Hey guys currently trying to connect a Fortigate that I've configured with 3 vlans on one port to a Juniper switch. Then have those vlans on one port.
Little background;
They have fortigate edge devices that connect to the juniper ex2200 which would be used to provide ethernet to users. I would be adding in a few FortiAPs that would be connecting to the Juniper to provide wifi for users in three different VLANs on different SSIDs.
Thanks
Hi Community,
I need deployment a BGP VPLS connection with a Huawei device but I have an error about encapsulation mismatch like describe the next output:
Instance: VS-VPLS-KOMPELLA
Edge protection: Not-Primary
Local site: CE-A (3)
connection-site Type St Time last up # Up trans
1 rmt EM
root@JUNIPER-POC-E01> ...-path | match "entry|encap|entries"
1:77753851:1:1/96 (2 entries, 1 announced)
Communities: target:3851:3851 Layer2-info: encaps: VLAN, control flags:[0x0] , mtu: 1500
1:77753851:3:1/96 (1 entry, 1 announced)
Page 0 idx 0, (group GR-IBGP type Internal) Type 1 val 0x42291d8 (adv_entry)
Communities: target:3851:3851 Layer2-info: encaps: VPLS, control flags:[0x40] Automatic-Site, mtu: 0, site preference: 100
Communities: Layer2-info: encaps: VPLS, control flags:[0x40] Automatic-Site, mtu: 0, site preference: 100
Why i cant change the VPLS encapsultation a VLAN o ETHERNET on BGP Deployments?
root@JUNIPER-POC-E01# commit check
re0:
[edit routing-instances VS-VPLS-KOMPELLA protocols vpls encapsulation-type]
'encapsulation-type ethernet-vlan'
Encapsulation type not valid for BGP vpls
error: configuration check-out failed
Please let me know your comments, additionally if you know ther are trick for interoperatibility about this deployment.
Thanks in advace
Hi All,
Could you please advise how can I check the mac address table of a Juniper router? For example SRX100,200 or 300 series.
I am asking because the main article I find here is about checking mac on switches (and all commands bring no results or give errors) however I just want to see all mac entries learned on a router which doesn't perform switching funcions between multiple vlans and is used for example for internet access or VPN.
> show ethernet-switching table
warning: ethernet-switching subsystem not running - not needed by configuration.
"sh arp" is useless because it works on layer 3 and I need to acquire layer 2 information.
show bridge ... - all sub-commands return zero mac addresses even tho the service is working and having traffic!
For comparison if it's a Cisco 'sh mac address-table' or 'sh mac-address-table' (depending on platform) always returns the needed information.
Hi All,
Having some issues getting QoS working on my EX4300, it is regarding Mulitcast traffic. I am trying to set up QoS so the video MS traffic has priority and I have it set up in Queue No 10 as mcast-af, Video (I set up Video.)
But when doing an "show interfaces ge-0/0/21 extensive" it shows 90% of my Multicast traffic is still going through queue 8 (mcast-be,) and not the one I thought I had specified.
Reading online I have seen a few posts / articles saying that it isn't possible on this version of JunOS, can any one advise me if this is true and if not how do I go about configuring it ?
I am running JunOS 17.3R3.10
Port configuration;
"description TEST_DEVICE;
unit 0 {
family ethernet-switching {
vlan {
members adi-ctrl-int;
}
}
}"
QOS I created;
Video 4 10 2 high normal low
Thanks in advance.
Hi all,
this is what we have, i see all my vlans at 1Gbps :
Physical interface: vlan, Enabled, Physical link is Up
Interface index: 133, SNMP ifIndex: 501
Type: VLAN, Link-level type: VLAN, MTU: 1518, Speed: 1000mbps
Device flags : Present Running
Link type : Full-Duplex
Link flags : None
Current address: 54:e0:32:91:32:c1, Hardware address: 54:e0:32:91:32:c1
Last flapped : Never
Input packets : 104309
Output packets: 22710
issue is they are cap a that speed, and have a total 5 ae interfaces from 2 Gbps to 10Gbps.
What am i missing?
Dear experts.
