Channel: Ethernet Switching topics

EX3400 Junos: 18.1R1.9 trunk port set up


Hello,

I am trying to set up an EX3400 switch. I'm running Junos 18.1R1.9.

I have not worked with VLANs or switches much at all, but I'm comfortable with basic firewall support and server-side networking. If this is not posted to the correct forum, please point me to where I should post this.

I am able to configure VLANs, and ping from one VLAN to the other.

My goal is to set up ge-0/0/0 as a trunk port, with a firewall connected to it.

The other ports will be configured for different VLANs. The VLANs should not be able to talk to each other, but the firewall should be able to see the traffic from all VLANs coming across the ge-0/0/0 interface.

I have come across numerous examples of similar configurations, but they don't seem to work on this switch for various reasons.

I don't have the firewall here, so I am using two workstations.

Here is an example of a simple configuration that sets up VLANs and allows them to talk to each other, as a test:

[edit interfaces ge-0/0/4 unit 0]
set description "Sales server port"
set family ethernet-switching vlan members blue
exit

[edit interfaces ge-0/0/6 unit 0]
set description "Sales wireless access point port"
set family ethernet-switching vlan members blue
exit

[edit interfaces ge-0/0/0 unit 0]
set description "Firewall port"
set family ethernet-switching vlan members red
exit

[edit interfaces ge-0/0/2 unit 0]
set description "Support wireless access point port"
set family ethernet-switching vlan members red
exit

Configure VLANs and IRB:
[edit vlans]
set blue vlan-id 100
set red vlan-id 200
exit

[edit interfaces]
set irb unit 100 family inet address 192.168.2.1/24
set irb unit 200 family inet address 192.168.3.1/24
exit

[edit vlans]

set blue l3-interface irb.100
set red l3-interface irb.200

commit

I tried to set up ge-0/0/0 as a trunk port:

[edit interfaces ge-0/0/0]
set unit 0 family ethernet-switching interface-mode trunk
set unit 0 family ethernet-switching vlan members all
commit

This commit succeeds. However, when I connect to this interface, the route does not show as active, and the device does not show up in the ARP table.

I figured once I get all VLANs talking to the "firewall" port, I can shut off routing between VLANs.

I cannot seem to find a working example of port trunking for the EX3400.

I've tried resetting to factory default and starting from scratch multiple times, but the other configurations I'm trying either will not commit for various reasons or the switch does not support the commands in the examples given, as far as I can tell.

I just need a simple example of trunking for the EX3400.

Any advice/suggestions welcome.


NTP failure on loopback filter with 18.1R3-S3.8


I upgraded a new out-of-the-box EX2300 from version 15.1X53-D58.3 to 18.1R3-S3.8. Now the loopback filter is blocking NTP traffic. It is the same filter I use on EX2300/2200/4200 switches, but it only fails on 18.1.

> show configuration firewall family inet filter net-services term NTP
from {
    source-prefix-list {
        mgmt-networks;
    }
    protocol udp;
    destination-port ntp;
}
then accept;

# show system ntp
boot-server 10.176.97.47;
server 10.176.97.47 prefer;
server 10.180.15.160;
source-address 10.176.2.196;

I set a logging filter to capture NTP packets on the irb.0 trunk interface; I see NTP traffic, which is blocked at the loopback:

Mar 8 10:04:32 cssw3618 dc-pfe: PFE_FW_SYSLOG_IP: FW: xe-0/1/0.0 A udp Ji Ji 794931210 3288510474 (123 packets)
Mar 8 10:04:32 cssw3618 fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/1/0.0 A udp 10.180.15.160 10.176.2.196 123 123 (1 packets)
Mar 8 10:04:32 cssw3618 fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/1/0.0 A udp 10.176.97.47 10.176.2.196 123 123 (1 packets)
Mar 8 10:04:34 cssw3618 dc-pfe: PFE_FW_SYSLOG_IP: FW: xe-0/1/0.0 A udp Ji Ji 2685383690 3288510474 (123 packets)
Mar 8 10:04:34 cssw3618 fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/1/0.0 A udp 10.180.15.160 10.176.2.196 123 123 (1 packets)
Mar 8 10:04:36 cssw3618 dc-pfe: PFE_FW_SYSLOG_IP: FW: xe-0/1/0.0 A udp Ji Ji 2685383690 3288510474 (123 packets)
Mar 8 10:04:36 cssw3618 fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/1/0.0 A udp 10.180.15.160 10.176.2.196 123 123 (1 packets)

I even tried some weird suggestions found in other discussions; no joy.

# show system static-host-mapping localhost inet 10.176.2.196

Anyone have a suggestion I haven't tried?
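The PFE_FW_SYSLOG_IP lines above are worth checking programmatically rather than by eye. What follows is an added example by the editor, not code from the post or from Juniper: it parses lines of that shape, sets aside the dc-pfe summary lines whose address fields are not IP addresses ("Ji Ji"), tallies packets per flow, and checks whether each observed NTP source would fall inside a term shaped like the post's `NTP` term (protocol udp, destination-port ntp, source in a prefix list). The sample lines are constructed after the ones in the post; the two prefix lists `MGMT_ONLY` and `MGMT_AND_NTP` are assumptions, because the post does not show what `mgmt-networks` contains.

```python
"""Parse Junos PFE_FW_SYSLOG_IP firewall-log lines and check observed NTP
replies against a term shaped like the post's 'NTP' term.
Example code added by the editor; not from the forum post or from Juniper."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on the lines quoted in the post above.
SAMPLE_LOG = """\
Mar 8 10:04:32 cssw3618 dc-pfe: PFE_FW_SYSLOG_IP: FW: xe-0/1/0.0 A udp Ji Ji 794931210 3288510474 (123 packets)
Mar 8 10:04:32 cssw3618 fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/1/0.0 A udp 10.180.15.160 10.176.2.196 123 123 (1 packets)
Mar 8 10:04:32 cssw3618 fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/1/0.0 A udp 10.176.97.47 10.176.2.196 123 123 (1 packets)
Mar 8 10:04:34 cssw3618 fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/1/0.0 A udp 10.180.15.160 10.176.2.196 123 123 (1 packets)
Mar 8 10:04:36 cssw3618 fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/1/0.0 A udp 10.180.15.160 10.176.2.196 123 123 (1 packets)
"""

# Assumed contents of the 'mgmt-networks' prefix list; the post does not show them.
MGMT_ONLY = [ipaddress.ip_network("10.176.2.0/24")]
MGMT_AND_NTP = MGMT_ONLY + [ipaddress.ip_network("10.176.97.47/32"),
                            ipaddress.ip_network("10.180.15.160/32")]

# Fields after "FW:": interface, action (A accept / D discard / R reject),
# protocol, source, destination, source port, destination port, packet count.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:\s]+):? "
    r"PFE_FW_SYSLOG_IP: FW: (?P<ifl>\S+) (?P<action>[ADR]) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+) \((?P<count>\d+) packets\)$"
)


@dataclass(frozen=True)
class Flow:
    ifl: str
    action: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int
    count: int


def parse_log(text):
    """Return (flows, skipped). Lines that do not match the pattern, or whose
    address fields are not IP addresses (the dc-pfe lines show 'Ji Ji'),
    are reported as skipped rather than silently counted."""
    flows, skipped = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            skipped.append(line)
            continue
        try:
            src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        except ValueError:
            skipped.append(line)
            continue
        flows.append(Flow(m["ifl"], m["action"], m["proto"], src, dst,
                          int(m["sport"]), int(m["dport"]), int(m["count"])))
    return flows, skipped


def summarize(flows):
    """Packet totals per (action, proto, src, dst, dport)."""
    totals = Counter()
    for f in flows:
        totals[(f.action, f.proto, str(f.src), str(f.dst), f.dport)] += f.count
    return totals


def ntp_term_matches(flow, prefix_list):
    """Model of the post's term: protocol udp, destination-port ntp (123),
    and source address inside the referenced prefix list."""
    return (flow.proto == "udp" and flow.dport == 123
            and any(flow.src in net for net in prefix_list))


def unmatched_ntp_sources(flows, prefix_list):
    """NTP sources seen in the log that the modelled term would not accept."""
    return sorted({str(f.src) for f in flows
                   if f.dport == 123 and not ntp_term_matches(f, prefix_list)})


if __name__ == "__main__":
    flows, skipped = parse_log(SAMPLE_LOG)
    print(f"{len(flows)} flows parsed, {len(skipped)} lines skipped")
    for key, n in summarize(flows).items():
        print(key, n)
    print("not covered by mgmt-only list:", unmatched_ntp_sources(flows, MGMT_ONLY))
    print("not covered once servers are added:", unmatched_ntp_sources(flows, MGMT_AND_NTP))
```

The check makes one thing explicit: NTP replies arrive from the server addresses (10.176.97.47 and 10.180.15.160 in the post), so whichever prefix list the term references has to cover those addresses, not just the management subnet. Note also that the action column in the quoted lines is `A` on xe-0/1/0.0, which is the verdict of the filter on that ingress interface; the loopback filter's own verdict would have to be logged separately to see which term it hit.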

Archival (transfer-on-commit/interval) not working properly


I have configured archival settings using both transfer-on-commit and transfer-interval on multiple switches, and it is not working properly.

What happens is that the config files are indeed created under /var/transfer/config/ when a commit happens or the interval is reached (depending on which transfer setting is used), AND the config file is then copied to the FTP server correctly.

The issue is that with each new commit (or when the interval time is reached) a new config is created in the /var/transfer/config directory, BUT instead of copying the latest config that is created, the original config is copied again.

Basically, I end up with a whole bunch of copies of configs in the var/transfer/config/ folder, but the original just keeps getting copied instead of the new one.

Switches are EX3400's using 15.1x3-D58.3 and 15.1x3-D59.4.

Anybody else encounter this?

Lost PoE on all interfaces because EX4200 is requesting a PoE upgrade. Will resetting the PoE interface bring back PoE?


Lost PoE on all interfaces on one of our EX4200s. PoE controller message: requesting PoE upgrade.

Will resetting the PoE interface bring back PoE? (disable and enable the PoE interface)

Thanks

ariel

New in JunOS - STP integration


Hi Folks,

Nice to meet everyone here.

We intend to move to the QFX series for our core switches, which are connected to a bunch of Cisco access switches.

I've been reading up a lot on STP integration but am still not very sure on the following questions, especially on the Cisco default VLAN 1.

q1) If we decide to use VSTP on Juniper and retain PVST+ on Cisco, are there any particular configurations that we need to set for:

  • Cisco VLAN 1 - I am not referring to the native VLAN; I am referring to the Cisco default VLAN 1, which will send untagged frames regardless of whether it is native or not
  • Native VLAN - Does VSTP support native VLAN? How do we currently support Cisco VLAN 1 and a native VLAN that is not VLAN 1?

q2) I have never used a Juniper switch.
It seems that STP can be defined at the interface level as well in Juniper -> is this right?

It also seems that I can run different STP protocols concurrently (e.g. VSTP and RSTP)?

Neither of the above is possible in Cisco.

Regards,

Alan

EX200 virtual chassis question: PFE and Device ID in the member switch


Hi everyone.

In a Virtual Chassis on EX200, each PFE is assigned a device ID. Is the device ID always equal to the PFE ID?

Example:

root@SW1> show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis CU0212120838 EX2200-48T-4G
Routing Engine 0 REV 18 750-026325 CU0212120838 EX2200-48T-4G
FPC 0 REV 18 750-026325 CU0212120838 EX2200-48T-4G
CPU BUILTIN BUILTIN FPC CPU
PIC 0 BUILTIN BUILTIN 48x 10/100/1000 Base-T
PIC 1 REV 18 750-026325 CU0212120838 4x GE SFP
Power Supply 0 PS 100W AC
Fan Tray Fan Tray

Above we have two PFEs: PFE0 and PFE1.

root@SW1> show virtual-chassis device-topology local
Neighbor List
Member Device Status System ID Member Device Interface
0 0 Prsnt 6487.88b9.a940 0 1 internal-0/24
0 1 Prsnt 6487.88b9.a941 0 0 internal-1/27

Above, device ID 0 is assigned to PFE 0 because the PFE is numbered as zero?

Thanks and have a good weekend!!

DHCP ARP inspection does not allow to register new clients on DHCP. Disconnects clients.


Hello! I have the following network configuration: Host <-> EX2300 access switch <-> EX4600 core switch <-> EX2300 web server access switch <-> DHCP server. I wanted to apply DHCP snooping and dynamic ARP inspection on the EX2300 access switch, with the web server access switch having no additional security settings.

The problem is that users on the access switch are periodically disconnected and cannot connect to the network and receive an IP address. In the DHCP binding table they are blocked, but there is no reason for this. Please tell me whether my equipment configuration is correct and what the problem could be.

Following configuration:

HOST ->

Access Switch

EX2300 version 18.1R3.3

set vlans USERS-26 vlan-id 26
set vlans USERS-26 forwarding-options dhcp-security arp-inspection
set vlans USERS-26 forwarding-options dhcp-security group TRUST-DHCP overrides trusted
set vlans USERS-26 forwarding-options dhcp-security group TRUST-DHCP interface ae0.0

->

Core Switch

EX4600:

JUNOS 14.1X53-D27.3 built 2015-06-17

set forwarding-options dhcp-relay forward-snooped-clients all-interfaces
set forwarding-options dhcp-relay overrides allow-snooped-clients
set forwarding-options dhcp-relay overrides bootp-support
set forwarding-options dhcp-relay overrides delete-binding-on-renegotiation
set forwarding-options dhcp-relay server-group DHCP-RELAY-GROUP 192.168.22.6
set forwarding-options dhcp-relay server-group DHCP-RELAY-GROUP 192.168.22.5
set forwarding-options dhcp-relay active-server-group DHCP-RELAY-GROUP
set forwarding-options dhcp-relay group DHCP-RELAY-GROUP interface irb.25
set forwarding-options dhcp-relay group DHCP-RELAY-GROUP interface irb.26

-> EX2300 -> DHCP-server

Please help: what is the problem causing the clients to be disconnected?

How to measure the latency(in microseconds) of EX2300 switch?


I would like to measure the latency of an EX2300 switch in microseconds. The sender transmits UDP packet streams with a 100 microsecond period. I also need to measure its tolerance. How can I measure the latency in nanoseconds? Are there any tools available for this purpose?


Generate Interface errors for testing purposes


Hi guys,

I need to generate some errors on the interface for testing purposes. I have mismatched the speed on the access port, but it didn't generate any errors. Can someone please share any way I can get port errors?

Thanks

Juniper firewall filter config help required


Hi, I want to define a firewall filter on our Juniper router. Can you tell me what the configuration for that would be? My requirement is that it should allow access from the source IP address subnet 215.195.67.0/22 for TCP ports 443 and 22, bi-directionally.

Thanks

Dynamic Filter Effective View


"On EX Series switches, firewall filters that you apply to interfaces enabled for 802.1X or MAC RADIUS authentication are dynamically combined with the per-user policies sent to the switch from the RADIUS server. The switch uses internal logic to dynamically combine the interface firewall filter with the user policies from the RADIUS server and create an individualized policy for each of the multiple users or nonresponsive hosts that are authenticated on the interface. " (https://www.juniper.net/documentation/en_US/junos/topics/example/802-1x-pnac-firewall-filters-for-multiple-supplicants.html)

 

Is there a way to show the effective dynamically generated policy?

i.e.

root@kjs-juniper12> show dot1x firewall ge-0/0/0
Filter name: dot1x_ge-0/0/0
Counters:
Name Bytes Packets
dot1x_ge-0/0/0_204c03172494 8552059 86984
dot1x_ge-0/0/0_204c03172494_t0 389844 4998

Is there a way to show the effectively applied combined firewall filter, a la "show configuration firewall family ethernet-switching filter dot1x_ge-0/0/0"?

Network Analytics Streaming Data collectors


I would like to analyse the network analytics streaming data from QFX and EX2300-48MP switches. What tools (Windows) are available that I can configure to collect the network analytics streaming data from these switches? Are there any free tools available?

finding port on 4300 EX


Hi All,

There are multiple virtual chassis that are connected to various firewalls. My question is how to find the actual port on the VC along with the MAC or IP address.

>Sh arp IP address ------>to get MAC address from IP address.

>Sh ethernet-switching table | match XX:xx:XX:xx:xx:xx
VLAN_201         XX:xx:XX:xx:xx:xx    D          -          ae1.0

ae1.0 has four physical interfaces. From this point, how can I drill down further to find the actual interface that my laptop is connected to?

Thanks

Erix.

traceoptions


Hi all,

How do I check whether or not traceoptions are still running on EX switches in a VC, and how do I verify whether they are consuming CPU and memory?

Thx

Erimix

Logical unit number / sub interface


Hi,

Sorry to sound absolutely green.

I've just started on the Juniper platform and am not really used to the concept of the logical unit number of a physical interface.

I've been seeing the output below in my switch config:

em2 up up
em2.32768 up up inet 192.168.1.3/24

vme up up
vme.0 up up inet 192.168.0.203/24

q1) How does one decide to use a logical unit number of 0, or a logical unit number of 32768, if the purpose is just to give the interface an IP address?

I also see a logical unit number of 16385 on the loopback interface:

lo0 up up
lo0.16385 up up inet

Regards,

Alan


Clean up configuration against actual interfaces - how to


Hi all,

It seems to me that I am able to configure non-existent interfaces in the actual configuration despite having no relevant physical ports.

e.g. (I don't have an xe-1/0/1 interface at all)

show configuration interfaces xe-1/0/1
unit 0 {
    family ethernet-switching {
        storm-control default;
    }
}

I find this to be very confusing.... when looking at the configuration vs. the actual setup.

q1) How can I do a clean-up of the configuration such that only what is "physically and actually in use" will be shown?

Regards,

Alan

Virtual-chassis auto-sw-update scenario on Master Switch in Virtual chassis


Hi everyone.

Let's say we have a three-switch VC, and SW1 is the master. SW1 has the following JUNOS packages in the var/tmp folder:

jinstall-ex-2200-12.3R12.4-domestic-signed.tgz

jinstall-ex-2200-12.3R11.2-domestic-signed.tgz

SW is booted from jinstall-ex-2200-12.3R12.4-domestic-signed.tgz

If we use "Virtual-chassis auto-sw-update" without specifying a particular JUNOS image, what software will be downloaded to a new member switch if there is a mismatch of JUNOS?

2) I noticed that when I uploaded JUNOS into the var/tmp/ folder from my FTP server and rebooted the EX 2200 switch, the installation package is not retained in the /var/tmp folder once the switch is booted. Is there any way we can retain the installation package in the VAR/TMP folder on the EX200 switch?

Thanks, have a good day!!

finding a traceoptions file that created previously on EX 4600


hi all,

I am trying to find a traceoptions file that my colleague created for troubleshooting purposes. How can this file be found via the Junos CLI?

>file list / detail ----->didn't help!

Thanks

LAG from EX4300MP to Cisco VSS (2) Catalyst 4300X-16


Hello,

Hardware and software in question:

Juniper:

hardware: EX4300-48MP (multigigabit)

Junos ver: 18.3R1.9

Cisco:

Hardware: Catalyst 4300X-16 port in virtual stack (VSS) that consists of two units

IOS ver: 15.0(1r)SG10

Issue:

I've set up LAG 10g interfaces (4 ports), but when I enable the ports on both sides, on Juniper all ports are no longer accessible. Weird part(s):

- the management interface is inaccessible even though it shows "up" status in the Junos CLI. All 4 10g ports are also showing up status, and the indicator LED on the hardware is showing an active/green light.

- On the Cisco side it is the same story. All 4 ports are showing connected, including the ether-channel, and also the indicator LED on the hardware is showing an active/green light.

Relevant ports configuration on Juniper:

============================

xe-0/2/0 {
    ether-options {
        802.3ad ae1;
    }
}
xe-0/2/1 {
    ether-options {
        802.3ad ae1;
    }
}
xe-0/2/2 {
    ether-options {
        802.3ad ae1;
    }
}
xe-0/2/3 {
    ether-options {
        802.3ad ae1;
    }
}
ae1 {
    description "LAG to Cisco";
    aggregated-ether-options {
        lacp {
            active;
        }
    }
}

================================================

Relevant Cisco configuration:

================================================

interface Port-channel111
 description HR SRV RM
 switchport
 switchport mode trunk
!
interface TenGigabitEthernet1/1/5
 description HR Jun4300 Link 1
 switchport mode trunk
 channel-group 111 mode active
!
interface TenGigabitEthernet1/1/6
 description HR Jun4300 Link 2
 switchport mode trunk
 channel-group 111 mode active
!
interface TenGigabitEthernet2/1/13
 description HR Jun4300 Link 3
 switchport mode trunk
 channel-group 111 mode active
!
interface TenGigabitEthernet2/1/14
 description HR Jun4300 Link 4
 switchport mode trunk
 channel-group 111 mode active

============================================================

Any suggestion would be greatly appreciated.

Virtual Chassis - preprovisioned vs non-provisioned


Hi all,

I am extremely new to Juniper. Please bear with me.

I am reading the virtual chassis feature guide on configuring a virtual chassis.

In pre-provisioned:

- mastership priority cannot be defined but will be set to the same for master and backup RE
- role is pre-defined to the serial number of the switch
- member ID is pre-defined to the serial number of the switch
- switch intended to be master is powered on

In non-provisioned:

- mastership priority can be defined but will be set to the same for master and backup RE
- switch intended to be master is powered on

============================

So the only difference between pre-provisioned and non-provisioned is that

- in pre-provisioned, you can define/tie the intended role to the desired switch?
- in pre-provisioned, you can define the member ID for the desired switch??

Q1) What other benefits/non-benefits does one have over the other? Why would one choose pre-provisioned over non-provisioned?

In a 2-member virtual chassis, how do the above matter?

Q2) When specifying an interface in a virtual-chassis setup, what is the relationship between FPC and member ID?

Say FPC2 (switch2) is defined with a member ID of 6; when we want to refer to port1 of switch2, do we specify

ge-6/0/1 or ge-2/0/1 in a virtual chassis?

I am using 2 x qfx5100-48s-6q

Regards,

Alan
