Channel: Ethernet Switching topics

Performance issues with Juniper EX4300MP


Hello,

 

I'm attempting to replace a Catalyst 3650 with a Juniper EX4300-48MP, but severe performance issues are plaguing the VM host connected to the Juniper switch.

 

Network configuration:

- The core consists of two Catalyst 4500X in VSS and the Juniper is connected to it with 4 10G uplinks (two to each 4500X)

Config of the 4 10G ports on the Catalyst 4500X side:

switchport mode trunk
switchport nonegotiate
speed nonegotiate
channel-group 111 mode active 

 

Ports config on the Juniper EX4300-48MP side:

xe-0/2/0 {
    ether-options {
        802.3ad ae1;
    }
}
xe-0/2/1 {
    ether-options {
        802.3ad ae1;
    }
}
xe-0/2/2 {
    ether-options {
        802.3ad ae1;
    }
}
xe-0/2/3 {
    ether-options {
        802.3ad ae1;
    }
}

LAG config:

ae1 {
    description "LAG to Cisco";
    native-vlan-id 1;
    aggregated-ether-options {
        lacp {
            active;
        }
    }
}

 

LAG config on the Juniper EX4300-48MP for the VM host:

ae2 {
    description "LAG to VM Host2";
    native-vlan-id 1;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members all;
            }
        }
    }
}

 

For a few hours it appears all is good, but then performance gradually declines to the point that even a few ICMP packets per minute are dropped.

VMware and Juniper support are telling me the configuration is fine on both ends.

Any suggestions would be greatly appreciated.


Issues connecting two different vlans through SRX


Hello community

 

Could you help me with an issue with the connectivity between two VLANs connected through an SRX? I am connecting two different VLANs (90 and 190) through an SRX; VLAN 90 is connected to an Asterisk server and VLAN 190 is connected to IP phones. Voice VLAN is configured on the switch where the IP phones are connected. For testing purposes, the policies enabled for these services allow all traffic in both directions, and host inbound traffic is enabled for all services. Phones are registered for a while, and after a period of time all phones are disconnected and connectivity is lost; note that locally, inside VLAN 90 only, connectivity continues.

The configuration applied is:

policy PL_VOIP_TO_PHONE {
    match {
        source-address ADD_VOIP_SERVER;
        destination-address ADD_LAN_VOIP;
        application any;
    }
    then {
        permit;
        log {
            session-close;
        }
    }
}


policy PL_VOIP_COMGSP {
    match {
        source-address ADD_LAN_VOIP;
        destination-address ADD_VOIP_SERVER;
        application any;
    }
    then {
        permit;
        log {
            session-close;
        }
    }
}

security-zone SZ_LAN_COMGSP {
    interfaces {
        ae1.110 {
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                    dhcp;
                }
            }
        }
        ae1.190 {
            host-inbound-traffic {
                system-services {
                    all;
                    ping;
                    dhcp;
                    traceroute;
                    ntp;
                    ftp;
                    tftp;
                    http;
                    https;
                }                       
            }
        }
    }
    application-tracking;
}

security-zone SZ_SERVICIOS_INTERNOS {
    interfaces {
        ae0.105 {
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
            }
        }
        ae0.90 {
            host-inbound-traffic {
                system-services {
                    all;                
                    ping;
                    traceroute;
                    dhcp;
                    ntp;
                    ftp;
                    tftp;
                }
            }
        }
    }
    application-tracking;
}

 

Best regards

 

Karlink

 

EX 4300 many to many mirroring


I have a requirement for many-to-many port mirroring to run a CC setup on Juniper EX 4300.

Is it possible to achieve this?

I tried a couple of options, but none of them has given satisfactory input.

 

 

EX4500 dropping packets, will EX4600 do the same thing?


When we got our new servers up and running last September we ended up with a Veeam problem during replication. I ended up opening tickets with Veeam and VMware since replication data gets pushed through the ESXi management interface. After two months of pulling logs, analyzing running jobs, and other troubleshooting steps we found the culprit: it is the EX4500. With our old Bladecenter and old Veeam proxy server only so much data was pumped through the EX4500. With the new servers and especially the new Veeam proxy server (2 CPUs with 16 cores each for a total of 32 cores), the amount of data we were pumping through the EX4500 increased significantly during replication. The EX4500 was dropping a lot of packets, so many that the connection through the ESXi management interface during replication was interrupted. The Veeam replication job would simply bomb.

