Channel: Ethernet Switching topics

Disable InterVlan routing


I have three VLANs configured in my EX8208: Vlan1, Vlan2, and Vlan3.

All VLANs are able to communicate with each other, which is wrong.

All VLANs are configured with an l3-interface.

My requirements:

1. Can I block inter-VLAN communication?

2. Is it possible with a filter on specific VLANs?


QFX 5100 Transit Traffic processed by Loopback Filters


We are experiencing a very odd issue with our QFX5100 switching and the routing tables.

Issue:
The Ubuntu test server (96.126.81.60) is unable to connect when making any TCP or UDP connection to off-net services.

After spending a few weeks trying to identify the issue, we found the following to be happening:

1) When no default route is populated on the QFX5100 switch, and only the full BGP table, the Loopback0.0 filter is being applied to all transit traffic.

2) When a default route is populated on the QFX5100 switch, along with a full BGP table, only the default route is utilized, the BGP forwarding table appears to be ignored, and the Loopback0.0 filter is not applied.

Below is a simplified network topology showing how all of the Juniper devices are interconnected, as well as how the routing tables are being populated.

I say simplified, because there are actually two MX80 routers, with full BGP tables from two different carriers.

The QFX5100 switches are two physical switches in a VC, using LACP bonded connectivity ( ae[0-5] ) set up for "flexible-vlan-tagging".

[attached image: anet_juniper_forum_post_03272019.png]

Can anyone throw out some ideas as to why the lo0.0 input filter is being processed on transit traffic?
To my understanding, and all of our research and training, transit traffic should never touch the RE unless exceptions in the packets are experienced.

However, when digging into this issue, I ran across this KB article, but I don't think it applies to my setup (or is even relevant), as I do not run any firewalls on this equipment other than the lo0.0 firewall policy to protect the RE (management, etc.).

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB32041&cat=QFX_SERIES&actp=LIST

https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1080758

 

Let me know what you would like to see for configurations or routing table output and I will gladly show it.

 

Ping Google DNS from Ubuntu Test Server

 

# ping 8.8.8.8 -c 5
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=120 time=13.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=120 time=16.6 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=120 time=38.2 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=120 time=19.1 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=120 time=11.9 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 11.988/19.828/38.263/9.566 ms

 

 

Traceroute to Google DNS (default UDP mode)

 

# traceroute 8.8.8.8 -n
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  96.126.81.57  0.786 ms  0.806 ms  0.847 ms
 2  96.126.81.37  19.928 ms  19.916 ms  19.897 ms
 3  96.126.81.25  20.177 ms  20.207 ms  20.187 ms
 4  62.115.170.158  20.059 ms  20.054 ms  20.106 ms
 5  62.115.137.106  20.341 ms  20.463 ms  20.488 ms
 6  62.115.113.84  20.330 ms  19.770 ms *
 7  * * *
 8  * * *
 9  * * *
10  * * *

Traceroute to Google DNS (ICMP Mode)

 

# traceroute 8.8.8.8 -n --icmp
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  96.126.81.57  0.872 ms  0.906 ms  0.941 ms
 2  96.126.81.37  18.166 ms  18.171 ms  18.169 ms
 3  96.126.81.25  18.384 ms  18.404 ms  18.420 ms
 4  62.115.170.158  18.383 ms  18.383 ms  18.406 ms
 5  62.115.137.106  19.947 ms  20.009 ms  20.105 ms
 6  62.115.113.84  19.020 ms  18.184 ms  18.194 ms
 7  72.14.243.44  17.788 ms  22.440 ms  22.462 ms
 8  * * *
 9  72.14.236.240  22.136 ms  22.148 ms  22.115 ms
10  209.85.248.109  23.025 ms  22.848 ms  22.542 ms
11  8.8.8.8  21.378 ms  21.378 ms  20.519 ms

 

DIG to Google DNS

 

# dig google.com @8.8.8.8  

; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.com @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached

QFX5100 lo0.0 Firewall Filter

 

 

> show log RE_FIREWALL | match 96.126.81.60 
Mar 27 20:30:24 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 49279 53 (2 packets)
Mar 27 20:30:29 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 49279 53 (2 packets)
Mar 27 20:30:34 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 56371 53 (2 packets)
Mar 27 20:30:39 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 56371 53 (2 packets)
Mar 27 21:04:52 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 52793 53 (2 packets)
Mar 27 21:04:57 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 52793 53 (2 packets)
Mar 27 21:05:02 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 45378 53 (2 packets)
Mar 27 21:05:08 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 45378 53 (2 packets)
Mar 27 21:39:20 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 39696 53 (2 packets)
Mar 27 21:39:25 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 39696 53 (2 packets)
Mar 27 21:39:30 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 58978 53 (2 packets)
Mar 27 21:39:35 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 58978 53 (2 packets)
Mar 27 22:01:48 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 37783 53 (1 packets)
Mar 27 22:01:53 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 37783 53 (1 packets)
Mar 27 22:01:58 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 37783 53 (1 packets)

 

QFX Configurations - Loopback 0

# show interfaces lo0.0 
family inet {
    filter {
        input PROTECT_RE_v4;
    }
    address 96.126.81.3/32;
}
family inet6 {
    filter {
        input PROTECT_RE_v6;
    }
    address 2607:f170:110:0::3/128;
}

QFX Configurations - Facing MX80 Router

# show interfaces ae1
flexible-vlan-tagging;
aggregated-ether-options {
    minimum-links 1;
    link-speed 10g;
    lacp {
        active;
        periodic fast;
    }
}
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members 1013;
        }
    }
}

# show interfaces irb.1013   
family inet {
    address 96.126.81.25/30;
}
family inet6 {
    address 2607:f170:110:1014::25/116;
}

QFX Configurations - Facing EX4200 Switch

# show interfaces ae4 
flexible-vlan-tagging;
aggregated-ether-options {
    minimum-links 1;
    link-speed 10g;
    lacp {
        active;
        periodic fast;
    }
}
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members [ 19-20 220-225 1016 2010 ];
        }
    }
}

# show interfaces irb.1016  
family inet {
    address 96.126.81.37/30;
}
family inet6 {
    address 2607:f170:110:1016::37/116;
}
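The RE_FIREWALL log above is the evidence for the whole post: every line is a discard on the lo0.0 filter, yet the destination is 8.8.8.8, not an address the switch owns. A loopback filter should only ever see packets addressed to the device itself, so a quick defender's check is to parse the PFE_FW_SYSLOG_IP lines and flag discards whose destination is not local. The code below is an added example, not part of the post or of Junos; the sample lines are constructed in the post's log format (the accept action "A" is an assumption, the post only shows "D"), and the set of local addresses is taken from the lo0.0 and irb configurations shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample lines in the PFE_FW_SYSLOG_IP format shown in the post.
# Line 1: transit DNS packet (server -> 8.8.8.8) discarded by the lo0.0 filter.
# Line 2: discard of traffic addressed to the switch itself (expected lo0 behaviour).
# Line 3: an accept; the "A" action code is assumed here, the post shows only "D".
SAMPLE_LOG = """\
Mar 27 20:30:24 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D udp 96.126.81.60 8.8.8.8 49279 53 (2 packets)
Mar 27 20:31:10 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 D tcp 203.0.113.9 96.126.81.3 51000 22 (1 packets)
Mar 27 20:31:15 qfx5100-01 fpc0 PFE_FW_SYSLOG_IP: FW: ae4.0 A icmp 96.126.81.60 96.126.81.37 0 0 (1 packets)
"""

# Addresses the QFX itself owns, taken from the lo0.0 and irb configurations in the post.
LOCAL_ADDRESSES = {"96.126.81.3", "96.126.81.25", "96.126.81.37"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<fpc>\S+) "
    r"PFE_FW_SYSLOG_IP: FW: (?P<ifl>\S+) (?P<action>[AD]) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+) \((?P<count>\d+) packets?\)$"
)


@dataclass(frozen=True)
class FirewallEvent:
    timestamp: str
    host: str
    ifl: str
    action: str      # "D" = discard, "A" = accept (assumed)
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    packets: int


def parse_line(line: str) -> Optional[FirewallEvent]:
    """Parse one PFE_FW_SYSLOG_IP line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return FirewallEvent(
        timestamp=g["ts"], host=g["host"], ifl=g["ifl"], action=g["action"],
        proto=g["proto"], src=g["src"], dst=g["dst"],
        sport=int(g["sport"]), dport=int(g["dport"]), packets=int(g["count"]),
    )


def parse_log(text: str) -> List[FirewallEvent]:
    """All parseable firewall events in a log excerpt, in file order."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def transit_drops(text: str, local_addresses: Set[str]) -> List[FirewallEvent]:
    """Discards whose destination is not an address owned by the switch.

    These are the symptom the post describes: transit traffic being evaluated
    (and dropped) by the lo0.0 input filter instead of being forwarded.
    """
    return [ev for ev in parse_log(text)
            if ev.action == "D" and ev.dst not in local_addresses]


def dropped_packets(events: List[FirewallEvent]) -> int:
    """Total packet count across the given events (the count in parentheses)."""
    return sum(ev.packets for ev in events)


if __name__ == "__main__":
    for ev in transit_drops(SAMPLE_LOG, LOCAL_ADDRESSES):
        print(f"{ev.timestamp} {ev.ifl}: transit {ev.proto} {ev.src}->{ev.dst}:{ev.dport} "
              f"discarded by lo0 filter ({ev.packets} packets)")
```

Run against the real `show log RE_FIREWALL` output with the switch's full set of lo0 and irb addresses; any hit means the loopback filter is seeing forwarded traffic, which is the condition to raise with JTAC together with the KB and PR linked above.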

DOT1x and Mac authentication for PC and Phone


Hey guys,

Has anyone had this issue before? I have an EX4200 switch with a phone and a PC connected to an access port. The PC uses dot1x authentication while the phone uses its MAC address to authenticate. Both are defined in the RADIUS server.

Now only one of the devices can authenticate at a time, not both. When the devices are chained, the phone authenticates. When the phone is bypassed, the PC authenticates, and I also get the error below:

 

Config:

set vlans vl0029 description Voice_VLAN
set vlans vl0029 vlan-id 29
set vlans vl0029 l3-interface irb.29


set vlans vl0500 description Corporate_users
set vlans vl0500 vlan-id 500
set vlans vl0500 l3-interface irb.500

 

set interfaces interface-range voip member-range ge-0/0/0 to ge-0/0/44
set protocols lldp-med interface voip
set switch-options voip interface voip vlan vl0029

 

set interfaces irb unit 500 family inet address 10.211.80.252/24

set interfaces irb unit 29 family inet address 10.215.10.252/24

 

set interfaces ge-0/0/16 unit 0 family ethernet-switching vlan members vl0500
set interfaces ge-0/0/16 unit 0 family ethernet-switching storm-control default


set protocols dot1x authenticator interface ge-0/0/16.0 supplicant single-secure
set protocols dot1x authenticator interface ge-0/0/16.0 mac-radius

 

ERROR:

Mar 28 10:44:21.911 2019 ukbslan002 pfex: DFWE DFW: Cannot program filter dot1x_ge-0/0/16 (type IRACL_LO) - TCAM has 0 free entries and the filter change requires 2 free entries

mac-move configuration, is it possible to exclude an interface ?


Hi all,

I'm trying to set up mac-move limitation with the requirements below.

  • When a MAC address flaps between 2 access interfaces (PC, phone, etc.), shut down one of the interfaces.
  • Exclude the interfaces where our 2 WiFi access points connect. The reason is that user MAC addresses sometimes flap when users change access point, and I don't wish to shut down the access point port.

I don't see any option for excluding an interface.
I see only the option of assigning action-priority, so I could give 7 to the access point interfaces and lower (3 or 4) to the rest.
The problem is that if there is a MAC move between the 2 interfaces where the access points connect, then according to the Junos docs, even though they have the same action-priority, the interface where the flapping MAC address was seen last will be shut down.
I was looking to assign priority 0 (maybe that excludes the interface) but could not find documentation for this.

Any suggestions?

Thanks

Aggregation not working for EX3400


Hi guys, I have an unusual issue. I am configuring link aggregation on my EX3400 for the first time and am experiencing the following issue. Can someone please have a look and tell me what I am missing? Thanks

Following is the configuration with the error message at the end.

SW_Lab# show interfaces ge-0/0/46
description "BACKUP ae0";
ether-options {
    802.3ad ae0;
}

SW_Lab# show interfaces ge-0/0/47
description "BACKUP ae0";
ether-options {
    802.3ad ae0;
}

{master:0}[edit]
SW_Lab# show interfaces ae0
description BACKUP;
aggregated-ether-options {
    minimum-links 1;
    link-speed 1g;
    lacp {
        active;
        periodic fast;
    }
}
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members 100;
        }
    }
}

{master:0}[edit]
SW_Lab# commit check
[edit]
  'unit 0'
     logical unit is not allowed on aggregated links
error: configuration check-out failed

 

EX4300 DHCP not working for phone vlan


I have an EX4300 set up with the following DHCP relay configuration. This switch is set up as an L3 switch.

 

forwarding-options {
    storm-control-profiles default {
        all;
    }
    dhcp-relay {
        server-group {
            AMI-DHCP {
                172.16.30.8;
            }
            AMI-Phone {
                172.16.128.11;
            }
        }
        active-server-group AMI-DHCP;
        group Data {
            interface irb.11;
        }
        group Phone {
            active-server-group AMI-Phone;
            interface irb.130;
        }
    }
}

Computers are on the data vlan (11 using irb.11) and phones are on the phone vlan (130 using irb.130).  When I plug a phone into a port (which has data configured as the member vlan and phone configured as the VOIP vlan), the phone cannot receive an IP address from the dhcp server.  However, if I plug a phone into a port (vlans configured the same as above) on a switch connected to the EX4300, it works fine.

 

So this works:

phone --> ex2200 --> ex4300 --> dhcp server

 

But this does not:

phone --> ex4300 --> dhcp server

 

Computers plugged into either switch receive an IP address without any problem.  This only occurs with the phones.

Juniper EX-4200 " Your Session has expired. Click OK to redirect to login page."


Hi,

I am having an issue with J-Web where the second I log in, it expires my session immediately.

Nothing works!

I tried to open permissions for the var folder,

tried to upgrade, which didn't work,

tried to change the settings for the session limit and idle sessions,

created a new user.

Nothing helped.

Please help!

 

 

knobs for proxy-arp


Hi folks,

 

Can anyone help me understand "restricted" proxy-arp? Is it that the ARP responses are made if the source and actual IP addresses are on unlike subnets? Is this understanding right?

 

Thanks!


Regarding telemetry logging


PoE devices were inducted to an EX switch; there are some issues around establishing connectivity, but unfortunately I don't see any telemetry logs even though it is enabled. Is there anything else to enable for this logging to function properly?

 

Thanks!

Juniper loopback interface & acl or firewall filter


Hi all,

I realize that whenever I configure a firewall filter on the local loopback interface that allows SSH and Telnet from a certain source IP (e.g. sourceIP-A) only, I lose the ability to ping the switch even if I come from sourceIP-A, which is white-listed. Is this normal?

q1) Does the loopback interface represent all traffic that is addressed to the Juniper switch/router itself? (e.g. traffic destined to an interface IP)

q2) If the above is right, and I only open SSH/Telnet to sourceIP-A, does that mean all the other control/routing protocol traffic that is addressed to the switch/router will no longer work (including ICMP)?

q3) Does that mean that if I want to restrict access via SSH/Telnet, I should create in the firewall filter on the local loopback interface:
- a term that allows SSH/Telnet from sourceIP-A
- a term that denies SSH/Telnet from all other IPs
- a term that allows all other traffic from anywhere, so that my ping and other traffic can still work as normal?

 

Regards,

Alan
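The behaviour in the post follows from how a stateless filter is evaluated: terms are tried in order, the first match decides, and a packet that matches no term hits the implicit discard at the end of the filter. A one-term filter that accepts SSH/Telnet from sourceIP-A therefore discards everything else that is addressed to the device, ping included. The Python model below is an added example (not the post's or Junos's own code) that reproduces that first-match semantics for the single-term filter and for the three-term layout asked about in q3; the addresses are constructed stand-ins for sourceIP-A and other hosts, and the term names are invented.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the post's "sourceIP-A" (the trusted management source).
TRUSTED_SOURCE = "198.51.100.0/24"
SSH, TELNET, BGP = 22, 23, 179


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Term:
    """One term of a stateless filter: every listed condition must match
    (an empty condition matches anything)."""
    name: str
    action: str                            # "accept" or "discard"
    source_prefixes: Tuple[str, ...] = ()
    protocols: Tuple[str, ...] = ()
    dports: Tuple[int, ...] = ()

    def matches(self, pkt: Packet) -> bool:
        if self.source_prefixes and not any(
            ip_address(pkt.src) in ip_network(p) for p in self.source_prefixes
        ):
            return False
        if self.protocols and pkt.proto not in self.protocols:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation; a packet matching no term hits the implicit
    discard that ends every Junos filter."""
    for term in terms:
        if term.matches(pkt):
            return term.action, term.name
    return "discard", "<implicit-discard>"


# The filter as the post describes it: one term permitting SSH/Telnet from sourceIP-A.
ORIGINAL_FILTER = [
    Term("allow-mgmt-from-A", "accept", (TRUSTED_SOURCE,), ("tcp",), (SSH, TELNET)),
]

# The three-term layout the post asks about in q3.
CORRECTED_FILTER = [
    Term("allow-mgmt-from-A", "accept", (TRUSTED_SOURCE,), ("tcp",), (SSH, TELNET)),
    Term("deny-mgmt-from-others", "discard", (), ("tcp",), (SSH, TELNET)),
    Term("allow-everything-else", "accept"),
]

# Constructed packets addressed to the device: the ping that disappears in the post,
# management from the trusted and an untrusted source, and a BGP session from a peer.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "ping-from-A": Packet("198.51.100.10", "icmp"),
    "ssh-from-A": Packet("198.51.100.10", "tcp", SSH),
    "ssh-from-other": Packet("203.0.113.7", "tcp", SSH),
    "bgp-from-peer": Packet("203.0.113.1", "tcp", BGP),
}


def verdicts(terms: List[Term]) -> Dict[str, str]:
    """Action taken on each sample packet by the given filter."""
    return {label: evaluate(terms, pkt)[0] for label, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, terms in (("original", ORIGINAL_FILTER), ("corrected", CORRECTED_FILTER)):
        print(name, verdicts(terms))
```

The three-term layout restores ping and the routing protocols, but its final accept-all term also gives up most of the protection a loopback filter exists to provide; in practice that last term is usually narrowed to the protocols the device actually needs to receive (ICMP, the routing protocols in use, NTP, and so on) and followed by a logging discard, which is exactly the trade-off the `PROTECT_RE_v4` filter in the QFX5100 post above is making.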

 

 

EX4300 Mgmt Interface (me0)

Hello all, I'm currently in the process of upgrading my EX-4200s to EX-4300s, but I'm running into a problem I'm wondering if anyone else has seen.

The Mgmt interface on my EX-4300 connects to a media converter via Cat 6 and then spans across a few rooms to another media converter using multimode fiber. The other end of the cable connects to an EX-4200. What I'm running into is that once I swap out the EX-4200 with the 4300, the media converter that is in use doesn't link up with the EX-4300's Mgmt port. No lights are seen on the Mgmt port and the port remains up/down. Has anyone else seen this behavior? The same hardware and configuration setup worked with the EX-4200 being in place.

I've attached the diagram to this post. In the diagram, Room D is what is being swapped from an EX-4200 to an EX-4300. With the EX-4200 connected in Room D, no problems are experienced on the Mgmt interface. As soon as we move the connection to the EX-4300, no lights are seen on the EX-4300. We have also rebooted both media converters. Initially we thought it was a fluke, but this behavior has been seen on two other switches.

Multicasting to support VOIP paging


I have an Allworx VOIP PBX system located at our central site. It uses multicast to allow a phone to page a group of phones. This works correctly on the local network. We have multiple remote sites with phones connecting back to the PBX. The remote sites are using EX2200 switches. The switch is connected to the central site with a 100mbps layer 2 Metro E line. The central site uses a Fortigate 200E. Each site has its own VOIP VLAN. Multicast traffic is enabled on the Fortigate between the appropriate VLANs. All phone functions work except for paging groups which use multicast. It seems like the problem is in the EX2200 configuration.

 

A trunked port carrying multiple VLANs is connected to the Metro E line. The phones are on their own trunked ports. I need to allow the multicast traffic to pass back and forth between the phones and the PBX. So, port 47 is the Metro E and the phones are on several ports all belonging to the same VLAN.

 

After a good amount of digging, I think I need help to go further.

Proper steps to downgrade a virtual-chassis


Hi all,

I am doing some testing and need to downgrade my virtual chassis from 17.4 to 17.3.

NSSU can't work for a downgrade.

I've been googling around but I am not able to find the right steps to properly downgrade a virtual chassis with minimum downtime.

q1) Should I connect to the backup switch (e.g. request session member 2) and issue a request system software add ... reboot?

q2) When the member switch with the older version is back up, does it still join back the virtual chassis? Will it remain in inactive status? (How does Juniper determine which switch becomes inactive? Shortest uptime?)

q3) When the member switch is back, if it remains inactive, should I then proceed to issue request system software add ... reboot on the master switch? When the master switch reboots, will the inactive member switch become the new master?

Does this mean I will have downtime for a virtual chassis firmware downgrade?

I am using 2 x qfx5100-48s-6q to set up my virtual-chassis.

Hope the gurus here can shed some light.

 

Thank you!

 

Regards,

Alan

DAC between a EX3400 and a EX2300 NOT WORKING


Hi,

I just put an EX-SFP-10GE-DAC-5M between an EX3400 (15.1X53-D52) and an EX2300 (15.1X53-D58.3) and it's not working.

The green LEDs under the SFPs are on continuously and do not flash.

We should get a simple connection between these 2 pieces of hardware.

Is there a special configuration?

Any help or thing to check?

 

Thanks.

Virtual chassis integration with Windows servers' "switch independent" NIC teaming mode vs NSSU


Hi all,

  • I have a pair of qfx5100-48s-6q and a virtual-chassis is set up.
  • I have graceful switchover, nonstop routing and nonstop bridging enabled.
  • I have a Windows server with 2 NIC ports connected to each switch in the virtual chassis. The switch ports are in L2 access mode; there is no trunking.
  • The Windows server's 2 NIC ports are configured with NIC teaming (switch independent mode), which is not LACP.
  • A Hyper-V VM in the Windows server is running on top of the vSwitch (created on top of the team interface above).

And I encounter the below behaviour during NSSU:

  • Throughout the NSSU, ping to the switch VLAN interface seems OK, apart from a ping lost during the master switch reboot - OK
  • But I started losing connectivity to the Windows server host when the NSSU shows "Preparing ISSU... Switchover ready" - NOT OK
  • The even weirder part is that I can still ping the guest VM while I lose connectivity to its host. - NOT OK
  • During the master switch reboot, I also encounter quite a significant number of packet losses to the guest VM. - NOT OK

[attached image: Capture.JPG]

Why can I ping the virtual chassis VLAN interface with almost no failures, but not the Windows server host connected to the switch?

Can a virtual-chassis work with this Windows server (switch independent mode) NIC teaming?

Is my virtual chassis having an issue? What could be wrong....

Regards,

Alan



PVLAN config for EX3400 (ELS)


Hi,
I have the following config for PVLAN on an EX3300. Please let me know how I can implement the same on an EX3400, as it has ELS and there are some differences. Thanks

 

    vlan100 {
        description "Primary VLAN";
        vlan-id 100;
        interface {
            xe-0/1/0.0 {
                pvlan-trunk;
            }
            xe-0/1/2.0 {
                pvlan-trunk;
            }
        }
        no-local-switching;
        isolation-id 200;
    }

 

 

old messages on QFX


Hi All,

How do I grab all old messages after rebooting the QFX VC?

 

 

Thx

Arix

IPFIX export on QFX10002


Hello,

We have as our ASBRs 3 qfx10002-36q running Junos 17.3R3-S1.5, and I want to export IPFIX flows to a server.

Note that the traffic we want to export flows for comes from interfaces belonging to the routing-instance "VR" of type virtual-router, and our flow collector is connected to the default routing table "inet.0" and reachable.

The IPFIX configuration is good but no flows are seen on my server.

So I have a question: can flows be exported from virtual-router interfaces to a server that sits in the global routing table "inet.0"?

 

thanks for your reply

 

EX 2300 native vlan


Experts,

 

Migrated config from EX2200 to EX2300

unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members [ 1-3 5 10 20-25 40 50 60 80 90-91 93 95-96 98 101-102 115 150 155 170 180 194 ];
        }
        ##
        ## Warning: statement ignored: unsupported platform (ex2300-c-12p)
        ##
        native-vlan-id 70;
    }
}

 

Any thoughts how to fix that? 
