Your understanding is correct, its not enabled by default.
The router or switch responds to an ARP request only if the destination IP address is its own.
It is interface level command and not global:
I think one way you can set global would be configire under the group & apply.
set groups arp interfaces <*> unit <*> proxy-arp unrestricted
Greetings,
We've been seeing some very strange behavior with some devices on our network. We have devices that are statically configured on a specific subnet. Yet, these particular devices are being mysteriously assigned DHCP from a different subnet. This behaviour just started happening a few days ago. Clearly, this simply shouldn't be happening. First of all, these devices are supposed to be statically configured, second, they're on a subnet that is NOT configured for DHCP. Third, the DHCP leases they're getting are from a separate subnet, which means that somehow DHCP request packets are crossing subnets which makes no sense. We have a network where there are Juniper EX-2200s at the access layer. One of these switches may have been damaged by a power surge. Does anybody have any idea about this?
the two layer two vlans at issue are being cross connected somewhere so that they are in the same broadcast domain.
Typically this happens when a port in each vlan are accidently connected to each other. This need not be on the same switch. This could occur in any area where multiple network jacks are available and accidently connected.
Another possibility could be someone has added a device in an office or conference room.
I have also 2 QFX5100 and I can create a virtual chassis.
After a switch-over of the routing-engine, it takes at least 5 minutes that the VC is back formed because the VCP interfaces are down.
This is not acceptable. I don't have this in a EX virtual chassis setup.
The VCPs are configured with the ports et-0/0/48 (40 Gbit)
Current software version : 17.4R1.16
According to a kb juniper article, it is a requirement to install the qfx-5-e junos version. When I check the junos download page for QFX5100, it is not available. (https://kb.juniper.net/InfoCenter/index?page=content&id=KB32473&cat=&actp=LIST)
Even the virtual chassis can be setup with the current software version, I would like to install the qfx-5-e version before going in production and maybe it will solve the issue with the switchover of the RE.
I saw on the download page that the qfx-5-e version is available for the QFX5110 switch. Can this junos package be used ?
Thanks for your support.
Does anyone know the correct syntax to shut down an EX9204 running JUNOS 17? Documented commands do not work:
request system power-off: doesn't exist (are you ^#%&* kidding me?)
request system halt: doesn't exist
request system reboot power-off fpc: reboots the system
That I have to ask this on the forum is either embarassing for me or for Juniper, I'm not sure which.
--Paul
I need a bit of assistance here.
I have the following situation.
switch-1 with multicast sources attached. this is not my switch and I have no operational/config visability of it. This has igmp-snooping enabled.
I then have a second switch-2. This is connected to switch-1.
This switch-2 has recievers that want to recieve sources from switch-1 and also from locally attached sources.
I have enabled igmp-snooping on switch-2 on the relevant vlan and set the link facing switch-1 as a multicast-router.
the recievers on switch-2 are all working fine but I am seeing all the MCAST traffic from the sources on switch-2 being pushed over the link to switch-1.
I had not expected that. I as under the impression that this would only happen if switch-1 registered an interest in recieving the traffic.
a packet capture on the inter switch link shows an IGMPv2 query to all mcast routers 224.0.0.1 coming in from switch-1.
Is this packet what is triggering the traffic push?
thank you
Maybe that "request" commands is blocked for your user access?
Are you logged in as root user?I checked in JUNOS 17.4 and works fine.
