Qori Samsuri Firdaus
Ini adalah Qori Juara 1
Friday, June 3, 2016
Juniper dan Cisco Switch : Cara Konfigurasi VLAN
Hi all, para pembaca blog routecloud, atau barangkali yang lagi mampir mau nyari-nyari gimana ya caranya konfigurasi vlan perangkat juniper dan cisco switch. Sebetulnya untuk melakukan konfigurasi vlan di perangkat manapun, anda perlu memahami setidaknya konsep vlan itu seperti apa, atau kalo mau set vlan itu apa ja yang perlu diset? Nah pertanyaan ane itu anda seharusnya sudah mengerti. Klo belum paham silahkan ikut dan perhatikan gambar berikut ini
gimana bro, ada gambaran kira2, apa yang harus dilakukan jika diberi tugas seperti gambar diatas? mari kita lihat satu persatu. Jadi ada 2 device layer 2 (L2) yaitu switch juniper dan switch cisco. Cisco device punya interface Gig0/1 yang terhubung dengan device juniper dengan port ge-0/0/0 itu nanti akan diset jadi mode trunk alias vlan-id nya di tag di kedua port tersebut. Di device Cisco juga terdapat port Gig0/2 yang terhubung dengan sebuah PC itu portnya di set jadi mode access alias vlan di untag. Sama halnya dengan port ge-0/0/1 pada device juniper di set dengan mode access.
#Juniper
Step 1: Create VLAN
set vlans vlan100 vlan-id 100
set vlans vlan101 vlan-id 101
set vlans vlan201 vlan-id 200
set vlans vlan101 vlan-id 101
set vlans vlan201 vlan-id 200
Step 2 : Set interface ge-0/0/0 as trunk mode and tag vlan 100,101
cara 1: anda bisa tag langsung vlan-id
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 100
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 101
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 100
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 101
cara 2: atau anda bisa tag nama dari vlan-nya.
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan100
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan101
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan200
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan100
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan101
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan200
klo anda set native vlan begini cara nambahinnya.
set interfaces ge-0/0/0 unit 0 family ethernet-switching native-vlan-id vlan200
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan200
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan200
Loh kok ditambahin lagi ke vlan members, ya ini klo di juniper untuk native vlan itu opsional, artinya boleh dimasukin atau enggak, tapi sebaiknya dimasukkan klo menurut case yang pernah ane lakukan. Tapi nanti klo anda lakukan pada Cisco untuk native vlan harus dimasukin ke dalam vlam membernya.
Step 3: Configure interface ge-0/0/1 as access mode.
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan100
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan100
#Cisco
Step 1: Create VLAN
Switch>enable
Switch#configure terminal
Switch(config)#hostname SW-L2-CSCO
SW-L2-CSCO(config)#vlan 100
SW-L2-CSCO(config-vlan)#name vlan100
SW-L2-CSCO(config-vlan)#exit
SW-L2-CSCO(config)#vlan 101
SW-L2-CSCO(config-vlan)#name vlan101
SW-L2-CSCO(config-vlan)#exit
SW-L2-CSCO(config)#vlan 200
SW-L2-CSCO(config-vlan)#name vlan200
SW-L2-CSCO(config-vlan)#exit
Switch#configure terminal
Switch(config)#hostname SW-L2-CSCO
SW-L2-CSCO(config)#vlan 100
SW-L2-CSCO(config-vlan)#name vlan100
SW-L2-CSCO(config-vlan)#exit
SW-L2-CSCO(config)#vlan 101
SW-L2-CSCO(config-vlan)#name vlan101
SW-L2-CSCO(config-vlan)#exit
SW-L2-CSCO(config)#vlan 200
SW-L2-CSCO(config-vlan)#name vlan200
SW-L2-CSCO(config-vlan)#exit
Step 2: Configure interface Gig0/1 as mode trunk
SW-L2-CSCO(config)#int Gig0/1
SW-L2-CSCO(config-if)#switchport mode trunk
SW-L2-CSCO(config-if)#switchport trunk allowed vlan 100,101,200
SW-L2-CSCO(config-if)#switchport native vlan 200
SW-L2-CSCO(config-if)#exit
SW-L2-CSCO(config)#int Gig0/1
SW-L2-CSCO(config-if)#switchport mode trunk
SW-L2-CSCO(config-if)#switchport trunk allowed vlan 100,101,200
SW-L2-CSCO(config-if)#switchport native vlan 200
SW-L2-CSCO(config-if)#exit
Oke klo anda menggunakan device switch L3. Bisa anda lakukan dengan cara berikut.
