Category: juniper

Ethernet Ring Protection Switching (G.8032) with Juniper and Cisco

Introduction

The Juniper and Cisco lab used.

In this article we take a look at how to configure an Ethernet Ring Protection Switching (ERPS) between a Cisco ASR 903 and two Juniper MX series routers (a MX 104 and MX 80). This article only shows how to configure the nodes. There are enough articles on the web to explain how ERPS (or G.8032) works.

Topology

To configure ERPS a minimal of three devices  are needed. To have two extra routers to test end-to-end connectivity two logic systems are created on the Juniper routers. The topology looks like:

Topology, click for larger picture, opens in a new tab.

Configure the RPL owner (node1)

To configuration of the RPL owner, the interfaces are configured first:

set interfaces xe-2/0/0 description "Connection to ASR903 gi-0/0/1"
set interfaces xe-2/0/0 vlan-tagging
set interfaces xe-2/0/0 encapsulation flexible-ethernet-services
set interfaces xe-2/0/0 unit 1 family bridge interface-mode trunk
set interfaces xe-2/0/0 unit 1 family bridge vlan-id-list 100-1000
set interfaces xe-2/0/1 description "Connection to mx80 xe-0/0/0"
set interfaces xe-2/0/1 vlan-tagging
set interfaces xe-2/0/1 encapsulation flexible-ethernet-services
set interfaces xe-2/0/1 unit 1 family bridge interface-mode trunk
set interfaces xe-2/0/1 unit 1 family bridge vlan-id-list 100-1000

Next the protection group is configured:

set protocols protection-group ethernet-ring pg101 node-id 00:01:01:00:00:01
set protocols protection-group ethernet-ring pg101 ring-protection-link-owner
set protocols protection-group ethernet-ring pg101 east-interface control-channel vlan 100
set protocols protection-group ethernet-ring pg101 east-interface control-channel xe-2/0/1.1
set protocols protection-group ethernet-ring pg101 east-interface ring-protection-link-end
set protocols protection-group ethernet-ring pg101 west-interface control-channel vlan 100
set protocols protection-group ethernet-ring pg101 west-interface control-channel xe-2/0/0.1
set protocols protection-group ethernet-ring pg101 data-channel vlan 200
set protocols protection-group ethernet-ring pg101 data-channel vlan 300

Next the virtual switch is configured:

set routing-instances vs instance-type virtual-switch
set routing-instances vs interface xe-2/0/0.1
set routing-instances vs interface xe-2/0/1.1
set routing-instances vs interface xe-2/0/2.200
set routing-instances vs bridge-domains bd1 vlan-id 100
set routing-instances vs bridge-domains bd200 vlan-id 200
set routing-instances vs bridge-domains bd300 vlan-id 300

The configuration of the logical system is as follows:

The physical interface is a back-to-back connection to another physical interface on the same router:

set interfaces xe-2/0/3 description "Back-to-back connection to xe-2/0/2"
set interfaces xe-2/0/3 vlan-tagging
set interfaces xe-2/0/3 encapsulation flexible-ethernet-services
set interfaces xe-2/0/3 gigether-options auto-negotiation
set logical-systems LS1 interfaces xe-2/0/3 unit 200 vlan-id 200
set logical-systems LS1 interfaces xe-2/0/3 unit 200 family inet address 10.8.8.1/24

Configuration of Node2

The configuration is almost similar, except there can only be one RPL owner in the ring. So this node is configured as a normal node.

The ring interfaces are configured first:

set interfaces xe-0/0/0 description "Connection to mx104 xe-20/0/1"
set interfaces xe-0/0/0 vlan-tagging
set interfaces xe-0/0/0 encapsulation flexible-ethernet-services
set interfaces xe-0/0/0 unit 1 family bridge interface-mode trunk
set interfaces xe-0/0/0 unit 1 family bridge vlan-id-list 100-1000
set interfaces ge-1/0/0 description "Connection to ASR903 gi-0/0/0"
set interfaces ge-1/0/0 vlan-tagging
set interfaces ge-1/0/0 encapsulation flexible-ethernet-services
set interfaces ge-1/0/0 unit 1 family bridge interface-mode trunk
set interfaces ge-1/0/0 unit 1 family bridge vlan-id-list 100-1000

The configuration of the protection group is as follows:

set protocols protection-group ethernet-ring pg102 east-interface control-channel vlan 100
set protocols protection-group ethernet-ring pg102 east-interface control-channel ge-1/0/0.1
set protocols protection-group ethernet-ring pg102 west-interface control-channel vlan 100
set protocols protection-group ethernet-ring pg102 west-interface control-channel xe-0/0/0.1
set protocols protection-group ethernet-ring pg102 data-channel vlan 200
set protocols protection-group ethernet-ring pg102 data-channel vlan 300

