Channel: Ethernet Switching topics

Firewall Ethernet-switching Input Not working

Hello all,

 

I am new to the firewall settings in Junos and made the following setup, with the outcome that only the ICMP rule works, but I have no connectivity on the other rules into the VLAN. The idea was to let the VLANs send outbound whatever they like, and on VLANs I would like to protect, I would set an ingress firewall rule on the VLAN. I have tried for hours to see why or why not to use ethernet-switching as the family, or inet. Inet I cannot use on VLANs, so here is my take:

 

root@juniper# show firewall
family ethernet-switching {
    filter VoIP {
        term VoIP-UDP {
            from {
                destination-port [ 5060 5090 9000-9500 ];
                ip-protocol udp;
            }
            then {
                accept;
                log;
                count voip_udp;
            }
        }
        term VoIP-TCP {
            from {
                destination-port [ 5060 5061 5090 80 443 ];
                ip-protocol tcp;
            }
            then {
                accept;
                log;
                count voip_tcp;
            }
        }
        term VoIP-ICMP {
            from {
                ip-protocol [ icmp icmp6 ];
            }
            then {
                accept;
                count voip_icmp;
            }
        }
        term VoIP-Remote {
            from {
                destination-port 22;
                ip-source-address {
                    10.32.0.22/32;
                }
                ip-destination-address {
                    10.12.0.20/32;
                }
                ip-protocol tcp;
            }
            then {
                accept;
                log;
                count voip_remote;
            }
        }
    }
}

mapped to the Vlan

root@juniper# show vlans Production-VoIP
vlan-id 12;
l3-interface irb.12;
forwarding-options {
    filter {
        input VoIP;
    }
    dhcp-security;
}

and only ICMP works, for all others even the count is 0

root@juniper# run show firewall

Filter: VoIP
Counters:
Name                                                Bytes              Packets
voip_icmp                                           15744                  192
voip_remote                                             0                    0
voip_tcp                                                0                    0
voip_udp                                                0                    0

Would someone be so kind as to tell me where I went wrong?


Dynamic vlan and port bounce

Hi, I am currently testing 802.1X authentication. I have done the setup on an EX2300C running Junos 15.1X53-D56. Everything looks to work as expected. Our RADIUS server, FreeRADIUS, returns proper VLAN information and then the port is moved to the right VLAN. However, I am having an issue where once the user has logged in, if his assigned VLAN is different from the default one assigned to the PC, the system doesn't renew its IP address. I guess that when the VLAN changes the port should be automatically bounced in order to force clients to renew their IP address. Am I doing something wrong? Here is the configuration I use...

 

lpaulin@wlt4-testing-01# show protocols dot1x
traceoptions {
    file dot1x size 10m files 2;
    flag vlan;
    flag state;
    flag normal;
    flag general;
    flag eapol;
    flag dot1x-ipc;
    flag dot1x-event;
    flag config-internal;
    flag task;
    flag timer;
    flag parse;
}
authenticator {
    authentication-profile-name stingray-users;
    interface {
        ge-0/0/10.0 {
            supplicant multiple;
            mac-radius {
                flap-on-disconnect;
            }
            reauthentication 60;
            guest-vlan 142;
        }
    }
}

lpaulin@wlt4-testing-01# show access
radius-server {
    10.250.a.a {
        secret "somethingSecret"; ## SECRET-DATA
        source-address 10.250.c.c;
    }
    10.250.a.b {
        secret "somethingSecret"; ## SECRET-DATA
        source-address 10.250.c.c;
    }
}
profile stingray-users {
    authentication-order radius;
    radius {
        authentication-server [ 10.250.a.a 10.250.a.b ];
    }
}

lpaulin@wlt4-testing-01# show interfaces ge-0/0/10
description SpareLaptop;
unit 0 {
    family ethernet-switching {
        interface-mode access;
        storm-control default;
    }
}


Second DHCP pool not supplying gateway or DNS to users EX3400 15.1X53

This is an issue I have encountered a couple of times now and I am yet to find a solution. When configuring the switch as a DHCP server with 2 DHCP pools, one for the Trust and one for the guest wireless, only the Trust supplies the correct DHCP information to the client. The guest server supplies an address and subnet mask but no default gateway and no DNS.

