Professional Documents
Culture Documents
Published: 2013-10-14
ii
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Part 1
Overview
Chapter 1
Chapter 2
Chapter 3
Part 2
Configuration
Chapter 4
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Example: Configuring Storm Control to Prevent Network Outages on EX Series
Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 5
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Configuring Unknown Unicast Forwarding (CLI Procedure) . . . . . . . . . . . . . . . . . . 17
Configuring Autorecovery From the Disabled State on Secure or Storm Control
Interfaces (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Disabling or Enabling Storm Control (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . 18
Disabling Storm Control on Broadcast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . 20
Disabling Storm Control on All Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . 20
Disabling Storm Control on Registered Multicast Traffic (EX8200 Switches
Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Disabling Storm Control on Unregistered Multicast Traffic (EX8200 Switches
Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Disabling Storm Control on Unknown Unicast Traffic . . . . . . . . . . . . . . . . . . . 20
Enabling Storm Control on Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
iii
Chapter 6
Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
[edit ethernet-switching-options] Configuration Statement Hierarchy . . . . . . . . 23
action-shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
disable-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
ethernet-switching-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
no-broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
no-multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
no-registered-multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
no-unknown-unicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
no-unregistered-multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
port-error-disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
storm-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
unknown-unicast-forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Part 3
Administration
Chapter 7
Routine Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface . . . 45
Verifying That the Port Error Disable Setting Is Working Correctly . . . . . . . . . . . . . 46
Chapter 8
Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
show ethernet-switching table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Part 4
Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
iv
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Part 3
Administration
Chapter 8
Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Table 3: show ethernet-switching table Output Fields . . . . . . . . . . . . . . . . . . . . . 49
vi
To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
EX Series
vii
If the example configuration does not start at the top level of the hierarchy, the example
is a snippet. In this case, use the load merge relative command. These procedures are
described in the following sections.
From the HTML or PDF version of the manual, copy a configuration example into a
text file, save the file with a name, and copy the file to a directory on your routing
platform.
For example, copy the following configuration to a file and name the file ex-script.conf.
Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
system {
scripts {
commit {
file ex-script.xsl;
}
}
}
interfaces {
fxp0 {
disable;
unit 0 {
family inet {
address 10.0.0.1/24;
}
}
}
}
2. Merge the contents of the file into your routing platform configuration by issuing the
Merging a Snippet
To merge a snippet, follow these steps:
1.
From the HTML or PDF version of the manual, copy a configuration snippet into a text
file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file
ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory
on your routing platform.
commit {
file ex-script-snippet.xsl; }
2. Move to the hierarchy level that is relevant for this snippet by issuing the following
viii
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the
For more information about the load command, see the CLI User Guide.
Documentation Conventions
Table 1 on page ix defines notice icons used in this guide.
Meaning
Description
Informational note
Caution
Warning
Laser warning
Table 2 on page ix defines the text and syntax conventions used in this guide.
Description
Examples
ix
Description
Examples
| (pipe symbol)
broadcast | multicast
# (pound sign)
[ ] (square brackets)
; (semicolon)
[edit]
root@# set system domain-name
domain-name
[edit]
routing-options {
static {
route default {
nexthop address;
retain;
}
}
}
GUI Conventions
Bold text like this
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
JTAC hours of operationThe JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
xi
xii
PART 1
Overview
CHAPTER 1
Access privilege levels configurable for login classes and user templates.
gaining access to the LAN. EX Series switches support Extensible Authentication Protocol
(EAP) methods, including EAP-MD5, EAP-TLS, EAP-TTLS, and EAP-PEAP.
Port SecurityAccess port security features include:
DHCP snoopingFilters and blocks ingress DHCP server messages on untrusted ports;
builds and maintains an IP-address/MAC-address binding database (called the DHCP
snooping database).
Dynamic ARP inspection (DAI)Prevents ARP spoofing attacks. ARP requests and
replies are compared against entries in the DHCP snooping database, and filtering
decisions are made based on the results of those comparisons.