The configuration of the virtual switch:

set routing-instances vs instance-type virtual-switch
set routing-instances vs interface xe-0/0/0.1
set routing-instances vs interface xe-0/0/2.200
set routing-instances vs interface ge-1/0/0.1
set routing-instances vs bridge-domains bd1 vlan-id 100
set routing-instances vs bridge-domains bd200 vlan-id 200
set routing-instances vs bridge-domains bd300 vlan-id 300

The logical system configuration on this node, needs two physical interfaces. To achieve this, the interfaces xe-0/0/1 and xe-0/0/2 are connected back-to-back:

set interfaces xe-0/0/1 description "Back to back connection to xe-0/0/2"
set interfaces xe-0/0/1 vlan-tagging
set interfaces xe-0/0/1 encapsulation flexible-ethernet-services
set interfaces xe-0/0/2 description "Back to back connection to xe-0/0/1"
set interfaces xe-0/0/2 vlan-tagging
set interfaces xe-0/0/2 encapsulation flexible-ethernet-services
set interfaces xe-0/0/2 unit 200 family bridge interface-mode trunk
set interfaces xe-0/0/2 unit 200 family bridge vlan-id-list 200

The logical system is configured as:

set logical-systems LS1 interfaces xe-0/0/1 unit 200 vlan-id 200
set logical-systems LS1 interfaces xe-0/0/1 unit 200 family inet address 10.8.8.2/24

The configuration of node3 (Cisco ASR903)

The configuration start with configuring the g8032 part:

ethernet cfm ieee
ethernet cfm global
ethernet cfm domain g8032_domain level 0
service g8032_domain evc evc_name vlan 100 direction down
continuity-check
continuity-check interval 3.3ms
!
!
ethernet ring g8032 profile g8032_profile
 timer wtr 1
!
ethernet ring g8032 g8032_ring
 port0 interface GigabitEthernet0/0/1
 port1 interface GigabitEthernet0/0/0
 instance 1
  profile g8032_profile
 inclusion-list vlan-ids 100,150-2999
 aps-channel
  level 0
  port0 service instance 1
  port1 service instance 1
  !
 !
!
ethernet evc evc_name
!

Next configure the bridge domains:

bridge-domain 100
bridge-domain 200
bridge-domain 300

Next the ring interfaces are configured:

!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 service instance 1 ethernet evc_name
 encapsulation dot1q 100
 bridge-domain 100
 cfm mep domain g8032_domain mpid 2
  continuity-check static rmep
  rmep mpid 1
!
service instance trunk 1000 ethernet
 encapsulation dot1q 150-2999
 rewrite ingress tag pop 1 symmetric
 bridge-domain from-encapsulation
 !
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 service instance 1 ethernet evc_name
 encapsulation dot1q 100
 bridge-domain 100
  cfm mep domain g8032_domain mpid 1
   continuity-check static rmep
   rmep mpid 2
!
service instance trunk 1000 ethernet
 encapsulation dot1q 150-2999
 rewrite ingress tag pop 1 symmetric
 bridge-domain from-encapsulation
 !
!

Verifying the configuration

On the node1 use the following commands to verify if the ring is working:

show protection-group ethernet-ring configuration

Ethernet Ring configuration information for protection group pg101

G8032 Compatibility Version : 2
East interface (interface 0) : xe-2/0/1.1
West interface (interface 1) : xe-2/0/0.1
Restore interval : 5 minutes
Wait to Block interval : 5 seconds
Guard interval : 500 ms
Hold off interval : 0 ms
Node ID : 00:01:01:00:00:01
Ring ID (1 ... 239) : 1
Node role (normal/rpl-owner/rpl-neighbour) : rpl-owner
Node RPL end : east-port
Revertive mode of operation : 1
RAPS Tx Dot1p priority (0 .. 7) : 0
Node type (normal/open/interconnection) : Normal
Control Vlan : 100
Physical Ring : No
Data Channel Vlan(s) : 200,300

Next check the ring aps status:

run show protection-group ethernet-ring aps
Ethernet Ring Request/state RPL Blocked No Flush BPR Originator Remote Node ID
pg101 NR Yes No 0 Yes NA

