Channel: Ethernet Switching topics

EX4200 RVI, forwarding option, Gateway and virtual IP error


Hi and thanks in advance

 

I have 8 EX4200 like my IDF CORE 

 

This one connects to 10  more virtual chassis

 

This IDF-CORE has a Virtual IP, Virtual router, or whatever is its name  10.72.0.30

 

This is the Default Gateway

So every IDF, host, ANYTHING connected to the LAN gets this default gateway and everything works fine.

 

BUT I do not understand how this works, I mean, 

Every VLAN has its own L3 interface (RVI?)

 

aromay@AGC-IDF-CORE-PR> show interfaces terse | match vlan
vlan up up
vlan.0 up up inet 10.72.0.41/22
vlan.1 up up inet 10.71.0.101/22
vlan.2 up up inet 10.72.17.1/24
vlan.3 up up inet 192.168.0.100/24
vlan.4 up up inet 10.72.18.1/24
vlan.5 up up inet 10.72.4.1/22
vlan.6 up up inet 10.74.0.1/24
vlan.7 up up inet 10.72.8.1/22
vlan.8 up up inet 10.72.12.1/22
vlan.14 up up inet 10.72.24.1/22
vlan.15 up up inet 10.72.28.1/22
vlan.16 up up inet 10.72.32.1/22
vlan.18 up up inet 10.72.40.1/22
vlan.19 up up inet 10.72.36.1/22
vlan.27 up up inet 10.72.72.30/24
vlan.28 up down inet 10.72.20.1/24
vlan.29 up up inet 10.72.251.2/24
vlan.31 up up inet 10.255.0.1/21
vlan.555 up down inet

 

so when i try to see the default route i get

 

aromay@AGC-IDF-CORE-PR> show route brief

inet.0: 45 destinations, 46 routes (45 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 2w2d 23:40:01
> to 10.72.0.53 via vlan.0
10.71.0.0/22 *[Direct/0] 2w2d 23:40:00
> via vlan.1
10.71.0.101/32 *[Local/0] 2w2d 23:40:22
Local via vlan.1
10.72.0.0/22 *[Direct/0] 2w2d 23:40:02
> via vlan.0
10.72.0.41/32 *[Local/0] 2w2d 23:40:22
Local via vlan.0
10.72.4.0/22 *[Direct/0] 2w2d 23:39:59
> via vlan.5
10.72.4.1/32 *[Local/0] 2w2d 23:40:22
Local via vlan.5
10.72.8.0/22 *[Direct/0] 2w2d 23:39:59
> via vlan.7
10.72.8.1/32 *[Local/0] 2w2d 23:40:22
Local via vlan.7
10.72.12.0/22 *[Direct/0] 2w2d 23:39:59
> via vlan.8
10.72.12.1/32 *[Local/0] 2w2d 23:40:22
Local via vlan.8
10.72.17.0/24 *[Direct/0] 2w2d 23:39:57
> via vlan.2
10.72.17.1/32 *[Local/0] 2w2d 23:40:22
Local via vlan.2
10.72.18.0/24 *[Direct/0] 2w2d 23:39:55
> via vlan.4
10.72.18.1/32 *[Local/0] 2w2d 23:40:22
Local via vlan.4
10.72.20.1/32 *[Local/0] 2w2d 23:40:21
Reject
10.72.24.0/22 *[Direct/0] 2w2d 23:39:57
> via vlan.14
10.72.24.1/32 *[Local/0] 2w2d 23:40:22
Local via vlan.14
10.72.28.0/22 *[Direct/0] 2w2d 23:39:59
> via vlan.15
10.72.28.1/32 *[Local/0] 2w2d 23:40:22
Local via vlan.15
10.72.32.0/22 *[Direct/0] 2w2d 23:39:57
> via vlan.16
10.72.32.1/32 *[Local/0] 2w2d 23:40:22
Local via vlan.16
10.72.36.0/22 *[Direct/0] 2w2d 23:39:59
> via vlan.19
10.72.36.1/32 *[Local/0] 2w2d 23:40:21
Local via vlan.19
10.72.40.0/22 *[Direct/0] 2w2d 23:40:00
> via vlan.18
10.72.40.1/32 *[Local/0] 2w2d 23:40:22
Local via vlan.18
10.72.72.0/24 *[Direct/0] 2w2d 23:40:00
> via vlan.27
[Static/5] 2w2d 23:40:01
> to 10.72.0.164 via vlan.0
10.72.72.30/32 *[Local/0] 2w2d 23:40:21
Local via vlan.27
10.72.73.0/24 *[Static/5] 2w2d 23:40:01
> to 10.72.0.163 via vlan.0
10.72.251.0/24 *[Direct/0] 2w2d 23:40:00
> via vlan.29
10.72.251.2/32 *[Local/0] 2w2d 23:40:21
Local via vlan.29
10.74.0.0/24 *[Direct/0] 2w2d 23:40:01
> via vlan.6
10.74.0.1/32 *[Local/0] 2w2d 23:40:22
Local via vlan.6
10.255.0.0/21 *[Direct/0] 2w2d 23:40:02
> via vlan.31
10.255.0.1/32 *[Local/0] 2w2d 23:40:21
Local via vlan.31
161.190.1.4/32 *[Static/5] 2w2d 23:40:01
> to 10.72.0.53 via vlan.0
161.190.1.6/32 *[Static/5] 2w2d 23:40:01
> to 10.72.0.53 via vlan.0
161.190.1.33/32 *[Static/5] 2w2d 23:40:01
> to 10.72.0.53 via vlan.0
192.168.0.0/24 *[Direct/0] 2w2d 23:39:57
> via vlan.3
192.168.0.100/32 *[Local/0] 2w2d 23:40:22
Local via vlan.3
192.168.1.41/32 *[Local/0] 2w2d 23:40:21
Reject
192.168.90.0/24 *[Static/5] 2w2d 23:40:01
> to 10.72.0.20 via vlan.0
192.168.91.0/24 *[Static/5] 2w2d 23:40:01
> to 10.72.3.210 via vlan.0
192.168.100.0/24 *[Static/5] 2w2d 23:40:01
> to 10.72.3.251 via vlan.0
224.0.0.22/32 *[IGMP/0] 2w2d 23:40:29
MultiRecv

 

so WHERE is my default gateway?

 

it seems that every vlan goes thru its default L3 interface/router/gateway, but...in some point they should "find" 10.72.0.30

 

how do I check that?

 

I can only get this

 

dhcp {
    domain-name MYDOMAIN;
    name-server {
        10.72.0.1;
        10.72.0.2;
    }
    domain-search {
        MYDOMAIN;
    }
    wins-server {
        10.72.0.1;
        10.72.0.2;
    }
    router {
        10.72.0.30;
        10.71.0.1;
        10.71.0.101;
        10.72.4.1;
        10.72.4.2;
        10.72.4.3;
        10.72.4.4;
        10.72.8.2;
        10.72.8.1;
        10.72.36.2;
        10.72.36.1;
        10.72.16.1;
        10.72.16.2;
    }
    boot-server 10.72.0.1;
    server-identifier 10.72.0.1;
}

 

and this

 

vlan {
    unit 0 {
        family inet {
            address 10.72.0.41/22 {
                vrrp-group 1 {
                    virtual-address 10.72.0.30;
                    priority 254;
                }
            }
        }
    }

so, what's the deal?

 

I have to connect a Cisco 2960 with the same VLANs but I do not know where to point the default gateway! If I point it to 10.72.0.30 it doesn't work, I cannot "get out", nor get an IP from DHCP 10.72.01

 

??

 

any help?

 

Thanks in advance

 

 


Purpose of using tag numbers/values in routing table


What is the use of tag values in routing on EX series switches?

How do I use tag numbers during implementation?

 

Please provide me any example .

 

Thanks !!

 

 

 

Configuring Member Ports in VC


Hi All,

 

I setup a standalone switch with all relevant vlans and switch configurations needed before creating a VC. I then created a VC by adding two additional ex4300s and configured one as a backup RE. When I do a show interface terse, I only see the interfaces for the master. None for the line card or backup...

 

Am I missing something here?

 

Apologies if this is an easy question. I would assume once added the other ports would show. I followed the ex4300 VC feature guide and didn't see information regarding this event. 

 

Thanks in advance!

EX4500 12.3R10 doesn't support GRE?


I have an EX4500 and need to configure a GRE tunnel, but I found there are no gr ports.

The system version is:

EX4500-1> show version
fpc0:
--------------------------------------------------------------------------
Hostname: SRN-EX4500-1
Model: ex4500-40f
JUNOS Base OS boot [12.3R10.2]
JUNOS Base OS Software Suite [12.3R10.2]
JUNOS Kernel Software Suite [12.3R10.2]
JUNOS Crypto Software Suite [12.3R10.2]
JUNOS Online Documentation [12.3R10.2]
JUNOS Enterprise Software Suite [12.3R10.2]
JUNOS Packet Forwarding Engine Enterprise Software Suite [12.3R10.2]
JUNOS Routing Software Suite [12.3R10.2]
JUNOS Web Management [12.3R10.2]
JUNOS FIPS mode utilities [12.3R10.2]

 

And there's no tunnel-port command on EX4500

EX4500-1# set fpc 0 pic 0 ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
  no-multi-rate Disable multi-rate mode
> q-pic-large-buffer Run in large delay buffer mode
> sfpplus Sfpplus configuration option

 

But another EX4200 with 12.3R4 has this command:

EX4200# set chassis fpc 0 pic 0 ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
  no-multi-rate Disable multi-rate mode
> q-pic-large-buffer Run in large delay buffer mode
> sfpplus Sfpplus configuration option
> tunnel-port Tunnel port number

EX2200 Virtual Chassis Cabling


 When making a VC out of 3 EX2200 switches, is the cabling similar to how you can cable a 3300? For example, if I make 2 VC ports on each switch can I cable them in a daisy chain ring? I haven't been able to find if there are any limitations as far as cabling goes.

 

Thanks.

Port throughput


Hello

 

Is there any way to check the throughput of each port in EX series switch so that we can determine the actual data flow  ?

 

 

Thanks in advance !!!

 

 

 

"Missing" VC ports in EX 4550 virtual chassis


Hi all,

About 6 months ago, we added a 5th member to our then 4-member EX4550 VC. This new switch has an 8-port 10G module installed in it:

 

FPC 4            REV 08   750-039070   LY0*********      EX4550-32T
  CPU                     BUILTIN      BUILTIN           FPC CPU
  PIC 0                   BUILTIN      BUILTIN           32x 100m/1G/10G Base-T
  PIC 1          REV 07   711-039080   LV0*********      8x 1G/10G SFP/SFP+

The VC member ports are fed off that 10G module. The VC works and all is good on that front, but I cannot seem to query those VCPs from the plain 'show interfaces' command. Here's my 'show virtual-chassis vc-port' which does show them:

 

> show virtual-chassis vc-port 
fpc0:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
0/30        Configured         -1    Up           10000        2   vcp-255/0/30
0/31        Configured         -1    Up           10000        1   vcp-255/0/30

fpc1:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
0/30        Configured         -1    Up           10000        0   vcp-255/0/31
0/31        Configured         -1    Up           10000        4   vcp-255/1/0

fpc2:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
0/30        Configured         -1    Up           10000        0   vcp-255/0/30
0/31        Configured         -1    Up           10000        3   vcp-255/0/30

fpc3:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
0/30        Configured         -1    Up           10000        2   vcp-255/0/31
0/31        Configured         -1    Up           10000        4   vcp-255/1/1

fpc4:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
1/0         Configured         -1    Up           10000        1   vcp-255/0/31
1/1         Configured         -1    Up           10000        3   vcp-255/0/31

And here are my 'show interfaces' commands which show me the vcp ports at 255/0/30 and 255/0/31, but nothing at 255/1/n:

> show interfaces vcp-255/0/3?
Possible completions:
  <interface-name>     Name of physical or logical interface
  vcp-255/0/30
  vcp-255/0/30.32768
  vcp-255/0/31
  vcp-255/0/31.32768
{master:0}
> show interfaces vcp-255/1/?
Possible completions:
  <interface-name>     Name of physical or logical interface
{master:0}

These two vcps also do not show up in SNMP queries of the interfaces MIB, while the others do.

 

The problem I am trying to solve is that we monitor the vcp-255/0/n ports within our NMS and are alerted if they go down. Since the vcp-255/1/n ports don't show up, we are forced to use the virtual chassis MIB to monitor the status of the ports, which makes things more complicated simply because of the nature of our NMS. Is there a particular reason why these ports are not available through SNMP and the CLI like the others?

show log messages output


Hello

 

Please share the possible reasons for these log messages being generated on an EX4200 switch

 

> jdhcpd: DH_SVC_SENDMSG_FAILURE: sendmsg() from 10.170.11.2 to port 67 at 10.26.101.200 via interface 71 and routing instance default failed: No route to host

> jdhcpd: DH_SVC_SENDMSG_FAILURE: sendmsg() from 10.170.11.2 to port 67 at 10.26.101.201 via interface 71 and routing instance default failed: No route to host

 

 

Thanks in advance!!


Steps to configure DHCP relay configuration using Server Groups in EX series switches

  1. Create the server group name along with IP address

set forwarding-options dhcp-relay server-group <name> ip address

set forwarding-options dhcp-relay server-group <name> ip address

  2. Setting dhcp relay interfaces group request to newly created server group

set forwarding-options dhcp-relay group Clients active-server-group <NAME>

  3. Applying and using dhcp relay group to applicable vlan interfaces

set forwarding-options dhcp-relay group Clients interface vlan.x

set forwarding-options dhcp-relay group Clients interface vlan.xx

Voice VLAN


Hi to all,

 

One of the challenges I faced today at work is a customer requesting to block data traffic on an EX port configured as access data / voice vlan:

 

set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members Data-only
set ethernet-switching-options voip interface ge-0/0/2.0 vlan VOIP-only
set vlans Data-only vlan-id 203
set vlans VOIP-only vlan-id 303
set protocols lldp interface all
set protocols lldp-med interface all

 

without the forwarding class statement:

set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding

 

Only an IP phone was connected to this port, and that's it. So, if an external user got physical access to this switch, he could disconnect the IP phone and connect his laptop, and start surfing the internet and internal sites.

The customer requested to block this scenario.

 

We came across those three options:

1- ACL at the L3 backbone switch or policy in the firewall, which is blocking 80\443 ports towards any, and accepting only DHCP traffic toward the DHCP server and RTP + high ports toward the CUCM server and all other voice ports.

2- Installing a NAC server, which can identify the vendor of the connected device from the OUI of its MAC, and allowing or blocking via fingerprints \ OUI policies configured on the NAC server (such as a Portnox server).

3- A simple but very basic solution is to configure port-security sticky (persistent-learning). This solution could be hacked if the external end user knows how to change his laptop MAC address to the MAC of the IP phone. Also, a clear command is needed every time you need to move the IP phone to another port. (lazy administrator -_- I know)

[edit ethernet-switching-options secure-access-port]

set interface ge-0/0/2 mac-limit 1

set interface ge-0/0/2 persistent-learning

or manually:

set interface ge-0/0/2 allowed-mac 00:01:02:03:04:05

 

I'll be glad if someone has a different opinion.
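A configuration check for option 3 above, as an added example that is not part of the original post: it reads Junos "set" lines of the form quoted in the post and reports, for each port with a voice VLAN, which MAC restriction is configured. The sample configuration is constructed, ports ge-0/0/3 and ge-0/0/4 are made up, and the status labels are this example's own; only per-port statements are recognised.

```python
import re

# Constructed sample in Junos "set" format, built from the statements quoted
# in the post. Ports ge-0/0/3 and ge-0/0/4 are made up for the example.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members Data-only
set ethernet-switching-options voip interface ge-0/0/2.0 vlan VOIP-only
set ethernet-switching-options voip interface ge-0/0/3.0 vlan VOIP-only
set ethernet-switching-options voip interface ge-0/0/4.0 vlan VOIP-only
set ethernet-switching-options secure-access-port interface ge-0/0/2 mac-limit 1
set ethernet-switching-options secure-access-port interface ge-0/0/2 persistent-learning
set ethernet-switching-options secure-access-port interface ge-0/0/4 allowed-mac 00:01:02:03:04:05
"""

VOIP_RE = re.compile(
    r"^set ethernet-switching-options voip interface (\S+) vlan (\S+)")
SAP_RE = re.compile(
    r"^set ethernet-switching-options secure-access-port interface (\S+) (\S+)(?: (\S+))?")


def port_name(ifname):
    """Drop the logical unit so ge-0/0/2.0 and ge-0/0/2 compare equal."""
    return ifname.split(".", 1)[0]


def classify(ctl):
    """Map the collected secure-access-port settings to a status label."""
    if ctl["allowed_macs"]:
        return "allowed-mac"
    if ctl["mac_limit"] == 1 and ctl["persistent"]:
        return "sticky-mac"
    if ctl["mac_limit"] is not None:
        return "mac-limit-only"
    return "none"


def audit_voice_ports(config_text):
    """Return {port: status} for every port that has a voice VLAN."""
    voice_ports = set()
    controls = {}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        m = VOIP_RE.match(line)
        if m:
            voice_ports.add(port_name(m.group(1)))
            continue
        m = SAP_RE.match(line)
        if not m:
            continue
        port, key, value = port_name(m.group(1)), m.group(2), m.group(3)
        ctl = controls.setdefault(
            port, {"allowed_macs": [], "mac_limit": None, "persistent": False})
        if key == "allowed-mac" and value:
            ctl["allowed_macs"].append(value.lower())
        elif key == "mac-limit" and value and value.isdigit():
            ctl["mac_limit"] = int(value)
        elif key == "persistent-learning":
            ctl["persistent"] = True
    empty = {"allowed_macs": [], "mac_limit": None, "persistent": False}
    return {p: classify(controls.get(p, empty)) for p in sorted(voice_ports)}


if __name__ == "__main__":
    for port, status in audit_voice_ports(SAMPLE_CONFIG).items():
        print(f"{port}: {status}")
```

As the post notes, both MAC-based settings only check the source MAC, so a port reported as restricted still depends on options 1 or 2 for anything stronger.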

EX4500 Backplane throughput and PPS per PFE


Dears ,

 

   I need to monitor the actual load of EX4500 backplane ( in each PFEs) in term of throughput and PPS , any way to do that ? ( similar to "show fabric utilisation all" in CISCO catalyst )

 

Br.

Kayssar

EX4300 QinQ Compatibility with cisco 3750


Having problems tunneling vstp 

 

Cisco Customer Switch---->  g1/0/4 Cisco 3750(CPE) g1/0/5---->ge-0/0/1  EX4300(CPE) ge-0/0/2---->Cisco Customer Switch

QinQ tunnel is done between Cisco 3750 and EX4300.

Everything works except vstp; the Cisco switch cannot see BPDUs incoming from the far end in vstp.

While rstp works.

 

EX4300 Config:

 

# show protocols layer2-control
mac-rewrite {
    interface ge-0/0/2 {
        protocol {
            stp;
            vtp;
            cdp;
            vstp;
        }
    }
}

# show interfaces

ge-0/0/1 {
    flexible-vlan-tagging;
    native-vlan-id 906;
    mtu 9216;
    encapsulation extended-vlan-bridge;
    unit 32 {
        vlan-id 32;
    }
    unit 910 {
        vlan-id 910;
    }
}

ge-0/0/2 {
    description C3750-2;
    flexible-vlan-tagging;
    native-vlan-id 906;
    mtu 9216;
    encapsulation extended-vlan-bridge;
    unit 0 {
        vlan-id-list 1-4094;
        input-vlan-map push;
        output-vlan-map pop;
    }
}

# show vlans

QinQ_Interface {
    interface ge-0/0/1.910;
    interface ge-0/0/2.0;
}

 

Cisco 3750 CPE Config:

 

interface GigabitEthernet1/0/5
description towards ex4300 ge-0/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
speed 100
!

 

interface GigabitEthernet1/0/4
description "To C2960"
switchport access vlan 910
switchport mode dot1q-tunnel
load-interval 60
speed 100
l2protocol-tunnel cdp
l2protocol-tunnel lldp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
!

 

-----------------------------------------------------------------------------------

CDP works, RSTP works but vstp doesn't work.

Both Cisco customer switches think they are root when issuing the command show spanning tree

 

 

Anyone has an idea what's going on ?

login message banner


hello guys-

 

 

I am trying to copy a login banner I was using in Cisco. For some reason I am not able to use this banner in Juniper; maybe I am doing something wrong, I am kinda new to Juniper. How can I get this banner to work in Juniper?

 


#########################################################################
##                                                                                                                                         ##
##                                 {}                                                                                                      ##
## ,           A                  {}                                                                          ############# ##
##         / \, | , .--.                                                                                     ## !!WARNING!! ## ##
## | =|= > /.--.\                                                                                        ################# ##
## \ /` | ` |====| ##
## ` | |`::`| ##
## | .-;`\..../`;_.-^-._ You have accessed a restricted ##
## /\\/ / |...::..|` : : `| device. It is for official and ##
## |:'\ | /'''::''| .:.:. | authorized use only. You have ##
## \ /\;-,/\ :: |.:::.:::.| no expectation of privacy in ##
## |\ <` > >._::_.| '::.::' | its use. To ensure that the ##
## | `""` / ^^ | ':.:' | device is functioning properly ##
## | | \ :.: / individuals using this system ##
## | | \ : : / are subject to having all of ##
## | |___/\___|`-.:.-` their activities monitored and ##
## | \_ || _/ recorded. ##
## | <_ >< _> ##
## | | || | Last Updated September 22 2014 ##
## | | || | ##
## | _\.:||:./_ ##
## | /____/\____\ ##
## ##
#########################################################################

QFX5100 not getting a dhcp address on the mgmt interface


Hi all

 

I have a QFX5100 that I am configuring. I connected the ethernet mgmt port to my DHCP server and set em0 unit 0 to receive DHCP, but still it is not getting a DHCP address. What's going on?

 

Thanks

 

Here is my config for the mgmt interface:

em0 {
    unit 0 {
         family inet {
               dhcp{
                        vendor-id Juniper-qfx5100-48s-6q;
               }
         }
    }
}

em1 {
       unit 0 {
              family inet {
                          dhcp {
                                  vendor-id Juniper-qfx5100-48s-6q;
                           }
               }
        }
}

Thanks

EX 4200 - Got Tx underrun for Port:1


Hi guys,

I have an EX 4200, JUNOS 12.3R10.2, and a strange message:

 

Jun 28 16:17:29 ex4200 chassism[1349]: cm_cheetah_ifd_read_port_intr_cause: Got Tx underrun for Port:1
Jun 28 16:17:35 ex4200 chassism[1349]: cm_cheetah_ifd_read_port_intr_cause: Got Tx underrun for Port:1
Jun 28 16:17:35 ex4200 /kernel: simulated intr
Jun 28 16:17:37 ex4200 chassism[1349]: cm_cheetah_ifd_read_port_intr_cause: Got Tx underrun for Port:1

 

Can somebody explain what this message is?

 

Thanks


SNMP check for queue data rate


On my SRX devices, I'm successfully monitoring CoS queue data rates using the jnxCosQstatTxedByteRate OID, but a query on EX devices always returns a rate of zero, even though the xmit byte count is increasing.

 

For example:

> show snmp mib walk jnxCosQstatTxedBytes.749
jnxCosQstatTxedBytes.749.0 = 49635243589049

> show snmp mib walk jnxCosQstatTxedByteRate.749
jnxCosQstatTxedByteRate.749.0 = 0

I'm 100% certain the current byte rate is much greater than zero based on the topology and other SRX monitors so I'm wondering if the EX simply doesn't support queue rate tracking, but I haven't turned up any documentation yet to confirm.  Does anyone have any insight?

 

Thanks

Virtual Chassis EX4550


Hi guys, I have a Virtual Chassis with two EX4550s. The VC ports are configured on electrical ports, I mean not on optical ports, and the Virtual Chassis is up. Is it necessary to enable failover on the xe- ports? Right now failover on the xe- ports is enabled. I read about this but I'm not sure. Thanks, regards.

Cannot get native vlan to pass data traffic on ELS EX4300


Hi guys,

 

I am new to Junos. Having trouble getting native vlan to work for WAPs. I also tested with a Cisco 3560 with no luck. However, the config was working on the old EX2200. I also used the ELS translator and confirmed all commands are there. Anyone have ideas?

 

Cannot ping 10.1.51.254 to 10.1.51.200 but can ping 172.16.2.254 to 172.16.2.200

 

Test setup with EX4300 ge-0/0/10 <-> fa0/4 cisco 3560

EX4300 

set interfaces ge-0/0/10 native-vlan-id 51
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 2-15
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members 51

 

set interfaces irb unit 2 family inet address 172.16.2.254/24
...
set interfaces irb unit 51 family inet address 10.1.51.254/24
set vlans AREA51 vlan-id 51
set vlans AREA51 l3-interface irb.51
set vlans vlan2 vlan-id 2
set vlans vlan2 l3-interface irb.2
...

 

show ethernet-switching interface ge-0/0/10
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop,
LH - MAC limit hit, DN - interface down,
SCTL - shutdown by Storm-control,
MMAS - Mac-move action shutdown, AS - Autostate-exclude enabled)

Logical Vlan TAG MAC STP Logical Tagging
interface members limit state interface flags
ge-0/0/10.0 65535 tagged
vlan3 3 65535 Forwarding tagged
....
AREA51 51 65535 Forwarding untagged
vlan2 2 65535 Forwarding tagged

 

Cisco 3560

interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 51
switchport trunk allowed vlan 2-15
switchport mode trunk

 

interface Vlan2
ip address 172.16.2.200 255.255.255.0
!
interface Vlan51
ip address 10.1.51.200 255.255.255.0

 

show interfaces switchport
Name: Fa0/4
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 51 (VLAN0051)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 2-15
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

 

Thanks.

 

QFX5100 Junos 15.1 xSTP and ELS-style trunk interfaces


Experimenting with Junos 15 on QFX.

Is there a way to enable STP protocol on a physical interface configured in ELS style?

It works on 14.1, but not on 15.1:

 

# show interfaces xe-0/0/46
flexible-vlan-tagging;
encapsulation extended-vlan-bridge;
unit 701 {
vlan-id 701;
}
# show protocols rstp
interface xe-0/0/46;
'interface'
XSTP : Interface xe-0/0/46 is not enabled for Ethernet Switching

 

Also, the 'interface' statement in /protocols/xstp is not accepting a unit.

Trigger Port Filter by RADIUS Policy


Hi,

 

I've got the following problem:

I set up 802.1X on my EX2200 and it seems to work fine, but if someone fails the first policy on my RADIUS I want to trigger a port filter on the interface the person is connected to (only DHCP allowed on the interface). The filter works fine but I can't manage to trigger it using a VSA. I tried VSA 11 & 48 so far. My RADIUS is a Windows Server 2012 R2; my dot1x config looks like this:

 

dot1x {
    authenticator {
        authentication-profile-name 8021X-Profile;
        static {
            ---:--:--:--:--:--/48 {
                vlan-assignment test;
                interface ge-0/0/0.0;
            }
            ---:---:---:--:--:--/48 {
                vlan-assignment test;
                interface ge-0/0/0.0;
            }
        }
        interface {
            ge-0/0/0.0 {
                supplicant multiple;
                reauthentication 3600;
            }
            ge-0/0/1.0 {
                supplicant multiple;
                reauthentication 3600;
            }
            ge-0/0/2.0 {
                supplicant multiple;
                reauthentication 3600;
            }
            ge-0/0/3.0 {
                supplicant multiple;
                reauthentication 3600;
            }
            ge-0/0/4.0 {
                supplicant multiple;
                reauthentication 3600;
            }
            ge-0/0/5.0 {
                supplicant multiple;
                reauthentication 3600;
            }
            ge-0/0/6.0 {
                supplicant multiple;
                reauthentication 3600;
            }
            ge-0/0/7.0 {
                supplicant multiple;
                reauthentication 3600;
            }
            ge-0/0/8.0 {
                supplicant multiple;
                reauthentication 3600;
            }
            ge-0/0/9.0 {
                supplicant multiple;
                reauthentication 3600;
            }
            ge-0/0/10.0 {
                supplicant multiple;
                reauthentication 3600;
            }
            ge-0/0/11.0 {
                supplicant multiple;
                reauthentication 3600;
            }
        }
    }
}

 

And that's my filter:

 

filter filter1 {
    term term1 {
        from {
            source-address {
                0.0.0.0/32;
            }
            destination-address {
                255.255.255.255/32;
            }
            protocol udp;
            source-port 68;
            destination-port 67;
        }
        then accept;
    }
    term term2 {
        from {
            protocol udp;
            source-port [ 67 68 ];
            destination-port [ 67 68 ];
        }
        then accept;
    }
}

 

Has anybody tried something similar and could help me out? I would be very grateful. I spent hours searching the examples and wiki sites but I can't manage to find the solution.
