When configuring MVRP and VSTP on a switched ring topology I noticed that the MVRP-learned VLANs do not seem to learn spanning-tree bridges. For example, with a topology of switch A - B - C - A, if switch A is configured as the root bridge with a priority of 8K for VLAN 10 and switch B has a priority of 16K for VLAN 10 and switch C learns of VLAN 10 through MVRP, switch C does not seem to see switch A as the root bridge. Does this mean it can cause a loop?
Can MVRP cause loops?
Re: VLAN Configuration Help
It does appear that you've successfully configured vlans 203, 204, 209, and 215 to trunk out ge-0/0/47. When you say you cannot get an IP address for vlans 209 and 215, do you mean the devices plugged into ports ge-0/0/0 and ge-0/0/3, or the actual vlan interfaces themselves?
Re: VLAN Configuration Help
I mean the devices plugged into ports ge-0/0/0 and 0/0/3. The devices plugged into ports ge-0/0/1 and 0/0/4 pick up an ip address correctly and can access the network.
Re: VLAN Configuration Help
Hi,
I can give you some tips to troubleshoot this:
1) Configs for ports 0/0/0, 0/0/1, 0/0/2 and 0/0/3 are correct.
2) Even the trunk config is correct.
When you are saying DHCP is not working, we should check the device connected to 0/0/47 and its configuration.
Where is the DHCP server connected? If it's on the device connected to 0/0/47, check the relay or server config.
You could also do "monitor traffic interface ge-0/0/47 no-resolve" and check if DHCP packets are going out; if they are going out, the problem is not on the EX2200 but on the next hop.
You may as well open a TAC case to troubleshoot if you feel like it.
Thanks
Partha
ip-source-guard/dhcp security blocking lease renewals
Running an EX4300 with 17.1 code.
When source guard is enabled, I'm seeing dhcp-security bindings expire and clients are not renewing their leases. These particular clients are Cisco phones. Has anyone seen anything like this? I'll admit I'm still very green with Juniper products but I can't seem to find many docs on this and its debugging process. Seems like since they merged the documentation, huge chunks are missing.
top show vlans voice
vlan-id 4000;
l3-interface irb.4000;
forwarding-options {
    dhcp-security {
        ip-source-guard;
        group trusted {
            overrides {
                trusted;
            }
        }
        option-82 {
            circuit-id;
            remote-id {
                use-string ermag;
            }
        }
    }
}
Re: ip-source-guard/dhcp security blocking lease renewals
On the EX4300 when you enable any security feature, like IP Source Guard, the switch automatically enables Dynamic ARP Inspection (DAI), which is a requirement for IP-SG to work. Go to:
https://www.juniper.net/documentation/en_US/junos/topics/concept/port-security-ip-source-guard.html
See the 1st Note under "How IP Source Guard Works". There is also a link to CLI procedure to configure via ELS.
You may want to look at DAI info here and use this to check what is going on there:
Good luck.
Re: ip-source-guard/dhcp security blocking lease renewals
Thanks for the reply. I had looked at that guide but I don't see where it says specifically that you must set arp-inspection on at the same time with ip-source-guard.
I see where you said "On the EX4300 when you enable any Security feature, like IP-Source Guard, the switch automatically enabled Dynamic Arp Inspection (DAI), which is a requirement for IP-SG to work." Did you mean it automatically enabled dhcp-snooping or DAI? The doc you posted says "
- If your switch uses Junos OS for EX Series with support for the Enhanced Layer 2 Software (ELS) configuration style, DHCP snooping is enabled automatically when you enable IP source guard on a VLAN. See Configuring IP Source Guard (CLI Procedure)."
It just never occurred to me that both had to be on, because coming from the Cisco world they work independently of each other.
Sorry for the newbie questions.
Re: ip-source-guard/dhcp security blocking lease renewals
Yes, Juniper is different. In older EX products, non-ELS, you needed to enable DAI first in order to get IP-SG to function. In newer EX, like the EX4300 with ELS (different chip set), when you enable DHCP-related security features, DAI gets automatically turned on (it does not require any specific config knob to be turned on) when the security feature is set.
So when you enable IP-SG on the EX4300, DAI is also automatically enabled.
Re: VLAN Configuration Help
I changed the trunk port to be 0/1/0 and have connected it directly to our core switch, which is a Dell 7024F. We have 13 other switches connected to the core switch and all of them work correctly. All the other switches are Dell also. I ran the command on port 0/1/0 and this is the output:
root@BLAWS1005A> monitor traffic interface ge-0/1/0 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-0/1/0, capture size 96 bytes
07:39:01.963115 Out IP truncated-ip - 116 bytes missing! 192.168.203.10.22 > 192.168.209.206.56169: P 674297242:674297374(132) ack 2738006037 win 32850
07:39:01.969331 In IP 192.168.209.206.56169 > 192.168.203.10.22: . ack 132 win 253
07:39:01.970652 Out IP truncated-ip - 52 bytes missing! 192.168.203.10.22 > 192.168.209.206.56169: P 132:200(68) ack 1 win 32850
07:39:01.973470 Out IP truncated-ip - 84 bytes missing! 192.168.203.10.22 > 192.168.209.206.56169: P 200:300(100) ack 1 win 32850
07:39:01.979852 In IP 192.168.209.206.56169 > 192.168.203.10.22: . ack 300 win 252
07:39:02.106418 In IP truncated-ip - 272 bytes missing! 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
07:39:02.156107 In IP truncated-ip - 272 bytes missing! 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
07:39:02.279892 In arp who-has 192.168.203.198 tell 192.168.203.2
07:39:02.720067 In IP6 truncated-ip6 - 84 bytes missing!fe80::9122:bb8c:78a3:e1ab.546 > ff02::1:2.547: dhcp6 solicit
07:39:02.732461 In IP6 truncated-ip6 - 16 bytes missing!fe80::217:23ff:fea6:61f7 > ff02::1:ffa6:61f7: HBH ICMP6, multicast listener report , length 24
07:39:02.736281 In IP6 truncated-ip6 - 8 bytes missing!:: > ff02::1:ffa6:61f7: ICMP6, neighbor solicitation[|icmp6]
07:39:02.977029 Out IP truncated-ip - 1316 bytes missing! 192.168.203.10.22 > 192.168.209.206.56169: P 300:1632(1332) ack 1 win 32850
07:39:03.051841 In IP6 truncated-ip6 - 16 bytes missing!fe80::217:23ff:feac:fcdc > ff02::1:ffac:fcdc: HBH ICMP6, multicast listener report , length 24
07:39:03.053601 In IP6 truncated-ip6 - 8 bytes missing!:: > ff02::1:ffac:fcdc: ICMP6, neighbor solicitation[|icmp6]
07:39:03.081329 In IP6 truncated-ip6 - 84 bytes missing!fe80::7550:ee10:dbcf:ba7e.546 > ff02::1:2.547: dhcp6 solicit
07:39:03.126103 In IP truncated-ip - 272 bytes missing! 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
07:39:03.148061 In STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 1000.f8:b1:56:04:a5:3b.8010, length 43
07:39:03.196002 In IP 192.168.209.206.56169 > 192.168.203.10.22: . ack 1632 win 256
07:39:03.351645 In IP6 truncated-ip6 - 16 bytes missing!fe80::217:23ff:feb1:c70 > ff02::1:ffb1:c70: HBH ICMP6, multicast listener report , length 24
07:39:03.362045 In IP6 truncated-ip6 - 8 bytes missing!:: > ff02::1:ffb1:c70: ICMP6, neighbor solicitation[|icmp6]
07:39:03.378662 In arp who-has 192.168.203.198 tell 192.168.203.2
07:39:03.620748 In IP truncated-ip - 252 bytes missing! 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
07:39:03.976576 Out IP truncated-ip - 1332 bytes missing! 192.168.203.10.22 > 192.168.209.206.56169: P 1632:2980(1348) ack 1 win 32850
07:39:04.104773 In IP6 truncated-ip6 - 16 bytes missing!fe80::217:23ff:fea6:6e2e > ff02::1:ffa6:6e2e: HBH ICMP6, multicast listener report , length 24
07:39:04.106408 In IP6 truncated-ip6 - 8 bytes missing!:: > ff02::1:ffa6:6e2e: ICMP6, neighbor solicitation[|icmp6]
07:39:04.114395 In IP truncated-ip - 272 bytes missing! 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
07:39:04.193735 In IP 192.168.209.206.56169 > 192.168.203.10.22: . ack 2980 win 251
07:39:04.478644 In arp who-has 192.168.203.198 tell 192.168.203.2
07:39:04.594973 In IP truncated-ip - 272 bytes missing! 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
07:39:04.647603 In IP truncated-ip - 272 bytes missing! 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
07:39:04.668411 In IP6 truncated-ip6 - 16 bytes missing!fe80::217:23ff:feb0:a5af > ff02::1:ffb0:a5af: HBH ICMP6, multicast listener report , length 24
07:39:04.756762 In IP6 truncated-ip6 - 86 bytes missing!fe80::79c6:a1ea:d391:8056.546 > ff02::1:2.547: dhcp6 solicit
07:39:04.847086 In IP truncated-ip - 272 bytes missing! 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
07:39:04.856582 In IP6 truncated-ip6 - 16 bytes missing!fe80::217:23ff:feb1:c70 > ff02::1:ffb1:c70: HBH ICMP6, multicast listener report , length 24
07:39:04.977050 Out IP truncated-ip - 836 bytes missing! 192.168.203.10.22 > 192.168.209.206.56169: P 2980:3832(852) ack 1 win 32850
07:39:04.980931 Out IP truncated-ip - 308 bytes missing! 192.168.203.10.22 > 192.168.209.206.56169: P 3832:4156(324) ack 1 win 32850
07:39:04.984474 Out IP truncated-ip - 420 bytes missing! 192.168.203.10.22 > 192.168.209.206.56169: P 4156:4592(436) ack 1 win 32850
07:39:04.989241 In IP 192.168.209.206.56169 > 192.168.203.10.22: . ack 4156 win 256
07:39:04.989294 In IP truncated-ip - 36 bytes missing! 192.168.209.206.56169 > 192.168.203.10.22: P 1:53(52) ack 4592 win 254
07:39:05.089514 Out IP 192.168.203.10.22 > 192.168.209.206.56169: . ack 53 win 32850
07:39:05.148403 In STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 1000.f8:b1:56:04:a5:3b.8010, length 43
07:39:05.238902 In IP6 truncated-ip6 - 16 bytes missing!fe80::217:23ff:fea6:61f7 > ff02::1:ffa6:61f7: HBH ICMP6, multicast listener report , length 24
^C
47 packets received by filter
0 packets dropped by kernel
I am honestly not sure what I'm looking at.
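The capture above is hard to read by eye, so here is an added helper (not from the thread or from Juniper) that tallies "monitor traffic ... no-resolve" lines by direction and protocol and applies the rule given earlier in the thread: do the clients' DHCP requests leave the interface, and does any reply come back? The sample lines are constructed in the same format; the Out request and In reply are made up to exercise both branches.

```python
import re
from collections import Counter

# Constructed sample in the format of Junos "monitor traffic ... no-resolve" output
# (lines modelled on the capture above, plus one Out request and one In reply).
SAMPLE = """\
07:39:02.106418 In IP truncated-ip - 272 bytes missing! 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
07:39:02.279892 In arp who-has 192.168.203.198 tell 192.168.203.2
07:39:03.148061 In STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 1000.f8:b1:56:04:a5:3b.8010, length 43
07:39:03.196002 In IP 192.168.209.206.56169 > 192.168.203.10.22: . ack 1632 win 256
07:39:04.000000 Out IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
07:39:04.500000 In IP 192.168.203.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply [|bootp]
"""

# timestamp, direction (In/Out), then the protocol decode
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<dir>In|Out) (?P<rest>.*)$")

def classify(rest):
    """Map the protocol text after the direction field to a coarse class."""
    if "BOOTP/DHCP, Request" in rest:
        return "dhcp-request"
    if "BOOTP/DHCP, Reply" in rest:
        return "dhcp-reply"
    if rest.startswith("STP "):
        return "stp-bpdu"
    if rest.startswith("arp "):
        return "arp"
    return "other"

def tally(text):
    """Count packets per (direction, class); non-packet lines (^C, summary) are skipped."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[(m["dir"], classify(m["rest"]))] += 1
    return counts

def dhcp_verdict(counts):
    """Rule from the thread: requests must leave this interface, and a reply
    must come back from the next hop, otherwise the problem is on that side."""
    if counts[("Out", "dhcp-request")] == 0:
        return "no DHCP requests leaving this interface: check VLAN membership on this switch"
    if counts[("In", "dhcp-reply")] == 0:
        return "requests leave but no reply returns: check relay/server on the next hop"
    return "requests and replies both seen on this interface"
```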
Re: ip-source-guard/dhcp security blocking lease renewals
Also, it seems that only phones don't want to work with this. Are there known issues? Can't run this feature on phone vlans? It works with a computer on the phone vlan, a computer behind a phone, but not a phone itself.
Re: ip-source-guard/dhcp security blocking lease renewals
Gotcha. I guess now the issue I'm having is that phones don't seem to be working with this....and JTAC is saying that you might not be able to run these features on the voice and data vlans on the same switchport.
Unfortunately if I can't get this to work the way it does on the Cisco gear, it might be a deal breaker on our proof of concept as odd as that sounds.
Re: ip-source-guard/dhcp security blocking lease renewals
Looks like they may be right (note this doc appears to have CLI for non-ELS only!):
One thing you might try is to configure the voice vlan as untrusted. Access ports are untrusted by default. You may need to explicitly set interface to dhcp-untrust?? Maybe worth a try.
Re: ip-source-guard/dhcp security blocking lease renewals
Seems like the docs are all over the place on this, as I found this as well. Docs seem to contradict themselves. Not sure I follow what you mean about making the voice vlan untrusted, specifically.
Tip: If you wanted to configure IP source guard on the voice VLAN as well as on the data VLAN, you would configure DHCP snooping and IP source guard exactly as you did for the data VLAN. The configuration result for the voice VLAN under secure-access-port would look like this:
Re: ip-source-guard/dhcp security blocking lease renewals
I should have added that the dhcp-security binding is created initially, but the attempt to renew/rebind looks like it is never acknowledged by the switch.
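A toy model of the check IP source guard performs, added here to illustrate the symptom just described (binding created, renewal never accepted); it is not Junos code, and the MAC, IP, port and lease time are constructed (VLAN 4000 is the voice VLAN from the config above). It shows why a unicast renewal sourced from the client's own address only passes while the snooping binding is still present, whereas a fresh broadcast DISCOVER from 0.0.0.0 always gets through.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    """One DHCP snooping binding: what IP source guard checks IP traffic against."""
    mac: str
    ip: str
    vlan: int
    port: str
    expires: float  # time at which the snooping lease runs out

class IpSourceGuard:
    """Toy model of IP source guard on an untrusted access port (not Junos code).
    IP traffic is forwarded only if (VLAN, port, MAC) has a live binding for the
    source IP; DHCP client packets sourced from 0.0.0.0 are always let through so
    a client can obtain a lease in the first place."""

    def __init__(self):
        self.bindings = {}  # (vlan, port, mac) -> Binding

    def learn_ack(self, now, mac, ip, vlan, port, lease):
        """Snooping saw a DHCPACK for this client: install or refresh the binding."""
        self.bindings[(vlan, port, mac)] = Binding(mac, ip, vlan, port, now + lease)

    def expire(self, now):
        """Drop bindings whose lease time has passed."""
        self.bindings = {k: b for k, b in self.bindings.items() if b.expires > now}

    def allow(self, now, mac, src_ip, vlan, port):
        """Forwarding decision for one IP packet arriving on the untrusted port."""
        self.expire(now)
        if src_ip == "0.0.0.0":
            return True  # DHCPDISCOVER or broadcast DHCPREQUEST, never filtered
        b = self.bindings.get((vlan, port, mac))
        return b is not None and b.ip == src_ip

# Constructed values: voice VLAN 4000 as in the thread; MAC, IP, port and lease are made up.
PHONE = dict(mac="aa:bb:cc:00:00:01", vlan=4000, port="ge-0/0/5")
PHONE_IP = "10.40.0.10"

def renewal_scenario(renew_at, lease=600):
    """Phone leases at t=0, then sends a unicast DHCPREQUEST from its own IP at
    renew_at. Returns whether the guard lets that renewal reach the DHCP server."""
    g = IpSourceGuard()
    g.allow(0, PHONE["mac"], "0.0.0.0", PHONE["vlan"], PHONE["port"])  # discover passes
    g.learn_ack(0, PHONE["mac"], PHONE_IP, PHONE["vlan"], PHONE["port"], lease)
    return g.allow(renew_at, PHONE["mac"], PHONE_IP, PHONE["vlan"], PHONE["port"])
```

With a 600 s lease, a renewal at T1 (300 s) is forwarded, but one attempted after the binding has aged out (700 s) is dropped, and the phone can only recover by starting over with a broadcast DISCOVER.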
Re: ip-source-guard/dhcp security blocking lease renewals
TAC is your best bet now. What is your TAC case #? Is your config in the case?
Re: ip-source-guard/dhcp security blocking lease renewals
Parts of it are in there; frankly you've been more helpful than TAC.
case number is: 2017-0407-0587
Maximum number of RVIs
Can anyone point me to a KB article/mention of the maximum number of RVIs across EX series switches?
Does it work that way? Hardware footprint/model relationship? i.e. the beefier the model, the more supported?
Or is it a JUNOS revision relationship? i.e. the later the revision, the more supported?
Or neither, and there is a hard stop/finite number regardless of JUNOS revision and/or hardware footprint?
Re: VLAN Configuration Help
Are you trunking the same vlans (203, 204, 209, and 215) on the Dell core switch interface connected to ge-0/1/0? It appears the issue is somewhere downstream, as your 2200 seems to be configured correctly.
Re: Maximum number of RVIs
There is no RVI configuration limit, only the maximum number of VLANs supported on each switch model.
But you may hit other platform limits with a large number of RVIs, like bandwidth, MAC addresses or other traffic-related items, by having all the VLAN traffic come to a particular switch for its default gateway. Thus you will need to be aware of all the link capacity to the gateway in your network design.
Configuring RTG on two EX2300-C
Hello,
I want to configure RTG on two EX2300-C.
The switches are connected with 10G fiber (SFP+) (xe-0/1/0) and 1G copper (ge-0/0/11).
The 10G fiber cable should be primary, the copper cable secondary mode.
Will the copper cable (1G) reduce the speed of the fiber (10G) to also 1G?
I found these documents:
They only show example configuration for three switches.
So my question is:
Do I need to configure the following commands on both of the switches or only on one switch?
set protocols rstp disable
set ethernet-switching-options redundant-trunk-group group example1 interface xe-0/1/0.0 primary
set ethernet-switching-options redundant-trunk-group group example1 interface ge-0/0/11.0
set ethernet-switching-options redundant-trunk-group group example1 preempt-cutover-timer 60
Does RTG also work when one VLAN is configured as IRB management interface?
I hope that somebody could help me.
Thanks and kind regards
gp83.