root@jtac-ex9204-re0> show version
Hostname: jtac-ex9204-r2002-re0
Model: ex9204
Junos: 17.4R1.16
JUNOS OS Kernel 64-bit [20171206.f4cad52_builder_stable_11]
JUNOS OS libs [20171206.f4cad52_builder_stable_11]
JUNOS OS runtime [20171206.f4cad52_builder_stable_11]
JUNOS OS time zone information [20171206.f4cad52_builder_stable_11]
JUNOS OS libs compat32 [20171206.f4cad52_builder_stable_11]
JUNOS OS 32-bit compatibility [20171206.f4cad52_builder_stable_11]
JUNOS py extensions [20171219.172921_builder_junos_174_r1]
JUNOS py base [20171219.172921_builder_junos_174_r1]
JUNOS OS crypto [20171206.f4cad52_builder_stable_11]
JUNOS network stack and utilities [20171219.172921_builder_junos_174_r1]
JUNOS libs [20171219.172921_builder_junos_174_r1]
JUNOS libs compat32 [20171219.172921_builder_junos_174_r1]
JUNOS runtime [20171219.172921_builder_junos_174_r1]
root@jtac-ex9204-re0> request system power-off both-routing-engines
warning: Other routing-engine not present
Power Off the system ? [yes,no] (no) yes
Stopping cron.
Waiting for PIDS: 20995.
.
Mar 14 07:36:19 jlaunchd: broker-re (PID 21249) terminate signal 15 sent
Mar 14 07:36:19 jlaunchd: rpcbind-service (PID 21342) terminate signal 15 sent
Mar 14 07:36:19 jlaunchd: overlay-ping-traceroute (PID 21646) terminate signal 15 sent
Mar 14 07:36:23 jlaunchd: iccp-service (PID 21635) exited with status=0 Normal Exit
Waiting (max 60 seconds) for system process `vnlru' to stop... done
Waiting (max 60 seconds) for system process `bufdaemon' to stop... done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining... 0 0 0 0 0 done
All buffers synced.
Uptime: 18d9h51m34s
Khelp module "jsocket" can't unload until its refcount drops from 12 to 0.
acpi0: Powering system off
Hi Bhoomi,
Did you find some solution for the physical interfaces, i saw no reply to your question.
i am also facing the same issue. can you please share the solution if you have managed to get the physical interface up and running?
Thanks
'Regards
Badar
We seem to have a process in my company where we need to send a CSR to the PKI guys so that they can generate a .cer certificate. But if I tried to use this certificate (and a .pem version I created using the windows "certutil -encode" command) with the process you described, I get the same error message as what the previous guy had.
Is there no process for doing it via the CSR path (which means the device already have the private key) or is there the one process where everything to do with the certificate needs to be created outside and independent of the Juniper device?
On 17.1 this does not appear to be an available option even as root.
{master}
root@ex9204-core2-re0> request system ?
Possible completions:
certificate Manage X509 certificates
commit Perform commit related operations
configuration Request operation on system configuration
decrypt Decrypt a $8$ or $9$-encrypted password
license Manage feature licenses
logout Forcibly end user's CLI login session
personality-file Execute commands related to personality of a device
process Request operation on system process
reboot Reboot the system
recover Recover a specified volume
scripts Manage scripts (commit, op, event)
snapshot Create a normal Junos or a recovery snapshot
software Perform system software extension or upgrade
storage Request operation on system storage
yang Perform YANG schema operations
zeroize Erase all data, including configuration and log files