MAC move limitingDetects MAC movement and MAC spoofing on access ports.
Trusted DHCP serverWith a DHCP server on a trusted port, protects against rogue
DHCP servers sending leases.
DHCP option 82Also known as the DHCP relay agent information option. Helps
protect the EX Series switch against attacks such as spoofing (forging) of IP addresses
and MAC addresses and DHCP IP address starvation. Option 82 provides information
about the network location of a DHCP client, and the DHCP server uses this information
to implement IP addresses or other parameters for the client.
Unrestricted proxy ARPThe switch responds to all ARP messages with its own MAC
address. Hosts that are connected to the switchs interfaces cannot communicate
directly with other hosts. Instead, all communications between hosts go through the
switch.
Restricted proxy ARPThe switch does not respond to an ARP request if the physical
networks of the source and target of the ARP request are the same. It does not matter
whether the destination host has the same IP address as the incoming interface or a
different (remote) IP address. An ARP request for a broadcast address elicits no reply.
Device SecurityStorm control permits the switch to monitor unknown unicast and
broadcast traffic and drop packets, or shut down, or temporarily disable the interface
when a specified traffic level is exceeded, thus preventing packets from proliferating and
degrading the LAN. You can enable storm control on access interfaces or trunk interfaces.
Firewall FiltersAllow auditing of various types of security violations, including attempts
to access the switch from unauthorized locations. Firewall filters can detect such attempts
and create audit log entries when they occur. The filters can also restrict access by limiting
traffic to source and destination MAC addresses, specific protocols, or, in combination
with policers, to specified data rates to prevent denial of service (DoS) attacks.
Related
Documentation
CHAPTER 2
You can change the storm control level for a specific interface by configuring the
bandwidth value for the combined traffic streams that are subject to storm control on
that interface. The type of traffic stream (broadcast, unknown unicast, and multicast)
that is included within the bandwidth consideration depends on which types of traffic
are enabled for storm control monitoring on that interface.
You can enable storm control selectively for multicast traffic on a specific interface or
on all interfaces.
On all switchesYou can disable storm control selectively for either broadcast streams,
or multicast streams, or for unknown unicast streams.
On EX8200 switchesYou can also disable storm control selectively for either
registered multicast traffic, or unregistered multicast traffic, or for both types of
multicast traffic.
The sending and receiving of broadcast, multicast, and unicast packets are part of normal
LAN operation, so to recognize a storm, you must be able to identify when traffic has
reached a level that is abnormal for your LAN. Suspect a storm when operations begin
timing out and network response times slow down. As more packets flood the LAN,
network users might be unable to access servers or e-mail.
Monitor the level of broadcast, multicast, and unknown unicast traffic in the LAN when
it is operating normally. Use this data as a benchmark to determine when traffic levels
are too high. Then configure storm control to set the level at which you want to drop
broadcast traffic, multicast traffic, unknown unicast traffic, or two or all three of those
traffic types.
Related
Documentation
Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces
(CLI Procedure) on page 18
CHAPTER 3
10
PART 2
Configuration
11
12
CHAPTER 4
Configuration Examples
NOTE: Storm control does not apply to multicast traffic by default on EX2200,
EX3200, EX3300, EX4200, and EX6200 switches.
This example shows how to configure storm control on a single EX Series switch:
Requirements on page 13
Configuration on page 14
Requirements
This example uses the following hardware and software components:
13
unicast traffic to be allowed on an interface. You specify the storm control level as the
traffic rate in kilobits per second of the combined applicable traffic streams.
NOTE:
Storm control monitors the level of applicable incoming traffic and compares it with the
level that you specify. If the combined level of the applicable traffic exceeds the specified
level, the switch drops packets for the controlled traffic types. As an alternative to having
the switch drop packets, you can configure it to shut down interfaces or temporarily
disable interfaces (see the action-shutdown statement or the port-error-disable
statement) when the storm control level is exceeded.
