Channel: Ethernet Switching topics

Wrong permissions intermittently when using SSH w/ Tacacs+ EX4300


About 1 out of 4 times when logging into our EX4300s we get severely restricted permissions. The workaround is to log out and log back in. However, this is proving to be very frustrating. Our EX4300-48s are in a clustered Virtual Chassis. We use Tacacs+ for authentication. We checked the logs on our Tacacs+ box and see no errors. This is only happening on the 4300s as of now.

 

EX4300-48

13.2x51-d36.1


Vlan Firewall filters


Thought I'd post this here as I'm not quite understanding the Junos documentation for this feature and working with JTAC hasn't really been helpful. Basically I want to know how VLAN firewall filters match traffic when they are applied in the output vs input directions. I've been shown the "VLAN firewall filters provide access control for packets that enter a VLAN, are bridged within a VLAN, or leave a VLAN." several times. I understand this. But I'm trying to figure out what Juniper means by "leave a vlan" vs "enter a vlan". The issue I'm having is that when a fw filter is applied in the "output" direction I can only match on ip-source-address. When it is applied in the input direction I can only match on ip-destination-address.

 

The scenario is that there is a VLAN with an L3 interface (irb) bound to it. Clients in that VLAN use the irb address as their default gateway. Would the traffic generated by clients that are attached to the switch in this VLAN be considered input? Or is it output if it leaves the local subnet/VLAN? Would this traffic not be input and output? Traffic returning to the switch and going out the irb into the VLAN would be input?

MX Virtual Chassis


I have two MXs. If each has a single routing engine, can they be combined into a virtual chassis?

Configuring an EX3300 Virtual Chassis


Team,

 

Can we configure two different Juniper EX switches in a VC?

We have 15 EX3300 switches now configured in VC for two locations, and we are in the process of buying additional Juniper EX3400 switches. Can both EX3300 and EX3400 be configured in a VC?

Dropped Connections after upgrading to 12.3R12.4 EX2200


Hello,

 

I have an EX2200 Juniper switch on which I'm experiencing problems with client connectivity. Even though the workstation NIC says it is connected, I cannot ping anyone on the network. The problem occurs on workstations (Win10) and servers (Server16). I've tried updating the NIC drivers, resetting winsock, rebooting; nothing helps. I've swapped out the switch with another EX2200. I even zeroized the switch back to factory settings (ezsetup) but the workstation(s) will not connect.

 

I believe it is a switch issue because I regain connectivity when connecting to a Cisco switch. It seems like my issues started occurring after updating the EX2200 to 12.3R12.4 from 12.3R9. I'm not showing any errors on the port in the CLI and I don't have MAC filtering or BPDU configured on the switch.

 

I did notice that the disconnected workstation NIC is showing 'unidentified network' versus the 'domain' connection.

 

Any ideas?

 

 

vxlan L3 gateway best way to reach rest of the network?


Hi experts.

I have followed the IaaS: EVPN and VXLAN Solution and it is working as it should.

The next step is to decide how the rest of the network should reach the DC.

Should I set up a new BGP session from each routing-instance in the spine to my PE router to get connectivity to the rest of the network?

Best practices?

Guides?

All suggestions are welcome

 

//Niklas

Juniper EX4550 uses IP of neighbor port as the Source during ping directly connected remote peer


Hello.

We have 2xEX4550-32F (Virtual Chassis). Below configuration:

!

admin@EX4550> show configuration routing-instances TEST
instance-type virtual-router;
interface xe-0/0/29.0;
interface xe-1/0/29.0;
routing-options {
    static {
        route 192.168.0.0/24 {
            next-hop 192.168.1.2;
            qualified-next-hop 192.168.1.6 {
                preference 10;
                bfd-liveness-detection {
                    minimum-interval 5000;
                    multiplier 3;
                }
            }
            bfd-liveness-detection {
                minimum-interval 5000;
                multiplier 3;
            }
        }
    }
}

admin@EX4550> show configuration interfaces xe-0/0/29
description "Link A";
mtu 9216;
unit 0 {
    family inet {
        address 192.168.1.1/30;
    }
}

{master:0}
admin@EX4550> show configuration interfaces xe-1/0/29
description "Link B";
mtu 9216;
unit 0 {
    family inet {
        address 192.168.1.5/30;
    }
}

When I try to ping remote peer via 192.168.1.2 - ping is OK

When I try to ping remote peer via 192.168.1.6 - ping is FAIL

 

On remote peer tcpdump was turned on - incoming ICMP packets have Source IP = 192.168.1.1, not 192.168.1.5

Why so?