The workaround is simple. Within the Veeam software you can tell it the max concurrent tasks. Best practice is to make this the number of cores available. We had "Max concurrent tasks" set to 32 since the new Veeam proxy server has 32 cores. We ended up lowering it to 10 so we were not overwhelming the EX4500.

The big question is: will the EX4600 exhibit the same behavior? I am not sure if this is dictated by the buffer on the switch, the CPU the switch uses, or other characteristics of the switch.

 

Any idea if the EX4600 will be better able to handle this flood of data across a 10gig connection when replication jobs run?

push tag with l3 interface on client's QnQ

---------------             ---------------         ---------
+             +   xe-0/0/41 +             +   100G  +       +
+   3750x-48  +-------------+ qfx5110-48s +---------+ mx204 +
+             +             +             +         +       +
---------------             ---------------         ---------
      |                           |xe-0/0/1
      |                           |
      |                           |
  client qnq                  client qnq

Can the QFX or MX push a tag with an L3 interface (for BGP) into the client's QnQ? For now we could configure BGP on the mx204 in the native VLAN only.
The client has QnQ between the 10G ports on the 3750x and qfx5110.

 

QFX:

### client port ###

interfaces {
    xe-0/0/1 {

        flexible-vlan-tagging;
        mtu 9216;
        encapsulation extended-vlan-bridge;
        unit 0 {
            vlan-id-list 1-4094;
            input-vlan-map push;
            output-vlan-map pop;
        }
    }
}

### vlans conf ###

vlans {
    vl311 {
        interface xe-0/0/41.311;
        interface xe-0/0/1.0;

        interface et-0/0/48.311;
    }
}

### port to mx204 ###

interfaces {
    et-0/0/48 {

        flexible-vlan-tagging;
        mtu 9216;
        encapsulation flexible-ethernet-services;
        unit 311 {
            encapsulation vlan-bridge;
            vlan-id 311;
        }
    }
}

MX204:

interfaces {
    et-0/0/0 {
        flexible-vlan-tagging;
        mtu 9216;
        encapsulation flexible-ethernet-services;
        gigether-options {
            no-flow-control;
        }
        unit 311 {
            vlan-id 311;
            family inet {
                address 10.10.10.1/31;
            }
        }
    }
}

 

Persistent Mac Learning - Junos requirements


Hello all you wonderful people!

 

I'm having to try to configure persistent MAC learning on my EX3300 switches and, well, I'm not sure the Junos I am currently running supports it (or I just can't find the right command). We are currently running [12.3R9.4], and when I try to enter the set interface {interface number} mac-limit command I don't have mac-limit as an option.

It appears that it should be available, but I can't configure it.

 

So is this something that has to be configured on the SRX router, not the EX switch?

 

And yes - I am *very* confused.

 

Thanks in advance!

 

Lirria

QFX5100 port lockup


Hi!

We have a few QFX5100s and in one of them four ports do not accept QSFP+ DAC cables (and probably not fiber QSFP+ modules) right now. The ports in question are et-0/0/16 to 19. We could reboot the switch and the ports would probably come up, but as this is a production switch, we'd like to explore other options first. I suspect that the QFX5100-24Q has its physical ports divided into port groups where a certain number of ports share some hardware, like a PHY or MAC chip. Reading up on the matter, I see that the QFX10k 36Q has its ports in groups of three, as do lots of other 40/100 G switches. In a deep dive PDF about the QFX5100, I read that the 24Q version can channelize ports 4 to 24, not 0-3. That makes me think that this model has ports grouped in groups of four. That would align with ports 16-19 that we're having problems with. Does anyone know if this is indeed so, and can this common piece of hardware (4-port MAC/PHY/whatever) be reset without too much risk of upsetting the rest of the system?

 

I have seen a similar scenario in an Avaya VSP9k where ports were divided in groups of 8 and each group consisted of two lanes with 4 ports each. One lane (ports 21-24) locked up and caused a massive traffic storm as the combined MC-LAG ICL/ICCP link (called IST in Avaya's SMLT terminology) was on ports 23 and 24.

