Avaya Solution & Interoperability Test Lab

Application Notes for Configuring “Simply Connected Network for Unified Services and Collaboration” utilizing Aura® Telephony Environment – Issue 1.0

Abstract

These Application Notes describe the steps for configuring Juniper Networks “Simply Connected Enterprise network for Unified Services and Collaboration”.

The sample configuration presented in these Application Notes provides an IP Infrastructure to support Avaya Aura® Communication Manager, Avaya Aura® Session Manager, One-X Communicators, Avaya Flare and Avaya WiFi Phones.

Information in these Application Notes has been obtained through DevConnect compliance testing and additional technical discussions. Testing was conducted via the DevConnect Program at the Avaya Solution and Interoperability Test Lab.

CRK; Reviewed: Solution & Interoperability Test Lab Application Notes 1 of 103 SPOC 8/16/2012 ©2012 Avaya Inc. All Rights Reserved. Juniper-Data.doc

1. Introduction

These Application Notes describe the steps for configuring Juniper Networks “Simply Connected Enterprise network for Unified Services and Collaboration”. The sample configuration presented in these Application Notes provides an IP Infrastructure to support Avaya Aura® Communication Manager, Avaya Aura® Session Manager, One-X Communicators, Avaya Flare and WiFi Phones.

Juniper Networks “Simply Connected Network for Unified Services and Collaboration” provides a reference architecture for enterprises that wish to deploy Unified Communications (UC) services such as real-time voice, video and collaboration on a Juniper network. The architecture provides a converged IP Infrastructure to support the demands of UC on both the wired and wireless local area networks as well as across the WAN or public Internet.

This application note documents a tested configuration for running Avaya-based Unified Communications across a campus, large branch or small branch environment using Juniper Networks EX-Series PoE Ethernet Switches, Branch SRX-Series Security Gateways and WLC/WLA-Series Wireless Controllers and Access Points. The environment was tested using Avaya Aura® Communication Manager, Avaya Aura® Session Manager, various 9600-Series endpoints, Avaya one-X® Communicator, Avaya Flare and Avaya wireless endpoints.

1.1. Highlights

The sample network provided in these Application Notes implements the following features to provide a reliable and robust converged network for unified communications.

Quality of Service
QoS is required in converged networks to prioritize real-time, latency-sensitive traffic such as voice or video over other enterprise or Internet-destined traffic that does not have such a strict real-time requirement. The design uses DSCP-based classification from the UC endpoints to provide 5 levels of service.

Chassis Clustering
UC requires an always-on network with high-9s uptime. Deploying redundant devices in a Chassis Cluster to provide additional device-level resiliency in the event of a failure can ensure this. The design uses VirtualChassis Clustering on EX-Series Switches, which allows you to extend a single switching infrastructure across up to 10 physical switches, in addition to providing sub-second failover of both forwarding and routing engines. The campus and large branch designs use SRX Clustering, which provides for stateful failover of IP and VPN traffic between two SRX Devices. This ensures rapid failover times without impacting existing sessions or VPNs in the event of a failure of an SRX device.

Link Aggregation
To provide additional active paths between the access switch and the core switch, Link Aggregation (LAG) was used in the campus design. LAG links provide additional bandwidth and redundancy by load-balancing traffic at Layer 2 across all active links. If a link or device fails, LACP automatically detects this failure and re-directs traffic over the other links, providing for sub-second failover. LAG was also used between the access switch and the core firewall in the large branch configuration to provide additional link-redundancy and sub-second failover between the access layer and firewall layer.

Redundant WAN Interfaces / VPN Tunnels
Redundant WAN interfaces on the SRX series, as well as multihoming with more than one service provider, dramatically increase the reliability of the connection between a branch and the centralized locations from which the UC service is provided. Adding redundant interfaces allows you to preserve the full UC user experience in the event of an outage, without deploying a separate survivable branch service and dedicated PSTN connections at each branch. Examples for this approach include a managed service provider WAN with Internet access as a backup, or a DSL broadband connection to the Internet with a wireless WAN (3G/4G/LTE) connection for backup.

LLDP-MED / Voice-VLAN Assignment
Most enterprises wish to connect IP Phones to the network without any special switchport configuration; LLDP-MED helps facilitate that by identifying the type of device connected to the network, and assigning the Voice VLAN to media endpoint devices such as IP phones, video phones and conferencing systems. This eliminates the need for static port configurations on access switches for UC devices.

DHCP Server with Options
The JunOS DHCP Server was used to provide IP address assignment and custom DHCP options to Avaya endpoints. This simplified provisioning by allowing new or factory-default devices to boot up and obtain their initial configuration from the Avaya provisioning server by passing a custom DHCP options message.

Wireless Multi-Media (WMM)
WMM provides bandwidth allocation for voice and video traffic across the wireless LAN. Bandwidth can be allocated as a percentage of total bandwidth for voice or video calls, and call admission control can be enforced at the WLC controller. The UC Endpoints must support WMM.

Application-Layer Gateways (ALGs)
SIP and H323 traffic traversing a firewall requires special consideration. ALGs help facilitate the opening and closing of pinholes as the protocol requires. For example, when a SIP INVITE is responded to, the corresponding RTP pinholes must be opened in the stateful firewall. When the SIP BYE message is received, the pinholes must be closed for that session. This allows the firewall to dynamically allocate sessions for corresponding RTP flows for both SIP and H323 traffic traversing the device.
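
The pinhole lifecycle described above, as an added example that is not part of the original Application Notes: a simplified Python model, not the Junos ALG implementation, that reads the SDP in an INVITE and its 200 OK, opens RTP and RTCP pinholes for both endpoints, and closes them on BYE. The class and function names, the SIP messages and the addresses are constructed for illustration, and RTCP is assumed to use the RTP port plus one.

```python
# Added example: simplified model of SIP ALG pinhole handling (not Junos code).
import re

CRLF = "\r\n"


def sip(start_line, call_id, cseq, sdp=None):
    """Build a minimal SIP message (constructed sample, headers trimmed)."""
    body = CRLF.join(sdp) + CRLF if sdp else ""
    head = [start_line, f"Call-ID: {call_id}", f"CSeq: {cseq}",
            f"Content-Length: {len(body)}"]
    return CRLF.join(head) + CRLF + CRLF + body


class SipAlgModel:
    """Opens RTP/RTCP pinholes when an INVITE is answered, closes them on BYE."""

    def __init__(self):
        self.offers = {}    # Call-ID -> (ip, port) from the INVITE's SDP offer
        self.pinholes = {}  # Call-ID -> set of (dst_ip, dst_port) allowed

    @staticmethod
    def _parse(msg):
        head, _, body = msg.partition(CRLF + CRLF)
        lines = head.split(CRLF)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        addr = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        port = re.search(r"^m=audio (\d+) ", body, re.M)
        media = (addr.group(1), int(port.group(1))) if addr and port else None
        return lines[0], headers, media

    def process(self, msg):
        start, headers, media = self._parse(msg)
        call_id = headers.get("call-id")
        method = headers.get("cseq", "").split()[-1:]  # e.g. ["INVITE"]
        if start.startswith("INVITE ") and media:
            self.offers[call_id] = media
        elif start.startswith("SIP/2.0 200") and method == ["INVITE"] and media:
            offer = self.offers.pop(call_id, None)
            if offer:  # ignore answers to INVITEs the model never saw
                # Assumption: RTCP uses RTP port + 1 (no a=rtcp attribute).
                self.pinholes[call_id] = {
                    (ip, p) for ip, port in (offer, media) for p in (port, port + 1)
                }
        elif start.startswith("BYE "):
            self.offers.pop(call_id, None)
            self.pinholes.pop(call_id, None)

    def allows(self, dst_ip, dst_port):
        """True if an open pinhole admits a packet to dst_ip:dst_port."""
        return any((dst_ip, dst_port) in holes for holes in self.pinholes.values())


def demo():
    """Run one constructed call through the model; return the state per step."""
    # Constructed addresses: a Large Branch phone and a Main Campus phone.
    branch, campus = "192.168.216.50", "192.168.1.20"
    offer = ["v=0", f"c=IN IP4 {branch}", "m=audio 2050 RTP/AVP 18"]
    answer = ["v=0", f"c=IN IP4 {campus}", "m=audio 2060 RTP/AVP 18"]
    alg = SipAlgModel()
    states = {}
    alg.process(sip(f"INVITE sip:2001@{campus} SIP/2.0", "call-1", "1 INVITE", offer))
    states["after_invite"] = alg.allows(campus, 2060)
    alg.process(sip("SIP/2.0 200 OK", "call-1", "1 INVITE", answer))
    states["after_200"] = alg.allows(campus, 2060) and alg.allows(branch, 2050)
    states["rtcp"] = alg.allows(branch, 2051)
    states["other_port"] = alg.allows(branch, 2052)
    alg.process(sip(f"BYE sip:2001@{campus} SIP/2.0", "call-1", "2 BYE"))
    alg.process(sip("SIP/2.0 200 OK", "call-1", "2 BYE"))  # must not reopen
    states["after_bye"] = alg.allows(campus, 2060) or alg.allows(branch, 2050)
    return states


if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step:12} {allowed}")
```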

2. General Test Approach and Test Results

All test cases were performed manually. The general approach was to place various types of calls (SIP, H.323, wireless, oneX-Communicator w/ video, and Flare) to and from stations through the VPN tunnel. For feature testing, the types of calls included inbound and outbound calls through the VPN tunnel, transferred calls, conference calls, MWI and voicemail. For serviceability testing, failures such as cable pulls and resets were applied. All test cases passed.

Note: All Juniper devices were preconfigured by a Juniper engineer before the actual test. The configuration notes for the Juniper devices were provided by the Juniper engineer and are included in the Appendix.

2.1. Interoperability Compliance Testing

The interoperability compliance test included feature and serviceability testing. The feature testing evaluated the VPN tunnel between SRXs with inbound, outbound, transfer, conference, MWI, and voicemail. The serviceability testing introduced failure scenarios to see if Juniper devices could resume operating after failure recovery. The following features were tested:

1) VPN Failover
2) Wireless through VPN tunnel
3) Wireless Roaming
4) Link Level Resiliency
5) Device Level Resiliency
6) Quality of Service end to end
7) POE / LLDP-MED / Voice VLAN

DevConnect Compliance Testing is conducted jointly by Avaya and DevConnect members. The jointly-defined test plan focuses on exercising APIs and/or standards-based interfaces pertinent to the interoperability of the tested products and their functionalities. DevConnect Compliance Testing is not intended to substitute full product performance or feature testing performed by DevConnect members, nor is it to be construed as an endorsement by Avaya of the suitability or completeness of a DevConnect member’s solution.

2.2. Test Results

All test cases were executed and verified.

2.3. Support

Technical support on Juniper Network devices can be obtained through the following:
Phone: (888) 314-5822
Web: http://www.juniper.net/support/requesting-support.html

3. Reference Configuration

The sample network implemented for these Application Notes is shown in Figure 1 and Figure 2. Three office locations are included: a “Campus”, a “Large Branch” and a “Small Branch”.

The Main Campus consists of two Juniper SRX240s, named “SRX240-A” and “SRX240-B”, operating in a chassis cluster and functioning as perimeter security devices and IPSec VPN head-ends. The Juniper Networks SRX Cluster connects to a Juniper EX4500 Virtual Chassis, named “EX4500-A” and “EX4500-B”, which provides core switching and routing within the campus, acts as the default route for all LAN endpoints and offers DHCP Services. EX3300 Switches, “EX3200-A” and “EX3200-B”, operate as Layer 2 access switches for connecting UC servers and UC endpoints to the campus environment. These devices run PoE and LLDP-MED services to identify UC endpoints and automatically assign them to the Voice VLAN.

For the wireless infrastructure, “WLC800-Campus” provides wireless controller functionality within the campus environment. It managed two APs, “WLC421-A” and “WLC421-B”, in a single mobility domain to provide seamless roaming within the enterprise. Two SSIDs were used: one for user traffic and a separate one for UC traffic.

The Avaya S8710 Media Server and Avaya G650 Media Gateway are also located at the main campus, on the Voice VLAN, connected directly to the EX4500 Core switch. The main campus is mapped to Network Region 1 in Avaya Aura® Communication Manager.

Small Branch consists of a single SRX210 Security Gateway, “SRX210-A”, which provides routing, security and PoE-enabled switching for the small office location. Two WAN connections provide additional resiliency for the small branch in the event of a failure of a single WAN connection; UC services are automatically re-routed to the second WAN connection without losing connectivity and without any call drops. This provides a superior mechanism for Branch office survivability and eliminates the need for PSTN failover in environments with redundant WAN connectivity options. The Small Branch is mapped to Network Region 3 in Avaya Communication Manager.

Large Branch consists of a cluster of SRX240 Security Gateways, “SRX240-C” and “SRX240-D”, which provide security, VPN termination, and LAN/WAN routing within the large branch. WAN routing is provided across redundant WAN links, while LAN connectivity is accomplished through a fully meshed LAG group to the EX-Series Access Switches, “EX3300-C” and “EX3300-D”, which provide Layer 2 connectivity, PoE and LLDP-MED services for UC endpoints. “WLC800R-Branch” provides wireless LAN controller functionality for the large branch and manages two APs, “WLC421-C” and “WLC421-D”. These APs are connected to separate access layer devices. The large branch is mapped to Network Region 2 in Avaya Aura® Communication Manager.

WAN Connectivity / VPN Design: Each location has two Layer 3 WAN connections from separate providers. All traffic between sites is encrypted in IPSec tunnels, and one IPSec tunnel is created for each WAN connection. VPN Monitoring is used to monitor the tunnel status and re-route traffic to an alternate tunnel/WAN connection within 3 seconds in the event of a failure.

VPN Failover is stateful on SRX Devices, which means in the event of such a failure voice and video calls will not be impacted, and no calls will be dropped.
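
The IKE and IPsec proposals that protect these tunnels, and the management services on the same gateways, are part of the SRX240 configuration in the Appendix. As an added example (not part of the original Application Notes and not a Juniper tool), the Python below parses an excerpt of that configuration and lists statements that current practice treats as weak; the function names and the rule set are this example's own.

```python
# Added example: audit an excerpt of the Appendix SRX240 configuration for
# settings that weaken the management plane and the IPsec tunnels.
import re

# Excerpt copied from the Appendix; secrets and unrelated statements are left
# out and short stanzas are condensed onto one line.
SRX_EXCERPT = """
system {
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http { interface vlan.0; }
            https { system-generated-certificate; interface vlan.0; }
        }
    }
}
security {
    ike {
        proposal UniSvces-Prop {
            authentication-method pre-shared-keys;
            dh-group group1;
            authentication-algorithm md5;
            encryption-algorithm aes-128-cbc;
        }
        gateway gw-LgBranch {
            address 192.168.2.126;
            version v1-only;
        }
    }
    ipsec {
        proposal UnifSvcesIPSecProp {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm aes-128-cbc;
        }
    }
    policies {
        default-policy { permit-all; }
    }
}
"""

TOKEN = re.compile(r'"[^"]*"|##[^\n]*|[{};]|[^\s{};"]+')
WEAK_DH = {"group1", "group2", "group5"}   # all below 2048 bits
MD5_AUTH = {"md5", "hmac-md5-96"}
CLEARTEXT = {("system", "services", "telnet"),
             ("system", "services", "xnm-clear-text")}


def flatten(config):
    """Return every leaf statement as a tuple of words, containers first."""
    stack, words, leaves = [], [], []
    for tok in TOKEN.findall(config):
        if tok.startswith("##"):      # annotations such as ## SECRET-DATA
            continue
        if tok == "{":
            stack.append(words)
            words = []
        elif tok == "}":
            if not stack:
                raise ValueError("unbalanced '}' in configuration")
            stack.pop()
            words = []
        elif tok == ";":
            leaves.append(tuple(w for frame in stack for w in frame) + tuple(words))
            words = []
        else:
            words.append(tok)
    if stack:
        raise ValueError("unclosed '{' in configuration")
    return leaves


def audit(config):
    """Return [(statement, reason)] for each weak setting found."""
    findings = []
    for leaf in flatten(config):
        key, value = leaf[-2:-1], leaf[-1:]
        if leaf[:3] in CLEARTEXT:
            reason = "management service sends credentials in cleartext"
        elif leaf[:4] == ("system", "services", "web-management", "http"):
            reason = "web management offered over cleartext HTTP"
        elif key == ("dh-group",) and value[0] in WEAK_DH:
            reason = "Diffie-Hellman group below 2048 bits"
        elif key == ("authentication-algorithm",) and value[0] in MD5_AUTH:
            reason = "MD5-based integrity algorithm is deprecated"
        elif key == ("version",) and value == ("v1-only",):
            reason = "gateway restricted to IKEv1"
        elif leaf[-3:] == ("policies", "default-policy", "permit-all"):
            reason = "traffic not matched by any policy is permitted"
        else:
            continue
        findings.append((" ".join(leaf), reason))
    return findings


if __name__ == "__main__":
    for stmt, reason in audit(SRX_EXCERPT):
        print(f"{stmt}: {reason}")
```

Which stronger values can replace the flagged ones depends on what the installed JunOS release supports.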

Table 1 summarizes the Network Region IP address mappings.

Network Region   IP Address Range    Juniper SSG   Office
1                192.168.0.0/17      -             Main Campus
2                192.168.216.0/21    A             Large Branch
3                192.168.232.0/22    B             Small Branch

Table 1 – Network Region Mappings

The following figures show the tested environment:
Figure 1 – Avaya Configuration
Figure 2 – Juniper Networks Configuration

Figure 1: Avaya Configuration

Figure 2: Juniper Networks Configuration

4. Equipment and Software Validated

Table 2 lists the equipment and software/firmware versions used in the sample configuration provided.

Device Description                                         Versions Tested
Avaya Aura® Communication Manager on Avaya S8300D Server   6.0.1(R016x.00.1.510.1)
Avaya Aura® Session Manager                                6.1.5
Avaya Aura® System Manager                                 6.1.5
Avaya 9600-Series H.323 Telephones                         3.1
Avaya 9600-Series SIP Telephones                           2.6.2
Avaya A175 Desktop Video Device (Flare)                    1.0.2
Avaya 3641 WiFi Phones                                     117 056
Juniper Networks SRX240                                    JunOS 11.4r1.6
Juniper Networks SRX210                                    JunOS 11.4r.16
Juniper Networks EX4500                                    JunOS 11.4r1.6
Juniper Networks EX3300                                    JunOS 11.4r.16
Juniper Networks WLC800R                                   WLC Version 7.6.2.3.0

Table 2 – Equipment and Software Validated

5. Avaya Aura® Communication Manager Configuration

All the commands discussed in this section are executed on Avaya Communication Manager using the System Access Terminal (SAT). This section assumes that basic configuration on Avaya Communication Manager has been already completed.

5.1. VPNremote Phone Configuration

An Avaya VPNremote Phone is configured the same as other IP telephones within Avaya Communication Manager. Even though the Avaya VPNremote Phone is physically located outside of the corporate network, the Avaya VPNremote Phone will behave the same as other Avaya IP telephones located locally on the corporate LAN once the VPN tunnel has been established.

For additional information regarding Avaya Communication Manager configuration, consult Administering Avaya Aura™ Communication Manager.

5.2. IP Codec Sets Configuration

These Application Notes utilize the G.711 codec for the main campus location (Network Region 1) and the G.729 codec for the remote office locations with Avaya VPNremote Phones deployed. The high compression of the G.729 codec accommodates the limited bandwidth of the remote office WAN connection (i.e. DSL or Cable).

For more information on configuring codecs, please consult the Setting WAN Bandwidth Limits between Network Regions section of Administering Avaya Aura™ Communication Manager.

Enter the change ip-codec-set 1 command to define the G.711 codec as shown below.

change ip-codec-set 1                                        Page 1 of 2

                          IP Codec Set

    Codec Set: 1

    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.711MU           n         2        20
 2:
 3:

Enter the change ip-codec-set 2 command to define the G.729 codec as shown below.

change ip-codec-set 2                                        Page 1 of 2

                          IP Codec Set

    Codec Set: 2

    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.729             n         3        30
 2:
 3:

Enter the list ip-codec-set command to verify the codec assignments.

list ip-codec-set

                          IP CODEC SETS

Codec
Set    Codec 1    Codec 2    Codec 3    Codec 4    Codec 5

  1    G.711MU
  2    G.729
  3    G.711MU
  4    G.711MU

5.3. IP Network Map Configuration

Use the change ip-network-map command to define the IP addresses mapped to Network Region 2 and 3 as shown below. Refer to Table 1 – Network Region Mappings and Figure 2: Physical Network in Section 2.

change ip-network-map                                        Page 1 of 32
                         IP ADDRESS MAPPING

                                                             Emergency
                                      Subnet                 Location
 From IP Address  (To IP Address      or Mask)  Region VLAN  Extension
 192.168.216.1     .   .   .          24        2      n
 192.168.232.1     .   .   .          24        3      n
    .   .   .      .   .   .                           n
    .   .   .      .   .   .                           n

5.4. IP Network Regions Configuration

Use the change ip-network-region 1 command to configure Network Region 1 parameters. Configure the highlighted fields shown below. All remaining fields can be left as default.

Select a descriptive name for Name. Intra-region and Inter-region IP-IP Direct Audio determine the flow of RTP audio packets. Setting these to yes allows the most efficient audio path to be taken. Codec Set 1 is used for Network Region 1 as described in Section 5.2.

change ip-network-region 1                                   Page 1 of 19
                          IP NETWORK REGION
  Region: 1
Location: 1          Authoritative Domain: avaya.com
    Name: Main Campus
MEDIA PARAMETERS                  Intra-region IP-IP Direct Audio: yes
      Codec Set: 1                Inter-region IP-IP Direct Audio: yes
   UDP Port Min: 2048                       IP Audio Hairpinning? y
   UDP Port Max: 3327
DIFFSERV/TOS PARAMETERS                   RTCP Reporting Enabled? y
 Call Control PHB Value: 46       RTCP MONITOR SERVER PARAMETERS
        Audio PHB Value: 46         Use Default Server Parameters? y
        Video PHB Value: 26
802.1P/Q PARAMETERS
 Call Control 802.1p Priority: 6
        Audio 802.1p Priority: 6
        Video 802.1p Priority: 5  AUDIO RESOURCE RESERVATION PARAMETERS
H.323 IP ENDPOINTS                                    RSVP Enabled? n
  H.323 Link Bounce Recovery? y
 Idle Traffic Interval (sec): 20
   Keep-Alive Interval (sec): 5
            Keep-Alive Count: 5
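
The PHB values on this form are the DSCP markings that the SRX240 classifier in the Appendix has to recognise. As an added example (not part of the original Application Notes), the Python below parses that classifier, copied from the Appendix, and reports the forwarding class each Communication Manager PHB value matches; the function names are this example's own. It checks only the classifier's explicit entries: code points without one are left to "import default", and the input filter UC in the same configuration can also assign a forwarding class.

```python
# Added example: which forwarding class does each Communication Manager PHB
# value match in the SRX240 DSCP classifier from the Appendix?
import re

# Copied from the class-of-service stanza of the SRX240 configuration.
CLASSIFIER = """
dscp ezqos-dscp-classifier {
    import default;
    forwarding-class ezqos-voice-fc {
        loss-priority low code-points 101110;
    }
    forwarding-class ezqos-control-fc {
        loss-priority low code-points 100000;
        loss-priority high code-points 110000;
    }
    forwarding-class ezqos-video-fc {
        loss-priority low code-points [ 100010 001010 ];
        loss-priority high code-points [ 100100 100110 ];
    }
    forwarding-class ezqos-busapp-fc {
        loss-priority low code-points [ 010010 010100 ];
        loss-priority high code-points 010110;
    }
}
"""

# DIFFSERV/TOS PARAMETERS on the ip-network-region 1 form.
CM_PHB = {"Call Control": 46, "Audio": 46, "Video": 26}


def dscp_name(value):
    """Name a 6-bit DSCP value (EF, AFxy, CSx), else return the number."""
    if value == 46:
        return "ef"
    cls, low = value >> 3, value & 0b111
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"af{cls}{low >> 1}"
    if low == 0:
        return f"cs{cls}"
    return str(value)


def parse_classifier(text):
    """Return {dscp_value: (forwarding_class, loss_priority)} for explicit entries."""
    table, current = {}, None
    for line in map(str.strip, text.splitlines()):
        fc = re.match(r"forwarding-class (\S+) \{", line)
        if fc:
            current = fc.group(1)
            continue
        cp = re.match(r"loss-priority (\S+) code-points \[?([01 ]+)\]?;", line)
        if cp and current:
            for bits in cp.group(2).split():
                table[int(bits, 2)] = (current, cp.group(1))
    return table


def cross_check(phb_values, table):
    """Return [(traffic, dscp, name, forwarding_class, loss_priority)];
    the last two are None when the classifier has no explicit entry."""
    rows = []
    for traffic, phb in phb_values.items():
        fc, lp = table.get(phb, (None, None))
        rows.append((traffic, phb, dscp_name(phb), fc, lp))
    return rows


if __name__ == "__main__":
    for traffic, phb, name, fc, lp in cross_check(CM_PHB, parse_classifier(CLASSIFIER)):
        target = f"{fc} (loss-priority {lp})" if fc else "no explicit entry"
        print(f"{traffic:13} DSCP {phb:2} ({name}): {target}")
```

With the values on this page, Call Control and Audio (DSCP 46, EF) both match ezqos-voice-fc, while Video (DSCP 26, AF31) matches none of the classifier's explicit code points.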

Page 3 of the IP-Network-Region form defines the codec set to use for intra-region and inter-region calls. Avaya VPNremote Phones are mapped to Region 2 or 3. Calls within IP Network Region 1 use Codec Set 1 (G.711MU) while calls from IP Network Region 1 to IP Network Region 2 or 3 use Codec Set 2 (G.729).

change ip-network-region 1                                   Page 3 of 19

              Inter Network Region Connection Management

 src  dst  codec  direct                                       Dynamic CAC
 rgn  rgn  set    WAN     WAN-BW-limits  Intervening-regions   Gateway      IGAR
 1    1    1
 1    2    2      y       :NoLimit                                          n
 1    3    2      y       :NoLimit                                          n
 1    4

Enter the change ip-network-region 2 command to configure Network Region 2 parameters. Configure the highlighted fields shown below. All remaining fields can be left as default.

change ip-network-region 2                                   Page 1 of 19
                          IP NETWORK REGION
  Region: 2
Location:            Authoritative Domain:
    Name: VPN Users – SSG A
MEDIA PARAMETERS                  Intra-region IP-IP Direct Audio: yes
      Codec Set: 2                Inter-region IP-IP Direct Audio: yes
   UDP Port Min: 2048                       IP Audio Hairpinning? y
   UDP Port Max: 3028

Page 3 defines the codec set to use for intra-region and inter-region calls. All calls from IP Network Region 2 will use the G.729 codec as defined by the IP Codec Set in Section 5.2.

change ip-network-region 2                                   Page 3 of 19

              Inter Network Region Connection Management

 src  dst  codec  direct                                       Dynamic CAC
 rgn  rgn  set    WAN     WAN-BW-limits  Intervening-regions   Gateway      IGAR
 2    1    2      y       :NoLimit                                          n
 2    2    2
 2    3    2      y       :NoLimit                                          n
 2    4

Follow these same steps for configuring IP Network Region 3.

6. Juniper Networks Configuration

See Appendix.

7. Verification Steps

The following steps may be used to verify the configuration:

Verify the trunk between Communication Manager and Session Manager by running the status trunk and status signaling-group commands.

Verification steps on Juniper devices can be found in the Appendix. Please refer to Section 4 in the Appendix.

8. Conclusion

Juniper Networks “Simply Connected Network for Unified Services and Collaboration” provides a converged IP Network to support Avaya Telephony Environment that includes Avaya Aura® Communication Manager, Avaya Aura® Session Manager, and various Telephone and Video Endpoints, with secure connectivity to other locations across the WAN without requiring local survivability of PSTN failover in locations where redundant WAN connections are available.

9. Additional References

This section references the product documentation relevant to these Application Notes.

Administering Avaya Aura™ Communication Manager, Document 03-300509, Issue 6.0, Release 6.0, June 2010, available at http://support.avaya.com.
Administering Avaya Aura® Session Manager, Release 6.1, November 2010, Issue 1.1, Document Number 03-603324, available at http://support.avaya.com.
Administering Avaya Aura® System Manager, Release 6.1, November 2010, available at http://support.avaya.com.
Juniper product documents are available at http://www.juniper.net/customers/support/

©2012 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya DevConnect Program at [email protected].

Appendix

1. Configure Juniper Simply Connected [Campus]

In the Campus Design, a cluster of SRX Services Gateways provides Edge Security, WAN Routing and VPN Termination, while the EX4500 VirtualChassis provides Layer 3 Routing and DHCP Services within the Campus environment. OSPF is used between these devices to provide additional resiliency with multiple active paths, as well as scalability within the Campus as the number of networks and VLANs rises. EX3300 Access switches provide Layer 2 connectivity and PoE and LLDP-MED Services to UC Endpoints. The following diagram illustrates the architecture of Juniper Networks Simply Connected Campus.

Figure 3 – Campus Network Architecture

1.1. Campus SRX240 Security Gateway

The following configuration was used on SRX240-A and SRX240-B, which operate as a Chassis Cluster and provide WAN and VPN Termination and Security to the Campus edge.

groups {
    node0 {
        system {
            host-name Campus_Core_SRX_A;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.5.20/24;
                    }
                }
            }
        }
        routing-options {
            router-id 192.168.2.17;
        }
    }
    node1 {
        system {
            host-name Campus_Core_SRX_B;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.5.21/24;
                    }
                }
            }
        }
        routing-options {
            router-id 192.168.2.41;
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        encrypted-password "$1$iyoqlmbv$V8uaZuvj8i/4D5sLjl9Jb/"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
    }
}
chassis {
    cluster {
        reth-count 3;
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            preempt;
            interface-monitor {
                ge-0/0/6 weight 128;
                ge-0/0/7 weight 128;
                ge-0/0/13 weight 128;
                ge-0/0/14 weight 128;
                ge-5/0/14 weight 128;
                ge-5/0/13 weight 128;
                ge-5/0/7 weight 128;
                ge-5/0/6 weight 128;
            }
        }
    }
}
interfaces {
    ge-0/0/6 {
        description "To EX4500-A ge-0/0/4";
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/7 {
        description "To EX4500-B ge-0/0/4";
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/13 {
        description "To EX3300-A (Branch) ge-0/0/32";
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/14 {
        description "To EX3300-A (Branch) ge-0/0/34";
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-5/0/6 {
        description "To EX4500-A ge-0/0/6";
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/7 {
        description "To EX4500-B ge-0/0/6";
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/13 {
        description "To EX3300-A (Branch) ge-0/0/33";
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/14 {
        description "To EX3300-A (Branch) ge-0/0/35";
        gigether-options {
            redundant-parent reth2;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/10;
                ge-0/0/11;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/10;
                ge-5/0/11;
            }
        }
    }
    reth0 {
        description "Link to 4500VC, note-LACP not supported on this interface";
        per-unit-scheduler;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                filter {
                    input UC;
                }
                address 192.168.2.29/30;
            }
        }
    }
    reth1 {
        description "ISP-A reth";
        per-unit-scheduler;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                filter {
                    input UC;
                }
                address 192.168.2.2/30;
            }
        }
    }
    reth2 {
        per-unit-scheduler;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            description "ISP-B reth";
            family inet {
                filter {
                    input UC;
                }
                address 192.168.2.6/30;
            }
        }
    }
    st0 {
        unit 216 {
            family inet;
        }
        unit 236 {
            family inet;
        }
        unit 2160 {
            family inet;
        }
        unit 2360 {
            family inet;
        }
    }
}
routing-options {
    static {
        inactive: route 0.0.0.0/0 {
            qualified-next-hop 192.168.2.1;
            qualified-next-hop 192.168.2.5 {
                metric 100;
            }
        }
        route 192.168.0.0/17 next-hop 192.168.2.30;
        route 192.168.216.0/21 {
            qualified-next-hop st0.216;
            qualified-next-hop st0.2160;
        }
        route 192.168.232.0/22 {
            qualified-next-hop st0.236;
            qualified-next-hop st0.2360;
        }
        route 192.168.2.126/32 next-hop 192.168.2.1;
        route 192.168.2.226/32 next-hop 192.168.2.5;
        route 192.168.2.234/32 next-hop 192.168.2.1;
        route 192.168.2.134/32 next-hop 192.168.2.5;
        route 10.64.40.0/24 {
            qualified-next-hop st0.216;
            qualified-next-hop st0.2160;
        }
        route 10.64.41.0/24 next-hop 192.168.2.30;
    }
    router-id 192.168.2.17;
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface reth0.0;
        }
    }
    stp;
}
class-of-service {
    classifiers {
        dscp ezqos-dscp-classifier {
            import default;
            forwarding-class ezqos-voice-fc {
                loss-priority low code-points 101110;
            }
            forwarding-class ezqos-control-fc {
                loss-priority low code-points 100000;
                loss-priority high code-points 110000;
            }
            forwarding-class ezqos-video-fc {
                loss-priority low code-points [ 100010 001010 ];
                loss-priority high code-points [ 100100 100110 ];
            }
            forwarding-class ezqos-busapp-fc {
                loss-priority low code-points [ 010010 010100 ];
                loss-priority high code-points 010110;
            }
        }
    }
    forwarding-classes {
        queue 0 ezqos-best-effort priority low;
        queue 2 ezqos-video-fc priority high;
        queue 1 ezqos-voice-fc priority high;
        queue 7 ezqos-control-fc priority high;
        queue 3 ezqos-busapp-fc priority low;
    }
    interfaces {
        reth0 {
            unit 0 {
                scheduler-map ezqos-voip-sched-maps;
                classifiers {
                    dscp ezqos-dscp-classifier;
                }
                rewrite-rules {
                    dscp Rewrite-Rules;
                }
            }
        }
        reth1 {
            unit 0 {
                scheduler-map ezqos-voip-sched-maps;
                classifiers {
                    dscp ezqos-dscp-classifier;
                }
                rewrite-rules {
                    dscp Rewrite-Rules;
                }
            }
        }
        reth2 {
            unit 0 {
                scheduler-map ezqos-voip-sched-maps;
                classifiers {
                    dscp ezqos-dscp-classifier;
                }
                rewrite-rules {
                    dscp Rewrite-Rules;
                }
            }
        }
    }
    rewrite-rules {
        dscp Rewrite-Rules {
            import default;
            forwarding-class ezqos-voice-fc {
                loss-priority low code-point 101110;
            }
            forwarding-class ezqos-control-fc {
                loss-priority low code-point 100000;
                loss-priority high code-point 110000;
            }
            forwarding-class ezqos-video-fc {
                loss-priority low code-point 001010;
                loss-priority high code-point 100100;
            }
            forwarding-class ezqos-busapp-fc {
                loss-priority high code-point 010110;
                loss-priority low code-point 010010;
            }
        }
    }
    scheduler-maps {
        ezqos-voip-sched-maps {
            forwarding-class ezqos-voice-fc scheduler ezqos-voice-scheduler;
            forwarding-class ezqos-control-fc scheduler ezqos-control-scheduler;
            forwarding-class ezqos-video-fc scheduler ezqos-video-scheduler;
            forwarding-class ezqos-best-effort scheduler ezqos-data-scheduler;
            forwarding-class ezqos-busapp-fc scheduler ezqos-busapp-scheduler;
        }
    }
    schedulers {
        ezqos-voice-scheduler {
            buffer-size percent 5;
            priority strict-high;
        }
        ezqos-control-scheduler {
            buffer-size percent 5;
            priority high;
        }
        ezqos-video-scheduler {
            transmit-rate percent 70;
            buffer-size percent 20;
            priority medium-high;
        }
        ezqos-data-scheduler {
            transmit-rate remainder;
            buffer-size {
                remainder;
            }
            priority low;
        }
        ezqos-busapp-scheduler {
            transmit-rate percent 20;
            buffer-size percent 20;
            priority medium-low;
        }
    }
}
security {
    ike {
        traceoptions {
            file ike.log;
            flag all;
        }
        proposal UniSvces-Prop {
            authentication-method pre-shared-keys;
            dh-group group1;
            authentication-algorithm md5;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 86400;
        }
        policy ike-policy1 {
            mode main;
            proposals UniSvces-Prop;
            pre-shared-key ascii-text "$9$a7ZikmfT3/CPfEcreW8"; ## SECRET-DATA
        }
        gateway gw-LgBranch {
            ike-policy ike-policy1;
            address 192.168.2.126;
            external-interface reth1;
            version v1-only;
        }
        gateway gw-LgBranch2 {
            ike-policy ike-policy1;
            address 192.168.2.226;
            external-interface reth2;
            version v1-only;
        }
        gateway gw-SohoBranch {
            ike-policy ike-policy1;
            address 192.168.2.134;
            external-interface reth2;
            version v1-only;
        }
        gateway gw-SohoBranch2 {
            ike-policy ike-policy1;
            address 192.168.2.234;
            external-interface reth1;
            version v1-only;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 2;
            threshold 3;
        }
        proposal UnifSvcesIPSecProp {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm aes-128-cbc;
        }
        policy vpn-policy {
proposals UnifSvcesIPSecProp; } vpn LgBranch1 { bind-interface st0.216; vpn-monitor { optimized; } ike { gateway gw-LgBranch; proxy-identity { local 192.168.0.0/27; remote 192.168.216.0/21; service any; } ipsec-policy vpn-policy; } establish-tunnels immediately; } vpn LgBranch2 { bind-interface st0.2160; vpn-monitor { optimized; } ike { gateway gw-LgBranch2; proxy-identity { local 192.168.0.0/27; remote 192.168.216.0/21; service any; } ipsec-policy vpn-policy; } establish-tunnels immediately; } vpn SohoBranch1 { bind-interface st0.236; vpn-monitor { optimized; } ike { gateway gw-SohoBranch; proxy-identity { local 192.168.0.0/16; remote 192.168.232.0/22; service any; } ipsec-policy vpn-policy; } establish-tunnels immediately; } vpn SohoBranch2 { bind-interface st0.2360; vpn-monitor { optimized; }


ike { gateway gw-SohoBranch2; proxy-identity { local 192.168.0.0/16; remote 192.168.232.0/22; service any; } ipsec-policy vpn-policy; } establish-tunnels immediately; } } alg { h323 disable; sip disable; } flow { tcp-mss { ipsec-vpn { mss 1350; } } } screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; } } } nat { inactive: source { rule-set trust-to-untrust { from zone trust; to zone untrust; rule source-nat-rule { match { source-address 0.0.0.0/0; } then { source-nat {


interface; } } } } } } policies { from-zone trust to-zone untrust { policy trust-to-untrust { match { source-address any; destination-address any; application any; } then { permit; } } } default-policy { permit-all; } } zones { security-zone trust { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { reth0.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } } security-zone untrust { screen untrust-screen; interfaces { reth1.0 { host-inbound-traffic { system-services { ike; ping;


ssh; } } } reth2.0 { host-inbound-traffic { system-services { ssh; ike; ping; } } } } } security-zone VPN { interfaces { st0.216; st0.2160; st0.236; st0.2360; } } } } firewall { filter UC { term 1 { from { dscp ef; } then { count RTP-with-DSCP-46; forwarding-class ezqos-voice-fc; accept; } } term 2 { from { protocol tcp; port [ 5061 5060 ]; } then { count SIPTLS-Port-5061; forwarding-class ezqos-busapp-fc; accept; } } term 3 { from { dscp af11; protocol udp; } then { count RIP-with-AF11;


forwarding-class ezqos-video-fc; accept; } } term 4 { from { protocol 50; } then { count ESP-Traffic; forwarding-class ezqos-control-fc; accept; } } term 5 { then accept; } } }
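The following is an added example, not part of the original application notes: it parses a Junos curly-brace configuration (including the flattened one-line form seen above) and reports active statements a reviewer would tighten before reusing this lab configuration, such as DH group1, MD5-based authentication, cleartext management services and a permit-all default policy. The parser, the rule list and the embedded sample (condensed from statements in the configuration above, with a placeholder key) are assumptions of this example.

```python
"""Added example: flag settings to tighten in a Junos curly-brace config."""
import re

# Constructed sample: statements condensed from the configuration above and
# flattened onto one line as on this page. The key value is a placeholder.
SAMPLE = (
    'system { services { ftp; ssh; telnet; xnm-clear-text; '
    'web-management { http; } } } '
    'security { ike { proposal UniSvces-Prop { '
    'authentication-method pre-shared-keys; dh-group group1; '
    'authentication-algorithm md5; encryption-algorithm aes-128-cbc; } '
    'policy ike-policy1 { mode main; '
    'pre-shared-key ascii-text "PLACEHOLDER"; ## SECRET-DATA\n'
    '} gateway gw-LgBranch { ike-policy ike-policy1; version v1-only; } } '
    'ipsec { proposal UnifSvcesIPSecProp { protocol esp; '
    'authentication-algorithm hmac-md5-96; } } '
    'nat { inactive: source { rule-set trust-to-untrust { '
    'from zone trust; } } } '
    'policies { default-policy { permit-all; } } }'
)

# Quoted strings, structural characters, or bare words ("[" and "]" are words).
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

# (regex over the space-joined hierarchy path, finding). The rule set is this
# example's own choice, not a vendor checklist.
RULES = [
    (r'^system services (telnet|ftp|xnm-clear-text)$',
     'cleartext management service enabled'),
    (r'^system services web-management http\b',
     'web management served over plain HTTP'),
    (r'^security ike proposal \S+ dh-group group[125]$',
     'weak Diffie-Hellman group'),
    (r'^security (ike|ipsec) proposal \S+ '
     r'authentication-algorithm (md5|hmac-md5-96)$',
     'MD5-based authentication algorithm'),
    (r'^security ike gateway \S+ version v1-only$',
     'gateway restricted to IKEv1'),
    (r'^security policies default-policy permit-all$',
     'default security policy permits all traffic'),
]


def strip_inactive(part):
    """Drop the 'inactive:' marker so paths compare like active ones."""
    return part[len('inactive:'):].lstrip() if part.startswith('inactive:') else part


def statements(text):
    """Return [(full_path, active)] for every leaf statement.

    'inactive:' marks a statement or container that Junos ignores, so every
    leaf beneath it is returned with active=False.
    """
    text = re.sub(r'##\s*SECRET-\s*DATA', '', text)  # annotation, not config
    path, words, leaves = [], [], []
    for tok in TOKEN.findall(text):
        if tok == '{':                       # words so far name a container
            path.append(' '.join(words))
            words = []
        elif tok in (';', '}'):
            if words:                        # a leaf statement just ended
                parts = path + [' '.join(words)]
                active = not any(p.startswith('inactive:') for p in parts)
                full = ' '.join(strip_inactive(p) for p in parts)
                # "groups <name>" wraps ordinary hierarchy; audit it the same way.
                leaves.append((re.sub(r'^groups \S+ ', '', full), active))
                words = []
            if tok == '}':
                if not path:
                    raise ValueError('unbalanced "}"')
                path.pop()
        else:
            words.append(tok)
    if path or words:
        raise ValueError('configuration ends inside: ' + ' '.join(path + words))
    return leaves


def audit(text):
    """Return [(finding, full_path)] for active statements matching a rule."""
    findings = []
    for full, active in statements(text):
        if not active:
            continue
        for pattern, message in RULES:
            if re.search(pattern, full):
                findings.append((message, full))
    return findings


if __name__ == '__main__':
    for message, where in audit(SAMPLE):
        print(f'{message}: {where}')
```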

1.2. Campus EX4500 Core Switch

The following configuration was used on the EX4500-A and EX4500-B, which operate as a Virtual Chassis and provide Layer 3 routing and core switching services within the campus environment. The EX4500 also offers DHCP server services to clients, as it is the default route on all local area VLANs.

system { host-name Campus_Aggreg_EXVC_A; domain-name uc.com; time-zone America/New_York; root-authentication { encrypted-password "$1$rtcBKTiu$Q10juRHEGnPojhHS4STLn/"; ## SECRET-DATA
} services { ftp; ssh { protocol-version v2; } telnet; netconf { ssh; } web-management { http; } dhcp { option 242 string MCIPADD=10.64.41.21,HTTPSSRVR=10.64.40.12,L2QVLAN=0; pool 192.168.10.0/24 { address-range low 192.168.10.100 high 192.168.10.200; router {


192.168.10.1; } } pool 192.168.12.0/24 { address-range low 192.168.12.100 high 192.168.12.200; router { 192.168.12.1; } } pool 192.168.20.0/24 { address-range low 192.168.20.100 high 192.168.20.200; router { 192.168.20.1; } } pool 192.168.22.0/24 { address-range low 192.168.22.100 high 192.168.22.200; router { 192.168.22.1; } } pool 192.168.30.0/24 { address-range low 192.168.30.100 high 192.168.30.200; router { 192.168.30.1; } } pool 192.168.32.0/24 { address-range low 192.168.32.100 high 192.168.32.200; router { 192.168.32.1; } } pool 192.168.60.0/24 { address-range low 192.168.60.100 high 192.168.60.200; router { 192.168.60.1; } } pool 192.168.62.0/24 { address-range low 192.168.62.100 high 192.168.62.200; router { 192.168.62.1; } } pool 192.168.70.0/24 { address-range low 192.168.70.100 high 192.168.70.200; router { 192.168.70.1; } } pool 192.168.72.0/24 { address-range low 192.168.72.100 high 192.168.72.200; router { 192.168.72.1;


} } pool 192.168.80.0/24 { address-range low 192.168.80.100 high 192.168.80.200; router { 192.168.80.1; } } } } syslog { user * { any emergency; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } } commit synchronize; } chassis { aggregated-devices { ethernet { device-count 8; } } } interfaces { ge-0/0/4 { description "SRX240-A ge-0/0/6"; ether-options { 802.3ad ae2; } } ge-0/0/6 { description "SRX240-B ge-0/0/6"; ether-options { 802.3ad ae3; } } ge-0/0/8 { description "To EX3300-A ge-0/0/22"; ether-options { 802.3ad ae0; } } ge-0/0/10 { description "To EX3300-B ge-0/0/22"; ether-options { 802.3ad ae0; }


} ge-1/0/4 { description "SRX240-A ge-0/0/7"; ether-options { 802.3ad ae2; } } ge-1/0/6 { description "SRX240-B ge-0/0/7"; ether-options { 802.3ad ae3; } } ge-1/0/8 { description "To EX3300-A ge-0/0/23"; ether-options { 802.3ad ae0; } } ge-1/0/10 { description "To EX3300-B ge-0/0/23"; ether-options { 802.3ad ae0; } } ae0 { description "Aggregate to Building A"; aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { port-mode trunk; } } } ae1 { description "Aggregate to Building B"; aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { port-mode trunk; } } } ae2 { description "Link to SRX Cluster"; unit 0 { family ethernet-switching {


port-mode access; vlan { members v230; } } } } ae3 { description "Link to SRX Cluster"; unit 0 { family ethernet-switching { port-mode access; vlan { members v230; } } } } me0 { unit 0 { family inet { address 192.168.5.11/24; } } } vlan { unit 10 { family inet { address 192.168.10.1/24; } } unit 12 { family inet { address 192.168.12.1/24; } } unit 20 { family inet { address 192.168.20.1/24; } } unit 22 { family inet { address 192.168.22.1/24; } } unit 30 { family inet { address 192.168.30.1/24; } } unit 32 { family inet { address 192.168.32.1/24; }


} unit 41 { family inet { address 10.64.41.1/24; } } unit 60 { family inet { address 192.168.60.1/24; } } unit 62 { family inet { address 192.168.62.1/24; } } unit 70 { family inet { address 192.168.70.1/24; } } unit 72 { family inet { address 192.168.72.1/24; } } unit 80 { family inet { address 192.168.80.1/24; } } unit 230 { family inet { address 192.168.2.30/30; } } } vme { unit 0 { family inet { address 192.168.5.10/24; } } } } routing-options { static { route 0.0.0.0/0 next-hop 192.168.2.29; } router-id 192.168.2.18; } protocols { ospf { area 0.0.0.0 { interface vlan.10 {


passive; } interface vlan.12 { passive; } interface vlan.20 { passive; } interface vlan.22 { passive; } interface vlan.230 { passive; } interface vlan.30 { passive; } interface vlan.32 { passive; } interface vlan.60 { passive; } interface vlan.62 { passive; } interface vlan.70 { passive; } interface vlan.72 { passive; } } } igmp-snooping { vlan all; } dcbx { interface all; } rstp; lldp { interface all; } lldp-med { interface all; } } class-of-service { classifiers { dscp ezqos-dscp-classifier { import default; forwarding-class ezqos-voice-fc { loss-priority low code-points 101110; }


forwarding-class ezqos-control-fc { loss-priority low code-points 100000; loss-priority high code-points 110000; } forwarding-class ezqos-video-fc { loss-priority low code-points [ 100010 001010 ]; loss-priority high code-points [ 100100 100110 ]; } forwarding-class ezqos-busapp-fc { loss-priority low code-points [ 010010 010100 ]; loss-priority high code-points 010110; } } } forwarding-classes { class ezqos-best-effort queue-num 0; class ezqos-video-fc queue-num 2; class ezqos-voice-fc queue-num 7; class ezqos-control-fc queue-num 4; class ezqos-busapp-fc queue-num 3; } interfaces { ae0 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ae1 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ae2 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } }


ae3 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } } rewrite-rules { dscp Rewrite-Rules { import default; forwarding-class ezqos-voice-fc { loss-priority low code-point 101110; } forwarding-class ezqos-control-fc { loss-priority low code-point 100000; loss-priority high code-point 110000; } forwarding-class ezqos-video-fc { loss-priority low code-point 001010; loss-priority high code-point 100100; } forwarding-class ezqos-busapp-fc { loss-priority high code-point 010110; loss-priority low code-point 010010; } } } scheduler-maps { ezqos-voip-sched-maps { forwarding-class ezqos-voice-fc scheduler ezqos-voice-scheduler; forwarding-class ezqos-control-fc scheduler ezqos-control-scheduler; forwarding-class ezqos-video-fc scheduler ezqos-video-scheduler; forwarding-class ezqos-best-effort scheduler ezqos-data-scheduler; forwarding-class ezqos-busapp-fc scheduler ezqos-busapp-scheduler; } } schedulers { ezqos-voice-scheduler { buffer-size percent 5; priority strict-high; } ezqos-control-scheduler { buffer-size percent 5; priority low; } ezqos-video-scheduler { transmit-rate percent 70;


buffer-size percent 20; priority low; } ezqos-data-scheduler { transmit-rate remainder; buffer-size { remainder; } priority low; } ezqos-busapp-scheduler { transmit-rate percent 20; buffer-size percent 20; priority low; } } } ethernet-switching-options { storm-control { interface all; } } vlans { Data1 { description "Data VLAN Building A"; vlan-id 10; interface { ae0.0; } l3-interface vlan.10; } Data2 { description "Data VLAN Building B"; vlan-id 20; interface { ae1.0; } l3-interface vlan.20; } Guest1 { description "Guest VLAN"; vlan-id 80; } Voice1 { description "Voice VLAN Building A"; vlan-id 12; interface { ae0.0; } l3-interface vlan.12; } Voice2 { description "Voice VLAN Building B"; vlan-id 22; interface {


ae1.0; } l3-interface vlan.22; } WLDataA { description "Wireless Data Bldg A"; vlan-id 60; interface { ae0.0; } l3-interface vlan.60; } WLDataB { description "Wireless Data Bldg B"; vlan-id 70; l3-interface vlan.70; } WLVoiceA { description "Wireless Voice Bldg A"; vlan-id 62; interface { ae0.0; } l3-interface vlan.62; } WLVoiceB { description "Wireless Voice Bldg B"; vlan-id 72; l3-interface vlan.72; } v230 { description "Uplink to SRX"; vlan-id 230; interface { ae2.0; ae3.0; } l3-interface vlan.230; } vlan41 { description "Avaya Sever DMZ 2"; vlan-id 41; interface { ae0.0; } l3-interface vlan.41; } } virtual-chassis { member 0 { mastership-priority 1; } member 1 { mastership-priority 255; }


}

1.3. Campus EX3300 Access Switch

The following configuration was used on the EX3300-A and EX3300-B devices, which operate in a Virtual Chassis and provide Layer 2 switching, PoE and LLDP-MED services to clients.

system { host-name Campus_BldgA_EXVC_A; domain-name uc.com; time-zone America/New_York; root-authentication { encrypted-password "$1$EMHJwmch$xVWM16C3ZtvaznYepSIUo1"; ## SECRET-DATA
} services { ftp; ssh; telnet; web-management { http; } } syslog { user * { any emergency; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } } commit synchronize; } chassis { aggregated-devices { ethernet { device-count 4; } } } interfaces { interface-range DataPorts { member-range ge-1/0/6 to ge-1/0/10; member-range ge-0/0/6 to ge-0/0/10; unit 0 { family ethernet-switching { port-mode access; vlan { members vData1; }


filter { input UC; } } } } ge-0/0/0 { unit 0 { family ethernet-switching { port-mode access; vlan { members vlan41; } } } } ge-0/0/1 { unit 0 { family ethernet-switching { port-mode access; vlan { members vlan41; } } } } ge-0/0/2 { unit 0 { family ethernet-switching { port-mode access; vlan { members vlan41; } } } } ge-0/0/3 { unit 0 { family ethernet-switching { port-mode access; vlan { members vlan41; } } } } ge-0/0/4 { unit 0 { family ethernet-switching { port-mode access; vlan { members vlan41; } } }


} ge-0/0/5 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members vlan41; } } } } ge-0/0/11 { unit 0 { family ethernet-switching; } } ge-0/0/12 { description "WLC2800-Campus Port 2"; unit 0 { family ethernet-switching { port-mode trunk; vlan { members [ vGuest1 WLVoiceA ]; } } } } ge-0/0/13 { unit 0 { family ethernet-switching { port-mode access; vlan { members WLVoiceA; } } } } ge-0/0/22 { description "EX4500-A ge-0/0/8"; ether-options { 802.3ad ae0; } } ge-0/0/23 { description "EX4500-B ge-0/0/8"; ether-options { 802.3ad ae0; } } ge-1/0/0 { unit 0 { family ethernet-switching { port-mode access; vlan { members vlan41;


} } } } ge-1/0/12 { unit 0 { family ethernet-switching { port-mode access; vlan { members WLVoiceA; } } } } ge-1/0/13 { unit 0 { family ethernet-switching { port-mode access; vlan { members WLVoiceA; } } } } ge-1/0/22 { description "EX4500-A ge-0/0/10"; ether-options { 802.3ad ae0; } } ge-1/0/23 { description "EX4500-B ge-0/0/10"; ether-options { 802.3ad ae0; } } ae0 { aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { port-mode trunk; vlan { members all; } filter { input UC; } } } } vlan {


unit 10 { family inet { address 192.168.10.66/24; } } unit 12 { family inet { address 192.168.12.66/24; } } unit 41 { family inet { address 10.64.41.66/24; } } unit 60 { family inet { address 192.168.60.66/24; } } unit 62 { family inet { address 192.168.62.66/24; } } unit 80 { family inet { address 192.168.80.66/24; } } } vme { unit 0 { family inet { address 172.28.114.79/24; } } } } routing-options { static { route 0.0.0.0/0 next-hop 192.168.10.1; } } protocols { igmp-snooping { vlan all; } rstp { interface ge-0/0/12.0 { disable; edge; } } lldp {


interface all; } lldp-med { fast-start 1; interface all { location { elin 4085109824; } } } } class-of-service { classifiers { dscp ezqos-dscp-classifier { import default; forwarding-class ezqos-voice-fc { loss-priority low code-points 101110; } forwarding-class ezqos-control-fc { loss-priority low code-points 100000; loss-priority high code-points 110000; } forwarding-class ezqos-video-fc { loss-priority low code-points [ 100010 001010 ]; loss-priority high code-points [ 100100 100110 ]; } forwarding-class ezqos-busapp-fc { loss-priority low code-points [ 010010 010100 ]; loss-priority high code-points 010110; } } } forwarding-classes { class ezqos-best-effort queue-num 0; class ezqos-video-fc queue-num 2; class ezqos-voice-fc queue-num 7; class ezqos-control-fc queue-num 4; class ezqos-busapp-fc queue-num 3; } interfaces { ae0 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } } rewrite-rules { dscp Rewrite-Rules { import default;


forwarding-class ezqos-voice-fc { loss-priority low code-point 101110; } forwarding-class ezqos-control-fc { loss-priority low code-point 100000; loss-priority high code-point 110000; } forwarding-class ezqos-video-fc { loss-priority low code-point 001010; loss-priority high code-point 100100; } forwarding-class ezqos-busapp-fc { loss-priority high code-point 010110; loss-priority low code-point 010010; } } } scheduler-maps { ezqos-voip-sched-maps { forwarding-class ezqos-voice-fc scheduler ezqos-voice-scheduler; forwarding-class ezqos-control-fc scheduler ezqos-control-scheduler; forwarding-class ezqos-video-fc scheduler ezqos-video-scheduler; forwarding-class ezqos-best-effort scheduler ezqos-data-scheduler; forwarding-class ezqos-busapp-fc scheduler ezqos-busapp-scheduler; } } schedulers { ezqos-voice-scheduler { buffer-size percent 5; priority strict-high; } ezqos-control-scheduler { buffer-size percent 5; priority low; } ezqos-video-scheduler { transmit-rate percent 70; buffer-size percent 20; priority low; } ezqos-data-scheduler { transmit-rate remainder; buffer-size { remainder; } priority low; } ezqos-busapp-scheduler { transmit-rate percent 20; buffer-size percent 20; priority low; }


} } firewall { family ethernet-switching { filter UC { term 1 { from { dscp ef; } then { accept; forwarding-class ezqos-voice-fc; loss-priority low; } } term 2 { from { dscp af11; } then { accept; forwarding-class ezqos-video-fc; loss-priority low; } } term 3 { from { precedence [ net-control internet-control ]; } then { accept; forwarding-class ezqos-control-fc; loss-priority low; } } term 4 { from { destination-port [ 5060 5061 5070 ]; } then { accept; forwarding-class ezqos-busapp-fc; loss-priority low; } } term 5 { then { accept; forwarding-class ezqos-best-effort; loss-priority low; } } } } }

ethernet-switching-options { voip { interface DataPorts { vlan vVoice1; } } storm-control { interface all; } } vlans { WLDataA { description "Wireless Data Bldg A"; vlan-id 60; interface { ae0.0; } l3-interface vlan.60; } WLVoiceA { description "Wireless Voice Bldg A"; vlan-id 62; interface { ae0.0; } l3-interface vlan.62; } vData1 { description "Data VLAN Building A"; vlan-id 10; interface { ae0.0; ge-0/0/37.0; } l3-interface vlan.10; } vGuest1 { description "Guest VLAN"; vlan-id 80; interface { ae0.0; } l3-interface vlan.80; } vVoice1 { description "Voice VLAN Building A"; vlan-id 12; interface { ae0.0; } l3-interface vlan.12; } vlan41 { vlan-id 41; l3-interface vlan.41;


} } poe { management class; interface all; } virtual-chassis { member 0 { mastership-priority 255; } member 1 { mastership-priority 1; } fast-failover { xe; } }

1.4. Campus WLC800R Wireless Controller

The following configuration was used on the WLC800-Campus Wireless LAN Controller, which is paired with the WLC800-Branch controller to provide a mobility domain for increased resiliency.

# Image 7.6.2.3.0
# Model MX-800R
set ip route default 192.168.62.1 0
set system name WLC800R-B
set system ip-address 192.168.62.5
set system countrycode US
set timezone PST -8 00
set service-profile campus-voice-wlan ssid-name ca-voice
set service-profile campus-voice-wlan ssid-type clear
set service-profile campus-voice-wlan auth-fallthru last-resort
set service-profile campus-voice-wlan psk-encrypted 075f70484a0a4c5c4545585b54737d222c6b66761553420655570c5d03005a504b4e5a5c520657530c5d0d03540007534a53540b5e070c77144d084a0147460d5a
set service-profile campus-voice-wlan 11n mode-ng disable
set service-profile campus-voice-wlan wpa-ie auth-psk enable
set service-profile campus-voice-wlan wpa-ie auth-dot1x disable
set service-profile campus-voice-wlan rsn-ie cipher-ccmp enable
set service-profile campus-voice-wlan rsn-ie auth-psk enable
set service-profile campus-voice-wlan rsn-ie auth-dot1x disable
set service-profile campus-voice-wlan rsn-ie enable
set service-profile campus-voice-wlan attr vlan-name campus-voice
set radio-profile default auto-tune channel-config disable
set radio-profile default service-profile campus-voice-wlan
set radio-profile uc
set radio-profile uc dtim-interval 2
set radio-profile uc auto-tune channel-config disable
set radio-profile uc rf-scanning channel-scope operating
set radio-profile uc wmm-powersave enable
set radio-profile uc cac video mode enable
set radio-profile uc cac voice mode enable
set radio-profile uc cac best-effort max-utilization 30
set radio-profile uc cac video max-utilization 30
set radio-profile uc cac voice max-utilization 50
set radio-profile uc service-profile campus-voice-wlan
set vlan-profile uc vlan voice tag 262
set ap 1 serial-id 0971100856 model MP-422A
set ap 1 name WLC471-A
set ap 1 fingerprint 58:91:35:74:97:e7:7c:74:56:9d:b8:73:e8:40:0b:ea
set ap 1 radio 1 radio-profile uc channel 9 mode enable
set ap 1 radio 2 radio-profile uc channel 157 tx-power 16 mode enable
set ap 2 serial-id 0873500176 model MP-422A
set ap 2 name WLC471-B
set ap 2 fingerprint ec:5e:48:a1:0b:27:f3:dd:e1:30:d6:8c:ef:09:0f:cc
set ap 2 radio 1 radio-profile uc channel 3 mode enable
set ap 2 radio 2 radio-profile uc channel 165 tx-power 17 mode enable
set port 2 name vlan62
set vlan 62 name campus-voice
set vlan 62 port 2 tag 62
set vlan 62 port 3 tag 62
set vlan 80 name campus-guest
set vlan 80 port 2 tag 80
set vlan 80 port 3 tag 80
set interface 62 ip 192.168.62.5 255.255.255.0
set interface 80 ip 192.168.80.5 255.255.255.0


2. Configure Juniper Simply Connected [Large Branch]

In the Large Branch Location, a pair of SRX240s operating in a Chassis Cluster provides WAN and LAN Routing, VPN Termination and Security Services. The SRX240 also acts as the DHCP Server and default route for all local-area VLANs within the Large Branch. The EX3300 operates as a Layer 2 switch and provides PoE and LLDP-MED Services to UC Endpoints. The Access Layer is connected to the SRX Cluster via multiple Link Aggregation uplinks to provide additional link-level redundancy in a fully meshed configuration to the access layer. The following diagram illustrates the architecture of the Juniper Networks Simply Connected Large Branch.

Figure 4 – Large Branch Architecture


2.1. Large Branch SRX240 Security Gateway

The following configuration was used on the SRX240 Cluster for the Large Branch. In the group configuration, node0 represents the primary active firewall, SRX240-C, while node1 represents the backup (standby) device, SRX240-D.

groups { node0 { system { host-name Branch_WAN_SRX_A; time-zone America/New_York; ntp { server 172.28.113.111; server 172.28.114.111; } } interfaces { fxp0 { unit 0 { family inet { address 172.28.114.88/24; } } } } } node1 { system { host-name Branch_WAN_SRX_B; time-zone America/New_York; ntp { server 172.28.113.111; server 172.28.114.111; } } interfaces { fxp0 { unit 0 { family inet { address 172.28.114.87/24; } } } } } } apply-groups "${node}"; system { host-name Branch_WAN_SRX_A; domain-name uc.com; time-zone America/New_York; root-authentication { encrypted-password "$1$jgseDxaR$rNdbdHs86NjbXXrXIgJRR0"; ## SECRET-DATA
}


name-server { 172.28.113.111; 172.28.114.111; } login { user soleng { uid 2001; class super-user; authentication { encrypted-password "$1$mZafH7Iz$37oo6Ui6VzVGRKaVUWEk9/"; ## SECRET-DATA
} } } services { ftp; ssh; telnet; xnm-clear-text; web-management { http { interface vlan.0; } https { system-generated-certificate; interface vlan.0; } } dhcp { option 242 string MCIPADD=10.64.41.21,HTTPSSRVR=10.64.40.12,L2QVLAN=0; pool 192.168.216.0/24 { address-range low 192.168.216.100 high 192.168.216.150; router { 192.168.216.1; } } pool 192.168.217.0/24 { address-range low 192.168.217.100 high 192.168.217.150; router { 192.168.217.1; } } pool 192.168.218.0/24 { address-range low 192.168.218.100 high 192.168.218.150; router { 192.168.218.1; } } pool 192.168.221.0/24 { address-range low 192.168.221.100 high 192.168.221.150; router { 192.168.221.1; } }


pool 192.168.222.0/24 { address-range low 192.168.222.100 high 192.168.222.150; router { 192.168.222.1; } } pool 192.168.223.0/24 { address-range low 192.168.223.100 high 192.168.223.150; router { 192.168.223.1; } } } } syslog { archive size 100k files 3; } ntp { server 172.28.113.111; server 172.28.114.111; } } chassis { aggregated-devices { ethernet { device-count 4; } } fpc 0 { pic 0 { mlfr-uni-nni-bundles 1; } } cluster { reth-count 3; heartbeat-interval 1000; heartbeat-threshold 3; redundancy-group 1 { node 0 priority 100; node 1 priority 1; preempt; gratuitous-arp-count 4; interface-monitor { ge-0/0/2 weight 128; ge-0/0/3 weight 128; ge-5/0/2 weight 128; ge-5/0/3 weight 128; ge-0/0/13 weight 128; ge-0/0/14 weight 128; ge-5/0/14 weight 128; ge-5/0/13 weight 128; } } } }

interfaces { ge-0/0/2 { description "EX3300-A ge-0/0/46"; gigether-options { redundant-parent reth0; } } ge-0/0/3 { description "EX3300_B ge-0/0/46"; gigether-options { redundant-parent reth0; } } ge-0/0/10 { description "HA to SRX_B ge-0/0/10"; } ge-0/0/11 { description "HA to SRX_B ge-0/0/11"; } ge-0/0/12 { unit 0; } ge-0/0/13 { gigether-options { redundant-parent reth2; } } ge-0/0/14 { gigether-options { redundant-parent reth1; } } ge-0/0/15 { unit 0; } ge-5/0/2 { description "EX3300_A ge-0/0/47"; gigether-options { redundant-parent reth0; } } ge-5/0/3 { description "EX3300_B ge-0/0/47"; gigether-options { redundant-parent reth0; } } ge-5/0/10 { description "HAFab Link to SRX_A ge-0/0/10"; } ge-5/0/11 { description "HAFab Link to SRX_A ge-0/0/11"; } ge-5/0/13 { description "Connection to EX58 ge-0/0/9";


gigether-options { redundant-parent reth2; } } ge-5/0/14 { gigether-options { redundant-parent reth1; } } fab0 { fabric-options { member-interfaces { ge-0/0/10; ge-0/0/11; } } } fab1 { fabric-options { member-interfaces { ge-5/0/10; ge-5/0/11; } } } lo0 { unit 0 { family inet { address 192.168.5.216/32; } } } reth0 { description "LAG Group and RETH for Switch Uplink"; per-unit-scheduler; vlan-tagging; redundant-ether-options { redundancy-group 1; lacp { active; } } unit 40 { description "Avaya DMZ"; vlan-id 40; family inet { filter { input UC; } address 10.64.40.1/24; } } unit 216 { description "Wireless Data VLAN L3 Interface"; vlan-id 216;


family inet { filter { input UC; } address 192.168.216.1/24; } } unit 217 { description "Wireless Voice VLAN L3 Interface"; vlan-id 217; family inet { filter { input UC; } address 192.168.217.1/24; } } unit 218 { description "Guest VLAN L3 Interface"; vlan-id 218; family inet { filter { input UC; } address 192.168.218.1/24; } } unit 221 { description "Data VLAN L3 Interface"; vlan-id 221; family inet { filter { input UC; } address 192.168.221.1/24; } } unit 222 { description "Voice VLAN L3 Interface"; vlan-id 222; family inet { filter { input UC; } address 192.168.222.1/24; } } unit 223 { description "WLA VLAN L3 Interface"; vlan-id 223; family inet { filter { input UC; } address 192.168.223.1/24;


} } } reth1 { description "Primary Link to ISP"; per-unit-scheduler; redundant-ether-options { redundancy-group 1; inactive: lacp { active; } } unit 0 { family inet { filter { input UC; } address 192.168.2.226/30; } } } reth2 { description "Secondary Link to ISP"; per-unit-scheduler; redundant-ether-options { redundancy-group 1; inactive: lacp { active; } } unit 0 { family inet { filter { input UC; } address 192.168.2.126/30; } } } st0 { unit 216 { description "Primary Tunnel to Campus"; family inet; } unit 232 { description "Primary Tunnel to Small Branch"; family inet { address 192.168.90.1/30; } } unit 2160 { description "Secondary Tunnel to Campus"; family inet; } unit 2320 {


description "Secondary Tunnel to Small Branch"; family inet { address 192.168.91.1/30; } } } } snmp { description "SRX021 SRX240 used in Unified Solutions"; contact "Unified Solutions"; community solutions; } routing-options { static { inactive: route 0.0.0.0/0 { next-hop 192.168.2.125; qualified-next-hop 192.168.2.225 { metric 20; } } route 192.168.232.0/22 { qualified-next-hop st0.232; qualified-next-hop st0.2320; } route 192.168.0.0/16 { qualified-next-hop st0.216; qualified-next-hop st0.2160; } route 192.168.2.134/32 next-hop 192.168.2.125; route 192.168.2.234/32 next-hop 192.168.2.225; route 192.168.2.2/32 next-hop 192.168.2.125; route 192.168.2.6/32 next-hop 192.168.2.225; route 10.64.41.0/24 { qualified-next-hop st0.216; qualified-next-hop st0.2160; } } } protocols { lacp { traceoptions { flag all; } } rstp; } class-of-service { classifiers { dscp ezqos-dscp-classifier { import default; forwarding-class ezqos-voice-fc { loss-priority low code-points 101110; } forwarding-class ezqos-control-fc { loss-priority low code-points 100000;


loss-priority high code-points 110000; } forwarding-class ezqos-video-fc { loss-priority low code-points [ 100010 001010 ]; loss-priority high code-points [ 100100 100110 ]; } forwarding-class ezqos-busapp-fc { loss-priority low code-points [ 010010 010100 ]; loss-priority high code-points 010110; } } } forwarding-classes { queue 0 ezqos-best-effort priority low; queue 2 ezqos-video-fc priority high; queue 1 ezqos-voice-fc priority high; queue 7 ezqos-control-fc priority high; queue 3 ezqos-busapp-fc priority low; } interfaces { reth0 { unit 216 { scheduler-map ezqos-voip-sched-maps; classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } unit 217 { scheduler-map ezqos-voip-sched-maps; classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } unit 218 { scheduler-map ezqos-voip-sched-maps; classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } unit 221 { scheduler-map ezqos-voip-sched-maps; classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules;


} } unit 222 { scheduler-map ezqos-voip-sched-maps; classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } unit 223 { scheduler-map ezqos-voip-sched-maps; classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } reth1 { unit 0 { scheduler-map ezqos-voip-sched-maps; classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } reth2 { unit 0 { scheduler-map ezqos-voip-sched-maps; classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } } rewrite-rules { dscp Rewrite-Rules { import default; forwarding-class ezqos-voice-fc { loss-priority low code-point 101110; } forwarding-class ezqos-control-fc { loss-priority low code-point 100000; loss-priority high code-point 110000; } forwarding-class ezqos-video-fc {


loss-priority low code-point 001010; loss-priority high code-point 100100; } forwarding-class ezqos-busapp-fc { loss-priority high code-point 010110; loss-priority low code-point 010010; } } } scheduler-maps { ezqos-voip-sched-maps { forwarding-class ezqos-voice-fc scheduler ezqos-voice-scheduler; forwarding-class ezqos-control-fc scheduler ezqos-control-scheduler; forwarding-class ezqos-video-fc scheduler ezqos-video-scheduler; forwarding-class ezqos-best-effort scheduler ezqos-data-scheduler; forwarding-class ezqos-busapp-fc scheduler ezqos-busapp-scheduler; } } schedulers { ezqos-voice-scheduler { buffer-size percent 5; priority strict-high; } ezqos-control-scheduler { buffer-size percent 5; priority high; } ezqos-video-scheduler { transmit-rate percent 70; buffer-size percent 20; priority medium-high; } ezqos-data-scheduler { transmit-rate remainder; buffer-size { remainder; } priority low; } ezqos-busapp-scheduler { transmit-rate percent 20; buffer-size percent 20; priority medium-low; } } } security { ike { traceoptions { file ike.log; flag all; }


proposal UniSvces-Prop { authentication-method pre-shared-keys; dh-group group1; authentication-algorithm md5; encryption-algorithm aes-128-cbc; lifetime-seconds 86400; } policy ike-policy1 { mode main; proposals UniSvces-Prop; pre-shared-key ascii-text "$9$4saDiqmfzn/.mIESrvM"; ## SECRET-DATA } gateway gw-SohoBranch1 { ike-policy ike-policy1; address 192.168.2.134; external-interface reth2; version v1-only; } gateway gwSoHoBranch2 { ike-policy ike-policy1; address 192.168.2.234; external-interface reth1; version v1-only; } gateway gw-Campus1 { ike-policy ike-policy1; address 192.168.2.2; external-interface reth2; version v1-only; } gateway gw-Campus2 { ike-policy ike-policy1; address 192.168.2.6; external-interface reth1; version v1-only; } } ipsec { vpn-monitor-options { interval 2; threshold 2; } proposal UnifSvcesIPsecProp { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm aes-128-cbc; } policy vpn-policy1 { proposals UnifSvcesIPsecProp; } policy vpn-policy { proposals UnifSvcesIPsecProp; } vpn VPN-SohoBranch1 {


bind-interface st0.232; vpn-monitor { optimized; } ike { gateway gw-SohoBranch1; proxy-identity { local 192.168.216.0/21; remote 192.168.232.0/22; service any; } ipsec-policy vpn-policy1; } } vpn VPN-SohoBranch2 { bind-interface st0.2320; vpn-monitor { optimized; } ike { gateway gwSoHoBranch2; proxy-identity { local 192.168.216.0/21; remote 192.168.232.0/22; service any; } ipsec-policy vpn-policy1; } } vpn VPN-Campus1 { bind-interface st0.216; vpn-monitor { optimized; } ike { gateway gw-Campus1; proxy-identity { local 192.168.216.0/21; remote 192.168.0.0/27; service any; } ipsec-policy vpn-policy; } establish-tunnels immediately; } vpn VPN-Campus2 { bind-interface st0.2160; vpn-monitor { optimized; source-interface vlan.232; } ike { gateway gw-Campus2; proxy-identity { local 192.168.216.0/21;


remote 192.168.0.0/17; service any; } ipsec-policy vpn-policy; } establish-tunnels immediately; } } alg { h323 disable; sip disable; } flow { tcp-mss { ipsec-vpn { mss 1350; } } } screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; } } } nat { inactive: source { rule-set trust-to-untrust { from zone trust; to zone untrust; rule source-nat-rule { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } }


} } } policies { from-zone trust to-zone untrust { policy trust-to-untrust { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone DataCenter to-zone trust { policy AllowAll { match { source-address DCLocal; destination-address addrMed; application any; } then { permit; } } } from-zone trust to-zone DataCenter { policy AllowAll { match { source-address addrMed; destination-address DCLocal; application any; } then { permit; } } } from-zone untrust to-zone trust { policy untrust-to-trust { match { source-address any; destination-address any; application any; } then { permit; } } } default-policy { permit-all; }


} zones { security-zone trust { address-book { address addrMed 192.168.216.0/21; } host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { reth0.221; reth0.222; reth0.223; reth0.216; reth0.217; reth0.218; reth0.40; } } security-zone untrust { screen untrust-screen; interfaces { reth1.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } reth2.0 { host-inbound-traffic { system-services { all; } } } } } security-zone DataCenter { address-book { address DCLocalOne 10.1.0.0/16; address DCLocalTwo 10.2.0.0/16; address DCLocalZero 192.168.0.0/16; address-set DCLocal { address DCLocalOne; address DCLocalTwo; address DCLocalZero;


} } interfaces { lo0.0 { host-inbound-traffic { system-services { all; } } } st0.216; st0.232; st0.2320; st0.2160; } } security-zone WAN; } } firewall { filter UC { term 1 { from { dscp ef; } then { count RTP-with-DSCP-46; forwarding-class ezqos-voice-fc; accept; } } term 2 { from { protocol tcp; port [ 5061 5060 ]; } then { count SIPTLS-Port-5061; forwarding-class ezqos-video-fc; accept; } } term 3 { from { dscp [ af11 af41 ]; } then { count RTP-with-AF11; forwarding-class ezqos-video-fc; accept; } } term 4 { from { protocol 50;


} then { count ESP-Traffic; forwarding-class ezqos-control-fc; accept; } } term 5 { then accept; } } }
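The IKE and IPsec proposals, zone settings and security policies in the Large Branch SRX configuration above can be checked mechanically before a lab configuration like this one is reused elsewhere. The following Python code is an added example, not part of the Application Notes or of any Juniper tool: it flattens brace-style configuration into set-style paths, skips `inactive:` subtrees, and reports DH group 1, MD5-based integrity (both deprecated by current IPsec guidance), any/any/any permit policies, a `permit-all` default policy and unrestricted host-inbound services on the untrust zone. The rule identifiers, function names and the `PLACEHOLDER` key are assumptions made for the example.

```python
import re

# Constructed excerpt: statements copied from the Large Branch SRX "security"
# stanza above, kept partly flattened as on the page; the pre-shared key is
# replaced by a placeholder.
SAMPLE = """
security { ike { proposal UniSvces-Prop { authentication-method pre-shared-keys;
  dh-group group1; authentication-algorithm md5; encryption-algorithm aes-128-cbc; }
  policy ike-policy1 { pre-shared-key ascii-text "PLACEHOLDER"; ## SECRET-DATA
  } }
 ipsec { proposal UnifSvcesIPsecProp { protocol esp;
  authentication-algorithm hmac-md5-96; encryption-algorithm aes-128-cbc; } }
 nat { inactive: source { rule-set trust-to-untrust { from zone trust; to zone untrust; } } }
 policies {
  from-zone untrust to-zone trust { policy untrust-to-trust {
   match { source-address any; destination-address any; application any; } then { permit; } } }
  from-zone DataCenter to-zone trust { policy AllowAll {
   match { source-address DCLocal; destination-address addrMed; application any; } then { permit; } } }
  default-policy { permit-all; } }
 zones { security-zone untrust { interfaces { reth1.0 {
  host-inbound-traffic { system-services { all; } } } } } }
}
"""

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def to_paths(text):
    """Flatten brace-style config into set-style word tuples, one per leaf statement."""
    # Drop the display annotation, including the line-wrapped "SECRET- DATA" form.
    text = re.sub(r"##\s*SECRET-\s*DATA", " ", text)
    paths, stack, words, skip = [], [], [], None
    for tok in TOKEN.findall(text):
        if tok == "{":
            stack.append(words)
            if skip is None and words[:1] == ["inactive:"]:
                skip = len(stack)          # depth of the deactivated block
            words = []
        elif tok == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            if skip == len(stack):
                skip = None                # leaving the deactivated block
            stack.pop()
            words = []
        elif tok == ";":
            if words and skip is None and words[0] != "inactive:":
                paths.append(tuple(w for frame in stack for w in frame) + tuple(words))
            words = []
        else:
            words.append(tok)
    if stack:
        raise ValueError("unclosed '{'")
    return paths


# (rule id, required path prefix, required path suffix); ids are example names.
LEAF_RULES = [
    ("ike-dh-group1", ("security", "ike", "proposal"), ("dh-group", "group1")),
    ("ike-md5", ("security", "ike", "proposal"), ("authentication-algorithm", "md5")),
    ("ipsec-hmac-md5", ("security", "ipsec", "proposal"),
     ("authentication-algorithm", "hmac-md5-96")),
    ("default-permit-all", ("security", "policies", "default-policy"), ("permit-all",)),
    ("untrust-host-inbound-all", ("security", "zones", "security-zone", "untrust"),
     ("host-inbound-traffic", "system-services", "all")),
]


def open_policies(paths):
    """Return (from-zone, to-zone, policy) for policies that permit any/any/any."""
    seen = {}
    for p in paths:
        if p[:3] == ("security", "policies", "from-zone") and len(p) > 8 and p[6] == "policy":
            seen.setdefault((p[3], p[5], p[7]), set()).add(p[8:])
    need = {("match", "source-address", "any"), ("match", "destination-address", "any"),
            ("match", "application", "any"), ("then", "permit")}
    return sorted(key for key, stmts in seen.items() if need <= stmts)


def audit(text):
    """Return (rule id, location) pairs for every active statement a rule matches."""
    paths = to_paths(text)
    findings = []
    for rule_id, prefix, suffix in LEAF_RULES:
        for p in paths:
            if p[:len(prefix)] == prefix and p[-len(suffix):] == suffix:
                findings.append((rule_id, " ".join(p)))
    for src, dst, name in open_policies(paths):
        findings.append(("policy-any-any-permit", f"{src} -> {dst}: {name}"))
    return findings


if __name__ == "__main__":
    for rule_id, where in audit(SAMPLE):
        print(f"{rule_id:26} {where}")
```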

2.2. Large Branch EX3300 Access Switch

The following configuration was used on the EX3300-C and EX3000-D access layer switches:

system { host-name Branch_Access_EXVC_A; domain-name uc.com; time-zone America/New_York; root-authentication { encrypted-password "$1$FlEzP.j2$56SqrNYoQihfpc5nvYUOm0"; ## SECRET-DATA } name-server { 172.28.113.111; 172.28.114.111; } login { user soleng { uid 2001; class super-user; authentication { encrypted-password "$1$E.Ffk769$E6KdMHYyei7PfefKM9uZ60"; ## SECRET-DATA } } } services { ssh { root-login allow; } telnet; web-management { http; } } syslog { user * { any emergency; } file messages { any notice;


authorization info; } file interactive-commands { interactive-commands any; } } commit synchronize; ntp { server 172.28.113.111; server 172.28.114.111; } } chassis { aggregated-devices { ethernet { device-count 2; } } } interfaces { interface-range VoicePorts { member ge-1/0/45; member-range ge-0/0/6 to ge-0/0/7; member-range ge-1/0/6 to ge-1/0/7; unit 0 { family ethernet-switching { vlan { members vVoice1; } filter { input UC; } } } } interface-range DualPorts { member-range ge-0/0/1 to ge-0/0/3; member-range ge-1/0/1 to ge-1/0/3; unit 0 { family ethernet-switching { port-mode access; vlan { members vVoice1; } filter { input UC; } } } } inactive: interface-range DataPorts { member-range ge-0/0/4 to ge-0/0/5; member-range ge-1/0/4 to ge-1/0/5; unit 0 { family ethernet-switching {


port-mode access; vlan { members v199; } filter { input UC; } } } } ge-0/0/0 { unit 0 { family ethernet-switching { port-mode access; vlan { members vlan40; } } } } ge-0/0/4 { unit 0 { family ethernet-switching; } } ge-0/0/12 { description WLC471-D; unit 0 { description "Used for Wireless Connections"; family ethernet-switching { port-mode access; vlan { members 217; } } } } ge-0/0/13 { description WLA471-D; unit 0 { family ethernet-switching { port-mode trunk; vlan { members [ 216 217 218 221 ]; } } } } ge-0/0/14 { unit 0 { family ethernet-switching { port-mode access; vlan { members 217; }


} } }

} ge-0/0/40 { description "SRX240-Branch ge-0/0/13"; unit 0 { family ethernet-switching { port-mode access; vlan { members 997; } } } } ge-0/0/41 { description "SRX240-Branch ge-0/0/14"; unit 0 { family ethernet-switching { port-mode access; vlan { members 996; } } } } ge-0/0/46 { description "SRX240-A ge-0/0/2"; ether-options { 802.3ad ae0; } } ge-0/0/47 { description "SRX240-B ge-0/0/2"; ether-options { 802.3ad ae1; } } ge-1/0/10 { unit 0 { family ethernet-switching { vlan { members vlan62; } } } } ge-1/0/12 { description WLC471-C; unit 0 { family ethernet-switching { port-mode access; vlan { members 217;


} } } } ge-1/0/13 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [ 217 216 218 ]; } } } } ge-1/0/45 { unit 0 { family ethernet-switching { port-mode trunk; } } } ge-1/0/46 { description "SRX240-B ge-0/0/2"; ether-options { 802.3ad ae0; } } ge-1/0/47 { description "SRX240-B ge-0/0/3"; ether-options { 802.3ad ae1; } } ae0 { aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { port-mode trunk; vlan { members all; } filter { input UC; } } } } ae1 { aggregated-ether-options { lacp { active;


} } unit 0 { family ethernet-switching { port-mode trunk; vlan { members all; } filter { input UC; } } } } lo0 { unit 0 { family inet { address 1.1.1.1/32; } } } vlan { unit 40 { family inet { address 10.64.40.253/24; } } unit 62 { family inet { address 192.168.62.133/24; } } unit 199 { family inet { address 192.168.199.1/24; } } unit 216 { family inet { address 192.168.216.253/24; } } unit 217 { family inet { address 192.168.217.253/24; } } unit 218 { family inet { address 192.168.218.253/24; } } unit 221 { family inet { address 192.168.221.253/24;


} } unit 222 { family inet { address 192.168.222.253/24; } } unit 223 { family inet { address 192.168.223.253/24; } } } vme { unit 0 { family inet { address 172.28.114.84/24; } } } } routing-options { static { route 0.0.0.0/0 next-hop 192.168.221.1; } } protocols { lacp { traceoptions { flag all; } } igmp-snooping { vlan all; } rstp; lldp { interface all; } lldp-med { fast-start 1; interface all { location { elin 4085109824; } } } } class-of-service { classifiers { dscp ezqos-dscp-classifier { import default; forwarding-class ezqos-voice-fc { loss-priority low code-points 101110;


} forwarding-class ezqos-control-fc { loss-priority low code-points 100000; loss-priority high code-points 110000; } forwarding-class ezqos-video-fc { loss-priority low code-points [ 100010 001010 ]; loss-priority high code-points [ 100100 100110 ]; } forwarding-class ezqos-busapp-fc { loss-priority low code-points [ 010010 010100 ]; loss-priority high code-points 010110; } } } forwarding-classes { class ezqos-best-effort queue-num 0; class ezqos-video-fc queue-num 2; class ezqos-voice-fc queue-num 7; class ezqos-control-fc queue-num 4; class ezqos-busapp-fc queue-num 3; } interfaces { ge-0/0/0 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ge-0/0/1 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ge-0/0/2 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } }


} ge-0/0/3 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ge-0/0/4 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ge-0/0/5 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ge-0/0/6 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ge-0/0/7 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } }


} ge-1/0/0 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ge-1/0/1 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ge-1/0/2 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ge-1/0/3 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ge-1/0/4 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } }


} ge-1/0/5 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ge-1/0/6 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ge-1/0/7 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ae0 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } ae1 { scheduler-map ezqos-voip-sched-maps; unit 0 { classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } }


} } rewrite-rules { dscp Rewrite-Rules { import default; forwarding-class ezqos-voice-fc { loss-priority low code-point 101110; } forwarding-class ezqos-control-fc { loss-priority low code-point 100000; loss-priority high code-point 110000; } forwarding-class ezqos-video-fc { loss-priority low code-point 001010; loss-priority high code-point 100100; } forwarding-class ezqos-busapp-fc { loss-priority high code-point 010110; loss-priority low code-point 010010; } } } scheduler-maps { ezqos-voip-sched-maps { forwarding-class ezqos-voice-fc scheduler ezqos-voice-scheduler; forwarding-class ezqos-control-fc scheduler ezqos-control-scheduler; forwarding-class ezqos-video-fc scheduler ezqos-video-scheduler; forwarding-class ezqos-best-effort scheduler ezqos-data-scheduler; forwarding-class ezqos-busapp-fc scheduler ezqos-busapp-scheduler; } } schedulers { ezqos-voice-scheduler { buffer-size percent 5; priority strict-high; } ezqos-control-scheduler { buffer-size percent 5; priority low; } ezqos-video-scheduler { transmit-rate percent 70; buffer-size percent 20; priority low; } ezqos-data-scheduler { transmit-rate remainder; buffer-size { remainder; } priority low; }


ezqos-busapp-scheduler { transmit-rate percent 20; buffer-size percent 20; priority low; } } } firewall { family ethernet-switching { filter UC { term 1 { from { dscp ef; } then { accept; forwarding-class ezqos-voice-fc; loss-priority low; } } term 2 { from { dscp af11; } then { accept; forwarding-class ezqos-video-fc; loss-priority low; } } term 3 { from { precedence [ net-control internet-control ]; } then { accept; forwarding-class ezqos-control-fc; loss-priority low; } } term 4 { from { destination-port [ 5060 5061 5070 ]; } then { accept; forwarding-class ezqos-busapp-fc; loss-priority low; } } term 5 { then { accept; forwarding-class ezqos-best-effort; loss-priority low;


} } } } } ethernet-switching-options { voip { interface DualPorts { vlan vVoice1; } } storm-control { interface all; } } vlans { vData1 { description Data_Network; vlan-id 221; interface { ge-1/0/45.0; } l3-interface vlan.221; } vGuest1 { description WLC_Network; vlan-id 223; l3-interface vlan.223; } vVoice1 { description Voice_Network; vlan-id 222; interface { ge-1/0/45.0; } l3-interface vlan.222; } vWWData1 { description "Wireless Guest LAN"; vlan-id 216; l3-interface vlan.216; } vWWGuest1 { description "Wireless Guest LAN"; vlan-id 218; l3-interface vlan.218; } vWWVoice1 { description "Wireless Voice LAN"; vlan-id 217; l3-interface vlan.217; } vlan40 { vlan-id 40; l3-interface vlan.40;


} vlan62 { vlan-id 62; l3-interface vlan.62; } } poe { management class; interface all; } virtual-chassis { member 0 { mastership-priority 255; } member 1 { mastership-priority 1; } fast-failover { xe; } }

2.3. Large Branch WLC800R Wireless Controller

The following configuration was used on the WLC800R-Branch Wireless Controller device. A mobility domain was configured with the WLC800R-Campus device for additional resiliency.

# Image 7.6.2.3.0
# Model MX-800R
set ip route default 192.168.217.1 1
set system name WLC800-Branch
set system ip-address 192.168.217.5
set system countrycode US
set timezone PST -8 00
set service-profile branch-voice ssid-name br-voice
set service-profile branch-voice ssid-type clear
set service-profile branch-voice auth-fallthru last-resort
set service-profile branch-voice 11n mode-ng disable
set service-profile branch-voice wpa-ie auth-dot1x disable
set service-profile branch-voice rsn-ie auth-dot1x disable
set service-profile branch-voice attr vlan-name voice
set radio-profile default service-profile branch-voice
set radio-profile uc
set radio-profile uc dtim-interval 2
set radio-profile uc auto-tune channel-config disable
set radio-profile uc rf-scanning channel-scope operating
set radio-profile uc wmm-powersave enable
set radio-profile uc cac video mode enable
set radio-profile uc cac voice mode enable
set radio-profile uc cac best-effort max-utilization 30
set radio-profile uc cac video max-utilization 30
set radio-profile uc cac voice max-utilization 50
set radio-profile uc service-profile branch-voice


set vlan-profile uc vlan voice tag 217
set ap auto mode enable
set ap 1 serial-id 0971100858 model MP-422A
set ap 1 name WLA471-D
set ap 1 fingerprint e3:64:2f:af:36:a5:f1:93:3e:00:fa:7d:6c:36:7a:c2
set ap 1 radio 1 radio-profile uc channel 2 mode enable
set ap 1 radio 2 radio-profile uc mode enable
set ap 2 serial-id 0971100864 model MP-422A
set ap 2 name WLC471-C
set ap 2 fingerprint d4:b6:c1:4a:ff:20:62:4c:b0:2b:07:7c:b7:b7:a5:4a
set ap 2 radio 1 radio-profile uc channel 4 mode enable
set ap 2 radio 2 radio-profile uc
set vlan 217 name voice
set vlan 217 port 2 tag 217
set interface 217 ip 192.168.217.5 255.255.255.0
set mobility-domain mode member seed-ip 192.168.62.5

3. Configuring Juniper Simply Connected [Small Branch]

In the Small Branch location, a single Juniper SRX210 device provides Security, IPSec Termination, LAN and WAN Routing and local PoE-Enabled Switching as an all-in-one-box solution for small branch offices. The following diagram illustrates the architecture of Juniper Networks Simply Small Branch.

Figure 5 – Small Branch Architecture


3.1. Configure Juniper SRX210 Services Gateway

The following configuration was used on the SRX210-A Services Gateway for the Small Branch:

system { host-name SmallBranch-SRX240; domain-name uc.com; root-authentication { encrypted-password "$1$ziuLTzl.$2YgsxI.Lam8stKGyxOjFb1"; ## SECRET-DATA } name-server { 208.67.222.222; 208.67.220.220; } services { ssh; telnet; web-management { http { interface vlan.0; } https { system-generated-certificate; interface vlan.0; } } dhcp { option 242 string MCIPADD=10.64.41.21,HTTPSSRVR=10.64.40.12,L2QVLAN=0; pool 192.168.232.0/24 { address-range low 192.168.232.10 high 192.168.232.100; router { 192.168.232.1; } } pool 192.168.233.0/24 { address-range low 192.168.233.10 high 192.168.233.100; router { 192.168.233.1; } } pool 192.168.234.0/24 { address-range low 192.168.234.10 high 192.168.234.100; router { 192.168.234.1; } } }


} syslog { archive size 100k files 3; user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } } interfaces { ge-0/0/0 { description "WLC471-C Connection to port 1"; unit 0 { family ethernet-switching { vlan { members vlan-voice; } } } } ge-0/0/1 { unit 0 { family ethernet-switching { vlan { members vlan-voice; } } } } fe-0/0/2 { unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } fe-0/0/3 { unit 0 { family ethernet-switching { vlan {


members vlan-trust; } } } } fe-0/0/4 { unit 0 { family ethernet-switching { port-mode access; vlan { members vlan-trust; } } } } fe-0/0/5 { unit 0 { family ethernet-switching { port-mode access; vlan { members vlan-trust; } } } } fe-0/0/6 { description "To EX3300-A ge-0/0/40"; per-unit-scheduler; unit 0 { family inet { address 192.168.2.134/30; } } } fe-0/0/7 { description "To EX3300-A ge-0/0/41"; per-unit-scheduler; unit 0 { family inet { address 192.168.2.234/30; } } } lo0 { unit 0 { family inet { address 127.0.0.1/32; } } } st0 { unit 216 { description "Primary VPN to Campus"; family inet { address 192.168.92.1/30;


} } unit 236 { description "Primary VPN to Branch"; family inet { address 192.168.90.2/30; } } unit 2160 { description "Secondary VPN to Campus"; family inet { address 192.168.92.5/30; } } unit 2360 { description "Secondary VPN to Branch"; family inet { address 192.168.91.2/30; } } } vlan { per-unit-scheduler; unit 232 { description UserVLAN; family inet { filter { input UC; } address 192.168.232.1/24; } } unit 233 { description VoiceVLAN; family inet { filter { input UC; } address 192.168.233.1/24; } } unit 234 { description "WiFi Phone VLAN"; family inet { filter { input UC; } address 192.168.234.1/24; } } } } routing-options { static { inactive: route 0.0.0.0/0 {


next-hop 192.168.2.133; qualified-next-hop 192.168.2.233 { metric 20; } } route 192.168.216.0/21 { qualified-next-hop st0.236; qualified-next-hop st0.2360; } route 192.168.2.226/32 next-hop 192.168.2.233; route 192.168.2.126/32 next-hop 192.168.2.133; route 192.168.0.0/17 { qualified-next-hop st0.216; qualified-next-hop st0.2160; } route 192.168.2.0/30 next-hop 192.168.2.233; route 192.168.2.4/30 next-hop 192.168.2.133; route 10.64.40.0/24 { qualified-next-hop st0.236; qualified-next-hop st0.2360; } route 10.64.41.0/24 { qualified-next-hop st0.216; qualified-next-hop st0.2160; } } } protocols { lldp { interface all; } lldp-med { fast-start 1; interface all; interface ge-0/0/2.0 { location { elin 4089363003; } } interface ge-0/0/3.0 { location { elin 4089363004; } } } rstp; } class-of-service { classifiers { dscp ezqos-dscp-classifier { import default; forwarding-class ezqos-voice-fc { loss-priority low code-points 101110; } forwarding-class ezqos-control-fc {


loss-priority low code-points 100000; loss-priority high code-points 110000; } forwarding-class ezqos-video-fc { loss-priority low code-points [ 100010 001010 ]; loss-priority high code-points [ 100100 100110 ]; } forwarding-class ezqos-busapp-fc { loss-priority low code-points [ 010010 010100 ]; loss-priority high code-points 010110; } } } forwarding-classes { queue 0 ezqos-best-effort priority low; queue 2 ezqos-video-fc priority high; queue 1 ezqos-voice-fc priority high; queue 7 ezqos-control-fc priority high; queue 3 ezqos-busapp-fc priority low; } interfaces { fe-0/0/6 { unit 0 { scheduler-map ezqos-voip-sched-maps; classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } fe-0/0/7 { unit 0 { scheduler-map ezqos-voip-sched-maps; classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } vlan { unit 232 { scheduler-map ezqos-voip-sched-maps; classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } unit 233 { scheduler-map ezqos-voip-sched-maps;


classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } unit 234 { scheduler-map ezqos-voip-sched-maps; classifiers { dscp ezqos-dscp-classifier; } rewrite-rules { dscp Rewrite-Rules; } } } } rewrite-rules { dscp Rewrite-Rules { import default; forwarding-class ezqos-voice-fc { loss-priority low code-point 101110; } forwarding-class ezqos-control-fc { loss-priority low code-point 100000; loss-priority high code-point 110000; } forwarding-class ezqos-video-fc { loss-priority low code-point 001010; loss-priority high code-point 100100; } forwarding-class ezqos-busapp-fc { loss-priority high code-point 010110; loss-priority low code-point 010010; } } } scheduler-maps { ezqos-voip-sched-maps { forwarding-class ezqos-voice-fc scheduler ezqos-voice-scheduler; forwarding-class ezqos-control-fc scheduler ezqos-control-scheduler; forwarding-class ezqos-video-fc scheduler ezqos-video-scheduler; forwarding-class ezqos-best-effort scheduler ezqos-data-scheduler; forwarding-class ezqos-busapp-fc scheduler ezqos-busapp-scheduler; } } schedulers { ezqos-voice-scheduler { buffer-size percent 5; priority strict-high; }


ezqos-control-scheduler { buffer-size percent 5; priority high; } ezqos-video-scheduler { transmit-rate percent 70; buffer-size percent 20; priority medium-high; } ezqos-data-scheduler { transmit-rate remainder; buffer-size { remainder; } priority low; } ezqos-busapp-scheduler { transmit-rate percent 20; buffer-size percent 20; priority medium-low; } } } security { ike { traceoptions { file ike.log; flag all; } proposal UniSvces-Prop { authentication-method pre-shared-keys; dh-group group1; authentication-algorithm md5; encryption-algorithm aes-128-cbc; lifetime-seconds 86400; } policy ike-policy1 { mode main; proposals UniSvces-Prop; pre-shared-key ascii-text "$9$yQ4lWL7-VY4aN-.PTz6/"; ## SECRET-DATA } gateway gw-Branch1 { ike-policy ike-policy1; address 192.168.2.126; external-interface fe-0/0/6; version v1-only; } gateway gw-Branch2 { ike-policy ike-policy1; address 192.168.2.226; external-interface fe-0/0/7; version v1-only; } gateway gw-Campus1 {

            ike-policy ike-policy1;
            address 192.168.2.2;
            external-interface fe-0/0/7;
            version v1-only;
        }
        gateway gw-Campus2 {
            ike-policy ike-policy1;
            address 192.168.2.6;
            external-interface fe-0/0/6;
            version v1-only;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 2;
            threshold 2;
        }
        proposal UnifSvcesIPsecProp {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm aes-128-cbc;
        }
        policy vpn-policy {
            proposals UnifSvcesIPsecProp;
        }
        vpn VPN-Branch1 {
            bind-interface st0.236;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway gw-Branch1;
                proxy-identity {
                    local 192.168.232.0/22;
                    remote 192.168.216.0/21;
                    service any;
                }
                ipsec-policy vpn-policy;
            }
            establish-tunnels immediately;
        }
        vpn VPN-Branch2 {
            bind-interface st0.2360;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway gw-Branch2;
                proxy-identity {
                    local 192.168.232.0/22;
                    remote 192.168.216.0/21;
                    service any;
                }
                ipsec-policy vpn-policy;
            }

            establish-tunnels immediately;
        }
        vpn VPN-Campus1 {
            bind-interface st0.216;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway gw-Campus1;
                proxy-identity {
                    local 192.168.232.0/22;
                    remote 192.168.0.0/27;
                    service any;
                }
                ipsec-policy vpn-policy;
            }
            establish-tunnels immediately;
        }
        vpn VPN-Campus2 {
            bind-interface st0.2160;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway gw-Campus2;
                proxy-identity {
                    local 192.168.232.0/22;
                    remote 192.168.0.0/17;
                    service any;
                }
                ipsec-policy vpn-policy;
            }
            establish-tunnels immediately;
        }
    }
    alg {
        h323 disable;
        sip disable;
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }

            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;

                }
            }
            interfaces {
                vlan.232;
                vlan.233;
                vlan.234;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                    ssh;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/6.0;
                fe-0/0/7.0;
            }
        }
        security-zone VPN {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.236;
                st0.2360;
                st0.216;
                st0.2160;
            }
        }
    }
}
firewall {
    filter UC {
        term 1 {
            from {
                dscp ef;
            }
            then {
                count RTP-with-DSCP-46;
                accept;
            }
        }
        term 2 {

            from {
                protocol tcp;
                port [ 5061 5060 ];
            }
            then {
                count SIPTLS-Port-5061;
                accept;
            }
        }
        term 3 {
            from {
                dscp [ af11 af41 ];
            }
            then {
                count RTP-with-AF11;
                accept;
            }
        }
        term 4 {
            from {
                protocol 50;
            }
            then {
                count ESP-Traffic;
                forwarding-class ezqos-control-fc;
                accept;
            }
        }
        term 5 {
            then accept;
        }
    }
}
poe {
    interface all;
}
ethernet-switching-options {
    voip {
        interface access-ports {
            vlan vlan-voice;
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 232;
        l3-interface vlan.232;
    }
    vlan-voice {
        description VoiceVLAN;
        vlan-id 233;
        l3-interface vlan.233;
    }
    vlan-wifi {
        vlan-id 234;

        l3-interface vlan.234;
    }
}
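
The IKE proposal above negotiates dh-group group1 with md5, the IPsec proposal uses hmac-md5-96, and the default security policy is permit-all; these are the statements to review before this lab configuration is reused elsewhere. The following Python check is an added example, not part of the Application Notes or of Junos: it walks a Junos configuration and reports such statements with their hierarchy path. The rule list, the function names and the embedded excerpt (with a placeholder key) are assumptions of this example.

```python
import re

# Review rules are assumptions of this example, not a Juniper or Avaya list.
RULES = [
    (re.compile(r"dh-group group[125]$"), "DH group smaller than 2048 bits"),
    (re.compile(r"authentication-algorithm (md5|hmac-md5-96)$"), "MD5-based authentication"),
    (re.compile(r"permit-all$"), "default policy permits all traffic"),
]

def walk(config):
    """Yield (hierarchy path, statement) for each leaf statement of a Junos config."""
    path, buf, quoted = [], [], False
    for ch in re.sub(r"##[^\n]*", "", config):   # drop annotations like ## SECRET-DATA
        if ch == '"':
            quoted = not quoted
        if quoted or ch not in "{};":             # braces inside quotes are data
            buf.append(ch)
            continue
        text, buf = " ".join("".join(buf).split()), []
        if ch == "{":
            path.append(text)
        elif ch == "}" and path:
            path.pop()
        elif ch == ";" and text:
            yield " > ".join(path), text

def audit(config):
    return [(path, stmt, why) for path, stmt in walk(config)
            for rule, why in RULES if rule.match(stmt)]

# Constructed excerpt of the configuration above; the key is a placeholder.
SAMPLE = """
security {
    ike {
        proposal UniSvces-Prop {
            dh-group group1;
            authentication-algorithm md5;
        }
        policy ike-policy1 {
            pre-shared-key ascii-text "PLACEHOLDER;{}"; ## SECRET-DATA
        }
    }
    ipsec {
        proposal UnifSvcesIPsecProp { authentication-algorithm hmac-md5-96; }
    }
    policies {
        default-policy { permit-all; }
    }
}
"""
print(*audit(SAMPLE), sep="\n")
```

Each finding carries the full path, so a proposal shared by several gateways is reported once, at the place where it has to be changed.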

4. Validation Commands

Note: The screens shown in this section are samples only.

To show the JunOS DHCP server bindings (DHCP leases), issue the following command:

root@SOHO_SRX_A> show system services dhcp bindings

To show the PoE controller status and how much power is currently being consumed, issue the following command:

root@SOHO_SRX_A> show poe controller
Controller  Maximum   Power         Guard   Management  Status
index       power     consumption   band
0           150.0 W   13.5 W        0 W     Class

To show the PoE ports in use, their power consumption and the class of each device, issue the following command:

root@SOHO_SRX_A> show poe interface
Interface   Admin status  Oper status  Max power  Priority  Power consumption  Class
ge-0/0/0    Enabled       Searching    15.4W      Low       0.0W               0
ge-0/0/1    Enabled       Searching    15.4W      Low       0.0W               0
ge-0/0/2    Enabled       Powered-up   15.4W      Low       2.7W               2
ge-0/0/3    Enabled       Powered-up   15.4W      Low       6.1W               0
ge-0/0/4    Enabled       Searching    15.4W      Low       0.0W               0
ge-0/0/5    Enabled       Searching    15.4W      Low       0.0W               0
ge-0/0/6    Enabled       Searching    15.4W      Low       0.0W               0
ge-0/0/7    Enabled       Searching    15.4W      Low       0.0W               0
ge-0/0/8    Enabled       Searching    15.4W      Low       0.0W               0
ge-0/0/9    Enabled       Searching    15.4W      Low       0.0W               0
ge-0/0/10   Enabled       Searching    15.4W      Low       0.0W               0
ge-0/0/11   Enabled       Searching    15.4W      Low       0.0W               0
ge-0/0/12   Enabled       Searching    15.4W      Low       0.0W               0
ge-0/0/13   Enabled       Searching    15.4W      Low       0.0W               0
ge-0/0/14   Enabled       Searching    15.4W      Low       0.0W               0
ge-0/0/15   Enabled       Powered-up   15.4W      Low       4.7W               3

4.1. Validating LLDP

To show the LLDP neighbors discovered on the access-layer device, issue the following show command:

root@SOHO_SRX_A> show lldp neighbors
Local Interface  Parent Interface  Chassis Id         Port info          System Name
ge-0/0/0.0       -                 00:1f:12:31:fc:80  ge-0/0/33.0        WF-SolEng-MGMT-VC-J
ge-0/0/14.0      -                 b0:c6:9a:63:50:c0  ge-0/0/4.0         Inet_Router
ge-0/0/2.0       -                 192.168.233.100    00:1b:9e:fe:41:8d
ge-0/0/3.0       -                 192.168.233.102    1                  Polycom VVX 1500

To show the details of an LLDP neighbor, use this command:

root@SOHO_SRX_A> show lldp neighbors interface ge-0/0/2.0
LLDP Neighbor Information:
Local Information:
Index: 11 Time to live: 3600 Time mark: Tue Jan 24 23:11:43 2012 Age: 856 secs
Local Interface    : ge-0/0/2.0
Parent Interface   : -
Local Port ID      : 538
Ageout Count       : 1

Neighbour Information:
Chassis type       : Network address
Chassis ID         : 192.168.233.100
Port type          : Mac address
Port ID            : 00:1b:9e:fe:41:8d

System capabilities
        Supported  : Telephone
        Enabled    : Telephone
Media endpoint class: Class III Device

To show the details of an LLDP neighbor, use this command:

root@SOHO_SRX_A> show lldp neighbors interface ge-0/0/3.0
LLDP Neighbor Information:
Local Information:
Index: 12 Time to live: 120 Time mark: Tue Jan 24 23:26:02 2012 Age: 5 secs
Local Interface    : ge-0/0/3.0
Parent Interface   : -
Local Port ID      : 539
Ageout Count       : 4

Neighbour Information:
Chassis type       : Network address
Chassis ID         : 192.168.233.102
Port type          : Mac address
Port ID            : 00:04:f2:be:c8:20
Port description   : 1
System name        : Polycom VVX 1500

System Description : Polycom;VVX-VVX_1500;2345-17960-001,6;SIP/4.0.1.13681/29-Nov-11 16:51;UP/5.0.1.11086/29-Nov-11 17:16;

System capabilities
        Supported  : Bridge Telephone
        Enabled    : Telephone

Management Info
        Type              : IPv4
        Address           : 192.168.233.102
        Port ID           : 0
        Subtype           : 1
        Interface Subtype : Unknown(1)
        OID               : 1.3.6.1.2.1.31.1.1.1.1.0
Media endpoint class: Class III Device

MED Hardware revision  : 2345-17960-001,6
MED Firmware revision  : UP/5.0.1.11086/29-Nov-11 17:16
MED Software revision  : SIP/4.0.1.13681/29-Nov-11 16:51
MED Serial number      : 0004f2bec820
MED Manufacturer name  : Polycom
MED Model name         : VVX-VVX_1500

root@SOHO_SRX_A> show lldp statistics
Interface    Parent Interface  Received  Unknown TLVs  With Errors  Discarded TLVs  Transmitted  Untransmitted
ge-0/0/0.0   -                 23462     0             0            0               23464        0
ge-0/0/2.0   -                 791       0             0            0               28865        0
ge-0/0/3.0   -                 23477     0             0            23472           27988        0
ge-0/0/14.0  -                 25374     0             0            0               23464        0
ge-0/0/15.0  -                 0         0             0            0               27506        0

4.2. Validating QoS

The following shows the counter statistics for the UC firewall filter (UC). You can use this to determine whether voice, video and SIP traffic is being marked correctly.

root@SOHO_SRX_A> show firewall

Filter: UC
Counters:
Name                Bytes      Packets
ESP-Traffic         25240536   111990
RTP-with-AF11       1019273    841
RTP-with-DSCP-46    143982     714
SIPTLS-Port-5061    6503036    15464

The following command shows the statistics for interface queues. Run it on an egress interface, such as the WAN-facing interface, to validate that traffic is being assigned to the right queues and forwarding classes. When testing, first clear the statistics, send some traffic, and verify that the appropriate counters increase for each queue.

root@SOHO_SRX_A> show interfaces queue ge-0/0/14
Physical interface: ge-0/0/14, Enabled, Physical link is Up
  Interface index: 148, SNMP ifIndex: 508
  Description: MPLS Uplink
Forwarding classes: 8 supported, 5 in use
Egress queues: 8 supported, 5 in use
Queue: 0, Forwarding classes: ezqos-best-effort
  Queued:
    Packets              :     230353        1 pps
    Bytes                :   47777310     3984 bps
  Transmitted:
    Packets              :     230353        1 pps
    Bytes                :   47777310     3984 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 1, Forwarding classes: ezqos-voice-fc
  Queued:
    Packets              :       9799        0 pps
    Bytes                :    2410858        0 bps
  Transmitted:
    Packets              :       9799        0 pps
    Bytes                :    2410858        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 2, Forwarding classes: ezqos-video-fc
  Queued:
    Packets              :      28458        0 pps
    Bytes                :   21128556        0 bps
  Transmitted:
    Packets              :      28458        0 pps
    Bytes                :   21128556        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 3, Forwarding classes: ezqos-busapp-fc
  Queued:
    Packets              :      20478        0 pps
    Bytes                :    4570996        0 bps
  Transmitted:
    Packets              :      20478        0 pps
    Bytes                :    4570996        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 7, Forwarding classes: ezqos-control-fc
  Queued:
    Packets              :      58109        0 pps
    Bytes                :    9643406        0 bps
  Transmitted:
    Packets              :      58109        0 pps
    Bytes                :    9643406        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
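
The clear, send and verify procedure described above can be scripted. The following Python is an added example, not part of the Application Notes: it parses two captures of the show interfaces queue output and reports forwarding classes whose transmitted counter did not increase or that dropped packets. The function names and the constructed sample captures are assumptions of this example.

```python
import re

QUEUE_RE = re.compile(r"Queue:\s*(\d+),\s*Forwarding classes:\s*(\S+)")
FIELD_RE = re.compile(r"\s*(Packets|Tail-dropped packets|RED-dropped packets)\s*:\s*(\d+)")

def parse_queues(text):
    """Return {forwarding_class: {'queued', 'transmitted', 'dropped'}} packet counts."""
    stats, fc, section = {}, None, None
    for line in text.splitlines():
        m = QUEUE_RE.search(line)
        if m:
            fc, section = m.group(2), None
            stats[fc] = {"queued": 0, "transmitted": 0, "dropped": 0}
        elif line.strip() in ("Queued:", "Transmitted:"):
            section = line.strip()[:-1].lower()
        elif fc and (m := FIELD_RE.match(line)):
            if m.group(1) != "Packets":
                stats[fc]["dropped"] += int(m.group(2))
            elif section:
                stats[fc][section] = int(m.group(2))
    return stats

def verify(before, after, expected):
    """Compare two captures; `expected` lists the classes the test traffic should hit."""
    old, new, problems = parse_queues(before), parse_queues(after), []
    zero = {"transmitted": 0, "dropped": 0}
    for fc in expected:
        if fc not in new:
            problems.append(f"{fc}: not present on this interface")
            continue
        base = old.get(fc, zero)
        if new[fc]["transmitted"] - base["transmitted"] <= 0:
            problems.append(f"{fc}: transmitted counter did not increase")
        if new[fc]["dropped"] - base["dropped"] > 0:
            problems.append(f"{fc}: {new[fc]['dropped'] - base['dropped']} packets dropped")
    return problems

def capture(counts):
    """Build a constructed capture from (class, queued, tail_dropped) tuples."""
    return "\n".join(
        f"Queue: {q}, Forwarding classes: {fc}\n  Queued:\n    Packets : {n} 0 pps\n"
        f"  Transmitted:\n    Packets : {n - d} 0 pps\n"
        f"    Tail-dropped packets : {d} 0 pps\n    RED-dropped packets : 0 0 pps"
        for q, (fc, n, d) in enumerate(counts))

CLASSES = ["ezqos-best-effort", "ezqos-voice-fc", "ezqos-video-fc"]
BEFORE = capture([(fc, 0, 0) for fc in CLASSES])              # just after clearing
AFTER = capture(zip(CLASSES, [900, 0, 500], [0, 0, 20]))      # voice landed in best-effort
print(verify(BEFORE, AFTER, ["ezqos-voice-fc", "ezqos-video-fc"]))
```

In the constructed captures the voice test traffic was counted in ezqos-best-effort, which is what a missing or wrong DSCP marking looks like at the egress queue.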

The following commands can be used to validate active routes for a device.

root@SOHO_SRX_A> show route

inet.0: 25 destinations, 29 routes (25 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          [Access-internal/12] 00:00:40
                    > to 192.168.30.1 via ge-0/0/15.0
10.1.0.0/16        *[Static/5] 1w0d 01:37:30
                    > via st0.232
10.1.31.0/25       *[Static/5] 1w0d 01:37:30
                    > via st0.232
                    [Static/5] 1w0d 01:37:30, metric 10
                    > via st0.332
10.1.31.128/25     *[Static/5] 1w0d 01:37:30
                    > via st0.332
                    [Static/5] 1w0d 01:37:30, metric 10
                    > via st0.232
192.168.0.0/16     *[Static/5] 1w0d 01:37:30
                    > via st0.232
                    [Static/5] 1w0d 01:37:30, metric 10
                    > via st0.332
192.168.2.0/24     *[Static/5] 1w1d 03:37:29
                    > to 192.168.2.233 via ge-0/0/14.0
192.168.2.232/30   *[Direct/0] 1w1d 03:37:29
                    > via ge-0/0/14.0
192.168.2.234/32   *[Local/0] 1w1d 03:37:42
                      Local via ge-0/0/14.0
192.168.5.232/32   *[Direct/0] 1w1d 03:38:34
                    > via lo0.0
192.168.30.0/24    *[Direct/0] 1w1d 03:10:56
                    > via ge-0/0/15.0
192.168.30.199/32  *[Local/0] 1w1d 03:10:56
                      Local via ge-0/0/15.0
192.168.90.1/32    *[Local/0] 1w1d 03:37:52
                      Reject
192.168.90.232/30  *[Direct/0] 1w0d 01:37:30
                    > via st0.232
192.168.90.234/32  *[Local/0] 1w1d 03:37:53
                      Local via st0.232
192.168.91.1/32    *[Local/0] 1w1d 03:37:52
                      Reject
192.168.91.232/30  *[Direct/0] 1w0d 01:37:30
                    > via st0.332
192.168.91.234/32  *[Local/0] 1w1d 03:37:52
                      Local via st0.332
192.168.232.0/24   *[Direct/0] 1w1d 03:37:29
                    > via vlan.232
192.168.232.1/32   *[Local/0] 1w1d 03:37:52
                      Local via vlan.232
192.168.233.0/24   *[Direct/0] 1w1d 03:37:29
                    > via vlan.233
192.168.233.1/32   *[Local/0] 1w1d 03:37:52
                      Local via vlan.233

©2012 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya DevConnect Program at [email protected].