Wrong permissions intermittently when using SSH


About 1 out of 4 times when logging in we get severely restricted permissions. The workaround is to log out and log back in. However, this is proving to be very frustrating.

 

 


ge-0/1/0 interface vlan configured but showing up in default vlan instead


vlans - Guest

vlans - Data

 

Active firewall 192.168.1.25 - LAN interface 1/7 connects to Cisco 2960 gi-1/0/25

Passive firewall 192.168.1.26 - LAN interface 1/7 connects to ex2200 ge-0/1/0 interface

Cisco 2960 gi-1/0/25 - setup as access vlan member is DATA

Juniper ex2200 ge-0/1/0- setup as access vlan member is DATA. switched to trunk with native vlan-id DATA in config below. 

Topology attached. 

show vlan command attached

Junos OS version: JUNOS EX Software Suite [15.1R5.5]

 

We have a small flat network in a remote office. We have 1 Cisco 2960 and 1 Juniper EX2200. Interface gi-1/0/28 and interface ge-0/1/3 are set up as trunks with native vlan-id DATA. Traffic is flowing between the switches. We just installed PA-820 firewalls in HA. When we fail over we lose the site completely behind the firewall. When looking at the switch, the ARP is not updating to point to the correct MAC and interface to route the traffic between the Cisco and Juniper. Both MAC tables are incorrect. When I run a show vlan on the EX2200 I am seeing that ge-0/1/0 is showing up on the default vlan and not the DATA vlan. The traffic from the PA-820 1/7 interface is untagged as well.

 

How can I fix this so that the interface shows in the DATA vlan and not the default, so the failover works with our firewall?

 

EX2200 config

interfaces {
    interface-range Production {
        member-range ge-0/0/0 to ge-0/0/22;
        description "DATA";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                native-vlan-id DATA;
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members GUEST;
                }
            }
        }
    }
    ge-0/1/0 {
        description "BOTTOM PA820 192.168.1.26 INT1/7 UPLINK";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                native-vlan-id DATA;
            }
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        description "Trunk to Cisco C2960";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members GUEST;
                }
                native-vlan-id DATA;
            }
        }
    }
    ge-0/1/3 {
        description "Trunk to Cisco C2960";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members GUEST;
                }
                native-vlan-id DATA;
            }
        }
    }
    ae0 {
        unit 0;
    }
    me0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet {
                address 192.168.1.14/24;
            }
        }
    }
}
forwarding-options {
    helpers {
        bootp {
            interface {
                vlan.1;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.1;
    }
}
protocols {
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    voip;
    storm-control {
        interface all;
    }
}
vlans {
    DATA {
        description "Default Cisco VLAN";
        vlan-id 1;
        l3-interface vlan.1;
    }
    GUEST {
        description "GuestNet VLAN";
        vlan-id 3;
    }
}
poe {
    interface all;
}

QinQ configuration cli option errors

How do we configure a QinQ scenario where customer-1 and customer-2 use the same C-VLAN numbers (different S-VLANs but using the same physical link to sites)


How do we conceive a config for the following scenario on EX4300?

 

Customer 1 Port  ge-0/0/17 - Vlan 1588

                    Port  ge-0/0/18- Vlan 500, 502

 

Customer 2 Port ge-0/0/19 - Vlan 1588

                     Port ge-0/0/20 - Vlan 500, 502

 

Note: customers 1 and 2 use the same customer VLAN numbers, but they come in on different ports.

 

Customer 1 extended to Site 1, send out in QinQ outer tag 3512

Customer 2 extended to Site 2, send out in QinQ outer tag 3513

 

Note: Sites 1 and 2 can use different outer tags, but they are extended through the same service provider, so the same port or physical link.

Will the config below work?