The topology used in this example consists of one switch with 24 ports. The switch is
connected to various network devices. This example shows how to configure the storm
control level on interface ge-0/0/0 by setting the level to a traffic rate of 15,000 Kbps,
based on the traffic rate of the combined applicable traffic streams. If the combined
traffic exceeds this level, the switch drops packets for the controlled traffic types to
prevent a network outage.
Configuration
CLI Quick
Configuration
To quickly configure storm control based on the traffic rate in kilobits per second of the
combined traffic streams, copy the following command and paste it into the switch
terminal window:
[edit]
set ethernet-switching-options storm-control interface ge-0/0/0 bandwidth 15000
Step-by-Step
Procedure
Specify the traffic rate in kilobits per second of the combined traffic streams on a
specific interface:
[edit ethernet-switching-options]
user@switch# set storm-control interface ge-0/0/0 bandwidth 15000
Results
14
bandwidth 15000;
}
Related
Documentation
Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces
(CLI Procedure) on page 18
15
16
CHAPTER 5
Configuration Tasks
Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces
(CLI Procedure) on page 18
NOTE: Before you can configure unknown unicast forwarding within a VLAN,
you must first configure that VLAN.
1.
Configure unknown unicast forwarding for a specific VLAN (here, the VLAN name is
employee):
[edit ethernet-switching-options]
user@switch# set unknown-unicast-forwarding vlan employee
2. Specify the trunk interface to which all unknown unicast traffic will be forwarded:
[edit ethernet-switching-options]
user@switch# set unknown-unicast-forwarding vlan employee interface (Unknown Unicast
Forwarding) ge-0/0/3.0
Related
Documentation
Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface on page 45
17
You can configure the switch to automatically restore the disabled interfaces to service
after a specified period of time. Autorecovery applies to all the interfaces that have been
disabled due to MAC limiting, MAC move limiting, or storm control errors.
NOTE: You must specify the disable timeout value for the interfaces to recover
automatically. There is no default disable timeout. If you do not specify a
timeout value, you need to use the clear ethernet-switching port-error command
to clear the errors and restore the interfaces or the specified interface to
service.
To configure autorecovery from the disabled state due to MAC limiting, MAC move limiting,
or storm control shutdown actions:
[edit ethernet-switching-options]
user@switch# set port-error-disable disable-timeout 60
Related
Documentation
Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series
Switches
18
You can disable storm control for all the applicable types of traffic on all interfaces or
on a specified interface, as follows:
On all switchesYou can selectively disable storm control for broadcast streams,
multicast streams, or for unknown unicast streams.
On EX6200 switchesYou can selectively disable storm control for each type of traffic
individually.
You can enable storm control for multicast traffic (both registered and unregistered) on
all interfaces or on a specific interface. This applies to all switches.
This topic describes:
19
20
Related
Documentation
21
22
CHAPTER 6
Configuration Statements
23
nonstop-bridging;
port-error-disable {
disable-timeout timeout;
}
redundant-trunk-group {
group name {
preempt-cutover-timer seconds;
interface
primary;
}
interface
}
}
secure-access-port {
dhcp-snooping-file {
location (DHCP Snooping Database) local_pathname | remote_URL;
timeout seconds;
write-interval seconds;
}
interface (Access Port Security) (all | interface-name) {
allowed-mac {
mac-address-list;
}
(dhcp-trusted | no-dhcp-trusted );
fcoe-trusted;
mac-limit (Access Port Security) limit action action;
no-allowed-mac-log;
persistent-learning;
static-ip ip-address {
