Configuring Ethernet Interfaces


Ethernet was developed in the early 1970s at the Xerox Palo Alto Research Center as a data-link control layer protocol for interconnecting computers. It was first widely used at 10 Mbps over coaxial cables and later over unshielded twisted pairs using 10BaseT. More recently, 100BaseTX (Fast Ethernet, 100 Mbps), Gigabit Ethernet (1 Gbps), and 10 Gigabit Ethernet have become available.

Juniper Networks routers support Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet interfaces; a management Ethernet interface, which is an out-of-band management interface within the router; an internal Ethernet interface, which connects the Routing Engine to the Packet Forwarding Engine; and an aggregated Ethernet interface, a logical linkage of Fast Ethernet or Gigabit Ethernet physical connections.

Configuring Ethernet Physical Interface Properties

To configure Fast Ethernet-specific physical interface properties, include the fastether-options statement:

 [edit interfaces interface-name]
 link-mode (full-duplex | half-duplex);
 speed (10m | 100m);
 fastether-options {
   802.3ad aex;
   (flow-control | no-flow-control);
   ingress-rate-limit rate;
   (loopback | no-loopback);
   source-address-filter {
     mac-address;
   }
   (source-filtering | no-source-filtering);
 }

To configure Gigabit Ethernet-specific physical interface properties, include the gigether-options statement:

 [edit interfaces interface-name]
 gigether-options {
   802.3ad aex;
   (flow-control | no-flow-control);
   (loopback | no-loopback);
   source-address-filter {
     mac-address;
   }
   (source-filtering | no-source-filtering);
 }

To configure aggregated Ethernet-specific physical interface properties, include the aggregated-ether-options statement:

 [edit interfaces interface-name]
 aggregated-ether-options {
   (flow-control | no-flow-control);
   (loopback | no-loopback);
   minimum-links number;
   source-address-filter {
     mac-address;
   }
   (source-filtering | no-source-filtering);
 }

On Fast Ethernet and Gigabit Ethernet interfaces, you can associate a physical interface with an aggregated Ethernet interface. To complete the link association, include the 802.3ad statement and specify the interface instance number x; x can range from 0 through 15, for a total of 16 aggregated interfaces:

 802.3ad aex;

On aggregated Ethernet interfaces, you can configure the minimum number of links that must be up for the bundle as a whole to be labeled up by including the minimum-links statement. The default minimum is 1, and the number can be a value from 1 through 8.

 [edit interfaces interface-name aggregated-ether-options]
 minimum-links number;

On aggregated Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces, you can enable source address filtering, which blocks all incoming packets to that interface. To enable the filtering, include the source-filtering statement:

 [edit interfaces interface-name aggregated-ether-options] or
 [edit interfaces interface-name fastether-options] or
 [edit interfaces interface-name gigether-options]
 source-filtering;

When source address filtering is enabled, you can configure the interface to receive packets from specific MAC addresses by specifying the MAC addresses in the source-address-filter statement. Specify the MAC address as nn:nn:nn:nn:nn:nn or nnnn.nnnn.nnnn, where n is a hexadecimal number.

 [edit interfaces interface-name aggregated-ether-options] or
 [edit interfaces interface-name fastether-options] or
 [edit interfaces interface-name gigether-options]
 source-address-filter {
   mac-address;
   <additional mac-address;>
 }

By default, local aggregated Ethernet, Fast Ethernet, or Gigabit Ethernet interfaces connect to a remote system. To place an interface in loopback mode, include the loopback statement:

 [edit interfaces interface-name aggregated-ether-options] or
 [edit interfaces interface-name fastether-options] or
 [edit interfaces interface-name gigether-options]
 loopback;

By default, the router imposes flow control to regulate the amount of traffic sent out a Fast Ethernet or Gigabit Ethernet interface. This is useful if the remote side of the connection is a Fast Ethernet or Gigabit Ethernet switch. To disable flow control if you want the router to permit unrestricted traffic, include the no-flow-control statement:

 [edit interfaces interface-name aggregated-ether-options] or
 [edit interfaces interface-name fastether-options] or
 [edit interfaces interface-name gigether-options]
 no-flow-control;

By default, the router's management Ethernet interface, fxp0, autonegotiates whether to operate in full-duplex or half-duplex mode. Fast Ethernet interfaces can operate in either full-duplex or half-duplex mode, and all other interfaces can operate only in full-duplex mode. For Gigabit Ethernet, the link partner must also be set to full duplex. To explicitly configure an Ethernet interface to operate in either full-duplex or half-duplex mode, include the link-mode statement:

 [edit interfaces interface-name]
 link-mode (full-duplex | half-duplex);

On Fast Ethernet 12-port and 48-port PIC interfaces and the management Ethernet interface (fxp0) only, you can explicitly set the interface speed to either 10 Mbps or 100 Mbps by including the speed statement:

 [edit interfaces interface-name]
 speed (10m | 100m);

On Fast Ethernet 8-port, 12-port, and 48-port PIC interfaces only, you can apply port-based rate limiting to the ingress traffic that arrives at the PIC by including the ingress-rate-limit statement. rate can range in value from 1 through 100 Mbps.

 [edit interfaces interface-name fastether-options]
 ingress-rate-limit rate;

Configuring 802.1Q VLANs

For Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces, the JUNOS software supports a subset of the IEEE 802.1Q standard for channelizing an Ethernet interface into multiple logical interfaces, allowing many hosts to be connected to the same Gigabit Ethernet switch, but preventing them from being in the same routing or broadcast domain. The software supports receiving and forwarding routed Ethernet frames with 802.1Q Virtual Local Area Network (VLAN) tags and supports running VRRP over 802.1Q-tagged interfaces. To configure the router to receive and forward frames with 802.1Q VLAN tags, include the vlan-tagging statement:

 [edit interfaces interface-name]
 vlan-tagging;

Gigabit Ethernet interfaces can be partitioned; you can assign up to 4,095 different logical interfaces, one for each VLAN, but you are limited to a maximum of 1,024 VLANs on any single Gigabit Ethernet port. You can configure any VLAN ID in the range from 0 through 4,094. Fast Ethernet interfaces can also be partitioned, with a maximum of 1,024 logical interfaces for the four-port Fast Ethernet PIC and 16 logical interfaces for the M40e and M160 Fast Ethernet 48-port PIC.

To bind a VLAN ID to a logical interface, include the vlan-id statement:

 [edit interfaces interface-name unit logical-unit-number]
 vlan-id number;

Ethernet interfaces with VLAN tagging enabled can use VLAN circuit cross-connect (CCC) encapsulation. To configure the encapsulation on a physical interface, include the encapsulation vlan-ccc statement:

 [edit interfaces interface-name]
 encapsulation vlan-ccc;

Ethernet interfaces in VLAN mode can have multiple logical interfaces, but in CCC mode VLAN IDs from 0 through 511 are reserved for normal VLANs, and VLAN IDs from 512 through 4,095 are reserved for CCC VLANs.

In general, you configure an interface's encapsulation at the [edit interfaces interface-name] hierarchy level. However, for some encapsulation types, including Ethernet VLAN-CCC, you also can configure the encapsulation type that is used inside the VLAN circuit itself. To do this, include the following encapsulation statement:

 [edit interfaces interface-name unit logical-unit-number]
 encapsulation vlan-ccc;

You cannot configure a logical interface with an encapsulation of vlan-ccc unless you also configure the physical device with the same encapsulation. The logical interface must also have a VLAN ID in the range from 512 through 4,095; if the VLAN ID is 511 or lower, it is subject to the normal destination filter lookups in addition to source address filtering.

Configuring Static ARP Table Entries

For Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces, you can configure static ARP table entries, defining mappings between IP and MAC addresses. To do this, include the arp statement:

 [edit interfaces interface-name unit logical-unit-number family inet address address]
 arp ip-address (mac | multicast-mac) mac-address <publish>;

The IP address that you specify must be part of the subnet defined in the enclosing address statement. To associate a multicast MAC address with a unicast IP address, include the multicast-mac statement. Specify the MAC address as six hexadecimal bytes in one of the following formats: nnnn.nnnn.nnnn or nn:nn:nn:nn:nn:nn. For example, 0011.2233.4455 or 00:11:22:33:44:55. If you include the publish option, the router replies to ARP requests for the specified IP address. The JUNOS software does not support proxy ARP.

Configuring VRRP

For Ethernet, Fast Ethernet, and Gigabit Ethernet interfaces, you can configure the Virtual Router Redundancy Protocol (VRRP). VRRP allows hosts on a LAN to make use of redundant routers on that LAN without requiring more than the static configuration of a single default router on the hosts. The VRRP routers share the IP address corresponding to the default router configured on the hosts. At any time, one of the VRRP routers is the master (active), and the others are backups. If the master fails, one of the backup routers becomes the new master, thus always providing a virtual default router and allowing traffic on the LAN to be routed without relying on a single router.

VRRP is defined in RFC 2338, Virtual Router Redundancy Protocol.

To configure basic VRRP support, configure VRRP groups on an interface by including the following statements:

 [edit interfaces interface-name unit logical-unit-number family inet address address]
 vrrp-group group-number {
   virtual-address [ addresses ];
   priority number;
 }

An interface can be a member of one or more VRRP groups. For each group, you must configure the following:

  • Group number: Identifies the VRRP group. It can be a value from 0 through 255. If you also enable MAC source address filtering on the interface, you must include the virtual MAC address in the list of source MAC addresses that you specify in the source-address-filter statement. MAC addresses ranging from 00:00:5E:00:01:00 through 00:00:5E:00:01:FF are reserved for VRRP, as defined in RFC 2338. The VRRP group number must be the decimal equivalent of the last hexadecimal byte of the virtual MAC address.

  • Addresses of one or more virtual routers that are members of the VRRP group: Virtual IP addresses associated with the virtual router in the VRRP group. Normally, you configure only one virtual IP address per group. The virtual IP addresses must be the same for all routers in the VRRP group. In the addresses, specify the address only. Do not include a prefix length.

    If you configure a virtual IP address to be the same as the interface's address (the address configured with the address statement), the interface becomes the master virtual router for the group. In this case, you must configure the priority to be 255, and you must configure preemption by including the preempt statement. If you have multiple VRRP groups on an interface, the interface can be the master virtual router for only one of the groups.

    If the virtual IP address you choose is not the same as the interface's address, you must ensure that this address does not appear anywhere else in the router's configuration. Check that you do not use this address for other interfaces, for the IP address of a tunnel, or for the IP address of static ARP entries.

  • Priority for this router to become the master virtual router: Value used to elect the master virtual router in the VRRP group. It can be a number from 1 through 255. The default value for backup routers is 100. A larger value indicates a higher priority. The router with the highest priority within the group becomes the master router.

Within a single VRRP group, the master and backup routers cannot be the same router.

All VRRP protocol exchanges can be authenticated to guarantee that only trusted routers participate in the AS's routing. By default, VRRP authentication is disabled. You can configure simple authentication, which uses a text password included in the transmitted packet, or the MD5 algorithm, which creates the authentication data field in the IP authentication header that is used to encapsulate the VRRP protocol data unit (PDU). Each VRRP group must use the same method. To enable authentication and specify an authentication method, include the authentication-type statement:

 [edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-number]
 authentication-type authentication;

authentication can be none, simple, or md5. The authentication type must be the same for all routers in the VRRP group. If you include the authentication-type statement to select an authentication method, you can configure a key (password) on each interface by including the authentication-key statement. The key is an ASCII string. For simple authentication, it can be 1 through 8 characters long. For MD5 authentication, it can be 1 through 16 characters long. If you include spaces, enclose all characters in quotation marks (" "). The key must be the same for all routers in the VRRP group.

 [edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-number]
 authentication-key key;

By default, the master router sends VRRP advertisement packets every second to all members of the VRRP group. These packets indicate that the master router is still operational. If the master router fails or becomes unreachable, the backup router with the highest priority value becomes the new master router. To modify the time between the sending of VRRP advertisement packets, include the advertise-interval statement. The interval can range from 1 through 255 seconds. The interval must be the same for all routers in the VRRP group.

 [edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-number]
 advertise-interval seconds;

By default, a higher priority backup router preempts a lower priority master router. To explicitly allow the master router to be preempted, include the preempt statement:

 [edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-number]
 preempt;

To prohibit a higher priority backup router from preempting a lower priority master router, include the no-preempt statement. The router that owns the IP addresses associated with the virtual router always preempts, independent of the setting of this statement.

 [edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-number]
 no-preempt;

See "Configuring VRRP," on page 224.

VRRP can track whether an interface is up or down and dynamically change the priority of the VRRP group based on the state of the tracked interface, which might trigger a new master router election. When interface tracking is enabled, you cannot configure a priority of 255, thereby designating the master router. For each VRRP group, 1 through 10 interfaces can be tracked. To configure an interface to be tracked, include the track statement. The priority cost is the value to be subtracted from the configured VRRP priority when the tracked interface is down, forcing a new master router election. The cost can range from 1 through 254. The sum of the costs for all tracked interfaces or routes must be less than or equal to the configured priority of the VRRP group.

 [edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-number]
 track {
   interface interface-name priority-cost cost;
 }
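
The VRRP rules described above (virtual MAC in the source address filter, address-owner priority, track cost limits, key lengths) can be checked before a configuration is committed. The following Python check is an added example, not code from the book or from Juniper; the dict layout, function names, and sample values are assumptions constructed for illustration.

```python
import re

# The two MAC notations the page accepts: nn:nn:nn:nn:nn:nn and nnnn.nnnn.nnnn
MAC_FORMS = re.compile(
    r"[0-9a-f]{2}(:[0-9a-f]{2}){5}|[0-9a-f]{4}(\.[0-9a-f]{4}){2}", re.I)

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits so both notations compare equal."""
    if not MAC_FORMS.fullmatch(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return re.sub(r"[:.]", "", mac).lower()

def virtual_mac(group_number):
    """00:00:5E:00:01:xx, where xx is the VRRP group number in hexadecimal."""
    return f"00005e0001{group_number:02x}"

def check_vrrp_group(iface_addr, group, source_filtering=False, allowed_macs=()):
    """Check one vrrp-group (hypothetical dict layout) against the page's rules."""
    num, prio = group["number"], group.get("priority", 100)
    if not 0 <= num <= 255:
        return [f"group number {num} is outside 0-255"]
    findings = []
    if source_filtering and virtual_mac(num) not in map(normalize_mac, allowed_macs):
        findings.append("virtual MAC missing from source-address-filter")
    owner = False
    for va in group["virtual_addresses"]:
        if "/" in va:
            findings.append(f"virtual-address {va} must not carry a prefix length")
        owner = owner or va == iface_addr.split("/")[0]
    if owner and (prio != 255 or not group.get("preempt", False)):
        findings.append("address owner needs priority 255 and preempt")
    costs = list(group.get("track", {}).values())  # interface -> priority-cost
    if costs:
        if prio == 255:
            findings.append("priority 255 cannot be combined with track")
        if len(costs) > 10:
            findings.append("more than 10 tracked interfaces")
        if any(not 1 <= c <= 254 for c in costs):
            findings.append("priority-cost outside 1-254")
        if sum(costs) > prio:
            findings.append(f"track costs total {sum(costs)}, more than priority {prio}")
    auth = group.get("authentication_type", "none")
    key_limit = {"simple": 8, "md5": 16}.get(auth)
    if auth == "none":
        findings.append("authentication disabled")
    elif key_limit is None:
        findings.append(f"unknown authentication-type {auth}")
    elif not 1 <= len(group.get("authentication_key", "")) <= key_limit:
        findings.append(f"{auth} key must be 1-{key_limit} characters")
    return findings

# Constructed sample: interface 192.168.1.2/24 with source filtering enabled.
SAMPLE_GROUP = {"number": 10, "virtual_addresses": ["192.168.1.1"], "priority": 110,
                "authentication_type": "md5", "authentication_key": "constructed-key",
                "track": {"so-0/0/0": 20, "so-0/1/0": 100}}
SAMPLE_FILTER = ["0000.5e00.010a", "00:11:22:33:44:55"]

if __name__ == "__main__":
    print(check_vrrp_group("192.168.1.2/24", SAMPLE_GROUP, True, SAMPLE_FILTER))
```

In the constructed sample the filter list already contains the group 10 virtual MAC, so the only finding is that the two track costs add up to more than the configured priority.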

To trace VRRP operations, include the traceoptions statement. By default, VRRP logs the error, DCD configuration, and routing socket events in a file in the /var/log directory. By default, this file is named /var/log/vrrpd. The default file size is 1 MB, and three files are created before the first one gets overwritten. To change the configuration of the logging file, include the file statement:

 [edit protocols vrrp traceoptions]
 file {
   filename filename;
   files number;
   size size;
   (world-readable | no-world-readable);
 }
 flag flag;

For more information about tracing and global tracing options, see the JUNOS technical documentation.

You can specify the following VRRP tracing flags:

  • all: VRRP operations

  • database: Database changes

  • general: General events

  • interfaces: Interface changes

  • normal: Normal events

  • packets: All packets sent and received

  • state: State transitions

  • timer: Timer events

Configuring the Management Ethernet Interface

The router's management Ethernet interface, fxp0, is an out-of-band management interface. You must configure an IP address and prefix length for this interface, which you commonly do when you first install the software. You must configure the management Ethernet interface for the router to function.

 [edit]
 interfaces {
   fxp0 {
     unit 0 {
       family inet {
         address address/prefix-length;
       }
     }
   }
 }

Configuring the Internal Ethernet Interface

The router's internal Ethernet interface, fxp1, connects the Routing Engine with the System Control Board (SCB), System and Switch Board (SSB), Forwarding Engine Board (FEB), or Switching and Forwarding Module (SFM), depending on router model, in the Packet Forwarding Engine. The router software automatically configures this interface. Do not modify or remove the configuration for the internal Ethernet interface that the software automatically configures. If you do, the router will stop functioning.

 user@host> show configuration
 ...
 interfaces {
   ...
   fxp1 {
     unit 0 {
       family tnp {
         address 1;
       }
     }
   }
 }

Configuring Aggregated Ethernet Interfaces

Link aggregation of Ethernet interfaces is defined in the IEEE 802.3ad standard. The JUNOS implementation of 802.3ad balances traffic across the member links within an aggregated Ethernet bundle based on the Layer 3 information carried in the packet. This implementation uses the same load balancing algorithm as for per-packet load balancing. You configure an aggregated Ethernet virtual link by specifying the link number as a physical device and then associating a set of ports that have the same speed and are in full-duplex mode. The physical interfaces can be either Fast Ethernet or Gigabit Ethernet devices but must not intermix within the same aggregated link.

To specify aggregated Ethernet interfaces, include the vlan-tagging statement at the [edit interfaces aex] hierarchy level and also include the vlan-id statement:

 [edit interfaces]
 aex {
   vlan-tagging;
   unit 0 {
     vlan-id identifier;
     family inet {
       address address;
     }
   }
 }


Juniper Networks Field Guide and Reference
ISBN: 0321122445
EAN: 2147483647
Year: 2002
Pages: 185