 

 

Site 1

SVLAN
=====
set vlans 3512 interface ge-0/0/17.3512
set interfaces ge-0/0/17 flexible-vlan-tagging
set interfaces ge-0/0/17 native-vlan-id 3512
set interfaces ge-0/0/17 encapsulation extended-vlan-bridge
set interfaces ge-0/0/17 unit 3512 vlan-id 3512
set interfaces ge-0/0/17 mtu 1504

 

 

Site 2

SVLAN
=====
set vlans 3513 interface ge-0/0/17.3513
set interfaces ge-0/0/17 flexible-vlan-tagging
set interfaces ge-0/0/17 native-vlan-id 3513
set interfaces ge-0/0/17 encapsulation extended-vlan-bridge
set interfaces ge-0/0/17 unit 3513 vlan-id 3513
set interfaces ge-0/0/17 mtu 1504

 

 

C-VLAN for site 1
=====

set vlans 3512 interface ge-0/0/18.3512
set interfaces ge-0/0/18 flexible-vlan-tagging
set interfaces ge-0/0/18 encapsulation extended-vlan-bridge
set interfaces ge-0/0/18 unit 3512 vlan-id-list 1588
set interfaces ge-0/0/18 unit 3512 input-vlan-map push
set interfaces ge-0/0/18 unit 3512 output-vlan-map pop
set interfaces ge-0/0/18 mtu 1504

set vlans 3512 interface ge-0/0/19.3512
set interfaces ge-0/0/19 flexible-vlan-tagging
set interfaces ge-0/0/19 encapsulation extended-vlan-bridge
set interfaces ge-0/0/19 unit 3512 vlan-id-list 500 520
set interfaces ge-0/0/19 unit 3512 input-vlan-map push
set interfaces ge-0/0/19 unit 3512 output-vlan-map pop
set interfaces ge-0/0/19 mtu 1504

 


C-VLAN for site 2
=====

set vlans 3513 interface ge-0/0/20.3513
set interfaces ge-0/0/20 flexible-vlan-tagging
set interfaces ge-0/0/20 encapsulation extended-vlan-bridge
set interfaces ge-0/0/20 unit 3513 vlan-id-list 1588
set interfaces ge-0/0/20 unit 3513 input-vlan-map push
set interfaces ge-0/0/20 unit 3513 output-vlan-map pop
set interfaces ge-0/0/20 mtu 1504


set vlans 3513 interface ge-0/0/21.3513
set interfaces ge-0/0/21 flexible-vlan-tagging
set interfaces ge-0/0/21 encapsulation extended-vlan-bridge
set interfaces ge-0/0/21 unit 3512 vlan-id-list 500 520
set interfaces ge-0/0/21 unit 3512 input-vlan-map push
set interfaces ge-0/0/21 unit 3512 output-vlan-map pop
set interfaces ge-0/0/19 mtu 1504

 

Thanks

LACP hashing algorithm on EX4300


Hi 

I would like to configure the LACP hashing algorithm on EX4300. There's no syntax for configuring it on version 18.1R2.6. Can you give me a configuration template or explain to me whether it can configure the hash algorithm for source IP and destination IP, source MAC and destination MAC, source TCP and destination UDP?

 

 

Thank you

EX 3300 virtual chassis with 6 switches


Does anybody have a diagram of how to connect 6 x EX 3300 in VC ? Setup of VC would be another step. Thank you

QFX5100 - mixing families


Hello all,

 

We've got a QFX5100-48S with 'family ethernet-switching' and 'family inet' configuration on a single port.

This has worked for a long time, and when we committed this configuration back then, the device didn't stop us.

 

Later on, we committed another 'family inet' unit on this port and the 'family ethernet-switching' part just stopped working.

The existing 'family inet' part kept on working.

 

Is this something only SRX, EX and MX devices stop you from committing?

 

Beeelze

EX2300 PoE port


So, I am using the CLI to disable and then trying to re-enable the PoE on a port. Do I have the enable command wrong? It does not change to ENABLE.