vlan (DHCP Bindings on Access Ports) vlan-name;
mac mac-address;
}
}
vlan (Access Port Security) (all | vlan-name) {
(arp-inspection | no-arp-inspection) [
forwarding-class (for DHCP Snooping or DAI Packets) class-name;
}
dhcp-option82 {
circuit-id {
prefix (Circuit ID for Option 82) hostname;
use-interface-description;
use-vlan-id;
}
remote-id {
prefix (Remote ID for Option 82) hostname | mac | none;
use-interface-description;
use-string string;
}
vendor-id [string];
}
(examine-dhcp | no-examine-dhcp) {
forwarding-class (for DHCP Snooping or DAI Packets) class-name;
}
examine-fip {
fc-map fc-map-value;
}
24
(ip-source-guard | no-ip-source-guard);
mac-move-limit limit action action;
}
}
static {
vlan name {
mac mac-address {
next-hop interface-name;
}
}
}
storm-control {
action-shutdown;
interface (all | interface-name) {
bandwidth bandwidth;
no-broadcast;
no-multicast;
no-registered-multicast;
no-unknown-unicast;
no-unregistered-multicast;
}
}
traceoptions (Access Port Security) {
file filename <files number> <no-stamp> <replace> <size size> <world-readable |
no-world-readable>;
flag flag <disable>;
}
unknown-unicast-forwarding {
vlan (Unknown Unicast Forwarding) (all | vlan-name) {
interface (Unknown Unicast Forwarding) interface-name;
}
}
voip {
interface (VoIP) (all | [interface-name | access-ports]) {
vlan (VoIP) vlan-name ;
forwarding-class (VoIP) (assured-forwarding | best-effort | expedited-forwarding |
network-control);
}
}
}
Related
Documentation
Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches
25
action-shutdown
Syntax
Hierarchy Level
Release Information
Description
Default
Required Privilege
Level
Related
Documentation
26
action-shutdown;
[edit ethernet-switching-options storm-control]
If you set both the action-shutdown and the port-error-disable statements, the interfaces
are disabled temporarily and recover automatically when the disable timeout expires.
If you set the action-shutdown statement and do not the specify the port-error-disable
statement, the interfaces that are enabled for storm control are shut down when the
storm control level is exceeded and they do not recover automatically from that
port-error condition. You must issue the clear ethernet-switching port-error command
to clear the port error and restore the interfaces to service.
The action-shutdown option is not enabled. When the storm control level is exceeded,
the switch drops applicable types of traffic on the specified interfaces. Depending upon
the configuration, applicable traffic could include broadcast, unknown unicast, and
multicast traffic.
systemTo view this statement in the configuration.
system-controlTo add this statement to the configuration.
port-error-disable on page 38
disable-timeout on page 28
Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces
(CLI Procedure) on page 18
bandwidth
Syntax
Hierarchy Level
Release Information
Description
bandwidth bandwidth;
[edit ethernet-switching-options storm-control interface (all | interface-name)]
Default
If you omit the bandwidth statement when you configure storm control on an interface,
the storm control level defaults to 80 percent of the combined applicable traffic streams.
Depending upon the configuration, applicable traffic could include broadcast, unknown
unicast, and multicast traffic.
Options
bandwidthTraffic rate in kilobits per second of the combined applicable traffic streams.
27
disable-timeout
Syntax
Hierarchy Level
Release Information
Description
disable-timeout timeout;
[edit ethernet-switching-options port-error-disable]
NOTE: If you modify the timeout value of an existing disable timeout, the
new timeout value does not impact the timing of restoration to service of
currently disabled interfaces that have been configured for automatic
recovery. The new timeout value is applied only during the next occurrence
of a port error.
You can bring up the currently disabled interfaces by running the clear
ethernet-switching port-error command.