 

root@HGBIJUSW01> show configuration access
address-assignment {
    pool HGBI-LAN-POOL {
        family inet {
            network 10.110.36.0/22;
            range HGBI-LAN-RANGE {
                low 10.110.36.20;
                high 10.110.39.253;
            }
            dhcp-attributes {
                maximum-lease-time 604800;
                domain-name hogarthww.prv;
                name-server {
                    10.252.32.33;
                    10.252.32.32;
                }
                router {
                    10.110.36.1;
                }
            }
            host HGBI-SERVER {
                hardware-address 24:5e:be:09:15:84;
                ip-address 10.110.36.20;
            }
        }
    }
    pool HGBI-WIRELESS-POOL {
        family inet {
            network 10.110.35.0/24;
            range HGBI-WIRELESS-RANGE {
                low 10.110.35.10;
                high 10.110.35.110;
            }
            dhcp-attributes {
                maximum-lease-time 14400;
                domain-name hogarthguest.wireless;
                name-server {
                    208.67.222.222;
                    208.67.222.220;
                }
                router {
                    10.110.35.1;
                }
            }
        }
    }
}

root@HGBIJUSW01> show configuration system services dhcp-local-server
group HGBI-LAN-DHCP {
    interface irb.95;
}
group HGBI-WIRELESS-DHCP {
    interface irb.4;
}

root@HGBIJUSW01> show configuration interfaces irb
unit 4 {
    family inet {
        address 10.110.35.254/24;
    }
}
unit 95 {
    family inet {
        address 10.110.39.254/22;
    }
}

root@HGBIJUSW01> show configuration vlans
LAN {
    vlan-id 95;
    l3-interface irb.95;
}
WIRELESS {
    vlan-id 4;
    l3-interface irb.4;
}

From the logs it looks like it is not responding with the DNS or gateway (options 6 and 3, respectively). Does anyone know what causes this behaviour?

                                        

Jan  2 22:58:48.311514 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ DHCP/BOOTP   from == 0.0.0.0, port == 68 ]--
Jan  2 22:58:48.311565 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ DHCP/BOOTP   size == 263, op == 2 ]--
Jan  2 22:58:48.311616 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ DHCP/BOOTP  flags == 0 ]--
Jan  2 22:58:48.311665 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ DHCP/BOOTP  htype == 1, hlen == 6 ]--
Jan  2 22:58:48.311716 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ DHCP/BOOTP   hops == 0, xid == c78f3aa2 ]--
Jan  2 22:58:48.311766 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ DHCP/BOOTP   secs == 0, flags == 0000 ]--
Jan  2 22:58:48.311820 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ DHCP/BOOTP ciaddr == 0.0.0.0 ]--
Jan  2 22:58:48.311872 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ DHCP/BOOTP yiaddr == 10.110.35.10 ]--
Jan  2 22:58:48.311925 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ DHCP/BOOTP siaddr == 0.0.0.0 ]--
Jan  2 22:58:48.311977 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ DHCP/BOOTP giaddr == 0.0.0.0 ]--
Jan  2 22:58:48.312044 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ DHCP/BOOTP chaddr == cc 20 e8 39 01 20 00 00 00 00 00 00 00 00 00 00 ]--
Jan  2 22:58:48.312096 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ DHCP/BOOTP  sname ==  ]--
Jan  2 22:58:48.312145 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ DHCP/BOOTP   file ==  ]--
Jan  2 22:58:48.312203 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ OPTION code  53, len   1, data DHCP-OFFER ]--
Jan  2 22:58:48.312270 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ OPTION code  51, len   4, data 00 01 51 80 ]--
Jan  2 22:58:48.312336 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ OPTION code   1, len   4, data ff ff ff 00 ]--
Jan  2 22:58:48.312399 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ OPTION code  54, len   4, data 0a 6e 23 fe ]--
Jan  2 22:58:48.312451 [MSTR][INFO] [default:default][SVR][INET][irb.4] --[ OPTION code 255, len   0 ]--

Remote Port Mirroring with AE interfaces

Is there a way to configure remote port mirroring where the egress port is an AE interface? My configuration tells me that it is not allowed but I was hoping that there is a way around it.