 

{master:0}[edit]
admin@001# run show poe interface ge-0/0/33
PoE interface status:
PoE interface                : ge-0/0/33
Administrative status        : Disabled
Operational status           : Disabled
Power limit on the interface : 0.0W
Priority                     : Low
Power consumed               : 0.0W
Class of power device        : not-applicable
PoE Mode                     :   802.3at


{master:0}[edit]
admin@001# set poe interface ge-0/0/33

{master:0}[edit]
admin@001# commit
configuration check succeeds
commit complete

{master:0}[edit]
admin@001# run show poe interface ge-0/0/33
PoE interface status:
PoE interface                : ge-0/0/33
Administrative status        : Disabled
Operational status           : Disabled
Power limit on the interface : 0.0W
Priority                     : High
Power consumed               : 0.0W
Class of power device        : not-applicable
PoE Mode                     :   802.3at

{master:0}[edit]
admin@001# exit
Exiting configuration mode

{master:0}
admin@001> show poe interface ge-0/0/33
PoE interface status:
PoE interface                : ge-0/0/33
Administrative status        : Enabled
Operational status           :  OFF
Power limit on the interface : 0.0W
Priority                     : High
Power consumed               : 0.0W
Class of power device        : not-applicable
PoE Mode                     :   802.3at

{master:0}
admin@001>

 

The command I used was:

set poe interface ge-0/0/33 


EX3400 missing ethernet-switching-options


Unlike the EX3300, the EX3400 does not seem to have ethernet-switching-options, where we can specify secure-access-port and limit the number of MAC addresses on an interface.

For example:

ethernet-switching-options {
    secure-access-port {
        interface ge-1/0/26.0 {
            mac-limit 1 action drop;
            no-dhcp-trusted;
        }
    }
}

I can't seem to find an alternative configuration for EX3400.

NOTE: My EX3400 is running on Junos 18.4R1.8

Any ideas would be much appreciated. Thanks!

Loss of IRB routes on EX switch


Hi 

I found a problem on my switch last week. I have 5 units of EX4300 in a mixed virtual chassis. The version is 14.1X53-D30.3. All IRB routes are not shown in the routing table. I have to reboot it; after that they show again.

 

I tried to get the log messages from it. The output is attached. There was something interesting in one log message.

 

"PYH-FL17-EX4300-Core chassisd[1184]: CHASSISD_IPC_FLUSH_ERROR: ch_flush_fru_pipe: flush operation failed for LCD 4"
"PYH-FL17-EX4300-Core chassisd[1184]: CHASSISD_FRU_IPC_WRITE_ERROR: fru_send_msg: FRU LCD 4, errno 40, Message too long"

 

Have you ever seen these log messages?

Thanks!

Juniper infrastructure and IP cameras.


Experts,

 

We are going to expand our infrastructure by adding 60-90 IP cameras to the current IDFs and MDF. Creating another VLAN for such a network is not an issue. The traffic inside will be expanding, since these cameras send traffic to the main DVR all the time. With 1000 end devices currently in the network and using EX 3300 & EX 4300 switches, this should not be a problem, correct? Any specific QoS on Juniper for cameras, or just a separate VLAN? Any other thoughts?

 

Thank you

vQFX + OpenNTI Lab


Hello,

 

My plan was to build a lab with vQFX10k and OpenNTI to test the analytics functionality.

 

I configured analytics as:

root@vqfx-re> show configuration services
analytics {
    streaming-server open-nti {
        remote-address 10.30.12.50;
        remote-port 50000;
    }
    export-profile opennti {
        local-address 10.30.12.1;
        local-port 21001;
        reporting-rate 5;
        format gpb;
        transport udp;
    }
    sensor interface-phy {
        server-name open-nti;
        export-name opennti;
        resource /junos/system/linecard/interface/;
    }
    sensor interface-log {
        server-name open-nti;
        export-name opennti;
        resource /junos/system/linecard/interface/logical/usage/;
    }
}

And get the following error message:

root@vqfx-re> show analytics status
error: peer_daemon: bad daemon: analyticsd

Version of RE/PFE is 17.4R1.

 

Any ideas?

 

Greets

Sflow config for 4300s


Is there an easy way to include all the interfaces to send sflow data instead of doing set sflow interfaces ge-x/x/x.x for each interface ?

 

I already have the following

{master:0}[edit protocols]
username@vcname# show sflow
polling-interval 10;
sample-rate {
    ingress 500;
    egress 500;
}
collector ip address of collector {
    udp-port 6343;
}
interfaces ge-0/0/7.0;
interfaces xe-0/2/0.0;
interfaces xe-1/2/0.0;

{master:0}[edit protocols]
