Channel: Ethernet Switching topics

Filter based routing on ex2200


Hi all! I have EX2200. Trying to set up Filter Based Routing.

Why can't I see router-instance in firewall settings? Do I need EFL for it?

 

root@EX2200-CORE# set firewall family inet filter Foton_Fbr term 1 then ?
Possible completions:
  accept               Accept the packet
  analyzer             Name of analyzer - (Ingress only)
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  count                Count the packet in the named counter
> discard              Discard the packet
  forwarding-class     Classify packet to forwarding class
  log                  Log the packet
  loss-priority        Packet's loss priority
  policer              Name of policer to use to rate-limit traffic
> reject               Reject the packet
  syslog               System log (syslog) information about the packet
> three-color-policer  Police the packet using a three-color-policer


12.3R12-S6


12.3R12-S6 came out on Thursday with no release notes or documentation -- does anyone know what this release addresses?

Half-Duplex


Hi all,

 

Is there a document which shows on what models half-duplex is supported?

At the last summit it was mentioned that some newer chipsets do not support half-duplex anymore.

 

 

Class of service config error


Can anyone explain the cos check-out failure I'm getting on a QFX-5100? I am also seeing this on an EX-4600.

 

 

set class-of-service interfaces et-0/0/16 unit 0 classifiers dscp test-classifier
set class-of-service interfaces et-0/0/16 unit 0 rewrite-rules dscp test-rewrite

 

gives this error:

 

 

test@test# commit check 
[edit interfaces]
  'et-0/0/16'
    Fixed/BA Classifier or Rewrite allowed only on  Physical interface with family inet configured
error: configuration check-out failed

et-0/0/16 is configured with inet:

 

 

set interfaces et-0/0/16 unit 0 family inet address 10.0.0.2/30

 

Configuring with wildcard interfaces works fine:

{master:0}[edit]
test@test# set class-of-service interfaces et-* unit 0 classifiers dscp test-classifier
{master:0}[edit]
test@test# set class-of-service interfaces et-* unit 0 rewrite-rules dscp test-rewrite  
{master:0}[edit]
test@test# commit check
configuration check succeeds
{master:0}[edit]
test@test#

 

Specifying individual interfaces works as expected on EX4300 and EX4200 platforms.

 

--Paul

 

 

EX4200 DOT1x and Cisco ISE


Hi

 

The issue I’m experiencing is with DOT1x; specifically, CERT authentications are failing, and the endpoint will then fail over to MAC authentication.

Some endpoints are working but we do have a lot of failures.

I am using Juniper EX4200 version 12.3R6.6
I am using Cisco ISE (version 2.1 patch 3) as my RADIUS server
Clients are Windows, primarily 7 and 10
I am using certificates (EAP TLS) as my AUTH method
My fail back method is MAB

My config is as follows, in case anyone can see any immediate issues:
    dot1x {
        traceoptions {
            file dot1x;
            flag state;
            flag dot1x-debug;
            flag eapol;
        }
        authenticator {
            authentication-profile-name ISE;
            no-mac-table-binding;
            interface {
                ISE {
                    supplicant multiple;
                    retries 3;
                    quiet-period 15;
                    transmit-period 30;
                    mac-radius;
                    reauthentication 14400;
                    supplicant-timeout 30;
                    server-timeout 30;
                    maximum-requests 3;
                    server-fail use-cache;


access {
    radius-server {
              }
    }
    profile ISE {
        authentication-order radius;
        radius {
            authentication-server [ x.x.x.x x.x.x.x ];
            accounting-server [ x.x.x.x x.x.x.x ];
        }
        accounting {
            order radius;
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
            immediate-update;
            coa-immediate-update;
 
Regards
Simon

 

 

 

Vlan translation on MX


Hi,

 

Not sure if this is possible. I want to achieve the following. On my MX104 I have several customer sites handed over to me on different vlans from my provider. These sites need to share the same subnet with the default gateway on the MX104.

"Vlan rewrite" option on the ge interface doesn't work as the MX won't allow me to translate two different vlans (vlan 100 and 200) to one (vlan 1000). Below is the basic configuration but it obviously doesn't work as there is no vlan translation/rewrite/swap in there. Anyone have any idea on how to achieve this? Please see the describing picture attached.

