I will be sure to do so. Thanks!
Believe me, it blew my mind when I saw what we were doing. I'm trying to work within the boundaries I've been given until we do a full redesign later this year. Thanks so much!
Python,
the layer 2 service is a mesh. Each of the sites is capable of communicating with the others. I was trying to find a simple way to not have a convergence every time our provider connection goes down at one of the sites. I think the network can survive the way it is, at least for now. This is certainly not the setup I would want to use.
Thanks so much for taking the time to answer.
"Generally, we recommend using the provider L2 service as a link between L3 devices at each site. And having local sites in their own broadcast domain."
This is what we have. The VLAN (default 1000) is only assigned to the interface that faces the provider. It then has to route to enter our production vlans. So, broadcast is limited to each site.
"With an eLAN you would have a single ip subnet with a L3 address at each site and full mesh peering for your OSPF or BGP route distribution. (or use static routes)"
This is what we are doing wrong. Instead of assigning an IP address on the interfaces at each site, they put the VLAN at each of the sites and used inter-VLAN routing. It has been making my head spin...
"Here there is a need to bridge VLAN and broadcast domains between sites. We generally recommend a transparent service that is used as a trunk port between the two sites. The devices on each side then can control which VLANs are shared between the DC. And generally use MSTP per VLAN."
Yes, this is what they were trying for. Unfortunately, they never implemented VSTP or MSTP on the VLAN between the data centers, or anywhere else for that matter.
Thank you for the info... this verifies what I was thinking and gives me a path for moving forward.
Dear Com !
When configuring two vQFX to communicate (layer 2) together I saw that trunking interfaces are not working. This is due to the vNIC adaptor. The Intel PRO/1000 strips the 802.1Q tag. By default, only access ports work with vQFX.
Doesn't anyone manage to have a working trunking configuration with vQFX?
I tried to change the adaptor type in the Vagrant configuration but it doesn't work. It seems JunOS has only the "Intel PRO/1000" drivers...
Driver not compatible with JunOS => once configured, I can't see the interface on the vQFX
# Interconnect link between vqfx (xe-0/0/0)
vqfx.vm.network 'private_network', auto_config: false, nic_type: 'Am79C973', virtualbox__intnet: "#{UUID}_vqfx_interconnect_nicA"
Drivers compatible but not working with 802.1Q
# Interconnect link between vqfx (xe-0/0/1)
vqfx.vm.network 'private_network', auto_config: false, nic_type: '82540EM', virtualbox__intnet: "#{UUID}_vqfx_interconnect_nicA"
Environment info:
OS : CentOS Linux release 7.3.1611 (Core) (on Cisco UCS BLADE, not a VM)
VirtualBox : 5.1.22r115126
Vagrant : 1.9.5
BOX : vqfx10k-pfe-virtualbox-20160609.box / vqfx10k-re-virtualbox-15.1X53-D60.box
help ?
Regards
Salah
Use Lo0 as source ip address for BGP adjacency as shown below.
protocols {
    bgp {
        group interop {
            type internal;
            local-address 10.10.10.70;
            family evpn {
                signaling;
            }
            neighbor 10.10.10.26;
        }
    }
}
Remove vrf-import under switch-options and use the simple switch options command.
Example:
set policy-options policy-statement VRF-IMPORT term Vxlan10 from community vxlan10
set policy-options policy-statement VRF-IMPORT term Vxlan10 then accept
set policy-options community vxlan10 members target:777:777
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 1.1.1.1:100
set switch-options vrf-import VRF-IMPORT
set switch-options vrf-target target:777:777
set protocols evpn extended-vni-list 10
set protocols evpn multicast-mode ingress-replication
set protocols evpn vni-options vni 10
Repeat the same on other QFX5100 device. Remove policy configuration and use the above example. Ping should go through.
Home dir is set in /etc/passwd. You can modify the file and change the home directory temporarily. But then you may need root permissions to do so, I have not checked it. But I suspect that what you want to do is to find a way around the built in security without using an account that is required and if that were to be the case, the device would not be a secure security device. So that may require some advanced hacking skills to elevate to permissions of your logged user account. Not sure how to accomplish that. If you could make that change then log in a second session, it should use the new home directory. However, would it not be easier to simply inform the person with root permissions, to update the device since this is not a command you will be using daily, instead of trying to bypass the security?
You could also try another method I have used. Download the file, then use a gui ftp program like fireftp to connect to the EX, and copy the file to the directory you want it. You may still run into a problem with disk space when you run the installation command. Sorry.
This is what I want to know if you did? Adding the static MAC address is adding it to the ethernet switching table, but to limit MACs it needs a secure-access port which is not available. So when these steps are followed, I would like to know what additional hierarchy is now visible.
1. Select Configure>Security>Port Security.<=======???????? Need to see what else has changed
2. Select one or more interfaces from the Interface List.
3. Click the Edit button. If a message appears asking whether you want to enable port security, click Yes.
...
To add allowed MAC addresses:
1. Click Add.
2. Type the allowed MAC address and click OK.
Repeat this step to add more allowed MAC addresses.
6. Click OK when you have finished setting MAC limits.
7. Click OK after the configuration has been successfully delivered
When you enable this feature, you would just need to clear the ethernet switching table of the MAC addresses on the defined port. Any MAC addresses learned will not be affected until they are flushed out of the ethernet switching table.
Also all you have to do is to change the MAC address of your test device (google it) to one that is not yet learned and try connecting on the port where security has been enabled.
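As an added illustration of the behaviour described in this reply (it is not code from the thread and not Junos code), the following Python model of a secured port applies an allowed-MAC list and a MAC limit to a port that already holds a learned entry, then shows what changes once the switching table is cleared. The whitelist semantics of the allowed list, the port name and the MAC addresses are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecuredPort:
    """One access port under port security. The allowed list is modelled as a
    whitelist (an assumption of this model): once configured, any other source
    MAC is rejected. mac_limit=None means the feature is not enabled."""
    name: str
    mac_limit: Optional[int] = None
    allowed: set = field(default_factory=set)
    table: dict = field(default_factory=dict)    # source MAC -> VLAN, the switching table
    drops: list = field(default_factory=list)    # (mac, reason) for rejected frames

    def receive(self, src_mac: str, vlan: int) -> bool:
        """Process a frame's source MAC; True if it is forwarded/learned."""
        src_mac = src_mac.lower()
        # An entry already in the table keeps working until the table is flushed,
        # whatever the security settings say now: the point made in the reply.
        if src_mac in self.table:
            return True
        if self.mac_limit is None:
            self.table[src_mac] = vlan           # plain dynamic learning
            return True
        if self.allowed and src_mac not in self.allowed:
            self.drops.append((src_mac, "not in allowed-mac list"))
            return False
        if len(self.table) >= self.mac_limit:
            self.drops.append((src_mac, "mac-limit exceeded"))
            return False
        self.table[src_mac] = vlan
        return True

    def clear_table(self) -> None:
        """Same effect as clearing the ethernet-switching table for this port."""
        self.table.clear()


def walkthrough() -> dict:
    """Constructed scenario: one device was learned before security was enabled,
    then an allowed list of two MACs and a limit of two are applied."""
    port = SecuredPort("ge-0/0/5")
    port.receive("00:00:5e:00:53:aa", 10)       # learned while security was off
    port.mac_limit = 2
    port.allowed = {"00:00:5e:00:53:01", "00:00:5e:00:53:02"}
    out = {
        "old_entry_still_forwards": port.receive("00:00:5e:00:53:aa", 10),
        "unknown_mac": port.receive("00:00:5e:00:53:ff", 10),
        "allowed_1": port.receive("00:00:5E:00:53:01", 10),
        "allowed_2": port.receive("00:00:5e:00:53:02", 10),  # old entry counts toward the limit
    }
    port.clear_table()
    out["old_entry_after_clear"] = port.receive("00:00:5e:00:53:aa", 10)
    out["allowed_2_after_clear"] = port.receive("00:00:5e:00:53:02", 10)
    out["drop_reasons"] = [reason for _, reason in port.drops]
    return out
```

Calling walkthrough() shows the stale entry forwarding until the table is cleared, consuming one slot of the limit while it is there, and being rejected only after the flush.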
Hi Folks,
I hope the below trick will solve your problem,
set cli directory /var/tmp <<<
Then do ftp from the same session
Initial:
lab> file list
/var/home/lab/:
Commands Added:
set cli directory /var/tmp
Now the Magic:
lab> file list
/var/tmp/:
Hello All
I appreciate if you can let me know the above subject.
(EX Switch)
set interfaces vlan unit 10 family inet address 10.0.10.101/24
set interfaces vlan unit 10 family inet address 10.0.100.1/24 primary
(Cisco Switch)
interface Vlan10
ip address 10.0.10.102 255.255.255.0 secondary
ip address 10.0.100.2 255.255.255.0
Cat3850#ping 10.0.10.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Cat3850#
Cat3850#ping 10.0.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Cat3850#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.0.10.101 128 FULL/DR 00:00:38 10.0.100.1 Vlan10
*OSPF neighbor is on the non-secondary IP only, which I know.
Are there any impact when EX configures Secondary IP?
Are there any secondary IP specification information such as the maximum number of secondary IPs and so on?
Best Regards,
Masanobu Hiyoshi
Hi,
I work for a VoIP company and we have an analyzer set up so we can monitor all traffic in and out of the network. Recently the port that all the traffic comes out on has been a bit overloaded and we are trying to cut down on the amount of traffic that the analyzer port outputs. I tried following the "Filtering the Traffic Entering an Analyzer" section at https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/port-mirroring-cli.html however this seems to only allow sending input traffic to the analyzer (since there is lots of other traffic such as NFS and MySQL). It seems there is no way of sending output traffic to the analyzer as well.
I have the following filter:
set firewall family ethernet-switching filter UDP_TRAFFIC term 10 from protocol udp
set firewall family ethernet-switching filter UDP_TRAFFIC term 10 then accept
set firewall family ethernet-switching filter UDP_TRAFFIC term 10 then analyzer MAIN
set firewall family ethernet-switching filter UDP_TRAFFIC term 20 then accept
and I tried doing on the interface:
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input UDP_TRAFFIC
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter output UDP_TRAFFIC
and when I try to commit confirmed I get:
root@dovid_home# commit check
[edit interfaces ge-0/0/0 unit 0 family ethernet-switching]
'filter'
Referenced filter 'UDP_TRAFFIC' can not be used as analyzer not supported on egress
error: configuration check-out failed
Are there any work arounds to this?
Hi experts,
after an upgrade to Junos 15.1R5 I noticed on my EX4550s strange log messages like these:
---snip---
chassism[1179]: IFCM: no handler for command subtype 178
chassism[1179]: IFCM: no handler for command subtype 179
---snap---
Are these pointing to an error?
Can I safely ignore them?
Many thanks in advance,
Stefan
Hello,
This message is related to child interface of a LAG.
If the LAG and/or their child interfaces are not flapping, you can ignore this message as per my information.
Regards,
Rushi
I am trying to build an interface that sends 3 separate VLANs inside an outer tag across the network. One of the logical units is a Layer 3 IP interface and the other 2 are bridged VLANs. Using the below config, the Layer 3 interface passes traffic and then only one or the other (whichever one I build first) of the bridged units will pass traffic. How can this config be modified so all 3 VLANs pass traffic at the same time?
MX480
user@FTMY-T3-EDGE-01> show configuration interfaces ge-2/3/0
description "--- UPLINK TO NNI ---";
flexible-vlan-tagging;
mtu 9192;
encapsulation flexible-ethernet-services;
unit 1276 {
    vlan-tags outer 1176 inner 1276;
    family inet {
        address 63.247.145.69/30;
    }
}
unit 11767 {
    encapsulation vlan-bridge;
    vlan-tags outer 1176 inner 127;
}
unit 11769 {
    encapsulation vlan-bridge;
    vlan-tags outer 1176 inner 999;
}

user@FTMY-T3-EDGE-01> show configuration bridge-domains
VLAN-127 {
    description T3-VOIP;
    vlan-id 127;
    interface ge-2/3/0.11767;
    interface ge-x/x/x.127;
}
VLAN-999 {
    description T3-CUST-MGMT;
    vlan-id 999;
    interface ge-2/3/0.11769;
    interface ge-x/x/x.999;
}
Again, in the above config I can ping across unit 1276, but I can only ever ping across either 999 or 127 and not both when enabled at the same time. How can I configure this better so it will work?
what is wrong with these switches - mine has same problem and RMA - looks like corrupted file structure
I've configured policers like:
set vlans V10 forwarding-options filter input FILTER-10M
set vlans V10 forwarding-options filter output FILTER-10M
set vlans V11 forwarding-options filter input FILTER-10M
set vlans V11 forwarding-options filter output FILTER-10M
set vlans V12 forwarding-options filter input FILTER-10M
set vlans V12 forwarding-options filter output FILTER-10M
set firewall policer 10M if-exceeding bandwidth-limit 10m
set firewall policer 10M if-exceeding burst-size-limit 1m
set firewall policer 10M then discard
set firewall family ethernet-switching filter FILTER-10M term 1 then accept
set firewall family ethernet-switching filter FILTER-10M term 1 then policer 10M
But it is not working very well. Some VLANs work normally, on others the bandwidth is very slow. Very weird.
So I've configured filters using mx style:
set interfaces ge-0/0/1 unit 10 vlan-id 10
set interfaces ge-0/0/1 unit 10 family inet filter input FILTER-10M
set interfaces ge-0/0/1 unit 10 family inet filter output FILTER-10M
Now it is working well, but since QFX doesn't support logical-interface-policer like:
set firewall policer 10M logical-interface-policer
It can't share bandwidth for both inet/inet6.
Tried this way:
set interfaces ge-0/0/1 unit 10 family inet6 filter input FILTER-10M
set interfaces ge-0/0/1 unit 10 family inet6 filter output FILTER-10M
but it's double the bandwidth if using ipv4 and ipv6 at the same time.
Is it possible? What is the correct way to do bandwidth control for QFX 5100?
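To make the doubling effect concrete, here is an added Python simulation (not from the thread and not Junos code) of a single-rate token-bucket policer using the 10m bandwidth-limit and 1m burst-size-limit from the configuration above. Two filter families that each get their own policer instance admit 10 Mbps each, while two families sharing one bucket, which is what a logical-interface-policer provides, are capped at 10 Mbps together. The offered load, packet size and packet timing are constructed for the simulation.

```python
class Policer:
    """Single-rate token-bucket policer: bandwidth-limit refills the bucket,
    burst-size-limit is its depth, and a packet that does not fit is discarded."""

    def __init__(self, bandwidth_bps: int, burst_bytes: int):
        self.rate = bandwidth_bps / 8.0       # bytes credited per second
        self.depth = burst_bytes
        self.tokens = float(burst_bytes)      # bucket starts full
        self.last = 0.0

    def offer(self, now: float, length: int) -> bool:
        """Return True if a packet of `length` bytes arriving at `now` is admitted."""
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False                          # the policer's 'then discard'


def simulate(policers: dict, seconds: float = 10.0,
             offered_mbps_per_family: float = 20.0, pkt: int = 1500) -> dict:
    """Offer a constant packet stream per family and return admitted Mbps per
    family, measured over the second half of the run so the initial burst
    credit has been spent. `policers` maps family name -> Policer; two
    families may point at the same object to model a shared bucket."""
    interval = pkt * 8 / (offered_mbps_per_family * 1e6)
    steps = int(seconds / interval)
    families = list(policers)
    admitted = {fam: 0 for fam in families}
    for i in range(steps):
        for k, fam in enumerate(families):
            # stagger the families so their packets interleave in time
            now = i * interval + k * interval / len(families)
            if now >= seconds:
                break
            if policers[fam].offer(now, pkt) and now >= seconds / 2:
                admitted[fam] += pkt
    window = seconds / 2
    return {fam: admitted[fam] * 8 / window / 1e6 for fam in families}


def compare(bandwidth_bps: int = 10_000_000, burst_bytes: int = 1_000_000) -> dict:
    """Separate policer per family (two family filters on the QFX) versus one
    shared bucket (the logical-interface-policer behaviour)."""
    separate = simulate({"inet": Policer(bandwidth_bps, burst_bytes),
                         "inet6": Policer(bandwidth_bps, burst_bytes)})
    shared_bucket = Policer(bandwidth_bps, burst_bytes)
    shared = simulate({"inet": shared_bucket, "inet6": shared_bucket})
    return {
        "separate_total_mbps": round(sum(separate.values()), 2),
        "shared_total_mbps": round(sum(shared.values()), 2),
    }
```

Offering 20 Mbps of 1500-byte packets per family, compare() reports roughly 20 Mbps admitted with separate buckets and roughly 10 Mbps with the shared one; the burst credit only matters in the first second, which is why the measurement window starts at the halfway point.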
Hello Guys,
I'm trying to configure a QinQ vlan from a EX4550 to a QFX3550. I have checked all the forums and corrected any possible mistake on the 4550, like the ethertype thing, but it is still not working.
This is my conf:
EX4550x2 --- EX4550x1 -- QFX3550x1
this is the configuration:
EX4550x2:
vlan100 {
vlan-id 100;
dot1q-tunneling {
customer-vlans 1-4094;
}
}
interfaces xe-1/0/5 {
description "DLX5_SERV + MGMT NIC2";
mtu 9216;
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan100;
}
}
}
ae1 {
mtu 9216;
aggregated-ether-options {
minimum-links 1;
link-speed 10g;
lacp {
active;
periodic fast;
}
}
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members vlan100;
}
}
}
ezequiel@EX4550x2> show configuration ethernet-switching-options
dot1q-tunneling {
ether-type 0x8100;
}
EX4550x1:
ezequiel@EX4550x1> show configuration interfaces xe-0/0/27 <<PORT FACING QFX3550x1
description "UPLINK COBOGWBPQX3500x3 PUERTO XE-0/0/0";
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members vlan100;
}
}
}
ae0 {
mtu 9216;
aggregated-ether-options {
minimum-links 1;
link-speed 10g;
lacp {
active;
periodic fast;
}
}
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members vlan100;
}
}
}
QFX3550:
root@QFX3550x1> show configuration vlans vlan100
interface xe-0/0/10.100;
interface xe-0/0/11.100;
interface xe-1/0/0.100;
interface xe-1/0/10.100;
root@QFX3550x1> show configuration interfaces xe-0/0/10 <<CE PORT
flexible-vlan-tagging;
native-vlan-id 100;
encapsulation extended-vlan-bridge;
unit 100 {
vlan-id-list 1-4094;
input-vlan-map push;
output-vlan-map pop;
}
root@QFX3550x1> show configuration interfaces xe-1/0/0 << PORT FACING EX4550x1 (trunk)
flexible-vlan-tagging;
encapsulation extended-vlan-bridge;
unit 100 {
vlan-id 100;
}
I see MAC addresses from customers in both EX4550 but not in the QFX. Also I have MAC addresses in the QFX but they are not passing to the EX. I guess the problem is on the trunk QFX/EX configuration but I don't know how to fix it. I have tried multiple configurations, flexible-vlan/vlan-id, standard trunk with vlan members, but none of them seem to be working.
Txs
Ezeq.
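Both this QinQ question and the earlier MX480 flexible-vlan-tagging question (outer 1176 with inner 1276, 127 and 999) come down to how a second 802.1Q tag is pushed, popped and matched. The following Python is an added example, not code from either poster or from Junos: it builds and parses stacked tags, performs the push and pop that input-vlan-map and output-vlan-map do, matches an outer/inner pair against the MX units, and shows what a device that only accepts ether-type 0x8100 makes of a frame whose outer tag carries 0x88a8. The MAC addresses and payloads are constructed.

```python
import struct

TPID_8021Q = 0x8100   # customer (C-tag) TPID; the EX4550 above uses it for the S-tag too
TPID_8021AD = 0x88A8  # service (S-tag) TPID defined by IEEE 802.1ad
ALL_TPIDS = (TPID_8021Q, TPID_8021AD, 0x9100)

# (outer, inner) -> logical unit, taken from the MX480 config posted earlier in the thread
MX_UNITS = {(1176, 1276): "1276", (1176, 127): "11767", (1176, 999): "11769"}


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(dst: str, src: str, tags, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet frame; tags is a list of (tpid, vid), outermost first."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP/DEI bits left at 0
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, accepted_tpids=ALL_TPIDS) -> dict:
    """Walk the tag stack; a TPID not in accepted_tpids is treated as the payload ether-type,
    which is what a device configured for a single dot1q-tunneling ether-type would do."""
    off = 12
    tags = []
    while off + 4 <= len(frame) and struct.unpack_from("!H", frame, off)[0] in accepted_tpids:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return {
        "dst": frame[:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "tags": tags,
        "ethertype": ethertype,
        "payload": frame[off + 2:],
    }


def push_tag(frame: bytes, vid: int, tpid: int = TPID_8021Q) -> bytes:
    """input-vlan-map push: add an outer tag in front of whatever tags exist."""
    return frame[:12] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """output-vlan-map pop: strip the outermost tag; refuse on an untagged frame."""
    if struct.unpack_from("!H", frame, 12)[0] not in ALL_TPIDS:
        raise ValueError("frame carries no VLAN tag to pop")
    return frame[:12] + frame[16:]


def classify(frame: bytes, units: dict, accepted_tpids=ALL_TPIDS):
    """Return the unit whose vlan-tags outer/inner pair matches the frame, or None."""
    tags = parse_frame(frame, accepted_tpids)["tags"]
    if len(tags) < 2:
        return None
    return units.get((tags[0][1], tags[1][1]))
```

Pushing S-tag 1176 onto a customer frame tagged 127 yields a frame that classify() maps to unit 11767; popping it returns the original customer frame. Parsing a frame whose outer tag uses 0x88a8 with accepted_tpids=(TPID_8021Q,) yields no tags at all and an "ether-type" of 0x88a8, which is the mismatch the ether-type 0x8100 setting on the EX4550 avoids.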
I have not used this particular function, but typically in the sampling features we only apply the filter to the input on the interface level and not the output.
Looking at your sample documentation it seems to also be the case here. I think you can just remove the filter on the output.
My apology for not replying, totally forgot about this
Thanks everyone!!
There are two ways of solving this.
1) Do port mirroring of complete interface with all traffic and select whatever you need using filter in wireshark.
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0
set ethernet-switching-options analyzer employee-monitor output interface ge-0/0/10.0
2) To do the same using FF Filter apply your filter only on ingress
https://www.juniper.net/documentation/en_US/junos/topics/example/port-mirroring-local-ex-series.html
Thanks
Partha