{master}root@ex9204-core2-re0> show version Hostname: ex9204-core2-re0 Model: ex9204 Junos: 17.1R2.7 JUNOS OS Kernel 64-bit [20170607.351421_builder_stable_10] JUNOS OS libs [20170607.351421_builder_stable_10] JUNOS OS runtime [20170607.351421_builder_stable_10] JUNOS OS time zone information [20170607.351421_builder_stable_10] JUNOS network stack and utilities [20170617.054345_builder_junos_171_r2] JUNOS modules [20170617.054345_builder_junos_171_r2] JUNOS mx modules [20170617.054345_builder_junos_171_r2] JUNOS libs [20170617.054345_builder_junos_171_r2] JUNOS OS libs compat32 [20170607.351421_builder_stable_10] JUNOS OS 32-bit compatibility [20170607.351421_builder_stable_10] JUNOS libs compat32 [20170617.054345_builder_junos_171_r2] JUNOS runtime [20170617.054345_builder_junos_171_r2] Junos vmguest package [20170617.054345_builder_junos_171_r2] JUNOS py extensions [20170617.054345_builder_junos_171_r2] JUNOS py base [20170617.054345_builder_junos_171_r2] JUNOS OS vmguest [20170607.351421_builder_stable_10] JUNOS OS crypto [20170607.351421_builder_stable_10] JUNOS Web Management Platform Package [20170617.054345_builder_junos_171_r2] JUNOS mx libs compat32 [20170617.054345_builder_junos_171_r2] JUNOS mx runtime [20170617.054345_builder_junos_171_r2] JUNOS common platform support [20170617.054345_builder_junos_171_r2] JUNOS mx libs [20170617.054345_builder_junos_171_r2] JUNOS mtx Data Plane Crypto Support [20170617.054345_builder_junos_171_r2] JUNOS daemons [20170617.054345_builder_junos_171_r2] JUNOS mx daemons [20170617.054345_builder_junos_171_r2] JUNOS Voice Services Container package [20170617.054345_builder_junos_171_r2] JUNOS Services TLB Service PIC package [20170617.054345_builder_junos_171_r2] JUNOS Services SSL [20170617.054345_builder_junos_171_r2] JUNOS Services Stateful Firewall [20170617.054345_builder_junos_171_r2] JUNOS Services RPM [20170617.054345_builder_junos_171_r2] JUNOS Services PTSP Container package [20170617.054345_builder_junos_171_r2] JUNOS Services PCEF package [20170617.054345_builder_junos_171_r2] JUNOS Services NAT [20170617.054345_builder_junos_171_r2] JUNOS Services Mobile Subscriber Service Container package [20170617.054345_builder_junos_171_r2] JUNOS Services MobileNext Software package [20170617.054345_builder_junos_171_r2] JUNOS Services Logging Report Framework package [20170617.054345_builder_junos_171_r2] JUNOS Services LL-PDF Container package [20170617.054345_builder_junos_171_r2] JUNOS Services Jflow Container package [20170617.054345_builder_junos_171_r2] JUNOS Services Deep Packet Inspection package [20170617.054345_builder_junos_171_r2] JUNOS Services IPSec [20170617.054345_builder_junos_171_r2] JUNOS Services IDS [20170617.054345_builder_junos_171_r2] JUNOS IDP Services [20170617.054345_builder_junos_171_r2] JUNOS Services HTTP Content Management package [20170617.054345_builder_junos_171_r2] JUNOS Services Crypto [20170617.054345_builder_junos_171_r2] JUNOS Services Captive Portal and Content Delivery Container package [20170617.054345_builder_junos_171_r2] JUNOS Services COS [20170617.054345_builder_junos_171_r2] JUNOS Border Gateway Function package [20170617.054345_builder_junos_171_r2] JUNOS AppId Services [20170617.054345_builder_junos_171_r2] JUNOS Services Application Level Gateways [20170617.054345_builder_junos_171_r2] JUNOS Services AACL Container package [20170617.054345_builder_junos_171_r2] JUNOS SDN Software Suite [20170617.054345_builder_junos_171_r2] JUNOS Extension Toolkit [20170617.054345_builder_junos_171_r2] JUNOS jplatform ex92xx [20170617.054345_builder_junos_171_r2] JUNOS Packet Forwarding Engine Support (wrlinux) [20170617.054345_builder_junos_171_r2] JUNOS Packet Forwarding Engine Support (MX/EX92XX Common) [20170617.054345_builder_junos_171_r2] JUNOS Packet Forwarding Engine Support (M/T Common) [20170617.054345_builder_junos_171_r2] JUNOS Packet Forwarding Engine Support (MX Common) [20170617.054345_builder_junos_171_r2] JUNOS jfirmware [20170617.054345_builder_junos_171_r2] JUNOS Online Documentation [20170617.054345_builder_junos_171_r2] JUNOS jail runtime [20170607.351421_builder_stable_10]
Hi Smicker,
I quickly tested on MX as well and i dont see the option apprearing. i did some research and found that this is a Software BUG but this is fixed on 17.4R2 and 17.4R1 that is the reason for karand it works fine when he Checked on 17.4R1.