From other vendors (Avaya, Extreme, Cisco and others) I know port groups exist, but I seem to be unable to find info on the QFX5100-24Q in that regard. Can anyone help?

 

/Fredrik

Recommended replacement switches


We have a VC consisting of 2 x EX4200-48t and 2 x EX4500-40f.

What would be considered replacement hardware for this chassis?

Thanks


EX4300 XSTP : Interface error after Junos upgrade


Hi,

Recently we upgraded Junos on an EX4300 Virtual Chassis. After the upgrade we saw the error below.

 

speed 100m;
##
## Warning: statement ignored: unsupported platform (ex4300-48p)
##
link-mode full-duplex;
unit 0 {
family inet {
address 10.10.1.20/30;

 

I tried to delete --> link-mode full-duplex; but I am getting the error below. Please suggest how to fix it.

 

Core-Switch# run show configuration |display set |match ge-0/0/45
set interfaces ge-0/0/45 speed 100m
set interfaces ge-0/0/45 link-mode full-duplex
set interfaces ge-0/0/45 unit 0 family inet address 10.10.1.20/30
set protocols ospf area 0.0.0.0 interface ge-0/0/45.0 bfd-liveness-detection minimum-interval 200
set protocols ospf area 0.0.0.0 interface ge-0/0/45.0 bfd-liveness-detection multiplier 3

{master:0}[edit]
Core-Switch# delete interfaces ge-0/0/45 link-mode full-duplex

{master:0}[edit]
Core-Switch# commit check
[edit protocols]
'ospf'
warning: requires 'ospf2' license
[edit protocols ospf area 0.0.0.0 interface ge-0/0/46.0]
'bfd-liveness-detection'
warning: requires 'bfd-liveness-detection' license
[edit protocols rstp]
'interface'
XSTP : Interface ge-0/0/45 is not enabled for Ethernet Switching
error: configuration check-out failed

 

Regards,

Np

Juniper-Switching-Filter VSA limit


Hello, we are trying to implement dynamic firewall filters on an EX via RADIUS VSA with the attribute Juniper-Switching-Filter. It is working fine on our EX2300 switches as long as the attribute value length does not exceed 253 characters. How can we send longer rules?

Issues in SRX340 connecting IP phones with Asterisk server


Hello community:

 

First, I would like to explain the topology I have in my office. I have one SRX340 configured with two aggregated Ethernet links, ae0 and ae1. With VLAN 90 on interface ae0 (ae0.90) I have connected a Virtual Chassis with 2 EX2200 to connect servers (my Asterisk). With VLAN 190 on interface ae1 (ae1.190) I have connected another Virtual Chassis with 2 EX2200 to connect endpoints and IP phones. The two interfaces are assigned to two different zones. On the SRX, there are policies in both directions to allow all traffic, and ALGs (SIP and TFTP) are disabled. Service works perfectly for a period of time, but without any reason the IP phones are disconnected and VLAN 190 loses connectivity to the server. When connectivity is lost, the IP and MAC address of the Asterisk server disappear from the ARP table, while the IP addresses of the phones are always in the table. MAC addresses of the server and IP phones are learned on the switches. A DHCP server with options 66 and 150 is configured on the SRX, and voice VLAN is configured on the switches.

Do you have any recommendations? Or maybe any traceoption I can enable to see further details?

 

Best regards

Karlink

 

Any recommendations

ex-3400 on 18.4R2.S2 no mac on SFP-t


We PoC'ed these boxes and the SFP-T worked fine for 100mb connections, but that was on 15 code. The switches we just ordered were on 18.2 code when they shipped, I think. I have tried 18.4R1.s4 and the 18.4R2.S2.

The SFP works fine on a 1G connection; on 100mb the auto is full/100 but I do not see a MAC.

The SFP works fine on the ex-2200 and, again, on the PoC of the EX3400 we did about 8 months ago, which was on 15.x.

Does anybody know an 18 code that fixes this?

Port is never up on my juniper.


Hi guys,

 

I have one problem with the EX 2300 24T series switch. Today I bought a Card Access Controller for my company. But when I connect it to my Juniper EX 2300 24T series switch, the Card Access Controller port never comes up. However, when I put a hub between the switch and the card, the connection is up. How can I fix this problem? The Card Access Controller is running VLAN 1 and my Juniper switch has a default configuration. The card model is a Gallagher Cardax 3000.

