Channel: Ethernet Switching topics

multicast & lsi interface


I'm having trouble following a multicast stream once "show multicast route instance XXX group xxx.xxx.xxx.xxx" shows an lsi interface as the upstream interface. Please help me understand how to continue to trace the multicast tree/stream once the lsi interface is seen in the output. Below is the output of my show command.

 

Thanks in advance for help on this!!!

 

sturner@111-P1-CNR03-RE0> show multicast route instance BOVESPA-csp group 233.252.9.89

Instance: BOVESPA-csp Family: INET

 

Group: 233.252.9.89/32
      Source: *
      Upstream interface: lsi.1
     Downstream interface list:
               et-0/2/1.53

 

Group: 233.252.9.89
        Source: 177.54.210.57/32
        Upstream interface: lsi.1
        Downstream interface list:
                  et-0/2/1.53

{master}
sturner@111-P1-CNR03-RE0>


Jumbo frames between vlans


We have two EX4500s in a virtual chassis setup

We have two vlans that both have routed vlan interfaces

We would like to be able to route between these two vlans using jumbo frames

Can this be done and if so how?

 

We do have the MTU set to 9216 for the interfaces that make up the vlan. Here is how the vlan is configured; notice the MTU of 1500.

 

root@Core> show interfaces vlan.123
Logical interface vlan.123 (Index 94) (SNMP ifIndex 803)
Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 25554
Output packets: 21219
Protocol inet, MTU: 1500
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.121.123/24, Local: 10.121.123.1, Broadcast: 10.121.123.255

DHCP Snooping issues on EX4200


Hello,

 

I have an EX4200 (L3) with multiple vlans and a DHCP server attached to port 0/0/1, and a Cisco 2960 access switch connected to port 0/0/48. I have vlans 5, 6 and 10 defined on both switches. The DHCP server is on VLAN 10. I enabled DHCP snooping and trusted port 0/0/1. I connected multiple clients on different vlans and they all get an IP address fine. The issue I have is that the EX4200 doesn't show any binding for vlan 5 and 6. I see multiple bindings on the Cisco switch for those vlans but not on the EX. I connected clients to the EX and put them in vlan 5 and 6; they got an IP fine but the switch doesn't show any bindings. The only binding that the EX shows is for vlan 10, where the DHCP server is.

I attached part of the config.

 

 

forwarding-options {
    helpers {
        bootp {
            interface {
                vlan.5 {
                    server 10.81.10.10;
                }
                vlan.6 {
                    server 10.81.10.10;
                }
                vlan.10 {
                    server 10.81.10.10;
                }
            }
        }
    }
}

 

[edit ethernet-switching-options]
abdel# show
secure-access-port {
    interface ge-0/0/1.0 {
        dhcp-trusted;
    }
    vlan vlan5 {
        examine-dhcp;
    }
    vlan vlan6 {
        examine-dhcp;
    }
    vlan vlan10 {
        examine-dhcp;
    }
    dhcp-snooping-file {
        location /var/home/DHCPSNOOPING.log;
        write-interval 60;
    }
}

 

 

Has anyone run into this issue before?

 

 

15.1 Now Recommended


15.1 is now the recommended release for most of the EX platform after 3 1/2 years on 12.3. Is anyone running 15 regularly in production and can report on general stability?

Ex2200 lacp flap


Hello,

 

I have an EX2200 running version 12.3R6.6. Some LACP flapping suddenly happened for about 1 minute yesterday; there's nothing interesting in the logs except LACP timeouts.

 

Dec 11 19:17:40 XXXX chassism[1214]: JTASK_SCHED_SLIP_KEVENT: 21 sec 494516 usec kevent block
Dec 11 19:17:40 XXXX sfid[1215]: JTASK_SCHED_SLIP_KEVENT: 21 sec 495211 usec kevent block
Dec 11 19:17:40 XXXX eswd[1225]: JTASK_SCHED_SLIP_KEVENT: 21 sec 571357 usec kevent block
Dec 11 19:17:40 XXXX /kernel: KERN_LACP_INTF_STATE_CHANGE: lacp_update_state_userspace: cifd ge-0/0/44 - ATTACHED state - acting as standby link
Dec 11 19:17:40 XXXX lacpd[1245]: LACPD_TIMEOUT: ge-0/0/44: lacp current while timer expired current Receive State: CURRENT
Dec 11 19:17:40 XXXX rpd[1235]: RPD_SCHED_SLIP_KEVENT: 22 sec 349263 usec kevent block
Dec 11 19:17:40 XXXX sflowd[1250]: JTASK_SCHED_SLIP_KEVENT: 25 sec 380936 usec kevent block
Dec 11 19:17:40 XXXX mcsnoopd[1251]: JTASK_SCHED_SLIP_KEVENT: 21 sec 814462 usec kevent block
Dec 11 19:17:40 XXXX cfmd[1231]: JTASK_SCHED_SLIP_KEVENT: 21 sec 905300 usec kevent block
Dec 11 19:17:40 XXXX lacpd[1245]: LACPD_TIMEOUT: ge-0/0/45: lacp current while timer expired current Receive State: CURRENT
Dec 11 19:17:40 XXXX lacpd[1245]: LACP_INTF_DOWN: ae0: Interface marked down due to lacp timeout on member ge-0/0/45
Dec 11 19:17:40 XXXX /kernel: ae_bundlestate_ifd_change: bundle ae0: bundle IFD minimum links not met 0 < 1
Dec 11 19:17:40 XXXX /kernel: KERN_LACP_INTF_STATE_CHANGE: lacp_update_state_userspace: cifd ge-0/0/45 - ATTACHED state - acting as standby link
Dec 11 19:17:40 XXXX lacpd[1245]: LACPD_TIMEOUT: ge-0/0/47: lacp current while timer expired current Receive State: CURRENT
Dec 11 19:17:40 XXXX /kernel: KERN_LACP_INTF_STATE_CHANGE: lacp_update_state_userspace: cifd ge-0/0/47 - ATTACHED state - acting as standby link
Dec 11 19:17:40 XXXX /kernel: ae_bundlestate_ifd_change: bundle ae1: bundle IFD minimum links not met 0 < 1
Dec 11 19:17:40 XXXX /kernel: KERN_LACP_INTF_STATE_CHANGE: lacp_update_state_userspace: cifd ge-0/0/46 - ATTACHED state - acting as standby link
Dec 11 19:17:40 XXXX lacpd[1245]: LACPD_TIMEOUT: ge-0/0/46: lacp current while timer expired current Receive State: CURRENT
Dec 11 19:17:40 XXXX lacpd[1245]: LACP_INTF_DOWN: ae1: Interface marked down due to lacp timeout on member ge-0/0/46
Dec 11 19:17:40 XXXX /kernel: KERN_LACP_INTF_STATE_CHANGE: lacp_update_state_userspace: cifd ge-0/0/44 - CD state - ready to carry traffic
Dec 11 19:17:40 XXXX vccpd[1216]: JTASK_SCHED_SLIP_KEVENT: 24 sec 561307 usec kevent block
Dec 11 19:17:40 XXXX /kernel: KERN_LACP_INTF_STATE_CHANGE: lacp_update_state_userspace: cifd ge-0/0/45 - CD state - ready to carry traffic
Dec 11 19:17:41 XXXX /kernel: KERN_LACP_INTF_STATE_CHANGE: lacp_update_state_userspace: cifd ge-0/0/47 - CD state - ready to carry traffic
Dec 11 19:17:41 XXXX /kernel: KERN_LACP_INTF_STATE_CHANGE: lacp_update_state_userspace: cifd ge-0/0/46 - CD state - ready to carry traffic
Dec 11 19:17:41 XXXX mib2d[1234]: SNMP_TRAP_LINK_DOWN: ifIndex 600, ifAdminStatus up(1), ifOperStatus down(2), ifName ae0
Dec 11 19:17:41 XXXX mib2d[1234]: SNMP_TRAP_LINK_DOWN: ifIndex 602, ifAdminStatus up(1), ifOperStatus down(2), ifName ae1

 

I have checked the RE and all looks normal; below is some information.

 

show chassis routing-engine
Routing Engine status:
Slot 0:
Current state Master
Temperature 31 degrees C / 87 degrees F
CPU temperature 31 degrees C / 87 degrees F
DRAM 512
Memory utilization 54 percent
CPU utilization:
User 7 percent
Background 0 percent
Kernel 6 percent
Interrupt 0 percent
Idle 87 percent
Model EX2200-48T-4G
Serial ID CU0215070169
Start time 2014-03-13 17:48:10 CST
Uptime 375 days, 14 hours, 3 minutes, 58 seconds
Last reboot reason 0x1:power cycle/failure
Load averages: 1 minute 5 minute 15 minute
0.18 0.24 0.23

 

show virtual-chassis

[screenshot of the show virtual-chassis output, attached as an image]

 

How can I debug this issue? Many thanks!
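One place to start the debugging asked for above, as an added example that is not part of the post: every LACP timeout in the log sits next to JTASK_SCHED_SLIP_KEVENT / RPD_SCHED_SLIP_KEVENT messages of 21 to 25 seconds, i.e. daemons on the RE were not scheduled for that long. The script below correlates the two and says whether the slip alone exceeds the LACP timeout (3 s at the fast periodic rate, which is the Junos default and an assumption about the peer; 90 s for slow). The sample lines are a subset copied from the post.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the syslog lines quoted in the post above.
SAMPLE_LOG = """\
Dec 11 19:17:40 XXXX chassism[1214]: JTASK_SCHED_SLIP_KEVENT: 21 sec 494516 usec kevent block
Dec 11 19:17:40 XXXX eswd[1225]: JTASK_SCHED_SLIP_KEVENT: 21 sec 571357 usec kevent block
Dec 11 19:17:40 XXXX lacpd[1245]: LACPD_TIMEOUT: ge-0/0/44: lacp current while timer expired current Receive State: CURRENT
Dec 11 19:17:40 XXXX rpd[1235]: RPD_SCHED_SLIP_KEVENT: 22 sec 349263 usec kevent block
Dec 11 19:17:40 XXXX lacpd[1245]: LACPD_TIMEOUT: ge-0/0/45: lacp current while timer expired current Receive State: CURRENT
Dec 11 19:17:40 XXXX lacpd[1245]: LACP_INTF_DOWN: ae0: Interface marked down due to lacp timeout on member ge-0/0/45
Dec 11 19:17:40 XXXX /kernel: ae_bundlestate_ifd_change: bundle ae0: bundle IFD minimum links not met 0 < 1
Dec 11 19:17:40 XXXX lacpd[1245]: LACPD_TIMEOUT: ge-0/0/46: lacp current while timer expired current Receive State: CURRENT
Dec 11 19:17:40 XXXX lacpd[1245]: LACP_INTF_DOWN: ae1: Interface marked down due to lacp timeout on member ge-0/0/46
Dec 11 19:17:41 XXXX mib2d[1234]: SNMP_TRAP_LINK_DOWN: ifIndex 600, ifAdminStatus up(1), ifOperStatus down(2), ifName ae0
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "  # "Dec 11 19:17:40 <host> "
SLIP_RE = re.compile(TS + r"(?P<proc>[\w/]+)(?:\[\d+\])?: \w+_SCHED_SLIP_KEVENT: (?P<sec>\d+) sec (?P<usec>\d+) usec")
TIMEOUT_RE = re.compile(TS + r"lacpd\[\d+\]: LACPD_TIMEOUT: (?P<ifd>\S+):")
DOWN_RE = re.compile(TS + r"lacpd\[\d+\]: LACP_INTF_DOWN: (?P<ae>\S+):.* member (?P<ifd>\S+)$")


def _ts(text):
    # Syslog carries no year; the default (1900) is fine for deltas within one log.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_events(log_text):
    """Return (scheduler slips, LACP timeouts, bundle-down events) found in the log."""
    slips, timeouts, downs = [], [], []
    for line in log_text.splitlines():
        if m := SLIP_RE.match(line):
            slips.append((_ts(m["ts"]), m["proc"], int(m["sec"]) + int(m["usec"]) / 1e6))
        elif m := TIMEOUT_RE.match(line):
            timeouts.append((_ts(m["ts"]), m["ifd"]))
        elif m := DOWN_RE.match(line):
            downs.append((_ts(m["ts"]), m["ae"], m["ifd"]))
    return slips, timeouts, downs


def correlate(log_text, lacp_timeout_s=3.0, window_s=60.0):
    """For every LACP timeout, find the worst scheduler slip within window_s and report whether that
    slip alone is longer than the LACP timeout (3 s = three missed PDUs at the fast rate, 90 s at slow)."""
    slips, timeouts, downs = parse_events(log_text)
    findings = []
    for when, ifd in timeouts:
        near = [s for s in slips if abs((s[0] - when).total_seconds()) <= window_s]
        worst = max(near, key=lambda s: s[2], default=None)
        findings.append({
            "member": ifd,
            "bundle": next((ae for _, ae, member in downs if member == ifd), None),
            "worst_slip_s": round(worst[2], 3) if worst else 0.0,
            "worst_slip_proc": worst[1] if worst else None,
            "explained_by_slip": bool(worst and worst[2] >= lacp_timeout_s),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

If every timeout is explained by a slip, the next question is what starved the RE at that moment (CPU, storage or a stuck daemon), not the LACP peer.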

MSTP with Juniper and Cisco Switch for load balancing


I am attempting to use MSTP to help with some load balancing and redundancy. I have two Cisco access switches that feed into two EX4300 distribution switches. If there is a better way to manage this, please feel free to suggest it.

 

I would like to split off traffic by VLANs but still have the second EX switch in place for redundancy. At this time the traffic is being re-routed in a simulated failure situation, but when all devices are working the Ciscos appear to be sending all traffic, regardless of VLAN, to only one of the two EX4300s. The closest documentation for this I've found is for 2 Cisco and 1 Juniper (page 12 http://www.juniper.net/us/en/local/pdf/implementation-guides/8010002-en.pdf). When I look at the spanning tree on the Juniper switches, the correct switch is root for the correct MSTI/VLAN group. When I look at the spanning tree on the Cisco, all MST instances/VLANs are tagged to the same Juniper switch, leaving the other switch in standby.

 

As the real system has more VLANs and additional Cisco access switches, I have simplified this as an example. Not all VLANs in the ranges indicated are in use or part of the trunk ports either. There is no VLAN 1 in use on the network.

 

Simplified line diagram:

                 |-------- EX4300-1 (traffic for VLANs 1-9)
Cisco Switch ----|              |  (trunked connection between the Junipers)
                 |-------- EX4300-2 (traffic for VLANs 10-19)

 

Protocols Config from EX4300-1

 

protocols {
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
    igmp-snooping {
        vlan default;
    }
    mstp {
        configuration-name region1;
        bridge-priority 28k;
        interface left1 {
            mode point-to-point;
        }
        interface left2 {
            mode point-to-point;
        }
        msti 1 {
            bridge-priority 24k;
            vlan 1-9;
        }
        msti 2 {
            bridge-priority 28k;
            vlan 10-19;
        }
    }
}

 

Protocols Config from EX4300-2

protocols {
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
    igmp-snooping {
        vlan default;
    }
    mstp {
        configuration-name region1;
        bridge-priority 28k;
        interface left1 {
            mode point-to-point;
        }
        interface left2 {
            mode point-to-point;
        }
        msti 1 {
            bridge-priority 28k;
            vlan 1-9;
        }
        msti 2 {
            bridge-priority 24k;
            vlan 10-19;
        }
    }
}

 

Cisco spanning-tree Config

spanning-tree mode mst
spanning-tree extend system-id
spanning-tree pathcost method long
!
spanning-tree mst configuration
 instance 1 vlan 1-9
 instance 2 vlan 10-19
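Switches only share MST instances when they belong to the same region, which requires the configuration name, the revision and the VLAN-to-instance mapping (compared as an HMAC-MD5 digest) to all agree; a switch outside the region only sees the CIST. The following added checker, not from the thread, extracts those three parameters from the two configuration styles quoted above and reports any difference; the sample text is copied from the post, and unconfigured name/revision default to "" and 0 on both platforms.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Samples reproduced from the post above: the EX4300-1 mstp stanza and the Cisco MST block.
JUNOS_EX4300_1 = """\
protocols {
    mstp {
        configuration-name region1;
        msti 1 {
            bridge-priority 24k;
            vlan 1-9;
        }
        msti 2 {
            bridge-priority 28k;
            vlan 10-19;
        }
    }
}
"""
CISCO_2960 = """\
spanning-tree mst configuration
 instance 1 vlan 1-9
 instance 2 vlan 10-19
"""
# Signature key for the MST Configuration Digest defined by IEEE 802.1Q (MSTP).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


@dataclass
class MstRegion:
    name: str      # configuration-name (Junos) / name (Cisco); "" when not configured
    revision: int  # revision-level (Junos) / revision (Cisco); 0 when not configured
    mapping: dict  # VLAN ID -> MSTI for VLANs moved out of the CIST (instance 0)

    def digest(self):
        """HMAC-MD5 over the 4096-entry VID->MSTID table, the value advertised in MST BPDUs."""
        table = bytearray(4096 * 2)
        for vid, msti in self.mapping.items():
            if 1 <= vid <= 4094:  # VIDs 0 and 4095 always stay in the CIST
                table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
        return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()

def expand_vlan_list(text):
    """'1-9,20' (IOS) or '[ 1-9 20 ]' (Junos) -> [1, ..., 9, 20]."""
    vids = []
    for token in re.split(r"[\s,\[\]]+", text):
        if token:
            lo, _, hi = token.partition("-")
            vids.extend(range(int(lo), int(hi or lo) + 1))
    return vids

def parse_junos(config_text):
    """Region parameters from a Junos 'protocols { mstp { ... } }' stanza, tracking brace depth."""
    name, revision, mapping, depth, msti, msti_depth = "", 0, {}, 0, None, -1
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            if m := re.match(r"msti (\d+) \{", line):
                msti, msti_depth = int(m.group(1)), depth
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == msti_depth:  # closed the msti block
                msti, msti_depth = None, -1
        elif m := re.match(r"configuration-name (\S+);", line):
            name = m.group(1).strip('"')
        elif m := re.match(r"revision-level (\d+);", line):
            revision = int(m.group(1))
        elif msti is not None and (m := re.match(r"vlan (.+);", line)):
            mapping.update({vid: msti for vid in expand_vlan_list(m.group(1))})
    return MstRegion(name, revision, mapping)

def parse_cisco(config_text):
    """Region parameters from an IOS 'spanning-tree mst configuration' block (indented sub-commands)."""
    name, revision, mapping, in_block = "", 0, {}, False
    for line in config_text.splitlines():
        in_block = line.startswith("spanning-tree mst configuration") or (in_block and line.startswith(" "))
        sub = line.strip() if in_block else ""
        if m := re.match(r"name (\S+)$", sub):
            name = m.group(1)
        elif m := re.match(r"revision (\d+)$", sub):
            revision = int(m.group(1))
        elif m := re.match(r"instance (\d+) vlan (\S+)$", sub):
            mapping.update({vid: int(m.group(1)) for vid in expand_vlan_list(m.group(2))})
    return MstRegion(name, revision, mapping)

def region_mismatches(regions):
    """regions: {switch: MstRegion}; an empty result means every switch joins the first one's region."""
    (ref_name, ref), *others = regions.items()
    problems = []
    for other, r in others:
        for attr in ("name", "revision"):
            if getattr(r, attr) != getattr(ref, attr):
                problems.append(f"{other}: {attr} {getattr(r, attr)!r} != {ref_name} {getattr(ref, attr)!r}")
        if r.digest() != ref.digest():
            problems.append(f"{other}: VLAN-to-instance digest {r.digest()} != {ref_name} {ref.digest()}")
    return problems
```

Run `region_mismatches({"EX4300-1": parse_junos(...), "EX4300-2": parse_junos(...), "Cisco": parse_cisco(...)})` with the real configurations; the digest also lets you compare against what `show spanning-tree mst configuration` prints on each side.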

 

RSTP : Edge port with received BPDU > 0 ?


I'm running a network with 2 EX4500s as core switches and EX4200 VCs as access switches.
RSTP is used for loop prevention.
On the access switches, only the uplink ports (toward the EX4500 cores) should be non-edge ports and should receive BPDUs.
But I noticed that a few access ports have received BPDUs.
Among those ports, some are classified as "edge ports" and some are classified as "non-edge ports".
So I suspect that the guys in charge of server deployment may have configured spanning tree on their boxes by mistake.

** Edge port with received BPDU > 0, non incrementing
I'm getting confused when I see "edge ports" with a received BPDU counter > 0. The counter has not increased in weeks.
AFAIK, a port is considered an "edge port" if the switch doesn't see any BPDU on that port for a predefined duration (I don't know for how long).
So I assumed that there has been no counter increase since the last time the interface went up, and that the counter I see today refers to a previous state (when the peer on that port used to run STP, while it is no longer running).

** Non-edge port with received BPDU > 0, non incrementing
It looks normal to me to see a non-edge port with received BPDU > 0.
The fact that there is no BPDU increase reflects the fact that the interconnection is stable (whether in root or alternate state on the remote equipment).
But I can't access the peer host to check its configuration.

I would like to have confirmation of my understanding:
- edge port with received BPDUs, non incrementing = peer host ran STP long ago (hence counters are > 0), but not since the last time the interface went up (=> edge port)
- non-edge port with received BPDUs (normal), non incrementing = peer host runs RSTP and is in a stable state (alternate+blocking or root+forwarding).


Cheers,

Pascal




*** edge port with received bpdu > 0
> show spanning-tree statistics interface ae10
Interface   BPDUs sent   BPDUs received      Next BPDU transmission
ae10.0        24554385       1392037                1

>show spanning-tree interface ae10 detail
Spanning tree interface parameters for instance 0
Interface name                 : ae10.0
Port identifier                : 128.11
Designated port ID             : 128.11
Port cost                      : 10000
Port state                     : Forwarding
Designated bridge ID           : 16384.5c:5e:ab:61:22:01
Port role                      : Designated
Link type                      : Pt-Pt/EDGE
Boundary port                  : NA
Edge delay while expiry count  : 23
Rcvd info while expiry count   : 0



*** non edge port
>show spanning-tree statistics interface ge-1/0/24
Interface   BPDUs sent   BPDUs received      Next BPDU transmission
ge-1/0/24.0   24719512          1497                0

>show spanning-tree interface ge-1/0/24 detail
Spanning tree interface parameters for instance 0
Interface name                 : ge-1/0/24.0
Port identifier                : 128.601
Designated port ID             : 128.601
Port cost                      : 20000
Port state                     : Forwarding
Designated bridge ID           : 16384.5c:5e:ab:61:22:01
Port role                      : Designated
Link type                      : Pt-Pt/NONEDGE
Boundary port                  : NA
Edge delay while expiry count  : 240
Rcvd info while expiry count   : 2
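An added check, not from Pascal's post, that applies the reading of the counters given above to two snapshots of the statistics output plus the detail output, and additionally flags any non-edge port that is not on a known uplink list, which is the "server team switched STP on" case suspected above. The samples are trimmed copies of the outputs shown; the second snapshot and the uplink name ae0.0 are constructed.

```python
# Constructed samples built from the two outputs in the post: BPDU statistics taken at two points
# in time (the second snapshot is invented) and the per-interface detail, trimmed to the fields used.
STATS_BEFORE = """\
Interface   BPDUs sent   BPDUs received      Next BPDU transmission
ae10.0        24554385       1392037                1
ge-1/0/24.0   24719512          1497                0
"""
STATS_AFTER = """\
Interface   BPDUs sent   BPDUs received      Next BPDU transmission
ae10.0        24856000       1392037                1
ge-1/0/24.0   25021127          1497                0
"""
DETAILS = """\
Spanning tree interface parameters for instance 0
Interface name                 : ae10.0
Port state                     : Forwarding
Port role                      : Designated
Link type                      : Pt-Pt/EDGE
Edge delay while expiry count  : 23
Spanning tree interface parameters for instance 0
Interface name                 : ge-1/0/24.0
Port state                     : Forwarding
Port role                      : Designated
Link type                      : Pt-Pt/NONEDGE
Edge delay while expiry count  : 240
"""

# Reading of each category, following the understanding laid out in the post.
EXPLANATION = {
    "edge-clean": "edge port, never saw a BPDU",
    "edge-historical": "edge port, BPDUs counted in the past but none since it last came up (peer stopped running STP)",
    "edge-receiving": "edge port still receiving BPDUs: it should fall back to non-edge; check the peer",
    "nonedge-stable": "non-edge port, counter stable: peer runs (R)STP and the topology is converged",
    "nonedge-receiving": "non-edge port, counter rising: peer is actively sending BPDUs",
}


def parse_stats(text):
    """'show spanning-tree statistics interface' -> {interface: received BPDU count}."""
    received = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            received[parts[0]] = int(parts[2])
    return received


def parse_details(text):
    """'show spanning-tree interface ... detail' -> {interface: {field: value}}."""
    ports, current = {}, None
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition(":"))
        if not sep:
            continue
        if key == "Interface name":
            current = value
            ports[current] = {}
        elif current is not None:
            ports[current][key] = value
    return ports


def audit(stats_before, stats_after, details_text, uplinks):
    """Classify every port; 'unexpected_peer' marks a non-edge port that is not a known uplink,
    i.e. an attached host that talks STP although it should not."""
    before, after, details = parse_stats(stats_before), parse_stats(stats_after), parse_details(details_text)
    report = {}
    for ifl, info in details.items():
        link = info.get("Link type", "")
        edge = link.split("/")[-1] == "EDGE"  # 'Pt-Pt/NONEDGE' also ends in EDGE, so compare the last field
        rx = after.get(ifl, 0)
        delta = rx - before.get(ifl, rx)
        if edge:
            category = "edge-clean" if rx == 0 else ("edge-historical" if delta == 0 else "edge-receiving")
        else:
            category = "nonedge-stable" if delta == 0 else "nonedge-receiving"
        report[ifl] = {
            "link_type": link, "role": info.get("Port role"), "received": rx, "delta": delta,
            "category": category, "explanation": EXPLANATION[category],
            "unexpected_peer": not edge and ifl not in uplinks,
        }
    return report


if __name__ == "__main__":
    for ifl, row in audit(STATS_BEFORE, STATS_AFTER, DETAILS, uplinks={"ae0.0"}).items():
        print(ifl, row["category"], "UNEXPECTED STP PEER" if row["unexpected_peer"] else "")
```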

What is the default action for storm-control default on QFX5100?


Hi All,

 

May I know what default action the QFX5100 will take if a storm happens at an access switch connected to the QFX5100 with the config below? Will the QFX shut down the interface automatically even though I haven't configured any action? I'd appreciate someone's feedback.

 

root@test-vcf> show configuration forwarding-options
storm-control-profiles default {
    all;
}


{master:0}
root@Stest-vcf> show configuration interfaces ae67
description test;
mtu 9192;
aggregated-ether-options {
    minimum-links 1;
    link-speed 10g;
    lacp {
        active;
    }
}
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members all;
        }
        storm-control default;
    }
}


Script in EX 2200


Hello,

 

I want to know how I can write a script for all our switches in our network; I need to know which switch has this enabled:

show configuration ethernet-switching-options secure-access-port

 interface all {
     allowed-mac ......
 }

 

Does anybody know about this?

 

Thanks
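An added example of the kind of script asked for, not from the thread: it reads the stanza in '| display set' form (one full path per line, which is easier to parse than the brace form) for each switch and reports which switches carry allowed-mac under interface all. The hostnames and sample outputs are constructed, and collect() assumes key-based SSH login to the switches.

```python
import re
import subprocess
from collections import defaultdict

# The operational command from the post, in 'display set' form, which yields one full path per line.
COMMAND = "show configuration ethernet-switching-options secure-access-port | display set"
SET_RE = re.compile(
    r"^set ethernet-switching-options secure-access-port interface (?P<ifl>\S+) (?P<knob>\S+)(?: (?P<arg>.*))?$"
)

# Constructed sample: what COMMAND returned on three hypothetical switches.
SAMPLE_OUTPUTS = {
    "sw-a": """\
set ethernet-switching-options secure-access-port interface all allowed-mac 00:10:94:00:00:01
set ethernet-switching-options secure-access-port interface all allowed-mac 00:10:94:00:00:02
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 dhcp-trusted
set ethernet-switching-options secure-access-port vlan vlan5 examine-dhcp
""",
    "sw-b": """\
set ethernet-switching-options secure-access-port interface ge-0/0/7.0 allowed-mac 00:10:94:00:00:07
set ethernet-switching-options secure-access-port interface ge-0/0/7.0 mac-limit 1 action drop
set ethernet-switching-options secure-access-port vlan vlan10 examine-dhcp
""",
    "sw-c": "",  # nothing configured under secure-access-port
}


def parse_secure_access_port(display_set_text):
    """'| display set' output -> {interface: {knob: [arguments]}} (vlan-level statements are skipped)."""
    ports = defaultdict(lambda: defaultdict(list))
    for line in display_set_text.splitlines():
        if m := SET_RE.match(line.strip()):
            ports[m["ifl"]][m["knob"]].append(m["arg"] or "")
    return {ifl: dict(knobs) for ifl, knobs in ports.items()}


def audit_switches(outputs):
    """outputs: {hostname: display-set text} -> per-switch summary of allowed-mac and dhcp-trusted use."""
    findings = {}
    for host, text in outputs.items():
        ports = parse_secure_access_port(text)
        findings[host] = {
            "all_allowed_mac": ports.get("all", {}).get("allowed-mac", []),
            "per_interface_allowed_mac": {
                ifl: knobs["allowed-mac"] for ifl, knobs in ports.items() if ifl != "all" and "allowed-mac" in knobs
            },
            "dhcp_trusted": sorted(ifl for ifl, knobs in ports.items() if "dhcp-trusted" in knobs),
        }
    return findings


def switches_with_global_allowed_mac(findings):
    """The question asked in the post: which switches have allowed-mac under 'interface all'."""
    return sorted(host for host, f in findings.items() if f["all_allowed_mac"])


def collect(host, user):
    """Fetch COMMAND from one switch over SSH (assumes key-based login works; not exercised offline)."""
    result = subprocess.run(["ssh", f"{user}@{host}", COMMAND], capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    report = audit_switches(SAMPLE_OUTPUTS)
    print("interface all allowed-mac on:", switches_with_global_allowed_mac(report))
    for host, summary in report.items():
        print(host, summary)
```

For a live run, build the outputs dict as `{host: collect(host, "readonly-user") for host in inventory}` and feed it to audit_switches().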

L2 communication (VLAN)


Hello!

It's my first post, so I'm going to say hello to everybody! Also, I'm sorry in advance if this is not the right place (Ethernet switching) to post this message.

 

First of all, this is my hardware setup:
SRX220 (JunOS 11.4R7.5) GE-0/0/1 (LAN) - this is the port from where I want to begin my L2 communication
SRX220 GE-1/0/0 (WAN - optic)
----- 192.168.253.34/30 -------
----- 192.168.253.33/30 -------
EX4200 (JunOS 12.2R5.3) GE-0/0/4 (optic)
EX4200 (ae0: GE-0/0/23 + GE-1/0/23 + RSTP)
----- VLAN.1000: 172.16.0.1/24 -----
----- VLAN.1000: 172.16.0.1/24 -----
EX2200 (JunOS 12.2R5.3) (ae0: GE-0/0/22 + GE-0/0/23 + RSTP)
EX2200 GE-0/0/4 - this is the port where I want to end my L2 communication.

 

The SRX JunOS doesn't have the option of making the WAN port (GE-1/0/0 - optic) family ethernet-switching (port mode trunk). Is it possible without this option to make an L2 communication (VLAN) as I have described?

 

As an attachment all my configurations.

Thank you for your help in advance.

qfx5100-48S: EVPN AND VXLAN


Hi everyone,

I have a test lab. The topology diagram is as follows:

 

qfx5100-1 --------------- qfx5100-2
    |                         |
    |                         |
  host-1                    host-2

 

====================================

configuration:

 

root@qfx5100-1# show | display set 
set version 14.1X53-D35.3
set system host-name qfx5100-1
set system root-authentication encrypted-password "$1$Wi6S7UO9$dwPAk/tS.MRBUxKKnoVoL0"
set system services ssh
set system services telnet
set interfaces xe-0/0/0 mtu 9216
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members hosts
set interfaces xe-0/0/36 mtu 9216
set interfaces xe-0/0/36 unit 0 description "To qfx5100-2-xe-0/0/46"
set interfaces xe-0/0/36 unit 0 family inet address 10.10.10.1/30
set interfaces lo0 unit 0 family inet address 10.1.1.1/32
set routing-options router-id 10.1.1.1
set routing-options autonomous-system 65401
set routing-options forwarding-table export load-balance
set protocols bgp group fabric type external
set protocols bgp group fabric family inet unicast
set protocols bgp group fabric family evpn signaling
set protocols bgp group fabric export allow-all
set protocols bgp group fabric multipath multiple-as
set protocols bgp group fabric neighbor 10.10.10.2 description qfx5100-2
set protocols bgp group fabric neighbor 10.10.10.2 peer-as 65402
set protocols evpn vni-options vni 10 vrf-target export target:1:10
set protocols evpn encapsulation vxlan
set protocols evpn extended-vni-list 10
set protocols evpn multicast-mode ingress-replication
set policy-options policy-statement allow-all term allow from protocol direct
set policy-options policy-statement allow-all term allow from route-filter 10.1.1.1/32 exact
set policy-options policy-statement allow-all term allow then accept
set policy-options policy-statement allow-all then accept
set policy-options policy-statement load-balance then load-balance per-packet
set policy-options policy-statement vrf-import term vxlan10 from community vxlan10
set policy-options policy-statement vrf-import term vxlan10 then accept
set policy-options policy-statement vrf-import then reject
set policy-options community vxlan10 members target:1:10
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 10.1.1.1:1
set switch-options vrf-import vrf-import
set switch-options vrf-target target:65401:100
set switch-options vrf-target auto
set vlans hosts vlan-id 10              
set vlans hosts vxlan vni 10
set vlans hosts vxlan ingress-node-replication
root@qfx5100-2# show | display set 
set version 14.1X53-D35.3
set system host-name qfx5100-2
set system root-authentication encrypted-password "$1$Efk1tFQH$7wFoqXtVNu/QrG9ZX/NOW1"
set system services ssh
set system services telnet
set interfaces xe-0/0/0 mtu 9216
set interfaces xe-0/0/0 unit 0 description host
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members hosts
set interfaces xe-0/0/36 mtu 9216
set interfaces xe-0/0/36 unit 0 description "To qfx5100-1-xe-0/0/46"
set interfaces xe-0/0/36 unit 0 family inet address 10.10.10.2/30
set interfaces lo0 unit 0 family inet address 10.2.2.2/32
set routing-options router-id 10.2.2.2
set routing-options autonomous-system 65402
set routing-options forwarding-table export load-balance
set protocols bgp group fabric type external
set protocols bgp group fabric family inet unicast
set protocols bgp group fabric family evpn signaling
set protocols bgp group fabric export allow-all
set protocols bgp group fabric multipath multiple-as
set protocols bgp group fabric neighbor 10.10.10.1 description qfx5100-1
set protocols bgp group fabric neighbor 10.10.10.1 peer-as 65401
set protocols evpn vni-options vni 10 vrf-target export target:1:10
set protocols evpn encapsulation vxlan
set protocols evpn extended-vni-list 10
set protocols evpn multicast-mode ingress-replication
set policy-options policy-statement allow-all term allow from protocol direct
set policy-options policy-statement allow-all term allow from route-filter 10.2.2.2/32 exact
set policy-options policy-statement allow-all term allow then accept
set policy-options policy-statement load-balance then load-balance per-packet
set policy-options policy-statement vrf-import term vxlan10 from community vxlan10
set policy-options policy-statement vrf-import term vxlan10 then accept
set policy-options policy-statement vrf-import then reject
set policy-options community vxlan10 members target:1:10
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 10.1.1.2:1
set switch-options vrf-import vrf-import
set switch-options vrf-target target:65401:100
set switch-options vrf-target auto
set vlans hosts vlan-id 10
set vlans hosts vxlan vni 10
set vlans hosts vxlan ingress-node-replication
root@host-1# show | display set 
set version 14.1X53-D35.3
set system root-authentication encrypted-password "$1$tvVqqvaS$f.muCwcISMs2.dFQOlfvz0"
set system services ssh
set system services telnet
set interfaces xe-0/0/0 unit 0 family inet address 192.168.10.1/24
root@host-2# show | display set 
set version 14.1X53-D35.3
set system host-name host-2
set system root-authentication encrypted-password "$1$Vxl1d5Ku$.B1nWvweKPpgTrDReOuW6/"
set system services ssh
set system services telnet
set interfaces xe-0/0/0 unit 0 family inet address 192.168.10.2/24
set interfaces vme unit 0 family inet address 10.11.18.2/24
{master:0}[edit]
root@qfx5100-1# run show route  

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.1/32        *[Direct/0] 08:21:11
                    > via lo0.0
10.1.18.0/24       *[Direct/0] 07:38:55
                    > via vme.0
10.1.18.1/32       *[Local/0] 07:38:55
                      Local via vme.0
10.2.2.2/32        *[BGP/170] 00:39:43, localpref 100
                      AS path: 65402 I, validation-state: unverified
                    > to 10.10.10.2 via xe-0/0/36.0
10.10.10.0/30      *[Direct/0] 02:13:47
                    > via xe-0/0/36.0
10.10.10.1/32      *[Local/0] 02:13:47
                      Local via xe-0/0/36.0

:vxlan.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.1/32        *[Direct/0] 08:11:30
                    > via lo0.0
10.1.18.0/24       *[Direct/0] 07:38:55
                    > via vme.0
10.1.18.1/32       *[Local/0] 00:19:43
                      Local via vme.0
10.10.10.0/30      *[Direct/0] 02:13:47
                    > via xe-0/0/36.0
10.10.10.1/32      *[Local/0] 02:13:47
                      Local via xe-0/0/36.0
10.10.10.2/32      *[Static/1] 00:36:40, metric2 0
                    > to 10.10.10.2 via xe-0/0/36.0

bgp.evpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2:10.1.1.2:1::10::ec:13:db:8e:5d:e3/304
                   *[BGP/170] 00:19:52, localpref 100
                      AS path: 65402 I, validation-state: unverified
                    > to 10.10.10.2 via xe-0/0/36.0
3:10.1.1.1:1::10::10.1.1.1/304
                   *[EVPN/170] 07:53:55
                      Indirect
3:10.1.1.2:1::10::10.2.2.2/304
                   *[BGP/170] 00:39:43, localpref 100
                      AS path: 65402 I, validation-state: unverified
                    > to 10.10.10.2 via xe-0/0/36.0

default-switch.evpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2:10.1.1.2:1::10::ec:13:db:8e:5d:e3/304
                   *[BGP/170] 00:19:52, localpref 100
                      AS path: 65402 I, validation-state: unverified
                    > to 10.10.10.2 via xe-0/0/36.0
3:10.1.1.1:1::10::10.1.1.1/304
                   *[EVPN/170] 07:53:55
                      Indirect
3:10.1.1.2:1::10::10.2.2.2/304
                   *[BGP/170] 00:36:40, localpref 100
                      AS path: 65402 I, validation-state: unverified
                    > to 10.10.10.2 via xe-0/0/36.0
root@qfx5100-1# run show evpn instance extensive 
Instance: __default_evpn__
  Route Distinguisher: 10.1.1.1:0
  VLAN ID: None
  Per-instance MAC route label: 299776
  MAC database status                     Local  Remote
    MAC advertisements:                       0       0
    MAC+IP advertisements:                    0       0
    Default gateway MAC advertisements:       0       0
  Number of ethernet segments: 0

Instance: default-switch
  Route Distinguisher: 10.1.1.1:1
  Encapsulation type: VXLAN
  MAC database status                     Local  Remote
    MAC advertisements:                       0       1
    MAC+IP advertisements:                    0       0
    Default gateway MAC advertisements:       0       0
  Number of local interfaces: 1 (1 up)
    Interface name  ESI                            Mode             Status
    xe-0/0/0.0      00:00:00:00:00:00:00:00:00:00  single-homed     Up    
  Number of IRB interfaces: 0 (0 up)
  Number of bridge domains: 1
    VLAN  VNI    Intfs / up    IRB intf   Mode             MAC sync  IM route label
    10    10         1   1                Extended         Enabled   10     
  Number of neighbors: 1
    10.2.2.2
      Received routes
        MAC address advertisement:              1
        MAC+IP address advertisement:           0
        Inclusive multicast:                    1
        Ethernet auto-discovery:                0
  Number of peers: 1
    10.10.10.2
      Received routes
        MAC address advertisement:              1
        MAC+IP address advertisement:           0
        Inclusive multicast:                    1
        Ethernet auto-discovery:                0
  Number of ethernet segments: 0
  Router-ID: 10.1.1.1
  Source VTEP interface IP: 10.1.1.1
{master:0}[edit]
root@qfx5100-1# run show evpn database    
Instance: default-switch
VLAN  VNI  MAC address        Active source                  Timestamp        IP address
      10    ec:13:db:8d:fe:e3  xe-0/0/0.0                     Nov 11 18:54:35
      10    ec:13:db:8e:5d:e3  10.10.10.2                     Nov 11 18:33:55

{master:0}[edit]
root@qfx5100-2# run show ethernet-switching table 

MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)


Ethernet switching table : 2 entries, 2 learned
Routing instance : default-switch
   Vlan                MAC                 MAC      Logical                Active
   name                address             flags    interface              source
   hosts               ec:13:db:8d:fe:e3   D        vtep.32769             10.10.10.1                    
   hosts               ec:13:db:8e:5d:e3   D        xe-0/0/0.0       


root@qfx5100-1# run show ethernet-switching vxlan-tunnel-end-point source 
Logical System Name       Id  SVTEP-IP         IFL   L3-Idx
<default>                 0   10.1.1.1         lo0.0    0  
    L2-RTT                   Bridge Domain              VNID     MC-Group-IP
    default-switch           hosts+10                   10       0.0.0.0        

{master:0}[edit]
root@qfx5100-1# run show ethernet-switching vxlan-tunnel-end-point remote    
Logical System Name       Id  SVTEP-IP         IFL   L3-Idx
<default>                 0   10.1.1.1         lo0.0    0  
 RVTEP-IP         IFL-Idx   NH-Id
 10.10.10.2       549       1678     
    VNID          MC-Group-IP      
    10            0.0.0.0         

{master:0}[edit]
root@qfx5100-1# run show ethernet-switching vxlan-tunnel-end-point remote mac-table 

MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
           SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)

Logical system   : <default>
Routing instance : default-switch
 Bridging domain : hosts+10, VLAN : 10, VNID : 10
   MAC                 MAC      Logical          Remote VTEP
   address             flags    interface        IP address
   ec:13:db:8e:5d:e3   D        vtep.32769       10.10.10.2   

root@qfx5100-2# run show ethernet-switching vxlan-tunnel-end-point source 
Logical System Name       Id  SVTEP-IP         IFL   L3-Idx
<default>                 0   10.2.2.2         lo0.0    0  
    L2-RTT                   Bridge Domain              VNID     MC-Group-IP
    default-switch           hosts+10                   10       0.0.0.0        

{master:0}[edit]
root@qfx5100-2# run show ethernet-switching vxlan-tunnel-end-point remote mac-table 

MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
           SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)

Logical system   : <default>
Routing instance : default-switch
 Bridging domain : hosts+10, VLAN : 10, VNID : 10
   MAC                 MAC      Logical          Remote VTEP
   address             flags    interface        IP address
   ec:13:db:8d:fe:e3   D        vtep.32769       10.10.10.1  
{master:0}[edit]
root@host-1# run ping 192.168.10.2 rapid count 1000    
PING 192.168.10.2 (192.168.10.2): 56 data bytes
...................................................................................................................................................^C
--- 192.168.10.2 ping statistics ---
148 packets transmitted, 0 packets received, 100% packet loss

Everything is in the normal state, yet the ping fails?

Thank you !
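A VXLAN frame is only decapsulated when it arrives at the address the peer uses as its VTEP source (lo0 on both switches above), and Junos derives the remote VTEP address from the protocol next hop of the EVPN routes, so the two are worth comparing whenever the control plane looks fine but traffic does not pass. The added check below, not from the post, parses the `vxlan-tunnel-end-point source` and `remote` outputs above and flags a remote VTEP that is not any peer's source VTEP; the qfx5100-2 remote table is constructed to mirror the one shown for qfx5100-1.

```python
import re

# Outputs reproduced from the post above for qfx5100-1 (source and remote) and qfx5100-2 (source);
# the qfx5100-2 remote table is constructed to mirror what qfx5100-1 shows.
LAB = {
    "qfx5100-1": {
        "source": """\
Logical System Name       Id  SVTEP-IP         IFL   L3-Idx
<default>                 0   10.1.1.1         lo0.0    0
    L2-RTT                   Bridge Domain              VNID     MC-Group-IP
    default-switch           hosts+10                   10       0.0.0.0
""",
        "remote": """\
Logical System Name       Id  SVTEP-IP         IFL   L3-Idx
<default>                 0   10.1.1.1         lo0.0    0
 RVTEP-IP         IFL-Idx   NH-Id
 10.10.10.2       549       1678
    VNID          MC-Group-IP
    10            0.0.0.0
""",
    },
    "qfx5100-2": {
        "source": """\
Logical System Name       Id  SVTEP-IP         IFL   L3-Idx
<default>                 0   10.2.2.2         lo0.0    0
    L2-RTT                   Bridge Domain              VNID     MC-Group-IP
    default-switch           hosts+10                   10       0.0.0.0
""",
        "remote": """\
Logical System Name       Id  SVTEP-IP         IFL   L3-Idx
<default>                 0   10.2.2.2         lo0.0    0
 RVTEP-IP         IFL-Idx   NH-Id
 10.10.10.1       549       1678
    VNID          MC-Group-IP
    10            0.0.0.0
""",
    },
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<default>   0   10.1.1.1   lo0.0   0" : logical system, Id, SVTEP-IP, IFL, L3-Idx
SOURCE_ROW = re.compile(r"^(?P<ls>\S+)\s+\d+\s+(?P<ip>" + IPV4 + r")\s+(?P<ifl>\S+)\s+\d+\s*$")
# " 10.10.10.2   549   1678" : RVTEP-IP, IFL-Idx, NH-Id (the VNID/MC-Group-IP rows do not match)
REMOTE_ROW = re.compile(r"^\s*(?P<ip>" + IPV4 + r")\s+\d+\s+\d+\s*$")


def parse_source_vtep(text):
    """'... vxlan-tunnel-end-point source' -> (SVTEP-IP, source IFL) of the default logical system."""
    for line in text.splitlines():
        if m := SOURCE_ROW.match(line):
            return m["ip"], m["ifl"]
    return None, None


def parse_remote_vteps(text):
    """'... vxlan-tunnel-end-point remote' -> list of RVTEP-IP addresses."""
    return [m["ip"] for m in (REMOTE_ROW.match(line) for line in text.splitlines()) if m]


def check_vtep_consistency(switches):
    """switches: {name: {"source": text, "remote": text}}. Every remote VTEP a switch learned must be the
    source VTEP of some other switch; otherwise it encapsulates toward an address the peer does not
    terminate VXLAN on, and the frames are dropped even though EVPN routes and MAC tables look complete."""
    sources = {name: parse_source_vtep(out["source"])[0] for name, out in switches.items()}
    problems = []
    for name, out in switches.items():
        peers = sorted(ip for peer, ip in sources.items() if peer != name and ip)
        for rvtep in parse_remote_vteps(out["remote"]):
            if rvtep not in peers:
                problems.append(f"{name}: remote VTEP {rvtep} is none of the peer source VTEPs {peers}")
    return problems


if __name__ == "__main__":
    for problem in check_vtep_consistency(LAB) or ["remote and source VTEP addresses agree"]:
        print(problem)
```

When the check reports a mismatch, the next thing to look at is the protocol next hop on the `bgp.evpn.0` routes, since that is where the remote VTEP address comes from.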

 

 

 

dot1x works only one time - ex4200


Hello all,

I have the following issue: dot1x works fine after a switch reboot. All supplicants authenticate and are placed on the proper VLANs. However, if one supplicant reboots, or the cable gets disconnected and reconnected in the same port, the supplicant is not authenticated anymore. The dot1x status shows "Connecting" forever. If I move the cable to a different port, the authentication works immediately, but the scenario repeats at reboot of the supplicant. If I return to the initial port with the supplicant, I get the same result: Connecting.... The supplicant isn't even placed on the server-fail VLAN.

The authentication is happening against a Juniper UAC as RADIUS. We have tens of EX4200s that work fine. As a matter of fact, this one worked fine until recently. The change is that I added a voice VLAN and placed it behind a site-to-site VPN (SRX to SRX). Other switches in the same site continue to work OK.

Any ideas?

EX3300 Remove Line Card


We removed an unnecessary switch from a virtual-chassis where it was configured as a line card. It is now independent. How do you give this member the master role to regain control of the switch?

 

Thank you.

ksyncd_select_control_plane_proto error


I am getting the below message logged every ten minutes on the backup RE of a two-member EX4200 VC. As the version is EOS (11.4R5) JTAC is not touching it. I plan to replace the switches with new units but I'd still like to know what this is, and if it's a critical failure. Can anyone help?

 

--Paul

 

Dec 19 14:03:11  <hostname redacted> ksyncd[1876]: ksyncd_select_control_plane_proto: rhost_sysctlbyname_get: No such file or directory
Dec 19 14:13:11  <hostname redacted> last message repeated 40 times
Dec 19 14:23:11  <hostname redacted> last message repeated 40 times
Dec 19 14:33:11  <hostname redacted> last message repeated 40 times
Dec 19 14:43:11  <hostname redacted> last message repeated 40 times
Dec 19 14:53:11  <hostname redacted> last message repeated 40 times
Dec 19 15:03:11  <hostname redacted> last message repeated 40 times
Dec 19 15:13:11  <hostname redacted> last message repeated 40 times
Dec 19 15:23:11  <hostname redacted> last message repeated 40 times
Dec 19 15:33:11  <hostname redacted> last message repeated 40 times
Dec 19 15:43:11  <hostname redacted> last message repeated 40 times
Dec 19 15:53:11  <hostname redacted> last message repeated 40 times
Dec 19 16:03:11  <hostname redacted> last message repeated 40 times
Dec 19 16:13:11  <hostname redacted> last message repeated 40 times
Dec 19 16:23:11  <hostname redacted> last message repeated 40 times
Dec 19 16:33:11  <hostname redacted> last message repeated 40 times
Dec 19 16:43:11  <hostname redacted> last message repeated 40 times
Dec 19 16:53:11  <hostname redacted> last message repeated 40 times
Dec 19 17:03:11  <hostname redacted> last message repeated 40 times
Dec 19 17:13:11  <hostname redacted> last message repeated 40 times
Dec 19 17:23:11  <hostname redacted> last message repeated 40 times
Dec 19 17:33:12  <hostname redacted> last message repeated 40 times
Dec 19 17:43:12  <hostname redacted> last message repeated 40 times
Dec 19 17:53:12  <hostname redacted> last message repeated 40 times
Dec 19 18:03:12  <hostname redacted> last message repeated 40 times
Dec 19 18:13:12  <hostname redacted> last message repeated 40 times

VRRP and BFD for subsecond VRRP failover

Hello,

 

I'm trying to find a way of getting faster failover than the standard 600ms which VRRP provides.

 

A little googling suggests that BFD can be combined with VRRP; however, I cannot find a Juniper implementation of this.

 

Has anyone tried this? I'm trying to get some clarity on whether this is something supported on Juniper devices.

 

Many Thanks,

Tom


restrict access to EX switch

Hi

 

I'm trying to implement access restriction via telnet/ssh to my switch via a filter on the lo0 interface, as explained on this page:

http://www.juniper.net/documentation/en_US/junos15.1/topics/example/firewall-filter-stateless-example-trusted-source-block-telnet-and-ssh-access.html

 

But I'm not succeeding with the reject command. It is giving me this error:

[edit interfaces lo0 unit 0 family inet]
  'filter'
    Referenced filter 'local_acl' can not be used as reject not supported on ingress loopback interface
error: configuration check-out failed

 

Only if I change to 'discard' instead of reject does the commit succeed, but I can still access the switch from any IP!!

 

Why?

 

Here is what I configured:

 

set firewall family inet filter local_acl term terminal_access from address x.x.x.x/32
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access from port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied from port telnet
set firewall family inet filter local_acl term terminal_access_denied then discard
set firewall family inet filter local_acl term default-term then accept
set interfaces lo0 unit 0 family inet filter input local_acl
set interfaces lo0 unit 0 family inet address 127.0.0.1/32

 

 

EX4550 - Hashing - LAG

Can anyone confirm whether the EX4550 hashing for a LAG is 3-bit or 8-bit?

 

Asking as I want to confirm whether there will be an issue with an uneven number of members in a 3-, 5- or 7-member LAG.

EX4200 Hardware Difference - Old and New models

Hi All,

 

We have some old (about 5 years) working EX4200-48T switches off the rack. Should we buy new EX4200-48T switches for our new project or use the old ones? Are there any hardware enhancements on the new models? Will the old models support current JunOS code?

 

root@SW2-JUN> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                BP0212394540   EX4200-48T
Routing Engine 0 REV 18   750-033063   BP0212396540   EX4200-48T, 8 POE
FPC 0            REV 18   750-033063   BP0212396540   EX4200-48T, 8 POE
  CPU                     BUILTIN      BUILTIN        FPC CPU
  PIC 0                   BUILTIN      BUILTIN        48x 10/100/1000 Base-T
  PIC 1          REV 06   711-021271   AS0213204542   2x 10GE XFP
    Xcvr 0                NON-JNPR     UPR067D        XFP-10G-LR
Power Supply 0   REV 05   740-020957   AT0512350924   PS 320W AC
Fan Tray                                              Fan Tray

 

Thanks,

 

Aslam

VLAN firewall filter issue on EX switch

Hello Guys,

 

We have two EX4200 switches installed as a virtual chassis and we are configuring it as a router / firewall filter, but we are facing some issues with the firewall filter, as it isn't working properly.

 

The EX is configured with one L3 interface to the LAN network and one physical interface to the outside network, as in the following layout:

 

Me:
192.168.0.xxx

 

EX:
ge-0/0/23 - Outside network - 192.168.0.251
LAN (L3 vlan interface) - 172.16.100.1
ae0 (LAG interface) - LAN as member

 

srv01:
bond0 - 172.16.100.10

 

We would like to filter just the input traffic from the outside network: allow anything, drop everything to some destinations, and then allow specific ports as needed, for example:

 

# Allow specific ports

set firewall family inet filter eveo_in term allow_srv01 from destination-address 172.16.100.10/32
set firewall family inet filter eveo_in term allow_srv01 from protocol icmp
set firewall family inet filter eveo_in term allow_srv01 from protocol tcp
set firewall family inet filter eveo_in term allow_srv01 from destination-port 22
set firewall family inet filter eveo_in term allow_srv01 from destination-port 80
set firewall family inet filter eveo_in term allow_srv01 then count allow_srv01
set firewall family inet filter eveo_in term allow_srv01 then accept

 

# Block any to specific IPs to allow specific ports after

set firewall family inet filter eveo_in term Deny_Access from destination-address 172.16.100.10/32
set firewall family inet filter eveo_in term Deny_Access then count Deny_Access
set firewall family inet filter eveo_in term Deny_Access then discard

 

# Default 

set firewall family inet filter eveo_in term Default then accept

 

So if I apply the input filter on the outside interface, the access works as allowed (but a little slow) and the outbound traffic is also being blocked. From the server with IP 172.16.100.10 I can't do curl, telnet or DNS resolution to the external network. Only ping works, and without the filter everything works fine.

 

I tried applying the filter in different directions, input/output, on the outside interface and on the LAN interface too, but the correct direction for this example should be input on the outside interface and output on the LAN interface, right?

 

Any help is greatly appreciated.

Thank you

Regards

Robson
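Both filter questions above (the lo0 filter in "restrict access to EX switch" and the eveo_in filter in this post) come down to how Junos walks a filter: terms in configuration order, every `from` condition of a term ANDed, the values under one condition ORed, first match wins, and an implicit discard if nothing matches. What follows is an added example, not code from either post or from Juniper: a small Python model of that evaluation which parses set-commands and runs constructed packets through both filters. It uses documentation-range addresses, puts 192.0.2.10 in place of the redacted x.x.x.x, and models only address, protocol, port and tcp-established conditions; it says nothing about how the PFE treats a port match against a portless protocol such as ICMP, so no ICMP packets are in the sample. The eveo_in run shows why srv01 cannot get answers out: the reply to its curl is a TCP segment to an ephemeral port, which neither allow_srv01 nor anything ahead of Deny_Access accepts. A term matching `tcp-established` (ACK or RST set) placed before Deny_Access, assumed here to be supported by the platform's release, lets TCP replies through; a UDP reply such as DNS has no flags to key on, so a stateless filter needs its own term for it, or a stateful device in front.

```python
"""Added example: first-match evaluator for Junos stateless firewall filters given as set-commands."""
import ipaddress
import re

SERVICES = {"ssh": 22, "telnet": 23, "http": 80, "domain": 53}
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17}
SET_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from|then) (\S+)(?: (\S+))?$")

def _num(table, v):
    return int(v) if v.isdigit() else table[v]

def parse_filter(text):
    """{filter_name: [term, ...]} in order; a term's lines must be contiguous (display set order)."""
    filters = {}
    for line in text.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # blank line or not a filter-term statement
        fname, tname, kind, key, value = m.groups()
        terms = filters.setdefault(fname, [])
        if not terms or terms[-1]["name"] != tname:
            terms.append({"name": tname, "match": {}, "action": None})
        if kind == "from":
            terms[-1]["match"].setdefault(key, set()).add(value)
        elif key in ("accept", "discard", "reject"):
            terms[-1]["action"] = key  # "then count"/"then log" are side effects, not verdicts
    return filters

def _match(term, pkt):
    """All conditions of the term must hold; any one value under a condition is enough."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    fields = {"address": (src, dst), "source-address": (src,), "destination-address": (dst,),
              "port": (pkt.get("sport"), pkt.get("dport")), "source-port": (pkt.get("sport"),),
              "destination-port": (pkt.get("dport"),)}
    for key, values in term["match"].items():
        if key.endswith("address"):
            ok = any(a in ipaddress.ip_network(v) for a in fields[key] for v in values)
        elif key.endswith("port"):
            ok = any(_num(SERVICES, v) in fields[key] for v in values)
        elif key == "protocol":
            ok = any(_num(PROTOCOLS, v) == pkt["proto"] for v in values)
        elif key == "tcp-established":  # Junos: TCP segment with ACK or RST set
            ok = pkt["proto"] == 6 and pkt.get("established", False)
        else:
            raise ValueError(f"match condition not modelled: {key}")
        if not ok:
            return False
    return True

def evaluate(terms, pkt):
    """(term name, action) of the first matching term; nothing matched means implicit discard."""
    for term in terms:
        if _match(term, pkt):
            return term["name"], term["action"]
    return None, "discard"

# Constructed configs. Assumption: 192.0.2.10 stands in for the redacted x.x.x.x.
LO0_FILTER = """
set firewall family inet filter local_acl term terminal_access from address 192.0.2.10/32
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied then discard
set firewall family inet filter local_acl term default-term then accept
"""
# eveo_in as posted (count actions omitted); {extra} is where the hardened variant places
# allow_return, which on the box means `insert ... term allow_return before term Deny_Access`.
EVEO_IN = """
set firewall family inet filter eveo_in term allow_srv01 from destination-address 172.16.100.10/32
set firewall family inet filter eveo_in term allow_srv01 from protocol icmp
set firewall family inet filter eveo_in term allow_srv01 from protocol tcp
set firewall family inet filter eveo_in term allow_srv01 from destination-port 22
set firewall family inet filter eveo_in term allow_srv01 from destination-port 80
set firewall family inet filter eveo_in term allow_srv01 then accept
{extra}
set firewall family inet filter eveo_in term Deny_Access from destination-address 172.16.100.10/32
set firewall family inet filter eveo_in term Deny_Access then discard
set firewall family inet filter eveo_in term Default then accept
"""
RETURN_TERM = """
set firewall family inet filter eveo_in term allow_return from destination-address 172.16.100.10/32
set firewall family inet filter eveo_in term allow_return from protocol tcp
set firewall family inet filter eveo_in term allow_return from tcp-established
set firewall family inet filter eveo_in term allow_return then accept
"""

def verdicts(hardened=False):
    """Constructed packets (documentation-range addresses) run through both filters."""
    lo0 = parse_filter(LO0_FILTER)["local_acl"]
    eveo = parse_filter(EVEO_IN.format(extra=RETURN_TERM if hardened else ""))["eveo_in"]
    ssh_in = {"src": "192.0.2.10", "dst": "10.0.0.1", "proto": 6, "sport": 40000, "dport": 22}
    srv = "172.16.100.10"
    return {
        "lo0_trusted_ssh": evaluate(lo0, ssh_in),
        "lo0_stranger_ssh": evaluate(lo0, dict(ssh_in, src="203.0.113.5")),
        "srv_inbound_ssh": evaluate(eveo, {"src": "192.168.0.77", "dst": srv, "proto": 6, "sport": 51000, "dport": 22}),
        # SYN/ACK coming back from a web server that srv01 curled: ACK bit set
        "srv_curl_reply": evaluate(eveo, {"src": "198.51.100.8", "dst": srv, "proto": 6, "sport": 80, "dport": 51001, "established": True}),
        # UDP answer from a resolver: no flags to key on, so tcp-established cannot help here
        "srv_dns_reply": evaluate(eveo, {"src": "198.51.100.53", "dst": srv, "proto": 17, "sport": 53, "dport": 51002}),
    }
```

Call `verdicts()` and `verdicts(hardened=True)` and compare the srv_curl_reply entry: Deny_Access/discard as posted, allow_return/accept once the return term sits ahead of Deny_Access. Junos appends new terms at the end of a filter, so on the switch the term has to be moved with `insert firewall family inet filter eveo_in term allow_return before term Deny_Access` before committing, and `show firewall filter eveo_in` then shows which counters move while srv01 tries its curl.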

EX switch "Port high non-unicast traffic"

This is on several of our switches, the config is set to storm-control default.

 

For instance, on a 10-gig SFP port it exceeds the threshold daily. So would taking out the default for storm control be a better way to threshold the traffic alert?

 

Not sure what to put in there for bandwidth.

 

Any ideas?
