Re: EX4550 triangle connectivity - RSTP issues
Re: Can Juniper generate traffic out of an interface?
Hello,
The short answer is yes.
The long answer is that hardware traffic generators like IXIA or Spirent are the best of breed to test anything with a realistic traffic profile.
IXIA/Spirent generators can inject ANY kind of L2/L3 traffic, with controlled delay/loss/fragmentation, etc. Naturally, such capabilities come with a price.
You could get away with a sizeable collection of free tools to achieve <50% of what IXIA/Spirent can do, but the hassle of configuring all these tools would be enormous. Unless, of course, you are a programmer and can write your own unified frontend for interfacing with tools like Iperf (generator), M0n0wall (controlled latency), exaBGP (route injection), Wireshark (packet capture), etc.
HTH
Thx
Alex
EX3300 Bandwith Limitations
Hi All,
I am not really new to Juniper, but not an expert either.
Anyway, I am running into something for a customer of ours.
A customer of ours needs to have a bandwidth limit on all of their ports.
I've figured this is best done with a policer on an EX switch. We are using EX3300s in a stacked setup, by the way.
However, somehow I can't apply the policer on the interface range. I wanted to create a policer that sets the ports to a download and upload limit of 20M. I can create the policer, though.
I'm hoping someone can help me with this.
A copy of the config at this moment:
set version 12.3R12.4
set groups lcd-displays chassis lcd-menu fpc <*> menu-item maintenance-menu disable
set groups lcd-displays chassis lcd-menu fpc <*> menu-item status-menu disable
set system host-name V-SWITCH
set system time-zone Europe/Amsterdam
<output omitted>
set system services ssh
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system commit synchronize
<output omitted>
set chassis redundancy graceful-switchover
set chassis aggregated-devices ethernet device-count 5
set chassis lcd-menu fpc 0 apply-groups lcd-displays
set chassis lcd-menu fpc 1 apply-groups lcd-displays
set chassis lcd-menu fpc 2 apply-groups lcd-displays
set chassis lcd-menu fpc 3 apply-groups lcd-displays
set interfaces interface-range std-poorten member-range ge-0/0/0 to ge-0/0/46
set interfaces interface-range std-poorten member-range ge-1/0/0 to ge-1/0/46
set interfaces interface-range std-poorten member-range ge-2/0/0 to ge-2/0/22
set interfaces interface-range std-poorten member-range ge-3/0/0 to ge-3/0/46
set interfaces interface-range std-poorten ether-options speed 10m
set interfaces interface-range std-poorten unit 0 family ethernet-switching vlan members std
set interfaces ge-0/0/47 ether-options 802.3ad ae0
set interfaces ge-1/0/47 ether-options 802.3ad ae0
set interfaces ge-2/0/23 ether-options 802.3ad ae0
set interfaces ge-3/0/47 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members std
set interfaces vme unit 0 family inet address xx.xx.xx.xx/xx
set routing-options static route 0.0.0.0/0 next-hop xx.xx.xx.xx/xx
set protocols igmp-snooping vlan all
set protocols rstp bridge-priority 0
set protocols rstp interface std-poorten no-root-port
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options secure-access-port interface std-poorten mac-limit 5
set ethernet-switching-options secure-access-port vlan std examine-dhcp
set ethernet-switching-options secure-access-port vlan std ip-source-guard
set ethernet-switching-options nonstop-bridging
set ethernet-switching-options port-error-disable disable-timeout 300
set ethernet-switching-options storm-control interface all
set vlans std vlan-id 200
set vlans std no-local-switching
set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number GA0212514663
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number GA0213034842
set virtual-chassis member 2 role line-card
set virtual-chassis member 2 serial-number GD0213062134
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number GA0217180202
Re: Can Juniper generate traffic out of an interface?
Thanks for the responses. The initial idea in https://forums.juniper.net/t5/Ethernet-Switching/Interface-storming-for-validation-of-physical-interface/m-p/317706#M17566 was to not use Juniper as a traffic generator, but to instead use the SUT (interfacing with Juniper) to start an L2 storm and run a storm between Juniper and the SUT for some standardized packet count.
I'm investigating the idea of changing roles and having Juniper start the storm between the SUT and Juniper.
RFC 2544 testing may do the trick, let me investigate a bit more. Thanks,
Re: EX3300 Bandwith Limitations
Hi,
Policer is not supported for egress. You can use ingress policing and egress shaping.
root@test# commit
[edit]
'filter'
Referenced filter 'RATE-LIMIT' can not be used as policer not supported on egress
Basic configuration for policer is shown below.
set interfaces ae0 mtu 9216
set interfaces ae0 aggregated-ether-options minimum-links 1
set interfaces ae0 aggregated-ether-options link-speed 1g
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching vlan members VLAN-TEST
set interfaces ae0 unit 0 family ethernet-switching filter input RATE-LIMIT
set firewall family ethernet-switching filter RATE-LIMIT term one then policer MAX_BANDWIDTH
set firewall policer MAX_BANDWIDTH if-exceeding bandwidth-limit 1m
set firewall policer MAX_BANDWIDTH if-exceeding burst-size-limit 200k
set firewall policer MAX_BANDWIDTH then discard
Regards,
Rahul
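The rule behind the commit error above, as an added example that is not part of the original reply: a Python check over a configuration in "set" format that reports an ethernet-switching filter with a policer bound on output, a policer filter bound to no interface (the state described in the original question), and a referenced but undefined policer. The sample configuration and the port ge-0/0/1 are constructed, and the parser only understands the statement forms shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format: the policer from the reply above,
# plus one deliberately wrong egress binding on a hypothetical port ge-0/0/1.
SAMPLE = """\
set interfaces ae0 unit 0 family ethernet-switching filter input RATE-LIMIT
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter output RATE-LIMIT
set firewall family ethernet-switching filter RATE-LIMIT term one then policer MAX_BANDWIDTH
set firewall policer MAX_BANDWIDTH if-exceeding bandwidth-limit 1m
set firewall policer MAX_BANDWIDTH if-exceeding burst-size-limit 200k
set firewall policer MAX_BANDWIDTH then discard
"""

# Interface (or interface-range) to filter binding, with its direction.
BIND = re.compile(r"^set interfaces (?:interface-range )?(\S+) unit (\d+) "
                  r"family ethernet-switching filter (input|output) (\S+)$")
# Filter term whose action is a policer.
USES = re.compile(r"^set firewall family ethernet-switching filter (\S+) "
                  r"term (\S+) then policer (\S+)$")
# Any statement that defines part of a policer.
POLICER = re.compile(r"^set firewall policer (\S+) ")


def lint_policers(config):
    """Return a list of findings about how policers are defined and applied."""
    bindings, filter_policers, defined = [], defaultdict(set), set()
    for line in (raw.strip() for raw in config.splitlines()):
        if m := BIND.match(line):
            bindings.append(m.groups())
        elif m := USES.match(line):
            filter_policers[m.group(1)].add(m.group(3))
        elif m := POLICER.match(line):
            defined.add(m.group(1))

    findings = []
    for name, policers in filter_policers.items():
        for p in sorted(policers - defined):
            findings.append(f"filter {name}: policer {p} is referenced but not defined")
        if not any(b[3] == name for b in bindings):
            findings.append(f"filter {name}: has a policer but is bound to no interface")
    for ifname, unit, direction, name in bindings:
        # The commit error quoted above: a policer filter cannot be used on egress.
        if direction == "output" and filter_policers.get(name):
            findings.append(f"{ifname}.{unit}: filter {name} uses a policer and is "
                            "applied on output; policers are ingress-only here")
    return findings


if __name__ == "__main__":
    for finding in lint_policers(SAMPLE):
        print(finding)
```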
Where did these packets go?
I'm trying to figure out why these packets were dropped, 'rejects' should be rejected because of SA or DA, but neither SA nor DA reject counts are incrementing.
This is in an MX480 with MRATE-12xQSFPP-XGE-XLGE-CGE FPC (https://www.juniper.net/documentation/en_US/release-independent/junos/topics/reference/general/mpc7e-multi-rate.html)
Configuration
# add interfaces to the bridge domain
set interfaces et-5/0/2 vlan-tagging
set interfaces et-5/0/2 encapsulation extended-vlan-bridge
set interfaces et-5/0/2 unit 100 vlan-id 100
set interfaces et-5/0/5 vlan-tagging
set interfaces et-5/0/5 encapsulation extended-vlan-bridge
set interfaces et-5/0/5 unit 100 vlan-id 100
# add bridge domain interface config
set bridge-domains vlan-100 domain-type bridge bridge-options no-mac-learning
set bridge-domains vlan-100 interface et-5/0/2.100
set bridge-domains vlan-100 interface et-5/0/5.100
What are some good next steps for debugging this?
Physical interface: et-5/1/2, Enabled, Physical link is Up
Interface index: 143, SNMP ifIndex: 571, Generation: 146
Link-level type: Extended-VLAN-Bridge, MTU: 1518, MRU: 1526, Speed: 100Gbps,
BPDU Error: None, Loopback: Disabled, Source filtering: Disabled,
Flow control: Enabled
Pad to minimum frame size: Disabled
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x20004000
CoS queues : 8 supported, 8 maximum usable queues
Schedulers : 0
Hold-times : Up 0 ms, Down 0 ms
Damping : half-life: 0 sec, max-suppress: 0 sec, reuse: 0, suppress: 0, state: unsuppressed
Current address: 38:4f:49:d6:ae:cc, Hardware address: 38:4f:49:d6:ae:cc
Last flapped : 2018-01-24 00:49:33 UTC (00:02:59 ago)
Statistics last cleared: 2018-01-24 00:52:13 UTC (00:00:19 ago)
Traffic statistics:
Input bytes : 190000 0 bps
Output bytes : 0 0 bps
Input packets: 1000 0 pps
Output packets: 0 0 pps
IPv6 transit statistics:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Dropped traffic statistics due to STP State:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Input errors:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
FIFO errors: 0, Resource errors: 0
Output errors:
Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
Egress queues: 8 supported, 4 in use
Queue counters: Queued packets Transmitted packets Dropped packets
0 0 0 0
1 0 0 0
2 0 0 0
3 0 0 0
Queue number: Mapped forwarding classes
0 best-effort
1 expedited-forwarding
2 assured-forwarding
3 network-control
Active alarms : None
Active defects : None
PCS statistics Seconds
Bit errors 0
Errored blocks 0
MAC statistics: Receive Transmit
Total octets 384000 0
Total packets 2000 0
Unicast packets 2000 0
Broadcast packets 0 0
Multicast packets 0 0
CRC/Align errors 0 0
FIFO errors 0 0
MAC control frames 0 0
MAC pause frames 0 0
Oversized frames 0
Jabber frames 0
Fragment frames 0
VLAN tagged frames 1000
Code violations 0
Total errors 0 0
Filter statistics:
Input packet count 2000
Input packet rejects 1000
Input DA rejects 0
Input SA rejects 0
Output packet count 0
Output packet pad count 0
Output packet error count 0
CAM destination filters: 0, CAM source filters: 0
Packet Forwarding Engine configuration:
Destination slot: 0 (0x00)
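A way to reconcile the counters in the output above, as an added example that is not part of the original post: the Python below pulls the receive-side counters out of the interface output and computes how many rejects the SA/DA counters leave unexplained, how many frames arrived without a VLAN tag, and whether the frames that passed the filter match the traffic statistics. The sample lines are copied from the post; the field names in the result are this example's own.

```python
import re

# Counter lines copied from the interface output in the post above.
SAMPLE = """\
Input packets: 1000 0 pps
Total packets 2000 0
VLAN tagged frames 1000
Input packet count 2000
Input packet rejects 1000
Input DA rejects 0
Input SA rejects 0
"""

# First number after each label; for two-column rows that is the Receive column.
FIELDS = {
    "traffic_in": r"Input\s+packets\s*:\s*(\d+)",
    "mac_rx": r"Total packets\s+(\d+)",
    "tagged": r"VLAN tagged frames\s+(\d+)",
    "filter_in": r"Input packet count\s+(\d+)",
    "rejects": r"Input packet rejects\s+(\d+)",
    "da_rejects": r"Input DA rejects\s+(\d+)",
    "sa_rejects": r"Input SA rejects\s+(\d+)",
}


def reconcile(text):
    """Parse the counters and return them with the derived comparisons."""
    c = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"counter not found: {key}")
        c[key] = int(m.group(1))
    passed = c["filter_in"] - c["rejects"]
    return {
        **c,
        # Rejects that neither the DA nor the SA counter accounts for.
        "unexplained_rejects": c["rejects"] - c["da_rejects"] - c["sa_rejects"],
        # Frames received by the MAC without a VLAN tag.
        "untagged": c["mac_rx"] - c["tagged"],
        # Frames that got past the MAC filter, and whether the interface
        # traffic statistics show the same number.
        "passed_filter": passed,
        "passed_matches_traffic": passed == c["traffic_in"],
    }


if __name__ == "__main__":
    for name, value in reconcile(SAMPLE).items():
        print(f"{name:24} {value}")
```

On the sample, the unexplained rejects and the untagged frame count come out equal; that is a correlation to follow up, not a confirmed cause.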
Re: Where did these packets go?
What packets? Do you know which exact packet [type] is being dropped? BTW, your config is for interfaces 5/0/2 and 5/0/5, both in VLAN-100. I assume traffic flows between these 2 interfaces; BUT your stats are for 5/1/2 - confusing???
Re: Where did these packets go?
Also, is there a specific reason you have enabled no-mac-learning for the VLAN/bridge-domain? For this config option there should never be drops due to SA or DA, as they should be ignored. The drops must be for some other reason. Potentially, since everything in that VLAN/bridge-domain is now a flood, if you input line-rate on, say, 2 interfaces, out 1 interface, you should get 50% drop, as you are seeing.
EX2200 can't join in boot -s (single mode) auto rebooting
Hello there, I'm looking for some ideas about what is happening with my two Juniper switches. I don't remember the password, so I'm trying to follow the root password recovery procedure, but after I enter boot -s something loads and at the end a message appears saying "Rebooting..." and it never asks me to enter "recovery".
Here is what is happening on the console:
FreeBSD/arm U-Boot loader, Revision 1.1
(builder@svl-junos-pool91.juniper.net, Tue Apr 5 00:15:22 UTC 2011)
Memory: 512MB
bootsequencing is enabled
bootsuccess is set
new boot device = disk0s1:
Loading /boot/defaults/loader.conf
/kernel text=0x957c71 data=0x469e8+0xfe108 syms=[0x4+0x1053a0+0x4+0xe045e]
Hit [Enter] to boot immediately, or space bar for command prompt.
Type '?' for a list of commands, 'help' for more detailed help.
loader> boot -s
Kernel entry at 0x1400100 ...
GDB: debug ports: uart
GDB: current port: uart
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
Copyright (c) 1996-2016, Juniper Networks, Inc.
All rights reserved.
Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
JUNOS 15.1R5.5 #0: 2016-11-25 16:54:59 UTC
builder@mayland.juniper.net:/volume/build/junos/15.1/release/15.1R5.5/obj/arm/junos/bsd/kernels/JUNIPER-EX-2200/kernel
can't re-use a leaf (all_slot_serialid)!
CPU: Feroceon 88FR131 rev 1 (Marvell core)
cpu53: Feroceon 88FR131 revision WB enabled EABT branch prediction enabled
16KB/32B 4-way Instruction cache
16KB/32B 4-way write-back-locking-C Data cache
real memory = 536870912 (512 MB)
avail memory = 501743616 (478 MB)
SOC: Marvell 88F6281 rev A0, TClock 200MHz
Security policy loaded: Junos MAC/veriexec (mac_veriexec)
Security policy loaded: JUNOS MAC/pcap (mac_pcap)
Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
MAC/veriexec fingerprint module loaded: SHA1
MAC/veriexec fingerprint module loaded: SHA256
ETHERNET SOCKET BRIDGE initialising
Initializing EXSERIES properties ...
mbus0: <Marvell Internal Bus (Mbus)> on motherboard
ic0: <Marvell Integrated Interrupt Controller> at mem 0xf1020200-0xf102023b on mbus0
timer0: <Marvell CPU Timer> at mem 0xf1020300-0xf102032f irq 1 on mbus0
gpio0: <Marvell Integrated GPIO Controller> at mem 0xf1010100-0xf101011f irq 35,36,37,38,39,40,41 on mbus0
uart0: <16550 or compatible> at mem 0xf1012000-0xf101201f irq 33 on mbus0
uart0: console (9600,n,8,1)
uart1: <16550 or compatible> at mem 0xf1012100-0xf101211f irq 34 on mbus0
ehci0: <88F5XXX Integrated USB 2.0 controller> at mem 0xf1050000-0xf1050fff irq 48,19 on mbus0
usb0: EHCI version 1.0
usb0 on ehci0
usb0: USB revision 2.0
uhub0: Marvell EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub0: 1 port with 1 removable, self powered
uhub1: vendor 0x04b4 product 0x6560, class 9/0, rev 2.00/90.15, addr 2
uhub1: single transaction translator
uhub1: 2 ports with 2 removable, self powered
umass0: STMicroelectronics ST72682 High Speed Mode, rev 2.00/2.10, addr 3
mge0: <Marvell Gigabit Ethernet controller> at mem 0xf1072000-0xf1073fff irq 12,13,14,11,46 on mbus0
mge0: hardware MAC address 54:4b:8c:ba:3b:ff
miibus0: <MII bus> on mge0
e1000phy0: <Marvell 88E1118 Gigabit PHY> on miibus0
e1000phy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX-FDX, auto
i2c0: <Marvell I2C ARM OnChip Controller> at mem 0xf1011000-0xf101101f irq 29 on mbus0
syspld0: <SYSPLD> on i2c0
poe0: <POE> on i2c0
cfi0: <SPI flash - 8MB> at mem 0xf1010600-0xf101062f,0xf8000000-0xf87fffff irq 23 on mbus0
mpfe0: <Juniper EX-series Packet Forwarding Engine> at mem 0xf4000000-0xf7ffffff irq 113 on mbus0
pcib0: <Marvell 88F6281 PCI-Express host controller> at mem 0xf1040000-0xf1041fff,0xe8000000-0xefffffff irq 9 on mbus0
pci0: <PCI bus> on pcib0
Initializing product: 119 ..
Timecounter "CPU Timer" frequency 200000000 Hz quality 1000
Registered AMT tunnel Encap with UDP Tunnel!
Loading Redundant LT driver
###PCB Group initialized for udppcbgroup
###PCB Group initialized for tcppcbgroup
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
da0: 40.000MB/s transfers
da0: 1000MB (2048000 512 byte sectors: 64H 32S/T 1000C)
Kernel thread "wkupdaemon" (pid 40) exited prematurely.
Trying to mount root from ufs:/dev/da0s1a
Attaching /packages/junos via /dev/mdctl...
Mounted junos-ex package on /dev/md0...
Waiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `vnlru_mem' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...0 0 0 0 0 0 0 0 0 done
syncing disks... All buffers synced.
Uptime: 29s
Rebooting...
I will appreciate any idea of how I can fix this.
Also, I tried to reinstall via tftp and usb; with tftp error 60 appears and with usb error 22, so I'm stuck at this point.
Thank you a lot for taking the time to read this.
Re: EX2200 can't join in boot -s (single mode) auto rebooting
Hi Slack,
Could you please ensure that there is no USB attached to the switch when you enter "boot -s"?
https://kb.juniper.net/InfoCenter/index?page=content&id=KB14102
Re: EX2200 can't join in boot -s (single mode) auto rebooting
Thanks, but that doesn't work. I did it without any usb connected and the same happens: when I enter "boot -s", after some loading, the "Rebooting..." message appears and the device is rebooted.
Re: EX2200 can't join in boot -s (single mode) auto rebooting
Try this method, the one at the end: type only "-s" at the boot: prompt and see how it goes?
https://forums.juniper.net/t5/Ethernet-Switching/Unable-to-reset-password-on-EX2200/td-p/104234
Re: EX2200 can't join in boot -s (single mode) auto rebooting
Re: EX2200 can't join in boot -s (single mode) auto rebooting
I wouldn't suggest RMA & why RMA? An RMA should be only when you have H/w issue with device.
This is not a H/w issue. Also, for RMA, you will need to log a ticket with JTAC; instead of RMA, raise a tech ticket with JTAC wherein they can remote access your system to live troubleshoot and recover the switch (instead of RMA).
Re: EX2200 can't join in boot -s (single mode) auto rebooting
Hi karand, I don't see any like that to just put "-s".
Re: EX4550 triangle connectivity - RSTP issues
I've raised a case with our Support partner and am still getting no comfortable feeling from them as to why RSTP is still blocking my interfaces.
All links between switches have now been configured as 'access'.
Each link is a 'l3-interface' with a unique subnet and VLAN.
I've completely removed all unused interfaces from 'default' VLAN.
So why on earth is RSTP still blocking interfaces!? This is driving me nuts.
My heart says disable RSTP globally, but my head says I should keep it enabled and figure this out.
QFX5100 and DHCP snooping
Hi!
I have:
QFX5100-48S-6Q
Junos: 17.4R1.16
I want to configure DHCP snooping to protect my network from other DHCP servers...
I use this guide: https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/qfx-series/security.pdf
But I don't see any working config.
Does QFX5100 support DHCP snooping?
am> show dhcp?
Possible completions:
  dhcp                 Show Dynamic Host Configuration Protocol information
  dhcp-security        Show DHCP access security information
  dhcpv6               Show Dynamic Host Configuration Protocol v6 information
{master:0}
am> show dhcp ?
Possible completions:
  client               Show DHCP client information
  relay                Show DHCP relay information
  server               Show DHCP server information
  statistics           Show DHCP service statistics
{master:0}[edit]
am# set et
^
syntax error.
am# set et
Re: EX4550 triangle connectivity - RSTP issues
I have resolved this by enabling VSTP on the interfaces forming the triangle. As each link has a unique VLAN, there are now no ports being blocked.
I have left RSTP enabled also, but disabled it on all the interfaces in the 'triangle'.
I'm happy. Thanks for all your replies.
Re: QFX5100 and DHCP snooping
Per this it should be there - https://apps.juniper.net/feature-explorer/feature-info.html?fKey=1039&fn=DHCP%20snooping
See here for details on how to configure - https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/port-security-dhcp-snooping-cli.html
QFX51xx and EX4600 have different CLI structure than EX4300/EX3400/EX2300, that is other EX ELS switches.
Re: QFX5100 and DHCP snooping
Hello,
But I don't have ethernet-switching-options:
am> configure
Entering configuration mode
{master:0}[edit]
am# set et
^
syntax error.
am# set et