Example: Configuring Automatic VLAN Administration Using MVRP on EX Series Switches

As a network expands and the number of clients and VLANs increases, VLAN administration becomes complex and the task of efficiently configuring VLANs on multiple EX Series switches becomes increasingly difficult. To automate VLAN administration, you can enable Multiple VLAN Registration Protocol (MVRP) on the network.

MVRP also creates VLANs dynamically, which further reduces the overhead of configuring VLANs statically on each switch.

Note: Only trunk interfaces can be enabled for MVRP.

This example describes how to use MVRP to automate administration of VLAN membership changes within your network and how to use MVRP to dynamically create VLANs.

Requirements

This example uses the following hardware and software components:

  • Two EX Series access switches
  • One EX Series distribution switch
  • Junos OS Release 10.0 or later for EX Series switches

Overview and Topology

MVRP is used to manage dynamic VLAN registration in a LAN. It can also be used to dynamically create VLANs.

This example uses MVRP to dynamically create VLANs on the switching network. You can disable dynamic VLAN creation and create VLANs statically, if desired. Enabling MVRP on the trunk interface of each switch in your switching network ensures that the active VLAN information for the switches in the network is propagated to each switch through the trunk interfaces, assuming dynamic VLAN creation is enabled for MVRP.

MVRP ensures that the VLAN membership information on the trunk interface is updated as the switch’s access interfaces become active or inactive in the configured VLANs in a static or dynamic VLAN creation setup.

You do not need to explicitly bind a VLAN to the trunk interface. When MVRP is enabled, the trunk interface advertises all the VLANs that are active (bound to access interfaces) on that switch. An MVRP-enabled trunk interface does not advertise VLANs that have been configured on the switch but that are not currently bound to an access interface. Thus, MVRP provides the benefit of reducing network overhead—by limiting the scope of broadcast, unknown unicast, and multicast (BUM) traffic to interested devices only.

When VLAN access interfaces become active or inactive, MVRP ensures that the updated information is advertised on the trunk interface. Thus, in this example, distribution Switch C does not forward traffic to inactive VLANs.

Note: This example shows a network with three VLANs: finance, sales, and lab. All three switches are running the same version of Junos OS. If switches in this network were running a mix of Junos OS releases that included Release 11.3, additional configuration would be necessary—see Configuring Multiple VLAN Registration Protocol (MVRP) (CLI Procedure) for details.

Access Switch A has been configured to support all three VLANs, and all three VLANs are active, bound to interfaces that are connected to personal computers:

  • ge-0/0/1—Connects PC1 as a member of finance, VLAN ID 100
  • ge-0/0/2—Connects PC2 as a member of lab, VLAN ID 200
  • ge-0/0/3—Connects PC3 as a member of sales, VLAN ID 300

Access Switch B has also been configured to support three VLANs. However, currently only two VLANs are active, bound to interfaces that are connected to personal computers:

  • ge-0/0/0—Connects PC4 as a member of finance, VLAN ID 100
  • ge-0/0/1—Connects PC5 as a member of lab, VLAN ID 200

Distribution Switch C learns the VLANs dynamically using MVRP through the connection to the access switches. Distribution Switch C has two trunk interfaces:

  • xe-0/1/1—Connects the switch to access Switch A.
  • xe-0/1/0—Connects the switch to access Switch B.

Figure 1 shows MVRP configured on two access switches and one distribution switch.

Figure 1: MVRP Configured on Two Access Switches and One Distribution Switch for Automatic VLAN Administration

Table 1 explains the components of the example topology.

Table 1: Components of the Network Topology

Settings

Switch hardware

  • Access Switch A
  • Access Switch B
  • Distribution Switch C

VLAN names and tag IDs

  • finance, tag 100
  • lab, tag 200
  • sales, tag 300


Interfaces

Access Switch A interfaces:

  • ge-0/0/1—Connects PC1 to access Switch A.
  • ge-0/0/2—Connects PC2 to access Switch A.
  • ge-0/0/3—Connects PC3 to access Switch A.
  • xe-0/1/1—Connects access Switch A to distribution Switch C (trunk).

Access Switch B interfaces:

  • ge-0/0/0—Connects PC4 to access Switch B.
  • ge-0/0/1—Connects PC5 to access Switch B.
  • xe-0/1/0—Connects access Switch B to distribution Switch C (trunk).

Distribution Switch C interfaces:

  • xe-0/1/1—Connects distribution Switch C to access Switch A (trunk).
  • xe-0/1/0—Connects distribution Switch C to access Switch B (trunk).

Configuring VLANs and MVRP on Access Switch A

To configure VLANs on the switch, bind access interfaces to the VLANs, and enable MVRP on the trunk interface of access Switch A, perform these tasks:

CLI Quick Configuration

To quickly configure access Switch A for MVRP, copy the following commands and paste them into the switch terminal window of Switch A:





Note: As a best practice, this example uses the default MVRP timers: 200 ms for the join timer, 1000 ms for the leave timer, and 10000 ms for the leaveall timer. Setting the timers to inappropriate values can disrupt the operation of MVRP.

Step-by-Step Procedure

To configure access Switch A for MVRP:

  1. Configure the finance VLAN:
  2. Configure the lab VLAN:
  3. Configure the sales VLAN:
  4. Configure an Ethernet interface as a member of the finance VLAN:
  5. Configure an Ethernet interface as a member of the lab VLAN:
  6. Configure an Ethernet interface as a member of the sales VLAN:
  7. Configure a trunk interface:
  8. Enable MVRP on the trunk interface:

Results

Check the results of the configuration on Switch A:

Configuring VLANs and MVRP on Access Switch B

To configure three VLANs on the switch, bind access interfaces for PC4 and PC5 to the VLANs, and enable MVRP on the trunk interface of access Switch B, perform these tasks:

CLI Quick Configuration

To quickly configure Access Switch B for MVRP, copy the following commands and paste them into the switch terminal window of Switch B:






Step-by-Step Procedure

To configure access Switch B for MVRP:

  1. Configure the finance VLAN:
  2. Configure the lab VLAN:
  3. Configure the sales VLAN:
  4. Configure an Ethernet interface as a member of the finance VLAN:
  5. Configure an Ethernet interface as a member of the lab VLAN:
  6. Configure a trunk interface:
  7. Enable MVRP on the trunk interface:

    Note: As a best practice, this example uses the default MVRP timers: 200 ms for the join timer, 1000 ms for the leave timer, and 10000 ms for the leaveall timer. Setting the timers to inappropriate values can disrupt the operation of MVRP.

Results

Check the results of the configuration for Switch B:

Configuring VLANs and MVRP on Distribution Switch C

CLI Quick Configuration

To quickly configure distribution Switch C for MVRP, copy the following commands and paste them into the switch terminal window of distribution Switch C:


Step-by-Step Procedure

To configure distribution Switch C for MVRP:

  1. Configure the trunk interface to access Switch A:
  2. Configure the trunk interface to access Switch B:
  3. Enable MVRP on the trunk interface xe-0/1/1:
  4. Enable MVRP on the trunk interface xe-0/1/0:

Results

Check the results of the configuration for Switch C:

Verification

To confirm that the configuration is updating VLAN membership, perform these tasks:

Verifying That MVRP Is Enabled on Access Switch A

Purpose

Verify that MVRP is enabled on the switch.

Action

Show the MVRP configuration:

Meaning

The results show that MVRP is enabled on the trunk interface of Switch A and that the default timers are used.

Verifying That MVRP Is Updating VLAN Membership on Access Switch A

Purpose

Verify that MVRP is updating VLAN membership by displaying the Ethernet switching interfaces and associated VLANs that are active on Switch A.

Action

List Ethernet switching interfaces on the switch:



Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/1.0   up     finance       100  untagged  unblocked
ge-0/0/2.0   up     lab           200  untagged  unblocked
ge-0/0/3.0   up     sales         300  untagged  unblocked
xe-0/1/1.0   up     finance       100  untagged  unblocked
                    lab           200  untagged  unblocked

Meaning

MVRP has automatically added finance and lab as VLAN members on the trunk interface because they are being advertised by access Switch B.

Verifying That MVRP Is Enabled on Access Switch B

Purpose

Verify that MVRP is enabled on the switch.

Action

Show the MVRP configuration:

Meaning

The results show that MVRP is enabled on the trunk interface of Switch B and that the default timers are used.

Verifying That MVRP Is Updating VLAN Membership on Access Switch B

Purpose

Verify that MVRP is updating VLAN membership by displaying the Ethernet switching interfaces and associated VLANs that are active on Switch B.

Action

List Ethernet switching interfaces on the switch:

Meaning

MVRP has automatically added finance, lab, and sales as VLAN members on the trunk interface because they are being advertised by access Switch A.

Verifying That MVRP Is Enabled on Distribution Switch C

Purpose

Verify that MVRP is enabled on the switch.

Action

Show the MVRP configuration:

Verifying That MVRP Is Updating VLAN Membership on Distribution Switch C

Purpose

Verify that MVRP is updating VLAN membership on distribution Switch C by displaying the Ethernet switching interfaces and associated VLANs on distribution Switch C.

Action

List the Ethernet switching interfaces on the switch:

List the VLANs that were created dynamically using MVRP on the switch:


MVRP dynamic vlans for routing instance 'default-switch'
  (s) static vlan, (f) fixed registration
VLAN ID    Interfaces
100        xe-0/1/1.0
           xe-0/1/0.0
200        xe-0/1/1.0
           xe-0/1/0.0
300        xe-0/1/1.0

Note that this scenario does not have any fixed registration, which is typical when MVRP is enabled.

Meaning

Distribution Switch C has two trunk interfaces. Interface xe-0/1/1.0 connects distribution Switch C to Access Switch A and is therefore updated to show that it is a member of all the VLANs that are active on Switch A. Any traffic for those VLANs will be passed on from distribution Switch C to Switch A, through interface xe-0/1/1.0. Interface xe-0/1/0.0 connects distribution Switch C to Switch B and is updated to show that it is a member of the two VLANs that are active on Switch B. Thus, distribution Switch C sends traffic for finance and lab to both Switch A and Switch B. But distribution Switch C sends traffic for sales only to Switch A.

Distribution Switch C also has three dynamic VLANs created using MVRP: mvrp_100, mvrp_200, and mvrp_300. The dynamically created VLANs mvrp_100 and mvrp_200 are active on interfaces xe-0/1/1.0 and xe-0/1/0.0, and dynamically created VLAN mvrp_300 is active on interface xe-0/1/1.0.
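Because dynamic VLAN creation lets the distribution switch create whatever VLAN a trunk peer advertises, it is worth comparing the dynamic VLAN table against the VLAN IDs that are supposed to exist. The following is an added example, not part of the Juniper documentation: it parses text laid out like the show mvrp dynamic-vlans listing for Switch C and checks it against an allowlist; the sample output (including the extra VLAN 999 in the second sample) and the allowlist are constructed.

```python
import re

# Constructed sample laid out like the 'show mvrp dynamic-vlans' listing for
# distribution Switch C above (same VLAN IDs and trunk interfaces).
SAMPLE_DYNAMIC_VLANS = """\
MVRP dynamic vlans for routing instance 'default-switch'
  (s) static vlan, (f) fixed registration
VLAN ID    Interfaces
100        xe-0/1/1.0
           xe-0/1/0.0
200        xe-0/1/1.0
           xe-0/1/0.0
300        xe-0/1/1.0
"""

# Constructed variant: a peer on the trunk to Switch B has advertised VLAN 999,
# which MVRP would create and start forwarding without any operator action.
SAMPLE_UNEXPECTED = SAMPLE_DYNAMIC_VLANS + "999        xe-0/1/0.0\n"

_VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s*$")   # "100   xe-0/1/1.0"
_CONT_ROW = re.compile(r"^\s+(\S+)\s*$")        # "      xe-0/1/0.0"

def parse_dynamic_vlans(text: str) -> dict:
    """Map each MVRP-learned VLAN ID to the trunk interfaces it is registered on."""
    vlans = {}
    current = None
    for line in text.splitlines():
        m = _VLAN_ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans.setdefault(current, []).append(m.group(2))
        elif current is not None and (m := _CONT_ROW.match(line)):
            vlans[current].append(m.group(1))   # continuation row of the same VLAN
    return vlans

def vlans_by_trunk(vlans: dict) -> dict:
    """Invert the table: the set of VLAN IDs each trunk will now carry."""
    out = {}
    for vid, ifaces in vlans.items():
        for name in ifaces:
            out.setdefault(name, set()).add(vid)
    return out

def unexpected_vlans(vlans: dict, allowed: set) -> dict:
    """VLANs created by MVRP that are not on the allowlist, with the trunks that advertised them."""
    return {vid: ifaces for vid, ifaces in vlans.items() if vid not in allowed}
```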

Modified: 2014-09-24

[edit]
user@Access-Switch-A# show
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members finance;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members lab;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members sales;
                }
            }
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
            }
        }
    }
}
protocols {
    mvrp {
        interface xe-0/1/1.0;
    }
}
vlans {
    finance {
        vlan-id 100;
    }
    lab {
        vlan-id 200;
    }
    sales {
        vlan-id 300;
    }
}

[edit]
user@Access-Switch-B# show
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members finance;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members lab;
                }
            }
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
            }
        }
    }
}
protocols {
    mvrp {
        interface xe-0/1/0.0;
    }
}
vlans {
    finance {
        vlan-id 100;
    }
    lab {
        vlan-id 200;
    }
    sales {
        vlan-id 300;
    }
}

[edit]
user@Distribution-Switch-C# show
interfaces {
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
            }
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
            }
        }
    }
}
protocols {
    mvrp {
        interface xe-0/1/0.0;
        interface xe-0/1/1.0;
    }
}

Switch A:

MVRP configuration
MVRP status                : Enabled
MVRP dynamic VLAN creation : Enabled
MVRP timers (ms):
Interface       Join   Leave    LeaveAll
--------------  -----  -------  --------
all             200    1000     10000
xe-0/1/1.0      200    1000     10000

Interface       Status    Registration Mode
--------------  --------  -----------------
all             Disabled  Normal
xe-0/1/1.0      Enabled   Normal

Switch B:

MVRP configuration
MVRP status                : Enabled
MVRP dynamic VLAN creation : Enabled
MVRP timers (ms):
Interface       Join   Leave    LeaveAll
--------------  -----  -------  --------
all             200    1000     10000
xe-0/1/0.0      200    1000     10000

Interface       Status    Registration Mode
--------------  --------  -----------------
all             Disabled  Normal
xe-0/1/0.0      Enabled   Normal

Switch B:

Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/0.0   up     finance       100  untagged  unblocked
ge-0/0/1.0   up     lab           200  untagged  unblocked
xe-0/1/1.0   up     finance       100  untagged  unblocked
                    lab           200  untagged  unblocked
                    sales         300  untagged  unblocked

Switch C:

MVRP configuration
MVRP status                : Enabled
MVRP dynamic VLAN creation : Enabled
MVRP timers (ms):
Interface       Join   Leave    LeaveAll
--------------  -----  -------  --------
all             200    1000     10000
xe-0/0/1.0      200    1000     10000
xe-0/1/1.0      200    1000     10000

Interface       Status    Registration Mode
--------------  --------  -----------------
all             Disabled  Normal
xe-0/0/1.0      Enabled   Normal
xe-0/1/1.0      Enabled   Normal

Switch C:

Interface    State  VLAN members  Tag  Tagging  Blocking
xe-0/1/1.0   up     __mvrp_100__                unblocked
                    __mvrp_200__                unblocked
                    __mvrp_300__                unblocked
xe-0/1/0.0   up     __mvrp_100__                unblocked
                    __mvrp_200__                unblocked

Configuring IEEE 802.1X Port-Based Authentication

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa new-model
  4. aaa authentication dot1x {default | listname} method1 [method2...]
  5. dot1x system-auth-control
  6. identity profile default
  7. interface type slot/port
  8. dot1x port-control {auto | force-authorized | force-unauthorized}

     • auto: Enables IEEE 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received. The router requests the identity of the supplicant and begins relaying authentication messages between the supplicant and the authentication server. Each supplicant attempting to access the network is uniquely identified by the router by using the supplicant MAC address.
     • force-authorized: Disables IEEE 802.1X authentication and causes the port to change to the authorized state without any authentication exchange required. The port sends and receives normal traffic without IEEE 802.1X-based authentication of the client. This is the default setting.
     • force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate. The router cannot provide authentication services to the supplicant through the port.

  9. end
  10. show dot1x


DETAILED STEPS

Step 1: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3: aaa new-model
  Example: Device(config)# aaa new-model
  Purpose: Enables AAA.

Step 4: aaa authentication dot1x {default | listname} method1 [method2...]
  Example: Device(config)# aaa authentication dot1x default group radius
  Purpose: Defines the list of authentication methods used for IEEE 802.1X so that the device can communicate with the AAA server.

Step 5: dot1x system-auth-control
  Example: Device(config)# dot1x system-auth-control
  Purpose: Globally enables 802.1X port-based authentication.

Step 6: identity profile default
  Example: Device(config)# identity profile default
  Purpose: Creates an identity profile and enters dot1x profile configuration mode.

Step 7: interface type slot/port
  Example: Device(config-identity-prof)# interface fastethernet 0/1
  Purpose: Enters interface configuration mode and specifies the interface to be enabled for 802.1X authentication.

Step 8: dot1x port-control {auto | force-authorized | force-unauthorized}
  Example: Device(config-if)# dot1x port-control auto
  Purpose: Enables 802.1X port-based authentication on the interface. The auto, force-authorized, and force-unauthorized keywords are described under Summary Steps.

Step 9: end
  Example: Device(config-if)# end
  Purpose: Exits interface configuration mode and enters privileged EXEC mode.

Step 10: show dot1x
  Example: Device# show dot1x
  Purpose: Shows that 802.1X authentication has been configured on the device.
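Step 8 makes the point that force-authorized is the default and disables 802.1X on the port, so an access interface with no port-control line at all is forwarding unauthenticated traffic. As an added example (not from the Cisco documentation), the following audit parses a running-config excerpt that uses the commands from this procedure and reports access ports that are not enforcing 802.1X, plus any missing global command; the config text and interface names are constructed.

```python
# Constructed IOS running-config excerpt: commands from the procedure above, made-up interfaces.
SAMPLE_RUNNING_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 dot1x port-control force-authorized
!
interface FastEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

# Global commands from steps 3 and 5; without them the per-port setting does nothing.
REQUIRED_GLOBALS = ("aaa new-model", "dot1x system-auth-control")

def parse_interfaces(config: str) -> dict:
    """Group the indented lines of each 'interface ...' stanza under its interface name."""
    stanzas = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def port_control(stanza: list) -> str:  # force-authorized is the IOS default when unset
    for cmd in stanza:
        if cmd.startswith("dot1x port-control "):
            return cmd.split()[-1]
    return "force-authorized"

def audit_dot1x(config: str) -> dict:
    """Report missing global commands and access ports that forward traffic unauthenticated."""
    lines = {l.strip() for l in config.splitlines()}
    missing = [g for g in REQUIRED_GLOBALS if g not in lines]
    if not any(l.startswith("aaa authentication dot1x ") for l in lines):
        missing.append("aaa authentication dot1x")  # the step 4 method list
    open_ports = [name for name, stanza in parse_interfaces(config).items()
                  if "switchport mode access" in stanza and port_control(stanza) == "force-authorized"]
    return {"missing_globals": missing, "unauthenticated_access_ports": open_ports}
```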

 
