Juniper EX IPv6 Layer 2 Security

Good news: the following layer 2 security features were added in the 13.2 release of Junos:

  • ND Inspection
  • DHCPv6 Snooping
  • RA Guard

We’re still running the recommended 12.3R6.6 in production at this time so we’re going to have to test the 13.2 features in the lab before putting them on production systems.
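As an added example (not from the original post, and untested for the same reason the post gives), here is how the first two of those features would be switched on for one VLAN on a legacy (non-ELS) EX, under the same ethernet-switching-options secure-access-port hierarchy that already holds DHCPv4 snooping in 12.3. The VLAN name employee-vlan, the uplink ge-0/0/47.0 and the use of the dhcp-trusted keyword for the DHCPv6 server side are assumptions to verify in the lab; RA Guard is left out because its statement should be taken from the 13.2 documentation rather than guessed here.

```junos
/* Added example, not from the original post. Names are assumptions. */
ethernet-switching-options {
    secure-access-port {
        /* Uplink toward the DHCPv6 server. Server messages (Advertise/Reply)
           are only accepted from trusted ports, so the uplink must be trusted
           and access ports must stay untrusted (the default). */
        interface ge-0/0/47.0 {
            dhcp-trusted;
        }
        vlan employee-vlan {
            /* DHCPv6 snooping: learn client bindings from the observed
               Solicit/Request/Reply exchange and drop server messages that
               arrive on untrusted ports (rogue DHCPv6 server protection). */
            examine-dhcpv6;
            /* ND inspection: check Neighbor Solicitations/Advertisements
               against the DHCPv6 snooping bindings, the IPv6 analogue of
               Dynamic ARP Inspection against the DHCP snooping table. */
            neighbor-discovery-inspection;
        }
    }
}
```

The lab check worth doing first: ND inspection validates against the DHCPv6 snooping binding table, so hosts that address themselves with SLAAC and never complete a DHCPv6 exchange have no binding and their ND traffic is a candidate for being dropped. Confirm how the release handles that before enabling it on a VLAN that mixes SLAAC and DHCPv6 clients.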

Junos Optical Power Display Bug

EX-2200 and EX-3300 series switches running 12.3R3.4 have a bug where the Receiver signal average optical power value does not display correctly. The recommended version that contains a fix for this bug is 12.3R4-S1. We’ve tested this update on a few switches and it resolved the bug.

12.3R3.4:

user@j33s> show interfaces diagnostics optics ge-0/1/0
Physical interface: ge-0/1/0
Laser bias current : 5.566 mA
Laser output power : 0.2820 mW / -5.50 dBm
Module temperature : 31 degrees C / 88 degrees F
Module voltage : 3.3680 V
Receiver signal average optical power : 0.0000 mW / - Inf dBm

12.3R4-S1:

user@j33> show interfaces diagnostics optics ge-0/1/0
Physical interface: ge-0/1/0
Laser bias current : 5.508 mA
Laser output power : 0.2810 mW / -5.51 dBm
Module temperature : 31 degrees C / 88 degrees F
Module voltage : 3.3680 V
Receiver signal average optical power : 0.2811 mW / -5.51 dBm

Blocking CDP in Junos

Cisco Discovery Protocol (CDP) is an invaluable protocol that was created to ease troubleshooting by providing remote device identification. On multi-vendor networks, the use of this proprietary protocol can cause headaches, as its frames may pass through non-Cisco equipment and falsely identify remote devices. We’ve instituted a standard to use the Link Layer Discovery Protocol (LLDP) instead of CDP.

To help clean up excess multicast traffic, we’ve applied the following filter on our Juniper devices that face Cisco equipment.

Lab Topology

Cisco Catalyst connected to an EX switch over a LACP connection. The filter gets applied to the native VLAN, which in my lab testing was VLAN 1.

Firewall Filter

Use the load merge terminal command to easily import the following filter. The count cdp-count action is optional and you may find that you have no use for it.

firewall {
    family ethernet-switching {
        filter block-cdp {
            term block-cdp {
                from {
                    destination-mac-address {
                        01:00:0c:cc:cc:cc/48;
                    }
                }
                then {
                    discard;
                    count cdp-count;
                }
            }
            term traffic-allow {
                then accept;
            }
        }
    }
}

Use the filter counters to confirm that the filter is being hit, or confirm by issuing a show cdp neighbors command on your Cisco devices.

root> show firewall filter block-cdp

Filter: block-cdp
Counters:
Name                                                Bytes              Packets
cdp-count                                            4760                   24
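The post names the native VLAN as the attachment point but does not show the statement that attaches the filter. The following is an added example (not from the original post) of the two ways to apply block-cdp on a legacy EX: to the VLAN itself, or to the LACP bundle facing the Catalyst. The VLAN name default (what an EX calls VLAN 1 out of the box) and the bundle name ae0 are assumptions for this lab topology.

```junos
/* Added example, not from the original post. Pick one of the two options. */

/* Option 1: filter the VLAN that carries the untagged (native) traffic. */
vlans {
    default {
        filter {
            input block-cdp;
        }
    }
}

/* Option 2: filter the LACP bundle toward the Catalyst. This catches CDP on
   every VLAN carried by the trunk, not just the native one. Trunk VLAN
   membership below is illustrative; keep your own. */
interfaces {
    ae0 {
        description "to Cisco Catalyst (assumed name)";
        aggregated-ether-options {
            lacp {
                active;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                native-vlan-id 1;
                vlan {
                    members all;
                }
                filter {
                    input block-cdp;
                }
            }
        }
    }
}
```

One caveat before rolling this out: 01:00:0c:cc:cc:cc is not CDP-specific. VTP, DTP, PAgP and UDLD are all Cisco SNAP protocols sent to the same group address, so this filter silently drops them too. That is usually what you want on a Juniper-facing port (the Cisco side should have switchport nonegotiate set and UDLD disabled on that link anyway), but check that nothing on the Cisco end depends on them. PVST+ BPDUs use 01:00:0c:cc:cc:cd and are not matched.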

Reserved IP Addresses in prefix-list Format

Use these with the load merge terminal command for easy cut-and-pasting in Junos.

policy-options {
    prefix-list localhost {
        127.0.0.1/32;
    }
    prefix-list martians-IPv4 {
        0.0.0.0/8;
        10.0.0.0/8;
        127.0.0.0/8;
        169.254.0.0/16;
        172.16.0.0/12;
        192.168.0.0/16;
    }
    prefix-list multicast {
        224.0.0.0/4;
    }
    prefix-list multicast-all-systems {
        224.0.0.1/32;
    }
    prefix-list rfc1918 {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
    }
    prefix-list martians-IPv6 {
        ::/96;
        ::1/128;
        fe80::/10;
        fec0::/10;
        ff00::/8;
        ff02::/16;
    }
    prefix-list other-bad-src-addrs-IPv6 {
        ::/128;
        ::ffff:0.0.0.0/96;
        ::ffff:10.0.0.0/104;
        ::ffff:127.0.0.0/104;
        ::ffff:172.16.0.0/108;
        ::ffff:192.168.0.0/112;
        ::ffff:224.0.0.0/100;
        ::ffff:240.0.0.0/100;
        ::ffff:255.0.0.0/104;
        2001:db8::/32;
        2002:0000::/24;
        2002:0a00::/24;
        2002:7f00::/24;
        2002:ac10::/28;
        2002:c0a8::/32;
        2002:e000::/20;
        2002:ff00::/24;
        3ffe::/16;
        fc00::/7;
    }
}
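Two places where the prefix lists above get consumed, as an added example that is not part of the original post: a bogon source-address filter on an Internet-facing interface, and a routing policy that refuses routes to reserved space from an external peer. The filter names bogon-in-v4 and bogon-in-v6, the policy name reject-bogon-routes and the interface ge-0/1/0 are assumptions for illustration. Do not apply martians-IPv4 or rfc1918 on a management path: if the switch is reached from RFC 1918 space, the filter locks you out.

```junos
/* Added example, not from the original post. Names are assumptions. */
firewall {
    family inet {
        filter bogon-in-v4 {
            /* A packet arriving from the Internet with a private, loopback,
               link-local or multicast source is spoofed or misrouted; drop it
               and keep a counter so the drop rate can be watched. */
            term drop-martian-sources {
                from {
                    source-prefix-list {
                        martians-IPv4;
                        multicast;
                    }
                }
                then {
                    count martian-src-v4;
                    discard;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
    family inet6 {
        filter bogon-in-v6 {
            /* martians-IPv6 is deliberately not referenced as a source list:
               it contains fe80::/10, and discarding link-local sources on a
               routed link breaks Neighbor Discovery with the peer. */
            term drop-bad-sources {
                from {
                    source-prefix-list {
                        other-bad-src-addrs-IPv6;
                    }
                }
                then {
                    count martian-src-v6;
                    discard;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/1/0 {
        description "Internet-facing uplink (assumed)";
        unit 0 {
            family inet {
                filter {
                    input bogon-in-v4;
                }
            }
            family inet6 {
                filter {
                    input bogon-in-v6;
                }
            }
        }
    }
}
policy-options {
    /* The same lists reused as a route filter: apply as an import policy on
       an EBGP neighbor so a peer can never hand us a route to private or
       reserved space. orlonger also rejects more-specifics. */
    policy-statement reject-bogon-routes {
        term v4 {
            from {
                prefix-list-filter martians-IPv4 orlonger;
            }
            then reject;
        }
        term v6 {
            from {
                prefix-list-filter other-bad-src-addrs-IPv6 orlonger;
            }
            then reject;
        }
    }
}
```

After a commit, show firewall filter bogon-in-v4 gives the same counter view as the CDP example above; a steadily climbing martian-src-v4 on an Internet edge is normal background noise, while a climbing counter on an internal link usually means a misconfigured device rather than an attack.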

802.3az Energy-Efficient Ethernet on Juniper EX3300 Switches

Unlike Cisco 2960-X switches, 802.3az does not come enabled by default on Juniper EX3300 models. Use ether-options ieee-802-3az-eee under the interface-range tree to enable this energy-saving protocol.

interfaces {
    interface-range WIRED_PORTS {
        member-range ge-0/0/0 to ge-0/0/47;
        ether-options {
            ieee-802-3az-eee;
        }
    }
}

When committing this option, we noticed around 8 seconds of connectivity loss for 96 wired connected hosts. Be careful when enabling this in a production setting.

Modifying the PoE Budget on Juniper EX2200-C Switches

While bringing up a number of Aruba 135 APs attached to a Juniper EX2200-C PoE+ switch, we noticed that only three of the seven APs were coming online. Given that the EX2200-C has an on-paper maximum PoE budget of 100W and the Aruba 135 is rated at 12.5W, we were confused as to why only three came up: seven would total 87.5W, well within the budget.

The show poe interface command showed a max power value of 30W per port, the full PoE+ allocation for a class 4 device, which explains the three: three ports at 30W reserve 90W of the 100W budget, leaving too little for a fourth. The behavior we saw on Juniper PoE switches is that the lowest-numbered ports get power first, so only the APs on ge-0/0/0, ge-0/0/1, and ge-0/0/2 powered up.

user@ex2200> show poe interface
Interface    Admin       Oper    Max        Priority       Power          Class
             status      status  power                     consumption
ge-0/0/0    Enabled      ON     30W      Low            7.5W            4
ge-0/0/1    Enabled      ON     30W      Low            7.5W            4
...

You can change the maximum-power value assigned to each port under the poe tree. Our solution was to set poe management to static and define a maximum-power value for our interface range, as seen here:

poe {
    management static;
    interface WIRELESS_ACCESS_PORTS {
        maximum-power 14.2;
    }
}

Confirming PoE allocation changes with the show poe interface command:

user@ex2200> show poe interface
Interface    Admin       Oper    Max        Priority       Power          Class
             status      status  power                     consumption
ge-0/0/0    Enabled      ON     14.2W      Low            7.5W            4
ge-0/0/1    Enabled      ON     14.2W      Low            7.5W            4
...

The Aruba datasheet states a maximum draw of 12.5W, but to allow for power loss in the cabling we set the value to 14.2W, which is the maximum we can assign per port and still power seven devices (7 x 14.2W = 99.4W). Typically in this building we only see a 7-10W draw, but we wanted to maximize the allotment.

Juniper JNCIA Training

This month I have begun my JNCIA training and hope to take the exam this Spring to further my professional development. I passed the CCNA in September of 2013 and started working with Juniper devices in October of 2013 so the Juniper world is relatively new to me.

I currently work with EX2200, 3300, and 4200 switches on a daily basis, so I hope that the majority of the material in the Juniper Enterprise Switching book will be review and will improve my proficiency with Junos. A few months ago I even added an EX2200-C to my home setup so I can get more experience with the OS.


So far I am amazed at the design of the Junos platform. The candidate configuration, rollback, and process isolation of the switching and routing daemons are very different from a Cisco device, where you are locked into the Cisco shell. I am beginning to see the power of the Juniper world.