Version 8 (modified by ibaldin, 9 years ago)

--

Notes on setting up and configuring VLANs on the Juniper EX3200 platform

General notes

The EX3200 and related small switches are a flexible inexpensive platform for provisioning VLANs. They are capable of provisioning vlans in trunk or access mode to multiple ports. Their port naming convention is as follows: [ge|xe]-chassis/pic/port.unit where 'ge' refers to Gigabit Ethernet interfaces, XE are 10G optical interfaces.

Configuring configuration access

There are a number of options possible for passing XML commands to the EX3200. This document describes how to enable them. For ORCA we are using SSL based approach.

Configuring a vlan to access ports and passing it over the trunk

In this configuration we are provisioining a slice vlan to a number of access GigE ports and passing it through the uplink 10GE port configured as trunk. First we create the vlan

[edit]
set vlans <vlan name> vlan-description “<Vlan description>”

set vlans <vlan name> vlan-id <numeric vlan tag>

then we add access ports into it

[edit]
set interfaces ge-0/0/46 unit 0 description "<Port description>”

set interfaces ge-0/0/46 unit 0 family ethernet-switching port-mode access

set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members <vlan name>

set vlans <vlan name> interface ge-0/0/46.0

Finally we make sure this vlan goes through the trunk port

[edit]
set interfaces xe-0/1/0 unit 0 description “<Port description>”

set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk

set interfaces xe-0/1/0 unit 0 family ethernet switching vlan members <vlan name>

Unconfiguring a vlan

Use 'delete' instead of 'set'

Committing configuration

[edit]
commit

Creating an SSL certificate for a device

On a host with openssl installed, create a self-signed certificate and package it with the private key (replace XXX with some descriptive name of the device, no spaces allowed):

openssl req -x509 -nodes -newkey rsa:1024 -keyout certificate-file.pem -out junos-ssl-cert-XXX.pem

For the DN inside the certificate you can use something like this:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NC
Locality Name (eg, city) []:Chapel Hill
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RENCI
Organizational Unit Name (eg, section) []:NRIG
Common Name (eg, YOUR name) []:EX3200-Euca-RENCI
Email Address []:ben-ops@renci.org

Installing and enabling the certificate

You can scp the certificate file into the device:

scp junos-ssl-cert-renci-ex3200.pem ex3200.renci.ben:~/

Now ssh to the EX3200 and perform the following commands (replace orca-ssl-cert with whatever name you want to give the certificate):

ibaldin> file list    

/var/home/remote/:
.ssh/
junos-ssl-cert-renci-ex3200.pem

ibaldin> edit            
Entering configuration mode

[edit]
ibaldin# set security certificates local orca-ssl-cert load-key-file ./junos-ssl-cert-renci-ex3200.pem 

[edit]
ibaldin# set system services xnm-ssl local-certificate orca-ssl-cert 

[edit]
ibaldin# commit 
commit complete

This enables the certificate use and also enables SSL-over-TCP command channel with default rate-limited settings.