Notes on setting up and programmatically configuring VLANs on the Juniper EX3200 platform

General notes

The EX3200 and related small switches are a flexible, inexpensive platform for provisioning VLANs. They can provision VLANs in trunk or access mode on multiple ports. Their port naming convention is [ge|xe]-chassis/pic/port.unit, where 'ge' denotes Gigabit Ethernet interfaces and 'xe' denotes 10G optical interfaces.

Configuring configuration access

There are a number of options for passing XML commands to the EX3200. This document describes how to enable the one used by ORCA, the SSL-based approach (the xnm-ssl service configured below).

Configuring a vlan to access ports and passing it over the trunk

In this configuration we provision a slice VLAN on a number of GigE access ports and pass it through the 10GE uplink port configured as a trunk. First we create the VLAN:

[edit]
set vlans <vlan name> vlan-description "<Vlan description>"

set vlans <vlan name> vlan-id <numeric vlan tag>

then we add the access ports to it:

[edit]
set interfaces ge-0/0/46 unit 0 description "<Port description>"

set interfaces ge-0/0/46 unit 0 family ethernet-switching port-mode access

set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members <vlan name>

set vlans <vlan name> interface ge-0/0/46.0

Finally we make sure this VLAN is carried over the trunk port:

[edit]
set interfaces xe-0/1/0 unit 0 description "<Port description>"

set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk

set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members <vlan name>

Unconfiguring a vlan

Use 'delete' instead of 'set' in the commands above.

Committing configuration

[edit]
commit

Sending commands over the TCP connection

Commands can be a mix of XML and plain text. For example, here is a complete exchange, starting with the login:

EX3200:

<?xml version="1.0" encoding="us-ascii"?>
<junoscript xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:junos="http://xml.juniper.net/junos/10.0S3/junos" schemaLocation="http://xml.juniper.net/junos/10.0S3/junos junos/10.0S3/junos.xsd" os="JUNOS" release="10.0S3.1" hostname="" version="1.0">
<!-- session start at 2010-03-04 16:03:08 EST -->

User:

<?xml version="1.0" encoding="us-ascii"?>
<junoscript version="1.0" hostname="client1" release="9.0R1">
<rpc> <request-login> <username>someuser</username> <challenge-response>somepassword</challenge-response> </request-login> </rpc>

EX3200:

<rpc-reply xmlns:junos="http://xml.juniper.net/junos/10.0S3/junos">
<authentication-response>
<status>success</status>
<message>remote</message>
<login-name>someuser</login-name>
</authentication-response>
</rpc-reply>

User:

<rpc> 
<load-configuration action="merge" format="text"> 
<configuration-text>
vlans { sliceVlan10 { vlan-id 212; } } interfaces { xe-0/0/1 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members sliceVlan10; } } } } }
</configuration-text>
</load-configuration>
</rpc>

EX3200:

<!-- No zombies were killed during the creation of this user interface -->
<!-- user remote, class j-super-user -->
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/10.0S3/junos">
<load-configuration-results>
<load-success/>
</load-configuration-results>
</rpc-reply>

User:

<rpc> <commit-configuration/> </rpc>

EX3200:

<rpc-reply xmlns:junos="http://xml.juniper.net/junos/10.0S3/junos">
<commit-results>
<routing-engine junos:style="normal">
<name>re0</name>
<commit-success/>
</routing-engine>
</commit-results>
</rpc-reply>

User:

<rpc>
<request-end-session/> 
</rpc>

EX3200:

<rpc-reply xmlns:junos="http://xml.juniper.net/junos/10.0S3/junos">
<end-session/>
</rpc-reply>

User:

</junoscript>

EX3200:

<!-- session end at 2010-03-04 16:05:11 EST -->
</junoscript>

Note that commands can be sent as regular text instead of XML (using <configuration-text> instead of <configuration>). To delete elements from the configuration, the word "delete:" must be prepended to the path being deleted, and the statement closed with a ';':

delete: vlans sliceVlan;

inside the <configuration-text>.
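As an added example that is not part of the original notes or of any Juniper code, the following Python (standard library only) renders the VLAN procedure from the earlier sections in the same text format used inside <configuration-text> above, wraps it in the load-configuration RPC from the exchange, and inspects an rpc-reply so that a script only issues commit-configuration after a successful load. The VLAN name, ports and the error reply used in comments are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# One interface unit in Junos text format; %s are the port mode and VLAN name.
SWITCHING = "unit 0 { family ethernet-switching { port-mode %s; vlan { members %s; } } }"


def vlan_config_text(name, vlan_id, access_ports, trunk_port):
    """Text-format stanzas for a slice VLAN on access ports plus the trunk
    uplink: the same statements the 'set' walkthrough above produces."""
    if not 1 <= int(vlan_id) <= 4094:            # valid 802.1Q tag range
        raise ValueError(f"vlan-id out of range: {vlan_id}")
    ifaces = [f"{p} {{ {SWITCHING % ('access', name)} }}" for p in access_ports]
    ifaces.append(f"{trunk_port} {{ {SWITCHING % ('trunk', name)} }}")
    return (f"vlans {{ {name} {{ vlan-id {vlan_id}; }} }} "
            f"interfaces {{ {' '.join(ifaces)} }}")


def delete_vlan_text(name):
    """Removal uses the 'delete:' tag described in the notes."""
    return f"delete: vlans {name};"


def load_config_rpc(config_text, action="merge"):
    """The <rpc> the client sends; the text is XML-escaped before embedding."""
    return (f'<rpc><load-configuration action="{action}" format="text">'
            f"<configuration-text>{escape(config_text)}</configuration-text>"
            f"</load-configuration></rpc>")


def _local(el):
    return el.tag.rsplit("}", 1)[-1]             # drop any XML namespace


def check_reply(reply_xml):
    """Return (ok, detail) for an <rpc-reply>. ok only on <load-success/> or
    <commit-success/>; any *error element (e.g. a constructed xnm:error) fails
    with its message, so a script never commits after a load the switch rejected."""
    root = ET.fromstring(reply_xml)              # leading <!-- --> comments are fine
    for el in root.iter():
        if _local(el).endswith("error"):
            msgs = [c.text for c in el if _local(c) in ("message", "error-message")]
            return False, (msgs[0] or "").strip() if msgs else _local(el)
    for el in root.iter():
        if _local(el) in ("load-success", "commit-success"):
            return True, _local(el)
    return False, "no success element in reply"
```

Sending the RPC over the xnm-ssl channel and reading the reply is left to the caller; the functions only build and check the messages.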

QoS configuration

JUNOS has an extensive array of tools for QoS provisioning. To create rate-limited slices, the most straightforward configuration is a firewall policer referenced from a firewall filter. The filter is then attached as an input filter to a VLAN, like so (note that the rate is in bps and the burst size is in bytes):

ibaldin# show firewall 
family ethernet-switching {
    filter qosFilter {
        term qosRule {
            then {
                count qosCounter;
                policer testPolicer;
            }
        }
    }
}
policer testPolicer {
    if-exceeding {
        bandwidth-limit 500k;
        burst-size-limit 50k;
    }
    then discard;
}

ibaldin# show vlans qosVlan 
description "QoS VLAN";
vlan-id 250;
interface {
    ge-0/0/2.0;
    ge-0/0/1.0;
}
filter {
    input qosFilter;
}
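As an added illustration, not from the original notes or from Junos itself, the Python below is a single-rate token-bucket model of testPolicer that shows how bandwidth-limit (bps) and burst-size-limit (bytes) interact: a burst of up to 50k bytes passes, while sustained traffic above 500 kbps is discarded. It is a simplified model rather than the switch's internal algorithm, and the traffic patterns are constructed.

```python
def parse_junos_rate(value):
    """'500k' -> 500000, '2m' -> 2000000; bare digits pass through. Junos uses
    decimal k/m/g multipliers for these limits."""
    units = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
    value = str(value).strip().lower()
    if value and value[-1] in units:
        return int(float(value[:-1]) * units[value[-1]])
    return int(value)


class Policer:
    """Single-rate token bucket (simplified model, not Junos's implementation):
    the bucket holds at most burst-size-limit bytes and refills at
    bandwidth-limit/8 bytes per second; a packet is forwarded only if enough
    tokens are present, otherwise it takes the 'then discard' action.
    Times are integer milliseconds so the arithmetic stays exact."""

    def __init__(self, bandwidth_limit, burst_size_limit):
        self.rate = parse_junos_rate(bandwidth_limit) / 8 / 1000  # bytes per ms
        self.burst = parse_junos_rate(burst_size_limit)             # bytes
        self.tokens = float(self.burst)     # a fresh policer allows a full burst
        self.last_ms = 0
        self.forwarded = self.discarded = 0

    def packet(self, t_ms, size):
        """Offer a packet of `size` bytes at time t_ms; True if forwarded."""
        self.tokens = min(self.burst, self.tokens + (t_ms - self.last_ms) * self.rate)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            self.forwarded += 1
            return True
        self.discarded += 1                 # exceeded: 'then discard'
        return False


def run_stream(policer, count, size, interval_ms):
    """Offer `count` packets of `size` bytes every interval_ms (constructed
    traffic); return (forwarded, discarded) to compare the effect of the limits."""
    for i in range(count):
        policer.packet(i * interval_ms, size)
    return policer.forwarded, policer.discarded
```

With the values from the filter above, 1500-byte frames arriving every millisecond (about 12 Mbps) are forwarded until the 50k-byte bucket drains, after which only one frame per 24 ms gets through, which is the 500 kbps rate.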

Creating an SSL certificate for a device

On a host with OpenSSL installed, create a self-signed certificate and package it with the private key (replace XXX with a descriptive name for the device; no spaces allowed):

openssl req -x509 -nodes -newkey rsa:1024 -keyout certificate-file.pem -out junos-ssl-cert-XXX.pem

For the DN inside the certificate you can use something like this:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NC
Locality Name (eg, city) []:Chapel Hill
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RENCI
Organizational Unit Name (eg, section) []:NRIG
Common Name (eg, YOUR name) []:EX3200-Euca-RENCI
Email Address []:ben-ops@renci.org

Installing and enabling the certificate

You can scp the certificate file to the device:

scp junos-ssl-cert-XXX.pem ex3200.ip.address.or.FQDN:~/

Now ssh to the EX3200 and run the following commands (replace orca-ssl-cert with whatever name you want to give the certificate):

ibaldin> file list    

/var/home/remote/:
.ssh/
junos-ssl-cert-XXX.pem

ibaldin> edit            
Entering configuration mode

[edit]
ibaldin# set security certificates local orca-ssl-cert load-key-file ./junos-ssl-cert-XXX.pem 

[edit]
ibaldin# set system services xnm-ssl local-certificate orca-ssl-cert 

[edit]
ibaldin# commit 
commit complete

This enables use of the certificate and also enables the SSL-over-TCP command channel with default rate-limit settings.