Next you can test in 17.2R* latest release and you see the issue then you can directly raise a JTAC case to fix in 17.2R* release.
If the issue doesnot appear in latest 17.2R* release then we can consider it is fixedo n 17.2R* throttle as well.
Model: mx80
Junos: 17.2R1.13
JUNOS Base OS boot [17.2R1.13]
JUNOS Base OS Software Suite [17.2R1.13]
labroot@chicago> request system power-off ?
Possible completions:
<[Enter]> Execute this command
at Time at which to perform the operation
in Number of minutes to delay before operation
media Boot media for next boot
message Message to display to all users
| Pipe through a command
labroot@chicago> request system power-off
regards
Vadivelan V
Hope this helps
--------------------------------------------------------------------------------------------------------
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
--------------------------------------------------------------------------------------------------------
Where would one find the download you mention, jweb-ex-app-15.1A3-signed.tgz?
I previous was on JunOS 17.4R1 & now I tested on ex9204 running junos 17.1R2.7 same as yours & get option of power-off/halt. Could you get "show chassis hardware" & "show configuration system" from your box?
labroot@EX9200-SW1> request system ?
Mar 14 19:42:09
Possible completions:
certificate Manage X509 certificates
commit Perform commit related operations
configuration Request operation on system configuration
decrypt Decrypt a $8$ or $9$-encrypted password
halt Halt the system
license Manage feature licenses
logout Forcibly end user's CLI login session
personality-file Execute commands related to personality of a device
power-off Power off the software on RE
power-on Power on the system
process Request operation on system process
reboot Reboot the system
recover Recover a specified volume
scripts Manage scripts (commit, op, event)
snapshot Create a normal Junos or a recovery snapshot
software Perform system software extension or upgrade
storage Request operation on system storage
yang Perform YANG schema operations
zeroize Erase all data, including configuration and log files
labroot@EX9200-SW1> show version
Mar 14 19:43:32
Hostname: EX9200-SW1
Model: ex9204
Junos: 17.1R2.7
JUNOS OS Kernel 64-bit [20170607.351421_builder_stable_10]
JUNOS OS libs [20170607.351421_builder_stable_10]
JUNOS OS runtime [20170607.351421_builder_stable_10]
JUNOS OS time zone information [20170607.351421_builder_stable_10]
JUNOS OS libs compat32 [20170607.351421_builder_stable_10]
JUNOS OS 32-bit compatibility [20170607.351421_builder_stable_10]
JUNOS py extensions [20170617.054345_builder_junos_171_r2]
JUNOS py base [20170617.054345_builder_junos_171_r2]
JUNOS OS crypto [20170607.351421_builder_stable_10]
JUNOS network stack and utilities [20170617.054345_builder_junos_171_r2]
JUNOS modules [20170617.054345_builder_junos_171_r2]
JUNOS mx modules [20170617.054345_builder_junos_171_r2]
JUNOS libs [20170617.054345_builder_junos_171_r2]
JUNOS libs compat32 [20170617.054345_builder_junos_171_r2]
Did you get this fixed?
Is it something like auto-neg failing?
the switchport nonegotiate on the cisco side is related to determine the trunking mode rather than auto-neg, yet on the juniper side you have auto-neg disabled.
I have had issues in the past between cisco and juniper with this issue.