Converting Cisco SAN switches to EX4300 VC

Hello,

 

I'm looking to convert a pair of Cisco switches to an existing EX-4300 Virtual Chassis. The configs on the Ciscos are identical. I thought I wouldn't have to use the trunk ports in a virtual chassis since it's basically one switch. That leaves us with VLANs 11/12/100. VLAN 100 is our main VLAN for the servers and 2x management ports on the SAN. VLAN 11 consists of 1 port of each blade in the SAN and one port on each server NIC. VLAN 12 is the 2nd port on each SAN blade and one port on each NIC. Below is the config for the Cisco switches:

Current configuration : 4694 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname JDEswitch1
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
switch 1 provision ws-c2960s-24ts-l
!
!
!
!
crypto pki trustpoint TP-self-signed-514237056
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-514237056
 revocation-check none
 rsakeypair TP-self-signed-514237056
!
!
crypto pki certificate chain TP-self-signed-514237056
 certificate self-signed 01
  quit
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
lldp run
!
!
interface Port-channel1
 switchport trunk allowed vlan 11
 switchport mode trunk
 spanning-tree portfast disable
!
interface Port-channel2
 switchport trunk allowed vlan 12
 switchport mode trunk
 spanning-tree portfast disable
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
 switchport access vlan 11
!
interface GigabitEthernet1/0/2
 switchport access vlan 11
!
interface GigabitEthernet1/0/3
 switchport access vlan 11
!
interface GigabitEthernet1/0/4
 switchport access vlan 11
!
interface GigabitEthernet1/0/5
 switchport access vlan 11
!
interface GigabitEthernet1/0/6
 switchport access vlan 11
!
interface GigabitEthernet1/0/7
 switchport trunk allowed vlan 11
 switchport mode trunk
 spanning-tree portfast disable
 channel-group 1 mode active
!
interface GigabitEthernet1/0/8
 switchport trunk allowed vlan 11
 switchport mode trunk
 spanning-tree portfast disable
 channel-group 1 mode active
!
interface GigabitEthernet1/0/9
 switchport access vlan 12
!
interface GigabitEthernet1/0/10
 switchport access vlan 12
!
interface GigabitEthernet1/0/11
 switchport access vlan 12
!
interface GigabitEthernet1/0/12
 switchport access vlan 12
!
interface GigabitEthernet1/0/13
 switchport access vlan 12
!
interface GigabitEthernet1/0/14
 switchport access vlan 12
!
interface GigabitEthernet1/0/15
 switchport trunk allowed vlan 12
 switchport mode trunk
 spanning-tree portfast disable
 channel-group 2 mode active
!
interface GigabitEthernet1/0/16
 switchport trunk allowed vlan 12
 switchport mode trunk
 spanning-tree portfast disable
 channel-group 2 mode active
!
interface GigabitEthernet1/0/17
 switchport access vlan 100
!
interface GigabitEthernet1/0/18
 switchport access vlan 100
!
interface GigabitEthernet1/0/19
 switchport access vlan 100
!
interface GigabitEthernet1/0/20
 switchport access vlan 100
!
interface GigabitEthernet1/0/21
 switchport access vlan 100
!
interface GigabitEthernet1/0/22
 switchport access vlan 100
!
interface GigabitEthernet1/0/23
 switchport access vlan 100
!
interface GigabitEthernet1/0/24
 switchport access vlan 100
!
interface GigabitEthernet1/0/25
 switchport access vlan 100
!
interface GigabitEthernet1/0/26
 switchport trunk allowed vlan 100
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/27
 switchport access vlan 100
!
interface GigabitEthernet1/0/28
 switchport access vlan 100
!
interface Vlan1
 no ip address
!
interface Vlan100
 description Hawkeye Subent
 no ip address
 no ip route-cache
!
ip http server
ip http secure-server
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end

And here's what I have in the VC- but the iSCSI doesn't seem to be working. What am I missing?