 

irb {
     unit 1000 {
           family inet {
                  address 10.1.1.1/24;
           }
     }
}

bridge-domains {
      VLAN_1000 {
                vlan-id 1000;
                routing-interface irb.1000;
         }
}

interfaces {
ge-0/0/0 {
      description "To PROVIDER";
      flexible-vlan-tagging;
      mtu 9192;
      encapsulation flexible-ethernet-services;
      unit 100 {

             description "Customer ACME site 1";
             family bridge {
                    interface-mode trunk;
                    vlan-id-list 100;
             }
     }
     unit 200 {

           description "Customer ACME site 2";
           family bridge {
                  interface-mode trunk;
                  vlan-id-list 200;
          }
   }

EX4600 RDMA over Converged Ethernet (RoCE) support?

mgd core @ dom_make_object_simple,gram_make_command,gram_yyparse


Unable to find the PR in the database, any idea what is needed to fix this?

 

EX2300-48P

 

When this happened, the switches caused a storm that dropped all connectivity sessions to our core services.

Ping was at 15% loss.

 

 

The contents of the PBN are shown below:

Title: mgd core @ dom_make_object_simple,gram_make_command,gram_yyparse
Issue Date: Jul 17, 2014
Updated Time: Feb 22, 2017 06:15:38 PM EST
Juniper Id: 596251
Organization: Massey Services
Resolved In:
Description:
Trigger: [ Duplicate to PR686509 ] * Install sdk package bundle * Remove above package and Re-install
Symptom: [ Duplicate to PR686509 ] Pkg installation fails and mgd core dumped.
Work Around:
Instruction:
Relevances: [("OsPlatform", junos)]
Customer Impact:
Impact Probability:
Owner:
Flagged to Users:

 

 


Cisco guy that inherited some Junipers - need vlaning help!


Long story short, I took on a new position and the network guy decided to move on.

So I have inherited 39 Juniper EX2400 and 4200 ? switches.

I have no experience with Juniper switches as I have always worked at Cisco shops. I am going to assume that the vlaning is the same on a Juniper as it would be on a Cisco switch.

Setup: we have a core set of switches; out to each switch stack we have fiber run and misconfigured port channels (2x10 Gb fiber runs with 3 vlans assigned to each 10 Gb port). The issue I have is that for every vlan on every switch there is an IP assigned to every vlan. Example below: VLAN 100, so that vlan 100 (not default vlan) has 10 gateways assigned to it?

 

Switch           Vlan 100
172.16.0.1    172.16.100.1
172.16.0.2    172.16.100.2
172.16.0.3    172.16.100.3
172.16.0.4    172.16.100.4
172.16.0.5    172.16.100.5
172.16.0.6    172.16.100.6
172.16.0.7    172.16.100.7
172.16.0.8    172.16.100.8
172.16.0.9    172.16.100.9
172.16.0.10    172.16.100.10

 

 

I am used to the setup of having all the vlan gateways live on the core switch stack; all switches attached down the line by fiber would just have the vlans created on them (no gateway), with all of the vlans on the port channels of all the switches and all of the vlans already extended to every part of the building. Am I wrong on this?

10Gb modules on EX 6210 switch


Hi

 

I have to connect a Nexus 9k to my ex4200 switch with a 10Gb link. I would like to know which module I should use?

promiscuous mode


I can see continuous log messages, and at that time the switch connected to that interface goes down.

 

/kernel: ge-0/0/5: promiscuous mode enabled

/kernel: ge-0/0/5: promiscuous mode disabled

 

What is this?

EX4600: multicast not working in vlan default.


Hi,

 

I have an EX4600 switch which I'm using for host connectivity (obviously). Now I need to set up a VRRP/CARP between two hosts. Surprisingly, it's not working. And the reason is that these two hosts simply don't see the multicast packets from each other; they only see self-originating packets in tcpdump. Previously I have successfully set up such a scheme on a variety of switches, including EX4600, and I see no big difference between them, except that the latter one has the EX4600-EM-8F module, but the two hosts with this issue are plugged into pic 0. I was suspecting it's the igmp snooping feature that blocks the multicast, but it turns out there's no such thing configured on my switch:

emz@sw0-lynx# show | match igmp 

{master:0}[edit]
emz@sw0-lynx#

[...]
emz@sw0-lynx> show igmp snooping interface
warning: multicast-snooping subsystem not running - not needed by configuration.

