Can you look under edit vlans vlan-name forward-options - is dhcp-snooping an option there?
Thanks
I have this output:
am# set vlans DATA forwarding-options dhcp-security ?
Possible completions:
  <[Enter]>                      Execute this command
+ apply-groups                   Groups from which to inherit configuration data
+ apply-groups-except            Don't inherit configuration data from these groups
  arp-inspection                 Enable dynamic ARP inspection
> dhcpv6-options                 DHCPv6 option processing for snooped packets
> group                          Define a DHCP security group for overriding defaults
  ip-source-guard                Enable IP source guard
  ipv6-source-guard              Enable IPv6 source guard
  light-weight-dhcpv6-relay      Enable light weight dhcpv6 relay
  neighbor-discovery-inspection  Enable neighbor discovery inspection
  no-dhcp-snooping               Disable dhcp snooping
  no-dhcpv6-snooping             Disable DHCPv6 snooping
> option-82                      DHCP option-82 processing for snooped packets
  |                              Pipe through a command
I did something like this:
set vlans DATA vlan-id 500
set vlans DATA l3-interface irb.500
set vlans DATA forwarding-options dhcp-security group TRUST overrides trusted
set vlans DATA forwarding-options dhcp-security group TRUST interface xe-0/0/0.0
set vlans DATA forwarding-options dhcp-security group NO-TRUST interface ge-0/0/10.0
set vlans VOIP vlan-id 770
set vlans VOIP l3-interface irb.770
set interfaces xe-0/0/0 description -=Servers=-
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members DATA
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members VOIP
set interfaces ge-0/0/10 description -=Clients_Sherbakova2=-
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members DATA
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members VOIP
I need xe-0/0/0.0 to be TRUSTED and the others (ge-0/0/10.0, etc.) to be UNTRUSTED.
Port-mode trunk is trusted by default; port-mode access is untrusted by default.
You all set now? I will look to get documentation fixed.
How can I change default role for Trunk ports?
In my network I have only 2 Trunk ports with DHCP servers...
All other trunk and access port must be UNTRUSTED.
Anyone have other ideas on how to fix this?
Sorry for the confusion, the config is a sample config where et-5/1/2 and et-5/1/5 are indeed the ports configured.
I have no-mac-learning as I am flooding in port et-5/1/2 and out et-5/1/5.
I don't follow your last statement; if I send in traffic on two interfaces and broadcast out the opposing interface why would I have 50% drop?
If I send Ixia in each side I expect to get all packets out the opposite side. Maybe there is some flood prevention going on here?
Thanks for the help in diagnosing this.
The packet type is L2 with a VLAN header, VLAN 1600 (not 100 as in the config example):
vlan-1600 {
    domain-type bridge;
    interface et-5/1/2.1600;
    interface et-5/1/5.1600;
    bridge-options {
        no-mac-learning;
    }
}
et-5/1/2 {
    vlan-tagging;
    encapsulation extended-vlan-bridge;
    unit 1600 {
        vlan-id 1600;
    }
}
et-5/1/5 {
    vlan-tagging;
    encapsulation extended-vlan-bridge;
    unit 1600 {
        vlan-id 1600;
    }
}
Hi,
What is your JUNOS Version?
Hi
From the boot log, I noticed you're on JUNOS 15.1R5. You could possibly be hitting this PR:
https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1265386
On EX2200/EX3200/EX3300/EX4200/EX4500 and EX4550 platform, type "boot -s" from loader prompt can start up the system in single-user mode. The user can setup the password recovery in that mode. If "boot -s" is typed under loader in 15.1R1 ~ 15.1R6, the system does not go into the single-user mode but reboot from the alternate slice.
As a workaround, remove "boot_unattended" environment variable from NVRAM. The removal is temporary. The change does not persist after the password recovery.
Please follow these steps:
1. Get into u-boot prompt (=>) by pressing [Ctrl + C] key combination at the beginning of the system boot process.
U-Boot 1.1.6 (Feb 6 2008 - 11:27:42)
Board: EX4200-24F 2.20
EPLD: Version 6.1 (0x85)
DRAM: Initializing (1024 MB)
FLASH: 8 MB
USB: scanning bus for devices... 2 USB Device(s) found <<<<< Type Ctrl + C here
scanning bus for storage devices... 1 Storage Device(s) found
=>
2. remove 'boot_unattended' environment variable
=> printenv
bootdelay=1
baudrate=9600
.
.
boot_unattended=0
.
=> setenv boot_unattended
=> printenv
.
<<<<< /* boot_unattended is not listed anymore */
3. Then issue "boot" command, get into "loader>", boot -s will work
=> boot
Consoles: U-Boot console
Found compatible API, ver. 7
FreeBSD/PowerPC U-Boot bootstrap loader, Revision 2.1
Hit [Enter] to boot immediately, or space bar for command prompt. <<<<< press "Space" here
Type '?' for a list of commands, 'help' for more detailed help.
loader> boot -s <<<<<
..
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery <<<<< enter "recovery" here
warning: Please logout and log into the VC-M to use CLI.
{linecard:0}
root>
{linecard:0}
root> configure
Entering configuration mode
{linecard:0}[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
{linecard:0}[edit]
root# commit
2010-01-01 00:31:54 UTC: Running FIPS Self-tests
veriexec: no signatures for device. file='/sbin/kats/cannot-exec' fsid=75 fileid=51404 gen=1 uid=0 pid=304
2010-01-01 00:31:57 UTC: FIPS Self-tests Passed
commit complete
Hi,
I have not solved the issue.
How to do UNTRUST for TRUNK ports?
I tested this config:
am> show configuration vlans
DATA {
    vlan-id 500;
    l3-interface irb.500;
    forwarding-options {
        dhcp-security {
            group TRUST {
                overrides {
                    trusted;
                }
                interface ge-0/0/20.0;
            }
            group UNTRUST {
                overrides {
                    ##
                    ## Warning: statement ignored: unsupported platform (qfx5100-48s-6q)
                    ##
                    untrusted;
                }
                interface ge-0/0/21.0;
            }
        }
    }
}
But this doesn't work either.
So. I have answer from JTAC: "The warning is self explanatory. It is not supported on QFX5100. This is a product limitation."
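For readers on a platform where the per-group "untrusted" override is accepted, the following is the full configuration the thread was working toward. It is an added example, not the poster's or JTAC's configuration; it assumes an ELS switch that does not emit the "unsupported platform" warning shown above (on QFX5100 the untrusted override is ignored, per the JTAC answer), and reuses the interface names and VLAN from the original post.

```junos
# Added example; assumes an ELS platform that accepts "overrides untrusted".
# On QFX5100 the "untrusted" statement is ignored with the warning shown in
# the thread, so this does not change trunk behaviour there.
set vlans DATA vlan-id 500
set vlans DATA l3-interface irb.500

# Configuring dhcp-security under the VLAN enables DHCP snooping on it.
# Trunk ports are trusted by default, so name the DHCP-server uplink(s)
# explicitly in a trusted group ...
set vlans DATA forwarding-options dhcp-security group TRUST overrides trusted
set vlans DATA forwarding-options dhcp-security group TRUST interface xe-0/0/0.0

# ... and put every other trunk (clients, downstream switches) into a group
# that overrides the trunk default to untrusted, so DHCP server replies
# arriving there are dropped instead of populating the binding table.
set vlans DATA forwarding-options dhcp-security group UNTRUST overrides untrusted
set vlans DATA forwarding-options dhcp-security group UNTRUST interface ge-0/0/10.0

# Optional hardening on the same VLAN; both rely on the snooping bindings.
set vlans DATA forwarding-options dhcp-security arp-inspection
set vlans DATA forwarding-options dhcp-security ip-source-guard

# Verification after commit: bindings should only be learned from offers
# that enter on xe-0/0/0.0.
#   user@switch> show dhcp-security binding
```

Before relying on this, commit with `commit check` and confirm that no "statement ignored" warning is printed for the UNTRUST group; if it is, the platform is treating that trunk as trusted regardless of the configuration.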
Thank you for this information. It cannot get documented soon enough as JTAC was not helpful and still sending me towards the older EX recovery methods...
Just to note, I initially downloaded the "limited" image and it seemed to not work. This could be my image or I messed up the process. I then downloaded the junos-install-media-usb-arm-32-[version].img.gz file and was successful. Just to add some details that some may not know.
Uncompress the file so you are left with a .img file
On OSX to create a bootable drive do the following:
$diskutil list - to find where your thumb drive is located, I'll be using "disk2" in my example
$diskutil unmountDisk /dev/disk2
$sudo dd if=/path/to/junos-install-media-usb-arm-32-version.img of=/dev/disk2 bs=1m
OSX will probably have a pop-up asking to eject, but just in case you can eject manually
$diskutil eject /dev/disk2
Plug the now bootable USB drive into the EX2300 switch and boot up with the console cable plugged in. You can interrupt the boot process to get to the 'loader>' prompt; in my example the switch would only boot to the loader> prompt.
With the usb drive installed on the switch type in the following
loader> set currdev="disk1s1a"
loader> include /boot/loader.rc
Thank you again rmaradia
What was your JTAC case number, please? Many thanks.
Hello colleagues,
I have one simple question, but I don't know how to do it.
So, I have an EX2200 switch as an access switch in the network; on Cisco there is the command ip default-gateway.
Does Juniper have an analogous command, or must I use set routing-options default <host>?
Routing is enabled by default, even on an EX2200, so you just have to configure a static route for 0.0.0.0/0:
set routing-options static route 0.0.0.0/0 next-hop <gateway-ip>
Ok, I thought same way.
One more question: what about DHCP relay? Does DHCP relay need to be configured on the switch (in the access role)?
Hi Slack,
Was wondering if you'd manage to recover from the above steps??
For DHCP relay, could you elaborate? Do you want this switch to be a BOOTP or DHCP relay agent?
Is there a way to trace packets in Juniper to see more information on why the drop occurred?
Currently I have an SRX 240 firewall and a Cisco 24-port switch set up.
I do use ether channel for my vmware servers.
I would like to consolidate it all into new SRX 650 with 2 x 24 port modules.
Plenty of ports to go around, and I was thinking of making 80% of them into LAN ports (VLAN tagging).
Has anyone had experience with Ethernet switching performance on SRX vs. Cisco/SRX?
Although SRX is not really a switch I do eliminate that extra hop to go from SRX 240 to Cisco switch.
Plus, everything done on same box and one routing engine board.
Am I losing out a lot on SRX 650 performance vs. the 240 + Cisco switch combination?
What is the difference in latency? If anyone has any idea, that would be greatly appreciated.
Thanks in advance and please advise.