 ge-0/0/12 {
        description "JDE SAN T1";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 11;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/13 {
        description "JDESQL01 SAN BL1";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 11;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/14 {
        description "JDE SAN T2";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 12;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/15 {
        description "JDEDEP01 SAN BL2";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 12;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/16 {
        description "JDE SAN T3";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/17 {
        description JDESQL01;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
                storm-control default;
            }
        }
    }

/// Skipping to switch 2

ge-1/0/12 {
        description "JDE SAN B1";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 11;
                }
                storm-control default;
            }
        }
    }
    ge-1/0/13 {
        description "JDEDEP01 SAN BL1";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 11;
                }
                storm-control default;
            }
        }
    }
    ge-1/0/14 {
        description "JDE SAN B2";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 12;
                }
                storm-control default;
            }
        }
    }
    ge-1/0/15 {
        description "JDESQL01 SAN BL2";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 12;
                }
                storm-control default;
            }
        }
    }
    ge-1/0/16 {
        description "JDE SAN B3";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
                storm-control default;
            }
        }
    }
    ge-1/0/17 {
        description JDEDEP01;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
                storm-control default;
            }
        }
    }

What am I missing?

Multigigabit Switches

I'm excited to see that Juniper has finally launched new models with multi-gig support, but disappointed to find out they currently only exist on the EX2300 and EX4300 lines. Any chance this functionality will be extended to the EX3400 line? We've found that the EX3400 hits that sweet spot between price/performance and features. The EX2300 line looks decent as well, but no hot-swap power supplies and a maximum 4 switch virtual chassis are deal-breakers. Not to mention virtual chassis appears to require a separate license now? I hope this won't be a trend going forward.

Cisco 3750 etherchannel to EX4600 LAG load balance settings

I am working to replace our Cisco core switch stack (3750s) with an EX4600/4300 mixed virtual chassis. All closets are currently Cisco 3750s which trunk back to the core.

Currently the Cisco trunks (EtherChannel) are configured with LACP and on all Cisco switches (core and closets) the following load balancing option is set in the config:

port-channel load-balance src-dst-ip

 

In my test environment where I am working on the Juniper EX virtual chassis, I have created several LAGs configured with LACP active connecting to 3750 switches and all seems to be working well.

However, with the port-channel load-balance src-dst-ip set in the Cisco configuration, the ICMP times are more than double compared to simply removing this from the Cisco config.

This brings me to my questions:

 

Is it possible on the Juniper EX switches to set the load balance settings to match the Cisco src-dst-ip configuration? Or should this simply be disabled on the Cisco switches? What is the proper config?

 

EX Series vlan members and vlan-range simultaneously

Hello, dear community.

Is there any way around this restriction? It is necessary to use a range and individual members on different interfaces.

 

12.3R12-S8.1

 

range_1 {
vlan-range 4-75;
}



show interfaces xe-0/0/16
unit 0 {
family ethernet-switching {
vlan {
members vlan30;
}
}



show interfaces ae27
aggregated-ether-options {
link-speed 1g;
lacp {
active;
periodic slow;
}
}
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ range_1 ];
}
}



commit check
error: tag value 30 is being used by more than one vlan <__range_1_30__> and <vlan30>
error: configuration check-out failed

 


EX4600 and 4300 mixed VC issue on removal of EX4300?

I have just configured an EX4600 and EX4300 mixed chassis. There are 2 EX4600s and 1 EX4300. I have configured the VC using the preprovisioned method of

Set virtual-chassis member # serial-number 123456 role master/linecard

 

The EX4600 are both set to routing engine roles and the EX4300 is a line card.  When running everything looks well and configured interfaces work correctly.  However, I just shutdown the VC to move some hardware and when powering back up I did not power up the EX4300.  I assumed that the VC would come up fine and that simply the EX4300 would show as not present.

 

Instead, on boot up of just the 2 EX4600's with the EX4300 remaining off, I received the message:

warning: This chassis is operating in a non-master role as part of a virtual-chassis system....

 

Then on login to the master it shows as linecard:0. Show virtual-chassis then shows both the EX4600s in linecard roles and the EX4300 is not present (as suspected).