Perform the same commands on node2:

show protection-group ethernet-ring configuration

Ethernet Ring configuration information for protection group pg102

G8032 Compatibility Version : 2
East interface (interface 0) : ge-1/0/0.1
West interface (interface 1) : xe-0/0/0.1
Restore interval : 5 minutes
Wait to Block interval : 5 seconds
Guard interval : 500 ms
Hold off interval : 0 ms
Node ID : A8:D0:E5:59:4E:E8
Ring ID (1 ... 239) : 1
Node role (normal/rpl-owner/rpl-neighbour) : normal
Revertive mode of operation : 1
RAPS Tx Dot1p priority (0 .. 7) : 0
Node type (normal/open/interconnection) : Normal
Control Vlan : 100
Physical Ring : No
Data Channel Vlan(s) : 200,300
run show protection-group ethernet-ring aps
Ethernet Ring Request/state RPL Blocked No Flush BPR Originator Remote Node ID
pg102 NR Yes No 0 No 00:01:01:00:00:01

On node3:

show ethernet ring g8032 configuration

Ethernet ring g8032_ring
Port0: GigabitEthernet0/0/1 (Monitor: GigabitEthernet0/0/1)
Port1: GigabitEthernet0/0/0 (Monitor: GigabitEthernet0/0/0)
Exclusion-list VLAN IDs:
Open-ring: no
Instance 1
Description:
Profile: g8032_profile
RPL:
Inclusion-list VLAN IDs: 100,150-2999
APS channel
Level: 0
Port0: Service Instance 1
Port1: Service Instance 1
State: configuration resolved

Next check the status:

show ethernet ring g8032 status
Ethernet ring g8032_ring instance 1 is Normal Node node in Idle State
Port0: GigabitEthernet0/0/1 (Monitor: GigabitEthernet0/0/1)
APS-Channel: GigabitEthernet0/0/1
Status: Non-RPL
Remote R-APS NodeId: 0001.0100.0001, BPR: 0
Port1: GigabitEthernet0/0/0 (Monitor: GigabitEthernet0/0/0)
APS-Channel: GigabitEthernet0/0/0
Status: Non-RPL
Remote R-APS NodeId: 0001.0100.0001, BPR: 0
APS Level: 0
Profile: g8032_profile
WTR interval: 1 minutes
Guard interval: 500 milliseconds
HoldOffTimer: 0 seconds
Revertive mode

On node1 ping is done from the the logical system to the logical system on node2:

ping logical-system LS1 10.8.8.2 count 5
PING 10.8.8.2 (10.8.8.2): 56 data bytes
64 bytes from 10.8.8.2: icmp_seq=0 ttl=64 time=1.128 ms
64 bytes from 10.8.8.2: icmp_seq=1 ttl=64 time=2.468 ms
64 bytes from 10.8.8.2: icmp_seq=2 ttl=64 time=1.004 ms
64 bytes from 10.8.8.2: icmp_seq=3 ttl=64 time=1.025 ms
64 bytes from 10.8.8.2: icmp_seq=4 ttl=64 time=1.340 ms

--- 10.8.8.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.004/1.393/2.468/0.551 ms

How to create layer 2 trunk port and access vlans on a Juniper SRX

Introduction

Creating vlans on a Juniper SRX is not as straight forward if you’re used to Cisco gear for example. In this article I hope to explain how to create:

      • One port as a trunk port
      • Other ports as access port
      • Add a mgmt L3 interface

Creating the trunk port

Let’s first create the trunk port. The interface fe-0/0/0 is used as a uplink port to another switch, and this ports carriers multiple tagged vlans. And it carriers only tagged vlans. No untagged vlan is allowed on this port.

To configure the port as a trunk port, the  port-mode has to be set to “trunk” and the allowed vlans needs to be configured. In this case the tagged vlan id’s are: 100,102:

set interfaces fe-0/0/0 description UPLINK-BB-SLV-LAN-P1.0.12
set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members vlan-100

Note that the vlan names are used, which at this point still needs to be created. It’s also possible to specify the vlanid here:

set interfaces fe-0/0/0 description UPLINK-BB-SLV-LAN-P1.0.12
set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members 102
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members 100

Create the vlans

Creating the vlans is straightforward:

set vlans vlan-100 vlan-id 100
set vlans vlan-102 vlan-id 102

Create the access ports

Creating the access ports is just like creating a trunk port, accept the port-mode is set to .. yes you guessed it.. ‘access‘.  So let’s assume we want to set the ports fe0/0/01 – fe0/0/7 as access ports with vlan 102.

set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/5 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-102
set interfaces fe-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-102

However, this is a lot of typing. With junos it’s possible to use an interface range configuration. This is somewhat different to Cisco’s IOS or IOS-XE.