Hi all,
Trying to debug a problem with dropped packets from our firewall cluster; the cluster members are both connected to an EX2200 switch. When I look at the output of show interfaces <int> extensive on one of the firewall ints, I see the following sort of drops:
Egress queues: 8 supported, 4 in use
Queue counters: Queued packets Transmitted packets Dropped packets
0 best-effort 0 9868942044 9784947
1 assured-forw 0 0 0
5 expedited-fo 0 0 0
7 network-cont 0 4261145 0Then I looked at the output of show interfaces queue <int>, and saw this output:
Egress queues: 8 supported, 4 in use
Queue: 0, Forwarding classes: best-effort
Queued:
Transmitted:
Packets : 9872164091
Bytes : 9429934422345
Tail-dropped packets : 9790369
RL-dropped packets : 0
RL-dropped bytes : 0
Queue: 1, Forwarding classes: assured-forwarding
Queued:
Transmitted:
Packets : 0
Bytes : 0
Tail-dropped packets : 0
RL-dropped packets : 0
RL-dropped bytes : 0
Queue: 5, Forwarding classes: expedited-forwarding
Queued:
Transmitted:
Packets : 0
Bytes : 0
Tail-dropped packets : 0
RL-dropped packets : 0
RL-dropped bytes : 0
Queue: 7, Forwarding classes: network-control
Queued:
Transmitted:
Packets : 4261833
Bytes : 348050796
Tail-dropped packets : 0
RL-dropped packets : 0
RL-dropped bytes : 0So in looking up the cause of "Tail-dropped packets", the Juniper tech article said that it was most likely the result of a packet buffer overflow. My question is, what kind of buffers do the EX2200 have, are they shared between port groups, and can an EX2200 sustain line-rate 1G/sec flows or not? (All the input and output NICs from the firewall are 1G)
TL
R - experiencing dropped packets on an interface, suspect buffer overflows, how to fix?
Thanks Karand--
Here is some quickly-sanitized output.
root@ex9204-core1-re0> show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis xxxxxxxxxxxx EX9204
Midplane REV 06 750-062849 xxxxxxxx EX9204-BP3
FPM Board REV 02 760-064012 xxxxxxxx Front Panel Display
PEM 0 Rev 01 740-063046 xxxxxxxxxxx PS 1.4-2.52kW; 90-264V AC in
PEM 3 Rev 01 740-063046 xxxxxxxxxxx PS 1.4-2.52kW; 90-264V AC in
Routing Engine 0 REV 07 750-063458 xxxxxxxx RE-S-EX9200-2X00x6
CB 0 REV 09 750-062852 xxxxxxxx EX9200-SF2
FPC 2 REV 13 750-064569 xxxxxxxx EX9200 32x10G SFP
CPU REV 03 711-062860 xxxxxxxx HMPC PMB 2G
PIC 0 BUILTIN BUILTIN 8X10GE SFPP
Xcvr 0 REV 01 740-021308 xxxxxxxxx SFP+-10G-SR
Xcvr 1 REV 01 740-021308 xxxxxxxxxxx SFP+-10G-SR
Xcvr 2 REV 01 740-021308 xxxxxxxxxxx SFP+-10G-SR
Xcvr 3 REV 01 740-021308 xxxxxxxxxxx SFP+-10G-SR
Xcvr 4 REV 01 740-021308 xxxxxxxxx SFP+-10G-SR
Xcvr 5 REV 01 740-021308 xxxxxxx SFP+-10G-SR
Xcvr 6 REV 01 740-021308 xxxxxxx SFP+-10G-SR
Xcvr 7 REV 01 740-021308 xxxxxxxxx SFP+-10G-SR
PIC 1 BUILTIN BUILTIN 8X10GE SFPP
Xcvr 0 REV 01 740-021308 xxxxxxx SFP+-10G-SR
Xcvr 6 REV 01 740-021308 xxxxxxxxx SFP+-10G-SR
Xcvr 7 REV 01 740-021308 xxxxxxxxxxx SFP+-10G-SR
PIC 2 BUILTIN BUILTIN 8X10GE SFPP
PIC 3 BUILTIN BUILTIN 8X10GE SFPP
Xcvr 6 REV 01 740-021309 xxxxxxxxxx SFP+-10G-LR
Xcvr 7 REV 01 740-021308 xxxxxxxxx SFP+-10G-SR
Fan Tray 0 REV 02 711-059360 xxxxxxxx Enhanced Fan Trayroot@ex9204-core1-re0> show configuration groups
re0 {
system {
host-name ex9204-core1-re0;
radius-server {
1.1.1.12 source-address 1.1.1.8;
1.1.1.22 source-address 1.1.1.8;
}
syslog {
source-address 1.1.1.8;