I've also discovered that if I put the hosts' interfaces into a trunk, the multicast does work in a non-default vlan.

Currently I have no idea why this is happening, so I will really appreciate any.

 

Thanks.

 

Follow-up: I just discovered that on a working EX4600 all the vrrp interfaces are in non-default vlans.

CWA in EX switches


Hi,

 

I'm having a weird issue and was wondering if anyone noticed it as well.

I have recently implemented Aruba ClearPass NAC system on a network comprised of Juniper EX4300 and EX3300 switches running JunOS 15.1R6-S3.

See following documentation: https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce160-example-aruba-guest-access.html

 

After fixing some issues in the manual (e.g. URI contains "?&mac=" instead of "?mac="), I still cannot get the CWA or the JNPR_RSVD_FILTER_CWA filter to work. While in the traceoptions I see the Redirect URL, VLAN, and a manually configured firewall filter, and most of them are being applied, I cannot get the switch to apply the redirect URL.

 

The only difference I can think of is that I am trying to create a "Walled Garden" scenario rather than a Guest access one, meaning I expect the CWA redirect to be applied when the user has been authenticated via 802.1x EAP-TLS rather than MAB.

 

Attaching the dot1x traceoptions for reference.

 

Can anyone offer an answer?

Enable flow-control RX on TX off EX4550


Dear All

 

I have a pair of EX 4550 running 12.3R7.7 in a virtual chassis as dedicated iSCSI switches. We have been having some issues with one of the storage units connected to the switches, and the manufacturer says we need to enable flow-control and have RX on and TX off.

When I connect to the switches the only option I have is to enable flow-control under ether-options or no-flow-control.

Does anyone know if this is a feature in a newer version of Junos?

 

From some research I can see it is possible on the 4600 but can not find anything for the 4550.

 

Regards

 

Richard

STP on ex4550


Hi,

 

We have ex4550 as core with ex4300 as edge switches. I would like to set up another ex4550 as an edge switch due to its 10G ports. I am not familiar with the vstp setup on this model.

Since this is an edge, would something like this

 

set protocols vstp vlan all bridge-priority 60k

set protocols vstp vlan 10 interface xe-0/0/0.0 edge

thank you in advance.


