Note: This post is part of the Switching guide.
Chapter 5 Device Security and Firewall Filters
Storm Control
Storm control monitors broadcast, multicast and unknown unicast traffic.
By default the cumulative limit on all interfaces is 80% of the interface bandwidth.
set ethernet-switching-options storm-control interface all
A different limit can be configured, and storm control can be disabled per interface.
Storm Control Actions
set ethernet-switching-options storm-control interface all
set ethernet-switching-options storm-control action-shutdown
By default, when the limit is exceeded the excess traffic is dropped. The switch can instead be configured to disable the interface.
The shutdown action can be used together with port-error-disable, which allows the port to recover automatically.
!Run manually to put the port back into service
clear ethernet-switching port-error
Firewall Filters
On EX switches, firewall filters are evaluated in hardware, in the PFE (Packet Forwarding Engine).
Firewall Filter Types
Types:
Port-based
VLAN-based
Router-based
Port-based and VLAN-based filters are used under family ethernet-switching.
Router-based filters use family inet or family inet6.
Building Blocks of Firewall Filters
Implicit discard at the end of the firewall filter (default action).
Terms are evaluated sequentially; to reorder them, use the insert command in the CLI.
Most header fields can be matched, including:
Numeric range
Address
Bit field
user@Switch-1# set firewall family ethernet-switching filter test term test from ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> destination-address Match IP destination address
> destination-mac-address Match MAC destination address
+ destination-port Match TCP/UDP destination port
> destination-prefix-list Match IP destination prefixes in named list
+ dot1q-tag Match Dot1Q Tag Value
+ dot1q-user-priority Match Dot1Q user priority
+ dscp Match Differentiated Services (DiffServ) code point
+ ether-type Match Ethernet Type
fragment-flags Match fragment flags (in symbolic or hex formats) - (Ingress only)
+ icmp-code Match ICMP message code
+ icmp-type Match ICMP message type
> interface Match interface name
is-fragment Match if packet is a fragment
+ precedence Match IP precedence value
+ protocol Match IP protocol type
> source-address Match IP source address
> source-mac-address Match MAC source address
+ source-port Match TCP/UDP source port
> source-prefix-list Match IP source prefixes in named list
tcp-established Match packet of an established TCP connection
tcp-flags Match TCP flags (in symbolic or hex formats) - (Ingress only)
tcp-initial Match initial packet of a TCP connection - (Ingress only)
+ vlan Match Vlan Id or Name
Common Actions
Terminating actions:
accept
discard
reject
Action modifiers:
analyzer
count
log
syslog
forwarding-class
loss-priority
policer
set firewall family ethernet-switching filter limit-MAC-ge006 term 1 from source-mac-address 00:26:88:02:74:86
set firewall family ethernet-switching filter limit-MAC-ge006 term 1 then accept
set firewall family ethernet-switching filter limit-MAC-ge006 term 2 then discard count ge006-invalid-MAC
set interfaces ge-0/0/6.0 family ethernet-switching vlan members v11
set interfaces ge-0/0/6.0 family ethernet-switching filter input limit-MAC-ge006
set firewall family ethernet-switching filter block-dest-MAC term 1 from destination-mac-address 01:80:c2:00:00:00
set firewall family ethernet-switching filter block-dest-MAC term 1 then discard count block-stp-bpdus
set firewall family ethernet-switching filter block-dest-MAC term 2 then accept
set vlans v11 vlan-id 11 l3-interface vlan.11
set vlans v11 filter input block-dest-MAC
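The two filters above, together with the building blocks described earlier (sequential term evaluation, the implicit discard, the count modifier and reordering with insert), as an added Python model. This is example code written for these notes, not code from the page or from Junos: the Frame, Term and Filter classes and the sample MAC addresses other than the two from the page are constructed for illustration, and only source/destination MAC matching is modelled.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of a 'family ethernet-switching' firewall filter:
# terms are evaluated in order, the first matching term's terminating
# action wins, and a frame matching no term hits the implicit discard.

@dataclass
class Frame:
    src_mac: str
    dst_mac: str

@dataclass
class Term:
    name: str
    source_mac: Optional[str] = None       # 'from source-mac-address'
    destination_mac: Optional[str] = None  # 'from destination-mac-address'
    action: str = "accept"                 # terminating action: accept | discard
    counter: Optional[str] = None          # 'then count <name>' action modifier

    def matches(self, f: Frame) -> bool:
        # A term with no 'from' clause matches every frame.
        if self.source_mac and f.src_mac.lower() != self.source_mac.lower():
            return False
        if self.destination_mac and f.dst_mac.lower() != self.destination_mac.lower():
            return False
        return True

@dataclass
class Filter:
    name: str
    terms: list = field(default_factory=list)
    counters: dict = field(default_factory=dict)

    def insert_before(self, new: Term, before: str) -> None:
        """Model of the CLI 'insert ... term NEW before term BEFORE'."""
        idx = [t.name for t in self.terms].index(before)
        self.terms.insert(idx, new)

    def apply(self, f: Frame) -> tuple[str, Optional[str]]:
        """Return (action, matching term name); None = implicit discard."""
        for t in self.terms:
            if t.matches(f):
                if t.counter:
                    self.counters[t.counter] = self.counters.get(t.counter, 0) + 1
                return t.action, t.name
        return "discard", None   # implicit discard: no counter is incremented

def limit_mac_ge006() -> Filter:
    # The page's limit-MAC-ge006: one permitted source MAC, everything else counted and dropped
    f = Filter("limit-MAC-ge006")
    f.terms.append(Term("1", source_mac="00:26:88:02:74:86", action="accept"))
    f.terms.append(Term("2", action="discard", counter="ge006-invalid-MAC"))
    return f

def block_dest_mac() -> Filter:
    # The page's block-dest-MAC: frames to the STP multicast address are counted and dropped
    f = Filter("block-dest-MAC")
    f.terms.append(Term("1", destination_mac="01:80:c2:00:00:00",
                        action="discard", counter="block-stp-bpdus"))
    f.terms.append(Term("2", action="accept"))
    return f

def demo_implicit_discard() -> str:
    # limit-MAC-ge006 without its catch-all term 2: a non-matching frame is
    # still dropped, but silently, because the implicit discard has no counter.
    f = Filter("only-term-1")
    f.terms.append(Term("1", source_mac="00:26:88:02:74:86", action="accept"))
    action, _ = f.apply(Frame("00:26:88:aa:bb:cc", "ff:ff:ff:ff:ff:ff"))
    return action

def demo_order_matters() -> tuple[str, str]:
    # A catch-all accept placed first shadows the drop term behind it;
    # reordering with insert_before (the CLI 'insert') makes the drop effective.
    f = Filter("ordered")
    f.terms.append(Term("allow-all", action="accept"))
    f.terms.append(Term("drop-bpdu", destination_mac="01:80:c2:00:00:00", action="discard"))
    bpdu = Frame("00:26:88:02:74:86", "01:80:c2:00:00:00")
    before, _ = f.apply(bpdu)
    f.terms.pop()   # remove the shadowed term ...
    f.insert_before(Term("drop-bpdu", destination_mac="01:80:c2:00:00:00",
                         action="discard"), "allow-all")   # ... and put it first
    after, _ = f.apply(bpdu)
    return before, after

if __name__ == "__main__":
    f = limit_mac_ge006()
    print(f.apply(Frame("00:26:88:aa:bb:cc", "ff:ff:ff:ff:ff:ff")), f.counters)
    print(demo_implicit_discard(), demo_order_matters())
```

The practical point the model makes is the value of the explicit final term: term 2 in limit-MAC-ge006 drops the same frames the implicit discard would, but its counter is what lets you see on the switch how much traffic the filter is rejecting.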
Chapter 6 Virtual Chassis
Up to 4 EX2200
Up to 10 EX3300, EX4200, EX4500
Up to 10 EX4500 and EX4200 combined
Up to 8 EX8200
Redundant REs allow nonstop active routing (NSR) and nonstop bridging (NSB) to be implemented.
Virtual Chassis Ports (VCPs) can be the dedicated VCP ports and/or uplink ports.
The interconnect between virtual chassis members can be made with any EX model.
{master:0}
user@Switch-1> request virtual-chassis vc-port set pic-slot 1 port 0
{master:0}
user@Switch-1> show interfaces terse | match vcp-255
vcp-255/1/0 up down
Virtual Chassis cabling
The maximum distance between switches is 5 metres (daisy-chained ring topology).
A braided ring topology also exists.
Extended Virtual Chassis
The maximum circumference is 100 km (using 1/10 GbE uplinks).
The RE0 and RE1 switches do not carry the uplinks in any of the topologies.
Recommended RE Placement
daisy-chained ring topology: RE0 (#1) and RE1 (#3), uplinks on members 2/4
braided ring topology: RE0 (#2) and RE1 (#3), uplinks on members 1/4
By default the Virtual Chassis split detection feature ("split brain") is enabled on the EX4200.
Determining Mastership
1. Highest priority; the default is 128
2. Member that was previously acting as master, after a reboot
3. Member with the longest uptime (the difference must be greater than 1 minute)
4. Member with the lowest MAC address
5. The second member becomes the backup; the remaining members act as line cards
If the master or the backup fails, one of the line-card switches is elected using the same process.
The member ID is assigned manually or dynamically by the master switch (which usually has ID 0).
The member ID is preserved across reboots.
{master:0}
user@Switch-1> request virtual-chassis renumber member-id 0 new-member-id 5
To move configuration specific to member ID 0 to member ID 5, please
use the replace command. e.g. replace pattern ge-0/ with ge-5/
Do you want to continue ? [yes,no] (no) yes
{master:0}
user@Switch-1>
Switch-1 (ttyu0)
login: user
Password:
--- JUNOS 10.1R2.8 built 2010-05-11 04:08:08 UTC
{master:5}
user@Switch-1>
{master:5}
user@Switch-1> request system halt member ?
Possible completions:
<member> Halt specific virtual chassis member (0..
{master:5}
user@Switch-1> request session member 1
--- JUNOS 10.1R2.8 built 2010-05-11 04:08:08 UTC
{backup:1}
user@Switch-1>
Replacing a Member Switch
When a switch is removed, its configuration remains in the virtual chassis.
To perform the replacement:
Recycle the member ID of the switch being replaced; this gives it lower priority.
{master:0}
user@Switch-1> request virtual-chassis recycle member-id <member-id>
Management Connectivity
The management Ethernet ports (me0) of the member switches are represented by a single virtual management Ethernet (VME) interface.
This interface is configured on the master switch.
set interfaces vme unit 0 family inet address 10.210.14.148/27
The console port of any virtual chassis member redirects to the master switch.
References:
JNCIS-ENT study notes, part 1