Channel: All Ethernet Switching posts

Re: How do I block port 25 on EX4600


starlog,

 

Hello! One configuration snippet in particular caught my attention. In your original request you asked to block traffic "from port 25 smtp". In the below configuration, you have a match condition of source-port 25 and destination-port 25.

 

+              term PORT-25-BLOCK {
+                  from {
+                      source-port smtp;
+                      destination-port smtp;

According to this article, all conditions in the from stanza must be met to match and execute the then statement. If your intent is to block all traffic sourcing from port 25, then you should only use source-port smtp. If you are attempting to block communications destined to port 25, you should use destination-port smtp. If you want either/or, try using the port match condition.

 

All in all, if your original ask is to block traffic from port 25, the below configuration should meet your needs.

 

set firewall family ethernet-switching filter BLOCK-25 term BLOCK-SMTP from source-port smtp
set firewall family ethernet-switching filter BLOCK-25 term BLOCK-SMTP then discard
set firewall family ethernet-switching filter BLOCK-25 term BLOCK-SMTP then log
set firewall family ethernet-switching filter BLOCK-25 term PERMIT-ANY then accept
set interfaces ge-3/0/0.0 family ethernet-switching filter input BLOCK-25
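To make the AND semantics of the from stanza concrete, here is a small Python model of how a Junos filter walks its terms. This is an added example, not code from the forum post or from Juniper: the term lists reproduce the two configurations above (the original term with both source-port and destination-port, and the corrected one), plus a third using the port match condition. The packet dictionaries and ephemeral port numbers are constructed for the demonstration.

```python
# Added example (not from the forum post or Juniper): a model of Junos firewall
# filter term evaluation, showing why "source-port smtp" AND "destination-port
# smtp" in one term almost never matches real SMTP traffic.
from dataclasses import dataclass, field

SMTP = 25  # the Junos "smtp" keyword resolves to TCP/UDP port 25


@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)  # from-stanza conditions; all must match (AND)
    action: str = "accept"                      # then-stanza action


# Filter from the original request: both conditions in one term.
ORIGINAL = [
    Term("PORT-25-BLOCK", {"source-port": {SMTP}, "destination-port": {SMTP}}, "discard"),
    Term("PERMIT-ANY", {}, "accept"),
]
# Corrected filter from the reply above: block traffic sourced from port 25.
CORRECTED = [
    Term("BLOCK-SMTP", {"source-port": {SMTP}}, "discard"),
    Term("PERMIT-ANY", {}, "accept"),
]
# Variant using the "port" condition, which matches either direction.
EITHER = [
    Term("BLOCK-SMTP", {"port": {SMTP}}, "discard"),
    Term("PERMIT-ANY", {}, "accept"),
]


def condition_matches(cond, values, pkt):
    """One from-condition: the packet field must equal one of the listed values (OR within a condition)."""
    if cond == "source-port":
        return pkt["sport"] in values
    if cond == "destination-port":
        return pkt["dport"] in values
    if cond == "port":  # true if either the source or the destination port is listed
        return pkt["sport"] in values or pkt["dport"] in values
    raise ValueError(f"unsupported match condition: {cond}")


def evaluate(filter_terms, pkt):
    """Return (term name, action) of the first term whose conditions all match.

    A term with an empty from stanza matches everything. When no term matches,
    Junos applies an implicit discard at the end of the filter.
    """
    for term in filter_terms:
        if all(condition_matches(c, v, pkt) for c, v in term.match.items()):
            return term.name, term.action
    return None, "discard"


if __name__ == "__main__":
    # Constructed sample traffic: a client connecting to a mail server, and the reply.
    client_to_mx = {"sport": 51234, "dport": SMTP}
    mx_to_client = {"sport": SMTP, "dport": 51234}
    for label, flt in (("ORIGINAL", ORIGINAL), ("CORRECTED", CORRECTED), ("EITHER", EITHER)):
        print(label, "client->mx:", evaluate(flt, client_to_mx), "mx->client:", evaluate(flt, mx_to_client))
```

Running it shows the point of the reply: the original term only fires when both ports are 25, so a normal client connection to a mail server and the server's reply both fall through to PERMIT-ANY, while the corrected filter discards anything sourced from port 25 and the port variant discards both directions.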

 

 



Re: Juniper compatibility with Cisco vCP


Thanks for the response.

It looks like MC-LAG and vCP are both implementations of the IEEE 802.1AX-2008 standard.

I cannot find anywhere that says they are compatible. In fact, I find that each is a proprietary implementation of the said standard.

In this customer's design, they have vCP between datacenters as well as vCP between core/aggregation/access 5K switches locally and at remote sites. If vCP and MC-LAG are proprietary, is there a way to make them interact?

Re: Web Management not functioning ES-4200 11.4R7.5

And if the solution provided in the KB didn't solve your problem, then as mentioned in the KB you'll need to open a JTAC case. But you cannot do that when you're running the 11.4 version, as this version is out of support. You'll need to upgrade to a supported version first.

Re: Web Management not functioning ES-4200 11.4R7.5


Thank you so much, that worked like a charm! You all are awesome!

Juniper EX LACP over WiFi for Point to Point WiFi


Hi Gurus,

 

I need to ask your opinion on some EX LACP.

 

We have a customer using 2 pairs of Ubiquiti P2P WiFi, and they want to LACP to the EX switch.

 

I have done the LACP configuration at both EX devices.

 

However, when I plug the cable from the PoE injector into the LACP member port, the link status remains in the down state even though the admin status is up.

 

The configuration template I used is below. I did not see any issues with the configuration, but the interface link status just won't come up. I did the same for the Site A EX and Site B EX as well.

 

set chassis aggregated-devices ethernet device-count 10

 

set interfaces ge-0/0/43 description PowerBridge-Link-1
set interfaces ge-0/0/43 ether-options 802.3ad ae3

set interfaces ge-0/0/45 description PowerBridge-Link-2
set interfaces ge-0/0/45 ether-options 802.3ad ae3

 

set interfaces ae3 mtu 9216
set interfaces ae3 aggregated-ether-options link-speed 1g
set interfaces ae3 aggregated-ether-options lacp active
set interfaces ae3 aggregated-ether-options lacp periodic slow
set interfaces ae3 unit 0 family ethernet-switching port-mode access
set interfaces ae3 unit 0 family ethernet-switching vlan members 22

 

Diagram as below

 

         |--POE Injector -- AP (UBNT PowerBridge) ***P2P link*** AP (UBNT PowerBridge) --POE Injector --|
CORE A --|                                                                                              |-- CORE B
         |--POE Injector -- AP (UBNT PowerBridge) ***P2P link*** AP (UBNT PowerBridge) --POE Injector --|

Re: Chassis Alarm Potential slow peers are: spmd When Fusion Configured


As an update for everyone, a PR has been elevated. I've also been informed that this warning alarm is pretty much benign and it occurs only upon the restart of the SPMD daemon. The technical explanation is as follows:

 

There is no issue when the device comes up with fusion configuration for the first time. Issue is seen only when re-spawned with a new process id, which can be achieved by just restarting the SPMD daemon.

 

The SPMD rtsock client is in a stuck state because the processed ifstate ack is not 0. Unless the ifstate that's acked is 0, the rtsock client will continue to be in a stuck state, hence the alarm is noticed. Even though ifsmon shows the states acked by SPMD as 100%, this issue is still seen. Looking further into the code to root-cause the issue.

Re: Chassis Alarm Potential slow peers are: spmd When Fusion Configured


Thanks for the update and keep us posted.  

 

Also if you could add the PR number for reference that would be great.

Re: Juniper EX LACP over WiFi for Point to Point WiFi


Yup. We tested that. And with the PoE injector connected to a normal access or trunk port, all works fine. The interface link status is able to come up and traffic runs smoothly.

 

When we unplug and plug back into the LACP member port, the link status remains down.

 

If we plug a normal laptop LAN port into the LACP member port, the link status is able to come up, as a test of whether the port is faulty.

Re: Juniper EX LACP over WiFi for Point to Point WiFi

Hi,

I'm just interested if there is an option to enable the LACP feature in the AP as well.
Because I remember that in Aruba Networks you need to enable the LACP profile.
Again, not sure, just interested.

Re: EX4200 log on OS 15.1R5.5


We're having the same issue here 

 

May 4 09:45:40 2017 172.31.110.173 /kernel: rts_commit_proposalmput op: 2, peer_type:25, peer_index:1, vskid:0, seqno:86438, flag:10,
May 4 09:45:40 2017 172.31.110.173 /kernel: rts_commit_proposalmput op: 2, peer_type:7, peer_index:1, vskid:0, seqno:37790, flag:2,
May 4 09:45:40 2017 172.31.110.173 /kernel: rts_commit_proposalmput op: 2, peer_type:25, peer_index:1, vskid:0, seqno:86438, flag:9,
May 4 09:45:42 2017 172.31.110.173 /kernel: rts_commit_proposalmput op: 2, peer_type:7, peer_index:1, vskid:0, seqno:73712, flag:10,
May 4 09:45:42 2017 172.31.110.173 /kernel: rts_commit_proposalmput op: 2, peer_type:7, peer_index:1, vskid:0, seqno:37791, flag:2,
May 4 09:45:42 2017 172.31.110.173 /kernel: rts_commit_proposalmput op: 2, peer_type:25, peer_index:1, vskid:0, seqno:86439, flag:10,
May 4 09:45:42 2017 172.31.110.173 /kernel: rts_commit_proposalmput op: 2, peer_type:7, peer_index:1, vskid:0, seqno:37792, flag:2,
May 4 09:45:42 2017 172.31.110.173 /kernel: rts_commit_proposalmput op: 2, peer_type:25, peer_index:1, vskid:0, seqno:86439, flag:9,
May 4 09:45:42 2017 172.31.110.173 /kernel: rts_commit_proposalmput op: 2, peer_type:23, peer_index:1, vskid:0, seqno:74245, flag:10,
May 4 09:45:42 2017 172.31.110.173 /kernel: rts_commit_proposalmput op: 2, peer_type:23, peer_index:0, vskid:0, seqno:74109, flag:10,
May 4 09:45:42 2017 172.31.110.173 /kernel: rts_commit_proposalmput op: 2, peer_type:25, peer_index:0, vskid:0, seqno:86974, flag:10,
May 4 09:45:42 2017 172.31.110.173 /kernel: rts_commit_proposalmput op: 2, peer_type:7, peer_index:1, vskid:0, seqno:37793, flag:2,

 

Bad news if you are trying to track down a log from yesterday.

Re: Troubleshooting error message


Hi

By any chance is this LX10?


This SFP LX10 is not qualified on EX4300.

Example


IC 2          REV 04   611-044925   MY3713480373      4x 1G/10G SFP/SFP+
    Xcvr 0       REV 01   740-011614   AC0804S00QL       SFP-LX10          <<< SFP module could be installed normally

May 31 12:48:08  EX43-73.206 pfex: [EX-BCM PIC] ex_bcm_pic_optics_periodic: Failed to read eeprom of Optic 3 of Pic 2
May 31 12:48:08  EX43-73.206 pfex: [EX-BCM PIC] ex_bcm_pic_periodic_raw: Error in Optic periodic functionfor pic slot 2
May 31 12:48:09  EX43-73.206 pfex: [EX-BCM PIC] ex_bcm_pic_optics_periodic: Failed to read eeprom of Optic 3 of Pic 2


Thanks

Partha

Logging to master..... EX4200


Good day.

 

My EX4200 was in a virtual chassis.

Then I disconnected it from the chassis.

Now I can't log in to this switch via console. It seems like some files are missing or something is unmounted, I don't know.

 

# df

Filesystem  512-blocks   Used Avail Capacity  Mounted on
/dev/da0s1a     374360 263888 80524    77%    /
devfs                2      2     0   100%    /dev
/dev/md0        140100 140100     0   100%    /packages/mnt/jbase

 

 

 

And when I try recovery mode, Juniper doesn't show me /root>

instead I see the following

 

Boot media /dev/da0 has dual root support
WARNING: JUNOS versions running on dual partitions are not same
** /dev/da0s2a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 14058 free (42 frags, 1752 blocks, 0.0% fragmentation)

Bottom (ttyu0)


login: root

Logging to master
...
Connection to master failed, enabling local login

Bottom (ttyu0)

login:
Bottom (ttyu0)

login: root

Logging to master

 

What is the trouble?

IPv6 on vme


Hi,

I have 2x EX4550 in a virtual chassis and a bunch of standalone EX4200 switches. I am trying to set up IPv6 on the vme interface of my VC. The configuration is very similar to what you would do for IPv4:

 

vme {
    unit 0 {
        family inet {
            address 10.10.1.61/16;
        }
        family inet6 {
            address <static-ipv6-address>/64;
        }
    }
}

 

A link-local address is generated, and the static IP is set. However, it does not seem to work. The local IP addresses are reachable from the switch itself, but the VC does not see any neighbors and neighbors don't see the VC. The IPv4 setup works fine. I also set up a static route, just like one would do for IPv4:

 

rib inet6.0 {
    static {
        route ::/0 next-hop <gateway-ipv6>;
    }
}

 

The route information seems to be correct:

 

> show route

::/0 *[Static/5] 21:17:39
  > to <gateway-ipv6> via vme.0
<ipv6-network-address>/64 *[Direct/0] 21:37:40
  > via vme.0

 

Everything is configured in exactly the same way as it is for IPv4, but it does not work. IPv4 works exactly as expected. When this IPv6 configuration is applied to an me0 interface on an EX4200 in standalone configuration, it works fine.

 

One more thing I noticed, the vme interface has the line:

 

> show interfaces vme

[..]

    Protocol inet6, MTU: 1500

    Max nh cache: 0, New hold nh limit: 0, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0

[..]

 

Whereas the regular me0 interface on an EX4200 standalone switch has

 

> show interfaces me0

[..]

    Protocol inet6, MTU: 1500

    Max nh cache: 75000, New hold nh limit: 75000, Curr nh cnt: 8, Curr new hold cnt: 1, NH drop cnt: 0

[..]

 

I understand the vme interface creates an abstraction of the individual me0 interfaces in the virtual chassis (through a management Vlan and a VIP?). Is it possible that this setup is only implemented for ipv4?


Re: IPv6 on vme


IPv6 on vme interface is not supported.


=====

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

Q-in-Q QFX 5100


I have been struggling with Q-in-Q on my QFX 5100 switches all day and, despite reading all the forum posts and KB articles I could find, was not able to find a complete configuration that would work for me on 14.1X53-D42.3. All seemed to be missing the complete S-VLAN interface.

 

Some of the resources I found are listed below.

 

http://www.netscreen-support.com/documentation/en_US/junos/topics/task/configuration/qinq-tunneling-qfx-series-dual-tag-rewrite-els.html

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/qinq-tunneling-qfx-series-els.html

https://eising.wordpress.com/2015/08/26/juniper-els-and-qinq/

 

I suspect something has changed as of the latest release, because nothing seemed to work and the example configs don't have the uplink configuration.

 

My setup is pretty simple, using some test switches with SVIs as the traffic initiators on either side of the Q-in-Q tunnel.

 

TestSW1 <-> QFX5100SW1 <-> QFX5100SW2 <-> TestSW2

 

QFX5100SW1

set interfaces ge-0/0/0 description "Connection to TestSW1"

set interfaces ge-0/0/0 flexible-vlan-tagging

# Native VLAN ID here refers to the customer's native VLAN

# Some documentation implies this is actually the VLAN ID that will be pushed onto the packet in a new DOT1Q header, but that is not the case
set interfaces ge-0/0/0 native-vlan-id 1

# Probably don't need jumbo frames, but I thought maybe the extra header might push it over 1500 bytes
set interfaces ge-0/0/0 mtu 9216
set interfaces ge-0/0/0 encapsulation extended-vlan-bridge

# What customer VLANs are allowed on the Q-in-Q tunnel

# For my purposes, whatever the customer wants to do is fine by me so I am accepting all VLANs
set interfaces ge-0/0/0 unit 100 vlan-id-list 1-4094

# This is the interesting bit, push VLAN ID 100 onto any frames received on this interface
set interfaces ge-0/0/0 unit 100 input-vlan-map push

# Without the line below nothing worked, I assume because the switch didn't know which VLAN to use for the outer tag
set interfaces ge-0/0/0 unit 100 input-vlan-map vlan-id 100

# Pop the outer VLAN off again before sending out frames with their original VLAN header (or not) intact
set interfaces ge-0/0/0 unit 100 output-vlan-map pop

 

# I have an AE interface configured, which I figure would be the norm for most people with QFX switches

set interfaces xe-0/0/44 ether-options 802.3ad ae46
set interfaces xe-0/0/45 ether-options 802.3ad ae46
set interfaces ae46 description "L2 interconnect"

# The line below is required or else you can't have a VLAN ID against a unit other than 0
set interfaces ae46 flexible-vlan-tagging
set interfaces ae46 mtu 9216

# I chose flexible-ethernet-services because you can still have a unit 0 with non S-VLANs as members (or so it seems to me)

# Note that this does mean that you have to specify the encapsulation for all units other than 0 and that 0 must be family ethernet switching (again as far as I can tell)
set interfaces ae46 encapsulation flexible-ethernet-services
set interfaces ae46 aggregated-ether-options link-speed 10g
set interfaces ae46 aggregated-ether-options lacp active
set interfaces ae46 aggregated-ether-options lacp periodic fast

# This is where I tell the switch that for unit 100 it should encapsulate as a vlan-bridge
set interfaces ae46 unit 100 encapsulation vlan-bridge
set interfaces ae46 unit 100 vlan-id 100

 

# The lines below initially confused me since there is no ID listed against the VLAN

# But it seems that JunOS with ELS generates the VLAN ID based on the unit number of the C-VLAN interface

# The purpose of these lines seems to be to stitch together the two logical interfaces to become a kind of switch

# I agree with EISING in his linked article that this is inelegant and shared some of his expletives at the lack of documentation from Juniper

set vlans TEC001_qinq_100 interface ge-0/0/0.100
set vlans TEC001_qinq_100 interface ae46.100

 

QFX5100SW2 (no comments as it is the same)

set interfaces ge-0/0/0 description "Connection to VasilySwitch"
set interfaces ge-0/0/0 flexible-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id 1
set interfaces ge-0/0/0 mtu 9216
set interfaces ge-0/0/0 encapsulation extended-vlan-bridge
set interfaces ge-0/0/0 unit 100 vlan-id-list 1-4094
set interfaces ge-0/0/0 unit 100 input-vlan-map push
set interfaces ge-0/0/0 unit 100 input-vlan-map vlan-id 100
set interfaces ge-0/0/0 unit 100 output-vlan-map pop

 

set interfaces xe-0/0/44 ether-options 802.3ad ae46
set interfaces xe-0/0/45 ether-options 802.3ad ae46

set interfaces ae46 description "L2 interconnect"
set interfaces ae46 flexible-vlan-tagging
set interfaces ae46 mtu 9216
set interfaces ae46 encapsulation flexible-ethernet-services
set interfaces ae46 aggregated-ether-options link-speed 10g
set interfaces ae46 aggregated-ether-options lacp active
set interfaces ae46 aggregated-ether-options lacp periodic fast
set interfaces ae46 unit 100 encapsulation vlan-bridge
set interfaces ae46 unit 100 vlan-id 100

 

set vlans TEC001_qinq_100 interface ge-0/0/0.100
set vlans TEC001_qinq_100 interface ae46.100

 

TestSW1

vlan 10
name CVLAN10
!
vlan 11
name CVLAN11

!

interface GigabitEthernet0/1
switchport mode trunk
switchport nonegotiate
spanning-tree bpdufilter enable
!
interface Vlan1
ip address 192.168.1.10 255.255.255.0
no ip route-cache
!
interface Vlan10
ip address 192.168.10.10 255.255.255.0
!
interface Vlan11
ip address 192.168.11.10 255.255.255.0
!

 

TestSW1#ping 192.168.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
TestSW1#ping 192.168.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
TestSW1#ping 192.168.11.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

 

 

TestSW2

vlan 10
name CVLAN10
!
vlan 11
name CVLAN11

!

interface GigabitEthernet0/1
switchport mode trunk
switchport nonegotiate
spanning-tree bpdufilter disable
!
interface Vlan1
ip address 192.168.1.20 255.255.255.0
no ip route-cache
!
interface Vlan10
ip address 192.168.10.20 255.255.255.0
!
interface Vlan11
ip address 192.168.11.20 255.255.255.0
!

 

 

TestSW2#ping 192.168.1.20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
TestSW2#ping 192.168.10.20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
TestSW2#ping 192.168.11.20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

 

 

Hopefully this helps someone else out with their Q-in-Q/QFX/ELS woes.
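As an added illustration of what the input-vlan-map push / output-vlan-map pop pair in the configuration above does to a frame on the wire, here is a small Python model of the tag operations. It is not code from the forum post or from Juniper; the MAC addresses and payload are constructed, and it assumes the outer S-tag uses the standard 802.1Q TPID 0x8100 (the "new DOT1Q header" the post refers to), so it does not model QFX platforms configured with a different tunnel ethertype.

```python
# Added example (not from the forum post or Juniper): byte-level model of the
# Q-in-Q push on ingress at QFX5100SW1 and pop on egress at QFX5100SW2.
import struct

TPID_8021Q = 0x8100  # assumption: the S-tag uses the 802.1Q TPID, like the C-tag
ETH_IPV4 = 0x0800


def build_frame(dst, src, vlan_ids, ethertype, payload):
    """Constructed sample frame: 6-byte MACs, zero or more 802.1Q tags (outermost first), ethertype, payload."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def vlan_tags(frame):
    """VLAN IDs carried by the frame, outermost first; PCP/DEI bits in the TCI are masked off."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def push_tag(frame, vid):
    """input-vlan-map push with vlan-id <vid>: insert a new outer tag right after the source MAC.

    Any existing C-tag is left in place and becomes the inner tag."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def pop_tag(frame):
    """output-vlan-map pop: strip the outermost tag; an untagged frame is returned unchanged."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def qinq_transit(customer_frame, s_vlan=100):
    """Carry a customer frame through the tunnel in the post.

    Returns (frame as seen on ae46 between the two QFXs, frame delivered to the far customer port)."""
    in_tunnel = push_tag(customer_frame, s_vlan)   # ge-0/0/0.100 ingress on QFX5100SW1
    delivered = pop_tag(in_tunnel)                 # ge-0/0/0.100 egress on QFX5100SW2
    return in_tunnel, delivered


if __name__ == "__main__":
    # Constructed locally administered MACs and payload; C-VLAN 10 as on TestSW1.
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    tagged = build_frame(dst, src, [10], ETH_IPV4, b"constructed payload")
    untagged = build_frame(dst, src, [], ETH_IPV4, b"constructed payload")
    for name, frame in (("C-VLAN 10", tagged), ("untagged (native)", untagged)):
        on_trunk, out = qinq_transit(frame)
        print(f"{name}: tags in tunnel {vlan_tags(on_trunk)}, delivered intact: {out == frame}")
```

The two sample frames show the behaviour the comments in the configuration describe: a C-VLAN 10 frame crosses ae46 with tags [100, 10] and arrives at TestSW2 with only its original tag, and an untagged frame from the customer's native VLAN is carried with just the S-tag and delivered untagged again. Both frames are byte-for-byte identical after the pop, which is the property that lets the customer's SVIs on VLAN 1, 10 and 11 ping across the tunnel.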