SW-L2-CSCO(config)#int Gig0/0/1
SW-L2-CSCO(config-if)#switchport trunk encapsulation dot1q
SW-L2-CSCO(config-if)#switchport trunk allowed vlan 100,101,200
SW-L2-CSCO(config-if)#switchport native vlan 200
SW-L2-CSCO(config-if)#exit
SW-L2-CSCO(config-if)#switchport trunk encapsulation dot1q
SW-L2-CSCO(config-if)#switchport trunk allowed vlan 100,101,200
SW-L2-CSCO(config-if)#switchport native vlan 200
SW-L2-CSCO(config-if)#exit
Nah klo di cisco, yang bisa anda tag adalah vlan id nya, jadi klo juniper lebih fleksible. kemudian untuk native vlan di bagian trunk allow anda harus menyertakannya.
Step 3: Configure interface Gig0/1 as mode access
SW-L2-CSCO(config)#int Gig0/2
SW-L2-CSCO(config-if)#switchport mode access
SW-L2-CSCO(config-if)#switchport access vlan 100
SW-L2-CSCO(config-if)#switchport mode access
SW-L2-CSCO(config-if)#switchport access vlan 100
#Verification
#Cisco
show vlan brief
show interface trunk
show interface switchport
show vlan brief
show interface trunk
show interface switchport
#Juniper
show vlans
show configuration vlan
show interface terse
show vlans
show configuration vlan
show interface terse
#Best Practice
Yang anda lakukan diatas adalah best practice agar ketika anda atur vlan baik di cisco atau juniper dapat bekerja dengan baik hehe. Jadi apa point2nya, pertama saat anda melakukan set vlan di interface trunk anda bisa aja atur dengan vlan all, akan tetapi bagi saya tidak direkomendasikan, jadi anda harus tag satu persatu, fungsi lainnya biar network anda aman, anda juga tau network mana yang ingin dilewatkan. Nah ini sangat penting saat anda menangani network serive provider dengan ratusan dan ribuan network customer. Sangat tidak mungkin dan sangat tidak direkomendasikan anda melakukan set vlan all. Semoga bermanfaat 
Good Luck!
Transparent Mode Pada Juniper SRX
Transparent mode itu apa ya? Merupakan konsep untuk merubah perangkat juniper SRX menjadi sebuah switch L2. Loh emang SRX fungsinya apa? SRX meruapakan salah satu router firewall juniper, yang namanya router firewall itu memiliki fungsi security dan juga fungsi layer 3 (L3) seperti routing (static dan dynamic), NAT, IPSec VPN, dan lain-lain. Selanjutnya? Yang perlu anda bayangkan dan lakukan adalah memperlakukan perangkat juniper SRX layaknya sebuah switch L2 buakan lagi sebagai router firewall. Klo begitu silahkan perhatikan gambar berikut ini untuk lebih jelasnya.
Step implemntasi ini, anda hanya perlu fokus di perangkat SRX juniper.
Step 1:
Lakukan reset pada juniper SRX dan hapus semua konfigurasi yang ada di SRX. Untuk menghapus konfigurasi bisa anda lakukan dengan perintah delete. Selanjutnya adalah create password root dan atur service port untuk manajemen SRX.
Step 2:
Perhatikan gambar Core Switch SRX 240 diatas, port ge-0/0/0, ge-0/0/1, ge-0/0/03 itu diset sebagai trunnk, sedangkan untuk port ge-0/0/2 itu di set sebagai port access. ikuti step dan command dibawah ini.