VC EX2200 problem

Hi, my VC ex2200 stopped forwarding packets. I found this in the chassis log. Looks like a virtual chassis issue. Could you please help me with what could cause this issue and what exactly could have happened? Thanks
Sep 20 07:02:17  rcv: ch_ipc_dispatch() null ipc read for args 0x6c2800 pipe 0x6c60c0, fru FPC 0 errno 60
Sep 20 07:02:17  ch_connection_shutdown: Destroying the IPC pipe
Sep 20 07:02:17  pic detach portinfo, pic 0 fpc 0
Sep 20 07:02:17  pic detach portinfo, pic 1 fpc 0
Sep 20 07:02:17  fpc_disconnect_generic: fpc 0 state Online cargs 0x6c2800 clean_shutdown 0, offline_reason=None
Sep 20 07:02:17  -- FPC 0, last request 132, state Online
Sep 20 07:02:17 CHASSISD_IPC_CONNECTION_DROPPED: Dropped IPC connection for FPC 0
Sep 20 07:02:17 CHASSISD_IFDEV_DETACH_FPC: ifdev_detach_fpc(0)
Sep 20 07:02:46  ifdev_detach: skipping ifd vcp-255/0/0
Sep 20 07:02:46  ifdev_detach: skipping ifd vcp-255/0/1
Sep 20 07:05:19  ifd ge-0/0/2 marked as gone
Sep 20 07:05:21  ifd ge-0/0/3 marked as gone
Sep 20 07:05:21  ifd ge-0/0/4 marked as gone
Sep 20 07:05:21  ifd ge-0/0/5 marked as gone
Sep 20 07:05:22  ifd ge-0/0/6 marked as gone
Sep 20 07:05:22  ifd ge-0/0/7 marked as gone
Sep 20 07:05:22  ifd ge-0/0/8 marked as gone
Sep 20 07:05:22  ifd ge-0/0/9 marked as gone
Sep 20 07:05:22  ifd ge-0/0/10 marked as gone
Sep 20 07:05:24  ifd ge-0/0/11 marked as gone
Sep 20 07:05:24  ifd ge-0/0/12 marked as gone
Sep 20 07:05:24  ifd ge-0/0/13 marked as gone
Sep 20 07:05:24  ifd ge-0/0/14 marked as gone
Sep 20 07:05:24  ifd ge-0/0/15 marked as gone
Sep 20 07:05:25  ifd ge-0/0/16 marked as gone
Sep 20 07:05:25  ifd ge-0/0/17 marked as gone
Sep 20 07:05:25  ifd ge-0/0/18 marked as gone
Sep 20 07:05:25  ifd ge-0/0/19 marked as gone
Sep 20 07:05:25  ifd ge-0/0/20 marked as gone
Sep 20 07:05:25  ifd ge-0/0/21 marked as gone
Sep 20 07:05:25  ifd ge-0/0/22 marked as gone
Sep 20 07:05:26  ifd ge-0/0/23 marked as gone
Sep 20 07:05:27  fpc_offline_now - slot 0, reason: None, error Chassis connection dropped transition state 1
Sep 20 07:05:27  mic_get_mic_slot: clp1: fpc_slot=0, pic_slot=0, i2c=0xf037
Sep 20 07:05:27  mic_get_mic_slot: clp1: fpc_slot=0, pic_slot=1, i2c=0xf0c2
Sep 20 07:05:27  hwdb: entry for fpc 1335 at slot 0 deleted
Sep 20 07:05:27 CHASSISD_SNMP_TRAP7: SNMP trap generated: FRU removal (jnxFruContentsIndex 7, jnxFruL1Index 1, jnxFruL2Index 0, jnxFruL3Index 0, jnxFruName FPC: EX2200-24T-4G @ 0/*/*, jnxFruType 3, jnxFruSlot 0)
Sep 20 07:05:27 CHASSISD_SNMP_TRAP7: SNMP trap generated: FRU removal (jnxFruContentsIndex 7, jnxFruL1Index 1, jnxFruL2Index 0, jnxFruL3Index 0, jnxFruName FPC: EX2200-24T-4G @ 0/*/*, jnxFruType 3, jnxFruSlot 0)
Sep 20 07:05:27  FPC 1 removed
Sep 20 07:05:27 CHASSISD_SNMP_TRAP7: SNMP trap generated: FRU removal (jnxFruContentsIndex 7, jnxFruL1Index 2, jnxFruL2Index 0, jnxFruL3Index 0, jnxFruName FPC: EX2200-24T-4G @ 1/*/*, jnxFruType 3, jnxFruSlot 1)
Sep 20 07:05:27 CHASSISD_FRU_OFFLINE_NOTICE: Taking FPC 1 offline: Removal
Sep 20 07:05:27  fpc_down slot 1 reason Removal cargs 0x6c2b20
Sep 20 07:05:27  pic detach portinfo, pic 0 fpc 1
Sep 20 07:05:27  pic detach portinfo, pic 1 fpc 1
Sep 20 07:05:27  fpc_disconnect_generic: fpc 1 state Empty cargs 0x6c2b20 clean_shutdown 0, offline_reason=Removal
Sep 20 07:05:27  -- FPC 1, last request 132, state Empty
Sep 20 07:05:27  fpc_disconnect_generic - FPC 1 was removed!
Sep 20 07:05:27 CHASSISD_IPC_CONNECTION_DROPPED: Dropped IPC connection for FPC 1
Sep 20 07:05:27 CHASSISD_IFDEV_DETACH_FPC: ifdev_detach_fpc(1)
Sep 20 07:05:28  ifdev_detach: skipping ifd vcp-255/0/0
Sep 20 07:05:28  ifdev_detach: skipping ifd vcp-255/0/1
Sep 20 07:05:28  ifd ge-1/0/2 marked as gone
Sep 20 07:05:28  ifd ge-1/0/3 marked as gone
Sep 20 07:05:28  ifd ge-1/0/4 marked as gone
Sep 20 07:05:28  ifd ge-1/0/5 marked as gone
Sep 20 07:05:28  ifd ge-1/0/6 marked as gone
Sep 20 07:05:29  ifd ge-1/0/7 marked as gone
Sep 20 07:05:29  ifd ge-1/0/8 marked as gone
Sep 20 07:05:29  ifd ge-1/0/9 marked as gone
Sep 20 07:05:29  ifd ge-1/0/10 marked as gone
Sep 20 07:05:29  ifd ge-1/0/11 marked as gone
Sep 20 07:05:29  ifd ge-1/0/12 marked as gone
Sep 20 07:05:29  ifd ge-1/0/13 marked as gone
Sep 20 07:05:29  ifd ge-1/0/14 marked as gone
Sep 20 07:05:30  ifd ge-1/0/15 marked as gone
Sep 20 07:05:30  ifd ge-1/0/16 marked as gone
Sep 20 07:05:30  ifd ge-1/0/17 marked as gone
Sep 20 07:05:30  ifd ge-1/0/18 marked as gone
Sep 20 07:05:30  ifd ge-1/0/19 marked as gone
Sep 20 07:05:30  ifd ge-1/0/20 marked as gone
Sep 20 07:05:30  ifd ge-1/0/21 marked as gone
Sep 20 07:05:31  ifd ge-1/0/22 marked as gone
Sep 20 07:05:31  ifd ge-1/0/23 marked as gone
Sep 20 07:05:31  fpc_offline_now - slot 1, reason: Removal, error Chassis connection dropped transition state 1

