JEX - Junos Enterprise Switching - Detailed Lab Guide - 10.a PDF

Uploaded by

Makus
Junos Enterprise Switching
10.a

Juniper Networks
Worldwide Education Services
1194 North Mathilda Avenue
Sunnyvale, CA 94089
408-745-2000
www.juniper.net

Course Number: EDU-JUN-JEX

Detailed Lab Guide

Lab 1: Implementing Layer 2 Switching (Detailed)
Lab 2: Implementing Virtual Networks (Detailed)
Lab 3: Implementing Spanning Tree (Detailed)
Lab 4: Implementing Port Security (Detailed)
Lab 5: Implementing Storm Control and Firewall Filters (Detailed)
Lab 6: Implementing LAGs and RTG (Detailed)
Lab 7: Implementing Virtual Chassis Systems (Detailed)
Appendix A: Lab Diagrams

Course Overview

This two-day course is designed to provide students with introductory switching knowledge and configuration examples. This course includes an overview of switching concepts and operations, virtual LANs (VLANs), spanning tree protocol, port and device security features, and high-availability features. This course is based on the Junos operating system Release 10.1R2.8.

Through demonstrations and hands-on labs, students will gain experience in configuring and monitoring the Junos OS and monitoring device operations.

Objectives
After successfully completing this course, you should be able to:

• List the benefits of implementing switched LANs.
• Describe transparent bridging concepts and operations.
• Describe terms and design considerations for switched LANs.
• List enterprise platforms that support Layer 2 switching.
• Configure interfaces for Layer 2 switching operations.
• Display and interpret the Ethernet switching table.
• Explain the concept of a VLAN.
• Describe access and trunk port modes.
• Configure and monitor VLANs.
• Describe voice VLAN and native VLAN concepts.
• Explain inter-VLAN routing operations.
• Configure and monitor inter-VLAN routing.
• Explain when a spanning tree is required.
• Describe STP and RSTP operations.
• List some advantages of using RSTP over STP.
• Configure and monitor RSTP.
• Describe the bridge protocol data unit (BPDU), loop, and root protection features.
• Configure and monitor the BPDU, loop, and root protection features.
• List and describe various port security features.
• Configure and monitor port security features.
• List and describe some device security features.
• Configure and monitor device security features.
• Describe firewall filter support for EX Series Ethernet Switches.
• Implement and monitor the effects of a firewall filter.
• List and describe some features that promote high availability.
• Configure and monitor high availability features.
• Describe the basic concepts and operational details of a virtual chassis.
• Implement a virtual chassis with multiple EX4200 switches.

Intended Audience

This course benefits individuals responsible for configuring and monitoring EX Series switches.
Course Level

Junos Enterprise Switching is an introductory-level course.

Prerequisites

Students should have basic networking knowledge and an understanding of the Open Systems Interconnection (OSI) reference model and the TCP/IP protocol suite. Students should also attend the Introduction to Junos Software (IJS) and Junos Routing Essentials (JRE) courses prior to attending this class.

Course Agenda

Day 1
Chapter 1: Course Introduction
Chapter 2: Layer 2 Switching
    Lab 1: Implementing Layer 2 Switching
Chapter 3: Virtual Networks
    Lab 2: Implementing Virtual Networks
Chapter 4: Spanning Tree
    Lab 3: Implementing Spanning Tree
Chapter 5: Port Security
    Lab 4: Implementing Port Security
Chapter 6: Device Security and Firewall Filters
    Lab 5: Implementing Storm Control and Firewall Filters
Chapter 7: High Availability
    Lab 6: Implementing LAGs and RTG
    Lab 7: Implementing Virtual Chassis Systems

Lab 1
Implementing Layer 2 Switching (Detailed)

Overview

This lab demonstrates basic configuration and monitoring tasks when implementing Layer 2 switching on EX Series Ethernet Switches. In this lab, you use the command-line interface (CLI) to configure and monitor Layer 2 interfaces and basic bridging operations.

The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:

• Configure and verify proper operation of Layer 2 network interfaces.
• Configure and monitor some Ethernet switching elements.

Part 1: Logging In Using the CLI

In this lab part, you become familiar with the access details used to connect to the lab equipment.
Once you are familiar with the access details, you will use the CLI to log in to your team's designated switch.

Note: The lab equipment used in this class is likely remote from your physical location. The instructor will provide access details to get you logged in to your assigned device.

Step 1.1
Ensure that you know to which switch you have been assigned. Check with your instructor if you are not certain. Consult the management network diagram to determine your switch's management address.

Question: What is the management address assigned to your switch?
Answer: The answer varies; in this example the user has been assigned to the exD-1 switch, which uses an IP address of 10.210.14.147/27. Your answer will depend on the rack of equipment your class is using.

Step 1.2
Access the CLI for your switch using either the console, Telnet, or SSH as directed by your instructor. Refer to the management network diagram for the IP address associated with your team's station. The following example uses Telnet to access exD-1 using the SecureCRT program:

[Screenshot: SecureCRT Telnet session to exD-1]

Step 1.3
Log in as user lab with the password supplied by your instructor.

exD-1 (ttyu0)
--- JUNOS 10.1R2.8 built 2010-08-12 04:08:08 UTC
{master:0}
lab@exD-1>

Part 2: Configuring Layer 2 Interfaces

In this lab part, you will enter configuration mode and navigate to the [edit interfaces] hierarchy level. At that hierarchy level you will enable some designated interfaces for Layer 2 operations. You will then verify interface status using the appropriate operational mode commands.

Step 2.1
Enter configuration mode and navigate to the [edit interfaces] hierarchy level.

{master:0}
lab@exD-1> configure
Entering configuration mode

{master:0}[edit]
lab@exD-1# edit interfaces

{master:0}[edit interfaces]
lab@exD-1#

Step 2.2
Issue the show command and determine what interface-related configuration already exists.

{master:0}[edit interfaces]
lab@exD-1# show
me0 {
    description "MGMT INTERFACE - DO NOT DELETE";
    unit 0 {
        family inet {
            address 10.210.14.147/27;
        }
    }
}

Question: What interface-related configuration exists on your assigned switch?
Answer: You should only see the management Ethernet interface (me0) configuration at this time.

Step 2.3
Issue the set ge-0/0/6 unit 1 family ? command and determine which family is used to enable an interface for Layer 2 switching operations.

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/6 unit 1 family ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> ethernet-switching   Ethernet switching parameters
> inet                 IPv4 protocol parameters
> iso                  ISO protocol parameters
> mpls                 MPLS protocol parameters

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/6 unit 1 family

Question: Which protocol family is used to enable an Ethernet interface for Layer 2 switching operations?
Answer: You use the ethernet-switching protocol family to enable an Ethernet interface for Layer 2 switching operations.

Step 2.4
Finish the current command by adding the ethernet-switching statement. Attempt to activate the newly added Layer 2 interface using the commit command.

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/6 unit 1 family ethernet-switching

{master:0}[edit interfaces]
lab@exD-1# commit
[edit interfaces ge-0/0/6]
    Only unit 0 is valid for this encapsulation
error: configuration check-out failed

Question: Does the commit operation succeed? If not, why?
Answer: No, as shown in the sample output, the commit operation should not succeed due to an invalid unit number. Remember that you can only use unit 0 with Layer 2 interfaces on EX Series switches.
Step 2.5
Use the rename command to change the unit number from one to zero and attempt the commit operation once again.

{master:0}[edit interfaces]
lab@exD-1# rename ge-0/0/6 unit 1 to unit 0

{master:0}[edit interfaces]
lab@exD-1# commit
configuration check succeeds
commit complete

Question: Does the commit operation succeed?
Answer: Yes, as shown in the sample output, the commit operation should now succeed with the logical unit number set to 0.

Step 2.6
Refer to the network diagram for this lab and configure the remainder of the Layer 2 interfaces listed for your switch. You might want to use the copy command for this task.

{master:0}[edit interfaces]
lab@exD-1# copy ge-0/0/6 to ge-0/0/7

{master:0}[edit interfaces]
lab@exD-1# copy ge-0/0/6 to ge-0/0/8

{master:0}[edit interfaces]
lab@exD-1# show
ge-0/0/6 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/7 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/8 {
    unit 0 {
        family ethernet-switching;
    }
}
me0 {
    description "MGMT INTERFACE - DO NOT DELETE";
    unit 0 {
        family inet {
            address 10.210.14.147/27;
        }
    }
}

Step 2.7
Activate the newly added interfaces using the commit command. Next, issue the run show interfaces terse command to determine the status of the Layer 2 interfaces.

{master:0}[edit interfaces]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit interfaces]
lab@exD-1# run show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    down
ge-0/0/1                up    down
ge-0/0/2                up    down
ge-0/0/3                up    down
ge-0/0/4                up    down
ge-0/0/5                up    down
ge-0/0/6                up    up
ge-0/0/6.0              up    up   eth-switch
ge-0/0/7                up    up
ge-0/0/7.0              up    up   eth-switch
ge-0/0/8                up    up
ge-0/0/8.0              up    up   eth-switch

Question: What is the status of the recently defined Layer 2 interfaces?
Answer: As shown in the sample output, the status for the recently defined Layer 2 interfaces should be up physically and administratively.

Question: What information in the displayed output indicates that these interfaces are operating in a Layer 2 capacity?
Answer: Under the protocol column you should see the protocol family eth-switch. This protocol family is associated with Layer 2 operations.

Step 2.8
Issue the save /var/tmp/individual-interfaces.conf command to save the current interface configuration.

{master:0}[edit interfaces]
lab@exD-1# save /var/tmp/individual-interfaces.conf
Wrote 26 lines of configuration to '/var/tmp/individual-interfaces.conf'

Step 2.9
Delete the recently defined Layer 2 interfaces and activate the configuration change.

{master:0}[edit interfaces]
lab@exD-1# wildcard
  matched: ge-0/0/6
  matched: ge-0/0/7
  matched: ge-0/0/8
Delete 3 objects? [yes,no] (no) yes

{master:0}[edit interfaces]
lab@exD-1# show
me0 {
    description "MGMT INTERFACE - DO NOT DELETE";
    unit 0 {
        family inet {
            address 10.210.14.147/27;
        }
    }
}

{master:0}[edit interfaces]
lab@exD-1# commit
configuration check succeeds
commit complete

Step 2.10
Define a new interface range named L2-interfaces. Include the ge-0/0/6, ge-0/0/7, and ge-0/0/8 interfaces as part of this new interface range and enable it for Layer 2 operations.

{master:0}[edit interfaces]
lab@exD-1# set interface-range L2-interfaces member-range ge-0/0/6 to ge-0/0/8

{master:0}[edit interfaces]
lab@exD-1# set interface-range L2-interfaces unit 0 family ethernet-switching

{master:0}[edit interfaces]
lab@exD-1# show
interface-range L2-interfaces {
    member-range ge-0/0/6 to ge-0/0/8;
    unit 0 {
        family ethernet-switching;
    }
}
me0 {
    description "MGMT INTERFACE - DO NOT DELETE";
    unit 0 {
        family inet {
            address 10.210.14.147/27;
        }
    }
}

Step 2.11
Activate the configuration and return to operational mode using the commit and-quit command. Next, issue the show interfaces terse command to verify the status of the interfaces within the newly defined interface range.
{master:0}[edit interfaces]
lab@exD-1# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

{master:0}
lab@exD-1> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    down
ge-0/0/1                up    down
ge-0/0/2                up    down
ge-0/0/3                up    down
ge-0/0/4                up    down
ge-0/0/5                up    down
ge-0/0/6                up    up
ge-0/0/6.0              up    up   eth-switch
ge-0/0/7                up    up
ge-0/0/7.0              up    up   eth-switch
ge-0/0/8                up    up
ge-0/0/8.0              up    up   eth-switch

Question: What is the state of the three interfaces participating in the recently defined interface range?
Answer: As shown in the sample capture, all three interfaces (ge-0/0/6, ge-0/0/7, and ge-0/0/8) should show up both physically and administratively.

Part 3: Monitoring Layer 2 Switching Operations

In this lab part, you will view the Ethernet switching table (bridge table) before and after traffic passes through your designated switch. You will then define some static MAC entries in the Ethernet switching table for the MAC addresses associated with the connected devices. You will need to log in to your designated SRX Series Services Gateway to perform some tasks outlined in this part.

Step 3.1
Issue the show ethernet-switching table command to view the current entries in your switch's bridge table.

{master:0}
lab@exD-1> show ethernet-switching table
Ethernet-switching table: 1 entries, 0 learned
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members

Question: Does your switch's bridge table show any dynamically learned MAC table entries?
Answer: As shown in the sample capture, the only entry that should currently exist at this time is the Flood entry associated with the default VLAN. If you do see dynamically learned MAC entries, you can manually clear them using the clear ethernet-switching table command.

Note: You will now log in to your assigned SRX Series gateway. The gateway is configured with multiple virtual routers, which are logical devices created on your assigned gateway.
Most of the configuration required for the SRX Series gateways has already been defined. You will, however, be required to modify the existing configuration throughout the labs. Refer to the management network diagram for the IP address of your assigned SRX Series gateway. If needed, work with your instructor to obtain the required information.

Step 3.2
Open a separate session to your assigned gateway.

Note: You can connect to your gateway using the console connection through the terminal server or through a Telnet or SSH session using the SRX Series gateway's management address. Consult with your instructor if you have questions.

Step 3.3
Log in to your assigned SRX Series gateway using the lab user account and the password provided by your instructor.

srxD-1 (ttyu0)
login: lab
--- JUNOS 10.1R2.8 built 2010-05-21 05:92:14 UTC

Step 3.4
From your assigned gateway, ping the virtual routers connected through your EX Series switch. Refer to the network diagram for this lab for IP addressing details.

Note: Some sample outputs include unspecified variables in the form of y. These unspecified variables are unique to your device and their values can be found on the lab's associated network diagram.
If needed, work with your instructor to determine the values.

lab@srxD-1> ping 172.23.y1.100 count 5
PING 172.23.11.100 (172.23.11.100): 56 data bytes
64 bytes from 172.23.11.100: icmp_seq=0 ttl=64 time=23.770 ms
64 bytes from 172.23.11.100: icmp_seq=1 ttl=64 time=0.974 ms
64 bytes from 172.23.11.100: icmp_seq=2 ttl=64 time=0.915 ms
64 bytes from 172.23.11.100: icmp_seq=3 ttl=64 time=0.962 ms
64 bytes from 172.23.11.100: icmp_seq=4 ttl=64 time=1.087 ms

--- 172.23.11.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.915/5.542/23.770/9.114 ms

lab@srxD-1> ping 172.23.y2.100 count 5
PING 172.23.12.100 (172.23.12.100): 56 data bytes

--- 172.23.12.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.976/5.289/22.262/8.497 ms

Question: Are the ping tests successful?
Answer: As shown in the sample capture, the ping tests should succeed.

Question: Based on the ping test results and the information shown on the network diagram for this lab, what MAC address would you expect to be associated with the ge-0/0/6.0 interface in the bridge table on your assigned switch?
Answer: The answer depends on your assigned switch. If you are assigned exD-1, where D represents the pod value, you should see MAC address 00:26:88:02:74:86 associated with ge-0/0/6.0. If you are assigned exD-2, again where D represents the pod value, you should see MAC address 00258602:5:06. You will verify the contents of the bridge table in a subsequent step.
Step 3.5
Return to your EX Series switch. Issue the show ethernet-switching table command to verify the current MAC address entries in the bridge table.

{master:0}
lab@exD-1> show ethernet-switching table
Ethernet-switching table: 4 entries, 3 learned
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members
  default           00:26:88:02:74:86 Learn          0 ge-0/0/6.0
  default           00:26:88:02:74:87 Learn          0 ge-0/0/7.0
  default           00:26:88:02:74:88 Learn          0 ge-0/0/8.0

Question: Does the bridge table show dynamically learned MAC address entries?
Answer: Yes, your switch's bridge table should now show dynamically learned MAC address entries. These entries show a type of Learn, as shown in the sample capture.

Question: Do the bridge table entries shown match the details illustrated on the network diagram for this lab?
Answer: The bridge table entries should match the details illustrated on this lab's network diagram. If not, check with your instructor.

Step 3.6
Issue the clear ethernet-switching table command to clear the learned MAC entries. Next, issue the show ethernet-switching table command to ensure the dynamically learned entries have been removed.

{master:0}
lab@exD-1> clear ethernet-switching table

{master:0}
lab@exD-1> show ethernet-switching table
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members

Define static bridge table entries for the MAC addresses associated with the gateway and virtual routers. Associate the MAC addresses with the corresponding interfaces on your team's switch.

{master:0}[edit ethernet-switching-options]
lab@exD-1# set static vlan default mac 00:26:88:02:74:88 next-hop ge-0/0/8.0

Step 3.9
Activate the configuration changes and return to operational mode using the commit and-quit command.

{master:0}[edit ethernet-switching-options]
lab@exD-1# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

Question: How can you tell these MAC entries are static?
Answer: The entries show a type of Static rather than Learn.

Step 3.11

lab@srxD-1> ping 172.23.y1.100 count 5
PING 172.23.11.100 (172.23.11.100): 56 data bytes

--- 172.23.11.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.016/1.091/1.141/0.045 ms

lab@srxD-1> ping 172.23.y2.100 count 5
PING 172.23.12.100 (172.23.12.100): 56 data bytes
64 bytes from 172.23.12.100: icmp_seq=0 ttl=64 time=1.121 ms
64 bytes from 172.23.12.100: icmp_seq=1 ttl=64 time=6.240 ms
64 bytes from 172.23.12.100: icmp_seq=2 ttl=64 time=1.027 ms
64 bytes from 172.23.12.100: icmp_seq=3 ttl=64 time=0.983 ms
64 bytes from 172.23.12.100: icmp_seq=4 ttl=64 time=1.311 ms

--- 172.23.12.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.983/2.136/6.240/2.058 ms

Question: Do the ping tests succeed with the statically defined MAC table entries?
Answer: Yes, as shown in the preceding output, the ping tests succeed with the static MAC table entries.

Question: What do you think would happen if a MAC address change occurred on the connected devices?
Answer: The switch will retain the static MAC entry and add a new dynamic MAC entry for the new MAC address. You can limit the number of MAC addresses learned through a switch port, but the default behavior is to learn all MAC addresses sourced through an interface. The following capture illustrates a dynamic and static entry for the ge-0/0/6.0 interface:
{master:0}
lab@exD-1> show ethernet-switching table
Ethernet-switching table: 3 entries, 1 learned
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members
  default           00:26:88:02:02:a1 Learn          0 ge-0/0/6.0
  default           00:26:88:02:74:87 Static
  default           00:26:88:02:74:88 Static

Tell your instructor that you have completed Lab 1.

Lab 2
Implementing Virtual Networks (Detailed)

Overview

This lab demonstrates basic configuration and monitoring tasks when implementing virtual networks on EX Series Ethernet Switches. In this lab, you use the command-line interface (CLI) to configure and monitor VLANs and inter-VLAN routing operations.

The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:

• Update the existing configuration.
• Configure and monitor VLANs.
• Configure and monitor inter-VLAN routing.

Part 1: Modifying the Existing Configuration

In this lab part, you will modify the existing configuration on your assigned switch to prepare for subsequent lab parts.

Step 1.1
Enter configuration mode and navigate to the [edit interfaces] hierarchy level.

{master:0}
lab@exD-1> configure
Entering configuration mode

{master:0}[edit]
lab@exD-1# edit interfaces

{master:0}[edit interfaces]
lab@exD-1#

Step 1.2
Delete the current interface-related configuration. Next, use the load merge command to load the individual-interfaces.conf configuration file stored in the /var/tmp/ directory. Note that the individual-interfaces.conf configuration file was created and saved in the previous lab.

{master:0}[edit interfaces]
lab@exD-1# delete
Delete everything under this level? [yes,no] (no) yes

{master:0}[edit interfaces]
lab@exD-1# load merge /var/tmp/individual-interfaces.conf
load complete

{master:0}[edit interfaces]
lab@exD-1# show
ge-0/0/6 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/7 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/8 {
    unit 0 {
        family ethernet-switching;
    }
}

Step 1.3
Navigate to the [edit] hierarchy level and delete the static MAC table entries currently defined under the [ethernet-switching-options] hierarchy level. Activate the changes using the commit command.

{master:0}[edit]
lab@exD-1# show ethernet-switching-options
static {
    vlan default {
        mac 00:26:88:02:74:87 next-hop ge-0/0/7.0;
    }
}

{master:0}[edit]
lab@exD-1# commit
configuration check succeeds
commit complete

Part 2: Configuring and Monitoring Virtual Networks

In this lab part, you will configure and monitor VLANs. First, you will define the required VLANs. Next, you will configure interfaces as access and trunk ports. Finally, you will associate the configured interfaces with their respective VLANs. You will need to refer to the network diagram for this lab for some of the configuration tasks performed in this lab part.

Step 2.1
Issue the run show vlans command to view the current VLAN assignments on your switch.

{master:0}[edit]
lab@exD-1# run show vlans
Name           Tag     Interfaces
default
                       ge-0/0/6.0*, ge-0/0/7.0*, ge-0/0/8.0*

Question: What VLAN(s) exist on your switch?
Answer: As shown in the sample capture, only the default VLAN should exist on your switch. If you see other VLANs in the output, check your configuration and, if needed, consult with your instructor.

Question: What interfaces belong to the default VLAN?
Answer: You should see the ge-0/0/6.0, ge-0/0/7.0, and ge-0/0/8.0 interfaces associated with the default VLAN.
Step 2.2
Configure the ge-0/0/1 interface for Layer 2 operations and activate the configuration change.

{master:0}[edit]
lab@exD-1# copy interfaces ge-0/0/6 to ge-0/0/1

{master:0}[edit]
lab@exD-1# show interfaces
ge-0/0/1 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/6 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/7 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/8 {
    unit 0 {
        family ethernet-switching;
    }
}
me0 {
    description "MGMT INTERFACE - DO NOT DELETE";
    unit 0 {
        family inet {
            address 10.210.14.147/27;
        }
    }
}

{master:0}[edit]
lab@exD-1# commit
configuration check succeeds
commit complete

Step 2.3
Issue the run show vlans default command to view the interfaces currently assigned to the default VLAN.

{master:0}[edit]
lab@exD-1# run show vlans default
Name           Tag     Interfaces
default
                       ge-0/0/1.0, ge-0/0/6.0*, ge-0/0/7.0*, ge-0/0/8.0*

Question: Is the ge-0/0/1 interface associated with the default VLAN?
Answer: Yes, you should now see the ge-0/0/1.0 interface associated with the default VLAN.

Question: What is different between the ge-0/0/1 interface and the other interfaces associated with the default VLAN? Can you explain this difference?
Answer: All interfaces, except ge-0/0/1.0, have an asterisk (*) next to them. The lack of an asterisk indicates that the interface is not operational. The following sample capture illustrates this point:

{master:0}[edit]
lab@exD-1# run show interfaces terse | match "0/1 |0/6 |0/7 |0/8 "
ge-0/0/1                up    down
ge-0/0/6                up    up
ge-0/0/7                up    up
ge-0/0/8                up    up

Step 2.4
Navigate to the [edit vlans] hierarchy. Use the details shown on the network diagram for this lab and configure the VLANs associated with the ge-0/0/6 and ge-0/0/7 interfaces.

{master:0}[edit]
lab@exD-1# edit vlans

{master:0}[edit vlans]
lab@exD-1# set vy1 vlan-id y1

{master:0}[edit vlans]
lab@exD-1# set vy2 vlan-id y2

{master:0}[edit vlans]
lab@exD-1# show
v11 {
    vlan-id 11;
}
v12 {
    vlan-id 12;
}

{master:0}[edit vlans]
lab@exD-1#

Step 2.5
Navigate to the [edit interfaces] hierarchy level and define the ge-0/0/6 and ge-0/0/7 interfaces as access ports and associate them with their respective VLANs. Refer to the network diagram as needed.

{master:0}[edit vlans]
lab@exD-1# top edit interfaces

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/6 unit 0 family ethernet-switching port-mode access

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/6 unit 0 family ethernet-switching vlan members vy1

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/7 unit 0 family ethernet-switching port-mode access

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/7 unit 0 family ethernet-switching vlan members vy2

{master:0}[edit interfaces]
lab@exD-1# show ge-0/0/6
unit 0 {
    family ethernet-switching {
        port-mode access;
        vlan {
            members v11;
        }
    }
}

{master:0}[edit interfaces]
lab@exD-1# show ge-0/0/7
unit 0 {
    family ethernet-switching {
        port-mode access;
        vlan {
            members v12;
        }
    }
}

Step 2.6
Configure the ge-0/0/8 interface as a trunk port and associate it with the VLANs associated with the ge-0/0/6 and ge-0/0/7 interfaces. Refer to the network diagram as needed.

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/8 unit 0 family ethernet-switching port-mode trunk

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/8 unit 0 family ethernet-switching vlan members [vy1 vy2]

{master:0}[edit interfaces]
lab@exD-1# show ge-0/0/8
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members [ v11 v12 ];
        }
    }
}

Step 2.7
Activate the configuration changes using the commit command. Next, issue the run show vlans command.

{master:0}[edit interfaces]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit interfaces]
lab@exD-1# run show vlans
Name           Tag     Interfaces
default
                       ge-0/0/1.0
v11            11
                       ge-0/0/6.0*, ge-0/0/8.0*
v12            12
                       ge-0/0/7.0*, ge-0/0/8.0*

Question: How many VLANs are listed now? How many of those VLANs are tagged VLANs?
Answer: As shown in the sample output, you should now see three VLANs listed. Only two of the listed VLANs should be tagged (either v11 and v12 or v21 and v22, depending on your assigned device).

Question: Why is the ge-0/0/8 interface listed under both user-defined VLANs?
Answer: The ge-0/0/8 interface was defined as a trunk port and configured to carry traffic for both of the defined VLANs. Remember that trunk ports are used to carry tagged traffic for one or more VLANs. You can add the detail or extensive option to the show vlans command to view the tagged and untagged interfaces. A sample capture illustrating this point follows:

{master:0}[edit interfaces]
lab@exD-1# run show vlans extensive
VLAN: default, Created at: Sun May 16 06:53:43 2010
Internal index: 2, Admin State: Enabled, Origin: Static
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 0 (Active = 0), Untagged 1 (Active = 0)
      ge-0/0/1.0, untagged, access

VLAN: v11, Created at: Mon May 17 03:09:01 2010
802.1Q Tag: 11, Internal index: 4, Admin State: Enabled, Origin: Static
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 1 (Active = 1), Untagged 1 (Active = 1)
      ge-0/0/8.0*, tagged, trunk
      ge-0/0/6.0*, untagged, access

VLAN: v12, Created at: Mon May 17 03:09:01 2010
802.1Q Tag: 12, Internal index: 6, Admin State: Enabled, Origin: Static
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 1 (Active = 1), Untagged 1 (Active = 1)
      ge-0/0/8.0*, tagged, trunk
      ge-0/0/7.0*, untagged, access

Note: The next lab steps require you to perform tasks on your assigned SRX Series Services Gateway.
Most of the configuration required for the SRX Series gateways has already been defined. You will, however, be required to modify the existing configuration throughout the labs. Refer to the management network diagram for the IP address of your assigned gateway. If needed, work with your instructor to obtain the required information.

Step 2.8
On your assigned gateway, enter configuration mode and navigate to the [edit interfaces] hierarchy level.

lab@srxD-1> configure
Entering configuration mode

[edit]
lab@srxD-1# edit interfaces

[edit interfaces]
lab@srxD-1#

Step 2.9
Delete the configuration details currently associated with the ge-0/0/8 interface and configure ge-0/0/8 for Layer 2 operations and as a trunk port for all possible VLANs (hint: use the all keyword).

[edit interfaces]
lab@srxD-1# show ge-0/0/8
unit 0 {
    family inet {
        address 172.23.11.10/24;
        address 172.23.12.10/24;
    }
}

[edit interfaces]
lab@srxD-1# delete ge-0/0/8

[edit interfaces]
lab@srxD-1# set ge-0/0/8 unit 0 family ethernet-switching port-mode trunk

[edit interfaces]
lab@srxD-1# set ge-0/0/8 unit 0 family ethernet-switching vlan members all

[edit interfaces]
lab@srxD-1# show ge-0/0/8
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }
}

Step 2.10
Activate the configured units associated with the VLAN interface on your SRX Series gateway.

[edit interfaces]
lab@srxD-1# show vlan
inactive: unit 11 {
    family inet {
        address 172.23.11.10/24;
    }
}
inactive: unit 12 {
    family inet {
        address 172.23.12.10/24;
    }
}

[edit interfaces]
lab@srxD-1# activate vlan unit y1

[edit interfaces]
lab@srxD-1# activate vlan unit y2

[edit interfaces]
lab@srxD-1# show vlan
mac 00:26:88:02:74:90;
unit 11 {
    family inet {
        address 172.23.11.10/24;
    }
}
unit 12 {
    family inet {
        address 172.23.12.10/24;
    }
}

Step 2.11
Navigate to the [edit vlans] hierarchy level and activate all configured VLANs.
[edit interfaces]
lab@srxD-1# top edit vlans

[edit vlans]
lab@srxD-1# show
inactive: v11 {
    vlan-id 11;
    l3-interface vlan.11;
}
inactive: v12 {
    vlan-id 12;
    l3-interface vlan.12;
}
inactive: v21 {
    vlan-id 21;
}
inactive: v22 {
    vlan-id 22;
}

[edit vlans]
lab@srxD-1# activate v11

[edit vlans]
lab@srxD-1# activate v12

[edit vlans]
lab@srxD-1# activate v21

[edit vlans]
lab@srxD-1# activate v22

[edit vlans]
lab@srxD-1# show
v11 {
    vlan-id 11;
    l3-interface vlan.11;
}
v12 {
    vlan-id 12;
    l3-interface vlan.12;
}
v21 {
    vlan-id 21;
}
v22 {
    vlan-id 22;
}

[edit vlans]
lab@srxD-1#

Step 2.12
Issue the commit and-quit command to activate the configuration changes and return to operational mode.

[edit vlans]
lab@srxD-1# commit and-quit
commit complete
Exiting configuration mode

lab@srxD-1>

Step 2.13
Use the ping utility to verify reachability from your assigned gateway to the virtual routers attached to your EX Series switch.

lab@srxD-1> ping 172.23.y1.100 count 5
PING 172.23.11.100 (172.23.11.100): 56 data bytes
64 bytes from 172.23.11.100: icmp_seq=0 ttl=64 time=1.103 ms
64 bytes from 172.23.11.100: icmp_seq=1 ttl=64 time=1.048 ms
64 bytes from 172.23.11.100: icmp_seq=2 ttl=64 time=0.977 ms
64 bytes from 172.23.11.100: icmp_seq=3 ttl=64 time=1.090 ms

--- 172.23.11.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.977/1.061/1.103/0.048 ms

lab@srxD-1> ping 172.23.y2.100 count 5
PING 172.23.12.100 (172.23.12.100): 56 data bytes
64 bytes from 172.23.12.100: icmp_seq=0 ttl=64 time=22.552 ms
64 bytes from 172.23.12.100: icmp_seq=1 ttl=64 time=0.979 ms
64 bytes from 172.23.12.100: icmp_seq=2 ttl=64 time=0.933 ms
64 bytes from 172.23.12.100: icmp_seq=3 ttl=64 time=0.967 ms
64 bytes from 172.23.12.100: icmp_seq=4 ttl=64 time=1.246 ms

--- 172.23.12.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.993/5.395/22.352/8.609 ms

Question: Do the ping tests succeed?
Answer: As shown in the sample output, the ping tests should both succeed.

Question: How does the traffic generated in these tests differ as it is received on ge-0/0/8.0 and transmitted out ge-0/0/6.0 and ge-0/0/7.0 on your EX Series switch?

Answer: All traffic received through and sent out port ge-0/0/8.0 will be tagged, whereas all traffic sent out and received through ports ge-0/0/6.0 and ge-0/0/7.0 will be untagged.

Step 2.14
Return to the session opened for your assigned EX Series switch. Issue the run show ethernet-switching table command to view the current entries in the bridge table.

{master:0}[edit interfaces]
lab@exD-1# run show ethernet-switching table
Ethernet-switching table: 6 entries, 4 learned
  VLAN     MAC address         Type    Age  Interfaces
  v11      *                   Flood     -  All-members
  v11      00:26:88:02:74:06   Learn     0  ge-0/0/6.0
  v11      00:26:88:02:74:90   Learn     0  ge-0/0/8.0
  v12      *                   Flood     -  All-members
  v12      00:26:88:02:74:67   Learn     0  ge-0/0/7.0
  v12      00:26:88:02:74:90   Learn     0  ge-0/0/8.0

Question: How many entries currently exist in your switch's bridge table? How are these entries organized?

Answer: At a minimum you should see two Flood entries. You could also see four dynamically learned (Learn) entries depending on the duration between this step and the last lab step. In either case the entries should be organized based on their associated VLAN.

Part 3: Configuring and Monitoring Inter-VLAN Routing

In this lab part, you will configure and monitor inter-VLAN routing. First, you will define the required VLAN interfaces. Next, you will associate the defined VLAN interfaces with their respective VLANs. Finally, you will verify routing operations between the configured VLANs. You will need to refer to the network diagram for this lab for some of the configuration tasks performed in this lab part.

Step 3.1
On your EX Series switch, configure the Layer 3 VLAN interface with two units and the designated addresses and subnet masks illustrated on the network diagram.

{master:0}[edit interfaces]
lab@exD-1# set vlan unit y1 family inet address 172.23.y1.1/24

{master:0}[edit interfaces]
lab@exD-1# set vlan unit y2 family inet address 172.23.y2.1/24

{master:0}[edit interfaces]
lab@exD-1# show vlan
unit 11 {
    family inet {
        address 172.23.11.1/24;
    }
}
unit 12 {
    family inet {
        address 172.23.12.1/24;
    }
}

Step 3.2
Navigate to the [edit vlans] hierarchy level and associate the newly defined VLAN interfaces with their respective VLANs.

{master:0}[edit interfaces]
lab@exD-1# top edit vlans

{master:0}[edit vlans]
lab@exD-1# show
v11 {
    vlan-id 11;
}
v12 {
    vlan-id 12;
}

{master:0}[edit vlans]
lab@exD-1# set vy1 l3-interface vlan.y1

{master:0}[edit vlans]
lab@exD-1# set vy2 l3-interface vlan.y2

Step 3.3
Activate the configuration changes and return to operational mode using the commit and-quit command. Next, use the show route command to determine whether the expected route entries for the VLAN interfaces have been added to the route table.

{master:0}[edit vlans]
lab@exD-1# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

{master:0}
lab@exD-1> show route

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.210.14.128/27   *[Direct/0] 22:19:24
                    > via me0.0
10.210.14.147/32   *[Local/0] 22:19:24
                      Local via me0.0
172.23.11.0/24     *[Direct/0] 00:00:18
                    > via vlan.11
172.23.11.1/32     *[Local/0] 00:00:18
                      Local via vlan.11
172.23.12.0/24     *[Direct/0] 00:00:18
                    > via vlan.12
172.23.12.1/32     *[Local/0] 00:00:18
                      Local via vlan.12

Question: Have the expected route entries for the newly defined VLAN interfaces been added to your switch's route table?

Answer: You should now see a local and direct route in your switch's route table for both recently added VLAN interfaces.

Step 3.4
Return to
the session opened for your assigned SRX Series gateway. Attempt a ping test between the virtual routers attached to your EX Series switch. Do not forget to source your ICMP traffic from the proper routing instance.

lab@srxD-1> ping 172.23.y2.100 routing-instance vry1 count 5
PING 172.23.12.100 (172.23.12.100): 56 data bytes
ping: sendto: No route to host

--- 172.23.12.100 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

lab@srxD-1> ping 172.23.y1.100 routing-instance vry2 count 5
PING 172.23.11.100 (172.23.11.100): 56 data bytes
ping: sendto: No route to host

--- 172.23.11.100 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Question: Were the ping tests successful? Based on the results, can you explain why?

Answer: The ping tests should not succeed at this time. Based on the results, it appears that the virtual routers do not have the proper routing information installed in their route tables. This is confirmed in the following sample output:

lab@srxD-1> show route table vry1.inet.0

vr11.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

172.23.11.0/24     *[Direct/0] 22:38:08
                    > via ge-0/0/6.0
172.23.11.100/32   *[Local/0] 22:34:20
                      Local via ge-0/0/6.0

lab@srxD-1> show route table vry2.inet.0

vr12.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

172.23.12.0/24     *[Direct/0] 22:34:34
                    > via ge-0/0/7.0
172.23.12.100/32   *[Local/0] 22:34:28
                      Local via ge-0/0/7.0

Step 3.5
Enter configuration mode and navigate to the [edit routing-instances] hierarchy level.

lab@srxD-1> configure

[edit]
lab@srxD-1# edit routing-instances

[edit routing-instances]
lab@srxD-1#

Step 3.6
Activate the routing-options hierarchy level within each of the defined routing instances.

[edit routing-instances]
lab@srxD-1# show
vr11 {
    instance-type virtual-router;
    interface ge-0/0/6.0;
    inactive: routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.23.11.1;
        }
    }
}
vr12 {
    instance-type virtual-router;
    interface ge-0/0/7.0;
    inactive: routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.23.12.1;
        }
    }
}

[edit routing-instances]
lab@srxD-1# activate vry1 routing-options

[edit routing-instances]
lab@srxD-1# activate vry2 routing-options

[edit routing-instances]
lab@srxD-1# show
vr11 {
    instance-type virtual-router;
    interface ge-0/0/6.0;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.23.11.1;
        }
    }
}
vr12 {
    instance-type virtual-router;
    interface ge-0/0/7.0;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.23.12.1;
        }
    }
}

Step 3.7
Activate the configuration changes and return to operational mode using the commit and-quit command. Next, verify that a default static route has been added for each virtual router by issuing the show route table vry1.inet.0 and show route table vry2.inet.0 commands, where y represents the value assigned to your virtual routers.

[edit routing-instances]
lab@srxD-1# commit and-quit
commit complete
Exiting configuration mode

lab@srxD-1> show route table vry1.inet.0

vr11.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:32
                    > to 172.23.11.1 via ge-0/0/6.0
172.23.11.0/24     *[Direct/0] 12:47:55
                    > via ge-0/0/6.0
172.23.11.100/32   *[Local/0] 23:48:09
                      Local via ge-0/0/6.0

lab@srxD-1> show route table vry2.inet.0

vr12.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

0.0.0.0/0          *[Static/5] 00:00:42
                    > to 172.23.12.1 via ge-0/0/7.0
172.23.12.0/24     *[Direct/0] 22:48:08
                    > via ge-0/0/7.0
172.23.12.100/32   *[Local/0] 22:48:28
                      Local via ge-0/0/7.0

Question: Is the default static route present in the route table for your assigned virtual routers?

Answer: Yes, the default static route should now be present in the route table for each of your assigned virtual routers. If not, check your configuration and, if needed, consult with your instructor.

Step 3.8
Attempt a ping test between the virtual routers attached to your EX Series switch. Do not forget to source your ICMP traffic from the proper routing instance.

lab@srxD-1> ping 172.23.y2.100 routing-instance vry1 count 5
PING 172.23.12.100 (172.23.12.100): 56 data bytes
64 bytes from 172.23.12.100: icmp_seq=4 ttl=63 time=1.056 ms

--- 172.23.12.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.626/0.967/1.087/0.098 ms

lab@srxD-1> ping 172.23.y1.100 routing-instance vry2 count 5
PING 172.23.11.100 (172.23.11.100): 56 data bytes

--- 172.23.11.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.916/0.968/1.050/0.051 ms

Question: Were the ping tests successful?

Answer: As shown in the sample output, the ping tests should now succeed.

Tell your instructor that you have completed Lab 2.

Lab 3
Implementing Spanning Tree (Detailed)

This lab demonstrates basic configuration and monitoring tasks when implementing spanning tree and some related protection features on EX Series Ethernet Switches. In this lab, you use the command-line interface (CLI) to configure and monitor RSTP as well as bridge protocol data unit (BPDU) and loop protection.

The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:
• Update the existing configuration.
• Configure and monitor RSTP.
• Configure and monitor BPDU protection.

Part 1: Modifying the Existing Configuration

In this part, you will modify the existing configuration on your assigned devices to prepare for subsequent lab parts. Refer to the network diagram for this lab for topological and configuration details.

Step 1.1
On your assigned EX Series switch, enter configuration mode and navigate to the [edit vlans] hierarchy level.

{master:0}
lab@exD-1> configure
Entering configuration mode

{master:0}[edit]
lab@exD-1# edit vlans

{master:0}[edit vlans]
lab@exD-1#

Step 1.2
Add the VLANs assigned to virtual routers attached to the remote team's switch. Once this step is done, you should see a total of four VLANs defined on your switch: v11, v12, v21, and v22.

{master:0}[edit vlans]
lab@exD-1# show
v11 {
    vlan-id 11;
    l3-interface vlan.11;
}
v12 {
    vlan-id 12;
    l3-interface vlan.12;
}

{master:0}[edit vlans]
lab@exD-1# set vy1 vlan-id y1

{master:0}[edit vlans]
lab@exD-1# set vy2 vlan-id y2

{master:0}[edit vlans]
lab@exD-1# show
v11 {
    vlan-id 11;
    l3-interface vlan.11;
}
v12 {
    vlan-id 12;
    l3-interface vlan.12;
}
v21 {
    vlan-id 21;
}
v22 {
    vlan-id 22;
}

Step 1.3
Navigate to the [edit interfaces] hierarchy and associate ge-0/0/8.0 with all VLANs.

{master:0}[edit vlans]
lab@exD-1# top edit interfaces

{master:0}[edit interfaces]
lab@exD-1# show ge-0/0/8
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members [ v11 v12 ];
        }
    }
}

{master:0}[edit interfaces]
lab@exD-1# delete ge-0/0/8 unit 0 family ethernet-switching vlan

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/8 unit 0 family ethernet-switching vlan members all

{master:0}[edit interfaces]
lab@exD-1# show ge-0/0/8
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }
}

{master:0}[edit interfaces]
lab@exD-1#

Step 1.4
Use the copy command to replicate the configuration associated with ge-0/0/8 to the ge-0/0/10 interface.

{master:0}[edit interfaces]
lab@exD-1# copy ge-0/0/8 to ge-0/0/10

{master:0}[edit interfaces]
lab@exD-1# show ge-0/0/10
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }
}

Step 1.5
Activate the configuration changes and issue the run show ethernet-switching interfaces command.

{master:0}[edit interfaces]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit interfaces]
lab@exD-1# run show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/1.0   down   default            untagged  unblocked
ge-0/0/6.0   up     v11           11   untagged  unblocked
ge-0/0/7.0   up     v12           12   untagged  unblocked
ge-0/0/8.0   up     v11           11   tagged    unblocked
                    v12           12   tagged    unblocked
                    v21           21   tagged    unblocked
                    v22           22   tagged    unblocked
ge-0/0/10.0  up     v11           11   tagged    unblocked
                    v12           12   tagged    unblocked
                    v21           21   tagged    unblocked
                    v22           22   tagged    unblocked

Question: Based on the resulting output, are any of the listed interfaces currently blocking traffic?
Answer: As shown in the sample output, you should see all interfaces in the unblocked blocking state, which means all interfaces should be forwarding traffic rather than blocking traffic. If you do not see similar output on your switch, check your configuration and, if needed, consult with your instructor.

Note
The next lab steps are performed on your assigned SRX Series Services Gateway. If needed, refer to the management network diagram for access details.

Step 1.6
On your assigned gateway, enter configuration mode and navigate to the [edit interfaces] hierarchy.

lab@srxD-1> configure
Entering configuration mode

[edit]
lab@srxD-1# edit interfaces

[edit interfaces]
lab@srxD-1#

Step 1.7
Activate the ge-0/0/1, ge-0/0/2, and ge-0/0/10 interfaces. Issue the commit and-quit command to activate the configuration changes and return to operational mode.

[edit interfaces]
lab@srxD-1# activate ge-0/0/1

[edit interfaces]
lab@srxD-1# activate ge-0/0/2

[edit interfaces]
lab@srxD-1# activate ge-0/0/10

[edit interfaces]
lab@srxD-1# commit and-quit
commit complete
Exiting configuration mode

lab@srxD-1>

Do not proceed until the remote team has finished this lab part.

Part 2: Configuring and Monitoring RSTP

In this lab part, you will configure and monitor RSTP. First, you will perform some ping tests to identify the need for spanning tree within a Layer 2 network. Next, you will configure RSTP on your assigned devices. Finally, you will verify the effects of enabling RSTP in a Layer 2 network with redundant paths. You will need to refer to the network diagram for this lab for some of the configuration tasks performed in this lab part.

Step 2.1
On your assigned SRX Series gateway, attempt to ping the IP addresses assigned to the VLAN interfaces defined on your EX Series switch. Refer to the network diagram for this lab, if needed.

lab@srxD-1> ping 172.23.y1.1
--- 172.23.11.1 ping statistics ---
4 packets transmitted, 2 packets received, +2 duplicates, 50% packet loss
round-trip min/avg/max/stddev = 12.015/13.090/13.916/0.764 ms

lab@srxD-1> ping 172.23.y2.1
PING 172.23.12.1 (172.23.12.1): 56 data bytes

--- 172.23.12.1 ping statistics ---
5 packets transmitted, 5 packets received, +2 duplicates, 0% packet loss
round-trip min/avg/max/stddev = 13.06/15.801/18.205/1.657 ms

Question: Do the ping tests succeed? What might these results indicate?

Answer: Your results may vary from those shown above. In the sample output, the ping tests are not clearly successful. In some situations you may not see any response, while in other situations you may see some intermittent replies, including duplicate ICMP echo replies. These results are often indicative of a Layer 2 loop.

Step 2.2
On your assigned SRX Series gateway, enter configuration mode and activate the RSTP configuration. Issue the commit and-quit command to activate the change and return to operational mode.

lab@srxD-1> configure

[edit]
lab@srxD-1# show protocols
inactive: rstp {
    bridge-priority 4k;
}

[edit]
lab@srxD-1# activate protocols rstp

[edit]
lab@srxD-1# commit and-quit
commit complete
Exiting configuration mode

lab@srxD-1>

Step 2.3
Return to your assigned EX Series switch. Enable the RSTP protocol. Next, activate the configuration changes and return to operational mode.
{master:0}[edit interfaces]
lab@exD-1# top set protocols rstp

{master:0}[edit interfaces]
lab@exD-1# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

{master:0}
lab@exD-1>

Question: Based on the priority values listed on the network diagram for this lab, can you predict which device will be elected the root bridge?

Answer: Based on the assigned priority values, srxX-1, where X represents your assigned pod value, should be elected the root bridge.

Before proceeding, ensure that the remote team in your pod finishes the previous step.

Step 2.4
Issue the show spanning-tree bridge command.

{master:0}
lab@exD-1> show spanning-tree bridge
STP bridge parameters
Enabled protocol                    : RSTP
  Root port                         : ge-0/0/8.0
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Number of topology changes        : 2
  Time since last topology change   : 1093 seconds
  Topology change initiator         : ge-0/0/8.0
  Topology change last recvd. from  : 00:26:88:02:60:88
  Bridge ID                         : 32768.00:19:e2:51:65:80

Question: What is your switch's bridge ID?

Answer: The answer will vary. In the sample output, the bridge ID is 32768.00:19:e2:51:65:80. Remember that the bridge ID is created by combining the bridge priority (32K by default) and the system MAC address. The system MAC address is typically the same as the public base address for the device. The public base address can be viewed on EX Series switches using the following command:

00:19:e2:51:65:80

Question: Can you determine which device is elected as the root bridge?

Answer: The srxX-1 device, where X represents your assigned pod value, should be elected as the root bridge based on the bridge priority value of 4096.

Question: Which interface on your switch has been selected as the root port?

Answer: The answer depends on your assigned device.
If your assigned switch is exX-1, where X represents your assigned pod value, you should see ge-0/0/8.0 elected as the root port. If your assigned switch is exX-2, where X represents your assigned pod value, you should see ge-0/0/10.0 elected as the root port. A sample capture taken from exD-2 follows:

{master:0}
lab@exD-2> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root port                         : ge-0/0/10.0
  Number of topology changes        : 2
  Time since last topology change   : 3612 seconds
  Topology change initiator         : ge-0/0/10.0
  Topology change last recvd. from  : 00:26:88:02:6b
  Bridge ID                         : 32768.00:19:e2:55:26:00

Question: What is the cumulative cost to the root bridge from your designated switch?

Answer: Regardless of your assigned switch, the cumulative cost to the root bridge should be 20000 based on the current topology.

Step 2.5
Issue the show spanning-tree interface command.

{master:0}
lab@exD-1> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID   Designated  Designated           Port   State  Role
                       port ID     bridge ID            Cost
ge-0/0/6.0   128:519   128:519     32768.0019e2516580   20000  FWD    DESG
ge-0/0/7.0   128:520   128:520     32768.0019e2516580   20000  FWD    DESG
ge-0/0/8.0   128:521   128:521     4096.002688027490    20000  FWD    ROOT

Question: Does your switch currently have any ports in the blocking state?

Answer: Regardless of your assigned switch, you should have one switch port in the blocking (BLK) state. The actual interface in the blocking state will depend on your assigned device. If your assigned switch is exX-1, where X represents your assigned pod value, you should see ge-0/0/10.0 in the blocking state. If your assigned switch is exX-2, where X represents your assigned pod value, you should see ge-0/0/8.0 in the blocking state. A sample capture taken from exD-2 follows:

{master:0}
lab@exD-2> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID   Designated  Designated           Port   State  Role
                       port ID     bridge ID            Cost
ge-0/0/6.0   128:519   128:519     32768.0019e2552600   20000  FWD    DESG
ge-0/0/7.0   128:520   128:520     32768.0019e2552600   20000  FWD    DESG
ge-0/0/8.0   128:521   128:521     8192.002688026b90    20000  BLK    ALT

Step 2.6
Issue the show ethernet-switching interfaces command.

{master:0}
lab@exD-1> show ethernet-switching interfaces

Step 2.7
Issue the show spanning-tree interface ge-0/0/y detail command for the interface currently designated as the root port (ge-0/0/8 or ge-0/0/10, depending on your assigned switch).

{master:0}
lab@exD-1> show spanning-tree interface ge-0/0/y detail

Spanning tree interface parameters for instance 0

Interface name                   : ge-0/0/8.0
Designated bridge ID             : 4096.00:26:88:02:74:90
Link type                        : Pt-Pt/NONEDGE

Question: What is the Link type for this interface?

Answer: The Link type for the root port should be Pt-Pt/NONEDGE. This is the default link type for an interface operating in full duplex that receives BPDUs.

Step 2.8
Issue the show spanning-tree interface ge-0/0/6 detail command.

{master:0}
lab@exD-1> show spanning-tree interface ge-0/0/6 detail

Spanning tree interface parameters for instance 0

Interface name                   : ge-0/0/6.0
Port identifier                  : 128.519
Port state                       : Forwarding
Designated bridge ID             : 32768.00:19:e2:51:65:80

Question: What is the Link type for this interface? Can you explain why this is different than the root port?

Answer: The Link type for ge-0/0/6 should be Pt-Pt/EDGE. This is the expected link type for this interface because it is operating in full-duplex mode and is not receiving BPDUs from the connected virtual router.
For an interface operating in half-duplex mode, you see a link type of shared rather than point-to-point. The following output confirms the current duplex setting for ge-0/0/6:

{master:0}
lab@exD-1> show interfaces ge-0/0/6 extensive | match "Link mode"
  Link mode: Full-duplex, Flow control: None, Remote fault: OK,

Step 2.9
Return to the session opened for your assigned SRX Series gateway. Use the ping utility and attempt to ping the IP addresses assigned to the VLAN interfaces defined on your EX Series switch. Refer to the network diagram for this lab, if needed.

lab@srxD-1> ping 172.23.y1.1 count 10 rapid
PING 172.23.11.1 (172.23.11.1): 56 data bytes

--- 172.23.11.1 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.073/2.999/6.528/1.718 ms

lab@srxD-1> ping 172.23.y2.1 count 10 rapid
PING 172.23.12.1 (172.23.12.1): 56 data bytes

--- 172.23.12.1 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss

Question: Do the ping tests succeed?

Answer: Yes, at this time the ping tests should succeed. If your ping tests do not succeed, check your configuration and, if needed, work with the remote team and your instructor.

Part 3: Configuring and Monitoring BPDU Protection

In this lab part, you will enable some protection features. First, you will enable the ge-0/0/9.0 interface for Layer 2 operations as an edge port. Next, you will configure BPDU protection and monitor the effects of this protection feature. Finally, you will administratively clear a BPDU error condition.

Step 3.1
Return to the session opened for your assigned EX Series switch. Enter configuration mode and navigate to the [edit interfaces] hierarchy level.

{master:0}
lab@exD-1> configure
Entering configuration mode

{master:0}[edit]
lab@exD-1# edit interfaces

{master:0}[edit interfaces]
lab@exD-1#

Step 3.2
Enable ge-0/0/9 for Layer 2 operations as an access port for the default VLAN.

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/9 unit 0 family ethernet-switching

Step 3.3
Navigate to the [edit protocols rstp] hierarchy. Define ge-0/0/9.0 as an edge port. Next, issue the commit command to activate the configuration changes.

{master:0}[edit interfaces]
lab@exD-1# top edit protocols rstp

{master:0}[edit protocols rstp]
lab@exD-1# set interface ge-0/0/9.0 edge

{master:0}[edit protocols rstp]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit protocols rstp]
lab@exD-1#

Step 3.4
Issue the run show spanning-tree interface ge-0/0/9.0 detail command.

{master:0}[edit protocols rstp]
lab@exD-1# run show spanning-tree interface ge-0/0/9.0 detail

Spanning tree interface parameters for instance 0

Interface name                   : ge-0/0/9.0
Port identifier                  : 128.522
Designated port ID               : 128.522
Port cost                        : 20000
Designated bridge ID             : 32768.00:19:e2:51:65:80
Port role                        : Designated
Link type                        : Pt-Pt/EDGE
Boundary port                    : NA

Question: Is ge-0/0/9.0 designated as an edge port?

Answer: Yes, ge-0/0/9.0 should now be designated as a point-to-point edge (Pt-Pt/EDGE) interface, as shown in the sample output.

Question: What is the state and role of ge-0/0/9.0?

Answer: At this time the newly added interface should be present in the generated output and should assume the forwarding state and designated role.

Step 3.5
Enable the BPDU protection feature under the [edit protocols rstp] hierarchy and activate the configuration change using the commit command.

{master:0}[edit protocols rstp]
lab@exD-1# set bpdu-block-on-edge

{master:0}[edit protocols rstp]
lab@exD-1# commit
configuration check succeeds
commit complete

Step 3.6
Issue the run show ethernet-switching interfaces command.

{master:0}[edit protocols rstp]
lab@exD-1# run show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/1.0   down   default            untagged  blocked by STP
ge-0/0/6.0   up     v11           11   untagged  unblocked
ge-0/0/7.0   up     v12           12   untagged  unblocked
ge-0/0/8.0   up     v11           11   tagged    unblocked
                    v12           12   tagged    unblocked
                    v21           21   tagged    unblocked
                    v22           22   tagged    unblocked
ge-0/0/9.0   up     default            untagged  unblocked
ge-0/0/10.0  up     v11           11   tagged    blocked by STP
                    v12           12   tagged    blocked by STP
                    v21           21   tagged    blocked by STP
                    v22           22   tagged    blocked by STP

Question: What are the interface and blocking states for ge-0/0/9.0?

Answer: The interface and blocking states for interface ge-0/0/9.0 should be up and unblocked respectively.

Step 3.7
Return to the session opened for your assigned SRX Series gateway. Enter configuration mode and navigate to the [edit interfaces] hierarchy level.

lab@srxD-1> configure
Entering configuration mode

[edit]
lab@srxD-1# edit interfaces

[edit interfaces]
lab@srxD-1#

Step 3.8
Activate the ge-0/0/9 interface. Next, issue the commit command to activate the configuration change.

[edit interfaces]
lab@srxD-1# show ge-0/0/9
##
## inactive: interfaces ge-0/0/9
##
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }
}

[edit interfaces]
lab@srxD-1# activate ge-0/0/9

[edit interfaces]
lab@srxD-1# commit
commit complete

Step 3.9
Return to the session opened for your assigned EX Series switch. Issue the run show ethernet-switching interfaces command to determine the current state of the ge-0/0/9.0 interface.

{master:0}[edit protocols rstp]
lab@exD-1# run show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/1.0   down   default            untagged  blocked by STP
ge-0/0/6.0   up     v11           11   untagged  unblocked
ge-0/0/7.0   up     v12           12   untagged  unblocked
ge-0/0/8.0   up     v11           11   tagged    unblocked
                    v12           12   tagged    unblocked
                    v21           21   tagged    unblocked
                    v22           22   tagged    unblocked
ge-0/0/9.0   down   default            untagged  Disabled by bpdu-control
ge-0/0/10.0  up     v11           11   tagged    blocked by STP
                    v12           12   tagged    blocked by STP
                    v21           21   tagged    blocked by STP
                    v22           22   tagged    blocked by STP

Question: What are the interface and blocking states for ge-0/0/9.0?

Answer: The interface and blocking states for interface ge-0/0/9.0 should be down and Disabled by bpdu-control respectively.

Step 3.10
Issue the run show spanning-tree interface ge-0/0/9.0 detail command.

{master:0}[edit protocols rstp]
lab@exD-1# run show spanning-tree interface ge-0/0/9.0 detail

Spanning tree interface parameters for instance 0

Interface name                   : ge-0/0/9.0
Port identifier                  : 128.522
Designated port ID               : 128.522
Port state                       : Blocking
Designated bridge ID             : 4096.00:26:88:02:74:90
Port role                        : Disabled (Bpdu-Inconsistent)
Link type                        : Pt-Pt/EDGE
Boundary port                    : NA

Question: What is the state and role of ge-0/0/9.0?

Answer: Currently, the ge-0/0/9.0 interface should show the Blocking state and Disabled (Bpdu-Inconsistent) port role.

Step 3.11
Return to the session opened for your assigned SRX Series gateway. Deactivate the ge-0/0/9 interface. Next, issue the commit and-quit command to activate the configuration change and return to operational mode.

[edit interfaces]
lab@srxD-1# deactivate ge-0/0/9

[edit interfaces]
lab@srxD-1# show ge-0/0/9
##
## inactive: interfaces ge-0/0/9
##
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }
}

[edit interfaces]
lab@srxD-1# commit and-quit
commit complete
Exiting configuration mode

lab@srxD-1>

Step 3.12
Return to the session opened for your assigned EX Series switch.
Clear the current BPDU error condition. Next, issue the run show ethernet-switching interfaces ge-0/0/9.0 command to verify the error condition has been cleared.

{master:0}[edit protocols rstp]
lab@exD-1# run clear ethernet-switching bpdu-error

{master:0}[edit protocols rstp]
lab@exD-1# run show ethernet-switching interfaces ge-0/0/9.0
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/9.0   up     default            untagged  unblocked

Question: Has the error condition been administratively removed?

Answer: Yes, as shown in the sample output, the error condition should now be gone thanks to the illustrated clear command. If the error condition persists, check the configurations on your assigned devices and, if needed, work with your instructor.

Tell your instructor that you have completed Lab 3.

Lab 4
Implementing Port Security (Detailed)

Overview

This lab demonstrates basic configuration and monitoring tasks when implementing port security features on EX Series Ethernet Switches. In this lab, you use the command-line interface (CLI) to configure and monitor various port security features.

The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:
• Update the existing configuration.
• Configure and monitor MAC limiting.
• Configure and monitor DHCP snooping and IP source guard.

Part 1: Modifying the Existing Configuration

In this lab part,
you will modify the existing configuration on your assigned devices to prepare for subsequent lab parts. Refer to the network diagram for this lab as needed.

Step 1.1

On your EX Series switch, ensure you are positioned at the [edit protocols rstp] hierarchy level. Next, delete all defined parameters under the [edit protocols rstp] hierarchy. Note that this should leave the RSTP protocol enabled.

{master:0}[edit protocols rstp]
lab@exD-1# show
interface ge-0/0/9.0 {
    edge;
}
bpdu-block-on-edge;

{master:0}[edit protocols rstp]
lab@exD-1# delete
Delete everything under this level? [yes,no] (no) yes

Step 1.2

Navigate to the [edit interfaces] hierarchy level and delete the ge-0/0/2, ge-0/0/9, and ge-0/0/10 interfaces.

{master:0}[edit protocols rstp]
lab@exD-1# top edit interfaces

{master:0}[edit interfaces]
lab@exD-1# delete ge-0/0/2

{master:0}[edit interfaces]
lab@exD-1# delete ge-0/0/9

{master:0}[edit interfaces]
lab@exD-1# delete ge-0/0/10

{master:0}[edit interfaces]
lab@exD-1# show
ge-0/0/6 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members v11;
            }
        }
    }
}
ge-0/0/7 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members v12;
            }
        }
    }
}
ge-0/0/8 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members all;
            }
        }
    }
}
me0 {
    unit 0 {
        family inet {
            address 10.210.14.147/27;
        }
    }
}
vlan {
    unit 11 {
        family inet {
            address .../24;
        }
    }
    unit 12 {
        family inet {
            address 172.23.12.1/24;
        }
    }
}

Step 1.3

Navigate to the [edit ethernet-switching-options] hierarchy and increase the MAC table aging interval to 1000 seconds from the default value of 300 seconds. Activate the change using the commit command.

Note: We increase the MAC aging timer to extend the life of the bridge table entries for testing purposes during this lab. This is not required or necessarily recommended in most production environments.
{master:0}[edit interfaces]
lab@exD-1# top edit ethernet-switching-options

{master:0}[edit ethernet-switching-options]
lab@exD-1# set mac-table-aging-time 1000

{master:0}[edit ethernet-switching-options]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit ethernet-switching-options]
lab@exD-1#

Step 1.4

Return to the session opened for your assigned SRX Series Services Gateway.

Enter configuration mode and navigate to the [edit interfaces] hierarchy.

[edit]
lab@srxD-1# edit interfaces

[edit interfaces]
lab@srxD-1#

Step 1.5

Deactivate the ge-0/0/1, ge-0/0/2, and ge-0/0/10 interfaces. Issue the commit and-quit command to activate the configuration changes and return to operational mode.

[edit interfaces]
lab@srxD-1# deactivate ge-0/0/1

[edit interfaces]
lab@srxD-1# deactivate ge-0/0/2

[edit interfaces]
lab@srxD-1# deactivate ge-0/0/10

[edit interfaces]
lab@srxD-1# commit and-quit
commit complete
Exiting configuration mode

lab@srxD-1>

Step 1.6

Use the ping utility to verify reachability from your assigned SRX Series gateway to the virtual routers attached to your EX Series switch. Refer to the network diagram for this lab as needed.

lab@srxD-1> ping 172.23.y1.100 rapid count 10
PING 172.23.11.100 (172.23.11.100): 56 data bytes
--- 172.23.11.100 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.918/1.587/6.659/1.632 ms

lab@srxD-1> ping 172.23.y2.100 rapid count 10
PING 172.23.12.100 (172.23.12.100): 56 data bytes
--- 172.23.12.100 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.062/1.542/6.324/1.682 ms

Question: Do the ping tests succeed?

Answer: Yes, the ping tests should succeed as illustrated in the sample output.

Part 2: Configuring and Monitoring MAC Limiting

In this lab part, you will configure and monitor MAC limiting. First, you will verify the current dynamically learned MAC entries in the bridge table match the expected MAC addresses listed on the network diagram for this lab. Next, you will configure MAC limiting. Finally, you will make some configuration adjustments on your assigned SRX Series gateway to verify the effects of MAC limiting. You will need to refer to the network diagram for this lab for some verification tasks.

Step 2.1

Return to the session opened for your assigned EX Series switch.

Issue the run show ethernet-switching table command. Compare the dynamically learned MAC addresses against those listed on the network diagram.

{master:0}[edit ethernet-switching-options]
lab@exD-1# run show ethernet-switching table
Ethernet-switching table: 10 entries, 4 learned
  VLAN   MAC address         Type    Age    Interfaces
  v11    00:26:88:02:74:86   Learn   3:31   ge-0/0/6.0
  v11    00:26:88:02:74:90   Learn   3:38   ge-0/0/8.0
  v12    *                   Flood   -      All-members
  v12    00:26:88:02:74:87   Learn   3:09   ge-0/0/7.0

round-trip min/avg/max/stddev = 0.975/2.523/10.099/3.013 ms

lab@srxD-1> ping 172.23.y2.100 rapid count 10

Question: Is traffic currently permitted through the access ports defined on your assigned switch?

Answer: Yes, traffic should currently be permitted through both access ports on all student switches.
If traffic is not permitted at this time, check your work and, if needed, consult with your instructor.

Step 2.5

Enter configuration mode and navigate to the [edit interfaces] hierarchy.

lab@srxD-1> configure
Entering configuration mode

[edit]
lab@srxD-1# edit interfaces

[edit interfaces]
lab@srxD-1#

Step 2.6

Change the currently defined MAC addresses by reversing the last two digits (:86 becomes :68 and :87 becomes :78). Activate the configuration changes.

[edit interfaces]
lab@srxD-1# show ge-0/0/6
mac 00:26:88:02:74:86;
unit 0 {
    family inet {
        address 172.23.11.100/24;
    }
}

[edit interfaces]
lab@srxD-1# show ge-0/0/7
mac 00:26:88:02:74:87;
unit 0 {
    family inet {
        address 172.23.12.100/24;
    }
}

[edit interfaces]
lab@srxD-1# set ge-0/0/6 mac 00:26:88:02:74:68

[edit interfaces]
lab@srxD-1# set ge-0/0/7 mac 00:26:88:02:74:78

[edit interfaces]
lab@srxD-1# show ge-0/0/6
mac 00:26:88:02:74:68;
unit 0 {
    family inet {
        address 172.23.11.100/24;
    }
}

[edit interfaces]
lab@srxD-1# show ge-0/0/7
mac 00:26:88:02:74:78;
unit 0 {
    family inet {
        address 172.23.12.100/24;
    }
}

Step 2.7

Use the run ping command and verify reachability from your SRX Series gateway to the virtual routers now that the MAC addresses associated with the virtual routers have been changed.

[edit interfaces]
lab@srxD-1# run ping 172.23.y1.100 rapid count 10
PING 172.23.11.100 (172.23.11.100): 56 data bytes
--- 172.23.11.100 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

[edit interfaces]
lab@srxD-1# run ping 172.23.y2.100 rapid count 10
PING 172.23.12.100 (172.23.12.100): 56 data bytes
--- 172.23.12.100 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

Question: Do the ping tests succeed? Why?
Answer: No, as shown in the sample output, the ping tests should not succeed at this time. This is the expected behavior based on the current MAC limiting configuration applied to the student EX Series switches.

Step 2.8

Return to the session opened for your assigned EX Series switch.

Issue the show ethernet-switching interfaces command to view the current interface and blocking state of the Layer 2 interfaces.

{master:0}
lab@exD-1> show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/6.0   up     v11           11   untagged  unblocked
ge-0/0/7.0   down   v12           12   untagged  MAC limit exceeded
ge-0/0/8.0   up     v11           11   tagged    unblocked
                    v12           12   tagged    unblocked
                    v21           21   tagged    unblocked
                    v22           22   tagged    unblocked

Question: What is the current interface and blocking state of the ge-0/0/7.0 interface?

Answer: As shown in the sample output, the ge-0/0/7.0 interface shows an interface and blocking state of down and MAC limit exceeded respectively.

Step 2.9

Issue the clear ethernet-switching port-error interface ge-0/0/7.0 command to clear the current MAC limiting violation.

{master:0}
lab@exD-1> clear ethernet-switching port-error interface ge-0/0/7.0

Step 2.10

Issue the show ethernet-switching interfaces command to verify the MAC limiting violation has been cleared and that the interface and blocking states have been restored to up and unblocked respectively.

{master:0}
lab@exD-1> show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/6.0   up     v11           11   untagged  unblocked
ge-0/0/7.0   up     v12           12   untagged  unblocked
ge-0/0/8.0   up     v11           11   tagged    unblocked
                    v12           12   tagged    unblocked
                    v21           21   tagged    unblocked
                    v22           22   tagged    unblocked

Question: What is the current interface and blocking state of the ge-0/0/7.0 interface?
Answer: As shown in the sample output, the ge-0/0/7.0 interface shows an interface and blocking state of up and unblocked respectively.

Step 2.11

Return to the session opened for your assigned SRX Series gateway.

Issue the rollback 1 command followed by the commit and-quit command to revert back to the original MAC addresses for ge-0/0/6.0 and ge-0/0/7.0.

[edit]
lab@srxD-1# show | compare rollback 1
[edit interfaces ge-0/0/6]
-   mac 00:26:88:02:74:86;
+   mac 00:26:88:02:74:68;
[edit interfaces ge-0/0/7]

[edit]
lab@srxD-1# rollback 1

[edit]
lab@srxD-1# commit and-quit
commit complete
Exiting configuration mode

Step 2.12

Use the ping utility once again to verify reachability from your gateway to the virtual routers attached to your switch has been restored.

lab@srxD-1> ping 172.23.y1.100 rapid count 10
PING 172.23.11.100 (172.23.11.100): 56 data bytes
round-trip min/avg/max/stddev = 0.905/1.013/2.216/0.085 ms

lab@srxD-1> ping 172.23.y2.100 rapid count 10
PING 172.23.12.100 (172.23.12.100): 56 data bytes
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.902/0.995/1.598/0.030 ms

Question: Do the ping tests now succeed?

Answer: Yes, as shown in the sample output, the ping tests should now succeed.

Part 3: Configuring and Monitoring DHCP Snooping and IP Source Guard

In this lab part, you will configure and monitor DHCP snooping. You will first define the access ports as untrusted and the trunk port as trusted (default settings for access and trunk ports respectively). You will then enable DHCP snooping for the two local VLANs assigned to your access ports and define some static DHCP snooping database entries.
Finally, you will configure and monitor IP source guard.

Step 3.1

Return to the session opened for your assigned EX Series switch.

On your assigned switch, enter configuration mode and navigate to the [edit ethernet-switching-options secure-access-port] hierarchy.

{master:0}
lab@exD-1> configure
Entering configuration mode

{master:0}[edit]
lab@exD-1# edit ethernet-switching-options secure-access-port

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1#

Step 3.2

Configure ge-0/0/6.0 and ge-0/0/7.0 as DHCP untrusted interfaces and ge-0/0/8.0 as DHCP trusted. Note that these are the default settings for access and trunk ports respectively.

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# set interface ge-0/0/6.0 no-dhcp-trusted

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# set interface ge-0/0/7.0 no-dhcp-trusted

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# set interface ge-0/0/8.0 dhcp-trusted

Step 3.3

Enable DHCP snooping for the VLANs associated with the two access ports defined on your assigned switch.

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# set vlan vy1 examine-dhcp

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# set vlan vy2 examine-dhcp

Step 3.4

Configure two static DHCP snooping database entries: one for each virtual router attached to your assigned switch. Use the information illustrated on the network diagram for this lab.

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# set interface ge-0/0/6.0 static-ip 172.23.y1.100 vlan vy1 mac 00:26:88:02:yy:86

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# set interface ge-0/0/7.0 static-ip 172.23.y2.100 vlan vy2 mac 00:26:88:02:yy:87

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# show interface ge-0/0/6.0
static-ip 172.23.11.100 vlan v11 mac 00:26:88:02:74:86;
allowed-mac 00:26:88:02:74:86;
no-dhcp-trusted;

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# show interface ge-0/0/7.0
mac-limit 1 action shutdown;
static-ip 172.23.12.100 vlan v12 mac 00:26:88:02:74:87;
no-dhcp-trusted;

Step 3.5

Activate the configuration changes using the commit command and issue the run show dhcp snooping binding command to view the DHCP snooping database contents.

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# run show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address      Lease (seconds)  Type    VLAN  Interface
00:26:88:02:74:86   172.23.11.100   -                static  v11   ge-0/0/6.0
00:26:88:02:74:87   172.23.12.100   -                static  v12   ge-0/0/7.0

Question: Are both static DHCP snooping database entries present in the generated output?

Answer: Yes, as shown in the sample output, the DHCP snooping database entries should be present.

Question: Do the details for each entry match the details illustrated on the network diagram for this lab?

Answer: The answer should be yes. This is an opportunity for you to check your work and ensure each entry is defined correctly.

Step 3.6

Deactivate the current MAC limiting configuration associated with ge-0/0/6.0 and ge-0/0/7.0. Use the commit command to activate the configuration changes. Note this task is required to test IP source guard in subsequent lab steps.
{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# deactivate interface ge-0/0/6.0 allowed-mac

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# deactivate interface ge-0/0/7.0 mac-limit

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# commit
configuration check succeeds
commit complete

Step 3.7

Return to the session opened for your assigned SRX Series gateway.

Enter configuration mode and issue the rollback 1 and commit commands to revert back to the previously defined MAC addresses for ge-0/0/6.0 and ge-0/0/7.0.

lab@srxD-1> configure
Entering configuration mode

[edit]
lab@srxD-1# show | compare rollback 1
[edit interfaces ge-0/0/6]
[edit interfaces ge-0/0/7]

[edit]
lab@srxD-1# rollback 1
load complete

[edit]
lab@srxD-1# commit
commit complete

[edit]
lab@srxD-1#

Step 3.8

Use the run ping command to verify traffic is still permitted from your assigned gateway through your EX Series switch to the attached virtual routers.

[edit]
lab@srxD-1# run ping 172.23.y1.100 rapid count 10
--- 172.23.11.100 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.996/2.202/7.189/2.977 ms

[edit]
lab@srxD-1# run ping 172.23.y2.100 rapid count 10
PING 172.23.12.100 (172.23.12.100): 56 data bytes
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.889/0.997/1.210/0.118 ms

Question: Is traffic still permitted from your SRX Series gateway through your EX Series switch to both virtual routers? If yes, why is it still permitted considering the DHCP snooping feature is active?

Answer: Yes, as shown in the sample output, the ICMP traffic is still permitted. Remember that the DHCP snooping feature does not deny non-DHCP related traffic but rather only denies DHCP server-based traffic on untrusted switch ports.

Step 3.9

Return to the session opened for your assigned EX Series switch.

Enable IP source guard for the VLANs associated with the attached virtual routers. Activate the configuration changes and return to operational mode using the commit and-quit command.

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# set vlan vy1 ip-source-guard

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# set vlan vy2 ip-source-guard

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# show
interface ge-0/0/6.0 {
    static-ip 172.23.11.100 vlan v11 mac 00:26:88:02:74:86;
    inactive: allowed-mac 00:26:88:02:74:86;
    no-dhcp-trusted;
}
interface ge-0/0/7.0 {
    inactive: mac-limit 1 action shutdown;
    static-ip 172.23.12.100 vlan v12 mac 00:26:88:02:74:87;
    no-dhcp-trusted;
}
interface ge-0/0/8.0 {
    dhcp-trusted;
}
vlan v11 {
    examine-dhcp;
    ip-source-guard;
}
vlan v12 {
    examine-dhcp;
    ip-source-guard;
}

{master:0}[edit ethernet-switching-options secure-access-port]
lab@exD-1# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

Step 3.10

Issue the show ip-source-guard command to view the IP source guard database information.

{master:0}
lab@exD-1> show ip-source-guard
IP source guard information:
Interface    Tag  IP Address      MAC Address         VLAN
ge-0/0/6.0   0    172.23.11.100   00:26:88:02:74:86   v11
ge-0/0/7.0   0    172.23.12.100   00:26:88:02:74:87   v12

Question: Based on the displayed information, what source IP and MAC addresses should now be permitted through ge-0/0/6.0?

Answer: The answer depends on your assigned device. If you are assigned exD-1 (where D represents your assigned pod), ge-0/0/6.0 should only accept traffic when the source IP and MAC addresses match 172.23.11.100 and 00:26:88:02:74:86 respectively. If you are assigned exD-2 (where D represents your assigned pod), ge-0/0/6.0 should only accept traffic when the source IP and MAC addresses match 172.23.21.100 and 00:26:88:02:6b:86 respectively.

Step 3.11

Return to the session opened for your assigned SRX Series gateway.

Use the run ping command to verify traffic is still permitted from your assigned gateway through your EX Series switch to the attached virtual routers.

[edit]
lab@srxD-1# run ping 172.23.y1.100 rapid count 10
--- 172.23.11.100 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

[edit]
lab@srxD-1# run ping 172.23.y2.100 rapid count 10
PING 172.23.12.100 (172.23.12.100): 56 data bytes
--- 172.23.12.100 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

Question: Is traffic still permitted from your gateway through your EX Series switch to both virtual routers?

Answer: No, as shown in the sample output, the ICMP traffic using an unauthorized source MAC address is no longer permitted now that IP source guard is enabled.

Step 3.12

Issue the rollback 2 and commit and-quit commands to revert back to the originally defined MAC addresses for ge-0/0/6.0 and ge-0/0/7.0 and exit configuration mode. Note that when this task is complete the MAC addresses defined on the specified interfaces should match the MAC addresses listed on the network diagram for this lab.

[edit]
lab@srxD-1# show | compare rollback 2
[edit interfaces ge-0/0/6]
    mac 00:26:88:02:74:86;
[edit interfaces ge-0/0/7]

[edit]
lab@srxD-1# rollback 2

[edit]
lab@srxD-1# commit and-quit
commit complete
Exiting configuration mode

Step 3.13

Use the ping utility to verify traffic is once again permitted from your assigned gateway through your EX Series switch to the attached virtual routers now that the original and authorized MAC addresses have been restored to the interfaces associated with the virtual routers.

lab@srxD-1> ping 172.23.y1.100 rapid count 10
PING 172.23.11.100 (172.23.11.100): 56 data bytes
--- 172.23.11.100 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.932/1.624/7.402/1.926 ms

lab@srxD-1> ping 172.23.y2.100 rapid count 10
PING 172.23.12.100 (172.23.12.100): 56 data bytes
--- 172.23.12.100 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.069/0.962/1.117/0.089 ms

Question: Is traffic once again permitted from your gateway through your EX Series switch to both virtual routers?

Answer: Yes, as shown in the sample output, the ICMP traffic using the original and authorized source MAC addresses is once again permitted.

Tell your instructor that you have completed Lab 4.

Lab 5
Implementing Storm Control and Firewall Filters (Detailed)

Overview

This lab demonstrates basic configuration and monitoring tasks when implementing storm control and firewall filters on EX Series Ethernet Switches. In this lab, you use the command-line interface (CLI) to configure and monitor storm control and firewall filters.

The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:

• Update the existing configuration.
• Configure and monitor storm control.
• Configure and monitor firewall filters.
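The outcomes observed in Lab 4, Parts 2 and 3 (allowed MAC, MAC limit with the shutdown action, static DHCP snooping bindings, and IP source guard) can be reproduced with a small model. This is an added example, not part of the lab guide or Junos code; the AccessPort class, its method names, the order in which the checks run, and the flushing of learned MACs on shutdown are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Addresses from the lab's sample output: original and "reversed" MACs.
ORIG6, ORIG7 = "00:26:88:02:74:86", "00:26:88:02:74:87"
REV6, REV7 = "00:26:88:02:74:68", "00:26:88:02:74:78"
IP6, IP7 = "172.23.11.100", "172.23.12.100"


@dataclass
class AccessPort:
    """Simplified model of one untrusted access port (hypothetical class)."""
    name: str
    vlan: str
    allowed_macs: set = field(default_factory=set)  # allowed-mac (empty = any)
    mac_limit: Optional[int] = None                 # mac-limit N action shutdown
    ip_source_guard: bool = False                   # vlan ... ip-source-guard
    bindings: set = field(default_factory=set)      # snooping DB: (ip, mac, vlan)
    learned: set = field(default_factory=set)
    blocking: str = "unblocked"

    def receive(self, src_mac: str, src_ip: str) -> str:
        """Return 'forward' or the reason an ingress frame is dropped."""
        if self.blocking != "unblocked":
            return "drop: " + self.blocking
        if self.allowed_macs and src_mac not in self.allowed_macs:
            return "drop: MAC not allowed"          # port itself stays up
        if (self.mac_limit is not None and src_mac not in self.learned
                and len(self.learned) >= self.mac_limit):
            self.learned.clear()                    # assumption: flushed on shutdown
            self.blocking = "MAC limit exceeded"
            return "drop: MAC limit exceeded"
        self.learned.add(src_mac)
        if self.ip_source_guard and (src_ip, src_mac, self.vlan) not in self.bindings:
            return "drop: no IP source guard binding"
        return "forward"

    def clear_port_error(self) -> None:
        """Counterpart of 'clear ethernet-switching port-error interface ...'."""
        self.blocking = "unblocked"


def part2_mac_limiting() -> dict:
    """Part 2: allowed-mac on ge-0/0/6.0, mac-limit 1 shutdown on ge-0/0/7.0."""
    p6 = AccessPort("ge-0/0/6.0", "v11", allowed_macs={ORIG6})
    p7 = AccessPort("ge-0/0/7.0", "v12", mac_limit=1)
    r = {"baseline": (p6.receive(ORIG6, IP6), p7.receive(ORIG7, IP7))}
    r["reversed"] = (p6.receive(REV6, IP6), p7.receive(REV7, IP7))
    r["states"] = (p6.blocking, p7.blocking)
    r["before_clear"] = p7.receive(ORIG7, IP7)      # still blocked until cleared
    p7.clear_port_error()
    r["after_clear"] = p7.receive(ORIG7, IP7)
    return r


def part3_source_guard() -> dict:
    """Part 3: static snooping binding, MAC limiting deactivated."""
    p6 = AccessPort("ge-0/0/6.0", "v11", bindings={(IP6, ORIG6, "v11")})
    r = {"snooping_only": p6.receive(REV6, IP6)}    # binding alone filters nothing
    p6.ip_source_guard = True
    r["guard_reversed"] = p6.receive(REV6, IP6)
    r["guard_original"] = p6.receive(ORIG6, IP6)
    r["guard_spoofed_ip"] = p6.receive(ORIG6, "172.23.11.50")  # constructed address
    return r


if __name__ == "__main__":
    for name, fn in (("Part 2", part2_mac_limiting), ("Part 3", part3_source_guard)):
        print(name, fn())
```

The model matches the lab's sample output in that an allowed-mac violation drops frames while ge-0/0/6.0 stays up and unblocked, whereas the mac-limit shutdown action takes ge-0/0/7.0 down until the port error is cleared.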