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/3 vlan-tagging
command vlan-tagging di atas, supaya nanti interfacenya bisa dibagi ke subinterface atau lebih dari satu unit, dan dibawah juga terlihat kenapa disini saya menggunakan vlan-id-list, kerana dalam satu interface ada banyak vlan yang harus di tag.
set interfaces ge-0/0/0 native-vlan-id 1000
set interfaces ge-0/0/0 unit 1 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 1 family bridge vlan-id-list 2000
set interfaces ge-0/0/0 unit 2 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 2 family bridge vlan-id-list 2001
set interfaces ge-0/0/0 unit 3 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 3 family bridge vlan-id-list 2002
set interfaces ge-0/0/0 unit 4 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 4 family bridge vlan-id-list 2003
set interfaces ge-0/0/0 unit 5 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 5 family bridge vlan-id-list 2004
set interfaces ge-0/0/0 unit 6 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 6 family bridge vlan-id-list 2005
set interfaces ge-0/0/0 unit 7 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 7 family bridge vlan-id-list 2006
set interfaces ge-0/0/0 unit 8 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 8 family bridge vlan-id-list 1000
set interfaces ge-0/0/0 unit 1 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 1 family bridge vlan-id-list 2000
set interfaces ge-0/0/0 unit 2 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 2 family bridge vlan-id-list 2001
set interfaces ge-0/0/0 unit 3 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 3 family bridge vlan-id-list 2002
set interfaces ge-0/0/0 unit 4 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 4 family bridge vlan-id-list 2003
set interfaces ge-0/0/0 unit 5 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 5 family bridge vlan-id-list 2004
set interfaces ge-0/0/0 unit 6 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 6 family bridge vlan-id-list 2005
set interfaces ge-0/0/0 unit 7 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 7 family bridge vlan-id-list 2006
set interfaces ge-0/0/0 unit 8 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 8 family bridge vlan-id-list 1000
set interfaces ge-0/0/1 native-vlan-id 1000
set interfaces ge-0/0/1 unit 3 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 3 family bridge vlan-id-list 2003
set interfaces ge-0/0/1 unit 4 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 4 family bridge vlan-id-list 2004
set interfaces ge-0/0/1 unit 5 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 5 family bridge vlan-id-list 2005
set interfaces ge-0/0/1 unit 6 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 6 family bridge vlan-id-list 2006
set interfaces ge-0/0/1 unit 7 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 7 family bridge vlan-id-list 1000
set interfaces ge-0/0/1 unit 3 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 3 family bridge vlan-id-list 2003
set interfaces ge-0/0/1 unit 4 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 4 family bridge vlan-id-list 2004
set interfaces ge-0/0/1 unit 5 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 5 family bridge vlan-id-list 2005
set interfaces ge-0/0/1 unit 6 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 6 family bridge vlan-id-list 2006
set interfaces ge-0/0/1 unit 7 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 7 family bridge vlan-id-list 1000
set interfaces ge-0/0/3 native-vlan-id 1000
set interfaces ge-0/0/3 unit 1 family bridge interface-mode trunk
set interfaces ge-0/0/3 unit 1 family bridge vlan-id-list 2001
set interfaces ge-0/0/3 unit 2 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 2 family bridge vlan-id-list 2002
set interfaces ge-0/0/0 unit 3 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 3 family bridge vlan-id-list 1000
set interfaces ge-0/0/3 unit 1 family bridge interface-mode trunk
set interfaces ge-0/0/3 unit 1 family bridge vlan-id-list 2001
set interfaces ge-0/0/3 unit 2 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 2 family bridge vlan-id-list 2002
set interfaces ge-0/0/0 unit 3 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 3 family bridge vlan-id-list 1000
Barangkali anda akan bertanya mengapa setiap interface trunk, saya selalu memasukkan vlan native, di SRX untuk melewatkan vlan yang di tag, di interface perlu ada vlan native, meskipun anda tidak membutuhkan vlan tersebut, atau di switch yang terkoneksi dengan SRX tidak perlu anda create native vlan.
Berbeda dengan cara konfig interface mode trunk, untuk mode access anda hanya perlu menggunakan command vlan-id.
set interfaces ge-0/0/2 unit 0 family bridge interface-mode access
set interfaces ge-0/0/2 unit 0 family bridge vlan-id 2000
set interfaces ge-0/0/2 unit 0 family bridge vlan-id 2000
Step 3:
Lakukan konfigurasi bridge domain, klo pemahaman saya bridge domain disini sama dengan kita crea vlan di switch standar.
