)
  - QoS (Quality of Service)
  - Layer 2 SNMP MIBs
  - Layer 2 CoS

Platform notes in the original cover MSTP on the SRX210, IGMP snooping and Q-in-Q on the SRX100, the 802.1X sub-features (guest VLAN, server-reject VLAN, VoIP VLAN, RADIUS, MAC RADIUS) on the J Series and SRX100 (see Table 3 under IEEE 802.1X), and Q-in-Q on the SRX650. The original refers to the Junos OS Future Support Reference for release and platform details.

Figure 1: Forwarding path on the J Series and branch SRX Series. Intra-VLAN traffic (between two ports in the same VLAN) is switched locally in the Ethernet switching chip (step 1). Inter-VLAN traffic (between two different VLANs) is handed to the flow forwarding path (steps 2A to 2D): screens, static NAT, destination NAT, route lookup, zone, policy, reverse static NAT, source NAT, services/ALG and session setup, with a session-match decision, TCP checks, and per-packet policer, filter and shaper stages. Step 1 covers the VLAN, MAC learning and STP configuration entered through the CLI or J-Web; steps 2A to 2D cover the VLAN, MAC and RVI lookups.

On the J Series, switching is enabled per uPIM (universal PIM) under [edit chassis fpc <slot> pic 0 ethernet]; the example places the uPIM in slot 6:

    chassis {
        fpc 6 {
            pic 0 {
                ethernet {
                    pic-mode enhanced-switching;
                }
            }
        }
    }

Layer 2 interfaces

An SRX Series interface is configured either at Layer 3 (IPv4, IPv6 or ISO) or at Layer 2. A Layer 2 port uses logical unit 0 with family ethernet-switching:

    interfaces {
        ge-<slot number>/0/<port number> {
            unit 0 {
                family ethernet-switching;
            }
        }
    }

VLANs

A VLAN (Virtual LAN) is a Layer 2 broadcast domain. On the J Series and SRX Series the default VLAN uses VLAN ID 1. VLANs are defined at [edit vlans] with a name and a VLAN ID:

    vlans {
        <vlan name> {
            vlan-id <id>;
        }
    }

Table 2: VLAN ID range per platform.

  Platform   VLAN IDs
  J Series   1-4094
  SRX100     1-4094
  SRX110     1-4094
  SRX210     1-4094*
  SRX220     1-4094*
  SRX240     1-3967
  SRX650     1-3967

  * Note in the original concerning VLAN 4093 on the SRX200 line.

VLAN membership and trunk ports

A Layer 2 port is assigned to a VLAN in one of two ways. Either under the interface, at [edit interfaces <name> unit 0 family ethernet-switching]:

    interfaces {
        ge-<slot number>/0/<port number> {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members <vlan name or id>;
                    }
                }
            }
        }
    }

or under the VLAN, at [edit vlans <vlan name> interface]:

    vlans {
        <name> {
            interface <interface name>;
            interface <interface name>;
        }
    }

A trunk port carries several VLANs over one link using IEEE 802.1Q tags (12-bit VLAN ID). It is configured with port-mode trunk and a list of VLAN members:

    interfaces {
        ge-*/*/* {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ <vlan name or id> <vlan name or id> ];
                    }
                }
            }
        }
    }

Figure 2: VLANs. Two J Series/branch SRX Series devices each carry VLAN orange and VLAN blue; the link between them is a trunk port (port-mode trunk under [family ethernet-switching]) that carries both VLANs with their VLAN IDs.

Figure 3: Layer 2. Intra-VLAN traffic is switched locally in the uPIM. VLANs orange, blue and red; ge-4/0/0 is a trunk port, ge-4/0/1, ge-4/0/2 and ge-4/0/3 are access ports.

RVI (Routed VLAN Interface)

Traffic between two VLANs must be routed at Layer 3. On the J Series and SRX Series this is done with an RVI (Routed VLAN Interface), a Layer 3 logical interface bound to a VLAN: traffic within a VLAN stays at Layer 2, while traffic between VLANs passes through the RVIs and is routed by Junos OS.

Figure 4: Layer 3 and Layer 2 paths. Inter-VLAN routed traffic is sent to the Junos OS forwarding daemon (fwdd) through the interfaces vlan.0, vlan.1 and vlan.2; intra-VLAN traffic is switched locally in the uPIM. VLANs orange, blue and red; ge-4/0/0 is a trunk port, ge-4/0/1, ge-4/0/2 and ge-4/0/3 are access ports.

An RVI is a logical unit of the vlan interface, configured at [edit interfaces vlan], and the VLAN references it with l3-interface:

    interfaces {
        vlan {
            unit <unit number> {
                family inet {
                    address <ip address>/<netmask>;
                }
            }
        }
    }
    vlans {
        <vlan name> {
            l3-interface vlan.<unit of newly created vlan ifl>;
        }
    }

Junos OS treats the RVI like any other Layer 3 interface, so routing, security zones and policies apply to it as to a physical Layer 3 port.

Link aggregation

Link aggregation bundles several physical Layer 2 links into one logical link (an ae interface), which the spanning tree protocols (STP, RSTP, MSTP) treat as a single link. LACP (IEEE 802.3ad) negotiates the bundle with the peer, which can be another switch or a server NIC (Network Interface Card).

Figure 5: Link aggregation. Two J Series/branch SRX Series devices are connected by the trunk port AE0.0, carrying VLAN orange and VLAN blue.

The number of aggregated interfaces is set first; interfaces ae0 through ae<device-count - 1> are created:

    chassis {
        aggregated-devices {
            ethernet {
                device-count <number of aggregated interfaces to create>;
            }
        }
    }

Each member port names its bundle under gigether-options (written gigabit-ethernet-options in the original template; the examples later in this guide use gigether-options):

    interfaces {
        <interface name> {
            gigether-options {
                802.3ad <bundle interface name>;
            }
        }
    }

LACP is configured under aggregated-ether-options. At least one side of the bundle must be active so that LACP PDUs are sent. link-speed fixes the member speed, and minimum-links is the number of member links that must be up for the aggregated interface to be "up"; on the J Series and SRX Series it ranges from 1 to 8, a LAG holding up to 8 links:

    interfaces {
        <aggregate interface name> {
            aggregated-ether-options {
                link-speed (100m | 1g);
                minimum-links <number from 1 to 8>;
                lacp {
                    (active | passive);
                }
            }
        }
    }

The aggregated interface is then configured like any other Layer 2 port, as an access or trunk member of its VLANs.

STP (Spanning Tree Protocol)

Redundant Layer 2 links form loops, and a Layer 2 network needs a spanning tree protocol to block them. The J Series and SRX Series support STP, RSTP and MSTP. Bridges exchange BPDUs (Bridge Protocol Data Units) to elect a root bridge and to decide which ports forward and which block, so that exactly one active path exists between any two LAN segments. STP is defined in IEEE 802.1D and is configured under [edit protocols].

Figure 6: STP. The root bridge forwards on its designated ports; each other bridge forwards on its root port and on its designated ports, and blocks the alternate port.

    protocols {
        stp {
            bridge-priority <bridge priority>;
            interface <interface name> {
                cost <interface cost>;
            }
        }
    }

Under [edit protocols stp], bridge-priority is set in steps of 4k from 0 to 60k; the default is 32k, and the bridge with the lowest bridge ID becomes root. Per-interface parameters such as cost are set under [edit protocols stp interface <interface name>]. Junos OS also exposes the timers hello-time, forward-delay and max-age.

RSTP (Rapid Spanning Tree Protocol, IEEE 802.1w)

STP needs 30 to 50 seconds to converge after a topology change. RSTP (Rapid Spanning Tree Protocol), defined in IEEE 802.1w, keeps the STP port roles but converges far faster, and adds the edge port: a port connected to an end host, which goes to forwarding immediately.

    protocols {
        rstp {
            bridge-priority <bridge priority>;
            interface <interface name> {
                cost <interface cost>;
            }
            interface <interface name> {
                edge;
            }
        }
    }

Figure 7: RSTP. Edge ports face end hosts; the root bridge forwards on its designated ports, the other bridges forward on their root and designated ports and block the alternate port.

RSTP interoperates with STP: a port that receives STP BPDUs falls back to STP behaviour. The per-interface options are set under [edit protocols rstp interface <interface name>].
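The root-bridge and port-role decisions described above (lowest bridge ID wins, each other bridge picks the port with the least root path cost, and on every remaining segment the bridge with the lower cost or bridge ID is designated while the other side blocks) can be worked through in code. The following is an added example, not from the Juniper guide; the bridge IDs and the triangle of LAG links are constructed to match the RSTP example later in this guide, with an assumed path cost of 10000 per link. It also shows why the guide sets bridge-priority 4k on one device: with equal priorities the root is decided by MAC address alone.

```python
"""Spanning-tree root and port-role election (added example, not from the guide)."""
import heapq

# Constructed bridges as (priority, MAC); SRX-2 has bridge-priority 4k, the
# others keep the default 32k, as in the guide's RSTP example.
BRIDGES = {
    "SRX-1": (32768, "00:1b:c0:53:69:88"),
    "SRX-2": (4096, "00:22:83:99:b0:50"),
    "SRX-3": (32768, "80:71:1f:a4:2a:90"),
}
# Constructed links: (bridge, port, peer bridge, peer port, path cost).
# Assumed path cost of 10000 for each two-member 1 GbE LAG.
LINKS = [
    ("SRX-1", "ae0.0", "SRX-2", "ae0.0", 10000),
    ("SRX-2", "ae1.0", "SRX-3", "ae1.0", 10000),
    ("SRX-3", "ae0.0", "SRX-1", "ae1.0", 10000),
]


def ports_of(name, links):
    """Yield (own port, peer bridge, peer port, cost) for each link on a bridge."""
    for a, ap, b, bp, cost in links:
        if a == name:
            yield ap, b, bp, cost
        elif b == name:
            yield bp, a, ap, cost


def root_path_costs(root, links):
    """Least root path cost per bridge: Dijkstra over the link costs."""
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for _, peer, _, link_cost in ports_of(n, links):
            if c + link_cost < cost.get(peer, float("inf")):
                cost[peer] = c + link_cost
                heapq.heappush(heap, (cost[peer], peer))
    return cost


def elect(bridges, links):
    """Return (root bridge, {(bridge, port): role}); roles: root, designated, alternate."""
    # Root bridge: lowest bridge ID, i.e. lowest (priority, MAC).
    root = min(bridges, key=lambda n: bridges[n])
    cost = root_path_costs(root, links)
    roles = {}
    for name in bridges:
        if name == root:
            # Every port of the root bridge is designated.
            roles.update({(name, p): "designated" for p, *_ in ports_of(name, links)})
            continue
        # Root port: least (root path cost via the peer, peer bridge ID, peer port ID).
        root_port = min(ports_of(name, links),
                        key=lambda e: (cost[e[1]] + e[3], bridges[e[1]], e[2]))[0]
        roles[(name, root_port)] = "root"
        for port, peer, _, _ in ports_of(name, links):
            if port == root_port:
                continue
            # On the remaining segments the side with the lower (root path cost,
            # bridge ID) is designated; the other side is alternate and blocks.
            mine, theirs = (cost[name], bridges[name]), (cost[peer], bridges[peer])
            roles[(name, port)] = "designated" if mine < theirs else "alternate"
    return root, roles


if __name__ == "__main__":
    root, roles = elect(BRIDGES, LINKS)
    print("root bridge:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role}")
```

With these inputs SRX-2 is root, SRX-1 and SRX-3 each use the port facing SRX-2 as root port, and on the SRX-1 to SRX-3 segment SRX-1 wins the designated role on bridge ID, so SRX-3's ae0.0 blocks. This is the state the guide's show spanning-tree interface output on srx-3 reports (ae1.0 ROOT, ae0.0 ALT).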

MSTP (Multiple Spanning Tree Protocol)

With STP or RSTP a single spanning tree covers every VLAN, so a blocked link carries no traffic at all. MSTP, supported on the J Series and SRX Series, runs several spanning-tree instances (MSTI, Multiple Spanning-Tree Instance), each carrying a set of VLANs, so that different VLANs can forward over different links of a looped topology.

Figure 8: MSTP. On one link VLAN red forwards (MSTI 102) while VLAN blue blocks (MSTI 101); on the other link VLAN blue forwards (MSTI 101) while VLAN red blocks (MSTI 102).

MSTP supports up to 64 MSTIs, and VLANs 1 to 4094 can be mapped to them:

    protocols {
        mstp {
            configuration-name <region name>;
            bridge-priority <bridge priority>;
            interface <interface name> {
                cost <interface cost>;
            }
            interface <interface name> {
                edge;
            }
            msti <msti id> {
                bridge-priority <bridge priority>;
                vlan <vlan id or vlan name list>;
                interface <interface name> {
                    cost <interface cost>;
                }
            }
        }
    }

MSTP interoperates with STP and RSTP bridges. Bridges sharing the same configuration name and VLAN-to-MSTI mapping form a region. VLANs not assigned to any MSTI belong to the CIST (Common and Internal Spanning Tree), whose parameters are set directly under [edit protocols mstp]; each MSTI's bridge priority, VLANs and interface costs are set under [edit protocols mstp msti <msti id>], and Junos OS computes the MSTI topologies within the CIST.

IEEE 802.1X

IEEE 802.1X provides port-based network access control on the LAN: a port forwards user traffic only after the attached device has authenticated. 802.1X has three roles, the supplicant (the end device), the authenticator and the authentication server (RADIUS); the J Series and SRX Series act as authenticator, with the same 802.1X implementation as the EX Series. Beyond basic authentication the following are available:

  - Dynamic VLAN assignment: the RADIUS server returns a VLAN ID and the port is placed in that VLAN after authentication.
  - Guest VLAN: a VLAN for devices that do not respond to 802.1X.
  - Server-reject VLAN: a VLAN for devices that the RADIUS server rejects.
  - RADIUS server fail handling.
  - MAC RADIUS: the device's MAC address is sent to the RADIUS server as the credential, for devices that cannot run an 802.1X supplicant; RADIUS can return a VLAN for them as well.
  - VoIP VLAN: an IP phone is placed in the VoIP VLAN returned by RADIUS, while the 802.1X session of the PC behind it is handled separately.

Table 3: IEEE 802.1X feature support. Yes/No are recovered from the check and cross symbols of the original; three row labels did not survive.

  Feature               SRX100  SRX110  SRX210  SRX220  SRX240  SRX650  J Series
  ... VLAN              No      No      Yes     Yes     Yes     Yes     No
  (label lost)          Yes     Yes     Yes     Yes     Yes     Yes     Yes
  ... VLAN              No      No      Yes     Yes     Yes     Yes     No
  ... VLAN              No      No      Yes     Yes     Yes     Yes     No
  Server-reject VLAN    No      No      Yes     Yes     Yes     Yes     No
  (label lost)          No      No      Yes     Yes     Yes     Yes     No
  VoIP VLAN             No      No      Yes     Yes     Yes     Yes     No
  RADIUS ...            Yes     Yes     Yes     Yes     Yes     Yes     No
  MAC RADIUS            Yes     Yes     Yes     Yes     Yes     Yes     No

Figure 9: IEEE 802.1X. The supplicant connects to the J Series/branch SRX Series device (the authenticator), which consults the RADIUS server before granting access to the network resources.

    protocols {
        dot1x {
            authenticator {
                authentication-profile-name abc;
                static {
                    <mac address>/mask;
                }
                interface {
                    <interface name> {
                        supplicant (single | single-secure | multiple);
                        guest-vlan <vlan name>;
                        server-reject-vlan <vlan name>;
                        server-fail (permit | deny | vlan-name <vlan name> | cache);
                    }
                }
            }
        }
    }
    access {
        radius-server {
            <RADIUS server IP> secret <RADIUS shared secret>;
        }
        profile <profile name> {
            authentication-order radius;
            radius {
                authentication-server <RADIUS server IP>;
            }
        }
    }

The authenticator is configured under [edit protocols dot1x authenticator]. The supplicant mode, set under [edit protocols dot1x authenticator interface <interface name> supplicant], is one of three: single (one supplicant authenticates the port), single-secure (only that supplicant's MAC address is allowed) or multiple (each supplicant authenticates separately). Guest VLAN, server-reject VLAN and server-fail behaviour are set per interface under [edit protocols dot1x authenticator interface <interface name>]; MAC addresses that bypass 802.1X are listed under [edit protocols dot1x authenticator static]. The RADIUS server and access profile are defined under [edit access] and [edit access profile], and the profile is referenced by [edit protocols dot1x authenticator authentication-profile-name].

IGMP snooping

IGMP snooping limits Layer 2 multicast flooding within a VLAN. Junos OS on the J Series and SRX Series listens to IGMP (Internet Group Management Protocol) messages exchanged between hosts on the LAN and the PIM/IGMP router, and forwards each multicast group only to the ports where a receiver has joined and to the multicast-router interface.

Figure 10: IGMP snooping. A PIM/IGMP router (on the multicast-router interface) and a source are on one side of the J Series/branch SRX Series device, which performs IGMP snooping; the multicast receiver is on the other side.

    protocols {
        igmp-snooping {
            vlan vlan10;
        }
    }

IGMP snooping is enabled per VLAN under [edit protocols igmp-snooping]. The interface toward the PIM/IGMP router is learned as the multicast-router interface; IGMP join/report messages are forwarded toward it, and membership is removed on IGMP leave or timeout (IGMPv1 hosts rely on the timeout). The platform notes mention the SRX100 separately for this feature.

802.1Q tunneling (Q-in-Q)

Q-in-Q (IEEE 802.1ad) carries a customer's Layer 2 VLANs transparently across a service provider network. The J Series and SRX Series act as the PE (Provider Edge): on ingress the customer frame, which already carries an 802.1Q C-VLAN tag (customer VLAN), receives an additional S-VLAN tag (service VLAN); on egress toward the customer the S-VLAN tag is removed, so the customer's VLAN IDs are preserved end to end. MAC learning can be disabled per VLAN or per interface so that the PE does not learn customer MAC addresses.

Figure 11: Q-in-Q. Customer site, C-VLAN tagged, to the J Series/branch SRX Series PE; S-VLAN + C-VLAN tagged across the service provider; the J Series/branch SRX Series PE at the far end, C-VLAN tagged, to the customer.

    vlans {
        <vlan name> {
            vlan-id <vlan id>;
            dot1q-tunneling {
                customer-vlans (native | <vlan id range>);
            }
            interface {
                <interface name> {
                    mapping {
                        (native | <vlan id>) {
                            push;
                        }
                    }
                }
            }
        }
    }

    vlans {
        <vlan name> {
            no-mac-learning;
        }
    }
    ethernet-switching-options {
        interfaces {
            <interface name> {
                no-mac-learning;
            }
        }
    }

The J Series and SRX Series map C-VLANs to S-VLANs in three ways. dot1q-tunneling under [edit vlans <vlan name>] makes the VLAN an S-VLAN and bundles all customer VLANs into it; customer-vlans under [edit vlans <vlan name>] restricts which C-VLANs are carried in the S-VLAN; mapping under [edit vlans <vlan name>] maps one C-VLAN to one S-VLAN. The platform notes mention the SRX650, the SRX100 and the J Series separately for these options. MAC learning is disabled per VLAN with no-mac-learning under [edit vlans <vlan name>], or per interface under [edit ethernet-switching-options interfaces <interface name>]; the SRX100 is noted separately.

LLDP (Link Layer Discovery Protocol) and LLDP-MED

LLDP lets devices on a LAN advertise their identity and capabilities to their neighbours in TLVs (Type, Length, and Value). LLDP-MED (Link Layer Discovery Protocol - Media Endpoint Discovery) extends LLDP for endpoints such as IP phones: Junos OS uses LLDP-MED TLVs to tell an IP phone which VLAN and priority to use and to exchange PoE (Power over Ethernet) power information with it.

Figure 12: LLDP and LLDP-MED. The J Series/branch SRX Series device (LLDP/LLDP-MED) and its network peripherals.

    protocols {
        lldp {
            interface <interface name>;
        }
        lldp-med {
            interface <interface name>;
        }
    }

LLDP and LLDP-MED are enabled per interface under [edit protocols lldp] and [edit protocols lldp-med]. The LLDP TLVs carry the chassis ID (MAC address), the port ID, the system name and description (two string fields limited to 256 bytes in the original's listing) and the management IP address.

LLDP-MED TLV subtypes:
  0: reserved
  1: LLDP-MED capabilities
  2: network policy
  3: location identification
  4: extended power via MDI (MDI-PSE, Medium-Dependent Interface Power-Sourcing Equipment)
  5-15: reserved

LLDP-MED device types:
  0: type not defined
  1: endpoint class I
  2: endpoint class II
  3: endpoint class III
  4: network connectivity device
  5-255: reserved

The network policy TLV carries the Layer 2 and Layer 3 policy for the endpoint: the 802.1Q VLAN ID, the 802.1p priority (CoS) and the DiffServ code point. The extended power TLV carries the PSE (power-sourcing equipment) parameters of the MDI.
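The Q-in-Q section above describes the PE pushing an S-VLAN tag in front of the customer's C-VLAN tag on ingress and popping it on egress. The following is an added example, not from the Juniper guide, that performs that tag stacking on a constructed Ethernet frame so the byte layout is visible. It assumes the IEEE 802.1ad TPID 0x88A8 for the S-tag; the TPID a device actually emits depends on its configured tunneling ether-type, which this guide does not show, so the TPID is a parameter.

```python
"""802.1Q tag stacking at a Q-in-Q provider edge (added example, not from the guide)."""
import struct

TPID_8100 = 0x8100   # customer (C-VLAN) tag, IEEE 802.1Q
TPID_88A8 = 0x88A8   # service (S-VLAN) tag, IEEE 802.1ad; assumed for the S-tag here


def parse_frame(frame):
    """Split a frame into (dst, src, [(tpid, pcp, vid), ...], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    tags, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] in (TPID_8100, TPID_88A8):
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        tags.append((tpid, tci >> 13, tci & 0x0FFF))   # PCP: top 3 bits, VID: low 12 bits
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, tags, ethertype, frame[off + 2:]


def build_frame(dst, src, tags, ethertype, payload):
    """Assemble a frame; tags are written outermost first."""
    out = dst + src
    for tpid, pcp, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


def push_service_tag(frame, s_vid, pcp=0, tpid=TPID_88A8):
    """Ingress at the PE: add the S-VLAN tag in front of whatever the customer sent."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, [(tpid, pcp, s_vid)] + tags, ethertype, payload)


def pop_service_tag(frame, expected_s_vid):
    """Egress toward the customer: remove the outer tag after checking it is our S-VLAN."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if not tags or tags[0][2] != expected_s_vid:
        raise ValueError("outer tag is not the expected S-VLAN")
    return build_frame(dst, src, tags[1:], ethertype, payload)


# Constructed customer frame: C-VLAN 10, IPv4 ethertype, dummy payload.
CUSTOMER_FRAME = build_frame(b"\x01\x02\x03\x04\x05\x06", b"\x0a\x0b\x0c\x0d\x0e\x0f",
                             [(TPID_8100, 0, 10)], 0x0800, b"payload")


def tunnel_round_trip(frame, s_vid=100):
    """Push at the ingress PE, report the stacked tags, pop at the egress PE."""
    in_provider = push_service_tag(frame, s_vid)
    stacked = parse_frame(in_provider)[2]
    return stacked, pop_service_tag(in_provider, s_vid)


if __name__ == "__main__":
    stacked, restored = tunnel_round_trip(CUSTOMER_FRAME)
    print("tags inside the provider network:", [(hex(t), p, v) for t, p, v in stacked])
    print("customer frame restored:", restored == CUSTOMER_FRAME)
```

The round trip shows the S-tag (TPID 0x88A8, VID 100) in front of the untouched C-tag (0x8100, VID 10) while the frame is inside the provider network, and the original customer frame after the egress pop; an untagged customer frame (the native case in the configuration template) simply gains a single S-tag.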

Configuration examples for the J Series and SRX Series

Layer 2 interfaces

Figure 13: Two Layer 2 interfaces, ge-0/0/5 and ge-0/0/9, on one device.

Configure ge-0/0/5 and ge-0/0/9 as Layer 2 (ethernet-switching) ports:

    set interfaces ge-0/0/5 unit 0 family ethernet-switching
    set interfaces ge-0/0/9 unit 0 family ethernet-switching

With no VLAN assigned, both ports belong to the default VLAN:

    regress@srx-1> show vlans
    Name         Tag   Interfaces
    default      1     ge-0/0/5.0*, ge-0/0/9.0*

VLANs

Figure 14: Two VLANs: SALES on ge-0/0/5 and ge-0/0/9, OPERATIONS on ge-0/0/7 and ge-0/0/11.

Create the VLANs SALES (ID 10) and OPERATIONS (ID 20) and assign the four ports:

    set vlans OPERATIONS vlan-id 20
    set vlans SALES vlan-id 10
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS

Each port now appears under its VLAN:

    regress@srx-1> show vlans
    Name         Tag   Interfaces
    OPERATIONS   20    ge-0/0/7.0*, ge-0/0/11.0*
    SALES        10    ge-0/0/5.0*, ge-0/0/9.0*
    default      1     None

Inter-VLAN routing

Figure 15: Inter-VLAN routing. OPERATIONS network 10.1.2.0/24 on ge-0/0/7 and ge-0/0/11; SALES network on ge-0/0/5 and ge-0/0/9 (the figure labels both networks 10.1.2.0/24; the configuration below gives SALES 10.1.1.0/24).

Each VLAN gets an RVI (vlan.10 and vlan.20). Because an RVI is a Layer 3 interface, it must be placed in a security zone before it can pass traffic: the RVIs go into the zones SALES and OPERATIONS, and a policy permits HTTP between the two zones in each direction. The policy statements are written here in the standard Junos form (match, then permit):

    set vlans OPERATIONS vlan-id 20
    set vlans OPERATIONS l3-interface vlan.20
    set vlans SALES vlan-id 10
    set vlans SALES l3-interface vlan.10
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces vlan unit 10 family inet address 10.1.1.1/24
    set interfaces vlan unit 20 family inet address 10.1.2.1/24
    set security zones security-zone SALES interfaces vlan.10
    set security zones security-zone OPERATIONS interfaces vlan.20
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

Verify the VLANs and the RVIs:

    regress@srx-1> show vlans
    Name         Tag   Interfaces
    OPERATIONS   20    ge-0/0/7.0*, ge-0/0/11.0*
    SALES        10    ge-0/0/5.0*, ge-0/0/9.0*
    default      1     None

    regress@srx-1> show interfaces vlan terse
    Interface    Admin  Link  Proto  Local          Remote
    vlan         up     up
    vlan.10      up     up    inet   10.1.1.1/24
    vlan.20      up     up    inet   10.1.2.1/24

Trunk ports

Figure 16: Trunk ports. SRX-1 and SRX-2 are connected by the trunk ports ge-0/0/3 on each device. SRX-1 has the access ports ge-0/0/5 (SALES) and ge-0/0/7 (OPERATIONS); SRX-2 has ge-0/0/9 (SALES) and ge-0/0/11 (OPERATIONS).

The trunk port ge-0/0/3 carries both VLANs, SALES and OPERATIONS, between SRX-1 and SRX-2.

SRX-1:

    set vlans OPERATIONS vlan-id 20
    set vlans OPERATIONS l3-interface vlan.20
    set vlans SALES vlan-id 10
    set vlans SALES l3-interface vlan.10
    set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces vlan unit 10 family inet address 10.1.1.1/24
    set interfaces vlan unit 20 family inet address 10.1.2.1/24
    set security zones security-zone SALES interfaces vlan.10
    set security zones security-zone OPERATIONS interfaces vlan.20
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

SRX-2:

    set vlans OPERATIONS vlan-id 20
    set vlans OPERATIONS l3-interface vlan.20
    set vlans SALES vlan-id 10
    set vlans SALES l3-interface vlan.10
    set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces vlan unit 10 family inet address 10.1.1.1/24
    set interfaces vlan unit 20 family inet address 10.1.2.1/24
    set security zones security-zone SALES interfaces vlan.10
    set security zones security-zone OPERATIONS interfaces vlan.20
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

Verify the VLAN membership of the trunk and access ports on both devices. The trunk port lists both VLANs as tagged; each access port lists its single VLAN as untagged:

    regress@srx-1> show ethernet-switching interfaces
    Interface     State  VLAN members   Tag   Tagging    Blocking
    ge-0/0/3.0    up     OPERATIONS     20    tagged     unblocked
                         SALES          10    tagged     unblocked
    ge-0/0/5.0    up     SALES          10    untagged   unblocked
    ge-0/0/7.0    up     OPERATIONS     20    untagged   unblocked

    regress@srx-2> show ethernet-switching interfaces
    Interface     State  VLAN members   Tag   Tagging    Blocking
    ge-0/0/3.0    up     OPERATIONS     20    tagged     unblocked
                         SALES          10    tagged     unblocked
    ge-0/0/9.0    up     SALES          10    untagged   unblocked
    ge-0/0/11.0   up     OPERATIONS     20    untagged   unblocked

Link aggregation

Figure 17: Link aggregation. SRX-1 and SRX-2 are connected by the LAG ae0.0, a trunk port formed from ge-0/0/1 and ge-0/0/3 on each device. SRX-1 has the access ports ge-0/0/5 and ge-0/0/7; SRX-2 has ge-0/0/9 and ge-0/0/11.

ge-0/0/1 and ge-0/0/3 are bundled into ae0, and ae0.0 is configured as a trunk port carrying the VLANs SALES and OPERATIONS.

SRX-1:

    set vlans OPERATIONS vlan-id 20
    set vlans OPERATIONS l3-interface vlan.20
    set vlans SALES vlan-id 10
    set vlans SALES l3-interface vlan.10
    set chassis aggregated-devices ethernet device-count 2
    set interfaces ge-0/0/1 gigether-options 802.3ad ae0
    set interfaces ge-0/0/3 gigether-options 802.3ad ae0
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae0 aggregated-ether-options lacp active
    set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces vlan unit 10 family inet address 10.1.1.1/24
    set interfaces vlan unit 20 family inet address 10.1.2.1/24
    set security zones security-zone SALES interfaces vlan.10
    set security zones security-zone OPERATIONS interfaces vlan.20
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

SRX-2:

    set vlans OPERATIONS vlan-id 20
    set vlans OPERATIONS l3-interface vlan.20
    set vlans SALES vlan-id 10
    set vlans SALES l3-interface vlan.10
    set chassis aggregated-devices ethernet device-count 2
    set interfaces ge-0/0/1 gigether-options 802.3ad ae0
    set interfaces ge-0/0/3 gigether-options 802.3ad ae0
    set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae0 aggregated-ether-options lacp active
    set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces vlan unit 10 family inet address 10.1.1.1/24
    set interfaces vlan unit 20 family inet address 10.1.2.1/24
    set security zones security-zone SALES interfaces vlan.10
    set security zones security-zone OPERATIONS interfaces vlan.20
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

Verify that LACP has brought the LAG up: each member shows the collecting and distributing state, and ae0.0 appears as a Layer 2 trunk port:

    regress@srx-1> show lacp interfaces
    Aggregated interface: ae0
        LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
          ge-0/0/5       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          ge-0/0/5     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
          ge-0/0/7       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          ge-0/0/7     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
        LACP protocol:    Receive State  Transmit State          Mux State
          ge-0/0/5              Current   Fast periodic Collecting distributing
          ge-0/0/7              Current   Fast periodic Collecting distributing

    regress@srx-1> show ethernet-switching interfaces
    Interface     State  VLAN members   Tag   Tagging    Blocking
    ae0.0         up     OPERATIONS     20    tagged     unblocked
                         SALES          10    tagged     unblocked
    ge-0/0/5.0    up     SALES          10    untagged   unblocked
    ge-0/0/7.0    up     OPERATIONS     20    untagged   unblocked

RSTP

Figure 18: RSTP. Three J Series/SRX Series devices, SRX-1, SRX-2 and SRX-3, are connected in a triangle of LAGs: SRX-1 ae0.0 to SRX-2 ae0.0, SRX-2 ae1.0 to SRX-3 ae1.0, and SRX-3 ae0.0 to SRX-1 ae1.0. Access ports: SRX-1 ge-0/0/5 and ge-0/0/7; SRX-2 ge-0/0/9 and ge-0/0/11; SRX-3 ge-0/0/6 and ge-0/0/8.

The triangle is a Layer 2 loop, so RSTP (Rapid Spanning Tree Protocol) is enabled on all three devices. SRX-2 is made the root bridge by lowering its bridge priority, and the access ports are configured as edge ports.

SRX-1:

    set vlans OPERATIONS vlan-id 20
    set vlans OPERATIONS l3-interface vlan.20
    set vlans SALES vlan-id 10
    set vlans SALES l3-interface vlan.10
    set chassis aggregated-devices ethernet device-count 2
    set interfaces ge-0/0/1 gigether-options 802.3ad ae0
    set interfaces ge-0/0/3 gigether-options 802.3ad ae0
    set interfaces ge-0/0/15 gigether-options 802.3ad ae1
    set interfaces ge-0/0/13 gigether-options 802.3ad ae1
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae1 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae1 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces vlan unit 10 family inet address 10.1.1.1/24
    set interfaces vlan unit 20 family inet address 10.1.2.1/24
    set protocols rstp
    set protocols rstp interface ge-0/0/5.0 edge
    set protocols rstp interface ge-0/0/7.0 edge
    set security zones security-zone SALES interfaces vlan.10
    set security zones security-zone OPERATIONS interfaces vlan.20
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

SRX-2 (root bridge, bridge-priority 4k):

    set vlans OPERATIONS vlan-id 20
    set vlans OPERATIONS l3-interface vlan.20
    set vlans SALES vlan-id 10
    set vlans SALES l3-interface vlan.10
    set chassis aggregated-devices ethernet device-count 2
    set interfaces ge-0/0/1 gigether-options 802.3ad ae0
    set interfaces ge-0/0/3 gigether-options 802.3ad ae0
    set interfaces ge-0/0/15 gigether-options 802.3ad ae1
    set interfaces ge-0/0/13 gigether-options 802.3ad ae1
    set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae1 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae1 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces vlan unit 10 family inet address 10.1.1.2/24
    set interfaces vlan unit 20 family inet address 10.1.2.2/24
    set protocols rstp bridge-priority 4k
    set protocols rstp interface ge-0/0/9.0 edge
    set protocols rstp interface ge-0/0/11.0 edge
    set security zones security-zone SALES interfaces vlan.10
    set security zones security-zone OPERATIONS interfaces vlan.20
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

SRX-3:

    set vlans OPERATIONS vlan-id 20
    set vlans OPERATIONS l3-interface vlan.20
    set vlans SALES vlan-id 10
    set vlans SALES l3-interface vlan.10
    set chassis aggregated-devices ethernet device-count 2
    set interfaces ge-0/0/13 gigether-options 802.3ad ae0
    set interfaces ge-0/0/15 gigether-options 802.3ad ae0
    set interfaces ge-0/0/0 gigether-options 802.3ad ae1
    set interfaces ge-0/0/2 gigether-options 802.3ad ae1
    set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae1 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae1 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces vlan unit 10 family inet address 10.1.1.3/24
    set interfaces vlan unit 20 family inet address 10.1.2.3/24
    set protocols rstp
    set protocols rstp interface ge-0/0/6.0 edge
    set protocols rstp interface ge-0/0/8.0 edge
    set security zones security-zone SALES interfaces vlan.10
    set security zones security-zone OPERATIONS interfaces vlan.20
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any destination-address any application junos-http
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

Verification on SRX-2. Its bridge ID (priority 4096) equals the root ID, so SRX-2 is the root bridge and all of its ports are designated and forwarding:

    regress@srx-2> show spanning-tree bridge
    STP bridge parameters
    Context ID                          : 0
    Enabled protocol                    : RSTP
      Root ID                           : 4096.00:22:83:99:b0:50
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Message age                       : 0
      Number of topology changes        : 2
      Time since last topology change   : 458 seconds
      Topology change initiator         : ae1.0
      Topology change last recvd. from  : 80:71:1f:a4:2b:01
      Local parameters
        Bridge ID                       : 4096.00:22:83:99:b0:50
        Extended system ID              : 0
        Internal instance ID            : 0

    regress@elanta> show spanning-tree interface
    Spanning tree interface parameters for instance 0
    Interface     Port ID    Designated   Designated          Port    State  Role
                             port ID      bridge ID           Cost
    ae0.0         128:1      128:1        4096.00228399b050   20000   FWD    DESG
    ae1.0         128:2      128:2        4096.00228399b050   10000   FWD    DESG
    ge-0/0/9.0    128:522    128:522      4096.00228399b050   20000   FWD    DESG
    ge-0/0/11.0   128:524    128:524      4096.00228399b050   20000   FWD    DESG

Verification on SRX-1. The root ID is SRX-2's bridge ID; SRX-1's own bridge ID keeps the default priority 32768, its root port is ae0.0 and its root cost is 10000:

    regress@srx-1> show spanning-tree bridge
    STP bridge parameters
    Context ID                          : 0
    Enabled protocol                    : RSTP
      Root ID                           : 4096.00:22:83:99:b0:50
      Root cost                         : 10000
      Root port                         : ae0.0
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Message age                       : 1
      Number of topology changes        : 4
      Time since last topology change   : 95 seconds
      Topology change initiator         : ae1.0
      Topology change last recvd. from  : 00:22:83:99:b0:c0
      Local parameters
        Bridge ID                       : 32768.00:1b:c0:53:69:88
        Extended system ID              : 0
        Internal instance ID            : 0

Verification on SRX-3. ae1.0 toward SRX-2 is the root port; ae0.0 toward SRX-1 is the alternate port and is blocked, which breaks the Layer 2 loop:

    regress@srx-3> show spanning-tree interface
    Spanning tree interface parameters for instance 0
    Interface     Port ID    Designated   Designated          Port    State  Role
                             port ID      bridge ID           Cost
    ae0.0         128:1      128:2        32768.001bc0536988  10000   BLK    ALT
    ae1.0         128:2      128:2        4096.00228399b050   10000   FWD    ROOT
    ge-0/0/6.0    128:519    128:519      32768.80711fa42a90  20000   FWD    DESG
    ge-0/0/8.0    128:521    128:521      32768.80711fa42a90  20000   FWD    DESG

IEEE 802.1X

Figure 19: IEEE 802.1X. The RADIUS server 181.181.16.2 is reached through ge-0/0/0; the network resources are behind ge-0/0/11; the supplicant connects to the access port (labelled ge-0/0/5 in the figure; the configuration below authenticates on ge-0/0/12).

The device authenticates supplicants on ge-0/0/12.0 against the RADIUS server and, under [edit protocols dot1x authenticator static], lets one MAC address bypass 802.1X:

    set interfaces ge-0/0/0 unit 0 family inet address 181.181.16.1/24
    set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members SALES
    set protocols dot1x authenticator authentication-profile-name test
    set protocols dot1x authenticator static 00:11:22:33:55:66/48
    set protocols dot1x authenticator interface ge-0/0/12.0 supplicant multiple
    set access radius-server 181.181.16.2 secret $9$K76WX-YgJHqfVwqfTzCAvWL
    set access profile test authentication-order radius

The port first shows the supplicant in the Connecting state, then Authenticated with the supplicant's MAC address and user name. The statically configured MAC address appears among the bypassed users:

    regress@srx-1# run show dot1x interface
    802.1X Information:
    Interface      Role            State           MAC address          User
    ge-0/0/12.0    Authenticator   Connecting

    regress@srx-1# run show dot1x interface
    802.1X Information:
    Interface      Role            State           MAC address          User
    ge-0/0/12.0    Authenticator   Authenticated   00:00:00:80:00:01    user1

    regress@srx-1# run show dot1x authentication-bypassed-users
    MAC address          Interface      VLAN
    00:11:22:33:55:66    ge-0/0/12.0    configured/default

IGMP snooping

Figure 20: IGMP snooping. The PIM/IGMP router and the multicast source are behind ge-0/0/2; the multicast receiver is on ge-0/0/9.

Both ports are in VLAN SALES and IGMP snooping is enabled for that VLAN:

    set vlans SALES vlan-id 10
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
    set protocols igmp-snooping vlan SALES

ge-0/0/2, facing the PIM/IGMP router, is learned dynamically as the multicast-router interface, and the receiver's join on ge-0/0/9 for group 230.5.5.5 is recorded:

    regress@srx-1# run show igmp-snooping membership detail
    VLAN: SALES  Tag: 10 (Index: 2)
        Router interfaces:
            ge-0/0/2.0  dynamic  Uptime: 00:04:48  timeout: 219
        Group: 230.5.5.5
            ge-0/0/9.0  timeout: 233  Last reporter: 23.23.23.2  Receiver count: 1, Flags: <V2-hosts>
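The VLAN, inter-VLAN routing, trunk and LAG examples in this section are each given as set commands followed by show output for verification, and the security-relevant invariants are easy to state: every RVI must carry an address and be bound to a security zone, a port with several VLANs must be a trunk, and the trunk must carry exactly the VLANs that were configured, tagged, and unblocked. The following Python script is an added example, not part of the Juniper guide, that parses both forms and checks those invariants; its sample input is constructed inline from the SRX-1 side of the trunk-port example, in the same column layout the guide's show ethernet-switching interfaces output uses.

```python
"""Cross-check a Junos 'set' switching configuration against 'show
ethernet-switching interfaces' output (added example, not from the guide)."""
from collections import defaultdict

# Constructed sample input: the SRX-1 side of the guide's trunk-port example.
SRX1_CONFIG = """
set vlans OPERATIONS vlan-id 20
set vlans OPERATIONS l3-interface vlan.20
set vlans SALES vlan-id 10
set vlans SALES l3-interface vlan.10
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces vlan unit 10 family inet address 10.1.1.1/24
set interfaces vlan unit 20 family inet address 10.1.2.1/24
set security zones security-zone SALES interfaces vlan.10
set security zones security-zone OPERATIONS interfaces vlan.20
"""
# Constructed sample output in the guide's column layout.
SRX1_SHOW = """
Interface    State  VLAN members   Tag   Tagging   Blocking
ge-0/0/3.0   up     OPERATIONS     20    tagged    unblocked
                    SALES          10    tagged    unblocked
ge-0/0/5.0   up     SALES          10    untagged  unblocked
ge-0/0/7.0   up     OPERATIONS     20    untagged  unblocked
"""


def parse_set_config(text):
    """Collect VLAN definitions, RVI addresses, zone bindings and port membership."""
    cfg = {"vlans": {}, "rvi_addr": {}, "zone_of": {},
           "members": defaultdict(set), "trunks": set()}
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["set"]:
            continue
        t = t[1:]
        if t[0] == "vlans" and len(t) == 4:             # vlan-id or l3-interface
            cfg["vlans"].setdefault(t[1], {})[t[2]] = t[3]
        elif t[:2] == ["interfaces", "vlan"] and "address" in t:
            cfg["rvi_addr"]["vlan." + t[3]] = t[t.index("address") + 1]
        elif t[0] == "interfaces" and "ethernet-switching" in t:
            if "trunk" in t:
                cfg["trunks"].add(t[1])
            if "members" in t:
                cfg["members"][t[1]].add(t[t.index("members") + 1])
        elif t[:2] == ["security", "zones"] and "interfaces" in t:
            cfg["zone_of"][t[t.index("interfaces") + 1]] = t[3]
    return cfg


def config_findings(cfg):
    """RVIs need an address and a zone; a port with several VLANs must be a trunk."""
    out = []
    for name, v in cfg["vlans"].items():
        rvi = v.get("l3-interface")
        if rvi and rvi not in cfg["rvi_addr"]:
            out.append(f"{name}: {rvi} has no inet address")
        if rvi and rvi not in cfg["zone_of"]:
            out.append(f"{name}: {rvi} is not bound to a security zone")
    for port, vlans in cfg["members"].items():
        if len(vlans) > 1 and port not in cfg["trunks"]:
            out.append(f"{port}: several VLANs but no port-mode trunk")
    return out


def parse_show_interfaces(text):
    """Table rows; a continuation row belongs to the previous interface."""
    rows, iface = [], None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "Interface":
            continue
        if t[0].startswith(("ge-", "xe-", "fe-", "ae")):
            iface, t = t[0], t[2:]                       # drop the State column
        vlan, _tag, tagging, blocking = t
        rows.append({"iface": iface, "vlan": vlan, "tagging": tagging, "blocking": blocking})
    return rows


def compare_findings(cfg, rows):
    """Extra or missing VLANs, tagging that contradicts the port mode, blocked ports."""
    out, seen = [], defaultdict(dict)
    for r in rows:
        seen[r["iface"]][r["vlan"]] = r
    expected = {port + ".0": vlans for port, vlans in cfg["members"].items()}
    for iface, want in sorted(expected.items()):
        got = seen.get(iface, {})
        if not got:
            out.append(f"{iface}: configured but absent from output")
            continue
        if set(got) - want:
            out.append(f"{iface}: carries VLANs not in configuration {sorted(set(got) - want)}")
        if want - set(got):
            out.append(f"{iface}: configured VLANs missing {sorted(want - set(got))}")
        mode = "tagged" if iface.rsplit(".", 1)[0] in cfg["trunks"] else "untagged"
        for vlan, r in got.items():
            if r["tagging"] != mode:
                out.append(f"{iface}: {vlan} is {r['tagging']}, expected {mode}")
            if r["blocking"] != "unblocked":
                out.append(f"{iface}: {vlan} is {r['blocking']}")
    for iface in sorted(set(seen) - set(expected)):
        out.append(f"{iface}: in output but not in configuration")
    return out


def audit(config_text, show_text):
    """All findings; an empty list means configuration and state agree."""
    cfg = parse_set_config(config_text)
    return config_findings(cfg) + compare_findings(cfg, parse_show_interfaces(show_text))


if __name__ == "__main__":
    print("\n".join(audit(SRX1_CONFIG, SRX1_SHOW) or ["no findings"]))
```

On the guide's own example the audit is clean. Dropping the zone binding of vlan.20 from the configuration produces a finding before any traffic is attempted, and an extra VLAN appearing on a port in the show output (a tagged VLAN on what is configured as an access port, for instance) is reported both as an unexpected VLAN and as a tagging mismatch. Ports that were given family ethernet-switching without explicit VLAN members, as in the Layer 2 interfaces example, fall into the default VLAN and are reported as "in output but not in configuration", which is the intended prompt to make their membership explicit.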

802.1Q Q-in-Q

Figure 21: 802.1Q Q-in-Q. SRX-1 and SRX-2 are the PE (Provider Edge) devices. On SRX-1, ge-0/0/4 faces the customer and ge-0/0/8 faces the service provider network; on SRX-2, ge-0/0/8 faces the service provider network and ge-0/0/12 faces the customer.

The S-VLAN SERVICE_PROVIDER (ID 100) is enabled for dot1q-tunneling on both PEs. The customer-facing ports ge-0/0/4 (SRX-1) and ge-0/0/12 (SRX-2) are access members of that VLAN, so every customer frame, whatever C-VLAN tag it carries, receives the S-VLAN tag; the provider-facing ports ge-0/0/8 are trunk ports carrying the S-VLAN.

SRX-1:

    set vlans SERVICE_PROVIDER vlan-id 100
    set vlans SERVICE_PROVIDER dot1q-tunneling
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members SERVICE_PROVIDER
    set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members SERVICE_PROVIDER

SRX-2:

    set vlans SERVICE_PROVIDER vlan-id 100
    set vlans SERVICE_PROVIDER dot1q-tunneling
    set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members SERVICE_PROVIDER
    set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members SERVICE_PROVIDER

Verify that dot1q tunneling is enabled on the S-VLAN, with the customer-facing port untagged and the provider-facing port tagged:

    regress@srx-1# run show vlans detail
    VLAN: SERVICE_PROVIDER, 802.1Q Tag: 100, Admin State: Enabled
    Dot1q Tunneling status: enabled
    Number of interfaces: 2 (Active = 2)
      Untagged interfaces: ge-0/0/4.0*
      Tagged interfaces: ge-0/0/8.0*
    VLAN: default, 802.1Q Tag: 1, Admin State: Enabled

http://www.juniper.net/jp/ (also on Twitter and Facebook)

Juniper Networks, Inc. / Juniper Networks International B.V.
Japan: 163-1445, 3-20-2, 45F; Tel 03-5333-7400, FAX 03-5333-7401. 541-0041, 1-1-27. URL http://www.juniper.net/jp/
USA: 1194 North Mathilda Ave, Sunnyvale, CA 94089 USA; 888-JUNIPER (888-586-4737), 408-745-2000, FAX 408-745-2100. URL http://www.juniper.net
Europe: Boeing Avenue 240, 1119 PZ Schiphol-Rijk, Amsterdam, The Netherlands; 31-0-207-125-700, FAX 31-0-207-125-701

Copyright 2014, Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos and QFabric are trademarks of Juniper Networks, Inc.
3500196-002 JP Apr 2014