EX Series Technical Details
- Erica Roberts
- 7 years ago
Education Services Courseware: EX Series Technical Details Student Guide

NOTE: This Student Guide has been developed from an audio narration, so it uses conversational English. The purpose of this transcript is to help you follow the online presentation and may require reference to it.

Slide 2: EX Series Technical Details
2011 Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Welcome to the Juniper Networks EX Series Technical Details e-learning module.
Course: Juniper Networks, Inc.
Slide 3: Course Objectives
After completing this course, you will be able to discuss features of the EX2200, EX3200, EX4200, EX4500, and the EX8200:
- Features to Enable IP Communications
- Metro Ethernet Features
- Port Security
- User Authentication
- Access Control Lists
- Class of Service (CoS)
- Monitoring, Mirroring and Accounting

After completing the course, you will be able to discuss features of the EX2200, EX3200, EX4200, EX4500, and the EX8200: features to enable IP communications, Metro Ethernet features, Port Security, User Authentication, Access Control Lists, Class of Service (or CoS), and Monitoring, Mirroring, and Accounting.
Slide 4: Agenda: EX Series Technical Details
- Enabling IP Communications on the EX Series Ethernet Switches
- EX Series Metro Ethernet Features
- Port Security and the EX Series Ethernet Switches
- User Authentication on EX Series
- EX Series Access Control Lists
- EX Series Class of Service (CoS)
- Monitoring, Mirroring and Accounting

This course consists of seven sections. The seven main sections are provided in sequential order and are titled as follows: Enabling IP Communications on the EX Series Ethernet Switches; EX Series Metro Ethernet Features; Port Security and the EX Series Ethernet Switches; User Authentication on EX Series; EX Series Access Control Lists; EX Series Class of Service (CoS); and Monitoring, Mirroring and Accounting.
Slide 5: EX Series Technical Details: Enabling IP Communications on the EX Series Ethernet Switches

Let's start with a discussion of Enabling IP Communications on the EX Series Ethernet Switches.
Slide 6: Section Objectives
After successfully completing this section, you will be able to discuss the following IP communications features:
- Power over Ethernet (PoE)
- Voice VLAN
- Link Layer Discovery Protocol (LLDP)
- Link Layer Discovery Protocol Media Endpoint Devices (LLDP-MED)

After successfully completing this section, you will be able to discuss the following IP communications features: Power over Ethernet (PoE), Voice VLAN, Link Layer Discovery Protocol (LLDP), and Link Layer Discovery Protocol Media Endpoint Devices (LLDP-MED).
Slide 7: IP Communication Features
- Power over Ethernet is the ability to deliver regulated -48V DC power over a standard copper Ethernet network cable
- Voice VLAN enables access ports to accept both data and voice traffic from directly connected IP phones
- Link Layer Discovery Protocol (LLDP) is a protocol that allows network devices to advertise their identity and capabilities on the LAN
- Link Layer Discovery Protocol Media Endpoint Devices (LLDP-MED) is an extension to LLDP to support interoperability between VoIP endpoint devices and other networking end-devices

What are some of the features and functionalities to enable unified communications or IP communications on the EX platform? We want to talk about four. The first is Power over Ethernet, or PoE. Next is Voice VLAN, a key feature. Link Layer Discovery Protocol has two parts: LLDP and LLDP-MED. We'll go over each of these briefly.
Slide 8: Components of Power Over Ethernet (PoE)
Two primary components of a PoE deployment:
- Powered device (PD) that accepts and utilizes delivered power
- Power sourcing equipment (PSE) such as an EX2200, EX3200 or EX4200 Series switch

[Table: EX2200 Series, EX3200 Series and EX4200 Series models with total port count and number of PoE ports (24 ports PoE, 48 ports PoE, or 8 ports PoE); the model numbers were not recovered from the slide.]
* Enhanced PoE support EX with Junos 11.1 update

There are two primary components of Power over Ethernet. One is a powered device, meaning a VoIP phone, access point, video camera, or other device that requires power from power-sourcing equipment. The other is that power-sourcing equipment, which, in our case, is the EX2200, EX3200 or the EX4200 Series of products. This slide shows the model numbers, the number of ports, and the number of PoE ports provided. Remember that there is no power management and no additional configuration on the power-sourcing equipment. You can plug a powered device into a PoE-capable port on the EX Series switches. If that device negotiates power, that's fine. If it doesn't, it gets the full 15.4 watts of power. You don't need to worry about having a limited power budget on that device and having to portion out that power budget on a port-by-port basis. Enhanced PoE will be supported in the 11.1 release of Junos for the EX3200 and EX4200 models that support PoE. This will deliver 18.6 watts per port. Customers who are familiar with other vendors' product lines sometimes ask, "How do you do power management?" or "What power management is available on the device?" or "How many ports of PoE do you have?" The answers are very simple: we have no power management because we don't need it, we provide power on every port, and all ports are powered.
Slide 9: PoE Considerations (1 of 2)

When selecting products to meet requirements, you must factor Power over Ethernet (PoE) into your selection process. PoE ports provide electrical current to devices through the network cables, so that separate power cords for devices such as IP phones, wireless access points, and security cameras are unnecessary. Full PoE models (Class 3 PoE on all ports) are primarily used in IP telephony environments. Partial PoE models (only 8 of the ports supply PoE), such as some of the EX3200 and EX4200 models, are used in environments where, for example, only a few ports for wireless access points or security cameras are required. PoE was first defined in the IEEE 802.3af standard. In this standard, the amount of power that can be supplied to a powered device is limited to 15.4 W. A later standard, IEEE 802.3at, defined PoE+, which increases the amount of power to 30 W. The PoE+ standard provides support for legacy PoE devices: an IEEE 802.3af powered device can operate normally when connected to IEEE 802.3at (PoE+) power sourcing equipment. When selecting a switch to supply PoE power, you will need to know the PoE class of each device being powered and how many total devices you are connecting. This will establish the PoE budget that is needed. Each switch capable of delivering PoE power has a PoE budget, which is the maximum amount of PoE power it can deliver. Another consideration is redundant power within the switch. This provides power redundancy in case of a power supply failure: data will still flow and devices will maintain power. Also, the power supplies will share the load of powering the switch and PoE devices, extending the lifetime of the power supplies.
Slide 10: PoE Considerations (2 of 2)
* EX2200 is also available in non-PoE models.
** EX3200 and EX port models use the first eight ports on the switch to supply PoE.
*** DC versions do not supply PoE.

EX Series switches with PoE ports support either IEEE 802.3af or IEEE 802.3at. The EX3200 and EX4200 switches support IEEE 802.3af; the EX2200 switch supports IEEE 802.3at (PoE+). Starting with Junos operating system release 11.1, we will provide Enhanced PoE on EX3200 and EX4200 switches. Enhanced PoE is the Juniper Networks extension to the IEEE 802.3af standard that allows up to 18.6 W per PoE port. Here is a breakdown of PoE capabilities in Juniper products:
- EX2200 switches are available with full (all 24 or 48 built-in ports) or no PoE capability. EX2200 switches running Junos release 10.3 or later can supply up to 30 W to individual PoE ports, supporting powered devices that comply with IEEE 802.3af (PoE) and IEEE 802.3at (PoE+).
- EX3200 switches with an AC power supply installed have options of full (all 24 or 48 ports) or partial (8 ports) PoE capability. EX3200 switches with a DC power supply installed do not provide PoE.
- EX4200 switches with an AC power supply installed have options of full (all 24 or 48 ports) or partial (8 ports) PoE capability. EX4200 switches with a DC power supply installed do not provide PoE.
- PoE is not available on the following models: the EX F, EX4500, EX8200 Series, and QFX3500 switches.
Slide 11: 802.3af Power over Ethernet
- IEEE 802.3af has an optional power classification feature and should be a minimum requirement for any PoE deployment
- LAN switch (PSE) budgets require power based upon the class of attached devices
- Significantly reduces power capacity requirements
- With power classification: switch identifies power needs and reserves power based upon class
- Without power classification: unclassified devices treated as default (Class 0) with full 15.4W power budgeted per port

Power over Ethernet follows IEEE specification 802.3af, which puts powered devices into one of four classes. Class 0 is the default, meaning that the device doesn't negotiate at all; it just reserves the full 15.4 watts. Class 1 devices, including some VoIP phones, draw 4 watts. Some IP phones draw more than that, particularly the ones with LCD displays. Those are Class 2 devices. Class 3 is the full 15.4 watts. Class 3 devices include things like access points. We support all these classes in the EX Series of switches, and the EX3200 and EX4200 will negotiate Class 1, 2, or 3, but are capable of supplying the full 15.4 watts on all ports at all times.
Slide 12: EX2200, EX3200 and EX4200 PoE Power Requirements
- EX2200 has one 550W power supply
- There are 3 different power supply capacities for EX3200 and EX4200: 320W, 600W, 930W
- Any power supply can be installed on any EX3200 or EX4200 model. However, installing a higher capacity power supply will not increase the number of PoE ports supported on the switch
- Use the same power supply capacity when redundant power supplies are installed on an EX4200
- When capacities are not equal to each other, the switch will budget the total power pool based on the lower capacity power supply

This shows the PoE power requirements for the EX2200, EX3200 and EX4200. The EX2200 power supply is 550 watts. There are 3 different power supplies available for the EX3200 and EX4200: a 320 watt supply, a 600 watt supply, and a 930 watt supply. The power supplies are consistent across the EX3200 and EX4200 units; they use the same power supplies. The 320 watt power supply is typically used on the 24T and the 48T, the partial PoE models. The 600 watt power supply is typically used on the 24P models, the models with full 24-port PoE capability. The 930 watt power supply goes with the 48P models, those with full 48-port PoE capability. Note that on the EX4200, with the redundant power capability, you need to use the same power supply model on both. You don't want to have a 930 watt supply fail and have a 320 watt supply in the redundant slot, because you'll lose a lot of your PoE capability. That is not an officially supported configuration.
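To make the class-based budgeting of slides 11 and 12 concrete, here is a small PoE budget planner. It is an added example, not Juniper code and not a documented Junos algorithm: it assumes the 802.3af per-class reservations given in this section (Class 0 and Class 3 reserve the full 15.4 W, Class 1 reserves 4 W, Class 2 reserves 7 W), and it treats a supply's rated capacity as the usable PoE pool, ignoring the switch's own system draw, which the page does not quantify.

```python
# PoE budget planner (added example; not Juniper code). Models the 802.3af
# class-based reservation rule and the lower-capacity rule for unequal
# redundant supplies described in this section.
from dataclasses import dataclass
from typing import Iterable, Tuple

# Power the PSE reserves per 802.3af class, in watts. Class 0 (unclassified)
# and Class 3 both reserve the full per-port figure; Class 1 and 2 reserve less.
CLASS_RESERVATION_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4}
FULL_PORT_W = 15.4  # what a port gets when the device does not negotiate


@dataclass(frozen=True)
class PowerSupplies:
    """Installed supply capacities in watts, e.g. (930, 930) or (550,)."""
    capacities_w: Tuple[float, ...]

    def budget_w(self) -> float:
        # Slide 12: with unequal redundant supplies the switch budgets the
        # pool on the LOWER capacity; with equal supplies the pool is that
        # capacity. Assumption: the full rating is available for PoE.
        return float(min(self.capacities_w))


def reserved_power_w(device_classes: Iterable[int], classified: bool = True) -> float:
    """Total PoE power the PSE reserves for the attached powered devices.

    device_classes: one 802.3af class number (0-3) per powered device.
    classified=False models a PSE without power classification, which treats
    every device as Class 0 and budgets the full 15.4 W per port.
    """
    total = 0.0
    for cls in device_classes:
        if cls not in CLASS_RESERVATION_W:
            raise ValueError(f"unknown 802.3af class {cls}")
        total += CLASS_RESERVATION_W[cls] if classified else FULL_PORT_W
    return round(total, 1)


def fits(device_classes: Iterable[int], supplies: PowerSupplies,
         classified: bool = True) -> bool:
    """True when the reserved PoE power fits in the usable power pool."""
    return reserved_power_w(device_classes, classified) <= supplies.budget_w()


def classification_saving_w(device_classes: Iterable[int]) -> float:
    """How many watts classification saves versus budgeting every port at 15.4 W."""
    devices = list(device_classes)
    return round(reserved_power_w(devices, False) - reserved_power_w(devices, True), 1)


if __name__ == "__main__":
    # Constructed sample: a 48-port closet with 24 Class 1 phones and 24
    # Class 2 phones (LCD models), on a single 320 W supply.
    phones = [1] * 24 + [2] * 24
    single_320 = PowerSupplies((320,))
    print("classified reservation  :", reserved_power_w(phones), "W")
    print("unclassified reservation:", reserved_power_w(phones, classified=False), "W")
    print("fits 320 W (classified) :", fits(phones, single_320))
    print("fits 320 W (unclassified):", fits(phones, single_320, classified=False))
    # Unequal redundant supplies: the pool follows the smaller one.
    print("pool for (930, 320)     :", PowerSupplies((930, 320)).budget_w(), "W")
```

With classification the 48 phones reserve 264 W and fit a 320 W supply; without it the same phones reserve 739.2 W, which is why slide 11 calls classification a minimum requirement.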
Slide 13: Understanding Voice VLAN
- In order to reduce switch port counts, common enterprise VoIP edge deployments consist of an IP phone and end-host machine connected in tandem, attached to the same switch port
- VoIP solutions require separation of voice and data traffic in the network
- Sound quality of an IP phone call can deteriorate when large bursts of data traffic create network congestion that leads to packet loss or delay
- It's desirable to provide higher end-to-end SLAs to voice traffic due to its susceptibility to jitter, delay and packet loss
- The EX2200, EX3200 and EX4200 voice VLAN feature enables access ports to accept both untagged (data) and tagged (voice) traffic from directly connected IP phones and separate this traffic into different VLANs (namely the data VLAN and the voice VLAN)

Voice VLAN is typically used in the case where you have voice over IP phones and desktop devices connected to the same port. Customers do that to reduce the switch port count, instead of having a VoIP phone connected to one port and the desktop devices connected to another port. You can do that with a switch built into the VoIP phone, allowing you to use just a single port on a switch. From an operational standpoint, it saves money relative to the number of ports deployed in a customer environment. However, there are associated issues. Voice traffic typically requires limited amounts of jitter and some kind of traffic guarantee across a network. Data is typically a best-effort type of application, depending on the prioritization. It can starve out any kind of voice traffic, and that's something you obviously want to avoid. Voice VLAN enables you to designate a port as a voice VLAN port so that untagged (data) traffic and tagged (voice) traffic from directly connected devices can access VLANs on those ports, namely the data VLAN for data traffic and the voice VLAN for voice traffic. That way, the necessary traffic characteristics can be provided for the voice traffic versus the data traffic. Essentially, on the same port, you have a voice device and a data device connected, but the switch will recognize that there are two devices. Voice traffic thus goes to one VLAN that's given the appropriate quality of service. The data traffic goes to another VLAN that's given the appropriate quality of service for that traffic. This is deployed on all EX3200 and EX4200 devices.
Slide 14: Understanding LLDP and LLDP-MED
- Link Layer Discovery Protocol (IEEE 802.1AB): a Layer 2 protocol that allows network devices to advertise their identity and capabilities on the LAN
- When LLDP is enabled on a device, it is called an LLDP agent
- LLDP exchanges occur between LLDP agents
- Simple one-way neighbor discovery protocol with periodic transmissions of LLDPDUs
- LLDP frames are constrained to a local link
- LLDP-MED (Media Endpoint Devices) is an extension to LLDP developed by TIA (ANSI/TIA-1057) to support interoperability between VoIP endpoint devices and other networking end-devices
- LLDP-MED is focused mainly on discovery running between network devices and endpoints such as IP phones

As part of enabling unified IP communications, we also support Link Layer Discovery Protocol, or LLDP, as well as some of the media endpoint device extensions to LLDP: LLDP-MED. LLDP is based on IEEE specification 802.1AB. It is a Layer 2 protocol that essentially allows network devices to advertise their identity: "I am a phone" or "I am a desktop device" and so on. That way, you can provide configuration information for a particular port as far as configuration of VLANs. LLDP works in conjunction with other protocols that are out there so that you configure a port to take the characteristics required for voice traffic or data traffic. The MED, or media endpoint, extension to that is an ANSI specification that supports interoperability between the VoIP endpoint devices and any other type of endpoint device, such as a desktop, being able to interconnect data and voice devices on the same port and recognize them as such.
Slide 15: Section Summary
In this section, you have learned to discuss the following IP communications features:
- Power over Ethernet (PoE)
- Voice VLAN
- Link Layer Discovery Protocol (LLDP)
- Link Layer Discovery Protocol Media Endpoint Devices (LLDP-MED)
For more information and the latest technical specifications:

In this section, you have learned to discuss the following IP communications features: Power over Ethernet (or PoE), Voice VLAN, Link Layer Discovery Protocol (or LLDP), and Link Layer Discovery Protocol Media Endpoint Devices (or LLDP-MED).
Slide 16: Learning Activity 1: Question 1
What amount of power does an EX3200 provide for a PoE powered device that does not negotiate power?
A) 0 watts
B) 4 watts
C) 7 watts
D) 15.4 watts

Answer the following questions to review what you've learned in this section. Learning Activity 1, Question 1: What amount of power does an EX3200 provide for a PoE powered device that does not negotiate power?
Slide 17: Learning Activity 1: Question 2
How does Voice VLAN prevent data traffic from impacting the quality of voice traffic on the same port?
A) It disables the data VLAN when the voice VLAN on the same port is active.
B) It blocks data packets when packets are present on the voice VLAN.
C) It puts voice traffic on a VLAN with higher QoS than the data VLAN.
D) It gives voice traffic a path with lower latency than the data traffic.

Learning Activity 1, Question 2: How does Voice VLAN prevent data traffic from impacting the quality of voice traffic on the same port?
Slide 18: Learning Activity 1: Question 3
What does LLDP allow devices to advertise about themselves?
A) Availability
B) PoE class
C) Requested packet rate
D) Identity

Learning Activity 1, Question 3: What does LLDP allow devices to advertise about themselves?
Slide 19: EX Series Technical Details: EX Series Metro Ethernet Features

Now, let's take a look at the EX Series Metro Ethernet Features.
Slide 20: Section Objectives
After successfully completing this section, you will be able to discuss:
- Q-in-Q
- Private VLAN (PVLAN)

After successfully completing this section, you will be able to discuss Q-in-Q and Private VLAN (or PVLAN).
Slide 21: Metro Ethernet Features
- Q-in-Q allows the stacking of multiple customer VLANs over a service provider network
- Private VLAN (PVLAN) is a method to provide Layer 2 isolation between hosts within the same VLAN

We have two Metro Ethernet features to talk about with customers. The first is Q-in-Q, which allows the stacking of VLANs. The EX Series switches support up to 4000 VLANs, but Q-in-Q also allows you to have an interim label there, which provides you with 4000 different customer instances, each of 4000 VLANs, so it provides what we refer to as stacking of VLANs: the ability to segment customers. Private VLAN is another method to provide Layer 2 isolation between hosts within a particular VLAN. Both of these features are valuable in the deployment of Metro Ethernet types of environments.
Slide 22: Understanding EX Q-in-Q Tunneling
- EX Series Q-in-Q tunneling is based on the enterprise bridging implementation
- Allows stacking of a single S-VLAN (service VLAN) tag onto a customer packet upon egress of an uplink S-VLAN trunk port
- A packet's ingress customer access port is classified and associated into an S-VLAN, and the packet is considered untagged regardless of its incoming dot1q tag (C-VLAN/Customer VLAN tag)
- Customer packet can be either untagged, single-tagged or multiple-tagged
- Modeled as a VLAN (S-VLAN) rather than a point-to-point tunnel
- An S-VLAN can have as many ports (uplink trunk or customer access port) as possible
- Traffic can be bridged among all ports within an S-VLAN
- MAC address learning and lookup are done on an S-VLAN basis

Juniper follows a typical Q-in-Q implementation. We allow the stacking of a single service VLAN tag onto a customer packet. In turn, that customer may support up to 4,096 VLANs within their network. The use of that outer tag provides a segregation of customers within a Metro environment. For example, if you deploy in a multiple tenant unit where you're providing a service to a number of different customers, each one being an apartment, or in a university environment where you're providing connectivity to students in a dorm room, you usually don't want traffic to be able to cross the boundaries, apartment to apartment or user to user. You typically want it to go to a centralized type of environment in the core of that network. You do that by segmenting those customers. Q-in-Q is one method of doing that. There are other methods as well. Today the EX Series supports Q-in-Q tunneling to provide that segmentation and segregation of customers for these Metro Ethernet types of deployments.
Slide 23: Metro Ethernet Ring Deployment
- EX4200 deployed in CPE locations
- Q-in-Q
- GbE or 10GbE used for ring extension
- 100km span
- Virtual Chassis simplifies the metro ring by logically appearing as a single chassis
- Dual ring for added redundancy
- Junos scripts automate provisioning, troubleshooting and growth

This slide shows examples of Metro Ethernet deployments. You have a number of multitenant units; it could be other customer types of environments. This shows you a typical configuration with the EX4200 deployed in a Virtual Chassis configuration using a metro ring. The red ring you see there is a 10-gig ring. That metro environment could be a single Virtual Chassis or a number of Virtual Chassis interconnected into a headend Virtual Chassis, so you want to think of it as a ring of rings. The advantage that we have, in talking with service provider customers that want to deploy these Metro Ethernet rings, is that Virtual Chassis. With the flexibility of the Virtual Chassis design and the ease of management with fewer logical devices, we now have the ability to support that segmentation of customers using the Q-in-Q type of architecture.
Slide 24: Understanding Private VLAN
- Private VLAN is a method to provide Layer 2 isolation between hosts within the same VLAN
- Private VLAN consists of three VLAN domains:
  - Community VLAN: a secondary VLAN where a set of ports can communicate at Layer 2 with each other within the same community VLAN but cannot communicate with ports in other community or isolated VLANs
  - Isolated VLAN: a secondary VLAN where ports within this VLAN cannot communicate with each other at the Layer 2 level
  - Primary VLAN: this VLAN consists of all the elements in a private VLAN domain
- Private VLAN is defined with a primary VLAN within which all hosts reside, and a set of secondary VLANs by which hosts can be isolated from one another

Private VLAN is another method to provide Layer 2 isolation between hosts on the same VLAN. Private VLAN consists of three types of domains. There's a community VLAN, a set of ports that communicate with other ports. There are isolated VLANs where those ports can talk only to other devices that are part of that VLAN. Then there's a primary VLAN, which interconnects all the VLANs to one another. It's a way of segmenting and segregating different types of devices within a Metro Ethernet environment. It also can be used in an enterprise type of environment to segment different parts of the network where there's a need to prevent communication between different organizations.
Slide 25: Understanding Private VLAN (Cont'd.)
Furthermore, Private VLAN introduces three designations for switch ports:
- Promiscuous port: this port can communicate with ports in different community VLANs and/or isolated VLANs
- Community port: ports in a community VLAN can talk to any other ports in the same community VLAN; however, ports in different community VLANs cannot communicate without going through the promiscuous port
- Isolated port: ports in an isolated VLAN cannot talk to any other ports in the same isolated VLAN, nor to ports in other community VLANs, without going through the promiscuous port

Here we touch on interconnectivity between the different port modes: isolated ports versus community ports, and whether connectivity between other isolated or community ports is allowed. Ports in community VLANs are allowed to talk to one another. Ports in isolated VLANs can communicate only with ports on that VLAN.
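The port-role rules of slides 24 and 25 reduce to a small reachability function, shown here as an added example (not Juniper code, and not how Junos implements PVLAN forwarding). The port names and community names are constructed for the sample; every port is assumed to belong to the same primary VLAN.

```python
# Private VLAN Layer 2 reachability model (added example; not Juniper code).
# Encodes the promiscuous / community / isolated port rules from slides 24-25.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


@dataclass(frozen=True)
class PvlanPort:
    name: str                      # constructed interface name, e.g. "ge-0/0/1"
    role: str                      # one of the three port designations
    community: Optional[str] = None  # secondary community VLAN; community ports only

    def __post_init__(self):
        if self.role not in (PROMISCUOUS, COMMUNITY, ISOLATED):
            raise ValueError(f"{self.name}: unknown PVLAN port role {self.role!r}")
        if (self.role == COMMUNITY) != (self.community is not None):
            raise ValueError(f"{self.name}: only community ports carry a community VLAN")


def can_reach(src: PvlanPort, dst: PvlanPort) -> bool:
    """True if a frame from src may be bridged to dst inside one primary VLAN."""
    if src == dst:
        return False                               # a port does not talk to itself
    if PROMISCUOUS in (src.role, dst.role):
        return True                                # promiscuous ports reach every port
    if src.role == COMMUNITY and dst.role == COMMUNITY:
        return src.community == dst.community      # same community VLAN only
    return False   # isolated ports, and ports in different communities, are separated


def reachability(ports: Iterable[PvlanPort]) -> Dict[Tuple[str, str], bool]:
    """Full matrix of (src, dst) -> reachable, useful for auditing a design."""
    plist = list(ports)
    return {(a.name, b.name): can_reach(a, b) for a in plist for b in plist if a != b}


def needs_promiscuous_hop(src: PvlanPort, dst: PvlanPort) -> bool:
    """True when src can only reach dst through the promiscuous port (e.g. a router)."""
    return src != dst and not can_reach(src, dst)


if __name__ == "__main__":
    # Constructed sample: one uplink, two "eng" tenants, one "sales" tenant,
    # two isolated hosts.
    uplink = PvlanPort("ge-0/0/0", PROMISCUOUS)
    eng1 = PvlanPort("ge-0/0/1", COMMUNITY, "eng")
    eng2 = PvlanPort("ge-0/0/2", COMMUNITY, "eng")
    sales = PvlanPort("ge-0/0/3", COMMUNITY, "sales")
    iso1 = PvlanPort("ge-0/0/4", ISOLATED)
    iso2 = PvlanPort("ge-0/0/5", ISOLATED)
    for (a, b), ok in sorted(reachability([uplink, eng1, eng2, sales, iso1, iso2]).items()):
        print(f"{a} -> {b}: {'allowed' if ok else 'blocked'}")
```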
Slide 26: Section Summary
In this section, you have learned to discuss:
- Q-in-Q
- Private VLAN (PVLAN)
For more information and the latest technical specifications:

In this section, you have learned to discuss Q-in-Q and Private VLAN (or PVLAN).
Slide 27: Learning Activity 2: Question 1
What advantages does the EX4200 provide in a Metro Ethernet ring deployment? (Select three.)
A) Unlimited ring size
B) Ease of management
C) Flexibility
D) Customer segmentation

Answer the following questions to review what you've learned in this section. Learning Activity 2, Question 1: What advantages does the EX4200 provide in a Metro Ethernet ring deployment? (Select three.)
Slide 28: Learning Activity 2: Question 2
What does Private VLAN provide?
A) Layer 2 isolation between hosts
B) Layer 3 isolation between hosts
C) Layer 4 isolation between hosts
D) Layer 3 aggregation of hosts

Learning Activity 2, Question 2: What does Private VLAN provide?
Slide 29: EX Series Technical Details: Port Security and the EX Series Ethernet Switches

Now, let's take a look at the EX Series Metro Ethernet Features.
Slide 30: Section Objectives
After successfully completing this section, you will be able to discuss:
- MAC Limiting
- DHCP Snooping
- Dynamic ARP Inspection
- Unicast Reverse-Path Forwarding (RPF)

After successfully completing this section, you will be able to discuss MAC Limiting, DHCP Snooping, Dynamic ARP Inspection, and Unicast Reverse-Path Forwarding (or RPF).
Slide 31: Port Security Features
- MAC limiting prevents MAC flooding and spoofing by limiting and explicitly configuring the number of MAC addresses that can be learned on a given port
- DHCP Snooping inspects all DHCP packets received on untrusted ports
- Dynamic ARP Inspection (DAI) prevents ARP spoofing and intercepts ARP packets on untrusted ports
- Unicast Reverse-Path Forwarding (RPF) is a security mechanism to cope with DoS or DDoS attacks where source addresses are spoofed

Here's some information on four specific port security features of the EX platform. MAC limiting prevents MAC flooding and spoofing by limiting and explicitly configuring the number of MAC addresses that can be learned on a given port. MAC limiting is available on all ports of the EX3200, EX4200, and EX8200 platforms. DHCP Snooping inspects all DHCP packets received on an untrusted port. Dynamic ARP Inspection is another important feature. It can prevent ARP spoofing and intercepts any ARP packets. RPF, or Reverse-Path Forwarding, copes with DoS or DDoS attacks where source addresses are spoofed.
Slide 32: Understanding MAC Limiting
- MAC limiting prevents MAC flooding by limiting the number of MAC addresses that can be learned on a given port
- MAC limiting prevents MAC spoofing by explicitly configuring allowed MAC addresses on a given port
- MAC limiting is available on Layer 2 access ports of the EX2200, EX3200, EX4200 and EX

What are the benefits of the MAC limiting feature? MAC limiting prevents MAC flooding attacks by limiting the number of MAC addresses that can be learned on a particular port. Also, MAC limiting prevents MAC spoofing by explicitly configuring what is allowed on a particular port. Lastly, MAC limiting is available on any Layer 2 access port.
Slide 33: MAC Limiting Methods
MAC limiting can be configured using either of the following methods:

There are two methods that MAC limiting can use to achieve the desired effect. Looking at the left side, you can see that the first method is called allowed MAC address, or static binding. Basically, a user can statically bind a specific MAC address to a particular port. For example, as you see in the diagram on the left side, once you know the MAC address the particular host is handing out, you can statically bind that MAC address to the particular port. If an unrecognized host comes along and tries to connect to the network, it will be denied access. The method on the right side is called MAC address limiting. There can be multiple hosts, perhaps through a hub, on a single port. From the perspective of the Virtual Chassis switch, only a single port will be active, but in reality there are multiple hosts on it. By design, you can define how many hosts are allowed on that particular port. In the example, only up to two MAC addresses have been allowed to be learned on that particular port. The third one that comes along will not gain access to the network. That covers the methods the MAC limiting feature uses to achieve the desired effect.
Slide 34: MAC Limiting Action Types
When a MAC address limit has been exceeded or an invalid MAC address is detected on a port with MAC limiting, the port can perform one of the following actions:

There are three types of actions that the switch can perform when a MAC address limit has been exceeded or an invalid MAC address is detected on a port with MAC limiting. The first one is called Syslog Only mode. A violation consists of seeing an unrecognized host on a static binding port or exceeding the number of allowed MAC addresses on the particular port. When there is a violation, the Syslog Only action generates an error log in the syslog. However, the traffic from the unrecognized or violating host still goes through. To cope with this, there's a second action type, called Drop and Syslog. In addition to the action taken by Syslog Only mode, Drop and Syslog mode drops the offending traffic from the unrecognized or violating host or violating MAC addresses. The most restrictive action you can take is Shutdown. Although this does not bring the Layer 1 link down, Shutdown disables any kind of MAC learning or traffic forwarding on the particular port, so it is effectively shut down.
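The two MAC limiting methods of slide 33 and the three action types of slide 34 can be exercised together in a small port model. This is an added example, not Juniper code or the Junos forwarding path: the action names, interface names and MAC addresses are constructed, and the model assumes a statically allowed MAC does not count against the learned-address limit.

```python
# MAC limiting port model (added example; not Juniper code). Combines static
# binding and address-count limiting with the Syslog Only, Drop and Syslog,
# and Shutdown actions described on slides 33 and 34.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set

SYSLOG_ONLY, DROP_AND_SYSLOG, SHUTDOWN = "syslog-only", "drop-and-syslog", "shutdown"


@dataclass
class SecurePort:
    name: str                                   # constructed, e.g. "ge-0/0/1"
    action: str = SYSLOG_ONLY
    mac_limit: Optional[int] = None             # max dynamically learned MACs
    allowed_macs: FrozenSet[str] = frozenset()  # static bindings; empty = none
    learned: Set[str] = field(default_factory=set)
    syslog: List[str] = field(default_factory=list)
    shut_down: bool = False

    def _violation(self, mac: str) -> Optional[str]:
        """Return a reason string if this source MAC violates the port policy."""
        if self.allowed_macs and mac not in self.allowed_macs:
            return "unrecognized host on static binding port"
        if (self.mac_limit is not None and mac not in self.learned
                and mac not in self.allowed_macs and len(self.learned) >= self.mac_limit):
            return f"MAC limit {self.mac_limit} exceeded"
        return None

    def ingress(self, src_mac: str) -> bool:
        """Handle one frame from src_mac; return True if the frame is forwarded."""
        mac = src_mac.lower()
        if self.shut_down:
            return False        # Shutdown: no learning, no forwarding (link stays up)
        reason = self._violation(mac)
        if reason is None:
            if mac not in self.allowed_macs:
                self.learned.add(mac)   # normal dynamic learning
            return True
        self.syslog.append(f"{self.name}: {reason} (src {mac})")   # every action logs
        if self.action == SYSLOG_ONLY:
            return True         # logged, but the offending traffic still goes through
        if self.action == SHUTDOWN:
            self.shut_down = True
        return False            # Drop and Syslog, and Shutdown, drop the frame


if __name__ == "__main__":
    p = SecurePort("ge-0/0/1", action=DROP_AND_SYSLOG, mac_limit=2)
    for m in ("00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"):
        print(m, "forwarded" if p.ingress(m) else "dropped")
    print("\n".join(p.syslog))
```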
Slide 35: Understanding DHCP Snooping: Step By Step
- DHCP Snooping inspects all DHCP packets received on untrusted ports
- All access ports are untrusted by default
- All trunk ports are trusted by default
- Switch allows only DHCP DISCOVER/REQUEST from untrusted ports; all other DHCP traffic types are dropped
- Switch creates a new entry in the DHCP Snooping database with the host MAC address and its associated port
- Original DHCP DISCOVER/REQUEST packet is then forwarded to the DHCP server
- When the DHCP server responds, the response is intercepted by the switch
- Switch completes the DHCP Snooping entry in the database by adding the newly offered IP address
- DHCP response is relayed to the requesting host, completing the DHCP process
- By intercepting all DHCP messages bridged within the subnet, DHCP Snooping acts as a firewall between hosts and the DHCP server while keeping all information in the DHCP Snooping database

Let's examine DHCP Snooping. Once DHCP Snooping is enabled, the switch inspects all DHCP packets received on untrusted ports. Looking at the untrusted port, there are two ways that DHCP snooping defines the port. First are access ports. Access ports are typically considered to be where the hosts are connected, so these are untrusted by default. Second are trunk ports. All trunk ports are trusted by default, because hosts generally should not be connected on these ports. Once snooping is enabled on the switch, the switch will only allow two messages, DHCP Discover and DHCP Request, from an untrusted port. The switch drops any other DHCP traffic types on untrusted ports. However, trusted or untrusted states can be overridden statically by user intervention. When the switch intercepts DHCP Discover or DHCP Request packets from the untrusted port, it creates a new entry in the DHCP snooping binding database with the host MAC address and its associated port. For example, if a host with the MAC address ABCDEF comes along on the port Gigabit Ethernet 0/0/1, the switch makes a note of that and creates a partial entry in its DHCP snooping binding database. The original DHCP Discover or Request packet will then be forwarded to the DHCP server without any modification.
Slide 36: DHCP Snooping Benefits: Impact on Clients
None for good hosts
Hosts are not aware that requests and responses are being snooped; no need to change client software
Malicious hosts trying to attack the network by spoofing DHCP messages can no longer do so
Available on EX2200, EX3200 and EX4200; refer to the product roadmap for the other EX platforms

By intercepting these DHCP messages within the subnet, the DHCP snooping feature effectively acts as a firewall between the host and the DHCP server. This process does not affect the client. The host and the DHCP server, on the left and right sides of the diagram, are completely unaware that any snooping is going on, while the switch in the middle is collecting information and building up the DHCP snooping binding database. This makes it much harder for DHCP-based attacks, such as a rogue DHCP server on an access port, to succeed.
Slide 37: Understanding Dynamic ARP Inspection
Prevents ARP spoofing
DAI intercepts ARP packets on untrusted ports (by default, all access ports) and validates them against the DHCP snooping database
If the ARP packet's source MAC address does not match a valid entry in the DHCP snooping database, the packet is dropped and the local ARP cache is not updated with the information in that packet
Unlike access ports, trunk ports are trusted by default; therefore, ARP packets received on trunk ports bypass DAI
DHCP snooping is required
Ideally, ARP resolution should be consistent with the DHCP database
Dynamic ARP Inspection can be enabled or disabled per VLAN, but not per port
Default is disabled on all VLANs
Available on EX2200, EX3200 and EX4200; refer to the product roadmap for the other EX platforms

Let's next discuss Dynamic ARP Inspection (DAI). This feature builds on DHCP snooping. Once it is turned on, instead of intercepting the DHCP packets going back and forth, DAI intercepts the ARP packets on untrusted ports and validates them against the DHCP snooping database. If the ARP packet's sender MAC and IP addresses do not match a valid entry in the DHCP snooping database, the switch drops the packet and does not update its ARP cache with the information in that packet, so an attacker on an access port cannot poison the cache by claiming someone else's IP address. As with DHCP snooping, access ports and trunk ports are treated differently. If the switch receives an ARP packet on a trunk port, the packet bypasses DAI, because the trunk port is trusted. By default any access port is untrusted and any trunk port is trusted, as discussed earlier with DHCP snooping. Because the DHCP snooping database is the only source of truth, a host with a statically configured IP address has no binding, and its ARP packets are dropped unless a static entry for it is added on the switch.
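The following is an added example, not code from the original course or from Juniper, covering both the DHCP snooping walkthrough on slide 35 and the DAI validation on this slide. It is a Python model of the binding database: DISCOVER and REQUEST from an untrusted port create a partial (MAC, port) entry, the server's OFFER or ACK on a trusted port completes it with the leased address, any server-type message on an untrusted port is dropped, and ARP packets on untrusted ports are then checked against the completed bindings. The port names, MAC and IP addresses and the message sequence are made up. The last ARP case is the statically addressed host mentioned above, which has no lease and is therefore dropped.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the DHCP snooping binding database (slide 35) and of
# Dynamic ARP Inspection validating ARP against it (slide 37). Not Junos code:
# port names, MAC and IP addresses and the message sequence are made up.
CLIENT_MSGS = {"DISCOVER", "REQUEST"}     # the only DHCP types allowed from untrusted ports
SERVER_MSGS = {"OFFER", "ACK", "NAK"}     # server replies, expected only on trusted ports


@dataclass
class Binding:
    mac: str
    port: str
    ip: Optional[str] = None              # filled in when the server's reply is snooped


@dataclass
class Switch:
    trusted: set                          # trunk ports (or ports marked trusted by hand)
    bindings: dict = field(default_factory=dict)    # DHCP snooping database, keyed by MAC
    dropped: list = field(default_factory=list)

    def dhcp(self, port: str, kind: str, mac: str, ip: Optional[str] = None) -> bool:
        """Snoop one DHCP message; True means it is forwarded."""
        if port not in self.trusted:
            if kind not in CLIENT_MSGS:   # e.g. an OFFER from a rogue server on an access port
                self.dropped.append(f"DHCP {kind} from {mac} on untrusted {port}")
                return False
            # DISCOVER/REQUEST: record (MAC, port) as a partial entry, then forward unchanged
            self.bindings.setdefault(mac, Binding(mac, port))
            return True
        # Trusted port: a server reply completes the entry with the offered address
        if kind in SERVER_MSGS and mac in self.bindings:
            self.bindings[mac].ip = ip
        return True

    def arp(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """Dynamic ARP Inspection; True means the ARP packet is accepted."""
        if port in self.trusted:
            return True                   # trunk ports bypass DAI
        b = self.bindings.get(sender_mac)
        if b is None or b.port != port or b.ip != sender_ip:
            self.dropped.append(f"ARP {sender_ip}/{sender_mac} on {port}: no matching binding")
            return False                  # dropped; the ARP cache is not updated
        return True


def scenario() -> dict:
    """One client's DHCP exchange, a rogue server, then four ARP packets."""
    sw = Switch(trusted={"ge-0/0/47"})    # uplink trunk toward the real DHCP server
    client = "00:aa:00:00:00:01"
    out = {}
    out["discover"] = sw.dhcp("ge-0/0/1", "DISCOVER", client)
    out["offer"] = sw.dhcp("ge-0/0/47", "OFFER", client, "10.0.0.50")
    out["request"] = sw.dhcp("ge-0/0/1", "REQUEST", client)
    out["ack"] = sw.dhcp("ge-0/0/47", "ACK", client, "10.0.0.50")
    out["rogue_offer"] = sw.dhcp("ge-0/0/2", "OFFER", "00:bb:00:00:00:02", "10.0.0.99")
    out["arp_ok"] = sw.arp("ge-0/0/1", client, "10.0.0.50")          # matches the binding
    out["arp_spoofed_ip"] = sw.arp("ge-0/0/1", client, "10.0.0.1")    # claims the gateway
    out["arp_wrong_port"] = sw.arp("ge-0/0/3", client, "10.0.0.50")   # cloned MAC elsewhere
    out["arp_static_host"] = sw.arp("ge-0/0/4", "00:cc:00:00:00:03", "10.0.0.200")  # no lease
    out["binding_ip"] = sw.bindings[client].ip
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:16s} {v}")
```

The `dropped` list plays the role of the syslog: after the scenario it holds the rogue OFFER and the three rejected ARP packets, which is the evidence an operator would look for when a host complains it cannot reach the gateway.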
Slide 38: Understanding Unicast Reverse-Path Forwarding (RPF)
Unicast Reverse Path Forwarding (RPF) is a security mechanism to cope with DoS or DDoS attacks, where source addresses are often spoofed
Unicast RPF verifies that the path of an incoming packet is consistent with the forwarding table. This is achieved by performing a reverse path lookup using the source IP address of the incoming packet to determine the current path to that IP address. The validity of this path determines whether unicast RPF passes or drops the packet
If the receiving interface is the interface the switch would use to send a packet to the source network, the packet is forwarded
If the receiving interface is not the interface the switch would use to send a packet to the source network, the packet is dropped

Reverse-path forwarding is another security mechanism, primarily intended to cope with denial of service or distributed denial of service attacks, in which the source addresses are often spoofed. A spoofed packet arrives on an interface that its claimed source address would never legitimately arrive on, and without a check it would be forwarded across the network with the intent of causing downtime. Unicast RPF passes or drops traffic based on consistency with the forwarding table. Each EX switch builds a forwarding table, and from that table it knows which interface it would use to reach a given source network. If the receiving interface is the interface the switch would use to send a packet back to the source, the packet is forwarded. If it is not the interface that the source address is associated with, the packet is dropped, since it is assumed to be spoofed. This is the strict form of the check, so it only fits interfaces where routing is symmetric: where return traffic for a source legitimately leaves on a different interface than the one its packets arrive on, strict unicast RPF drops legitimate traffic.
Slide 39: Unicast Reverse-Path Forwarding (Cont'd.)
Unicast RPF supports the following interfaces:
Layer 3
LAG
Routed VLAN interface
Unicast RPF is enabled on the switch globally
Default is disabled
BOOTP/DHCP packets: BOOTP/DHCP requests with source IP 0.0.0.0 and the broadcast MAC as destination are not subjected to RPF checks
Default route: packets received on the ingress interface indicated by the default route are considered valid and forwarded
ECMP: the switch does not perform unicast RPF filtering on equal-cost multipath (ECMP) traffic

Unicast RPF is supported on Layer 3 interfaces, Layer 3 LAG interfaces, and routed VLAN interfaces. Since it looks at IP addresses, the interface has to be a Layer 3 interface. By default, it is disabled. The remaining points on the slide are implementation details that a system engineer deploying RPF needs to be aware of: DHCP requests, which have no source address yet, are exempt; a packet whose source is covered only by the default route is accepted when it arrives on the default route's interface; and traffic whose source is reachable over equal-cost multipath is not filtered at all, because more than one ingress interface would be valid.
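The following is an added example, not code from the original course or from Juniper: a Python model of the strict unicast RPF decision on slides 38 and 39, including the three exceptions listed above. It does a longest-prefix match on the source address of each packet and compares the resulting next-hop interface with the interface the packet arrived on. The forwarding table, interface names and packets are made up; the `ae0.0` entry stands in for a Layer 3 LAG and `vlan.10` for a routed VLAN interface.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed model of the strict unicast RPF check on slides 38 and 39,
# including the three special cases listed on slide 39. Not Junos code:
# the forwarding table, interface names and packets are made up.
FIB = {
    ipaddress.ip_network("10.1.0.0/16"): {"vlan.10"},                         # routed VLAN interface
    ipaddress.ip_network("10.2.0.0/16"): {"ae0.0"},                           # Layer 3 LAG
    ipaddress.ip_network("172.16.0.0/16"): {"ge-0/0/46.0", "ge-0/0/47.0"},    # ECMP, two next hops
    ipaddress.ip_network("0.0.0.0/0"): {"ge-0/0/0.0"},                        # default route
}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Packet:
    ingress: str            # interface the packet arrived on
    src_ip: str
    dst_mac: str = "00:00:5e:00:53:01"


def lookup(src_ip: str):
    """Longest-prefix match of the source address: (prefix, next-hop interfaces)."""
    ip = ipaddress.ip_address(src_ip)
    matches = [p for p in FIB if ip in p]
    if not matches:
        return None, set()
    best = max(matches, key=lambda p: p.prefixlen)
    return best, FIB[best]


def rpf_check(pkt: Packet) -> bool:
    """True if the packet passes unicast RPF and may be forwarded."""
    # BOOTP/DHCP requests have no source address yet and are exempt.
    if pkt.src_ip == "0.0.0.0" and pkt.dst_mac == BROADCAST_MAC:
        return True
    prefix, nexthops = lookup(pkt.src_ip)
    if prefix is None:
        return False                     # unroutable source: cannot be verified
    if len(nexthops) > 1:
        return True                      # ECMP source: not RPF-filtered
    # Strict check (also for sources covered only by the default route):
    # the ingress interface must be the one we would use to reach the source.
    return pkt.ingress in nexthops


def examples() -> dict:
    return {
        "legit":          rpf_check(Packet("vlan.10", "10.1.5.5")),
        "spoofed_on_lag": rpf_check(Packet("ae0.0", "10.1.5.5")),         # 10.1/16 lives behind vlan.10
        "default_ok":     rpf_check(Packet("ge-0/0/0.0", "198.51.100.7")),
        "default_wrong":  rpf_check(Packet("vlan.10", "198.51.100.7")),   # internet source from the LAN
        "ecmp_any_port":  rpf_check(Packet("vlan.10", "172.16.3.3")),
        "dhcp_discover":  rpf_check(Packet("vlan.10", "0.0.0.0", BROADCAST_MAC)),
    }


if __name__ == "__main__":
    for name, ok in examples().items():
        print(f"{name:15s} {'forward' if ok else 'drop'}")
```

The `default_wrong` case is the one that matters for the DoS motivation on slide 38: a host on the LAN sending packets with an Internet source address fails the check, because the switch would reach that source through the uplink, not through `vlan.10`.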
Slide 40: Section Summary
In this section, you have learned to discuss:
MAC Limiting
DHCP Snooping
Dynamic ARP Inspection
Unicast Reverse-Path Forwarding (RPF)
For more information and the latest technical specifications:

In this section, you have learned to discuss MAC limiting, DHCP snooping, Dynamic ARP Inspection, and unicast Reverse-Path Forwarding (RPF).
Slide 41: Learning Activity 3: Question 1
What hosts will Allowed MAC Address reject?
A) One whose MAC address does not match the known IP address.
B) One whose MAC address is not recognized for that port.
C) One whose MAC address does not fall within the allowed range.
D) One that exceeds the maximum number of MAC addresses for the port.

Answer the following questions to review what you've learned in this section. Learning Activity 3, Question 1: What hosts will Allowed MAC Address reject?
Slide 42: Learning Activity 3: Question 2
What kind of DHCP packets will an EX switch allow by default on untrusted ports with DHCP snooping enabled?
A) None
B) All
C) Offer and Release
D) Discovery and Request

Learning Activity 3, Question 2: What kind of DHCP packets will an EX switch allow by default on untrusted ports with DHCP snooping enabled?
Slide 43: Learning Activity 3: Question 3
What does Dynamic ARP Inspection require to work?
A) DHCP snooping
B) MAC limiting
C) Unicast RPF
D) A populated ARP lookup table

Learning Activity 3, Question 3: What does Dynamic ARP Inspection require to work?
Slide 44: EX Series Technical Details: User Authentication on EX Series

Next up, we'll talk about user authentication on the EX Series.
Slide 45: Section Objectives
After successfully completing this section, you will be able to discuss:
802.1X
MAC-RADIUS

After successfully completing this section, you will be able to discuss 802.1X and MAC-RADIUS.
Slide 46: Authentication Features
802.1X defines a way to authenticate users and grant them specific network access rights based on their profile
MAC-RADIUS provides a solution to authenticate end hosts that are not 802.1X compliant

All switches in the EX portfolio now support these two features. We'll now talk in greater detail about two things related to user authentication: 802.1X and MAC-RADIUS.
Slide 47: Understanding 802.1X
802.1X is an IEEE standard for access control and authentication
802.1X defines a way to authenticate users and grant them specific network access rights based on their profile
The 802.1X equation includes three essential elements: the 802.1X host (supplicant), the switch (authenticator) and the RADIUS server
802.1X requires the host to run 802.1X client software
Windows XP and Windows Vista include an 802.1X client by default; other operating systems usually require separate software

First of all, 802.1X is the IEEE standard for port-based access control and authentication, as well as authorization. 802.1X defines a way to authenticate users and grant them specific network access rights based on their profile, and it does this on a per-user basis. The most important part of this slide is the terminology used by the standard. In the diagram, first is the host, which the standard refers to as the supplicant. The RADIUS server on the right is the authentication server, and the switch in the middle is the 802.1X authenticator, or just the authenticator. The EX switch acts as the authenticator in this example: it accepts the host's authentication requests and forwards them to the authentication server, then relays the authentication server's replies back to the host.
Slide 48: Understanding 802.1X (Cont'd.)
The switch controls physical access to the network; when a host first connects to a switch, it cannot send normal traffic over the link
The switch acts as a proxy, requesting identity information from the host and relaying it to the RADIUS server

Traffic between the host and the authenticator is EAPOL (EAP over LAN). Traffic between the authenticator and the RADIUS server is RADIUS. The authentication exchange itself uses EAP, the Extensible Authentication Protocol: the switch takes the EAP messages it receives in EAPOL frames from the host and carries them to the server inside RADIUS packets, and does the reverse for the server's replies, so the switch never needs to understand the EAP method in use. In that sense the switch acts as a proxy to the authentication server. The host cannot send normal traffic over the link until it is authenticated; until then only EAPOL frames are accepted on the port.
Slide 49: Understanding MAC-RADIUS
MAC-RADIUS provides a scalable solution for authenticating end hosts that are not 802.1X compliant in a large environment, by using the MAC address of the end host as the client identity to authenticate with the centralized authentication server
IEEE 802.1X provides a framework for network access control; however, it requires the supplicant to have software that can communicate via 802.1X as part of the framework
This may not be possible in some customer environments where the connected devices do not support 802.1X: printers, PoE cameras, etc.
There is also a method where devices that do not support 802.1X can bypass authentication by statically configuring their MAC addresses on the switch locally

MAC-RADIUS provides a solution for authenticating any end host that is not 802.1X compliant. In the case of the previous slide, we would need an 802.1X supplicant, or agent, residing on the host for it to be authenticated. But there are devices on the network, such as cameras and printers, which have no 802.1X agent and cannot act as a supplicant. There are two ways to admit them. The simpler one is static MAC bypass: we configure their MAC addresses on the switch locally, so those devices are allowed onto the network without authentication. That does not scale to a large environment, and that is where MAC-RADIUS comes into play: instead of a local list, the switch presents the device's MAC address to the central RADIUS server as the credential, which the next slide describes.
Slide 50: Understanding MAC-RADIUS (Cont'd.)
When a new MAC address appears on a MAC-RADIUS enabled interface, the switch communicates with the RADIUS server using the client's MAC address as the credential. If the new MAC address is accepted by the RADIUS server, access is granted
As with 802.1X, the authenticator (EX Series switch) behavior and configuration, as well as all attributes sent by the RADIUS server, are identical
When there are multiple authentication mechanisms available on a given interface, the order of authentication is:
1. Static MAC bypass
2. 802.1X
3. MAC-RADIUS
4. Guest VLAN or auth-failed VLAN

When a new MAC address appears on a MAC-RADIUS enabled interface, the switch communicates with the RADIUS server using the client's MAC address as its credential. If that MAC address is in the RADIUS server's database, access is granted. If not, access is denied: the EX Series switch, acting as the authenticator, keeps the port blocked for that device, unless a guest VLAN or auth-failed VLAN is configured as the final fallback in the list on this slide. Because a MAC address is trivial to clone, MAC-RADIUS is weaker than 802.1X and should be combined with the other port security features, such as MAC limiting, rather than treated as equivalent. If there are multiple authentication methods available on an interface, they are tried in the order shown: static MAC bypass first, then 802.1X, then MAC-RADIUS, and lastly the guest VLAN or authentication-failed VLAN.
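The following is an added example, not code from the original course or from Juniper: a Python model of the four-step order on this slide, deciding for each connecting host which method settles its fate and which VLAN it ends up in. The RADIUS database contents, MAC addresses and VLAN names are made up. Two details are assumptions drawn from the slide's list rather than statements on the page: a host whose 802.1X credentials are rejected goes to the auth-fail VLAN without trying MAC-RADIUS, and a host that never responds to 802.1X and is unknown to MAC-RADIUS goes to the guest VLAN.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the per-interface authentication order on slide 50:
# static MAC bypass, then 802.1X, then MAC-RADIUS, then guest/auth-fail VLAN.
# Not Junos code. The RADIUS database, MACs and VLAN names are made up, and the
# rule that a rejected supplicant lands in the auth-fail VLAN while a host with
# no supplicant lands in the guest VLAN is an assumption drawn from the slide's list.
BLOCKED = "blocked"


@dataclass
class RadiusServer:
    users: dict         # username -> (password, vlan) for 802.1X
    macs: dict          # MAC address -> vlan for MAC-RADIUS

    def auth_user(self, user: str, password: str) -> Optional[str]:
        rec = self.users.get(user)
        return rec[1] if rec and rec[0] == password else None

    def auth_mac(self, mac: str) -> Optional[str]:
        return self.macs.get(mac)       # the MAC address itself is the credential


@dataclass
class Host:
    mac: str
    supplicant: Optional[tuple] = None  # (username, password) if the host runs an 802.1X client


@dataclass
class Interface:
    radius: RadiusServer
    static_bypass: dict = field(default_factory=dict)   # MAC -> vlan, configured locally
    dot1x: bool = True
    mac_radius: bool = True
    guest_vlan: Optional[str] = None
    auth_fail_vlan: Optional[str] = None

    def admit(self, host: Host) -> tuple:
        """Return (method that decided, VLAN the host is placed in or BLOCKED)."""
        # 1. Static MAC bypass: decided locally, the RADIUS server is never consulted.
        if host.mac in self.static_bypass:
            return "static-bypass", self.static_bypass[host.mac]
        # 2. 802.1X, only if the host answers EAP, i.e. runs a supplicant.
        if self.dot1x and host.supplicant is not None:
            vlan = self.radius.auth_user(*host.supplicant)
            if vlan:
                return "802.1x", vlan
            return "802.1x", self.auth_fail_vlan or BLOCKED   # credentials rejected
        # 3. MAC-RADIUS for hosts that never responded to 802.1X.
        if self.mac_radius:
            vlan = self.radius.auth_mac(host.mac)
            if vlan:
                return "mac-radius", vlan
        # 4. Last resort: guest VLAN if configured, otherwise the port stays blocked.
        return "guest-vlan", self.guest_vlan or BLOCKED


def scenario() -> dict:
    radius = RadiusServer(users={"alice": ("s3cret", "employees")},
                          macs={"00:1b:4f:00:00:10": "printers"})
    port = Interface(radius, static_bypass={"00:04:0f:00:00:01": "voice"},
                     guest_vlan="guest", auth_fail_vlan="quarantine")
    return {
        "ip_phone":       port.admit(Host("00:04:0f:00:00:01")),
        "laptop_ok":      port.admit(Host("00:50:56:00:00:02", ("alice", "s3cret"))),
        "laptop_badpw":   port.admit(Host("00:50:56:00:00:03", ("alice", "wrong"))),
        "printer":        port.admit(Host("00:1b:4f:00:00:10")),
        "unknown":        port.admit(Host("00:de:ad:be:ef:00")),
        "unknown_strict": Interface(radius).admit(Host("00:de:ad:be:ef:00")),
    }


if __name__ == "__main__":
    for name, (method, vlan) in scenario().items():
        print(f"{name:15s} via {method:14s} -> {vlan}")
```

The `unknown_strict` case shows a port with neither guest nor auth-fail VLAN: an unrecognized device simply stays blocked, which is the behaviour the narration above describes.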
Slide 51: Section Summary
In this section, you have learned to discuss:
802.1X
MAC-RADIUS
For more information and the latest technical specifications:

In this section, you have learned to discuss 802.1X and MAC-RADIUS.
Slide 52: Learning Activity 4: Question 1
What are the main components of 802.1X? (Select three.)
A) RADIUS server
B) RADIUS client
C) Supplicant
D) Authenticator

Learning Activity 4, Question 1: What are the main components of 802.1X? (Select three.)
Slide 53: Learning Activity 4: Question 2
Is the following statement true or false? In 802.1X, when a host first connects to an EX switch, it cannot send normal traffic over the link.
A) True
B) False

Learning Activity 4, Question 2: Is the following statement true or false? In 802.1X, when a host first connects to an EX switch, it cannot send normal traffic over the link.
Slide 54: Learning Activity 4: Question 3
MAC-RADIUS is a method for granting network access to what type of device?
A) Devices that do not have MAC addresses
B) Devices that do not support 802.1X
C) Devices that cannot communicate using RADIUS
D) Devices that lack IEEE-RADIUS certification

Learning Activity 4, Question 3: MAC-RADIUS is a method for granting network access to what type of device?
Slide 55: EX Series Technical Details: EX Series Access Control Lists

Next, EX Series access control lists.
Slide 56: Section Objectives
After successfully completing this section, you will be able to discuss:
Firewall filters (ACLs)
Port-based filters
VLAN-based filters
Router-based filters
Firewall filter processing
Firewall filter entry programming

After successfully completing this section, you will be able to discuss firewall filters (ACLs); port-based, VLAN-based and router-based filters; firewall filter processing; and firewall filter entry programming.
Slide 57: Types of Filters (ACLs)
Port-based firewall filter (PACL): applied directly to a Layer 2 switch port
VLAN-based firewall filter (VACL): applied to a Layer 2 VLAN
Router-based firewall filter (RACL): applied directly to a Layer 3 routed interface
The same firewall filter can be used as a port firewall filter or a VLAN firewall filter; the distinction is determined by the point of policy enforcement
Firewall filter processing on EX Series switches is done in hardware (PFE)
Firewall filter (ACL) entries are programmed in PFE TCAM; lookups and enforcement are performed at line rate
EX2200 supports 1,500 ACLs
EX3200 and EX4200 support 7K ACLs
EX8200 supports 54K security ACLs

Last on the access security topic list is the firewall filter, also known as an access control list or ACL. There are three types of firewall filter. The first is the port-based firewall filter; the second is the VLAN-based firewall filter; the last is the router-based firewall filter. For those familiar with ACL terminology, these are referred to as PACL, VACL, and RACL. The port-based firewall filter is applied directly to a Layer 2 switch port. The VLAN-based filter is applied to a Layer 2 VLAN. The router-based firewall filter is applied directly to a Layer 3 routed interface, such as an RVI. These are the same firewall filters available elsewhere in Junos; the role a filter plays depends only on where it is applied. Because the entries are programmed into TCAM, the counts on the slide are hardware limits rather than performance guidelines: once the TCAM is full, additional terms cannot be programmed. The EX3200 and EX4200 scale to 7,000 access control lists per device; in the case of the EX4200, that is 7,000 across a Virtual Chassis. Because it is usually deployed in much larger core environments, the EX8200 scales to 54,000 firewall filters or ACLs.
Slide 58: Understanding Firewall Filters
The order of precedence in ingress firewall filter processing is port FF, VLAN FF, router FF
Egress firewall filter processing is done in the reverse order
A router firewall filter does not apply to packets switched within the same VLAN

In the diagram, the blue box in the middle is the switch. Assume the host on ge-1/0/1 wants to send traffic to the host on ge-1/0/4, which is in a different VLAN. The packets received by the switch first go through the port-based firewall filter, then the VLAN-based firewall filter, and last the router-based firewall filter. On the egress side, packets go through the router-based firewall filter and then the VLAN-based firewall filter, and then out the port. This order matters because the role of a firewall filter differs depending on where it is enforced. Say a user applies a firewall filter on the router interface (the RVI) intending to block traffic that stays within the VLAN itself, for example the host on ge-1/0/0 in the bottom left corner communicating with the host on ge-1/0/1 in the same VLAN. That filtering will never take place, because the traffic never traverses the router interface of that VLAN; it is switched at Layer 2. To block intra-VLAN traffic, the filter has to be applied as a port or VLAN filter. That is why we need to keep the order in mind: port-based filter, VLAN-based filter, then router-based filter on ingress, and the reverse on egress.
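The following is an added example, not code from the original course or from Juniper: a Python model of the enforcement points on this slide. It walks a packet through the port, VLAN and router filters on ingress and the same points in reverse on egress, consults the router filter only when the packet actually crosses between VLANs, and applies the same "block Telnet" filter once as a router filter and once as a VLAN filter. The filter terms, port-to-VLAN mapping and packets are made up. It reproduces the mistake described above: the Telnet session that stays inside the sales VLAN is never seen by the RVI filter.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed model of the firewall filter enforcement points on slide 58:
# ingress port filter, VLAN filter, router filter; egress in reverse; and a
# router filter never seeing traffic switched within one VLAN. Not Junos code:
# the filter terms, port-to-VLAN mapping and packets are made up.
ACCEPT, DISCARD = "accept", "discard"
Term = Tuple[Callable[["Packet"], bool], str]    # (match predicate, action)


@dataclass
class Packet:
    ingress: str          # ingress port, e.g. "ge-1/0/1"
    egress: str           # egress port chosen by the forwarding lookup
    src_vlan: str
    dst_vlan: str
    proto: str = "tcp"
    dst_port: int = 0


def evaluate(terms: List[Term], pkt: Packet) -> str:
    """First matching term wins; Junos filters discard anything no term matches."""
    for match, action in terms:
        if match(pkt):
            return action
    return DISCARD


@dataclass
class Switch:
    port_filters: dict = field(default_factory=dict)    # port -> terms (PACL)
    vlan_filters: dict = field(default_factory=dict)    # VLAN -> terms (VACL)
    router_filters: dict = field(default_factory=dict)  # VLAN's RVI -> terms (RACL)

    def forward(self, pkt: Packet) -> tuple:
        """Return (verdict, enforcement points consulted, in order)."""
        routed = pkt.src_vlan != pkt.dst_vlan            # inter-VLAN traffic crosses the RVI
        points = [("port", pkt.ingress), ("vlan", pkt.src_vlan)]
        if routed:
            points += [("router", pkt.src_vlan), ("router", pkt.dst_vlan)]
        points += [("vlan", pkt.dst_vlan), ("port", pkt.egress)]   # egress: reverse order
        tables = {"port": self.port_filters, "vlan": self.vlan_filters,
                  "router": self.router_filters}
        consulted = []
        for kind, key in points:
            terms = tables[kind].get(key)
            if terms is None:
                continue                                 # no filter at this point
            consulted.append(f"{kind}:{key}")
            if evaluate(terms, pkt) == DISCARD:
                return DISCARD, consulted
        return ACCEPT, consulted


# A filter that blocks Telnet and accepts everything else.
BLOCK_TELNET: List[Term] = [
    (lambda p: p.proto == "tcp" and p.dst_port == 23, DISCARD),
    (lambda p: True, ACCEPT),
]


def scenario() -> dict:
    intra = Packet("ge-1/0/0", "ge-1/0/1", "sales", "sales", dst_port=23)
    inter = Packet("ge-1/0/1", "ge-1/0/4", "sales", "eng", dst_port=23)
    racl = Switch(router_filters={"sales": BLOCK_TELNET})   # filter on the sales RVI only
    vacl = Switch(vlan_filters={"sales": BLOCK_TELNET})     # same filter on the sales VLAN
    return {
        "racl_intra_vlan": racl.forward(intra),   # never reaches the RVI: accepted
        "racl_inter_vlan": racl.forward(inter),   # discarded at the router filter
        "vacl_intra_vlan": vacl.forward(intra),   # discarded at the VLAN filter
    }


if __name__ == "__main__":
    for name, (verdict, path) in scenario().items():
        print(f"{name}: {verdict} via {path}")
```

The second element of each result lists the enforcement points that had a filter attached, in the order they were consulted, which is the quickest way to see why `racl_intra_vlan` is accepted: the list is empty, because the only filter on that switch sits on an RVI the packet never touches.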
More informationChapter 3. Enterprise Campus Network Design
Chapter 3 Enterprise Campus Network Design 1 Overview The network foundation hosting these technologies for an emerging enterprise should be efficient, highly available, scalable, and manageable. This
More information24 GE + 2 GE SFP L2 Managed Switch
GEL-2670 Version: 1 24 GE + 2 GE SFP L2 Managed Switch The LevelOne GEL-2670 is an intelligent L2 Managed Switch with 24 x 1000Base-T ports and 2 x 100/1000BASE-X SFP (Small Form Factor Pluggable) slots.
More informationManagement Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev.
Management Software AT-S106 Web Browser User s Guide For the AT-GS950/48 Gigabit Ethernet Smart Switch Version 1.0.0 613-001339 Rev. A Copyright 2010 Allied Telesis, Inc. All rights reserved. No part of
More informationCCNA R&S: Introduction to Networks. Chapter 5: Ethernet
CCNA R&S: Introduction to Networks Chapter 5: Ethernet 5.0.1.1 Introduction The OSI physical layer provides the means to transport the bits that make up a data link layer frame across the network media.
More informationOVERLAYING VIRTUALIZED LAYER 2 NETWORKS OVER LAYER 3 NETWORKS
OVERLAYING VIRTUALIZED LAYER 2 NETWORKS OVER LAYER 3 NETWORKS Matt Eclavea (meclavea@brocade.com) Senior Solutions Architect, Brocade Communications Inc. Jim Allen (jallen@llnw.com) Senior Architect, Limelight
More informationZyXEL GS2210-8HP V4.10(AASQ.1)C0 Release Note/Manual Supplement
ZyXEL GS2210-8HP V4.10(AASQ.1)C0 Release Note/Manual Supplement Date: May. 5, 2015 This document describes the features in the GS2210-8HP product for its 4.10(AASQ.1)C0 release. Support Platforms: ZyXEL
More informationChapter 1 Reading Organizer
Chapter 1 Reading Organizer After completion of this chapter, you should be able to: Describe convergence of data, voice and video in the context of switched networks Describe a switched network in a small
More informationExhibit n.2: The layers of a hierarchical network
3. Advanced Secure Network Design 3.1 Introduction You already know that routers are probably the most critical equipment piece in today s networking. Without routers, internetwork communication would
More informationConfiguring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
CHAPTER 5 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive
More informationDatasheet. Managed Gigabit Switches with SFP. Models: ES-24-Lite, ES-48-Lite. Non-Blocking Throughput Switching Performance
Managed Gigabit Switches with SFP Models: ES-24-Lite, ES-48-Lite Non-Blocking Throughput Switching Performance Gigabit Ethernet RJ45 Ports SFP+/SFP Fiber Connectivity Options Deployment Examples VLAN 80
More informationAbstract. Avaya Solution & Interoperability Test Lab
Avaya Solution & Interoperability Test Lab Configuring NETGEAR PROSAFE 8-port, 16-port and 24-port switches Supporting Power over Ethernet with Avaya Communication Manager, Avaya one-x Quick Edition G10
More informationNetwork Virtualization Network Admission Control Deployment Guide
Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus
More informationCisco EtherSwitch Network Modules
Cisco EtherSwitch Network Modules 16- and 36-Port 10/100 Ethernet Modules for Cisco 2600/2800/3600/3700/3800 Series Routers Figure 1. Cisco 16-Port and 36-Port EtherSwitch Network Modules The Cisco 16-
More informationA Guide to Simple IP Camera Deployment Using ZyXEL Bandwidth Solutions
A Guide to Simple IP Camera Deployment Using ZyXEL Bandwidth Solutions 2015/7/22 ZyXEL Communications Corporation Barney Gregorio Overview: This article contains guidelines on how to introduce IP cameras
More informationFiber Channel Over Ethernet (FCoE)
Fiber Channel Over Ethernet (FCoE) Using Intel Ethernet Switch Family White Paper November, 2008 Legal INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR
More informationvsphere Networking ESXi 5.0 vcenter Server 5.0 EN-000599-01
ESXi 5.0 vcenter Server 5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions
More informationDell PowerVault MD Series Storage Arrays: IP SAN Best Practices
Dell PowerVault MD Series Storage Arrays: IP SAN Best Practices A Dell Technical White Paper Dell Symantec THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND
More informationDevelopment of the FITELnet-G20 Metro Edge Router
Development of the Metro Edge Router by Tomoyuki Fukunaga * With the increasing use of broadband Internet, it is to be expected that fiber-tothe-home (FTTH) service will expand as the means of providing
More informationALLNET ALL-SG8926PM Layer 2 FULL Management 24 Port Giga PoE Current Sharing Switch IEEE802.3at/af
ALLNET ALL-SG8926PM Layer 2 FULL Management 24 Port Giga PoE Current Sharing Switch IEEE802.3at/af 24-Port Giga PoE Current Sharing 500W PoE Budget IPv6 and IPv4 Dual Protocol SNMP v1/v2c/v3 SSH version
More informationUsing IEEE 802.1x to Enhance Network Security
Using IEEE 802.1x to Enhance Network Security Table of Contents Introduction...2 Terms and Technology...2 Understanding 802.1x...3 Introduction...3 802.1x Authentication Process...3 Before Authentication...3
More informationVXLAN: Scaling Data Center Capacity. White Paper
VXLAN: Scaling Data Center Capacity White Paper Virtual Extensible LAN (VXLAN) Overview This document provides an overview of how VXLAN works. It also provides criteria to help determine when and where
More informationDCS-3950-52C Fast Ethernet Intelligent Access Switch Datasheet
DCS-3950-52C Fast Ethernet Intelligent Access Switch Datasheet DCS-3950-52C Product Overview DCS-3950-52C switch is Fast Ethernet intelligent security access switch for carrier and MAN networks. It supports
More informationAbstract. Avaya Solution & Interoperability Test Lab
Avaya Solution & Interoperability Test Lab Sample Configuration for using Link Layer Discovery Protocol (LLDP) with Cisco Catalyst 4500 or 3750 Switches for VLAN assignment to Avaya 4600 Series IP Telephones
More informationNetwork Discovery Protocol LLDP and LLDP- MED
Network LLDP and LLDP- MED Prof. Vahida Z. Attar College of Engineering, Pune Wellesely Road, Shivajinagar, Pune-411 005. Maharashtra, INDIA Piyush chandwadkar College of Engineering, Pune Wellesely Road,
More informationLevel 1 Technical. Networking and Technology Basics. Contents
Level 1 Technical Networking and Technology Basics Contents 1 Glossary... 2 2 IP Networking Basics... 4 Fundamentals... 4 IP Addresses... 4 Subnet Masks... 5 Network Communication... 6 Transport Protocols...
More informationNetwork Discovery Protocol LLDP and LLDP- MED
Network LLDP and LLDP- MED Prof. Vahida Z. Attar College of Engineering, Pune Wellesely Road, Shivajinagar, Pune-411 005. Maharashtra, INDIA Piyush chandwadkar College of Engineering, Pune Wellesely Road,
More informationConfiguring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
CHAPTER 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive
More informationVoice Over IP. MultiFlow 5048. IP Phone # 3071 Subnet # 10.100.24.0 Subnet Mask 255.255.255.0 IP address 10.100.24.171. Telephone.
Anritsu Network Solutions Voice Over IP Application Note MultiFlow 5048 CALL Manager Serv # 10.100.27 255.255.2 IP address 10.100.27.4 OC-48 Link 255 255 25 IP add Introduction Voice communications over
More informationIP SAN Best Practices
IP SAN Best Practices A Dell Technical White Paper PowerVault MD3200i Storage Arrays THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES.
More informationSecure Networks for Process Control
Secure Networks for Process Control Leveraging a Simple Yet Effective Policy Framework to Secure the Modern Process Control Network An Enterasys Networks White Paper There is nothing more important than
More informationArchitecture Overview
Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and
More informationWireless Edge Services xl Module 2.0 Update NPI Technical Training June 2007
ProCurve Wireless Edge Services xl Module v.2 Software NPI Technical Training NPI Technical Training Version: 1.5 12 June 2007 2007 Hewlett-Packard Development Company, L.P. The information contained herein
More informationOverview of Routing between Virtual LANs
Overview of Routing between Virtual LANs This chapter provides an overview of virtual LANs (VLANs). It describes the encapsulation protocols used for routing between VLANs and provides some basic information
More informationAsynchronous Transfer Mode: ATM. ATM architecture. ATM: network or link layer? ATM Adaptation Layer (AAL)
Asynchrous Transfer Mode: architecture 1980s/1990 s standard for high-speed (155Mbps to 622 Mbps and higher) Broadband Integrated Service Digital Network architecture Goal: integrated, end-end transport
More informationNetwork Configuration Example
Network Configuration Example Configuring Multiple Port Mirroring Sessions on EX4200 Switches Published: 2014-04-09 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000
More informationExpert Reference Series of White Papers. VMware vsphere Distributed Switches
Expert Reference Series of White Papers VMware vsphere Distributed Switches info@globalknowledge.net www.globalknowledge.net VMware vsphere Distributed Switches Rebecca Fitzhugh, VCAP-DCA, VCAP-DCD, VCAP-CIA,
More informationCisco Small Business Managed Switches
Cisco SRW224P 24-Port 10/100 + 2-Port Gigabit Switch: WebView/PoE Cisco Small Business Managed Switches Secure, Reliable, Intelligent Switching with PoE for Growing Businesses Highlights Connects up to
More informationBroadband Network Architecture
Broadband Network Architecture Jan Martijn Metselaar May 24, 2012 Winitu Consulting Klipperaak 2d 2411 ND Bodegraven The Netherlands slide Broadband Services! Dual play, Triple play, Multi play! But what
More informationNetworking Devices. Lesson 6
Networking Devices Lesson 6 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Network Interface Cards Modems Media Converters Repeaters and Hubs Bridges and
More informationCarrier Ethernet: New Game Plan for Media Converters
Introduction IEEE Std. 802.3ah, also referred to as Ethernet in the First Mile (EFM) standard, has a well established name within the industry today. It lays out ground rules for implementing Ethernet
More information644-068. Cisco - 644-068 Advanced Routing and Switching for Field Engineers - ARSFE
Cisco - 644-068 Advanced Routing and Switching for Field Engineers - ARSFE 1 QUESTION: 1 Which three of the following are major trends that fuel the demand for routing and switching? (Choose three.) A.
More informationImproving Quality of Service
Improving Quality of Service Using Dell PowerConnect 6024/6024F Switches Quality of service (QoS) mechanisms classify and prioritize network traffic to improve throughput. This article explains the basic
More informationSymantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper
Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper Details: Introduction When computers in a private network connect to the Internet, they physically
More informationCisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6)
Cisco Certified Network Associate Exam Exam Number 200-120 CCNA Associated Certifications CCNA Routing and Switching Operation of IP Data Networks Operation of IP Data Networks Recognize the purpose and
More information