set bridge-domains ROUTECLOUD domain-type bridge vlan-id 2000
set bridge-domains ROUTECLOUD domain-type bridge vlan-id 2001
set bridge-domains ROUTECLOUD domain-type bridge vlan-id 2002
set bridge-domains ROUTECLOUD domain-type bridge vlan-id 2003
set bridge-domains ROUTECLOUD domain-type bridge vlan-id 2004
set bridge-domains ROUTECLOUD domain-type bridge vlan-id 2005
set bridge-domains ROUTECLOUD domain-type bridge vlan-id 2006
set bridge-domains ROUTECLOUD domain-type bridge vlan-id 2001
set bridge-domains ROUTECLOUD domain-type bridge vlan-id 2002
set bridge-domains ROUTECLOUD domain-type bridge vlan-id 2003
set bridge-domains ROUTECLOUD domain-type bridge vlan-id 2004
set bridge-domains ROUTECLOUD domain-type bridge vlan-id 2005
set bridge-domains ROUTECLOUD domain-type bridge vlan-id 2006
set bridge-domains NATIVE domain-type bridge vlan-id 1000
Step 4:
Meskipun SRX akan berfungsi layaknya sebuah switch, anda tetap bisa mengatur rule policynya. berikut gambarannya.
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/0.1
set security zones security-zone trust interfaces ge-0/0/0.2
set security zones security-zone trust interfaces ge-0/0/0.3
set security zones security-zone trust interfaces ge-0/0/0.4
set security zones security-zone trust interfaces ge-0/0/0.5
set security zones security-zone trust interfaces ge-0/0/0.6
set security zones security-zone trust interfaces ge-0/0/0.7
set security zones security-zone trust interfaces ge-0/0/0.8
set security zones security-zone trust interfaces ge-0/0/1.3
set security zones security-zone trust interfaces ge-0/0/1.4
set security zones security-zone trust interfaces ge-0/0/1.5
set security zones security-zone trust interfaces ge-0/0/1.6
set security zones security-zone trust interfaces ge-0/0/1.7
set security zones security-zone trust interfaces ge-0/0/3.1
set security zones security-zone trust interfaces ge-0/0/3.2
set security zones security-zone trust interfaces ge-0/0/3.3
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/0.1
set security zones security-zone trust interfaces ge-0/0/0.2
set security zones security-zone trust interfaces ge-0/0/0.3
set security zones security-zone trust interfaces ge-0/0/0.4
set security zones security-zone trust interfaces ge-0/0/0.5
set security zones security-zone trust interfaces ge-0/0/0.6
set security zones security-zone trust interfaces ge-0/0/0.7
set security zones security-zone trust interfaces ge-0/0/0.8
set security zones security-zone trust interfaces ge-0/0/1.3
set security zones security-zone trust interfaces ge-0/0/1.4
set security zones security-zone trust interfaces ge-0/0/1.5
set security zones security-zone trust interfaces ge-0/0/1.6
set security zones security-zone trust interfaces ge-0/0/1.7
set security zones security-zone trust interfaces ge-0/0/3.1
set security zones security-zone trust interfaces ge-0/0/3.2
set security zones security-zone trust interfaces ge-0/0/3.3
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone trust interfaces ge-0/0/2.0
Diatas saya create semua interface saya masukan kedalam satu zone. baru anda buat rule policy nya. dari zone trust ke trust.
set security policies from-zone trust to-zone trust policy P1 match source-address any
set security policies from-zone trust to-zone trust policy P1 match destination-address any
set security policies from-zone trust to-zone trust policy P1 match application any
set security policies from-zone trust to-zone trust policy P1 then permit
set security policies from-zone trust to-zone trust policy P1 match destination-address any
set security policies from-zone trust to-zone trust policy P1 match application any
set security policies from-zone trust to-zone trust policy P1 then permit
Loh kok trust ke trust, ya ini hasil production yang saya lakukan networknya gk mau dapat IP dari DHCP server, meskipun dalam satu zone. sebetulnya mau dibuat beda zone juga tidak masalah, intinya disini krena security tidak konsen lagi di SRX maka yang menjadi fokus adalah bagaimana network tersebut atau vlan-vlan tersebut bisa lewat melalui core switch SRX transparent mode.
Step 5:
Lakukan commit and-quit setalah itu lakukan reboot, dengan command request system reboot,. kenapa harus reboot, ya syaratnya harus di reboot, supaya menjadi switch.
Selamat mencoba. Klo ada pertanyaan silahkan comment dibawah