Default
Options
28
Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces
(CLI Procedure) on page 18
ethernet-switching-options
Syntax
ethernet-switching-options {
analyzer {
name {
loss-priority priority;
ratio number;
input {
ingress {
interface (all | interface-name);
vlan (vlan-id | vlan-name);
}
egress {
interface (all | interface-name);
}
}
output {
interface interface-name;
vlan (vlan-id | vlan-name) {
no-tag;
}
}
}
}
bpdu-block {
disable-timeout timeout;
interface (all | [interface-name]);
}
dot1q-tunneling {
ether-type (0x8100 | 0x88a8 | 0x9100);
}
interfaces interface-name {
no-mac-learning;
}
mac-notification {
notification-interval seconds;
}
mac-table-aging-time seconds;
nonstop-bridging;
port-error-disable {
disable-timeout timeout;
}
redundant-trunk-group {
group name {
interface interface-name <primary>;
interface interface-name;
}
}
secure-access-port {
dhcp-snooping-file {
location local_pathname | remote_URL;
timeout seconds;
write-interval seconds;
}
29
30
no-unregistered-multicast;
}
}
traceoptions {
file filename <files number> <no-stamp> <replace> <size size> <world-readable |
no-world-readable>;
flag flag <disable>;
}
unknown-unicast-forwarding {
vlan (all | vlan-name) {
interface interface-name;
}
}
voip {
interface (all | [interface-name | access-ports]) {
vlan vlan-name ;
forwarding-class (assured-forwarding | best-effort | expedited-forwarding |
network-control);
}
}
}
Hierarchy Level
Release Information
Description
[edit]
Required Privilege
Level
Related
Documentation
Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches
31
interface
Syntax
Hierarchy Level
Release Information
Description
Default
Options
On EX2200, EX3200, and EX4200 switchesStorm control does not apply by default
to multicast traffic. The factory default configuration enables storm control for
broadcast and unknown unicast traffic on all switch interfaces, with the storm control
level set to 80 percent of the combined broadcast and unknown unicast streams.
allAll interfaces. The storm control settings configured with the all option affect only
those interfaces that have not been individually configured for storm control.
interface-nameName of an interface. The storm control settings configured with the
interface-name option override any settings configured with the all option.
32
interface
Syntax
Hierarchy Level
Release Information
Description
Required Privilege
Level
Related
Documentation
interface interface-name;
[edit ethernet-switching-options unknown-unicast-forwarding vlan (Unknown Unicast
Forwarding)(all|vlan-name)]
show vlans
multicast
Syntax
Hierarchy Level
Release Information
Description
multicast;
[edit ethernet-switching-options storm-control interface (all | interface-name)]
Default
Required Privilege
Level
Related
Documentation
On EX2200, EX3200, and EX4200 switchesStorm control does not apply to multicast
traffic by default.
33
no-broadcast
Syntax
Hierarchy Level
Release Information
Description
Default
Required Privilege
Level
Related
Documentation
34
no-broadcast;
[edit ethernet-switching-options storm-control interface (all | interface-name)]
no-multicast
Syntax
Hierarchy Level
Release Information
Description
Default
Required Privilege
Level
Related
Documentation
no-multicast;
[edit ethernet-switching-options storm-control interface (all | interface-name)]
no-registered-multicast on page 36
no-unregistered-multicast on page 37
35
no-registered-multicast
Syntax
Hierarchy Level
Release Information
Description
Default
Required Privilege
Level
Related
Documentation
no-registered-multicast;
[edit ethernet-switching-options storm-control interface (all | interface-name)]
no-multicast on page 35
no-unregistered-multicast on page 37
no-unknown-unicast
Syntax
Hierarchy Level
Release Information
Description
Default
Required Privilege
Level
Related
Documentation
36
no-unknown-unicast;
[edit ethernet-switching-options storm-control interface (all | interface-name)]
no-unregistered-multicast
Syntax
Hierarchy Level
Release Information
Description
Default
Required Privilege
Level
Related
Documentation
no-unregistered-multicast;
[edit ethernet-switching-options storm-control interface (all | interface-name)]
no-multicast on page 35
no-registered-multicast on page 36
37
port-error-disable
Syntax
Hierarchy Level
Release Information
Description
port-error-disable {
disable-timeout timeout ;
}
[edit ethernet-switching-options]
If you have enabled mac-limit (Access Port Security) with the shutdown option and
enable port-error-disable, the switch disables (rather than shuts down) the interface
when the MAC address limit is reached.
If you have enabled mac-move-limit with the shutdown option and you enable
port-error-disable, the switch disables (rather than shuts down) the interface when
the maximum number of moves to a new interface is reached.