Is there somebody able confirm my finding that 12 fiber MTP/MTP single mode patchcord polarity B (crossover,rollout) is the right polarity type to connect QFX switches back-to-back 100GE using JNP-QSFP-100G-PSM4 transceivers please?
It is bit asking for kind nod because RX/TX need to swap on both ends.
Thank you
Found an old EX 4200 post saying the snooping table limit was 18k entries .
That is HUGE. If you google you will see 2k is Cisco limit on Nexus gear but other gear posts 512 - 8k bindings.
If anyone has experience to say the 4300 and the 4300-MP are the same or greater than the 4200s please share and if you can tell me the source of your info..
Ive asked the SE to see if they can look at internal documentation to see what the value is posted as..
IMHO. I think that is something that should be on the data sheet for sure..
Thanks who ever peeked at this thread..
Hi!
I am trying to decapsulate IPIP tunnel according to https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ipip-tunnel-services-filter-qfx-series.html
While i configured inet filter on irb or tagged et, it seems decapsulate gre (btw very confusing, decapsulate gre for ipip?), nothing is being decapsulated, traffic just pass "as-is" to X.Y.Z.X.
If i replace "decapsulate gre" by "accept" and "count", i can see data in counter.
description BACKBONE;
vlan-tagging;
unit 0 {
vlan-id Y;
family inet {
filter {
input backbone-in;
}
address X/30;
}
}
filter backbone-in {
term ipipdecap {
from {
destination-address {
X.Y.Z.X/32;
}
protocol ipip;
}
then {
decapsulate gre;
}
}
term default {
then accept;
}
}
Model: qfx5100-48s-6q
Junos: 18.2R1.9
Did anybody had success with ipip decapsulation on this switch?
Hi everyone,
When we install JUNOS installation pakage in VAR/TMP folder on EX SW, does it retain when we reboot the box? I could not find any Juniper docs so far. I know we lose logs stored in tmp folder when we reboot but there is no mention if we lose JUNOS installation pakage in tmp folder when we reboot.
Have a nice weekend!!
Hi everybody.
I just want to confirm my understanding:
In Juniper implementation of Virtual chassis , Master /back RE stores/maintains Single copy for the whole virtul chassis . Line card does not store/mainatain the whole Virtual Chassis config like Master /Back RE do. Line card however stores some Virtual chassis config in its own private config file such as member id, vcp port config,
I am trying to find juniper doc that can confirnm the above .
Am I correct?
Have a nice weekend!!
Hello,
I'm writing to seek for help about configuring remote port mirring on Juniper QFX5110-48s.
1. The connectivity
2. Configuration on QFX
set vlans RSPAN vlan-id 3333 set interfaces xe-0/0/3 description To-Analyzer set interfaces xe-0/0/3 mtu 9216 set interfaces xe-0/0/3 unit 0 family ethernet-switching set interfaces xe-0/0/2 description To-MX set interfaces xe-0/0/2 mtu 9216 set interfaces xe-0/0/2 unit 0 family ethernet-switching interface-mode trunk set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members all set forwarding-options analyzer RSPAN input ingress vlan RSPAN set forwarding-options analyzer RSPAN output interface xe-0/0/3.0
I can see MX is mirroring packets and send to QFX but on QFX itself does not send mirrored pacets further to interface xe-0/0/3.
Appreciate for any advice.
Hi All,
A little weird one I have come across recently and seeking some advice.
I have configured an EX2200 in an education environment to provide POE to a set of AP's.
Set it up the same as any of the other EX2200's there, but found as soon as I assign an IP for the switch, POE drops and will not power any of the AP's enough to work. If I remove the IP on the interface, everything starts working again.
I recently upgraded the firmware to 12.3R12.4 to try and resolve but this does not show any difference.
Is there anything someone can suggest to try and work through this?
Currently I cannot remote manage the switch, which is undesirable but can be worked around.
Hi, I have two EX2300-48. running 15.1X53-D59.3 in virtualchasis, All of my logs are full of these, there are 27 lines per second.