Thank you for your help.

 

Traffic flow in vlans


 

Ethernet.png

 

Switch - Left Side

1. Switch is root for vlan 1701 and 1419

2. Cost

    interface xe-0/0/4 vlan 1701 cost 2000

    interface xe-0/0/4 vlan 1419 cost 2000

    interface xe-0/0/5 vlan  1419 cost 2000

    interface ae0 vlan 1419 cost 1

    interface ae0 vlan 1701 cost 1000

 

When traffic comes into the EX 4550 on the left, it arrives on interface xe-0/0/2, which is in vlan 1701.

1. vlan 1701 is configured on interface xe-0/0/4 (cost 2000) and it is also passed through ae0.0 (cost 1000), which is a trunk

As per my understanding, when traffic comes into the switch on interface xe-0/0/2, which is in vlan 1701, it passes out through ae0.0 as its cost is lower than what is configured on xe-0/0/4. Is my understanding correct? Or does it pass through interface xe-0/0/4 to the packet shaper, with traffic received on interface xe-0/0/3 on vlan 1419 and then passed through ae0.0?

                       

 

Cannot upgrade J-Web on EX4600


We have a stack of two EX4600 switches that form the core of our network. They were running Junos 17.3R3-S3.3. Every time we logged into J-Web an error message came up:

"Unable to check for J-Web application package. Please check internet settings at your desktop"

When we upgraded to this version of Junos months ago we had to download J-Web and install it via the command line. We just upgraded to Junos 18.1R3-S6.1, which is the current JTAC recommended version. The upgrade went very smoothly. After the upgrade was completed I logged into the J-Web interface and was hit with the message that I should download J-Web and install it. As you can see by the screenshot below it is not working. The "Checking Internet connectivity in device" has been spinning for 10 minutes. How can I fix this issue? What can I look for in the EX4600 config to indicate it has Internet connectivity? When I went to the command line of the EX4600 and issued a ping www.gm.com it worked fine.

 

J-Web.png


ip source guard without dhcp snooping?


Hello,

I have 20x Juniper EX4200-48P and about ~400 devices connected to them. I want to use IP source guard to prevent IP spoofing in my network because most of my users are sending attacks to outside of my network.

I know IP source guard needs DHCP snooping, but for some reasons I cannot use DHCP servers in my network because I assigned IPs to my users manually.

So:

1. If I want to use IP source guard, should I use a DHCP server, and should all of my users get their IPs from DHCP?

2. Is there any way to use IP source guard without DHCP snooping, with other tables for checking IPs, ARP, MAC, ...?

3. Do you have any other suggestions for preventing IP spoofing?

On some of my switches I am using firewall access lists and applying them to the switch port that is sending attacks towards the internet, and in this case I can save myself from IP spoofing, but managing IP access lists for 400 servers is really hard, so I am looking for a better way.

 

Thank you.

RSTP block specific port


Hi all,

 

First of all, sorry about my English.

 

I've a network with 3 EX4300 and 2 Mikrotiks that are distributed in a ring topology:

J1-----------J2(root)------J3---Mikrotik1---Mikrotik2----J1

 

so 1 link should be blocked by RSTP. The issue I'm having is that, although I've increased the port cost on the port between J4 and Mikrotik1, RSTP is blocking the interface between J1 and Mikrotik2.

J1 rstp conf

root@J1_203> show spanning-tree bridge
STP bridge parameters
Routing instance name : GLOBAL
Context ID : 0
Enabled protocol : RSTP
Root ID : 16384.80:ac:ac:b0:db:00
Root cost : 10000
Root port : ae0
Hello time : 2 seconds
Maximum age : 20 seconds
Forward delay : 15 seconds
Message age : 1
Number of topology changes : 1
Time since last topology change : 10015 seconds
Local parameters
Bridge ID : 32768.c0:42:d0:0a:07:c0
Extended system ID : 0