If you have enabled storm-control with the action-shutdown option and you enable
port-error-disable, the switch disables (rather than shuts down) the interface when
applicable traffic exceeds the specified levels. Depending upon the configuration,
applicable traffic could include broadcast, unknown unicast, and multicast traffic.
Default
Required Privilege
Level
Related
Documentation
38
Not enabled.
systemTo view this statement in the configuration.
systemcontrolTo add this statement to the configuration.
action-shutdown on page 26
Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces
(CLI Procedure) on page 18
storm-control
Syntax
storm-control {
action-shutdown;
interface (all | interface-name) {
bandwidth bandwidth;
multicast;
no-broadcast;
no-multicast;
no-registered-multicast;
no-unknown-unicast;
no-unregistered-multicast;
}
}
Hierarchy Level
[edit ethernet-switching-options]
Release Information
Description
Required Privilege
Level
Related
Documentation
39
unknown-unicast-forwarding
Syntax
Hierarchy Level
Release Information
Description
unknown-unicast-forwarding {
vlan (Unknown Unicast Forwarding) (all | vlan-name){
interface (Unknown Unicast Forwarding) interface-name;
}
}
[edit ethernet-switching-options]
NOTE: Before you can configure unknown unicast forwarding within a VLAN,
you must first configure that VLAN.
40
Unknown unicast packets are flooded to all interfaces that belong to the same VLAN.
systemTo view this statement in the configuration.
system-controlTo add this statement to the configuration.
show vlans
vlan
Syntax
Hierarchy Level
Release Information
Description
Specify a VLAN from which unknown unicast packets will be forwarded or specify that
the packets will be forwarded from all VLANS. Unknown unicast packets are forwarded
from a VLAN to a specific trunk interface.
The interface statement is explained separately.
TIP: To display a list of all configured VLANs on the system, including VLANs
that are configured but not committed, type ? after vlan or vlans in your
configuration mode command line. Note that only one VLAN is displayed for
a VLAN range.
Options
allAll VLANs.
vlan-nameName of a VLAN.
Required Privilege
Level
Related
Documentation
show vlans
Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface on page 45
41
42
PART 3
Administration
43
44
CHAPTER 7
Routine Monitoring
Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface on page 45
Verifying That the Port Error Disable Setting Is Working Correctly on page 46
Action
Verify that a VLAN is forwarding all unknown unicast packets (those with unknown
destination MAC addresses) to a single trunk interface instead of flooding unknown
unicast packets across all interfaces that are members of the same VLAN.
Display the forwarding interface for unknown unicast packets for a VLAN (here, the VLAN
name is v1):
user@switch> show configuration ethernet-switching-options
unknown-unicast-forwarding {
vlan v1 {
interface ge-0/0/7.0;
}
}
Meaning
Age
24
37
Interfaces
All-members
ge-0/0/7.0
ge-0/0/3.0
45
Related
Documentation
Action
Verify that the port error disable setting is working as expected on MAC limited, MAC
move limited and rate-limited interfaces on an EX Series switch.
Meaning
Blocking
unblocked
MAC limit exceeded
MAC move limit exceeded
Storm control in effect
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
unblocked
The sample output from the show ethernet-switching interfaces command shows that
three of the down interfaces specify the reason that the interface is disabled:
Port Security) error. The disabled interface is automatically restored to service when
the disable-timeout expires.
Related
Documentation
46
Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces
(CLI Procedure) on page 18
CHAPTER 8
Operational Commands
47
Release Information
Description
Options
interface.
management-vlan(Optional) Display the Ethernet switching table for a management
VLAN.
persistent-mac <interface interface-name>(Optional) Display the persistent MAC
addresses learned for all interfaces or a specified interface. You can use this
command to view entries that you want to clear for an interface that you intentionally
disabled.
sort-by (name | tag)(Optional) Display VLANs in ascending order of VLAN IDs or VLAN
names.
vlan vlan-name(Optional) Display the Ethernet switching table for a specific VLAN.