Only when I boot up the EX4300 does the VC appear to become active again, the EX4600s become master and backup as they should, and then traffic starts flowing (configured ports become active).

 

What is causing this?  My thought with VC is it should be redundant and should handle a switch failure or removal, especially of a linecard switch?

ICMP duplicates for traffic traversing EX2300x2 Virtual Chassis

Hi,

I am seeing ICMP duplicates for traffic traversing our virtual chassis (consisting of two ex2300-48p switches).

Physical diagram:

Capture.PNG

Some findings:

  • laptop connected to ge-0/0/9, vlanA = no duplicates
  • laptop connected to ge-1/0/9, vlanA = duplicates
  • laptop connected to ge-0/0/9, vlanB = duplicates
  • laptop connected to ge-1/0/9, vlanB = no duplicates

 

I ping from the firewall which is the default gateway for both VLANs. We have production traffic in the switches and I haven't heard anything about any issues for them. ICMP duplicates indicate that something is wrong though, so I want this solved before it blows up in my face.

 

The VCP ports are connected with DAC cables.

 

Some outputs:

root@switch> show configuration virtual-chassis
preprovisioned;
no-split-detection;
member 0 {
    role routing-engine;
    serial-number JW0217060269;
}
member 1 {
    role routing-engine;
    serial-number JW0217100386;
}
root@switch> show virtual-chassis status detail
Preprovisioned Virtual Chassis
Virtual Chassis ID: 1b65.2a7a.638c
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode Location
0 (FPC 0)  Prsnt    JW0217060269 ex2300-48p     129   Master*      N  VC
    Neighbor ID:   1   Interface: vcp-255/1/0
    Neighbor ID:   1   Interface: vcp-255/1/1
1 (FPC 1)  Prsnt    JW0217100386 ex2300-48p     129   Backup       N  VC
    Neighbor ID:   0   Interface: vcp-255/1/0
    Neighbor ID:   0   Interface: vcp-255/1/1
{master:0}

 

root@switch> show virtual-chassis vc-port
fpc0:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
1/0         Configured          5    Up           10000        1   vcp-255/1/0
1/1         Configured          5    Up           10000        1   vcp-255/1/1
fpc1:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
1/0         Configured          5    Up           10000        0   vcp-255/1/0
1/1         Configured          5    Up           10000        0   vcp-255/1/1

 

Any way to troubleshoot this without changing hardware or firmware?

 

Thanks in advance

 

Cheers!

EX4200: chassisd PoE status - explanation

Hi experts,

 

Can someone please shed light on the following log messages:

chassisd[1298]: PoE port name ge-0/0/2 status 1
chassisd[1298]: PoE port name ge-0/0/2 status 27
chassisd[1298]: PoE port name ge-0/0/2 status 37

 

What is the meaning of the different states?

 

Thanks in advance,

Stefan

EX2200 1/10G module

Hello, I am trying to bring up a combo 1/10G Intel transceiver (AFBR-709DMZ-IN2) on our EX2200 switch. The transceiver works well at Gigabit speed with other vendors' switches, but here Junos does not even show the fiber interfaces:

> show interfaces ge-0/1/0 
error: device ge-0/1/0 not found

{master:0}


During the last two days I've searched across all forums and tried all possible solutions, with no effect. Updating Junos to 12.3 and 15.1 has no effect either.

Could you please advise me if it is possible at all to bring it up here?


Here is some diagnostic information:

 

/var/log/messages:
Mar 2 15:01:09 chassism[1201]: XCVR: Unit 0, SFP+ Optic of type 1 inserted in SFP Cage!!