}
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 1.1.1.8/26;
address 1.1.1.6/26 {
master-only;
}
}
}
}
}
snmp {
trap-options {
source-address 1.1.1.8;
}
}
}
re1 {
system {
host-name ex9204-core1-re1;
radius-server {
1.1.1.12 source-address 1.1.1.10;
1.1.1.22 source-address 1.1.1.10;
}
syslog {
source-address 1.1.1.10;
}
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 1.1.1.10/26;
address 1.1.1.6/26 {
master-only;
}
}
}
}
}
snmp {
trap-options {
source-address 1.1.1.10;
}
}
}
root@ex9204-core1-re0> show configuration system
domain-name xxxxx.com;
domain-search xxxxx.com;
time-zone PST8PDT;
authentication-order [ radius password ];
ports {
console log-out-on-disconnect;
}
root-authentication {
encrypted-password "xxxxx"; ## SECRET-DATA
}
name-server {
1.1.1.210;
1.1.1.100;
}
radius-server {
1.1.1.12 secret "xxxxx"; ## SECRET-DATA
1.1.1.22 secret "xxxxx"; ## SECRET-DATA
}
scripts {
op {
file iv-link.slax;
}
}
login {
class xxxxx1 {
login-alarms;
login-tip;
}
class xxxxx2 {
idle-timeout 15;
login-alarms;
login-tip;
permissions [ clear network reset trace view ];
}
class xxxxx3 {
idle-timeout 15;
permissions [ view view-configuration ];
}
class xxxxx4 {
idle-timeout 15;
login-alarms;
login-tip;
permissions all;
}
user xxxxx5 {
uid 2000;
class xxxxx5;
}
user xxxxx6 {
uid 2006;
class xxxxx6;
}
user xxxxx7 {
uid 2001;
class xxxxx7;
}
user xxxxx8 {
uid 2002;
class xxxxx8;
authentication {
encrypted-password "xxxxx"; ## SECRET-DATA
}
}
}
services {
ssh {
max-sessions-per-connection 32;
connection-limit 10;
rate-limit 5;
}
netconf {
ssh;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
host 1.1.1.98 {
any any;
port 4044;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
file default-log-messages {
any info;
match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|CFMD_CCM_DEFECT| LFMD_3AH | RPD_MPLS_PATH_BFD|(Master Unchanged, Members Changed)|(Master Changed, Members Changed)|(Master Detected, Members Changed)|(vc add)|(vc delete)|(Master detected)|(Master changed)|(Backup detected)|(Backup changed)|(interface vcp-)|BR_INFRA_DEVICE";
structured-data;
}
}
commit synchronize;
ntp {
boot-server 1.1.1.210;
server 1.1.1.210;
server 1.1.1.100;
}
This image has been replaced by jweb-15.1R4.6-signed.tgz. You'll find this under EX4200 Downloads -> Junos 15.1 -> bottom section -> J-Web User Interface Package
EX2200 has 1,5MB of buffer space per PFE.
It supports wire rate forwarding.
There are dedicated (per-port) and shared buffers.
Try this
#set class-of-service shared-buffer percent 100
Regards, Wojtek
For the life of me, I am unable to get dhcp snooping to work on a juniper MX 480. We are using flexible-vlan-tagging and bridge-domains. I have tried setting one port to trusted, and another to untrusted, both to untrusted... and I already know that "trunk" ports are trusted by default and "access" ports are untrusted by default. However, this seems to not matter on this setup. no matter which settings i enable (arp-inspection, option 82...) the command "show dhcp-security binding" is blank and dhcp continues to work. I need it to NOT work... per dhcp-snooping policy...
I will point out we are using an external dhcp server, not the server integrated into the juniper MX.
Is this a limitation of an MX? Has anyone attempted to use dhcp-security features on an MX?