Thank you for your reply lyndidon, but I'm trying on only one switch.
Re: RVI in Private VLAN on EX3400
Re: CPU Clock Component Issue on Affected Juniper Devices (Intel Atom C2000 Faulty)
The official note is TSB17030 - https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17030&smlogin=true&actp=search
The products affected:
MPC7E-10G
MPC7E-MRATE
MX2K-MPC8E
MX2K-MPC9E
EX9200-12QS
EX9200-40Xs
FPC3-PTX-U2
FPC3-PTX-U3
FPC3-SFF-PTX-U1
CB2-PTX
PTX-IPLC-B-32
PTX-ILA-M-AC
PTX-ILA-M-CHAS
The only switching products affected are the latest modules for the EX9200, which have not been out long enough to even get near the time period for potential failure. Juniper is addressing this whole situation, a lot more customer-centric than Cisco for sure.
Re: CPU Clock Component Issue on Affected Juniper Devices (Intel Atom C2000 Faulty)
That is super news!! Good to hear!!
Re: RVI in Private VLAN on EX3400
OK, I see. Could you show this output?
show vlans klient1 extensive
One thing I would like to see from your test:
Remove or deactivate the IRB, then ping host 1 on klient1 from a host on klient2.
Activate the IRB and repeat the same. I am really more curious now about this ELS. I don't have any such systems to test, so I have to rely on the efforts of you and others with such experience.
Re: RVI in Private VLAN on EX3400
I found this for the EX4300, whose syntax should be the same as that for the EX3400. This is without IRB, but at least this should help you get the L2 PVLAN stuff set up right, if the other posting is accurate:
https://forums.juniper.net/t5/Ethernet-Switching/PVLAN-on-EX4300/m-p/283272
I'd like to know if you are using similar config or not.
Re: RVI in Private VLAN on EX3400
I have already checked it. Without an L3 IRB interface on the primary VLAN, devices in different communities don't see each other. The thing is that I need routing between community VLANs.
I have a VC of EX3400s. Feature Explorer says that it supports IRB on PVLAN, but the manual says it doesn't support RVI on PVLAN.
Junos allows me to configure an IRB on the PVLAN, but it doesn't work. Broadcast ARP requests get from the switch to the hosts, but no answer comes back to the switch.
Output drops on ex3300/ex4200 after upgrading to 15.1R5.5
Hi J-Net. After upgrading several of our EX3300/4200 chassis, we've got increasing output drops on "ge" interfaces.
user@switch> show interfaces ge-0/0/25 extensive | match Drops:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0,
Carrier transitions: 0, Errors: 0, Drops: 2195782, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0,
So far I can't see any impact caused by those drops, but our Zabbix started to complain a lot. Has anyone had the same "issues", or can it just be ignored? (I haven't found such behavior in the Release Notes.)
Re: CPU Clock Component Issue on Affected Juniper Devices (Intel Atom C2000 Faulty)
Yeah, Intel really messed up on this one. Cisco had the misfortune to use this chip on a LOT of devices. Luckily for us Juniper only had this on a limited set.
Still waiting for the other shoe to drop with all the other major vendors as they sort out where they used this chip and if the design hits the bug.
Re: Output drops on ex3300/ex4200 after upgrading to 15.1R5.5
There are 12 open PRs for 15.1R5.5 with drop conditions listed.
I would check to see if your configuration usage matches any of these known issues. None of them are cosmetic; they are actual traffic drops.
If you don't seem to match an existing PR, I would open a JTAC ticket and have the issue investigated.
Re: Remote port mirror configuration for JUNIPER EX-switch and Cisco switch
It is unbelievable how many restrictions there are in Juniper compared to Cisco:
- EX4300: RSPAN VLAN destination is supported, but traffic is sent out on only _one_ interface. Which one is not deterministic. The RSPAN VLAN is NOT flooded to all ports.
- EX4200: RSPAN VLAN destination is supported, but not on aggregated Ethernet.
- EX4300/EX4200: Even in a VLAN configured with no-mac-learning (all show commands show "mac * -> Flood", no MAC addresses, and so on): if a second port receives a frame with the same MAC address, only one of the two frames is forwarded! *)
- EX4300 (the EX4200 can have only one active analyzer!): Two analyzers cannot have the same destination VLAN. Why not? Not the same port might make sense, but VLAN?
- EX4300: The destination option "no-tag" is only possible on a destination VLAN? What's that for? It would be reasonable if it stripped the inner VLAN tag, but it strips the outer (the RSPAN) tag! IMHO this is just a bug. Having no-tag would be a great option on a destination interface!
- Still (up to current releases) there is that typo: "Removes extra RSAPN tag from mirrored packets". Or do I just not understand what an RSAPN tag is?
*) Scenario: host X is sending to upstreams A and B. Port mirror on the links to A and B because we want to prove that it is sent out! If A and B are on two different switches, you will see only one stream on the destination switch for the RSPAN VLAN.
I've been working hard for 4 weeks now to find a suitable concept to permanently mirror my platform and feed that into our traffic analyzer as we did with the Ciscos before. I'm considering reinstalling the Ciscos for the mirror traffic distribution. Can that be?
br
Walter
Re: RVI in Private VLAN on EX3400
Sorry, very confused by your latest statements. If you want routing/communication between the communities, why are you using PVLAN in the first place? Is the idea that communities can only talk to each other once they hit some security point, like say a FW?
What is the subnet mask associated with the IRB, and what is the subnet mask of the communities? Does a community know it needs to route (from an IP perspective) if it is trying to reach a different community?
Trying to figure out the big-picture requirement, not just if IRB works with PVLAN . . .
vQFX10k 15.1X53-D60 3 BUGS on MC-LAG (one fatal) :(
1. Parser bug for redundancy-group
Unlike the QFX5k, the vQFX10k needs the redundancy-group and redundancy-group-list settings.
If omitted, you get a cryptic commit error:
error: Failed Reading Default configuration database:
error: configuration check-out failed
so you need to set:
set protocols iccp peer <peer-ip> redundancy-group-id-list 1
and then, if you have any MC-LAGs configured, do:
set interfaces aeX aggregated-ether-options mc-ae redundancy-group 1
BUT on vQFX10k ....
{master:0}[edit]
lab@QFX53# set interfaces ae4 aggregated-ether-options mc-ae ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
chassis-id Chassis id of MC-AE network device (0..1)
enhanced-convergence Optimized convergence time for mcae
> events MCAE related events
init-delay-time Init delay timer for mcae sm for min traffic loss
mc-ae-id MC-AE group id (1..65535)
mode Mode of the MC-AE
recovery-delay-time Delay timer for bringing up ICL, ICCP (1..6000 seconds)
revert-time Wait interval before performing switchover (1..10 minute)
status-control Status of the MC-AE chassis
switchover-mode Switch over mode
but you can configure it (you have to type in the full parameter, no autocompletion):
lab@QFX53# show interfaces ae4
##
## inactive: interfaces ae4
##
mtu 2000;
aggregated-ether-options {
lacp {
passive;
system-id 55:55:55:55:55:55;
admin-key 4;
}
mc-ae {
mc-ae-id 4;
redundancy-group 4;
chassis-id 0;
mode active-active;
status-control active;
}
}
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members [ V100 V150 V200 V250 ];
}
}
}
2. Bug in show multi-chassis mc-lag configuration-consistency
Even though ICCP and multi-chassis protection are OK:
show iccp
Redundancy Group Information for peer 10.53.54.54
TCP Connection : Established
Liveliness Detection : Up
Backup liveness peer status: Up
Redundancy Group ID Status
4 Up
Client Application: lacpd
Redundancy Group IDs Joined: None
Client Application: mclag_cfgchkd
Redundancy Group IDs Joined: 4
Client Application: MCSNOOPD
Redundancy Group IDs Joined: None
Client Application: l2ald_iccpd_client
Redundancy Group IDs Joined: None
the command does NOT show any remote information:
lab@QFX53> show multi-chassis mc-lag configuration-consistency
Configuration Item Enforcement Level Local Value Peer Value Result
------------------ ----------------- ----------- ---------- -------
service-id Mandatory 1 -- PASS
session-establishment-hold-time Mandatory 300 -- PASS
local-ip-addr Mandatory 10.53.54.53 -- PASS
backup-liveness-detection Mandatory 192.168.254.154 -- PASS
iccp/bfd multiplier Mandatory 3 -- PASS
bfd minimum-interval Mandatory 1000 -- PASS
session-establishment-hold-time Mandatory 50 -- PASS
Local Physical Interface:xe-0/0/3
Configuration Item Enforcement Level Local Value Peer Value Result
------------------ ----------------- ----------- ---------- -------
mtu Mandatory 2000 -- PASS
...
3. And the most cumbersome bug:
When activating the ae3 (inactive config, see above), after 10 seconds all xe interfaces are gone and invisible!!!!
lab@QFX53> edit
Entering configuration mode
{master:0}[edit]
lab@QFX53# activate interfaces ae4
{master:0}[edit]
lab@QFX53# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode
{master:0}
lab@QFX53>
{master:0}
lab@QFX53> show interfaces terse
Interface Admin Link Proto Local Remote
gr-0/0/0 up up
ae0 up down
ae0.0 up down eth-switch
ae4 up down
ae4.0 up down eth-switch
bme0 up up
bme0.0 up up inet 128.0.0.1/2
128.0.0.4/2
128.0.0.16/2
128.0.0.63/2
cbp0 up up
dsc up up
em0 up up
em0.0 up up inet 192.168.254.153/24
em1 up up
em1.0 up up inet 169.254.0.2/24
em2 up up
em2.32768 up up inet 192.168.1.2/24
em3 up up
em4 up up
em5 up up
em6 up up
em7 up up
em8 up up
em9 up up
esi up up
gre up up
ipip up up
irb up up
irb.599 up down inet 10.53.54.53/24
lo0 up up
lo0.0 up up inet 10.0.0.53 --> 0/0
inet6 fe80::250:560f:fca4:5e7e
lo0.16385 up up inet
lsi up up
mtun up up
pimd up up
pime up up
pip0 up up
tap up up
vme up down
vtep up up
vtep.32768 up up
{master:0}
The logfile is attached.
To get the interfaces back, you need to deactivate the mc-ae config part, and then the interfaces are back:
{master:0}[edit interfaces ae4]
lab@QFX53# deactivate aggregated-ether-options mc-ae
lab@QFX53# commit and-quit
Message from syslogd@QFX53 at Feb 20 14:24:21 ...
QFX53 olive-ultimat.elf: SCHED: Thread 28 (cmqfx_pseudo) aborted, hogged 3193 ms
configuration check succeeds
commit complete
Exiting configuration mode
{master:0}
lab@QFX53> show interfaces terse
Interface Admin Link Proto Local Remote
gr-0/0/0 up up
pfe-0/0/0 up up
pfe-0/0/0.16383 up up inet
inet6
pfh-0/0/0 up up
pfh-0/0/0.16383 up up inet
pfh-0/0/0.16384 up up inet
xe-0/0/0 up down
xe-0/0/0.0 up down inet 10.51.53.53/24
xe-0/0/1 up down
xe-0/0/1.0 up down inet 10.52.53.53/24
xe-0/0/2 up down
xe-0/0/2.0 up down aenet --> ae0.0
....
with best regards
Alexander
PPPoE through flexible-ethernet-services
Hi all,
I need some guidance here. Here is my setup:
PPPoE Client Router ----> SW1 -----> R1 ------> R2-BRAS
I want to use the BRAS at R2 to terminate my PPPoE session from the PPPoE client router.
The client router connects to SW1 on an access port with VLAN ID 4004. Then the VLAN is bridged as a bridge domain all the way to the BRAS. The thing is, I am not sure how to terminate this VLAN on the BRAS so it can get PPPoE services, and the link from R1 to R2-BRAS is not trunked but rather uses flexible-ethernet-services with VLAN bridges.
R1 and R2-BRAS are MX series routers.
Let me know if I am not making any sense and I will elaborate some more.
Thanks
Dot1x / MAC-Based Authentication issues on a EX2200 with 100BaseEthernet Devices
Hi everybody,
I have some issues with 100BaseEthernet devices on an EX2200 with MAC-based security activated on specific ports.
When I connect a device with 100Mbit Ethernet to a dot1x port, the device MAC does not get authenticated. The authenticator on the switch stays in "Connecting":
Interface      Role           State
ge-0/0/34.0    Authenticator  Connecting
The switch has the latest firmware (JTAC recommended) installed: 15.1R5.5
I can reproduce this behavior with some other 100Mbit devices. 1Gbit devices get authenticated without any issues.
Thank you in advance.
P.S.: Sorry for my writing but English is not my first language.
SSH Access External
Seeing a lot of SSH attempts from China on my external interface (EX2200).
I have root login denied, but I don't even want to see them trying...
Trying to set up a firewall filter and not having much luck. What am I doing wrong?
Removed some of the config, of course... thanks.
Using this doc....
Here is my config - removed private items of course... IPs are not really relevant - it won't let me commit this filter to lo0
-------------------------------------------------------------------------------------------------------
root@iswitch# run show configuration | display set
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members INTERNET
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members INTERNET
set interfaces ge-0/1/0 description "to Internet"
set interfaces ge-0/1/0 ether-options no-auto-negotiation
set interfaces ge-0/1/0 ether-options link-mode full-duplex
set interfaces ge-0/1/0 ether-options speed 1g
set interfaces ge-0/1/0 unit 0 family inet address x.x.x.x/x - ISP assigned IP
set interfaces vlan unit 71 family inet address x.x.x.x/x - our external IP
set routing-options static route 0.0.0.0/0 next-hop x.x.x.x - external ISP IP
set routing-options static route x.x.x.x next-hop x.x.x.x (internal routing)
(added this per doc linked above)
set firewall family inet filter local_acl term terminal_access from source-address x.x.x.x/x (internal range)
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access from port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied from port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept
set interfaces lo0 unit 0 family inet filter input local_acl
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
(end added per doc above)
set ethernet-switching-options storm-control interface all
set vlans INTERNET vlan-id 71
set vlans INTERNET l3-interface vlan.71
-------------------------------------------------------------------------------------------------------
Commit and I get this... Remove log and it fails as well and doesn't like reject.... Tried discard and it doesn't like that either...
root@iswitch# commit check
[edit interfaces lo0 unit 0 family inet]
'filter'
Referenced filter 'local_acl' can not be used as log not supported on ingress loopback interface
error: configuration check-out failed
Thanks
Re: SSH Access External
I think you need to apply this to the interface where the IP address is located.
set interfaces ge-0/1/0 unit 0 family inet filter input local_acl
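The commit check quoted in the question objects to the `log` action on an lo0 input filter. The following is an added example of the same filter rewritten without it; it is editor-written, not code from either poster. It counts instead of logging, uses `discard` rather than `reject` (EX2200 filters support accept and discard as terminating actions), and matches on `destination-port` rather than `port`, because `from port` matches either the source or the destination port and would also be satisfied by a packet whose source port happens to be 22. The internal range 10.0.0.0/8, the filter name PROTECT-RE, the counter name and the connection/rate limits are assumptions, not values from the page; the root-login deny is the setting the poster says is already in place.

```junos
# Added example, not from the original post. 10.0.0.0/8 stands in for the
# poster's internal range; PROTECT-RE, mgmt-deny-hits and the limits are assumed.
set firewall family inet filter PROTECT-RE term mgmt-allow from source-address 10.0.0.0/8
set firewall family inet filter PROTECT-RE term mgmt-allow from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt-allow from destination-port ssh
set firewall family inet filter PROTECT-RE term mgmt-allow then accept
set firewall family inet filter PROTECT-RE term mgmt-deny from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt-deny from destination-port [ ssh telnet ]
set firewall family inet filter PROTECT-RE term mgmt-deny then count mgmt-deny-hits
set firewall family inet filter PROTECT-RE term mgmt-deny then discard
set firewall family inet filter PROTECT-RE term default-term then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 5
```

Keep the trailing `default-term then accept`: a loopback filter ends in an implicit discard, so without it everything else the Routing Engine needs (routing protocol hellos, DHCP, SNMP, the return half of the switch's own sessions) would be dropped along with the scanners. Telnet is dropped from everywhere on purpose; rather than adding it to mgmt-allow, leave `system services telnet` unconfigured. After the commit, `show firewall filter PROTECT-RE` shows the mgmt-deny-hits counter climbing while the scanners probe; because the packets are discarded before sshd sees them, they no longer appear in `show log messages`. If the filter is applied on ge-0/1/0 as the reply suggests instead of on lo0, the same terms apply to transit traffic through that interface as well, which the final accept leaves untouched.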
Ex4600 'Error in: SBUS transaction.'
Hi all,
Not able to find much on this one, but I am seeing recurring log entries on one member of a 2-node EX4600 chassis.
Any help would be great.
Log as follows:
Feb 23 09:57:38 swi-02 fpc1 LBCM-L2,pfe_bcm_l2_mac_add(),702:same mac entry
Feb 23 09:57:38 swi-02 fpc1 LBCM-L2,pfe_bcm_l2_mac_add(),690:modid 1 port 0 is_lag_port 1 flags 0x10cc0 trunk_id 1 port 0
Feb 23 09:57:38 swi-02 fpc1 LBCM-L2,pfe_bcm_l2_mac_add(),702:same mac entry
Feb 23 09:57:38 swi-02 fpc1 LBCM-L2,pfe_bcm_l2_mac_add(),690:modid 1 port 0 is_lag_port 1 flags 0x108c0 trunk_id 1 port 0
Feb 23 09:57:38 swi-02 fpc1 LBCM-L2,pfe_bcm_l2_mac_add(),702:same mac entry
Feb 23 09:57:38 swi-02 fpc1 LBCM-L2,pfe_bcm_l2_mac_add(),690:modid 1 port 0 is_lag_port 1 flags 0x108c0 trunk_id 1 port 0
Feb 23 09:57:38 swi-02 fpc1 LBCM-L2,pfe_bcm_l2_mac_add(),702:same mac entry
Feb 23 09:57:38 swi-02 fpc1 LBCM-L2,pfe_bcm_l2_mac_add(),690:modid 1 port 0 is_lag_port 1 flags 0x10cc0 trunk_id 1 port 0
Feb 23 09:57:38 swi-02 fpc1 LBCM-L2,pfe_bcm_l2_mac_add(),702:same mac entry
Feb 23 09:59:04 swi-02 fpc1 LBCM-L2,pfe_bcm_l2_mac_add(),690:modid 1 port 47984 is_lag_port 1 flags 0x104c0 trunk_id 1 port 0
Feb 23 09:59:04 swi-02 fpc1 LBCM-L2,pfe_bcm_l2_mac_add(),702:same mac entry
Feb 23 09:59:04 swi-02 fpc0 LBCM-L2,pfe_bcm_l2_mac_add(),690:modid 1 port 44448 is_lag_port 1 flags 0x104c0 trunk_id 1 port 0
Feb 23 09:59:04 swi-02 fpc0 LBCM-L2,pfe_bcm_l2_mac_add(),702:same mac entry
Feb 23 09:59:09 swi-02 fpc1 Unit: 0
Feb 23 09:59:09 swi-02 fpc1 Mem:
Feb 23 09:59:09 swi-02 fpc1 Parity error..
Feb 23 09:59:09 swi-02 fpc1 Error in: SBUS transaction.
Feb 23 09:59:09 swi-02 fpc1 Blk: 1, Pipe: 1, Address: 0x28401698, base: 0x10, stage: 10, index: 5784
Feb 23 09:59:09 swi-02 fpc1 Unit 0: mem: 2046=L3_DEFIP blkoffset:10
Feb 23 09:59:09 swi-02 fpc1 Unit 0: RESTORE[from X pipe]: L3_DEFIP[2046] blk: ipipe0 index: 5784
Feb 23 09:59:09 swi-02 fpc1 Unit: 0
Feb 23 09:59:09 swi-02 fpc1 Mem:
Feb 23 09:59:09 swi-02 fpc1 Parity error..
Feb 23 09:59:09 swi-02 fpc1 Error in: SBUS transaction.
Feb 23 09:59:09 swi-02 fpc1 Blk: 1, Pipe: 1, Address: 0x284016a8, base: 0x10, stage: 10, index: 5800
Feb 23 09:59:09 swi-02 fpc1 Unit 0: mem: 2046=L3_DEFIP blkoffset:10
Feb 23 09:59:09 swi-02 fpc1 Unit 0: RESTORE[from X pipe]: L3_DEFIP[2046] blk: ipipe0 index: 5800
EX3300 can't disable xe-2/3 for VC.
Hello.
I need to use all four 10Gb ports as network ports,
so I disabled xe-2/3 as VC ports, but the link is still down.
root@ex3300# run show virtual-chassis
Virtual Chassis ID: 492c.d68c.639c
Virtual Chassis Mode: Enabled
                                                  Mstr           Mixed Route Neighbor List
Member ID  Status   Serial No        Model        prio  Role     Mode  Mode  ID  Interface
0 (FPC 0)  Prsnt    GD021xxx446061   ex3300-24t   128   Master*        NA    VC
Member ID for next new member: 1 (FPC 1)

root@ex3300# run show interfaces xe-0/1/3
Physical interface: xe-0/1/3, Enabled, Physical link is Down
  Interface index: 156, SNMP ifIndex: 565
  Description:
  Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 10Gbps, Duplex: Full-Duplex, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Media type: Copper
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x4000
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 3c:61:04:ef:18:de, Hardware address: 3c:61:04:ef:18:de
  Last flapped   : 2017-02-23 13:21:40 MSK (01:10:39 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : LINK
  Active defects : LINK
  Interface transmit statistics: Disabled

  Logical interface xe-0/1/3.0 (Index 97) (SNMP ifIndex 566)
    Flags: Device-Down SNMP-Traps 0x40004000 Encapsulation: ENET2
    Input packets : 4
    Output packets: 10
    Protocol eth-switch, Flags: Trunk-Mode

root@ex3300# run show version
fpc0:
--------------------------------------------------------------------------
Hostname: ex3300
Model: ex3300-24t
Junos: 15.1R5.5
JUNOS EX Software Suite [15.1R5.5]
JUNOS FIPS mode utilities [15.1R5.5]
JUNOS Online Documentation [15.1R5.5]
JUNOS EX 3300 Software Suite [15.1R5.5]
JUNOS Web Management Platform Package [15.1R5.5]
Need any advice on how to fix it.
thanks!
Re: EX3300 can't disable xe-2/3 for VC.
Is this the procedure you are using to remove the port as a VC link?
https://kb.juniper.net/InfoCenter/index?page=content&id=KB17821
Is there another link still active to keep the VC traffic flowing or are you removing this completely from the VC?
Re: EX3300 can't disable xe-2/3 for VC.
Assuming you mean xe-0/1/3, you can run show chassis hardware to confirm that the installed optic is recognized. If so, you'll then want to check the cabling and its polarity, as well as that of the end device connected to it.
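An added example of the conversion procedure the first reply refers to, together with the checks from both replies, written by the editor rather than taken from the thread. On an EX3300 the last two SFP+ uplinks, xe-0/1/2 and xe-0/1/3, are Virtual Chassis ports out of the box. Turning them into network ports is an operational-mode request, not a configuration statement, which is why nothing in `show configuration` records it and why the only evidence that it took effect is the vc-port listing. PIC slot and port numbers follow the interface name: xe-0/1/3 is pic-slot 1, port 3.

```junos
# Added example, not from the thread. Operational mode, on the member that owns the ports.
request virtual-chassis vc-port delete pic-slot 1 port 2
request virtual-chassis vc-port delete pic-slot 1 port 3

# Neither port should be listed as a VC port any more; if one still is, the
# delete did not take and the link will never carry a network configuration.
show virtual-chassis vc-port

# The module in the uplink slot must be recognized before the link can come up.
show chassis hardware

# The freed port should now show Admin up and, with a good cable and optic, Link up.
show interfaces xe-0/1/3 terse
```

If `show virtual-chassis vc-port` is already empty for those ports and `show chassis hardware` lists the optic, the remaining suspects are physical: the cable, fibre polarity, a mismatched optic type at either end, or the far-end port being administratively down. The "Media type: Copper" in the poster's output is worth comparing against what the far end expects.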