Dec 22 06:25:06 switch-md1 dc-pfe: BRCM_SALM:brcm_salm_l2_addr_process_notif(),380: NULL ifd for bcm port = 0 ,device no = 3 Dec 22 06:25:06 switch-md1 fpc1 BRCM_SALM:brcm_salm_l2_addr_process_notif(),380: NULL ifd for bcm port = 0 ,device no = 0 Dec 22 06:25:06 switch-md1 fpc0 BRCM_SALM:brcm_salm_l2_addr_process_notif(),380: NULL ifd for bcm port = 0 ,device no = 3 Dec 22 06:25:06 switch-md1 dc-pfe: BRCM_SALM:brcm_salm_l2_addr_process_notif(),380: NULL ifd for bcm port = 0 ,device no = 3 Dec 22 06:25:06 switch-md1 fpc1 BRCM_SALM:brcm_salm_l2_addr_process_notif(),380: NULL ifd for bcm port = 0 ,device no = 0 Dec 22 06:25:06 switch-md1 dc-pfe: BRCM_SALM:brcm_salm_l2_addr_process_notif(),380: NULL ifd for bcm port = 0 ,device no = 3 Dec 22 06:25:06 switch-md1 fpc0 BRCM_SALM:brcm_salm_l2_addr_process_notif(),380: NULL ifd for bcm port = 0 ,device no = 3 Dec 22 06:25:06 switch-md1 fpc0 BRCM_SALM:brcm_salm_l2_addr_process_notif(),380: NULL ifd for bcm port = 0 ,device no = 3 Dec 22 06:25:06 switch-md1 dc-pfe: BRCM_SALM:brcm_salm_l2_addr_process_notif(),380: NULL ifd for bcm port = 0 ,device no = 3 Dec 22 06:25:06 switch-md1 fpc0 BRCM_SALM:brcm_salm_l2_addr_process_notif(),380: NULL ifd for bcm port = 0 ,device no = 3
The oldest record is December 22 and I continue to receive these records, they do not stop at any time.
I searched in google and I didn't find anything about this messages. What can be a reason? Thank you!
Unlike the EX3300, EX3400 doesnot seem to have ethernet-switching-options when we can specifiy secure-access-port and limit the amount of mac addresses on an interface.
For example:
ethernet-switching-options {
secure-access-port {
interface ge-1/0/26.0 {
mac-limit 1 action drop;
no-dhcp-trusted;
}
}
}
I can't seem to find an alternative configuration for EX3400.
NOTE: My EX3400 is running on Junos 18.4R1.8
Any ideas would be much appreciated. Thanks!
Hi all,
i am not sure if what am trying achieve is possible, i need some guidance.
We have 3 ex2300 switches in 3 sites , the switches are runnign RSTP.
on every site there are 2 Cisco switches forming VSS. from these two cisco switches there are two links connecting to the EX2300 and every VSS is requred to form LAG with the EX2300.
we have set up the LAG but the AE interface is not coming up. checking the LACT statistics, i can only TX packets and no RX.
we have tried with and wothout LACP. when LACP is enabled, we tried both ACTIVE/ACTIVE and active/passive but still AE inteface remains down on the juniper. the port channle interface on the cisco shows up.
configs as below:
# show chassis
aggregated-devices {
ethernet {
device-count 2;
}
}
# show interfaces ae0
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan-members all;
}
set interfaces xe-0/1/2 ether-options 802.3ad ae0
set interfaces xe-0/1/3 ether-options 802.3ad ae0
set protocols rstp interface ae0.0
Regards
Lish
I thought I had some idea of what was going on, but apparantly not because try as I might I can't get anyting to work. What I've done so far:
--Created a 256-bit ECDSA keypair.
--Generated a CSR.
--E-mailed that to our certificate admin.
--Got a certificate back.
--Installed that certificate and the roots.
--Told HTTPS to use it.
The result? When I go to the site I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH and near as I can tell the switch isn't supporting ANY protocols for SSL.