Required Privilege
Level
Related
Documentation
48
view
Table 3 on page 49 lists the output fields for the show ethernet-switching table command.
Output fields are listed in the approximate order in which they appear.
Field Description
Level of Output
VLAN
All levels
Tag
extensive
All levels
Type
address.
persistent-mac
The time remaining before the entry ages out and is removed from the Ethernet
switching table.
All levels
Interfaces
All levels
Learned
For learned entries, the time which the entry was added to the Ethernet
switching table.
detail, extensive
Nexthop index
detail, extensive
persistent-mac
installed indicates MAC addresses that are in the Ethernet switching table and
uninstalled indicates MAC addresses that could not be installed in the table or
Sample Output
show ethernet-switching table
user@switch> show ethernet-switching table
49
15 learned, 2 persistent
Type
Age Interfaces
Flood
- All-members
Learn
0 ge-0/0/44.0
Static
- Router
Flood
- All-members
Static
- Router
Learn
0 ge-0/0/47.0
Flood
- All-members
Persistent
0 ge-0/0/46.0
Static
- Router
Persistent
0 ge-0/0/46.0
Static
- Router
Flood
- All-members
Static
- Router
Learn
0 ge-0/0/46.0
Static
- Router
Flood
- All-members
Learn
0 ge-0/0/15.0
Static
- Router
Learn
0 ge-0/0/15.0
Flood
- All-members
Static
- Router
Learn
0 ge-0/0/46.0
Static
- Router
Flood
- All-members
Static
- Router
Learn
0 ge-0/0/46.0
Static
- Router
Flood
- All-members
Static
- Router
Learn
0 ge-0/0/46.0
50
T2
T3
T3
T3
T3
T4
T4
T4
[output truncated]
00:19:e2:50:7d:e0
*
00:00:5e:00:01:02
00:19:e2:50:63:e0
00:19:e2:50:7d:e0
*
00:00:5e:00:01:03
00:19:e2:50:63:e0
Static
Flood
Static
Learn
Static
Flood
Static
Learn
0
0
Router
All-members
Router
ge-0/0/46.0
Router
All-members
Router
ge-0/0/46.0
51
52
MAC address
00:10:94:00:05:02
00:10:94:00:06:03
00:10:94:00:07:04
Type
Interface
uninstalled ge-0/0/16.0
uninstalled ge-0/0/16.0
uninstalled ge-0/0/16.0
PART 4
Index
Index on page 55
53
54
M
manuals
comments on.....................................................................x
multicast.....................................................................................33
Index
Symbols
#, comments in configuration statements......................x
( ), in syntax descriptions........................................................x
< >, in syntax descriptions......................................................x
[ ], in configuration statements............................................x
{ }, in configuration statements...........................................x
| (pipe), in syntax descriptions.............................................x
B
bandwidth statement............................................................27
braces, in configuration statements...................................x
brackets
angle, in syntax descriptions.........................................x
square, in configuration statements..........................x
C
comments, in configuration statements..........................x
conventions
text and syntax..................................................................ix
curly braces, in configuration statements........................x
customer support.....................................................................xi
contacting JTAC................................................................xi
D
disable-timeout statement
port-error-disable..........................................................28
documentation
comments on.....................................................................x
N
no-broadcast statement...............................................34, 37
no-multicast statement.......................................................35
no-unknown-unicast statement......................................36
P
parentheses, in syntax descriptions...................................x
port-error-disable statement............................................38
S
show ethernet-switching table command...................48
support, technical See technical support
syntax conventions..................................................................ix
T
technical support
contacting JTAC................................................................xi
topic1
sub-topic...........................................................................48
topic2
sub-topic...........................................................................48
U
unknown-unicast-forwarding statement
rate limiting......................................................................40
V
vlan statement
rate limiting.......................................................................41
E
ethernet-switching-options statement.........................29
F
font conventions.......................................................................ix
I
interface (Storm Control) statement...............26, 32, 39
interface statement
rate limiting.......................................................................33
55
56