Upgrade of EX4550 to latest recommended version


Hi All

 

I am in the process of upgrading all my switches to the latest version recommended by JTAC and I have 4 EX4550 virtual chassis running 12.3R releases. Can I upgrade these virtual chassis straight to version 15.1, which is the version recommended by JTAC? It does not matter if I can't use NSSU, as I have performed upgrades not using NSSU.

Only asking as I was looking through the release notes for version 15.1 and it says you cannot upgrade/downgrade more than 3 major version releases unless you are going from EEOL to an EEOL. The plan will be to upgrade all the EX4550 VCs to 15.1R6-S2.

 

Sorry if this has already been answered by another post.

 

Richard

EX3300 - FPC1 Power supply failed


Has anybody ever seen this false report?

 

FPC 1 power supply says it failed , but it is up and running passing traffic with nothing in the logs.

admin@rbe-mc-lab> show chassis environment
Class Item                           Status     Measurement
Power FPC 0 Power Supply 0           OK
      FPC 1 Power Supply 0           Failed
      FPC 2 Power Supply 0           OK
      FPC 3 Power Supply 0           OK
      FPC 4 Power Supply 0           OK

 

Junos version 12.3R12.4

 

Weird problem.


Hello,

 

I have a strange problem with a customer network. So here goes: we have inherited a really bad network configuration in a hospital. I would love to reset the whole network and redo it but ofc it is not possible.

I don't have a topology set up because there is a ton of work to be done before I have time to do that. So here is a little overview:

 

virtual chassis stack of 2 EX3300 48p switches ---> EX4200-24F ----> 13x EX 2200 48p switches and on one case another EX 2200 48p switch 

 

So we had to change the management VLAN ip to release some ip addresses when we are going to replace the server hardware... that went smoothly with no problems on the network.

 

Gateway is still on old IP subnet because of routing of external locations which are not mentioned in the improvised topology.

 

Management subnet is 10.10.1.0/24, virtual chassis is 10.10.1.1, EX4200 is 10.10.1.2 and then come the switches in order. So I can ssh in to the first 6 IPs without any problems. But all the others don't work; also we can't reach the jweb.

Trunk ports are all correctly set, telnet from the virtual chassis works to all switches. Everything works except for ssh and jweb (meaning management is a bit obscured). Configurations on all the switches are a mess, vlans are configured by a monkey if you ask me, but it works and I am fixing it slowly.

So does anyone have an idea what might be wrong???

Oh, and the gateway IP is 192.168.10.1, set on all the switches, so it's kinda weird that 6 IPs in 10.10.1.0/24 work like they are supposed to and the others don't.

 

 

Regards Dejan

vqfx physical interfaces not showing up


Hi,

I am spinning up full-1vqfx using vagrant. I am not able to see any physical interfaces available in the output of show interface terse. I have allocated 4 vcpu and 8Gb RAM to my ubuntu vm on which I am using vagrant to spin up the vqfx. Can anyone help me out with where I am going wrong/how I can get physical interfaces to show up in the show interface output?

 

Any help is much appreciated

 

Thanks

 

Bhoomi 