 

> show chassis pic pic-slot 1 fpc-slot 0 
FPC slot 0, PIC slot 1 information:
Type 4x GE SFP Builtin
State Online 
Uptime 20 minutes, 9 seconds

PIC port information:
                         Fiber                    Xcvr vendor       Wave-    Xcvr
  Port Cable type        type  Xcvr vendor        part number       length   Firmware
  0    10GBASE SR        MM    Intel Corp         AFBR-709DMZ-IN2   850 nm   0.0

{master:0} 

 

> show chassis hardware 
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                CW0212507548      EX2200-24T-4G
Routing Engine 0 REV 22   750-026468   CW0212507548      EX2200-24T-4G
FPC 0            REV 22   750-026468   CW0212507548      EX2200-24T-4G
  CPU                     BUILTIN      BUILTIN           FPC CPU
  PIC 0                   BUILTIN      BUILTIN           24x 10/100/1000 Base-T
  PIC 1          REV 22   750-026468   CW0212507548      4x GE SFP
    Xcvr 0                NON-SFP      AA17133027P       SFP+-10G-SR
Power Supply 0                                           PS 100W AC
Fan Tray                                                 Fan Tray

{master:0}

 

> show virtual-chassis

Virtual Chassis ID: 06d5.9776.851b
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode ID  Interface
0 (FPC 0)  Prsnt    CW0212507548 ex2200-24t-4g  128   Master*     NA  VC

Member ID for next new member: 1 (FPC 1)

{master:0}

 

> show virtual-chassis vc-port 
fpc0:
--------------------------------------------------------------------------

{master:0}

 

LLDP-MED-ByPass

Hello Community,

I am stuck on an issue and I don't know where it is coming from.

We use Steel-Belted Radius for our dot1x, where on some ports an IP phone and a PC connect through the IP phone's switch port. For PC-only ports on our EX3400 all is working well, but when we use the IP phones' switch ports our issues start, as they are not configured for 802.1X auth. So we created a static list of MACs and a VLAN binding that the phone should be moved to in order to operate. This is a bit of tedious work.

user@juniper# show
00:04:13:71:5b:XX/48 {
    vlan-assignment 12;
}


 

 

I found this:

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/lldp-med-bypass-edit-protocols.html

 

And was jumping for joy; however, it does not work. The IP phone starts and indeed gets the LLDP-MED VLAN ID passed and reboots. But it is still not added to the static list to bypass and is stuck in the Connecting state.

 

ge-2/0/0.0    Authenticator  Authenticated   54:EE:75:AB:02:XX    DOMAIN\Administrator
ge-2/0/0.0                   Connecting      00:04:13:74:02:XX    No User

Where am I going wrong? Thanks in advance!

Redirecting some UDP or TCP ports onto different target device (using VLANs)

We are developing equipment used to test hardware devices which communicate through network. Something like unit testing, but with hardware. For one scenario we would like to redirect some part of network traffic into a PC but leave other traffic switched directly. The traffic would be selected using IP addresses and TCP/UDP port number. I think this could be done using filter-based VLANs (am I right?).

 

When using a filter-based VLAN which will route some TCP ports to one target device and other ports of the same IP address to another target device, how could MAC addresses be handled? Do I need to set up both target devices to have the same MAC address? Can the switch modify the MAC address when passing packets between VLANs?

DHCP Relay EX4600 with Routing Instances

I have a pretty straightforward network; however, I am using routing-instances (set as virtual router) to route VLANs through a central firewall. As such, I need all of my data VLAN clients to be able to get DHCP addresses from my server VLAN. On Cisco this was incredibly easy and is as simple as setting ip helper address on each VLAN SVI and it just works.

Comparatively, on this EX4600 it appears that there are a TON of DHCP options and configurations. All I really need to do is make sure clients can get an IP from my Windows server. I just want to be sure I don't miss anything:

 

My config which does work in testing:

 

routing-instances {
    Data {
        instance-type virtual-router;
        interface irb.10;
        interface irb.20;
        interface irb.300;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.1.0.4;
            }
        }
        forwarding-options {
            dhcp-relay {
                server-group {
                    DataVlanDHCP {
                        1.1.11.2;
                    }
                }
                active-server-group DataVlanDHCP;
                group DataRelayGroup {
                    interface irb.10;
                    interface irb.20;
                }
            }
        }

 

 

Questions:

1. Is this the proper method for DHCP relay when using routing-instances or should I be using global config (edit forwarding-options)?

