Creating a Data and Voice VLAN with SSH access
Setting up separate VLANs for data and voice is really quite simple. This will ensure traffic is somewhat segregated between the two. Polish your toes and hold onto your straps as we dive into this one;
This document is directed at Juniper's EX line and uses the pre-ELS Junos syntax (family ethernet-switching with port-mode, vlan.N routed interfaces and ethernet-switching-options voip).
Log in to the switch, type cli to get the operational-mode prompt and then configure to enter configuration mode;
First we need to create the vlans;
set vlans datavlan vlan-id 10
set vlans voicevlan vlan-id 20
Next, to speed things up, we create an interface range so one set of commands covers every port;
set interfaces interface-range range0 member-range ge-0/0/0 to ge-0/0/23
If you have a larger switch, or don't want all 24 ports in the range, adjust the member-range above.
Set the switch to trunk mode;
set interfaces interface-range range0 unit 0 family ethernet-switching port-mode trunk
Set the interface range to be a part of both VLANs (datavlan and voicevlan), with datavlan as the native (untagged) VLAN. Be aware that every port in the range is now a trunk carrying the voice VLAN tagged, so any device plugged into one of them can send 802.1Q frames tagged 20 and land on the voice VLAN; this separates the traffic, it does not control who gets onto either VLAN.
set interfaces interface-range range0 unit 0 family ethernet-switching vlan members voicevlan
set interfaces interface-range range0 unit 0 family ethernet-switching native-vlan-id datavlan
This is how I diced up my vlans;
root> show vlans
Name           Tag     Interfaces
datavlan       10
                       ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0,
                       ge-0/0/10.0, ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0,
                       ge-0/0/16.0*, ge-0/0/17.0, ge-0/0/18.0*, ge-0/0/19.0, ge-0/0/20.0, ge-0/0/21.0,
                       ge-0/0/22.0, ge-0/0/23.0
default
                       ge-0/0/0.0*, ge-0/0/1.0, ge-0/0/2.0*, ge-0/0/3.0
voicevlan      20
                       ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0,
                       ge-0/0/10.0, ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0,
                       ge-0/0/16.0*, ge-0/0/17.0, ge-0/0/18.0*, ge-0/0/19.0, ge-0/0/20.0, ge-0/0/21.0,
                       ge-0/0/22.0, ge-0/0/23.0
{master:0}
Once this is set up we need some way to gain remote access to the switch in case we need to add options or do some management. My first configuration of this created an interface on the default VLAN and used up a port (ge-0/0/0) to tie the MGMT interface (me0) into it. In the end that was wasting a port, and jontow came up with the approach below, which works really well and does not need me0 at all. It is in-band management over layer 2: the switch gets an address on the data VLAN and is reached through any data port;
First we need to enable SSH (the second line also enables NETCONF over SSH, TCP port 830, for automation tools; it is optional for interactive logins);
set system services ssh protocol-version v2
set system services netconf ssh
Once that is enabled we can give the switch an address on the native VLAN 10.
set interfaces vlan unit 10 family inet address 10.0.2.5/24
set vlans datavlan vlan-id 10 l3-interface vlan.10
set vlans default l3-interface vlan.0
(The hierarchy is vlans, not vlan. The third line is a leftover of the default-VLAN approach and is only useful if you also give interfaces vlan unit 0 an address; leave it out otherwise.)
That is it; you should be able to ping 10.0.2.5 (and SSH to it) from any working datavlan port. Keep in mind what that means: every host on the data VLAN can now reach the switch's SSH service, and until you add a named user and a filter on lo0, root with its password is the only account it can try.
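As an added example (not part of the original write-up), here is the hardening layer I would put on top of the in-band management just configured: a named admin user that logs in with an SSH key so root never does, limits on the SSH service, and a firewall filter on lo0 so that only a management host can open SSH or NETCONF to the switch itself. The user name netadmin, the public-key placeholder, the filter and counter names and the management host 10.0.2.10/32 are assumptions; substitute your own. Lines beginning with # are annotations, not configuration, so strip them before pasting.

```junos
# Named administrator with key-based login; root is kept for the console only.
set system login user netadmin class super-user
set system login user netadmin authentication ssh-rsa "ssh-rsa AAAA...replace-with-your-public-key netadmin@mgmt"

# Refuse root over SSH, keep SSHv2 only, and cap concurrent and new connections.
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 5

# Only the management host (assumed 10.0.2.10) may reach SSH (22) or NETCONF (830)
# on the switch. Other SSH/NETCONF attempts are counted and dropped.
set firewall family inet filter PROTECT-RE term mgmt-ssh from source-address 10.0.2.10/32
set firewall family inet filter PROTECT-RE term mgmt-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term mgmt-ssh from destination-port 830
set firewall family inet filter PROTECT-RE term mgmt-ssh then accept
set firewall family inet filter PROTECT-RE term drop-other-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term drop-other-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term drop-other-ssh from destination-port 830
set firewall family inet filter PROTECT-RE term drop-other-ssh then count ssh-rejected
set firewall family inet filter PROTECT-RE term drop-other-ssh then discard

# A lo0 input filter ends in an implicit discard, so everything else that is
# addressed to the switch (ICMP, ARP replies, archival/SCP return traffic) must
# be explicitly accepted or management breaks in other ways.
set firewall family inet filter PROTECT-RE term allow-rest then accept

# lo0 only sees traffic destined to the switch's own control plane, so the
# filter does not touch frames switched between ports.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

A wrong filter on lo0 locks you out, so apply it with commit confirmed 5 from the management host, open a second SSH session to prove you still get in, then commit again to make it permanent. show firewall filter PROTECT-RE shows the ssh-rejected counter, which is a cheap way to see whether anything on the data VLAN is probing the switch.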
Notes:
Since we will not be using the MGMT port we can silence its link-down alarm, and while we are at it save a rescue configuration, which clears the "rescue configuration is not set" alarm an EX raises until one exists;
- config mode:
set chassis alarm management-ethernet link-down ignore
- operational mode:
request system configuration rescue save
If you want this configuration to use the voip feature and LLDP-MED, convert the ports back to access mode on datavlan and let voip add the voice VLAN: the port stays an access port for the PC behind the phone, but accepts frames tagged with voicevlan from the phone. This needs protocols lldp and protocols lldp-med enabled on the ports (the factory-default EX configuration has interface all for both);
{master:0}[edit]
root# delete interfaces interface-range range0 unit 0 family ethernet-switching port-mode trunk
{master:0}[edit]
root# set interfaces interface-range range0 unit 0 family ethernet-switching port-mode access
{master:0}[edit]
root# delete interfaces interface-range range0 unit 0 family ethernet-switching vlan members voicevlan
{master:0}[edit]
root# set interfaces interface-range range0 unit 0 family ethernet-switching vlan members datavlan
{master:0}[edit]
root# delete interfaces interface-range range0 unit 0 family ethernet-switching native-vlan-id
{master:0}[edit]
root# set ethernet-switching-options voip interface range0 vlan voicevlan
{master:0}[edit]
root# set ethernet-switching-options voip interface range0 forwarding-class assured-forwarding
{master:0}[edit]
root# show | compare
[edit interfaces interface-range range0 unit 0 family ethernet-switching]
-    port-mode trunk;
+    port-mode access;
[edit interfaces interface-range range0 unit 0 family ethernet-switching vlan]
-    members voicevlan;
+    members datavlan;
[edit interfaces interface-range range0 unit 0 family ethernet-switching]
-    native-vlan-id datavlan;
[edit ethernet-switching-options]
+   voip {
+       interface range0 {
+           vlan voicevlan;
+           forwarding-class assured-forwarding;
+       }
+   }
NOTES:
I just want to note that if you find some phones are unwilling to accept LLDP payloads, there was a major bug in LLDP. Juniper has patched the bug, but keep in mind that you might need to go to an older Junos release. There are other hidden caveats with doing this, so be careful.
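As an added example (not from the original write-up), this is the LLDP side of the VoIP set-up followed by the checks that tell you a phone actually landed in the voice VLAN. The port ge-0/0/4 is assumed to be a phone port; the two set lines are harmless if a factory-default config already has them, and the show commands are operational mode, so they run after commit.

```junos
# Configuration mode: make sure LLDP and LLDP-MED run on the phone ports, since
# the voice VLAN (and later the CoS values) reach the phone in the LLDP-MED
# network policy TLV.
[edit]
root# set protocols lldp interface all
root# set protocols lldp-med interface all
root# commit
root# exit

# Operational mode. The phone should show up as a neighbour on its port; if it is
# missing here, nothing downstream (voice VLAN, DSCP) has been told to it.
root> show lldp neighbors

# The phone's MAC must be learned in voicevlan, not datavlan. A phone MAC that
# only appears in datavlan is tagging nothing and is treated like a PC.
root> show ethernet-switching table vlan voicevlan
root> show ethernet-switching table vlan datavlan

# The port should list datavlan untagged and voicevlan tagged, which is what the
# voip stanza adds to an access port.
root> show ethernet-switching interfaces ge-0/0/4

# Which ports voip has actually been applied to, and with which forwarding class.
root> show configuration ethernet-switching-options voip
```

If the phone is a neighbour but never appears in voicevlan, that is where the LLDP bug mentioned above shows itself: the switch advertises the VLAN and the phone ignores it, so check the phone's own VLAN setting before touching the switch.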
Automate some backups (the default route is there so the switch can reach the archive host when it is not on the data subnet; replace router-ip with your gateway). The archival password is stored in the configuration with Junos' reversible $9$ obfuscation, and the archived files contain the password hashes of every account on the switch, so use a dedicated, restricted account on the SCP server and lock down the archive directory;
set routing-options static route 0.0.0.0/0 next-hop router-ip
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "scp://junipersw@10.0.15.2:/home/junipersw/ctsw2" password "xxxxxx"
If the network has congestion problems, classify the voice traffic by DSCP (EF for media, CS5 for signalling) and put the media in a strict-high queue. The last line changes the voip forwarding class set earlier from assured-forwarding to voip-telephony so the phone traffic lands in that queue;
set class-of-service classifiers dscp voip forwarding-class voip-telephony loss-priority low code-points ef
set class-of-service classifiers dscp voip forwarding-class signalling loss-priority low code-points cs5
set class-of-service forwarding-classes class voip-telephony queue-num 2
set class-of-service forwarding-classes class signalling queue-num 1
set class-of-service interfaces ge-* scheduler-map scheduler-8q
set class-of-service interfaces ge-* unit 0 classifiers dscp voip
set class-of-service interfaces ge-* unit 0 rewrite-rules dscp re-voip
set class-of-service rewrite-rules dscp re-voip forwarding-class signalling loss-priority low code-point cs5
set class-of-service rewrite-rules dscp re-voip forwarding-class voip-telephony loss-priority low code-point ef
set class-of-service scheduler-maps scheduler-8q forwarding-class voip-telephony scheduler real-time
set class-of-service schedulers real-time transmit-rate percent 20
set class-of-service schedulers real-time priority strict-high
set ethernet-switching-options voip interface range0 forwarding-class voip-telephony
Just remember that with LLDP-MED the switch advertises the voice VLAN and the CoS values to the phone, so the phone must honour them (or be set by hand to mark media EF and signalling CS5); otherwise the dscp classifier never matches and the voice packets fall into the best-effort queue like everything else.