{master:1}
root@J1_203> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated    Designated            Port     State  Role
                        port ID       bridge ID             Cost
ae0          128:3      128:3         16384.80acacb0db00    10000    FWD    ROOT
ge-1/2/2     128:544    128:544       32768.c042d00a07c0    12000    BLK    DIS   ---> CONNECTED TO MIKROTIK1

 

J2 rstp conf  (ROOT)

 

root@J2_206> show spanning-tree bridge
STP bridge parameters
Routing instance name : GLOBAL
Context ID : 0
Enabled protocol : RSTP
Root ID : 16384.80:ac:ac:b0:db:00
Hello time : 2 seconds
Maximum age : 20 seconds
Forward delay : 15 seconds
Message age : 0
Number of topology changes : 47
Time since last topology change : 331 seconds
Local parameters
Bridge ID : 16384.80:ac:ac:b0:db:00
Extended system ID : 0

{master:1}
root@J2_206> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated    Designated            Port     State  Role
                        port ID       bridge ID             Cost
ae0          128:3      128:3         16384.80acacb0db00    10000    FWD    DESG
ae1          128:4      128:4         16384.80acacb0db00    10000    FWD    DESG


root@J2_206> show lldp neighbors
Local Interface Parent Interface Chassis Id Port info System Name


ge-0/2/0 ae0 c0:42:d0:09:83:e0 LA 006_sw_NodoCentral_UCO_206 006_sw_J1_203
ge-0/2/1 ae1 c0:42:d0:09:f7:c0 LA 006_sw_NodoCentral_UCO_206 006_sw_J3_214

 

J3 rstp conf

 

root@006_sw_J3_214> show spanning-tree bridge
STP bridge parameters
Routing instance name : GLOBAL
Context ID : 0
Enabled protocol : RSTP
Root ID : 16384.80:ac:ac:b0:db:00
Root cost : 10000
Root port : ae0
Hello time : 2 seconds
Maximum age : 20 seconds
Forward delay : 15 seconds
Message age : 1
Number of topology changes : 4
Time since last topology change : 602 seconds
Local parameters
Bridge ID : 32768.c0:42:d0:0a:ef:80
Extended system ID : 0

{master:0}
root@006_sw_J3_214> show lldp neighbors
Local Interface Parent Interface Chassis Id Port info System Name

ge-0/2/0 ae0 80:ac:ac:b0:6d:80 LA 006_sw_J2_206


{master:0}
root@006_sw_J3_214> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated    Designated            Port     State  Role
                        port ID       bridge ID             Cost
ae0          128:3      128:4         16384.80acacb0db00    10000    FWD    ROOT
ge-0/0/0     128:490    128:490       32768.c042d00aef80    200000   FWD    DESG
ge-1/2/3     128:552    128:552       32768.c042d00aef80    100000   FWD    DESG  --- PORT MIKROTIK 2

 

     

On the J3 switch I've increased the port cost to 100k, but it still continues in FWD mode.

Could you help me change the ge-1/2/3 interface on the J3 switch to be the blocked port instead of ge-1/2/2 on the J1 switch?

 

Thanks in advance

Manuel                                  

                                          

 

 

How to convert a switch port to act like a hub?


I have EX 4300 switches and have a requirement to convert a couple of ports to act like a hub (i.e. all the traffic needs to be broadcast) for connecting a couple of voice recorders.

AFAIK, no-mac-learning may be the knob to use.

Can anyone confirm this?

Juniper EX2300 - JWEB not working and Connections


Hi there

We have a stack of 2 Juniper EX2300 48p switches and for some reason JWEB will not load. I have tried several browsers and networks but to no avail. SSH, however, does work.

Also, I have been noticing that connections to not only these switches but others will work and all of a sudden don't. Case in point: this morning I had a Mitel VoIP phone connected fine, and the same point would not connect a laptop. Once I moved to a different port it worked. Any idea on how to fix this? Thanks!

IP fabric with EVPN/VXLAN: uplink failure


Hello,

 

I was wondering what would happen if all the uplinks to the spines go down on a leaf in a spine-leaf topology. I was happy to see that the access interfaces configured with ESIs all went down after the BFD timer for the overlay BGP expired.

 

Still, I was wondering if that is the expected behaviour since I couldn't find any related doc, and I would also like to know if there is a way to control it.

 

Thanks, and best regards, 

 

Pablo
