EX Series Technical Details


Education Services Courseware: EX Series Technical Details, Student Guide

NOTE: This Student Guide has been developed from an audio narration, so it uses conversational English. The purpose of this transcript is to help you follow the online presentation, and it may require reference to it.

Slide 2: EX Series Technical Details
2011 Juniper Networks, Inc. All rights reserved. Worldwide Education Services
Course Juniper Networks, Inc.

Welcome to the Juniper Networks EX Series Technical Details eLearning module.

Slide 3: Course Objectives

After completing this course, you will be able to discuss features of the EX2200, EX3200, EX4200, EX4500, and the EX8200:
- Features to enable IP communications
- Metro Ethernet features
- Port Security
- User Authentication
- Access Control Lists
- Class of Service (CoS)
- Monitoring, Mirroring, and Accounting

Slide 4: Agenda: EX Series Technical Details

This course consists of seven sections. The seven main sections are provided in sequential order and are titled as follows:
- Enabling IP Communications on the EX Series Ethernet Switches
- EX Series Metro Ethernet Features
- Port Security and the EX Series Ethernet Switches
- User Authentication on EX Series
- EX Series Access Control Lists
- EX Series Class of Service (CoS)
- Monitoring, Mirroring and Accounting

Slide 5: EX Series Technical Details: Enabling IP Communications on the EX Series Ethernet Switches

Let's start with a discussion of Enabling IP Communications on the EX Series Ethernet Switches.

Slide 6: Section Objectives

After successfully completing this section, you will be able to discuss the following IP communications features:
- Power over Ethernet (PoE)
- Voice VLAN
- Link Layer Discovery Protocol (LLDP)
- Link Layer Discovery Protocol Media Endpoint Devices (LLDP-MED)

Slide 7: IP Communication Features
- Power over Ethernet is the ability to deliver regulated -48V DC power over a standard copper Ethernet network cable
- Voice VLAN enables access ports to accept both data and voice traffic from directly connected IP phones
- Link Layer Discovery Protocol (LLDP) is a protocol that allows network devices to advertise their identity and capabilities on the LAN
- Link Layer Discovery Protocol Media Endpoint Devices (LLDP-MED) is an extension to LLDP to support interoperability between VoIP endpoint devices and other networking end-devices

What are some of the features and functionalities to enable unified communications or IP communications on the EX platform? We want to talk about four. The first is power over Ethernet or PoE. Next is Voice VLAN, a key feature. Link Layer Discovery Protocol has two parts: LLDP and LLDP-MED. We'll go over each of these briefly.

Slide 8: Components of Power Over Ethernet (PoE)

Two primary components of a PoE deployment:
- Powered device (PD) that accepts and utilizes delivered power
- Power sourcing equipment (PSE) such as an EX2200, EX3200 or EX4200 Series switch

EX P-4G 24 ports PoE EX P-4G 48 ports PoE EX T- 8 ports PoE* EX T- 8 ports PoE* EX P- 24 ports PoE* EX P- 48 ports PoE EX T- 8 ports PoE* EX T- 8 ports PoE* EX P- 24 ports PoE* EX P- 48 ports PoE* EX2200 Series EX3200 Series EX4200 Series
* Enhanced PoE support EX with Junos 11.1 update

There are two primary components of power over Ethernet. One is a powered device, meaning a VoIP phone, access point, video camera, or other device that requires power from power-sourcing equipment. The other is that power-sourcing equipment, which, in our case, is the EX2200, EX3200 or the EX4200 Series of products. This slide shows the model numbers, the number of ports, and the number of PoE ports provided.

Remember that there is no power management and no additional configuration on the power-sourcing equipment. You can plug a powered device into a PoE-capable port on the EX Series switches. If that device negotiates power, that's fine. If it doesn't, it gets the full 15.4 watts of power. You don't need to worry about having a limited power budget on that device and having to portion out that power budget on a port-by-port basis. Enhanced PoE will be supported in the 11.1 release of Junos for the EX3200 and EX4200 models that support PoE. This will deliver 18.6 watts per port.

Customers who are familiar with other vendors' product lines sometimes ask, "How do you do power management?" or "What power management is available on the device?" or "How many ports of PoE do you have?" The answers are very simple: we have no power management because we don't need it, we provide power on every port, and all ports are powered.

Slide 9: PoE Considerations (1 of 2)

When selecting products to meet requirements, you must factor Power over Ethernet (PoE) into your selection process. PoE ports provide electrical current to devices through the network cables so that separate power cords for devices such as IP phones, wireless access points, and security cameras are unnecessary. Full PoE models (Class 3 PoE on all ports) are primarily used in IP telephony environments. Partial PoE models (only 8 of the ports supply PoE), such as some of the EX3200 and EX4200 models, are used in environments where, for example, only a few ports for wireless access points or security cameras are required.

PoE was first defined in the IEEE 802.3af standard. In this standard, the amount of power that can be supplied to a powered device is limited to 15.4 W. A later standard, IEEE 802.3at, defined PoE+, which increases the amount of power to 30 W. The PoE+ standard provides support for legacy PoE devices: an IEEE 802.3af powered device can operate normally when connected to IEEE 802.3at (PoE+) power sourcing equipment.

When selecting a switch to supply PoE power, you will need to know the PoE Class of each device being powered and how many total devices you are connecting. This will establish the PoE budget that is needed. Each switch capable of delivering PoE power has a PoE budget, which is the maximum amount of PoE power it can deliver.

Another consideration is redundant power within the switch. This can provide the benefit of power redundancy: in case of a power supply failure, data will still flow and devices will maintain power. Also, the power supplies will share the load of powering the switch and PoE devices, extending the lifetime of the power supplies.

Slide 10: PoE Considerations (2 of 2)
* EX2200 is also available in non-PoE models.
** EX3200 and EX port models use the first eight ports on the switch to supply PoE.
*** DC versions do not supply PoE.

EX Series switches with PoE ports support either IEEE 802.3af or IEEE 802.3at. The EX3200 and EX4200 switches support IEEE 802.3af; the EX2200 switch supports IEEE 802.3at (PoE+). Starting with Junos operating system release 11.1, we will provide enhanced PoE on EX3200 and EX4200 switches. Enhanced PoE is the Juniper Networks extension to the IEEE 802.3af standard that allows up to 18.6 W per PoE port.

Here is a breakdown on PoE capabilities in Juniper products:
- EX2200 switches are available with full (all 24 or 48 built-in ports) or no PoE capability. EX2200 switches running Junos release 10.3 or later can supply up to 30 W to individual PoE ports, supporting powered devices that comply with IEEE 802.3af (PoE) and IEEE 802.3at (PoE+).
- EX3200 switches with an AC power supply installed have options of full (all 24 or 48 ports) or partial (8 ports) PoE capability. EX3200 switches with a DC power supply installed do not provide PoE.
- EX4200 switches with an AC power supply installed have options of full (all 24 or 48 ports) or partial (8 ports) PoE capability. EX4200 switches with a DC power supply installed do not provide PoE.
- PoE is not available on the following models: The EX F, EX4500, EX8200 Series, and QFX3500 switches.

Slide 11: 802.3af Power over Ethernet
- IEEE 802.3af has an optional power classification feature and should be a minimum requirement for any PoE deployment
- LAN switch (PSE) budgets require power based upon the class of attached devices
- Significantly reduces power capacity requirements
- With power classification: Switch identifies power needs and reserves power based upon class
- Without power classification: Unclassified devices treated as default (Class 0) with full 15.4W power budgeted per port

Power over Ethernet follows IEEE specification 802.3af, which puts powered devices into one of four classes. 0 is the default, meaning that the device doesn't negotiate at all, it just reserves the full 15.4 watts. Class 1 devices, including some VoIP phones, draw 4 watts. Some IP phones draw more than that, particularly the ones with LCD displays. Those are Class 2 devices. Class 3 is the full 15.4 watts. Class 3 devices include things like access points. We support all these classes in the EX Series of switches, and the EX3200 and 4200 will negotiate Class 1, 2, or 3, but are capable of supplying the full 15.4 watts on all ports at all times.

Slide 12: EX2200, EX3200 and EX4200 PoE Power Requirements
- EX2200 has one 550W power supply
- There are 3 different power supply capacities for EX3200 and EX4200: 320W, 600W, 930W
- Any power supply can be installed on any EX3200 or EX4200 model. However, installing a higher capacity power supply will not increase the number of PoE ports supported on the switch
- Use the same power supply capacity when redundant power supplies are installed on an EX4200
- When capacities are not equal to each other, the switch will budget the total power pool based on the lower capacity power supply

This shows the PoE power requirements for the EX2200, EX3200 and EX4200. The EX2200 power supply is 550 watts. There are 3 different power supplies available for the EX3200 and EX4200: a 320 watt supply, a 600 watt supply, and a 930 watt supply. The power supplies are consistent across the EX3200 and EX4200 units. They use the same power supplies. The 320 watt power supply is typically used on the 24T and the 48T, the partial PoE models. The 600 watt power supply is typically used on the 24P models, the models with a full 24-port PoE capability. The 930 watt power supply goes with the 48P models, those with a full 48-port PoE capability.

Note that on the EX4200, with the redundant power capability, you need to use the same power supply model on both. You don't want to have a 930 watt supply fail and have a 320 watt supply in the redundant slot because you'll lose a lot of your PoE capability. That is not an officially supported configuration.

Slide 13: Understanding Voice VLAN
- In order to reduce switch port counts, common enterprise VoIP edge deployments consist of an IP phone and end-host machine connected in tandem, attached to the same switch port
- VoIP solutions require separation of voice and data traffic in the network
- Sound quality of an IP phone call can deteriorate when large bursts of data traffic create network congestion that leads to packet loss or delay
- It's desirable to provide higher end-to-end SLAs to voice traffic due to its susceptibility to jitter, delay and packet loss
- The EX2200, EX3200 and EX4200 voice VLAN feature enables access ports to accept both untagged (data) and tagged (voice) traffic from directly connected IP phones and separate this traffic into different VLANs (namely data VLAN and Voice VLAN)

Voice VLAN is typically used in the case where you have voice over IP phones and desktop devices connected to the same port. Customers do that to reduce the switch port count instead of having a VoIP phone connected to one port and the desktop devices connected to another port. You can do that with a switch built into the VoIP phone, allowing you to use just a single port on a switch. From an operational standpoint, it saves money relative to the number of ports deployed in a customer environment.

However, there are associated issues. Voice traffic typically requires limited amounts of jitter, and some kind of traffic guarantee across a network. Data is typically a best-effort type of application, depending on the prioritization. It can starve out any kind of voice traffic, and that's something you obviously want to avoid.

Voice VLAN enables you to designate a port as a Voice VLAN port so that untagged (data) traffic and tagged (voice) traffic from directly connected devices can access VLANs on those ports, namely the data VLAN for data traffic and the voice VLAN for voice traffic. That way, the necessary traffic characteristics can be provided for the voice traffic versus the data traffic. Essentially, on the same port, you have a voice device and a data device connected, but it will recognize that there are two devices. Voice traffic thus goes to one VLAN that's given the appropriate quality of service. The data traffic goes to another VLAN that's given the appropriate quality of service for that traffic. This is deployed on all EX3200 and EX4200 devices.

Slide 14: Understanding LLDP and LLDP-MED
- Link Layer Discovery Protocol (IEEE 802.1AB): a Layer 2 protocol that allows network devices to advertise their identity and capabilities on the LAN
- When LLDP is enabled on a device, it is called an LLDP agent
- LLDP exchanges occur between LLDP agents
- Simple one-way neighbor discovery protocol with periodic transmissions of LLDPDU
- LLDP frames are constrained to a local link
- LLDP-MED (media endpoint devices) is an extension to LLDP developed by TIA (ANSI/TIA-1057) to support interoperability between VoIP endpoint devices and other networking end-devices
- LLDP-MED is focused mainly on discovery running between network devices and end-points such as IP phones

As part of enabling unified IP communications, we also support Link Layer Discovery Protocol or LLDP, as well as some of the media endpoint device extensions to LLDP, LLDP-MED. LLDP is based on IEEE specification 802.1AB. It is a Layer 2 protocol that essentially allows network devices to advertise their identity: "I am a phone" or "I am a desktop device" and so on. That way, you can provide configuration information for a particular port as far as configuration of VLANs. LLDP works in conjunction with other protocols that are out there so that you configure a port to take the characteristics required for voice traffic or data traffic.

The MED or media endpoint extension to that is an ANSI specification that supports interoperability between the VoIP endpoint devices and any other type of endpoint device, such as desktop, being able to interconnect data and voice devices on the same port and recognize them as such.

Slide 15: Section Summary

In this section, you have learned to discuss the following IP communications features:
- Power over Ethernet (PoE)
- Voice VLAN
- Link Layer Discovery Protocol (LLDP)
- Link Layer Discovery Protocol Media Endpoint Devices (LLDP-MED)

For more information and the latest technical specifications:

Slide 16: Learning Activity 1: Question 1

Answer the following questions to review what you've learned in this section.

What amount of power does an EX3200 provide for a PoE powered device that does not negotiate power?
A) 0 watts
B) 4 watts
C) 7 watts
D) 15.4 watts

Slide 17: Learning Activity 1: Question 2

How does Voice VLAN prevent data traffic from impacting the quality of voice traffic on the same port?
A) It disables the data VLAN when the voice VLAN on the same port is active.
B) It blocks data packets when packets are present on the voice VLAN.
C) It puts voice traffic on a VLAN with higher QoS than the data VLAN.
D) It gives voice traffic a path with lower latency than the data traffic.

Slide 18: Learning Activity 1: Question 3

What does LLDP allow devices to advertise about themselves?
A) Availability
B) PoE class
C) Requested packet rate
D) Identity

Slide 19: EX Series Technical Details: EX Series Metro Ethernet Features

Now, let's take a look at the EX Series Metro Ethernet Features.

Slide 20: Section Objectives

After successfully completing this section, you will be able to discuss:
- Q-in-Q
- Private VLAN (PVLAN)

Slide 21: Metro Ethernet Features
- Q-in-Q allows the stacking of multiple customer VLANs over a service provider network
- Private VLAN (PVLAN) is a method to provide Layer 2 isolation between hosts within the same VLAN

We have two Metro Ethernet features to talk about with customers. The first is Q-in-Q, which allows the stacking of VLANs. The EX Series switches support up to 4000 VLANs, but Q-in-Q also allows you to have an interim label there, which provides you with 4000 different customer instances, each of 4000 VLANs, so it provides what we refer to as stacking of VLANs: the ability to segment customers. Private VLAN is another method to provide Layer 2 isolation between hosts within a particular VLAN. Both of these features are valuable in deployment of Metro Ethernet types of environments.

Slide 22: Understanding EX Q-in-Q Tunneling
- EX Series Q-in-Q tunneling is based on the enterprise bridging implementation
- Allows stacking of a single S-VLAN (service VLAN) tag to a customer packet upon egress of an uplink S-VLAN trunk port
- A packet's ingress customer access port is classified and associated into an S-VLAN, and the packet is considered untagged regardless of its incoming dot1q tag (C-VLAN/Customer VLAN tag)
- Customer packet can be either untagged, single-tagged or multiple-tagged
- Modeled as a VLAN (S-VLAN) rather than a point-to-point tunnel
- S-VLAN can have as many ports (uplink trunk or customer access port) as possible
- Traffic can be bridged among all ports within an S-VLAN
- MAC address learning and lookup are done on an S-VLAN basis

Juniper follows a typical Q-in-Q implementation. We allow the stacking of a single service VLAN tag to a customer packet. In turn, that customer may support up to 4,096 VLANs within their network. The use of that outer tag provides a segregation of customers within a Metro environment. For example, if you deploy in a multiple tenant unit where you're providing a service to a number of different customers, each one being an apartment, or in a university environment where you're providing connectivity to students in a dorm room, you usually don't want traffic to be able to cross the boundaries, apartment to apartment or user to user. You typically want it to go to a centralized type of environment in the core of that network. You do that by segmenting those customers. Q-in-Q is one method of doing that. There are other methods as well. Today the EX Series supports Q-in-Q tunneling to provide that segmentation and segregation of customers for these Metro Ethernet types of deployments.

Slide 23: Metro Ethernet Ring Deployment
- EX4200 deployed in CPE locations
- Q-in-Q
- GbE or 10GbE used for ring extension
- 100km span
- Virtual chassis simplifies the metro ring by logically appearing as a single chassis
- Dual ring for added redundancy
- Junos scripts automate provisioning, troubleshooting and growth

This slide shows examples of Metro Ethernet deployments. You have a number of multitenant units. It could be other customer types of environments. This shows you a typical configuration with the EX4200 deployed in a Virtual Chassis configuration using a metro ring. The red ring you see there is a 10-gig ring. That metro environment could be a single Virtual Chassis or a number of Virtual Chassis interconnected into a headend Virtual Chassis, so you want to think of it as a ring of rings. The advantage that we have, in talking with service provider customers that want to deploy these Metro Ethernet rings, is that Virtual Chassis. With the flexibility of the Virtual Chassis design, the ease of management with fewer logical devices, we now have the ability to support that segmentation of customers using the Q-in-Q type of architecture.

Slide 24: Understanding Private VLAN
- Private VLAN is a method to provide Layer 2 isolation between hosts within the same VLAN
- Private VLAN consists of three VLAN domains:
  - Community VLAN: a secondary VLAN where a set of ports can communicate at Layer 2 with each other within the same Community VLAN but cannot communicate with ports in other Community or Isolated VLANs
  - Isolated VLAN: a secondary VLAN where ports within this VLAN cannot communicate with each other at the Layer 2 level
  - Primary VLAN: this VLAN consists of all the elements in a private VLAN domain
- Private VLAN is defined with a primary VLAN within which all hosts reside, and a set of secondary VLANs that hosts can be isolated from one another

Private VLAN is another method to provide Layer 2 isolation between hosts on the same VLAN. Private VLAN consists of three types of domains. There's a community VLAN, a set of ports that communicate with other ports. There are isolated VLANs where those ports can talk only to other devices that are part of that VLAN. Then there's a primary VLAN, which interconnects all the VLANs to one another. It's a way of segmenting and segregating different types of devices within a Metro Ethernet environment. It also can be used in an enterprise type of environment to segment different parts of the network where there's a need to prevent communication between different organizations.

Slide 25: Understanding Private VLAN (Cont'd.)

Furthermore, Private VLAN introduces three designations for switch ports:
- Promiscuous port: this port can communicate with ports in different community VLANs and/or Isolated VLANs
- Community port: ports in community VLAN can talk to any other ports in the same community VLAN, however, ports in different community VLANs cannot communicate without going through the promiscuous port
- Isolated port: ports in Isolated VLAN cannot talk to any other ports in the same Isolated VLAN, as well as ports in other community VLANs without going through the promiscuous port

Here we touch on interconnectivity between the different port modes: isolated ports versus community ports and whether connectivity between other isolated or community ports is allowed. Ports in community VLANs are allowed to talk to one another. Ports in isolated VLANs can communicate only with ports on that VLAN.

Slide 26: Section Summary

In this section, you have learned to discuss:
- Q-in-Q
- Private VLAN (PVLAN)

For more information and the latest technical specifications:

Slide 27: Learning Activity 2: Question 1

Answer the following questions to review what you've learned in this section.

What advantages does the EX4200 provide in a Metro Ethernet ring deployment? (Select three.)
A) Unlimited ring size
B) Ease of management
C) Flexibility
D) Customer segmentation

Slide 28: Learning Activity 2: Question 2

What does Private VLAN provide?
A) Layer 2 isolation between hosts
B) Layer 3 isolation between hosts
C) Layer 4 isolation between hosts
D) Layer 3 aggregation of hosts

Slide 29: EX Series Technical Details: Port Security and the EX Series Ethernet Switches

Now, let's take a look at the EX Series Metro Ethernet Features.

Slide 30: Section Objectives

After successfully completing this section, you will be able to discuss:
- MAC Limiting
- DHCP Snooping
- Dynamic ARP Inspection
- Unicast Reverse-Path Forwarding (RPF)

Slide 31: Port Security Features
- MAC limiting prevents MAC flooding and spoofing by limiting and explicitly configuring the number of MAC addresses that can be learned on a given port
- DHCP Snooping inspects all DHCP packets received on untrusted ports
- Dynamic ARP Inspection (DAI) prevents ARP spoofing and intercepts ARP packets on untrusted ports
- Unicast Reverse-Path Forwarding (RPF) is a security mechanism to cope with DoS or DDoS attacks where source addresses are spoofed

Here's some information on four specific port security features of the EX platform. MAC limiting prevents MAC flooding and spoofing by limiting and explicitly configuring the number of MAC addresses that can be learned on a given port. MAC limiting is available on all ports of the EX3200, EX4200, and EX8200 platforms. DHCP Snooping inspects all DHCP packets received on an untrusted port. Dynamic ARP inspection is another important feature. It can prevent ARP spoofing and intercepts any ARP packets. RPF or Reverse-Path Forwarding copes with DoS or DDoS attacks where source addresses are spoofed.

Slide 32: Understanding MAC Limiting
- MAC limiting prevents MAC flooding by limiting the number of MAC addresses that can be learned on a given port
- MAC limiting prevents MAC spoofing by explicitly configuring allowed MAC addresses on a given port
- MAC limiting is available on Layer 2 access ports of the EX2200, EX3200, EX4200 and EX

What are the benefits of the MAC limiting feature? MAC limiting prevents MAC flooding attacks by limiting the number of MAC addresses that can be learned on a particular port. Also, MAC limiting prevents MAC spoofing by explicitly configuring what is allowed on a particular port. Lastly, MAC Limiting is available in any Layer 2 access port.

Slide 33: MAC Limiting Methods

MAC limiting can be configured using either of the following methods:

There are two methods that MAC Limiting can use to achieve the desired effect. Looking at the left side, you can see that the first method is called allowed MAC address or static binding. Basically, a user can statically bind a specific MAC address to a particular port. For example, as you see on this diagram on the left side, once you know the MAC address the particular host is handing out, you can statically bind that MAC address to the particular port. If an unrecognized host comes along and tries to connect to the network, it will be denied access.

The method on the right side is called MAC address limiting. There can be multiple hosts, perhaps through a hub, on a single port. From the perspective of the virtual chassis switch, only a single port will be active, but in reality there are multiple hosts on it. By design, you can define how many hosts are allowed on that particular port. In the example, only up to two MAC addresses have been allowed to be learned on that particular port. The third one that comes along will not gain access to the network. The method that the MAC limiting feature uses to achieve the desired effect has been covered.

Slide 34: MAC Limiting Action Types

When a MAC address limit has been exceeded or an invalid MAC address is detected on a port with MAC Limiting, the port can perform one of the following actions:

There are three types of actions that the switch can perform when a MAC address limit has been exceeded or an invalid MAC address is detected on a port with MAC Limiting. The first one is called Syslog Only mode. A violation consists of seeing an unrecognized host on a static binding port or exceeding the number of allowed MAC addresses on the particular port. When there is a violation, the Syslog Only action can generate an error log in the Syslog. However, the traffic from the unrecognized or violating host still goes through.

To cope with this, there's a second action type, called Drop and Syslog. In addition to the action taken by Syslog Only mode, Drop and Syslog mode drops the offending traffic from the unrecognized or violating host or violating MAC addresses.

The most restrictive action you can take is to shut down. Although this does not bring the Layer 1 link down, Shutdown disables any kind of MAC learning or traffic forwarding on the particular port, so it is effectively shut down.
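The two MAC limiting methods and the three action types described above can be modelled in a few lines. This is an added example, not code from the course or from Junos: the class, the action labels, the port names and the MAC addresses (taken from the documentation range) are all constructed for illustration, and whether a violating address is learned in Syslog Only mode is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical labels for the three action types named in the narration.
LOG_ONLY, DROP_AND_LOG, SHUTDOWN = "syslog-only", "drop-and-syslog", "shutdown"


@dataclass
class AccessPort:
    name: str
    action: str
    mac_limit: Optional[int] = None          # "MAC address limiting" method
    allowed_macs: frozenset = frozenset()    # "allowed MAC address" (static binding) method
    learned: set = field(default_factory=set)
    disabled: bool = False
    syslog: list = field(default_factory=list)

    def _violation(self, mac):
        """Return a reason string if this source MAC violates the port policy."""
        if self.allowed_macs and mac not in self.allowed_macs:
            return "MAC address not in allowed list"
        if (self.mac_limit is not None and mac not in self.learned
                and len(self.learned) >= self.mac_limit):
            return "MAC address limit exceeded"
        return None

    def receive(self, src_mac):
        """Process one frame by source MAC; return True if it is forwarded."""
        mac = src_mac.lower()
        if self.disabled:
            # Shutdown: link stays up, but no learning and no forwarding.
            return False
        reason = self._violation(mac)
        if reason is None:
            self.learned.add(mac)
            return True
        self.syslog.append(f"{self.name}: {reason}: {mac}")
        if self.action == LOG_ONLY:
            # Syslog Only: the violation is logged, traffic still goes through.
            # Assumption: the violating MAC is not added to the learned set.
            return True
        if self.action == SHUTDOWN:
            self.disabled = True
            self.learned.clear()
        return False  # Drop and Syslog, and the triggering frame under Shutdown


# Constructed sample traffic: three hosts behind a hub, limit of two MACs.
HOST_A, HOST_B, HOST_C = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
HUB_TRAFFIC = [HOST_A, HOST_B, HOST_C, HOST_A]


def replay(port, macs):
    return [port.receive(m) for m in macs]


def run_demo():
    """Return {scenario: (forwarding decisions, number of syslog entries)}."""
    results = {}
    for action in (LOG_ONLY, DROP_AND_LOG, SHUTDOWN):
        port = AccessPort("ge-0/0/1", action, mac_limit=2)
        results[action] = (replay(port, HUB_TRAFFIC), len(port.syslog))
    bound = AccessPort("ge-0/0/2", DROP_AND_LOG, allowed_macs=frozenset({HOST_A}))
    results["static-binding"] = (replay(bound, [HOST_A, HOST_C]), len(bound.syslog))
    return results


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(scenario, outcome)
```

The last frame in the sample traffic is what separates the actions: the already-learned host keeps working under Drop and Syslog, but loses connectivity once Shutdown has fired.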

Slide 35: Understanding DHCP Snooping: Step By Step
- DHCP Snooping inspects all DHCP packets received on untrusted ports
- All access ports are untrusted by default
- All trunk ports are trusted by default
- Switch allows only DHCP DISCOVERY/REQUEST from untrusted ports; all other DHCP traffic types dropped
- Switch creates new entry in DHCP Snooping database with host MAC address and its associated port
- Original DHCP DISCOVERY/REQUEST packet then forwarded to the DHCP server
- When DHCP server responds, response is intercepted by the switch
- Switch completes DHCP Snooping entry in database by adding newly offered IP address
- DHCP response is relayed to requested host, completing the DHCP process
- By intercepting all DHCP messages bridged within the subnet, DHCP Snooping acts as a firewall between hosts and the DHCP server while keeping all information in DHCP Snooping database

Let's examine DHCP Snooping. Once DHCP Snooping is enabled, the switch inspects all DHCP packets received on untrusted ports. Looking at the untrusted port, there are two ways that DHCP snooping defines the port. First are access ports. Access ports are typically considered to be where the hosts are connected, so these are untrusted by default. Second are trunk ports. All trunk ports are trusted by default because hosts generally should not be connected on these ports.

Once the feature is actually enabled, the switch will only allow two messages, DHCP Discovery and DHCP Request, from an untrusted port. The switch drops any other DHCP traffic types on untrusted ports. However, trusted or untrusted states can be overridden statically by user intervention.

When the switch intercepts DHCP Discovery or DHCP Request packets from the untrusted port, it creates a new entry in the DHCP snooping binding database with the host MAC address and its associated port. For example, if a host with the MAC address ABCDEF comes along on port Gigabit Ethernet 0/0/1, the switch makes a note of that and creates a partial entry in its DHCP snooping binding database. The original DHCP Discovery or the Request packet will then be forwarded to the DHCP server without any modification.

Slide 36 DHCP Snooping Benefits: Impact on Clients
None for good hosts
Hosts are not aware that requests / responses are being snooped; no need to change client software
Malicious hosts trying to attack switch by snooping DHCP messages can no longer do so
Available on EX2200, EX3200 and EX4200, refer to product roadmap for EX

By intercepting these DHCP messages within the subnet, the DHCP snooping feature effectively acts as a firewall between the host and the DHCP server. This process does not affect the client. The switch and the server on the left and the right side are completely unaware that there is any kind of snooping going on, while the switch is collecting information and building up the DHCP snooping binding database. This makes it a lot harder for any kind of attacks to succeed.

Slide 37 Understanding Dynamic ARP Inspection
Prevents ARP Spoofing
DAI intercepts ARP packets on untrusted ports (by default, all access ports) and validates them against DHCP snooping database
If ARP packet's source MAC address does not match a valid entry in the DHCP snooping database, the packet is dropped and local ARP cache will not be updated with information in that packet
Unlike access ports, trunk ports are trusted by default; therefore, ARP packets received on trunk ports will bypass DAI
DHCP snooping is required
Ideally, ARP resolution should be consistent with DHCP database
Dynamic ARP Inspection can be enabled/disabled for each VLAN, but not for each port
Default is disabled on all VLANs
Available on EX2200, EX3200, and EX4200
Refer to product roadmap for EX

Let's next discuss Dynamic ARP Inspection (DAI). This feature is similar to DHCP snooping. Once it is turned on, instead of intercepting the DHCP packets going back and forth, the DAI intercepts the ARP packets on untrusted ports and validates them against the DHCP snooping database. For example, if the ARP packet does not match the valid entry in the DHCP snooping database, the switch drops the packet and does not update the local ARP cache with the information in that packet. As with the DHCP snooping feature, the access ports and trunk ports are treated differently. If the switch receives an ARP packet on a trunk port, the packet bypasses DAI, because the trunk port is trusted. By default any access port is untrusted and any trunk port is trusted, as discussed earlier with DHCP snooping.
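The DHCP snooping steps on Slide 35 and the DAI check on Slide 37 can be traced with a small behavioural model. This is an added example, not Juniper code or part of the course. The port names, VLAN name, MAC and IP values are constructed, and comparing the ARP sender's IP and port with the binding (not only the MAC) is an assumption about what a "valid entry" means.

```python
from dataclasses import dataclass
from typing import Optional

CLIENT_TYPES = {"DISCOVER", "REQUEST"}   # the only DHCP types an untrusted port may send
SERVER_TYPES = {"OFFER", "ACK"}          # server replies that carry the offered address


@dataclass
class Binding:
    mac: str
    port: str
    ip: Optional[str] = None             # partial entry until the server reply is seen


class SnoopingSwitch:
    """Toy model of DHCP snooping plus Dynamic ARP Inspection (DAI)."""

    def __init__(self, access_ports, trunk_ports, dai_vlans=(), trust_override=None):
        # Defaults from the slides: access ports untrusted, trunk ports trusted,
        # with an optional static override per port.
        self.trusted = {p: False for p in access_ports}
        self.trusted.update({p: True for p in trunk_ports})
        self.trusted.update(trust_override or {})
        self.dai_vlans = set(dai_vlans)  # DAI is per VLAN and disabled by default
        self.bindings = {}               # client MAC -> Binding
        self.arp_cache = {}              # IP -> MAC learned from accepted ARP

    def dhcp(self, port, msg_type, client_mac, offered_ip=None):
        """Return 'forward' or 'drop' for a DHCP packet received on `port`."""
        if not self.trusted[port]:
            if msg_type not in CLIENT_TYPES:
                return "drop"            # e.g. a server reply from an access port
            if client_mac not in self.bindings:
                self.bindings[client_mac] = Binding(client_mac, port)
            return "forward"
        # Trusted port: a server reply completes the partial entry.
        entry = self.bindings.get(client_mac)
        if msg_type in SERVER_TYPES and entry is not None and offered_ip:
            entry.ip = offered_ip
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Return 'forward' or 'drop' for an ARP packet received on `port`."""
        if not self.trusted[port] and vlan in self.dai_vlans:
            entry = self.bindings.get(sender_mac)
            if entry is None or entry.ip != sender_ip or entry.port != port:
                return "drop"            # dropped, and the ARP cache is not updated
        self.arp_cache[sender_ip] = sender_mac
        return "forward"


HOST = "00:11:22:aa:bb:01"       # constructed: legitimate DHCP client
UNKNOWN = "00:11:22:aa:bb:02"    # constructed: host with no snooping entry
GATEWAY = "00:11:22:aa:bb:fe"    # constructed: router reached through the trunk


def demo():
    sw = SnoopingSwitch(["ge-0/0/1", "ge-0/0/2"], ["ge-0/0/23"], dai_vlans={"employee"})
    results = [
        sw.dhcp("ge-0/0/1", "DISCOVER", HOST),                # partial entry created
        sw.dhcp("ge-0/0/2", "OFFER", HOST, "10.0.0.66"),      # reply from access port
        sw.dhcp("ge-0/0/23", "OFFER", HOST, "10.0.0.10"),     # reply from trunk port
        sw.arp("ge-0/0/1", "employee", HOST, "10.0.0.10"),    # matches the binding
        sw.arp("ge-0/0/2", "employee", UNKNOWN, "10.0.0.1"),  # no binding for this MAC
        sw.arp("ge-0/0/23", "employee", GATEWAY, "10.0.0.1"), # trunk bypasses DAI
    ]
    return sw, results


if __name__ == "__main__":
    switch, outcome = demo()
    print(outcome)
    print(switch.bindings, switch.arp_cache)
```

Because ARP received on a trusted port is never validated, the last packet is accepted without any binding, which is why the trust setting of each port matters as much as enabling the feature.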

Slide 38 Understanding Unicast Reverse-Path Forwarding (RPF)
Unicast Reverse Path Forwarding (RPF) is a security mechanism to cope with DoS or DDoS attacks where source addresses are often spoofed
Unicast RPF is used to verify the path of an incoming packet is consistent with the forwarding table. This is achieved by performing a reverse path look-up using the source IP address of an incoming packet to determine the current path to that IP address. The validity of this path determines whether Unicast RPF passes or drops the packet
If the receiving interface is the interface that switch would use to send the packet to the source network, the packet is forwarded on
If the receiving interface is not the interface that switch would use to send the packet to the source network, the packet is dropped

Reverse-Path Forwarding is another security mechanism, primarily intended to cope with denial of service or distributed denial of service attacks where, in this particular case, the DoS or DDoS are attacks where the source addresses are often spoofed. This means that a source address could appear on a port that it is typically not configured on, and therefore is going to be able to send traffic across the network with the intent of causing downtime in that environment. RPF works by passing or dropping traffic based on consistency with the forwarding table. Each EX product builds a forwarding table. It recognizes where source addresses should be located. If the receiving interface is the interface the switch would use to send the packet, then the packet can be forwarded on. However, if it's not the interface that a source address is typically associated with, that packet is dropped since it's assumed to be a DoS attack.

Slide 39 Unicast Reverse-Path Forwarding (Cont'd.)
Unicast RPF supports the following interfaces: Layer 3, LAG, Routed VLAN Interface
Unicast RPF is enabled on switch globally
Default is disabled
BOOTP/DHCP Packets: Bootp/DHCP requests with source IP as and destination MAC as broadcast MAC are not subjected to RPF checks
Default route: Packets received on a validated ingress interface as indicated by the default route will be considered valid and forwarded
ECMP: The switch does not perform unicast RPF filtering on equal-cost multipath ECMP traffic

There are a number of different pieces for RPF or Reverse Path Forwarding: whether it's supported on Layer 3 interfaces, on LAG interfaces, or routed VLAN interfaces. Since it looks at IP addresses, it has to be a Layer 3 interface. By default, it is disabled. There are some implementation pieces here. The information here is noteworthy to system engineers interested in RPF.
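The reverse-path lookup from Slides 38 and 39 can be sketched as a longest-prefix match on the packet's source address, including the default-route and ECMP cases. This is an added example, not Juniper code or part of the course. The routes and interface names are constructed, and dropping a packet whose source has no route at all is an assumption.

```python
import ipaddress


class ForwardingTable:
    """Minimal forwarding table: prefix -> set of next-hop interfaces."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, *interfaces):
        # More than one interface for a prefix models an equal-cost multipath route.
        self.routes.append((ipaddress.ip_network(prefix), frozenset(interfaces)))

    def lookup(self, address):
        """Longest-prefix match; returns (network, interfaces) or None."""
        ip = ipaddress.ip_address(address)
        matches = [route for route in self.routes if ip in route[0]]
        if not matches:
            return None
        return max(matches, key=lambda route: route[0].prefixlen)


def urpf_check(table, src_ip, in_interface, enabled=True):
    """Return 'forward' or 'drop' for a packet from src_ip seen on in_interface."""
    if not enabled:
        return "forward"                 # unicast RPF is disabled by default
    route = table.lookup(src_ip)
    if route is None:
        return "drop"                    # assumption: no path back to the source
    _, interfaces = route
    if len(interfaces) > 1:
        return "forward"                 # ECMP traffic is not RPF-filtered
    # Strict check: the receiving interface must be the one the switch would
    # use to reach the source. A default route is treated like any other route.
    return "forward" if in_interface in interfaces else "drop"


def build_table():
    table = ForwardingTable()
    table.add("10.1.0.0/16", "vlan.10")            # constructed RVI routes
    table.add("10.2.0.0/16", "vlan.20")
    table.add("172.16.0.0/16", "ae0.0", "ae1.0")   # constructed ECMP route over LAGs
    table.add("0.0.0.0/0", "ge-0/0/23.0")          # constructed default route
    return table


def demo():
    table = build_table()
    return [
        urpf_check(table, "10.1.5.5", "vlan.10"),          # arrives where expected
        urpf_check(table, "10.1.5.5", "vlan.20"),          # source on the wrong interface
        urpf_check(table, "198.51.100.7", "ge-0/0/23.0"),  # validated by default route
        urpf_check(table, "198.51.100.7", "vlan.10"),      # default route points elsewhere
        urpf_check(table, "172.16.1.1", "vlan.10"),        # ECMP source, not filtered
        urpf_check(table, "10.1.5.5", "vlan.20", enabled=False),
    ]


if __name__ == "__main__":
    print(demo())
```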

Slide 40 Section Summary
In this section, you have learned to discuss:
MAC Limiting
DHCP Snooping
Dynamic ARP Inspection
Unicast Reverse-Path Forwarding (RPF)
For more information and the latest technical specifications:

In this section, you have learned to discuss: MAC Limiting, DHCP Snooping, Dynamic ARP Inspection, and Unicast Reverse-Path Forwarding (or RPF).

Slide 41 Learning Activity 3: Question 1
What hosts will Allowed MAC Address reject?
A) One whose MAC address does not match the known IP address.
B) One whose MAC address is not recognized for that port.
C) One whose MAC address does not fall within the allowed range.
D) One that exceeds the maximum number of MAC addresses for the port.

Answer the following questions to review what you've learned in this section.

Slide 42 Learning Activity 3: Question 2
What kind of DHCP packets will an EX switch allow by default on untrusted ports with DHCP snooping enabled?
A) None
B) All
C) Offer and Release
D) Discovery and Request

Slide 43 Learning Activity 3: Question 3
What does Dynamic ARP Inspection require to work?
A) DHCP snooping
B) MAC limiting
C) Unicast RPF
D) A populated ARP lookup table

Slide 44 EX Series Technical Details: User Authentication on EX Series

Next up, we'll talk about User Authentication on the EX Series.

Slide 45 Section Objectives
After successfully completing this section, you will be able to discuss:
802.1X
MAC-RADIUS

After successfully completing this section, you will be able to discuss: 802.1X, and MAC-RADIUS.

Slide 46 Authentication Features
802.1X defines a way to authenticate and provide users with specific network access rights based on their profile
MAC-RADIUS provides a solution to authenticate non-802.1X compliant end-hosts

All switches in the EX portfolio now support these two features. We'll now talk in greater detail regarding two things related to user authentication: 802.1X and MAC-RADIUS.

Slide 47 Understanding 802.1X
802.1X is an IEEE standard for access control and authentication
802.1X defines a way to authenticate and provide users with specific network access rights based on their profile
The 802.1X equation includes three essential elements: 802.1X Host (Supplicant), Switch (Authenticator) and RADIUS Server
802.1X requires the Host to use 802.1X client software
Windows XP and Windows Vista include an 802.1X client by default; other OS versions usually require separate software

First of all, 802.1X is the IEEE standard for access control and authentication, as well as authorization. 802.1X defines a way to authenticate and provide users with specific network access rights based on their profile. It does this on a per-user basis. On this slide, the most essential part is the terminology used in the standard. In the diagram, first is the host, which the standard refers to as the supplicant. The RADIUS server on the right is the authentication server and the switch in the middle is the 802.1X authenticator, or just the authenticator. The EX acts as the authenticator in this example. It accepts any host requests and forwards them to the authentication server. Then it replies with any messages from that authentication server back to the host.

Slide 48 Understanding 802.1X (Cont'd.)
The switch controls physical access to the network; when a host first connects to a switch, it will not be able to send normal traffic over the link
The switch acts as a proxy, requesting identity information from the host and relaying it to the RADIUS server

Traffic between the host and the authenticator is EAPOL. Traffic between the authenticator and the RADIUS server is RADIUS type traffic. We use EAP or the Extensible Authentication Protocol. This gets converted to RADIUS. The switch acts as a proxy to the authentication server. The host cannot send normal traffic over the link until it is authenticated.

Slide 49 Understanding MAC-RADIUS
MAC-RADIUS provides a scalable solution to authenticating non-802.1X compliant end-hosts in a large environment by using the MAC address of end-host as the client identity to authenticate with the centralized authentication server
IEEE 802.1X provides a framework for network access control, however, it requires the supplicant to have software that can communicate via 802.1X as a part of the framework
This may not be possible on some customer environments where devices connected do not support 802.1X (printers, PoE cameras, etc.)
There is a method where such devices that do not support 802.1X can bypass the authentication by statically configuring the MAC address on the switch locally

MAC-RADIUS provides a solution for authenticating any non-802.1X-compliant end host. In the case of the previous slide, we would have to have an 802.1X supplicant or agent residing on that host device to get authenticated. But there are things on the network, such as cameras and printers, which do not have an 802.1X agent and are not an 802.1X supplicant. That's where MAC-RADIUS comes into play. We statically configure MAC addresses on the product so we can allow those devices access to the network.

Slide 50 Understanding MAC-RADIUS (Cont'd.)
When a new MAC address appears on MAC-RADIUS enabled interface, the switch will communicate with the RADIUS server using client's MAC address as credential. If the new MAC address is accepted by the RADIUS server, then access would be granted
As with 802.1X, the authenticator (EX Series switch) behavior and configuration as well as all attributes sent by the RADIUS server are identical
When there are multiple authentication mechanisms available on a given interface, the order of authentication is:
1. Static MAC bypass
2. 802.1X
3. MAC-RADIUS
4. Guest VLAN or Auth-failed VLAN

When a new MAC address appears on a MAC-RADIUS enabled interface, the switch communicates to the RADIUS server using the client's MAC address as its credential. If that MAC address is in the RADIUS server's database, access is granted. If not, access is not granted and the port is shut down. The EX Series switch, acting as the authenticator, has the ability to shut that port off and deny that device access to the network. If there are multiple authentication methods available on an interface, there are ways the device can authenticate, as shown in the list. The first method attempted is static MAC address. Then comes 802.1X, MAC-RADIUS, and lastly guest VLAN or authorization-failed VLAN.

Slide 51 Section Summary
In this section, you have learned to discuss:
802.1X
MAC-RADIUS
For more information and the latest technical specifications:

In this section, you have learned to discuss: 802.1X, and MAC-RADIUS.

Slide 52 Learning Activity 4: Question 1
What are the main components of 802.1X? (Select three.)
A) RADIUS server
B) RADIUS client
C) Supplicant
D) Authenticator

Slide 53 Learning Activity 4: Question 2
Is the following statement true or false? In 802.1X, when a host first connects to an EX switch, it cannot send normal traffic over the link.
A) True
B) False

Slide 54 Learning Activity 4: Question 3
MAC-RADIUS is a method for granting network access to what type of device?
A) Devices that do not have MAC addresses
B) Devices that do not support 802.1X
C) Devices that cannot communicate using RADIUS
D) Devices that lack IEEE-RADIUS certification

Slide 55 EX Series Technical Details: EX Series Access Control Lists

EX Series Access Control Lists

Slide 56 Section Objectives
After successfully completing this section, you will be able to discuss:
Firewall filters (ACLs)
Port-based filters
VLAN-based filters
Router-based filters
Firewall filter processing
Firewall filter entry programming

After successfully completing this section, you will be able to discuss: Firewall filters (ACLs), Port-based filters, VLAN-based filters, Router-based filters, Firewall filter processing, and Firewall filter entry programming.

Slide 57 Types of Filters (ACLs)
Port-based firewall filter (PACL): Applied directly to a Layer 2 switch port
VLAN-based firewall filter (VACL): Applied to a Layer 2 VLAN
Router-based firewall filter (RACL): Applied directly to Layer 3 routed interface
The same firewall filter can be used as a port firewall filter or VLAN firewall filter
Distinction determined by point of policy enforcement
Firewall filter processing on EX Series switches is done in hardware (PFE)
Firewall filter (ACL) entries are programmed in PFE TCAM lookups and enforcements are performed at line rate
EX2200 support 1,500 ACLs
EX3200 and EX4200 support 7k ACLs
EX8200 supports 54k security ACLs

Last on the access security topic list is the Firewall Filter, also known as Access Control List or ACL. There are three different types of firewall filter or ACL. The first one is a port-based firewall filter; the second one is a VLAN-based firewall filter; the last one is the router-based firewall filter. For those who are familiar with ACL terminology, these are referred to as PACL, VACL, and RACL. The port-based firewall filter is applied directly to the Layer 2 switch port. The VLAN-based filter is applied to the Layer 2 VLAN. The router-based firewall filter is applied directly to the Layer 3 routed interface or RVI. These firewall filters are the same as those that are available in Junos. The difference in role depends on where the firewall filter has been applied. The EX3200 and EX4200 scale to 7000 access control lists per device. In the case of the EX4200, that's 7,000 lists across a Virtual Chassis. Because it's usually supported in much larger core environments, the EX8200 scales to 54,000 firewall filters or ACLs.

Slide 58 Understanding Firewall Filters
Order of precedence in ingress firewall filter processing is Port FF, VLAN FF, Router FF
Egress firewall filter processing is done in the reverse order
Router firewall filter does not apply to switched packets in same VLAN

In the diagram, the blue box in the middle is the switch. Assume the host on Gigabit Ethernet 1/0/1 wants to send traffic to the host on Gigabit Ethernet 1/0/4. The packets received by the switch will first go through the port-based firewall filter. Then they will traverse the VLAN-based firewall filter. Last, they go through the router-based firewall filter. On the egress side, packets go through the router-based firewall filter and then the VLAN-based firewall filter. Then the packets go out. This order is important because the firewall filter's role differs depending on where it is enforced. Say a user would like to apply a firewall filter, but the firewall filter is applied where the router firewall filter is located. Suppose the traffic that the user was trying to block was limited to the VLAN itself, as in the example in the bottom left corner, where the host hanging off Gigabit Ethernet 1/0/0 is communicating with 1/0/1. In that case, if the firewall filter is applied on the router interface (RVI), that firewall filtering will never take place, because that traffic will never traverse the router interface of that particular VLAN. That is why we need to keep in mind the order of firewall filters: port-based filter, VLAN-based filter, and router-based filter, and vice versa on the output or egress.
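The placement problem described for Slide 58 can be checked with a model of the filter stages a packet crosses. This is an added example, not Juniper code or part of the course. The VLAN names and the sample filter are constructed, and the egress order follows the slide text (router, VLAN, port).

```python
def stages(port_vlan, in_port, out_port):
    """Ordered filter attachment points a packet crosses inside the switch."""
    in_vlan, out_vlan = port_vlan[in_port], port_vlan[out_port]
    path = [("port", in_port, "ingress"), ("vlan", in_vlan, "ingress")]
    if in_vlan != out_vlan:
        # Only routed traffic traverses the routed VLAN interfaces (RVIs).
        path += [("router", in_vlan, "ingress"), ("router", out_vlan, "egress")]
    # Egress runs in the reverse order: router, then VLAN, then port.
    path += [("vlan", out_vlan, "egress"), ("port", out_port, "egress")]
    return path


def forward(port_vlan, filters, packet, in_port, out_port):
    """Apply the attached filters in order; return (verdict, stage that discarded)."""
    for stage in stages(port_vlan, in_port, out_port):
        term = filters.get(stage)
        if term is not None and term(packet) == "discard":
            return "discard", stage
    return "accept", None


def block_telnet(packet):
    """Constructed sample filter term: discard TCP destination port 23."""
    if packet["proto"] == "tcp" and packet["dst_port"] == 23:
        return "discard"
    return "accept"


# Constructed topology: two hosts in VLAN v10, one host in VLAN v20.
PORT_VLAN = {"ge-1/0/0": "v10", "ge-1/0/1": "v10", "ge-1/0/4": "v20"}
TELNET = {"proto": "tcp", "dst_port": 23}


def demo():
    on_rvi = {("router", "v10", "ingress"): block_telnet}
    on_vlan = {("vlan", "v10", "ingress"): block_telnet}
    return {
        # Filter on the RVI: switched traffic inside v10 never reaches it.
        "rvi_intra_vlan": forward(PORT_VLAN, on_rvi, TELNET, "ge-1/0/0", "ge-1/0/1"),
        # The same filter does act on traffic routed from v10 to v20.
        "rvi_routed": forward(PORT_VLAN, on_rvi, TELNET, "ge-1/0/1", "ge-1/0/4"),
        # Moved to the VLAN, the filter also covers intra-VLAN traffic.
        "vlan_intra_vlan": forward(PORT_VLAN, on_vlan, TELNET, "ge-1/0/0", "ge-1/0/1"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```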


More information

Abstract. Avaya Solution & Interoperability Test Lab

Abstract. Avaya Solution & Interoperability Test Lab Avaya Solution & Interoperability Test Lab Sample Configuration for using Link Layer Discovery Protocol (LLDP) with Cisco Catalyst 4500 or 3750 Switches for VLAN Assignment for Avaya 9600 and 1600 Series

More information

DCRS-5650 Dual Stack Ethernet Switch Datasheet

DCRS-5650 Dual Stack Ethernet Switch Datasheet DCRS-5650 Dual Stack Ethernet Switch Datasheet DCRS-5650-28C Product Overview DCRS-5650 series switch is L3 Fast Ethernet switch which meets the requirements of security and intelligent networks for education

More information

DCS-3950-28CT-POE fully loaded AT PoE Switch Datasheet

DCS-3950-28CT-POE fully loaded AT PoE Switch Datasheet DCS-3950-28CT-POE fully loaded AT PoE Switch Datasheet DCS-3950-28CT-POE Product Overview DCS-3950-28CT-POE is fully loaded PoE switch for carrier and enterprises. It supports comprehensive QoS, enhanced

More information

Interoperability between Avaya IP phones and ProCurve switches

Interoperability between Avaya IP phones and ProCurve switches An HP ProCurve Networking Application Note Interoperability between Avaya IP phones and ProCurve switches Contents 1. Introduction... 3 2. Architecture... 3 3. Checking PoE compatibility... 3 4. Configuring

More information

Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs

Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs How To Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs Introduction In a large network where internal users cannot be trusted, it is nearly impossible to stop a host from

More information

Course Contents CCNP (CISco certified network professional)

Course Contents CCNP (CISco certified network professional) Course Contents CCNP (CISco certified network professional) CCNP Route (642-902) EIGRP Chapter: EIGRP Overview and Neighbor Relationships EIGRP Neighborships Neighborship over WANs EIGRP Topology, Routes,

More information

Networking 4 Voice and Video over IP (VVoIP)

Networking 4 Voice and Video over IP (VVoIP) Networking 4 Voice and Video over IP (VVoIP) Course Objectives This course will give delegates a good understanding of LANs, WANs and VVoIP (Voice and Video over IP). It is aimed at those who want to move

More information

BASIC ANALYSIS OF TCP/IP NETWORKS

BASIC ANALYSIS OF TCP/IP NETWORKS BASIC ANALYSIS OF TCP/IP NETWORKS INTRODUCTION Communication analysis provides powerful tool for maintenance, performance monitoring, attack detection, and problems fixing in computer networks. Today networks

More information

VMware ESX Server 3 802.1Q VLAN Solutions W H I T E P A P E R

VMware ESX Server 3 802.1Q VLAN Solutions W H I T E P A P E R VMware ESX Server 3 802.1Q VLAN Solutions W H I T E P A P E R Executive Summary The virtual switches in ESX Server 3 support VLAN (IEEE 802.1Q) trunking. Using VLANs, you can enhance security and leverage

More information

Configuring the Transparent or Routed Firewall

Configuring the Transparent or Routed Firewall 5 CHAPTER This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall works in each firewall mode. This chapter also includes information about customizing

More information

White Paper Creating a Video Matrix over IP

White Paper Creating a Video Matrix over IP White Paper Creating a Video Matrix over IP As the worlds of AV and IT converge, software is rapidly becoming the new frontier of AV development. In the old days, once there was a picture on the screen

More information

Chapter 3. Enterprise Campus Network Design

Chapter 3. Enterprise Campus Network Design Chapter 3 Enterprise Campus Network Design 1 Overview The network foundation hosting these technologies for an emerging enterprise should be efficient, highly available, scalable, and manageable. This

More information

24 GE + 2 GE SFP L2 Managed Switch

24 GE + 2 GE SFP L2 Managed Switch GEL-2670 Version: 1 24 GE + 2 GE SFP L2 Managed Switch The LevelOne GEL-2670 is an intelligent L2 Managed Switch with 24 x 1000Base-T ports and 2 x 100/1000BASE-X SFP (Small Form Factor Pluggable) slots.

More information

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev.

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev. Management Software AT-S106 Web Browser User s Guide For the AT-GS950/48 Gigabit Ethernet Smart Switch Version 1.0.0 613-001339 Rev. A Copyright 2010 Allied Telesis, Inc. All rights reserved. No part of

More information

CCNA R&S: Introduction to Networks. Chapter 5: Ethernet

CCNA R&S: Introduction to Networks. Chapter 5: Ethernet CCNA R&S: Introduction to Networks Chapter 5: Ethernet 5.0.1.1 Introduction The OSI physical layer provides the means to transport the bits that make up a data link layer frame across the network media.

More information

OVERLAYING VIRTUALIZED LAYER 2 NETWORKS OVER LAYER 3 NETWORKS

OVERLAYING VIRTUALIZED LAYER 2 NETWORKS OVER LAYER 3 NETWORKS OVERLAYING VIRTUALIZED LAYER 2 NETWORKS OVER LAYER 3 NETWORKS Matt Eclavea (meclavea@brocade.com) Senior Solutions Architect, Brocade Communications Inc. Jim Allen (jallen@llnw.com) Senior Architect, Limelight

More information

ZyXEL GS2210-8HP V4.10(AASQ.1)C0 Release Note/Manual Supplement

ZyXEL GS2210-8HP V4.10(AASQ.1)C0 Release Note/Manual Supplement ZyXEL GS2210-8HP V4.10(AASQ.1)C0 Release Note/Manual Supplement Date: May. 5, 2015 This document describes the features in the GS2210-8HP product for its 4.10(AASQ.1)C0 release. Support Platforms: ZyXEL

More information

Chapter 1 Reading Organizer

Chapter 1 Reading Organizer Chapter 1 Reading Organizer After completion of this chapter, you should be able to: Describe convergence of data, voice and video in the context of switched networks Describe a switched network in a small

More information

Exhibit n.2: The layers of a hierarchical network

Exhibit n.2: The layers of a hierarchical network 3. Advanced Secure Network Design 3.1 Introduction You already know that routers are probably the most critical equipment piece in today s networking. Without routers, internetwork communication would

More information

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance CHAPTER 5 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive

More information

Datasheet. Managed Gigabit Switches with SFP. Models: ES-24-Lite, ES-48-Lite. Non-Blocking Throughput Switching Performance

Datasheet. Managed Gigabit Switches with SFP. Models: ES-24-Lite, ES-48-Lite. Non-Blocking Throughput Switching Performance Managed Gigabit Switches with SFP Models: ES-24-Lite, ES-48-Lite Non-Blocking Throughput Switching Performance Gigabit Ethernet RJ45 Ports SFP+/SFP Fiber Connectivity Options Deployment Examples VLAN 80

More information

Abstract. Avaya Solution & Interoperability Test Lab

Abstract. Avaya Solution & Interoperability Test Lab Avaya Solution & Interoperability Test Lab Configuring NETGEAR PROSAFE 8-port, 16-port and 24-port switches Supporting Power over Ethernet with Avaya Communication Manager, Avaya one-x Quick Edition G10

More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

Cisco EtherSwitch Network Modules

Cisco EtherSwitch Network Modules Cisco EtherSwitch Network Modules 16- and 36-Port 10/100 Ethernet Modules for Cisco 2600/2800/3600/3700/3800 Series Routers Figure 1. Cisco 16-Port and 36-Port EtherSwitch Network Modules The Cisco 16-

More information

A Guide to Simple IP Camera Deployment Using ZyXEL Bandwidth Solutions

A Guide to Simple IP Camera Deployment Using ZyXEL Bandwidth Solutions A Guide to Simple IP Camera Deployment Using ZyXEL Bandwidth Solutions 2015/7/22 ZyXEL Communications Corporation Barney Gregorio Overview: This article contains guidelines on how to introduce IP cameras

More information

Fiber Channel Over Ethernet (FCoE)

Fiber Channel Over Ethernet (FCoE) Fiber Channel Over Ethernet (FCoE) Using Intel Ethernet Switch Family White Paper November, 2008 Legal INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR

More information

vsphere Networking ESXi 5.0 vcenter Server 5.0 EN-000599-01

vsphere Networking ESXi 5.0 vcenter Server 5.0 EN-000599-01 ESXi 5.0 vcenter Server 5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

Dell PowerVault MD Series Storage Arrays: IP SAN Best Practices

Dell PowerVault MD Series Storage Arrays: IP SAN Best Practices Dell PowerVault MD Series Storage Arrays: IP SAN Best Practices A Dell Technical White Paper Dell Symantec THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND

More information

Development of the FITELnet-G20 Metro Edge Router

Development of the FITELnet-G20 Metro Edge Router Development of the Metro Edge Router by Tomoyuki Fukunaga * With the increasing use of broadband Internet, it is to be expected that fiber-tothe-home (FTTH) service will expand as the means of providing

More information

ALLNET ALL-SG8926PM Layer 2 FULL Management 24 Port Giga PoE Current Sharing Switch IEEE802.3at/af

ALLNET ALL-SG8926PM Layer 2 FULL Management 24 Port Giga PoE Current Sharing Switch IEEE802.3at/af ALLNET ALL-SG8926PM Layer 2 FULL Management 24 Port Giga PoE Current Sharing Switch IEEE802.3at/af 24-Port Giga PoE Current Sharing 500W PoE Budget IPv6 and IPv4 Dual Protocol SNMP v1/v2c/v3 SSH version

More information

Using IEEE 802.1x to Enhance Network Security

Using IEEE 802.1x to Enhance Network Security Using IEEE 802.1x to Enhance Network Security Table of Contents Introduction...2 Terms and Technology...2 Understanding 802.1x...3 Introduction...3 802.1x Authentication Process...3 Before Authentication...3

More information

VXLAN: Scaling Data Center Capacity. White Paper

VXLAN: Scaling Data Center Capacity. White Paper VXLAN: Scaling Data Center Capacity White Paper Virtual Extensible LAN (VXLAN) Overview This document provides an overview of how VXLAN works. It also provides criteria to help determine when and where

More information

DCS-3950-52C Fast Ethernet Intelligent Access Switch Datasheet

DCS-3950-52C Fast Ethernet Intelligent Access Switch Datasheet DCS-3950-52C Fast Ethernet Intelligent Access Switch Datasheet DCS-3950-52C Product Overview DCS-3950-52C switch is Fast Ethernet intelligent security access switch for carrier and MAN networks. It supports

More information

Abstract. Avaya Solution & Interoperability Test Lab

Abstract. Avaya Solution & Interoperability Test Lab Avaya Solution & Interoperability Test Lab Sample Configuration for using Link Layer Discovery Protocol (LLDP) with Cisco Catalyst 4500 or 3750 Switches for VLAN assignment to Avaya 4600 Series IP Telephones

More information

Network Discovery Protocol LLDP and LLDP- MED

Network Discovery Protocol LLDP and LLDP- MED Network LLDP and LLDP- MED Prof. Vahida Z. Attar College of Engineering, Pune Wellesely Road, Shivajinagar, Pune-411 005. Maharashtra, INDIA Piyush chandwadkar College of Engineering, Pune Wellesely Road,

More information

Level 1 Technical. Networking and Technology Basics. Contents

Level 1 Technical. Networking and Technology Basics. Contents Level 1 Technical Networking and Technology Basics Contents 1 Glossary... 2 2 IP Networking Basics... 4 Fundamentals... 4 IP Addresses... 4 Subnet Masks... 5 Network Communication... 6 Transport Protocols...

More information

Network Discovery Protocol LLDP and LLDP- MED

Network Discovery Protocol LLDP and LLDP- MED Network LLDP and LLDP- MED Prof. Vahida Z. Attar College of Engineering, Pune Wellesely Road, Shivajinagar, Pune-411 005. Maharashtra, INDIA Piyush chandwadkar College of Engineering, Pune Wellesely Road,

More information

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance CHAPTER 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive

More information

Voice Over IP. MultiFlow 5048. IP Phone # 3071 Subnet # 10.100.24.0 Subnet Mask 255.255.255.0 IP address 10.100.24.171. Telephone.

Voice Over IP. MultiFlow 5048. IP Phone # 3071 Subnet # 10.100.24.0 Subnet Mask 255.255.255.0 IP address 10.100.24.171. Telephone. Anritsu Network Solutions Voice Over IP Application Note MultiFlow 5048 CALL Manager Serv # 10.100.27 255.255.2 IP address 10.100.27.4 OC-48 Link 255 255 25 IP add Introduction Voice communications over

More information

IP SAN Best Practices

IP SAN Best Practices IP SAN Best Practices A Dell Technical White Paper PowerVault MD3200i Storage Arrays THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES.

More information

Secure Networks for Process Control

Secure Networks for Process Control Secure Networks for Process Control Leveraging a Simple Yet Effective Policy Framework to Secure the Modern Process Control Network An Enterasys Networks White Paper There is nothing more important than

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Wireless Edge Services xl Module 2.0 Update NPI Technical Training June 2007

Wireless Edge Services xl Module 2.0 Update NPI Technical Training June 2007 ProCurve Wireless Edge Services xl Module v.2 Software NPI Technical Training NPI Technical Training Version: 1.5 12 June 2007 2007 Hewlett-Packard Development Company, L.P. The information contained herein

More information

Overview of Routing between Virtual LANs

Overview of Routing between Virtual LANs Overview of Routing between Virtual LANs This chapter provides an overview of virtual LANs (VLANs). It describes the encapsulation protocols used for routing between VLANs and provides some basic information

More information

Asynchronous Transfer Mode: ATM. ATM architecture. ATM: network or link layer? ATM Adaptation Layer (AAL)

Asynchronous Transfer Mode: ATM. ATM architecture. ATM: network or link layer? ATM Adaptation Layer (AAL) Asynchrous Transfer Mode: architecture 1980s/1990 s standard for high-speed (155Mbps to 622 Mbps and higher) Broadband Integrated Service Digital Network architecture Goal: integrated, end-end transport

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring Multiple Port Mirroring Sessions on EX4200 Switches Published: 2014-04-09 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000

More information

Expert Reference Series of White Papers. VMware vsphere Distributed Switches

Expert Reference Series of White Papers. VMware vsphere Distributed Switches Expert Reference Series of White Papers VMware vsphere Distributed Switches info@globalknowledge.net www.globalknowledge.net VMware vsphere Distributed Switches Rebecca Fitzhugh, VCAP-DCA, VCAP-DCD, VCAP-CIA,

More information

Cisco Small Business Managed Switches

Cisco Small Business Managed Switches Cisco SRW224P 24-Port 10/100 + 2-Port Gigabit Switch: WebView/PoE Cisco Small Business Managed Switches Secure, Reliable, Intelligent Switching with PoE for Growing Businesses Highlights Connects up to

More information

Broadband Network Architecture

Broadband Network Architecture Broadband Network Architecture Jan Martijn Metselaar May 24, 2012 Winitu Consulting Klipperaak 2d 2411 ND Bodegraven The Netherlands slide Broadband Services! Dual play, Triple play, Multi play! But what

More information

Networking Devices. Lesson 6

Networking Devices. Lesson 6 Networking Devices Lesson 6 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Network Interface Cards Modems Media Converters Repeaters and Hubs Bridges and

More information

Carrier Ethernet: New Game Plan for Media Converters

Carrier Ethernet: New Game Plan for Media Converters Introduction IEEE Std. 802.3ah, also referred to as Ethernet in the First Mile (EFM) standard, has a well established name within the industry today. It lays out ground rules for implementing Ethernet

More information

644-068. Cisco - 644-068 Advanced Routing and Switching for Field Engineers - ARSFE

644-068. Cisco - 644-068 Advanced Routing and Switching for Field Engineers - ARSFE Cisco - 644-068 Advanced Routing and Switching for Field Engineers - ARSFE 1 QUESTION: 1 Which three of the following are major trends that fuel the demand for routing and switching? (Choose three.) A.

More information

Improving Quality of Service

Improving Quality of Service Improving Quality of Service Using Dell PowerConnect 6024/6024F Switches Quality of service (QoS) mechanisms classify and prioritize network traffic to improve throughput. This article explains the basic

More information

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper Details: Introduction When computers in a private network connect to the Internet, they physically

More information

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6)

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6) Cisco Certified Network Associate Exam Exam Number 200-120 CCNA Associated Certifications CCNA Routing and Switching Operation of IP Data Networks Operation of IP Data Networks Recognize the purpose and

More information