Channel: All Ethernet Switching posts
Viewing all 10307 articles

Re: Hyper-V DUP! Ping

Hello,

Are You sure You are NOT pinging the broadcast IP? DUP! happens when a subnet broadcast IP, such as 192.168.0.255 for 182.168.0.0/24 subnet, is pinged.

Assuming You are not pinging broadcast IP, then I'd suggest to establish first whether the DUP! really means two Echo reply packets, or this is a display issue.

If You do Your pinging from the switch with "detail" knob, You'd see the incoming interface into which the reply arrives:

regress@labrouter> ping 10.254.55.2 detail
PING 10.254.55.2 (10.254.55.2): 56 data bytes
64 bytes from 10.254.55.2 via ae0.577: icmp_seq=0 ttl=64 time=11.081 ms
^C
--- 10.254.55.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 11.081/11.081/11.081/0.000 ms

If You see two different "VIA" interfaces, then there is either a packet duplication or a loop in Your network.

Then You can capture the packets with "monitor traffic interface <blah> size 9999 extensive protocol icmp" and see what MAC/TTL/other fields are in there to arrive at conclusions.

If You see the same "VIA" interface for the 1st and 2nd packet then there is a packet duplication somewhere between the switch You are pinging from and the ping destination.

HTH

Thx

Alex


A QinQ problem with QFX5100

Hello,

I have a mixed VC (QFX5100 and 3500) with 14.1X53-D40.8. There's an interface that encapsulates C-VLANs into S-VLAN:

set interfaces ae31 flexible-vlan-tagging 
set interfaces ae31 mtu 9216 
set interfaces ae31 encapsulation extended-vlan-bridge
set interfaces ae31 unit 3174 vlan-id-list 21-22
set interfaces ae31 unit 3174 input-vlan-map push
set interfaces ae31 unit 3174 input-vlan-map vlan-id 3174
set interfaces ae31 unit 3174 output-vlan-map pop

And on the other side the S-VLAN 3174 just goes out:

set interfaces ae0 flexible-vlan-tagging
set interfaces ae0 mtu 9216
set interfaces ae0 encapsulation extended-vlan-bridge
set interfaces ae0 unit 3174 vlan-id 3174

And S-VLAN configured like this:

set vlans sv3174-qinq interface ae0.3174
set vlans sv3174-qinq interface ae31.3174

At this point everything works fine, but if I create a VLAN with the same ID as a C-VLAN (21 or 22):

set vlans v21-user vlan-id 21

the traffic in the C-VLAN 21 stops.

What's wrong with it and how can I fix it?

Kind regards.

Re: Evaluation Upgrade EX2300-C to EX2300 or EX3400 or EX4300

This is really a question you should be asking your local partner and/or Juniper rep, but if it was me, I would recommend going with the EX3400 option and then daisy chain the EX2300-C off of it. Yes now 2 switches to manage, but not sure how often you would make changes to the EX2300-C in the first place.

Just my 2 cents.

Re: ip-source-guard/dhcp security blocking lease renewals

I understand what dhcp-snooping, source-guard, DAI should do as we've been doing it with our Cisco gear for years. The problem I'm running into is that even when the dhcp snooping database is built, I still see DAI failures on my voice vlan.  It just is not working like it should.  For example, here is the snooping binding:

 

cscott@ermag# run show dhcp-security binding
IP address      MAC address         Vlan    Expires  State  Interface
10.183.19.10    0c:85:25:3f:84:89   voice   947      BOUND  ge-0/0/36.0
10.183.19.40    00:cc:fc:40:57:d0   voice   962      BOUND  ge-0/0/23.0

 

but we can still see DAI failures:

May 16 11:23:44 ermag fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/36.0 [index 596], vlan-id 4000, sender ip/mac 10.183.15.10/0c:85:25:3f:84:89, receiver ip/mac 10.183.15.1/00:00:00:00:00:00
May 16 11:23:46 ermag fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/36.0 [index 596], vlan-id 4000, sender ip/mac 10.183.19.10/0c:85:25:3f:84:89, receiver ip/mac 10.183.19.10/00:00:00:00:00:00
May 16 11:23:46 ermag fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/36.0 [index 596], vlan-id 4000, sender ip/mac 10.183.19.10/0c:85:25:3f:84:89, receiver ip/mac 10.183.19.1/00:00:00:00:00:00
May 16 11:24:01 ermag fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/23.0 [index 583], vlan-id 4000, sender ip/mac 10.183.19.40/00:cc:fc:40:57:d0, receiver ip/mac 10.183.19.40/00:00:00:00:00:00

Re: ip-source-guard/dhcp security blocking lease renewals

Which product and with what code release, please?

Re: ip-source-guard/dhcp security blocking lease renewals

ex4300

code version 17.1R1.8

 

I've gotten conflicting reports about doing source guard on both vlans. I'm ok with just doing DAI on voice vlan for now. I know that with version 17 just turning on dhcp-security on a vlan is enough to protect against rogue dhcp (saw it in a doc somewhere), but would like to run all of this at some point if possible.

Re: ip-source-guard/dhcp security blocking lease renewals

Also, the switch doesn't seem to pick up on the phones renewing their leases on the t1 timer (sometimes not even t2 timers). Lease comes close to expiring or does and the client has to rebind, resulting in a loss of connectivity.

Re: ip-source-guard/dhcp security blocking lease renewals

Does having the dhcp relay configured on the same switch matter?


How to Begin Troubleshooting Slow Network Issues

Greetings,

 

Although I've been working in IT and with networking for 10 years, I'm still fairly new to the world of switching and routing.  Our network has grown to the point that it's about a mid size network with 200+ computers, devices, APs, switches, and so on.  We use EX2200s on most of our access layer switches and a Cisco SG300 for our core switch.  What we're running into is a situation where we are trying to run a backup on a group of computers and we think it's a network topology or some other related issue.  e.g. I have tested the backup times by connecting a computer directly to the backup server with no switches in between and the backup takes 2 hours.  If we run the backup from another computer across the network over copper and fiber and 4 intermediate switches (some fairly cheap ones as well as an EX2200), with approximately similar hardware it takes almost 5 hours.

 

I'm not asking anyone to figure this out for us, but I just don't know where to start, and I'm not even sure of the right questions to ask.  Is this a VLAN issue?  Is it STP related?  Is it a topology thing?  We don't have any redundant connections that we know of that would cause loops.  Is there some way to trace the route of packets across the network so we can see how a packet is routing?  Also, our EX2200s are configured with some basic VLANs, and that's about it.  Our network is fairly plain vanilla and VLAN traffic goes over our router and that's it.

 

Thanks for any insights,

AV

Re: How to Begin Troubleshooting Slow Network Issues

I've been in networking now for 38 years and I have found that 'slow network performance' is 99.9% related to packet loss/drops. Somewhere in your path packets are being dropped, maybe via congestion or something similar. Or bad HW, etc.

1st step is probably to look at the stats of the switches to see if they show any errors, dropped packets, etc. You could also look at the traffic via packet capture. Look at it via port mirror to an analyzer. Then you need to read the capture(s) along the path.

Maybe easier said than done. Hopefully stats show you something.

Re: ip-source-guard/dhcp security blocking lease renewals

Seeing the behavior on ex3400 hundred as well. Binding is in the table. DAI still dropping things.

 

May 17 09:54:00 2250-ex3400 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/36.0 [index 594], vlan-id 36, sender ip/mac 10.4.143.139/ac:87:a3:38:23:5b, receiver ip/mac 10.4.143.139/00:00:00:00:00:00
May 17 09:54:00 2250-ex3400 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/36.0 [index 594], vlan-id 36, sender ip/mac 10.4.143.139/ac:87:a3:38:23:5b, receiver ip/mac 10.4.143.139/00:00:00:00:00:00

 

cscott@2250-ex3400# run show dhcp-security binding
IP address      MAC address         Vlan     Expires  State  Interface
10.4.143.139    ac:87:a3:38:23:5b   student  617      BOUND  ge-0/0/36.0

 

Switch never snoops the unicast renewals, only the broadcasts, so lease expires almost every time. Does it matter that relay agent is on same switch? If this is how the feature works, I don't see how it is usable in production.
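
Both the ermag post and the 2250-ex3400 post put DAI FAILED lines next to a binding table. One way to check each dropped ARP against the bindings, as an added example (not part of the original posts and not Juniper tooling): it uses the ermag rows and log lines quoted earlier in the thread, and the function and verdict names are made up for this example.

```python
import re

# Rows and log lines copied from the ermag output quoted earlier in the thread.
BINDINGS = """\
10.183.19.10 0c:85:25:3f:84:89 voice 947 BOUND ge-0/0/36.0
10.183.19.40 00:cc:fc:40:57:d0 voice 962 BOUND ge-0/0/23.0
"""
LOGS = """\
May 16 11:23:44 ermag fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/36.0 [index 596], vlan-id 4000, sender ip/mac 10.183.15.10/0c:85:25:3f:84:89, receiver ip/mac 10.183.15.1/00:00:00:00:00:00
May 16 11:23:46 ermag fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/36.0 [index 596], vlan-id 4000, sender ip/mac 10.183.19.10/0c:85:25:3f:84:89, receiver ip/mac 10.183.19.10/00:00:00:00:00:00
May 16 11:23:46 ermag fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/36.0 [index 596], vlan-id 4000, sender ip/mac 10.183.19.10/0c:85:25:3f:84:89, receiver ip/mac 10.183.19.1/00:00:00:00:00:00
May 16 11:24:01 ermag fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/23.0 [index 583], vlan-id 4000, sender ip/mac 10.183.19.40/00:cc:fc:40:57:d0, receiver ip/mac 10.183.19.40/00:00:00:00:00:00
"""

LOG_RE = re.compile(
    r"DAI FAILED: ARP \w+ received, interface (?P<ifname>\S+) \[index \d+\], "
    r"vlan-id \d+, sender ip/mac (?P<sip>[\d.]+)/(?P<smac>[0-9a-f:]+), "
    r"receiver ip/mac (?P<tip>[\d.]+)/[0-9a-f:]+")

def parse_bindings(text):
    """Map MAC -> (ip, interface) for BOUND rows of 'show dhcp-security binding'."""
    table = {}
    for row in text.splitlines():
        ip, mac, _vlan, _expires, state, ifname = row.split()
        if state == "BOUND":
            table[mac.lower()] = (ip, ifname)
    return table

def classify(line, table):
    """Compare one DAI FAILED line with the binding held for its sender MAC."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    bound = table.get(m["smac"])
    if bound is None:
        verdict = "no-binding"            # nothing snooped for this MAC
    elif bound[1] != m["ifname"]:
        verdict = "interface-mismatch"    # MAC was learned on another port
    elif bound[0] != m["sip"]:
        verdict = "ip-mismatch"           # sender IP differs from the lease
    else:
        verdict = "matches-binding"       # drop not explained by the table
    return {"sender": m["sip"], "mac": m["smac"], "verdict": verdict,
            "self_targeted": m["sip"] == m["tip"]}  # ARP for its own address

def triage(logs=LOGS, bindings=BINDINGS):
    table = parse_bindings(bindings)
    return [r for r in (classify(l, table) for l in logs.splitlines()) if r]

print(*triage(), sep="\n")
```

On the quoted data only the first line has a sender IP (10.183.15.10) that differs from the lease for that MAC; the other three match the binding in IP, MAC and interface, and two of those are ARP requests for the sender's own address.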

 

 

Re: ip-source-guard/dhcp security blocking lease renewals

Same behavior on EX3400 is likely as similar implementation I believe.  Do you have a TAC case number open for this?

 

I do not believe relay-agent on switch, that is switch having L3, or external, switch pure L2, should matter.

Re: ip-source-guard/dhcp security blocking lease renewals

I do, the case number is 2017-0516-0819

Actually the second one I've opened about this. Didn't really get anywhere with the first one and gave up. I can't really find someone who knows this feature inside and out and can't really find in-depth docs.

I just can't get this to work right. I've also reiterated to our account people (we are a new customer) how important this feature is for us to be able to use Juniper switches everywhere in our environment to the point that it is a deal breaker in some scenarios.

I added "allow-snooped-clients" under forwarding-options dhcp-relay overrides on the 3400 and it seemed to help but I can't replicate this on the 4300.

Re: How to Begin Troubleshooting Slow Network Issues

As already stated I would look for errors on both sides of the link, Cisco and Juniper. If the uplink is a dot1q trunk make sure you turn off dtp and switch port negotiation on the cisco side. I've seen interface errors from not doing this.

After that look for obvious errors via Wireshark on whatever host is having the problems.

You can manually trace the path of things if you need to by looking at routing and mac address tables.

Also, listen to 

Re: 4300 J-web logon immediate session expire

I know this is a long dead thread, but just in case anyone stumbles across it like I just did here's the fix that worked for me.

I found KB30618 which outlines updating file permissions that may have broken after a zeroize. As soon as I updated the /jail/var/tmp file with the correct permissions I was able to login.

And just in case the KB disappears:

Change the file access permissions for /jail/var/tmp as follows:

root@host:RE:0% cd /jail/var
root@host:RE:0% ls -lrt
total 12
drwxrwxrwx 2 root wheel 512 Oct 6 21:04 run
drwxrwxrwx 2 root wheel 512 Oct 8 01:42 etc
drwxrwxrwt 3 root wheel 512 Oct 8 20:17 tmp
root@host:RE:0% chmod 777 tmp
root@host:RE:0% ls -lrt
total 12
drwxrwxrwx 2 root wheel 512 Oct 6 21:04 run
drwxrwxrwx 2 root wheel 512 Oct 8 01:42 etc
drwxrwxrwx 3 root wheel 512 Oct 8 20:17 tmp

Re: How to Begin Troubleshooting Slow Network Issues

Thanks for your response.  I did discover that my router is dropping packets when we're up around 1 Gbps, and it confuses me that packets are being routed when they're not crossing VLANs.  Do you have any ideas why that would be?  The router is Vyatta based.  But not sure sharing configs now would help.

Re: A QinQ problem with QFX5100

Hello,

Are there any suggestions?

Am I the only one who experienced a problem like this?

Kind regards.

Unable to open J-Web in EX-3200

Dear All,

I want to access the switch through Web. But I am unable to do it. I have been configured through ezsetup, I configured the http port 80 in ge-o/o/o.o port. But no positive result. At the same time I am able to access telnet and it is working. But unable to open in web.

Re: Unable to open J-Web in EX-3200

Storm Control Config SRX

Hi all

I am unable to find and config storm control feature in SRX 240/210. If anyone can help me in this regard, like the feature available in EX series switches:
set ethernet-switching options storm-control interface....