To use a interface range, first create a interface range name. For example ‘access-ports’. Then the name ‘access-ports’ can be used to add members. Next the properties of the interfaces can be assigned.

This might sound complex, but it’s quite simple and easy to use (and powerful):

set interfaces interface-range access-ports member "fe-0/0/[1-7]"
set interfaces interface-range access-ports unit 0 family ethernet-switching port-mode access
set interfaces interface-range access-ports unit 0 family ethernet-switching vlan members vlan-102

Assign the interfaces to the vlans

In the last step, the interfaces needs to be assigned to the vlans. So to assign the trunk port and access port to vlan 102 we need to do the following:

set vlans vlan-102 interface fe-0/0/0.0
set vlans vlan-102 interface fe-0/0/1.0
set vlans vlan-102 interface fe-0/0/2.0
set vlans vlan-102 interface fe-0/0/3.0
set vlans vlan-102 interface fe-0/0/4.0
set vlans vlan-102 interface fe-0/0/5.0
set vlans vlan-102 interface fe-0/0/6.0
set vlans vlan-102 interface fe-0/0/7.0

Note: the interfaces added are added by using the unit number, which is 0 here.

The above could be done in one command: simply by using the previous defined interface range ‘access-port’:

set vlans vlan-102 interface access-ports

When the an interface range is used, the trunk ports needs to be added as well:

set vlans vlan-102 interface fe-0/0/0.0

At this point the configuration can be committed:

commit

At this point, the layer 2 configuration is complete. The most easiest way to check if everything works is to look at the mac table. The command to do this is:

show ethernet-switching mac-learning-log

If everything is well it’s shows the learned mac addresses.

Create a Layer 3 management interface

To manage the SRX, it might be handy to have management vlan. In this case vlan id 100 is used.

To add a layer 3 vlan interface the next configuration is needed:

First create the vlan interface:

set interfaces vlan unit 100 family inet address 10.90.0.14/24

Next the interface can be added to the vlan 100:

set vlans vlan-100 l3-interface vlan.100

To activate to configuration don’t forget to do a commit:

commit

Password recovery on SRX 100

Password recovery on Juniper SRX 100

One day when I arrived at the office I did find a little blue box on my desk, which turned out to be a Juniper SRX 100 firewall. While looking at this tiny device I remembered that a colleague of my told me he would give a Juniper SRX to me.

And since I really like hardware, even the small boxes 🙂 I’m very pleased he brought this SRX, and give it to me.. So a big thanks!

Up for a challenge

At the end of the day, well actually later that evening, after I had something to eat, it was time to power the SRX on. The original adapter was missing, but since I got a box full of adapters , finding the right adapter shouldn’t be a problem. And sure enough.. after a while I came up with an adapter which delivers 12V and 1.5A.

The adapter has its ground (-) on the outerside, and the plus (+) on the middle pin.

The SRX needs 12V and 1A, so this adapter will do just fine. After searching for a console cable (a standard Cisco console cable just works) I connected the SRX, plugged in the console and power, and switched the device on.

After a few moments I was greeted with a banner, telling me the device once belonged to Ziggo. And that also told me right away that a simple password recovery is not going to work.

The SRX has a reset button, which can be used to reset the password..  However through a configuration setting this button can be disabled.. And since this device once belong to Ziggo, I know for sure that they disabled this button. Of course I tried the reset button.. and yes.. it did nothing at all.

So how to get into this device….

Using an USB device

Their is only one way around this.. and that is: installing / upgrading the SRX. This can be done by putting a Junos image (.tgz file) on a USB device, or putting the image on a tftp server.

The first problem is: how to get a Junos file.. Well I don’t have a support contract with Juniper.. so I had to google for a while but finally found a torrent file.

This is however not recommended, for one: it’s illegal. And two: the image can be tempered with, and could hide some nasty stuff.  I don’t like the illegal stuff, and in my lab I can perfectly live with the possible security risk.

Anyway, once I got the software I formatted a USB stick, and copied the junos image. After inserting the usb stick in the SRX 100 I interrupted the boot sequence. This can be done by hitting the spacebar while connected to the serial console at boot time.

Once the boot process was interrupted I was looking for a command “install”. Unfortunately this command was not present in the u-shell.

So I rebooted pressing the reset button while booting, and this activated a second boot partition. This version had the install command.

From there I tried o load the image from the USB stick.. but that didn’t work. Well not to worry.. I got a tftp server.. Copied over the junos image to my tftp server and started a install by tftp..

 

And that worked 🙂 After completing the upgrade.. I can logging with the root user and no password.