Channel: All Ethernet Switching posts

EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS


I'm new to Juniper devices, so please tell me if I'm being an idiot. I'm trying to configure an EX4300 switch with an allowed-mac list to limit what devices can connect. This appeared to be quite straightforward according to these:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10866
http://www.juniper.net/documentation/en_US/junos10.2/topics/task/configuration/port-security-cli.html

 

However, ethernet-switching-options appears to have been deprecated (?) and replaced with switch-options, but there doesn't appear to be an allowed-mac equivalent.

 

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/getting-started-els.html#jd0e499

 

Having looked at this PDF:

 

http://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/ex4300/port-security.pdf

 

It appears that Chapter 6, Configuring MAC Limiting, doesn't reference configuring an allowed MAC list via the CLI, only via the J-Web interface. I don't have the luxury of the latter right now and so need to do this via the CLI.
Does anybody know how to do this via the CLI, or what the exported config should look like? Of course, maybe I've completely misinterpreted this, so feel free to flag that as well.

 

Any help would be appreciated.


Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS


Hello,

 

Page 95 of the same document shows the CLI procedure for the same.

 

You can search for "Configuring MAC Limiting (CLI Procedure)".

 

Regards,

 

Rushi

Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS

 
I have spent the last 4 hours searching for this configuration statement, and not only am I disappointed, I am angry at having to spend so much time trying to find an answer to this query. Unfortunately I don't have an ELS switch at my disposal, where I could use the help to find it. Here is some information I have found, but not the configuration needed or requested. So if you have access to a 4300, could you enable this feature and paste the CLI statements in your response, so others can see it? Also, Juniper needs to modify the document and add the specific CLI statement.
 
With MAC limiting, you limit the MAC addresses that can be learned on Layer 2 access interfaces by either limiting the number of MAC addresses or by specifying allowed MAC addresses.
• Specifying allowed MAC addresses—You configure the allowed MAC addresses for an interface. Any MAC address that is not in the list of configured addresses is not learned, and the switch logs an appropriate message. An allowed MAC address is bound to a VLAN so that the address is not registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.
Allowed MAC List: Specifies the MAC addresses that are allowed for the interface
MAC limiting is configured on Layer 2 interfaces
To add a MAC address:
1. Click Add.
2. Enter the MAC address.
3. Click OK

Page 95
NOTE: On a QFX Series Virtual Chassis, if you include the shutdown option at the
[edit vlans vlan-name switch-options interface interface-name interface-mac-limit packet-action]

hierarchy level and issue the commit operation, the system generates a commit error. The system does not
generate an error if you include the shutdown optionat the

[edit switch-options interface interface-name interface-mac-limit packet-action]

hierarchy level.

Page 96
[edit switch-options]
user@switch# set interface interface-name interface-mac-limit limit packet-action <action>
[edit vlans]
user@switch# set vlan-name switch-options mac-table-size limit packet-action <action>
drop|drop-and-log|log|none|shutdown |- recovery-timeout
page 100
[edit vlans vlan-name switch-options]
user@switch# set mac-move-limit limit
As an alternative to using persistent MAC learning with MAC limiting, you can statically configure each MAC address on each port or allow.
[edit switch-options]
user@switch# set interface interface-name persistent-learning
To enable MAC limiting on one or more interfaces using the J-Web interface:
1. Select Configure>Security>Port Security.
2. Select one or more interfaces from the Interface List.
3. Click the Edit button. If a message appears asking whether you want to enable port security, click Yes.
...
To add allowed MAC addresses:
1. Click Add.
2. Type the allowed MAC address and click OK.
Repeat this step to add more allowed MAC addresses.
6. Click OK when you have finished setting MAC limits.
7. Click OK after the configuration has been successfully delivered.
 
ALL KINDS OF CLI STATEMENTS FOUND EXCEPT "ALLOWED MAC ADDRESS" Statement!!!

Re: EX4200 running 15.1R5.5 unable to install J-web due to low free space


@adisor19 - 

Do you have this package you could send to me? I cannot find Application package 15.1A3 anywhere on the Juniper site, just Application package 15.1R46, which will not install on my EX4200 switches.

 

 

Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS


Hello All,

 

Can you try something like this?

 

set vlans [vlan-name] switch-options interface [interface-name] interface-mac-limit 2
set vlans [vlan-name] switch-options interface [interface-name] interface-mac-limit packet-action drop-and-log
set vlans [vlan-name] switch-options interface [interface-name] static-mac <mac-address>
set vlans [vlan-name] switch-options interface [interface-name] static-mac <mac-address>

 

Regards,

 

Rushi

How to configure VLAN-class-map and Rewrite input and Output Queuing on EX4550.


Hello Support.

 

I would like to do the following configuration on an EX4550 connected to a Catalyst switch.

[topology]

(VLAN10) ge-0/0/1--EX4550--ge-0/0/10---(Trunk)---Gi1/0/10--Cat3850--Gi1/0/1(VLAN10)

(VLAN20) ge-0/0/2--                                                                                 Gi1/0/2(VLAN20)

 

The Cisco Catalyst switch can do the following features, but for the EX4550 it is unknown.

So I would appreciate it if you could let me know how to configure the following features.

 

1. VLAN-Classification (Input)

2. Rewrite base on VLAN-id to CoS (Input)

3. Queuing based on bandwidth ratio (Output)

 

The Cisco configuration is as follows; I would like to do the equivalent on the EX4550.

 

##### VLAN-Classification and Rewrite #####

 

class-map match-any VLAN_20
 match vlan  20
class-map match-any VLAN_10
 match vlan  10
policy-map VLAN-MARKING
 class VLAN_20
  set cos 2
 class VLAN_10
  set cos 1
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 service-policy input VLAN-MARKING
!
interface GigabitEthernet1/0/2
 switchport access vlan 20
 switchport mode access
 service-policy input VLAN-MARKING

 

##### Queuing based on CoS Value #####

 

class-map match-any COS2
 match cos  2
class-map match-any COS1
 match cos  1
!
policy-map QOS
 class COS1
  bandwidth percent 70
 class COS2
  bandwidth percent 30
!
interface GigabitEthernet1/0/10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 service-policy output QOS

 

###################################

 

Best Regard,

 

Masanobu Hiyoshi

 

 

 

Re: EX4300 Port Security - MAC Limiting (Allowed MAC) & ELS


Hi lyndidon,
Thanks for proving I'm not going mad and for putting in those 4 hrs of effort trying to find these commands, which is above and beyond what I expected.

So I managed to obtain a spare EX4300 with no config and enabled J-Web as suggested, added in some allowed MAC addresses and then dumped the config via the CLI. So the main entries, as far as I can see, are as follows:


interfaces {
ge-0/0/1 {
apply-macro juniper-port-profile {
Desktop;
}
ether-options {
source-address-filter {
<mac address1>;
<mac address2>;
}
}
}
}

..............

switch-options {
interface ge-0/0/1.0 {
interface-mac-limit {
2;
packet-action drop;
}
}
}

I already had entries in the switch-options for interface-mac-limit, but the ether-options / source-address-filter was new to me and, to be honest, I haven't had time to properly research them yet. As I'm trying to use groups to


groups {
banana-user-access {
interfaces {
<ge-0/0/*> {
ether-options {
source-address-filter {
<mac address1>;
<mac address2>;
etc .....

-------

interfaces {
interface-range access_ports {
member-range ge-0/0/0 to ge-0/0/48;
}
ge-0/0/0 {
apply-groups banana-user-access;
}
ge-0/0/1 {
apply-groups banana-user-access;
}
etc .....

-------

switch-options {
interface ge-0/0/0.0 {
interface-mac-limit {
55;
}
}
interface ge-0/0/1.0 {
interface-mac-limit {
55;
}
}
etc .....

-------


I committed the above config and it was successfully loaded. However, upon testing, the MAC I didn't configure was still allowed to access the network.

I'm therefore not sure if:

1. It can be configured and applied in a group statement.
2. I have missed some other configuration that is needed.
3. I didn't drop any caches before the commit/testing so there is a chance the mac might still be cached?
4. Is <ge-0/0/*> a valid way to wildcard a range of interfaces (this is an inherited config)? I have used wildcard range to successfully set the switch-options, but not with an * within the interface settings using the set command. I assume it must be valid or it wouldn't have committed?

For your awareness, I've inherited this config and therefore I'm slightly hesitant to change it too much, as until today I haven't had physical access to the switches, just remote, and they are live providing a service to a project.

Rtllak, as these are live switches I have to perform testing OOH, or I will need to use the spare EX4300 to create a test environment for this. This will probably take some time, but I will try the example you gave as soon as I can.

As lyndidon has stated, it would be good for Juniper to update their documentation to show how this can be done from the CLI.
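To make the two stanzas in the J-Web dump above easier to reproduce and audit, here is an added example (not from the original post, and not Juniper's own tooling) that generates flat, per-port `set` statements from an allowed-MAC inventory and then checks a list of access ports for the two controls the dump shows: `ether-options source-address-filter` on the physical interface and `interface-mac-limit` under `switch-options` for the logical unit. The interface names and the locally administered MAC addresses are constructed sample data; the `limit` default (one slot per allowed MAC) and the `packet-action` default are choices made here, not values from the post.

```python
"""Generate and audit Junos EX (ELS) per-port MAC restrictions.

Added example, not from the post or from Juniper. It emits the same two stanzas
the poster dumped from J-Web, in 'set' form, and audits a set-format config for
access ports that lack either control.
"""
import re

# Constructed inventory: physical port -> allowed MACs, in mixed notations
ALLOWED = {
    "ge-0/0/1": ["02:00:5e:00:00:01", "02-00-5E-00-00-02"],
    "ge-0/0/2": ["0200.5e00.0003"],
}

FILTER_RE = re.compile(r"^set interfaces (\S+) ether-options source-address-filter (\S+)$")
LIMIT_RE = re.compile(r"^set switch-options interface (\S+)\.\d+ interface-mac-limit (\d+)$")


def normalise_mac(mac):
    """Accept colon, dash or Cisco dotted notation; return lowercase colon form."""
    hexdigits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def port_security_commands(allowed, packet_action="drop", limit=None):
    """Return 'set' statements for every port in the inventory.

    The learned-MAC cap defaults to the number of allowed MACs so that the
    limit and the filter list agree; pass limit= to override (assumption).
    """
    cmds = []
    for ifname in sorted(allowed):
        macs = sorted({normalise_mac(m) for m in allowed[ifname]})
        if not macs:
            raise ValueError(f"{ifname}: an empty allowed list would block every host")
        for mac in macs:
            cmds.append(f"set interfaces {ifname} ether-options source-address-filter {mac}")
        cap = limit if limit is not None else len(macs)
        cmds.append(f"set switch-options interface {ifname}.0 interface-mac-limit {cap}")
        cmds.append(
            f"set switch-options interface {ifname}.0 interface-mac-limit packet-action {packet_action}"
        )
    return cmds


def audit(commands, access_ports):
    """List access ports missing a filter, missing a limit, or with a limit
    smaller than the number of allowed MACs (which would starve legitimate hosts)."""
    filters, limits = {}, {}
    for cmd in commands:
        if m := FILTER_RE.match(cmd):
            filters.setdefault(m.group(1), set()).add(m.group(2))
        elif m := LIMIT_RE.match(cmd):
            limits[m.group(1)] = int(m.group(2))
    findings = []
    for port in access_ports:
        macs = filters.get(port)
        if not macs:
            findings.append(f"{port}: no source-address-filter")
        if port not in limits:
            findings.append(f"{port}: no interface-mac-limit")
        elif macs and limits[port] < len(macs):
            findings.append(
                f"{port}: interface-mac-limit {limits[port]} is below the {len(macs)} allowed MACs"
            )
    return findings


if __name__ == "__main__":
    generated = port_security_commands(ALLOWED)
    print("\n".join(generated))
    # ge-0/0/3 is deliberately absent from the inventory to show the audit output
    for finding in audit(generated, ["ge-0/0/1", "ge-0/0/2", "ge-0/0/3"]):
        print("FINDING:", finding)
```

Running the audit against a `show configuration | display set` export (rather than the generated list) is the useful direction: it makes a gap such as a port that only has the limit, or only the filter, visible as a finding rather than something to spot by eye in the braces-style output.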

Re: vQFX on VMware Fusion - RE won't boot


I agree the image size looks suspicious, and for me it does not boot at all.


SNMP ex9200


Hi,

 

I use PRTG to monitor SNMP devices (Juniper EX). For the EX2200 and EX3300 I don't face any problem: just setting the SNMPv2 community, auth and clients, PRTG can query the SNMP interface bandwidth/traffic. But when I set it up on the EX9200 it shows the error "No available interfaces on this device snmp", although I can query SNMP uptime on the EX9200. Is there some config missing?

 

Model: ex9208
Junos: 14.2R7.5

 

[ SNMP ]

contact xxx4;

view RESTRICTED {
    oid .1 include;
}
view all {
    oid .1;
}
view interfaces {
    oid 1.3.6.1.2.1.2 include;
}
community xxx3 {
    authorization read-only;
}
community xxx1 {
    view interfaces;
    authorization read-only;
    clients {
        172.16.30.26/32;
        172.16.30.76/32;
    }
}
community xxx2 {
    authorization read-only;
    clients {
        172.17.3.26/32;
    }
}
trap-group snmp_traps_srv {
    targets {
        172.16.30.26;
    }
}

[SNMP]
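Since the community in question is bound to a view, it helps to be able to answer "can this poller, with this community, read this OID?" without trial and error against the box. The following is an added example (not from the post and not Junos code): it parses the brace-style view/community stanza in the same format as the post and evaluates a request the way an SNMP view ACL does, client list first, then the longest matching subtree entry of the view. The community names and client addresses are the redacted placeholders from the post; the OIDs are standard IF-MIB and SNMPv2-MIB objects. Two assumptions are labelled in the code: `include` is the default when an `oid` line has no keyword, and a community with no `view` statement is treated as able to read the whole MIB.

```python
"""Model of how an SNMP view and community stanza gates OID access.

Added example for this thread, not from the post or from Junos. It parses the
stanza format the post shows and evaluates read requests against it.
"""
import ipaddress

# Constructed sample: the views and the two communities from the post
SAMPLE_CONFIG = """
view all {
    oid .1;
}
view interfaces {
    oid 1.3.6.1.2.1.2 include;
}
community xxx1 {
    view interfaces;
    authorization read-only;
    clients {
        172.16.30.26/32;
        172.16.30.76/32;
    }
}
community xxx2 {
    authorization read-only;
    clients {
        172.17.3.26/32;
    }
}
"""


def oid_tuple(oid):
    """'.1.3.6' or '1.3.6' -> (1, 3, 6)."""
    return tuple(int(x) for x in oid.strip().strip(".").split("."))


def parse_snmp(text):
    """Return ({view: [(prefix, included)]}, {community: {'view', 'clients'}})."""
    views, communities, stack = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            head = stack[0].split()
            if head[0] == "view":
                views.setdefault(head[1], [])
            elif head[0] == "community":
                communities.setdefault(head[1], {"view": None, "clients": []})
            continue
        if line == "}":
            stack.pop()
            continue
        if not stack:
            continue  # top-level statements such as 'contact' are irrelevant here
        words = line.rstrip(";").split()
        kind, name = stack[0].split()[:2]
        if kind == "view" and words[0] == "oid":
            included = len(words) < 3 or words[2] == "include"  # assumption: include is default
            views[name].append((oid_tuple(words[1]), included))
        elif kind == "community":
            if len(stack) == 2 and stack[1] == "clients":
                communities[name]["clients"].append(ipaddress.ip_network(words[0]))
            elif words[0] == "view":
                communities[name]["view"] = words[1]
    return views, communities


def can_read(views, communities, community, client, oid):
    """Client ACL first, then the view's longest matching subtree decides."""
    comm = communities.get(community)
    if comm is None:
        return False
    addr = ipaddress.ip_address(client)
    if comm["clients"] and not any(addr in net for net in comm["clients"]):
        return False
    if comm["view"] is None:
        return True  # assumption: no view configured means the whole MIB is readable
    target = oid_tuple(oid)
    best = None
    for prefix, included in views.get(comm["view"], []):
        if target[: len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
            best = (prefix, included)
    return best is not None and best[1]


def demo():
    """Probe the sample stanza with ifTable, ifXTable and sysUpTime objects."""
    views, communities = parse_snmp(SAMPLE_CONFIG)
    poller = "172.16.30.26"
    return {
        "xxx1 ifDescr.1 from poller": can_read(views, communities, "xxx1", poller, "1.3.6.1.2.1.2.2.1.2.1"),
        "xxx1 ifHCInOctets.1 from poller": can_read(views, communities, "xxx1", poller, "1.3.6.1.2.1.31.1.1.1.6.1"),
        "xxx1 sysUpTime from poller": can_read(views, communities, "xxx1", poller, "1.3.6.1.2.1.1.3.0"),
        "xxx1 ifDescr.1 from other host": can_read(views, communities, "xxx1", "10.0.0.5", "1.3.6.1.2.1.2.2.1.2.1"),
        "xxx2 sysUpTime": can_read(views, communities, "xxx2", "172.17.3.26", "1.3.6.1.2.1.1.3.0"),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'allowed' if ok else 'denied'}")
```

The point the probe makes: a view of `1.3.6.1.2.1.2` covers ifTable only. Objects under `1.3.6.1.2.1.31` (ifXTable, where the 64-bit `ifHC*` counters live) and under `1.3.6.1.2.1.1` (system group) are outside that subtree, so a community bound to this view is refused for them whatever the client list says; the same poller using a community without a view (`xxx2` here) is not. That is the least-privilege trade-off a restricted view buys, and this kind of offline check shows exactly which objects a poller's community can and cannot reach.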


Creating Virtual Chassis with EX3400's


Hi All,

 

I'm very new to Juniper and need assistance trying to create a VC with EX3400's. I've searched the Knowledge Base and it seems that the setup is sometimes version specific and model specific. I've had trouble finding all the data I need and I'd be appreciative if someone could give me more info. I'm coming from an Enterasys shop where no commands are necessary in the CLI beforehand: just power down, attach cables, and power up. I'm finding the Juniper switches much more favorable.... except for this one thing!

 

I have used the following in Member 0 of a closet with 5 switches that I want to stack together.

set virtual-chassis member 0 mastership-priority 255

set virtual-chassis member 1 mastership-priority 255

 

When I attempted this, upon powering up Member 1, Member 0 lost connectivity and the only lights on the front were SYS and SPD. Member 1 appeared to become the backup, as it had the SYS LED, SPD, and flashing green MST, eventually going solid green. Consoling in to Member 0 showed it to be a linecard, and consoling in to Member 1 showed it to be "Master 1"; running

show virtual-chassis

returned that it was the only switch in the VC. It did not see member 0 at all.

 

Previous to that attempt, I used the pre-provisioned method, listed the SN of all 5 switches and made member 0 and member 1 routing-engines and the remaining 3 linecards. This also resulted in disaster. I powered on Member 0 and all was fine; upon powering on the remaining switches (with cables already connected) no switch (including member 0 now) had any lights except SYS and SPD. None were a Master; all showed as being a linecard.

As downtime was limited, in both instances I restored to factory default and configured each individually with trunks between.

 

Am I missing a command? Do all switches need to be set at factory defaults with no configuration, except for Member 0, of course? Do switches being added need to be powered on or off when cables are connected? All switches are on the same firmware version (15.1X53-D51). Four are EX3400-48 and one is an EX3400-24. I used a ring topology using the VC ports on the rear of the device.

 

There is a lot of documentation that specifically lists the 4200, 4500, 8200, etc. but very little that specifically names the EX3400.  Is it done differently on the 3400?  Any help would be appreciated.

RSTP implementation question


First time poster; I apologize if I am in the wrong place. I also inherited the configuration of this network... so be gentle.

 

I currently have 5 sites which are connected with an L2 service from our provider. We use a single VLAN (the default one, with the ID changed to 1000) which spans all 5 routers. The VLAN has an L3 interface bound to it, all in the same address space.

 

I recently discovered that we have a single RSTP instance, with one of the routers obviously serving as the root bridge. This is not what the previous administrator believed was happening, but it is unfortunately so. I would like to make it so that the core router at each site is the root bridge for that site, and also that we aren't spamming BPDUs on our WAN connection. I understand STP fairly well, but I am not sure of the effect of having that VLAN in each of these sites.

 

Can I just disable RSTP on each of the interfaces that connect the sites, and set the local router to have a bridge priority of 0?

 

We are running EX4600's (as the routers) at 2 of the sites, and EX4200's for the routers at the other 3.

 

I don't need any specific configuration help; I am just asking more as a general information question. Is there any way to make each of these sites its own RSTP instance with the same VLAN at all 5 sites?

 

Thanks for any help you guys are willing to give.


Re: RSTP implementation question


Hello,

 

Theoretically it would be possible. You can have separate RSTP at each site with its own root bridge.

You might disable RSTP, enable IGMP snooping, disable PVST etc. on links facing the provider devices.

However, you would need to take great precautions, as any loop has the potential to affect multiple sites.

 

Note:- I have not seen anybody doing this though.

 

Regards,

 

Rushi

Re: RSTP implementation question

  Please view in a fixed-width font such as Courier.

+---------+           +---------+          +---------+
|         |           |         |          |         |
|         |           |         |          |         |
|   1     |           |   2     |          |   3     |
|         |           |         |          |         |
+-------+-+           +----+----+          +----+----+
        |                  |                    |
        |                  |                    |
        |                  |                    |
      --+----+-------------+---------+----------+------
             |                       |
             |                       |
             |                       |
             |                       |
        +----+----+               +--+------+
        |         |               |         |
        |   4     |               |   5     |
        |         |               |         |
        |         |               |         |
        +---------+               +---------+

As per my understanding, this is the connectivity. If RSTP is enabled in all the switches, it is expected for 1 box to act as root.

 

Now, what are you trying to achieve by disabling RSTP?



Re: DHCP-Relay + firewall on interface


Thanks for thinking with me!

 

The subnet is a public hosting network. The filters (in + out) are in place to protect the subnet from the internet.

As soon as the IN filter is applied, the DHCP request packet no longer reaches the relay agent and DHCP stops working.

 

The term is being hit:

Counters:
Name                                                Bytes              Packets
dhcprequests                                         4920                   15

 

Is there any way to force a packet to be sent to the RE instead of being forwarded in the PFE?

Re: RSTP implementation question


Is your intention to keep all the sites in the same VLAN and broadcast domain?

 

If so, then some version of spanning tree is advisable for loop prevention across the entire domain, and your current issue with STP traffic will not really change.

 

Is your L2 service an eLAN that connects all the sites in the same service?

Or a series of eLine point-to-point services that connect only two sites at a time per service?

 

For user locations:

Generally, we recommend using the provider L2 service as a link between L3 devices at each site, and having local sites in their own broadcast domain.

 

With an eLAN you would have a single IP subnet with an L3 address at each site and full-mesh peering for your OSPF or BGP route distribution (or use static routes).

 

With the eLine you have a /31 between the two sites and neighbor relationships on each of these links.

 

For Data Center Interconnect:

Here there is a need to bridge VLANs and broadcast domains between sites. We generally recommend a transparent service that is used as a trunk port between the two sites. The devices on each side can then control which VLANs are shared between the DCs, and generally use MSTP per VLAN.

Re: Install Software from ftp as "non root"


Exactly. Even if I go to the shell and cd to /var/tmp, it still copies to /home/user before moving this internally to /var/tmp.

Only root is able to move directly to /var/tmp, it seems.

 

Re: Creating Virtual Chassis with EX3400's


I suspect, based on your description, that perhaps not all of the setup for your pre-provisioned VC was removed before you did this new setup, leading to the inconsistent results.

 

The other item to be aware of is that you should set the priority lower on member 1, assuming you want to keep mastership on member 0 unless there is a failure. By setting them the same you no longer fully control the election process.

 

At this point, I would suggest resetting to factory default to start the process again.

request system zeroize

 

If that is not feasible, you are probably best to open an official JTAC ticket so an engineer can do a deep dive on the configs and guide you to a less service-affecting transition.
