Channel: All Ethernet Switching posts
Viewing all 10307 articles

LACP across ports on 2 EX3300 switches in a Virtual Chassis


Hello,

 

Is it possible to create a LACP across ports on 2 EX3300 switches in a virtual chassis? If yes, can you provide the steps and commands to create the LACP. I would like the following interfaces to be part of the LACP:

 

ge-0/0/22

ge-0/0/23

ge-1/0/22

ge-1/0/23


Re: ip-source-guard/dhcp security blocking lease renewals


As I said above, there are conflicting docs about whether this is possible. How is it possible to get something official from Juniper on this? It kinda seems to work.

Also, on Juniper switches does just turning on dhcp-security on a VLAN stop rogue DHCP servers?

Firewall filter EX4600


Hi,

 

I want to create some firewall filters on EX4600.

I just want network 192.168.11.0/24 to talk only to 192.168.12.0/24 and 192.168.12.0/24 only to 192.168.11.0/24.

 

I created these rules:

root@SD-TST-C012-1# show firewall family inet filter ACL_IN
term T1 {
    from {
        source-address {
            192.168.11.0/24;
        }
        destination-address {
            192.168.12.0/24;
        }
    }
    then accept;
}


root@SD-TST-C012-1# show firewall family inet filter ACL_OUT
term T1 {
    from {
        source-address {
            192.168.12.0/24;
        }
        destination-address {
            192.168.11.0/24;
        }
    }
    then accept;
}

I applied this configuration on my IRB interface:

root@SD-TST-C012-1# show interfaces irb.3082 family inet
filter {
    input ACL_IN;
    output ACL_OUT;
}
address 192.168.11.1/24 {
    vrrp-group 11 {
        virtual-address 192.168.11.3;
        priority 200;
        accept-data;
    }
}
root@SD-TST-C012-2# show interfaces irb.3082 family inet
filter {
    input ACL_IN;
    output ACL_OUT;
}
address 192.168.11.2/24 {
    vrrp-group 11 {
        virtual-address 192.168.11.3;
        priority 100;
        accept-data;
    }
}


 

My problem is that nothing pings.

Do you have any idea?

 

Thank you.
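Added example (not part of the original post, and not Juniper code): a small Python model of first-match term evaluation, ending in the implicit discard that closes every Junos firewall filter, run against the posted ACL_IN and ACL_OUT terms. The sample packets and the .10 host addresses are constructed for illustration; it shows which flows through irb.3082 the posted terms accept and which fall through to the default.

```python
from ipaddress import ip_address, ip_network

# Terms copied from the posted filters: (term name, source, destination, action)
ACL_IN = [("T1", "192.168.11.0/24", "192.168.12.0/24", "accept")]
ACL_OUT = [("T1", "192.168.12.0/24", "192.168.11.0/24", "accept")]


def evaluate(terms, src, dst):
    """Return (term, action) for the first term whose source and destination
    prefixes both match. A packet that matches no term reaches the implicit
    default at the end of the filter, which discards it."""
    for name, src_net, dst_net, action in terms:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)):
            return name, action
    return "implicit-default", "discard"


# Constructed sample packets: (description, filter direction on irb.3082, src, dst)
SAMPLES = [
    ("host .11.10 to host .12.10", "input", "192.168.11.10", "192.168.12.10"),
    ("reply .12.10 to host .11.10", "output", "192.168.12.10", "192.168.11.10"),
    ("host .11.10 to gateway address", "input", "192.168.11.10", "192.168.11.1"),
    ("host .11.10 to VRRP virtual IP", "input", "192.168.11.10", "192.168.11.3"),
    ("VRRP advert from peer switch", "input", "192.168.11.2", "224.0.0.18"),
]


def report(samples=SAMPLES):
    """Evaluate each sample against the filter bound to its direction."""
    rows = []
    for desc, direction, src, dst in samples:
        terms = ACL_IN if direction == "input" else ACL_OUT
        term, action = evaluate(terms, src, dst)
        rows.append((desc, direction, term, action))
    return rows


if __name__ == "__main__":
    for desc, direction, term, action in report():
        print(f"{direction:6} {desc:32} {term:16} {action}")
```

In this model only the routed 192.168.11.0/24 to 192.168.12.0/24 flow and its return traffic match T1; packets addressed to the gateway address, to the VRRP virtual address, or to the VRRP multicast group 224.0.0.18 match no term.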

Troubleshooting error message


I have two EX4300 switches in a stack. When I first got them I had them linked using optic cables; they are now using the standard stacking cables, and only xe-0/2/2-3 & 1/2/2-3 are configured. So I was supposed to see the error below showing a failed connection:

 

Apr 10 09:16:23 pfex: Link 51 FAILED
Apr 10 09:16:23 pfex: [EX-BCM PIC] ex_bcm_pic_optics_periodic: Failed to read eeprom of Optic 1 of Pic 2
Apr 10 09:16:23 fpc0 Link 51 FAILED
Apr 10 09:16:23 fpc0 [EX-BCM PIC] ex_bcm_pic_optics_periodic: Failed to read eeprom of Optic 1 of Pic 2
Apr 10 09:16:24 fpc1 Link 50 FAILED
Apr 10 09:16:24 fpc1 [EX-BCM PIC] ex_bcm_pic_optics_periodic: Failed to read eeprom of Optic 0 of Pic 2
Apr 10 09:16:24 fpc1 Link 51 FAILED
Apr 10 09:16:24 fpc1 [EX-BCM PIC] ex_bcm_pic_optics_periodic: Failed to read eeprom of Optic 1 of Pic 2
Apr 10 09:16:24 pfex: Link 50 FAILED
Apr 10 09:16:24 pfex: [EX-BCM PIC] ex_bcm_pic_optics_periodic: Failed to read eeprom of Optic 0 of Pic 2

The slots look fine

> show chassis pic fpc-slot 0 pic-slot 2
FPC slot 0, PIC slot 2 information:
  Type                             4x 1G/10G SFP/SFP+
  State                            Online
  PIC version                  3.2
  Uptime                         56 days, 20 hours, 24 minutes, 38 seconds

PIC port information:
                         Fiber                    Xcvr vendor       Wave-    Xcvr
  Port Cable type        type  Xcvr vendor        part number       length   Firmware
  3    10GBASE AOC 10M   n/a   JUNIPER-FINISAR    FCBG110SD1C10-J1  1024 nm  0.0

> show chassis pic fpc-slot 1 pic-slot 2
FPC slot 1, PIC slot 2 information:
  Type                             4x 1G/10G SFP/SFP+
  State                            Online
  PIC version                  3.2
  Uptime                         56 days, 20 hours, 24 minutes, 38 seconds

PIC port information:
                         Fiber                    Xcvr vendor       Wave-    Xcvr
  Port Cable type        type  Xcvr vendor        part number       length   Firmware
  3    10GBASE AOC 10M   n/a   JUNIPER-FINISAR    FCBG110SD1C10-J1  1024 nm  0.0

I also confirmed that the ports were no longer used as vc-ports and were unconfigured.

> show configuration interfaces xe-0/2/1 | display inheritance

{master:0}
> show configuration interfaces xe-1/2/0 | display inheritance

{master:0}

> show virtual-chassis vc-port
fpc0:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
1/0         Configured          6    Up           40000        1   vcp-255/1/1
1/1         Configured          6    Up           40000        1   vcp-255/1/0
1/3         Configured               Absent
1/2         Configured               Absent

fpc1:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
1/0         Configured          6    Up           40000        0   vcp-255/1/1
1/1         Configured          6    Up           40000        0   vcp-255/1/0
1/2         Configured               Absent
1/3         Configured               Absent

I am open to any additional guidance on where to look next for the source of these errors.

Re: VLAN Configuration Help


This is the port config from the Dell switch:

 

interface Gi1/0/16
switchport mode trunk
switchport general allowed vlan add 203-204,209,215 tagged
exit

 

All of the switchports are configured the same on the Dell switch and no other switches attached to it are having issues.

Re: LACP across ports on 2 EX3300 switches in a Virtual Chassis


Anyone? Here are some examples of what I am trying to accomplish.


Re: LACP across ports on 2 EX3300 switches in a Virtual Chassis


Hi

 

It is not correct; when we are forming a VC, the switches as a whole are considered a single member. If your requirement is to connect 0/0/1 and 0/0/2 to 1/0/1 and 1/0/2, it is not possible. The reason is that the chassis ID remains the same for all ports forming LACP.


If you would like to connect these 4 ports to another switch, we can surely do it.

 

Configs for the same

 

+-----------+ge-0/0/3         ge-0/0/4 +-----------+
|           +--------------------------+           |
|SWITCH-1   |                          |SWITCH-2   |
|           +--------------------------+           |
+-----------+ge-0/0/7        ge-0/0/8  +-----------+

SWITCH-1 Configuration:

set chassis aggregated-devices ethernet device-count 12
set interfaces ge-0/0/3 ether-options 802.3ad ae10
set interfaces ge-0/0/7 ether-options 802.3ad ae10
set interfaces ae10 aggregated-ether-options lacp active
set interfaces ae10 aggregated-ether-options lacp periodic fast
set interfaces ae10 unit 0 family ethernet-switching

SWITCH-2 Configuration:

set chassis aggregated-devices ethernet device-count 12
set interfaces ge-0/0/4 ether-options 802.3ad ae10
set interfaces ge-0/0/8 ether-options 802.3ad ae10
set interfaces ae10 aggregated-ether-options lacp active
set interfaces ae10 aggregated-ether-options lacp periodic fast
set interfaces ae10 unit 0 family ethernet-switching

 

 

Thanks

Partha


Re: LACP across ports on 2 EX3300 switches in a Virtual Chassis


Partha,

 

Please check out the 2 diagrams attached in my previous post.  I am trying to create a HA between the 2 firewall machines and the 2 Juniper switches.

 

There are 2 firewalls [pfSense] that are connected in a HA setup.

 

There are 2 Juniper switches connected in a virtual chassis setup for HA.

 

My goal is to connect the 2 firewalls to the 2 Juniper switches so that I have failover/redundancy. If the master firewall machine goes down, the backup will take over and still be connected to the Master Juniper switch.

 

If the Master Juniper switch goes down, the Backup Juniper Switch will take over and still be connected to the master firewall machine.

 

 

 

 

Re: Setting OSPF up


Alex, please take a look at my response.

Re: LACP across ports on 2 EX3300 switches in a Virtual Chassis


I have included these 2 new diagrams to hopefully explain what I am trying to accomplish. Please provide the CLI commands to accomplish the LAGG setup in diagram 1 and 2.

 


Re: layer-2 switching and logical tunnels


I got it to work.... I was able to add the lt interface (logical tunnel interface) as layer 2 interfaces into a routing-instance virtual-switch bridge-domain and then add irb on each logical system and ping across. Below I show the config and outputs for show commands of pings, bridge entries, ARP caches, and the different MAC address needed for each irb.

r6@lab-mx104:r6> show configuration | display set
...
set logical-systems r6 interfaces lt-0/1/0 unit 670 description r6->r7_1
set logical-systems r6 interfaces lt-0/1/0 unit 670 encapsulation ethernet-bridge
set logical-systems r6 interfaces lt-0/1/0 unit 670 peer-unit 760
set logical-systems r6 interfaces lt-0/1/0 unit 670 family bridge interface-mode access
set logical-systems r6 interfaces lt-0/1/0 unit 670 family bridge vlan-id 10
set logical-systems r6 interfaces irb unit 6 family inet address 172.16.40.2/24
set logical-systems r6 interfaces irb unit 6 mac 00:00:00:00:00:06
set logical-systems r6 routing-instances switch1 instance-type virtual-switch
set logical-systems r6 routing-instances switch1 interface lt-0/1/0.670
set logical-systems r6 routing-instances switch1 bridge-domains switch1 vlan-id 10
set logical-systems r6 routing-instances switch1 bridge-domains switch1 routing-interface irb.6

 

r7@lab-mx104:r7> show configuration | display set
...
set logical-systems r7 interfaces lt-0/1/0 unit 760 description r7->r6_1
set logical-systems r7 interfaces lt-0/1/0 unit 760 encapsulation ethernet-bridge
set logical-systems r7 interfaces lt-0/1/0 unit 760 peer-unit 670
set logical-systems r7 interfaces lt-0/1/0 unit 760 family bridge interface-mode access
set logical-systems r7 interfaces lt-0/1/0 unit 760 family bridge vlan-id 10
set logical-systems r7 interfaces irb unit 7 family inet address 172.16.40.3/24
set logical-systems r7 interfaces irb unit 7 mac 00:00:00:00:00:07
set logical-systems r7 routing-instances switch1 instance-type virtual-switch
set logical-systems r7 routing-instances switch1 interface lt-0/1/0.760
set logical-systems r7 routing-instances switch1 bridge-domains switch1 vlan-id 10
set logical-systems r7 routing-instances switch1 bridge-domains switch1 routing-interface irb.7

 

r6 shows...

 

r6@lab-mx104:r6> ping 172.16.40.3 rapid
PING 172.16.40.3 (172.16.40.3): 56 data bytes
!!!!!
--- 172.16.40.3 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.492/0.558/0.703/0.076 ms

 

r6@lab-mx104:r6> show interfaces irb.6 | grep "inet|mac"
MAC: 00:00:00:00:00:06
Protocol inet, MTU: 1514

 

r6@lab-mx104:r6> show arp interface irb.6
MAC Address Address Name Interface Flags
00:00:00:00:00:07 172.16.40.3 172.16.40.3 irb.6 [lt-0/1/0.670] none

 

r6@lab-mx104:r6> show bridge mac-table

MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
O -OVSDB MAC, SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)

Logical system : r6
Routing instance : switch1
Bridging domain : switch1, VLAN : 10
MAC MAC Logical NH RTR
addresssss flags interface Index ID
00:00:00:00:00:07 D lt-0/1/0.670
30:b6:4f:68:70:a9 S,NM lt-0/1/0.670


r7 shows...

 

r7@lab-mx104:r7> ping 172.16.40.2 rapid
PING 172.16.40.2 (172.16.40.2): 56 data bytes
!!!!!
--- 172.16.40.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.485/0.573/0.714/0.082 ms

 

r7@lab-mx104:r7> show interfaces irb.7 | grep "inet|mac"
MAC: 00:00:00:00:00:07
Protocol inet, MTU: 1514

 

r7@lab-mx104:r7> show arp interface irb.7
MAC Address Address Name Interface Flags
00:00:00:00:00:06 172.16.40.2 172.16.40.2 irb.7 [lt-0/1/0.760] none

 

r7@lab-mx104:r7> show bridge mac-table

MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
O -OVSDB MAC, SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)

Logical system : r7
Routing instance : switch1
Bridging domain : switch1, VLAN : 10
MAC MAC Logical NH RTR
addresssss flags interface Index ID
00:00:00:00:00:06 D lt-0/1/0.760

 

Re: LACP across ports on 2 EX3300 switches in a Virtual Chassis


I know someone can help me... Anyone?

Re: LACP across ports on 2 EX3300 switches in a Virtual Chassis


Hi,

 

The configuration was already provided.

 

Option 1

 

 

set chassis aggregated-devices ethernet device-count 3

set interfaces ge-0/0/22 ether-options 802.3ad ae1
set interfaces ge-1/0/22 ether-options 802.3ad ae1
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 family ethernet-switching

set interfaces ge-0/0/23 ether-options 802.3ad ae2
set interfaces ge-1/0/23 ether-options 802.3ad ae2
set interfaces ae2 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp periodic fast
set interfaces ae2 unit 0 family ethernet-switching

 

 

Option 2 (This would require your firewall cluster to support LACP between members as well)

 

 

set chassis aggregated-devices ethernet device-count 2
set interfaces ge-0/0/22 ether-options 802.3ad ae1
set interfaces ge-1/0/22 ether-options 802.3ad ae1
set interfaces ge-0/0/23 ether-options 802.3ad ae1
set interfaces ge-1/0/23 ether-options 802.3ad ae1
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 family ethernet-switching

 

 

Tim

 

 


interfaces interface-name vlan-tagging


Can anyone explain the purpose of the vlan-tagging statement under interfaces interface-name ? The documentation says it exists "to enable the reception and transmission of 802.1Q VLAN-tagged frames on the interface"

 

1. How is this any different from simply configuring set interfaces family ethernet-switching interface-name port-mode trunk?

2. The documentation states "On EX Series switches except for EX4300 and EX9200 switches, the vlan-tagging and family ethernet-switching statements cannot be configured on the same interface." This suggests that it can be configured together on the EX4300 and EX9200 -- why would I want to do this and what purpose does it serve?

 

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/vlan-tagging-edit-interfaces.html

 

Thanks,

--Paul

Problem with Juniper SFP "CM_JAVA [FPC:0 PIC:1]: Failed to uplink SFP 1 EEPROM"


Hi All,

 

We have a switch that is constantly spamming the following messages:

Apr 13 13:00:29 sw04.hil.uto chassism[1227]: XCVR: XCVR 1 EEPROM read Failed
Apr 13 13:00:29 sw04.hil.uto chassism[1227]: xcvr_cache_eeprom: xcvr_read_eeprom failed - link:1 pic_slot:1
Apr 13 13:00:29 sw04.hil.uto chassism[1227]: CM_LED: Unable to set frontpanel led for register: 0x3c bit loc 0
Apr 13 13:00:30 sw04.hil.uto chassism[1227]: cm_read_i2c errno:16, device:13
Apr 13 13:00:30 sw04.hil.uto chassism[1227]: I2C bus busy. Attempting I2C bus reset: device = 13
Apr 13 13:00:30 sw04.hil.uto chassism[1227]: I2C bus reset done!!
Apr 13 13:00:30 sw04.hil.uto chassism[1227]: CM_JAVA [FPC:0 PIC:1]: Failed to uplink SFP 1 EEPROM
Apr 13 13:00:30 sw04.hil.uto chassism[1227]: XCVR: XCVR 1 EEPROM read Failed

 

We also see a high amount of delay when we ping this host; it is also a Juniper-compatible optic.

 

If anyone could help me in terms of some troubleshooting/fixing that would be great.

 

***EDIT***

Switch Model- EX2200-C-12T-2G

Version - 12.3R12.4

Uptime - 64 weeks

 

Kind regards,

 

Dennis Verheul

NEP Worldwide

Re: Problem with Juniper SFP "CM_JAVA [FPC:0 PIC:1]: Failed to uplink SFP 1 EEPROM"


Hi,

 

You do not indicate:

 

-Type of EX switch

-Junos running

-Type of compatible optics

 

The EEPROM is probably wrongly coded in the optics; please run: show chassis hardware and indicate what you get on the PIC row where you have inserted the actual SFP in terms of

 

Version

Part number

Serial number

Description

 

 

Re: LACP across ports on 2 EX3300 switches in a Virtual Chassis


GLO, in your 2 diagrams, one.jpg is NOT possible, you MUST use 2.jpg. The 2 FWs do NOT act as one device, which would be required for one.jpg. Instead they act as 2 separate, but redundant devices. The EX2300 VC DOES ACT as one device. So the solution for you is to create 2 separate LAGs on the EX2300 mixing interfaces from FPC0 and FPC1 into each LAG. Then you also need to create 2 separate (again 2 port) LAGs on the FWs. Whether or not LACP is also required would depend upon the FW vendor's LAG implementation, but would be a suggested best practice configuration.

 

Hope this may help you.

Re: Problem with Juniper SFP "CM_JAVA [FPC:0 PIC:1]: Failed to uplink SFP 1 EEPROM"


Hi MICDUF,

 

Pardon me for not excluding the information, I've added it to the original post.

As for the output of the show chassis hardware command:

REV 01   740-011614   VE134100217       SFP-LX10

 

We use this kind of optics almost everywhere and this is the only environment where we see this behaviour.