2. Is there anything I should need under the global config in addition to what I have under routing instances?

3. What is the forward-only option?  Should this be set as well?


EX4200-24F stuck in LC mode, formerly in a VC config

Hello all, 

 

I have an EX4200-24F that was pulled out of a decommissioned stack running as a linecard. Short and sweet (with snippets below): I cannot for the life of me get this switch back to standalone (master), and it refuses to show interfaces. I continually get "fpc0" related errors, and since it refuses to run any other way than linecard, I have very limited func. Steps I've taken (some from some very seasoned Junos gurus):

install --format file:///file.tgz ( succeeds, but stuck in LC still)

start shell user root -> cd /config/vchassis -> rm -rf *.* -> reboot ( files do delete, but reboot regens them, and still in LC)

numerous formats and installs with release vers from 11.4R13.5 to current 15 track

LCD display normal junos loading/boot msgs, but once booted is blank with backlight on all the time.

no warn/error led on front panel, sys is green others are off.

 

Is there another directory that contains VC info that isn't blown away by the formats, zeroise, factory default requests?

Possible firmware issue, or hardware issue?

 

I thank you all in advance, highly appreciate the help!

 

vlan-ccc l2circuit from double tagged interface to double tagged interface

Hello all,

 

I've been doing MPLS, LDP, OSPF and BGP for a while now and have been successfully deploying l2circuits.

The version we're using is vlan-ccc encapsulated interfaces with a single VLAN tag and connect this to a neighbor with similar config. 

Like below:

 

unit 1187 {
    encapsulation vlan-ccc;
    vlan-id 1187;
    input-vlan-map {
        swap;
        vlan-id 1;
    }
    output-vlan-map swap;
    family ccc {
        mtu 1520;
    }
}
protocols {
    l2circuit {
      neighbor x.x.x.x {
          interface xe-0/0/3.1187 {
              end-interface {
                  interface ge-1/0/9.3708;
              }
          }
       }
    }
}

 

This works fine. 

 

But a while ago, we connected to a party who wants both sides of the l2circuit to be double tagged.

We tried the following, but failed to make a working connection for the customer.

 

A side:

 

unit 1170 {
    encapsulation vlan-ccc;
    vlan-tags outer 0x8100.1170 inner 0x8100.603;
    family ccc {
        mtu 1530;
    }
}     

protocols {
    l2circuit {
        neighbor x.x.x.x {
            interface xe-0/0/3.1170 {
                virtual-circuit-id 1170;
                mtu 1530;
            }
        }
     }
}

B side:

 

 unit 10603 {
    description "FROM: KPN WEAS core-nkh-03.xe-0/0/3:1170";
    encapsulation vlan-ccc;
    vlan-tags outer 0x8100.603 inner 0x8100.603;
    family ccc {
        mtu 1530;
    }
}
protocols {
    l2circuit {
         neighbor y.y.y.y {
              interface xe-0/0/1.10603 {
                    virtual-circuit-id 1170;
                    mtu 1530;
              }
           }
     }
}

MPLS, OSPF, LDP, BGP all work, and even the l2circuit connection came up. But the customer reported a non-working connection. They couldn't send any traffic over the circuit.

What am I missing here? Do I need to do something with VLAN swapping?

 

Thanks in advance!

 

Beeelze

 

sFlow and NetFlow impacts on juniper switch access

Hi,

I'm using Juniper EX2200 and EX4300-BT as access switches.

What happens to my devices if I deploy sFlow and NetFlow on them?

Does this affect the performance of my devices (CPU, RAM), and what are these effects?

Please answer me.

Thank you!

What version?

Can anyone identify what version of JUNOS this is? I've never seen this before.

 

root@xxx> show version 
fpc0:
--------------------------------------------------------------------------
Hostname: xxx
Model: ex4300-48p
Junos: 14.1I20170217_1655_yadavm
JUNOS EX  Software Suite [14.1I20170217_1655_yadavm]
JUNOS FIPS mode utilities [14.1I20170217_1655_yadavm]
JUNOS Online Documentation [14.1I20170217_1655_yadavm]
JUNOS EX 4300 Software Suite [14.1I20170217_1655_yadavm]
JUNOS Web Management Platform Package [14.1I20170217_1655_yadavm]
JUNOS py-base-powerpc [14.1I20170217_1655_yadavm]

 
