Channel: All Ethernet Switching posts


Re: SSH Access External


The term you need is discard. You also need to specify your ge-0/1/0 and vlan.71 external addresses as destinations in your filter's terminal_access_denied term, or you will block all transited ssh and telnet traffic--these are revenue ports, not management interfaces. As Steve noted, you also need to apply the filter to your externally facing interfaces.

Re: vQFX10k 15.1X53-D60 3 BUGS on MC-LAG (one fatal) :(


Hi alexander,

May I know whether this vQFX supports VC or VCF? I'm trying to make it VC/VCF but fail.

Thanks and appreciate your feedback

Re: vQFX10k 15.1X53-D60 3 BUGS on MC-LAG (one fatal) :(


I assume this is physical 10K, vQFX, yes?

I do not believe configuration-check or configuration-sync is yet supported on 10K.

Looking into other parts.

Re: SSH Access External


I'll give that a try now and report back - thanks

Re: EX3300 can't disable xe-2/3 for VC.

I've always used the delete option--I think disable simply turns it off but leaves the port as a VC uplink.

What does 'show virtual-chassis vc-port' show?

Re: SSH Access External


That worked applying it to the ge-0/1/0 - thanks. I didn't quite understand why the example applied it to the loopback but was trying since it didn't work previously when I applied it to the other interface. I may have had something else wrong, but it is working now.

Thanks for your help.

John

Re: vQFX10k 15.1X53-D60 3 BUGS on MC-LAG (one fatal) :(


no, vQFX is a virtual QFX, not a physical one

at least configuration-check does local checking but not remote

there is no release information regarding the vQFX available

and all the QFXs have the nasty attitude that you can enter or configure things which are unsupported or not working, but you do not get any error or commit warnings.

regards

alexander

PS the other error, family EVPN and family route-target together, I assume is also true for the physical one as it is pure control plane (see my other post in this forum)


Re: SSH Access External


Heh disregard... that took all of the internet down at that site.

This is what I committed...

-----

set firewall family inet filter local_acl term terminal_access from source-address 10.0.0.0/8
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access from port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied from port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then discard
set firewall family inet filter local_acl term default-term then accept

 

set interface ge-0/1/0 unit 0 family inet filter input local_acl

 

---

honestly for this inet switch - we just use the console cable and laptop to access it. I prefer to have no remote access to it at all. Lower risk of someone getting into it, but the example above killed all internet access at that site.

Thanks

John


Re: SSH Access External


show config - I usually use display set and missed this... is this the cause?

firewall {
    family inet {
        filter local_acl {
            term terminal_access {
                from {
                    source-address {
                        10.0.0.0/8;
                    }
                    protocol tcp;
                    ##
                    ## Warning: statement ignored: unsupported platform (ex2200-24t-4g)
                    ##
                    port [ ssh telnet ];
                }
                then accept;
            }
            term terminal_access_denied {
                from {
                    protocol tcp;
                    ##
                    ## Warning: statement ignored: unsupported platform (ex2200-24t-4g)
                    ##
                    port [ ssh telnet ];
                }
                then {
                    log;
                    discard;
                }
            }
            term default-term {
                then accept;
            }
        }
    }
}

Re: SSH Access External

Offhand I'm not sure what the unsupported error is about but this blocks all transit tcp traffic:

set firewall family inet filter local_acl term terminal_access_denied from protocol tcp

As I mentioned, you need to specify the external IPs as destination; these interfaces are carrying transit traffic into your network.

Re: SSH Access External


Correcting myself here--the ex2200 doesn't support named ports, you have to specify numerically. The 'port [ ssh telnet ]' specification was ignored as indicated, leaving the filter with only the tcp term.

 

set interfaces ge-0/1/0 unit 0 family inet filter input local_acl
set interfaces ge-0/1/0 unit 0 family inet address 2.2.2.2/30

set interfaces vlan unit 71 family inet filter input local_acl
set interfaces vlan unit 71 family inet address 1.1.1.1/24

set policy-options prefix-list external_ips 1.1.1.1/32
set policy-options prefix-list external_ips 2.2.2.2/32

set firewall family inet filter local_acl term terminal_access from source-address 10.0.0.0/8
set firewall family inet filter local_acl term terminal_access from destination-prefix-list external_ips
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from destination-port 22
set firewall family inet filter local_acl term terminal_access from destination-port 23
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from destination-prefix-list external_ips
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from destination-port 22
set firewall family inet filter local_acl term terminal_access_denied from destination-port 23
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then discard
set firewall family inet filter local_acl term default-term then accept
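As an added example (not code from this thread or from Juniper), the following Python lint reads set-format filter lines and flags the two problems discussed above: a discard term with no destination constraint, which on a revenue interface matches forwarded traffic as well as traffic to the switch itself, and named ports, which the ex2200 ignored at commit time so that only `protocol tcp` was left in the term. The sample input is constructed from the filter as first committed and the corrected version posted in this thread; the function names and the `named_ports_supported` switch that models the ex2200 behaviour are my assumptions, not anything Junos provides.

```python
import re

# Constructed sample input: the filter as first committed in the thread (took the
# site's internet down) followed by the corrected version posted later.
ORIGINAL_FILTER = """\
set firewall family inet filter local_acl term terminal_access from source-address 10.0.0.0/8
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access from port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied from port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then discard
set firewall family inet filter local_acl term default-term then accept
"""

CORRECTED_FILTER = """\
set policy-options prefix-list external_ips 1.1.1.1/32
set policy-options prefix-list external_ips 2.2.2.2/32
set firewall family inet filter local_acl term terminal_access from source-address 10.0.0.0/8
set firewall family inet filter local_acl term terminal_access from destination-prefix-list external_ips
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from destination-port 22
set firewall family inet filter local_acl term terminal_access from destination-port 23
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from destination-prefix-list external_ips
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from destination-port 22
set firewall family inet filter local_acl term terminal_access_denied from destination-port 23
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then discard
set firewall family inet filter local_acl term default-term then accept
"""

FILTER_PREFIX = "set firewall family inet filter "
SET_RE = re.compile(
    r"^set firewall family inet filter (?P<filter>\S+) term (?P<term>\S+) "
    r"(?P<clause>from|then) (?P<key>\S+)(?: (?P<value>.+))?$"
)

# A drop term lacking one of these is not pinned to the device's own addresses, so on
# a revenue (transit) interface it also drops forwarded traffic.
DEST_KEYS = {"destination-address", "destination-prefix-list"}
DROP_ACTIONS = {"discard", "reject"}
PORT_KEYS = {"port", "source-port", "destination-port"}
NUMERIC_PORT = re.compile(r"[0-9]+(-[0-9]+)?")


def parse_terms(config_text):
    """Group set-format filter lines into {term: {"from": [(key, value)], "then": [...]}}."""
    terms = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith(FILTER_PREFIX):
            continue  # interface and prefix-list lines are out of scope for this lint
        m = SET_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised filter line: {line}")
        term = terms.setdefault(m["term"], {"from": [], "then": []})
        term[m["clause"]].append((m["key"], m["value"] or ""))
    return terms


def lint_filter(config_text, named_ports_supported=False):
    """Return (term, code, detail) findings for a set-format inet filter.

    named_ports_supported=False models the ex2200 commit warning from the thread:
    named-port statements are ignored, so they drop out of the effective match set.
    """
    findings = []
    for name, term in parse_terms(config_text).items():
        effective = []
        for key, value in term["from"]:
            if key in PORT_KEYS and not NUMERIC_PORT.fullmatch(value):
                findings.append((name, "NAMED_PORT", f"{key} {value}"))
                if not named_ports_supported:
                    continue
            effective.append((key, value))
        actions = {key for key, _ in term["then"]}
        if actions & DROP_ACTIONS and not any(k in DEST_KEYS for k, _ in effective):
            left = " ".join(f"{k} {v}" for k, v in effective) or "<no conditions>"
            findings.append((name, "TRANSIT_DROP", f"drops transit traffic matching: {left}"))
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_FILTER), ("corrected", CORRECTED_FILTER)):
        print(f"== {label} ==")
        for term, code, detail in lint_filter(text):
            print(f"{term}: {code}: {detail}")
```

Run against the original filter the lint reports four named-port statements and a TRANSIT_DROP on terminal_access_denied whose surviving condition is only `protocol tcp`, which is exactly the outage described above; with `named_ports_supported=True` the term still fails the destination check, so fixing the ports alone would not have made it safe. The corrected filter produces no findings.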

Re: EX3300 can't disable xe-2/3 for VC.


smicker wrote:
That isn't what I asked for.

sorry, my mistake.

but still nothing =)

root@ex3300# run show virtual-chassis vc-port
fpc0:
--------------------------------------------------------------------------

{master:0}[edit]
root@ex3300#

Understanding edge ports in spanning tree protocol


Hello all,

I was trying to understand how I could configure my EX switches to protect against loops.

I have an EX device which works as an access device connected to a distribution switch via an xe port.

Then all the other ge ports should be connected to a non-switch.

What should be the best configuration to prevent an accidental loop generated by connecting a ge port to another one on the same device?

If I am not mistaken, the port connected to a non-switch device can be configured as an edge port to speed up the RSTP process so they put themselves in forwarding mode immediately. But what happens if I connect two of them to each other?

Thank You

Regards

M.


Re: Understanding edge ports in spanning tree protocol


Spanning tree will take care of loops. However, the example you reference does not sound like a mistake any admin is likely to commit. If there is a suspicion that could happen, then disable all ports not in use. That is much more secure and would ensure that unused ports are not accidentally involved in any such loops. If you are concerned about another switch becoming root bridge then you have rootguard for that.

EX4200 - error: the ethernet-switching subsystem is not running


Hi All,

I recently upgraded a standalone EX4200-48T from 12.3R6.6 to 15.1R5.5. After reboot, I could see the previous configuration is still there and the switch is now running the new software. But switching is not happening and it shows the following error:

{master:0}
root@SW2-JUN> show vlans
error: the ethernet-switching subsystem is not running

I will be so glad if someone knows about this issue. Thanks in advance.

Re: Understanding edge ports in spanning tree protocol


You can configure an access-port group for all the edge ports on the access switch. Then the group as a whole can be configured for bpdu-block-on-edge. This will make sure to disable any edge ports that receive BPDU packets from the downstream devices. You would also want to set a bridge priority of 0 on your root bridge (this could be your distribution switch in this case). You can configure the no-root-port statement on your root bridge as well; this will make sure to block any superior BPDU received from downstream devices, which helps avoid unnecessary changes to the STP topology. Basically, you should avoid closed-form architectures in your switching topology such as a triangle, square or any irregular closed form as much as possible to prevent loops.