Everything looks ok to me (***** is me redacting things):
admin@*****> show security pki certificate-request
Certificate identifier: Web-Access
Issued to: *****
Public key algorithm: ecdsaEncryption(256 bits)
admin@*****> show security pki ca-certificate
Certificate identifier: InCommon_1
Issued to: AddTrust External CA Root, Issued by: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
Validity:
Not before: 05-30-2000 10:48 UTC
Not after: 05-30-2020 10:48 UTC
Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: InCommon_3
Issued to: InCommon RSA Server CA, Issued by: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Validity:
Not before: 10- 6-2014 00:00 UTC
Not after: 10- 5-2024 23:59 UTC
Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: InCommon_2
Issued to: USERTrust RSA Certification Authority, Issued by: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
Validity:
Not before: 05-30-2000 10:48 UTC
Not after: 05-30-2020 10:48 UTC
Public key algorithm: rsaEncryption(4096 bits)
admin@ECE-*****> show security pki local-certificate
Certificate identifier: Web-Access
Issued to: *****, Issued by: C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
Validity:
Not before: 01-23-2019 00:00 UTC
Not after: 01-22-2021 23:59 UTC
Public key algorithm: ecdsaEncryption(256 bits)
admin@*****> show configuration system services
ssh {
protocol-version v2;
ciphers [ "aes128-gcm@openssh.com" "aes256-gcm@openssh.com" aes128-ctr aes256-ctr "chacha20-poly1305@openssh.com" aes256-cbc aes128-cbc ];
hostkey-algorithm {
no-ssh-dss;
ssh-ecdsa;
ssh-ed25519;
}
fingerprint-hash sha2-256;
}
netconf {
ssh;
}
web-management {
http;
https {
pki-local-certificate Web-Access;
}
}
Anyone have any idea what I'm doing wrong or what I'm missing?
This seems to have NO impact on the product , but I still would like to know if anyone knows why
on 4300-48MP running 18.4. in a stack with 4300- P the following LEDs are light up with Nothing in the ports.
I just woundering if there is more to these led now the units are not shipped with displays.
mge-X/0/32 shows a slow blinking amber/orage led light on the stauts LED = slow blink led orange for 10 seconds then goes off then back on for 10 more seconds ish.
mge-X/0/33 shows a sold purple led light on the stauts LED
mge-X/0/40 blinking green stauts LED
mge-X/0/41 sold orange stauts LED
Will be posting a pick soon.
Also no status info is given via
run show chassis led fpc-slot 2
LED status for: FPC 2
-----------------------------------
LEDs status:
Alarm LED : Yellow
System LED: Green
Master LED: Green
Interface LED(SPD/DPX/ADM/POE)
-------------------------------------
mge-2/0/32 Off
mge-2/0/33 Off
mge-2/0/40 Off
mge-2/0/41 Of
Hello,
i need to find out a way to auto block/shutdown a switch port if some one attaches a Hub or Physical layer switch to EX2200/EX2300 switch.
Actually in our branch offices, staff has a practice of connecting more PC's connecting Hub in the switch port, which creates problems by introducing broadcast and congestion in the network rendering slow performance complaints of the APPLICATION. So i am curious if there is a way to configure the Switch (EX2200/2300) to auto shut the port whenever HUBs are connected and may generate alert to notify the Network Administrator.
Hi
I configure radius accouting on EX2300. EX2300 will send radius accouting to NAC device but frame-ip-address attribute is null.
As document "https://www.juniper.net/documentation/en_US/junos/topics/concept/802-1x-pnac-accounting-understanding.html" It shown "The Framed-IP-Address attribute is sent only if a valid DHCP binding exists for the host in the DHCP snooping table"
DHCP server was enable on EX2300 switch and I also try to enable DHCP Snooping.
But framed-IP-Address attribute still not show. Here is my configuration
set vlans VLAN27 vlan-id 27
set vlans VLAN27 l3-interface irb.27
set vlans VLAN27 forwarding-options dhcp-security group Trust_VLAN27 overrides trusted
set vlans VLAN27 forwarding-options dhcp-security group Trust_VLAN27 interface ge-0/0/0.0
set vlans VLAN27 forwarding-options dhcp-security group Trust_VLAN27 interface ge-0/0/1.0
set vlans VLAN27 forwarding-options dhcp-security group Trust_VLAN27 interface ge-0/0/10.0
Is it correct?
Do you have any recommended command for verify DHCP snooping
Hi all;
I have 88 ex2200 and ex2300 devices in my hand. I have to do bandwitdh restriction for network structure and configure broadcast and multicast limits. I also have to activate the STP Protocol, but I could not find enough resources. I think I've activated STP, but I couldn't control it.
Can you help with these issues?
Thank you all