You configure this in Junos under system archival. You can have this occur on regular intervals or every time a commit is done on the device.
The link above is almost perfect, with one caveat: the SSH target host must exist in known hosts.
Look at this explanation:
https://forum.ivorde.com/junos-system-configuration-archival-is-not-working-over-scp-t19351.html
I also found one bug in archival
BUG
Let's say I show here:
# edit system archival configuration archive-sites
# show
"scp://ftp@10.0.10.107:22" password "$9$F5oA69p1RSyeW"; ## SECRET-DATA
"scp://ftp@10.0.10.107" password "$9$sYgoGHqf5z6"; ## SECRET-DATA
{master:0}[edit system archival configuration archive-sites]
then I want to delete the first one
root# delete "scp://ftp@10.0.10.107:22" password "$9$F5oA69p1RSyeW"
{master:0}[edit system archival configuration archive-sites]
it's not properly deleted
root# show
"scp://ftp@10.0.10.107:22";
"scp://ftp@10.0.10.107" password "$9$sYgoGHqf5z6"; ## SECRET-DATA
{master:0}[edit system archival configuration archive-sites]
I need to delete one more time
root# delete "scp://ftp@10.0.10.107:22"
{master:0}[edit system archival configuration archive-sites]
then it will be ok
root# show
"scp://ftp@10.0.10.107" password "$9$sYgoGHqf5z6"; ## SECRET-DATA
then I want to delete the first one
root# delete "scp://ftp@10.0.10.107:22" password "$9$F5oA69p1RSyeW"
{master:0}[edit system archival configuration archive-sites]
it's not properly deleted
root# show
"scp://ftp@10.0.10.107:22";
"scp://ftp@10.0.10.107" password "$9$sYgoGHqf5z6"; ## SECRET-DATA
{master:0}[edit system archival configuration archive-sites]
The thing to note is that the Junos configuration is NOT a flat file single line but a hierarchy.
delete "scp://ftp@10.0.10.107:22" password "$9$F5oA69p1RSyeW"
This deletes the PASSWORD only, since the password is under the URL hierarchy. This is called a leaf object; the command only deletes the leaf.
delete "scp://ftp@10.0.10.107:22"
This will delete the url and everything under it including the password
The first connect will prompt to save the host key, and this, when accepted, becomes part of the configuration. You can also pre-add this to the configuration.
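The two conditions raised in this thread, an archive-site entry left behind without its password leaf and an scp target whose host key is not in the configuration, can be checked offline against `show configuration | display set` output. This is an added example, not code from the posts; `audit_archival`, the 192.0.2.20 site and the placeholder key are constructed for illustration.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample in "show configuration | display set" form. The first two
# archive-sites mirror the state shown in the thread after the leaf-only delete;
# 192.0.2.20 and the key value are placeholders.
SAMPLE = """\
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "scp://ftp@10.0.10.107:22"
set system archival configuration archive-sites "scp://ftp@10.0.10.107" password "$9$sYgoGHqf5z6"
set system archival configuration archive-sites "scp://backup@192.0.2.20:/configs" password "$9$PLACEHOLDER"
set security ssh-known-hosts host 192.0.2.20 rsa-key PLACEHOLDER-HOST-KEY
"""

ARCHIVE = ["set", "system", "archival", "configuration", "archive-sites"]
KNOWN = ["set", "security", "ssh-known-hosts", "host"]


def audit_archival(display_set):
    """Return (url, issue) pairs for scp archive sites that need review."""
    sites = {}     # url -> True once a password leaf has been seen under it
    known = set()  # hosts that have a key under security ssh-known-hosts
    for line in display_set.splitlines():
        tok = shlex.split(line)  # honours the quoted URL and password strings
        if tok[:5] == ARCHIVE and len(tok) > 5:
            url = tok[5]
            sites[url] = sites.get(url, False) or "password" in tok[6:]
        elif tok[:4] == KNOWN and len(tok) > 4:
            known.add(tok[4])

    findings = []
    for url, has_password in sites.items():
        parts = urlsplit(url)
        if parts.scheme != "scp":
            continue
        if not has_password:
            # The URL node survives when only its password leaf was deleted.
            findings.append((url, "no-password"))
        if parts.hostname not in known:
            # Without a stored host key the transfer stops at the host-key prompt.
            findings.append((url, "host-key-missing"))
    return findings


if __name__ == "__main__":
    for url, issue in audit_archival(SAMPLE):
        print(f"{issue:18} {url}")
```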
Can someone please guide me on this?
Hi,
I will try to guide you... and start by highly recommending that you schedule a maintenance window for this and copy a backup of your configuration off box, just in case.
Please review everything I do, as it's just written instructions which I haven't done on actual equipment.
1) Change the Backup Role from FPC -0 to FPC-3.
configure
set virtual-chassis member 3 role routing-engine
set virtual-chassis member 3 mastership-priority 100
set virtual-chassis member 0 role line-card
commit and-quit
2) After that FPC1 would be my master and FPC 3 would be my backup. FPC 0 and FPC-2 would be in linecard role.
just verify this via 'show virtual-chassis status'.
3) Then I want to remove FPC 0 and FPC 2 from this virtual chassis.
You have to be careful not to remove both paths in your VC, but something like with the assumption that you have cabled your VC in a ring-topology. Between each step you can validate via the 'show virtual-chassis vc-port' command.
4) After the removal of FPC 0 and FPC 2, only two members (FPC 1 and FPC 3) will be left in that virtual chassis.
Validate via show virtual-chassis status and clear information regarding fpc0 and fpc2:
request virtual-chassis recycle member-id 0
request virtual-chassis recycle member-id 2
5) I want to change FPC 1 to FPC 0 ( MASTER) and FPC 3 TO FPC 1 ( Backup).
First you want to delete all interfaces related config for fpc0 and fpc2:
configure
wildcard delete interfaces ge-0/*
wildcard delete interfaces xe-0/*
wildcard delete interfaces ge-2/*
wildcard delete interfaces xe-2/*
commit and-quit
Then you renumber one switch at a time (the switch will reboot!)
request virtual-chassis renumber member-id 1 new-member-id 0
After fpc1 has rebooted and become fpc0, you have to move interface configuration.
configure
replace pattern ge-1 with ge-0
replace pattern xe-1 with xe-0
commit and-quit
Then you do the same for fpc3 -> fpc1.
Finally you remove any leftover configuration for the newly removed switches under the virtual-chassis stanza.
I have brand new EX3400 switches. When I issue the command
root# set chassis aggregated-devices ethernet device-count 10
the "ae0 to ae9" interfaces don't show up in "interface terse", so I wonder if there is a feature that needs to be enabled?
Even though it's working fine with the old EX3200 switches that I have.
thanks in advance
AE interfaces won't show up operationally until you've configured them.
set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options link-speed 1g
set interfaces ae0 unit 0 family ethernet-switching interface-mode access
You are right. I would definitely prefer install VIP as next hop on downhost, because VIP in MC-LAG is processed by both peers - even backup vrrp host.
The problem is that I can't change the next-hop on OSPF. Each MC-LAG peer sends LSAs from its IRB, not from the VIP. On BGP you can change the next-hop to the VIP in a routing policy, but not on OSPF, I think.
A couple of comments:
#1 - I would not recommend running [plain] 15.1 on any switching product. For QFX5100, I believe 14.1X53 is best, while for something like QFX5110, 15.1X53 is best. I would certainly not run 18.x, at this time.
#2 - Yes since you are using VRRP config, do NOT set mac-sync.
#3 - It appears 15.1R3 added in a change of behavior for MC-LAG. See this KB (very last statement about 16.1 is VERY confusing; I assume this is maybe a typo and should read 15.1[R3]??):
https://kb.juniper.net/InfoCenter/index?page=content&id=KB32549&actp=METADATA
So if you are going to run 15.1, you may want [need?] to delete static ARP entry??
#4 - I assume your edge device is some L3/Router device running OSPF. So when a packet arrives at either QFX5100 MC-LAG node, it should be a route lookup and next-hop MAC that takes place, yes? Do both nodes have a proper route table and proper next-hop MAC address?
Good luck.
Thanks a lot, Jonas. Really appreciate it. I will perform this and let you know. One more thing I would like to ask: after removing FPC 0 and FPC 2 from this virtual chassis, I want to create another separate virtual chassis with them, in a scenario where FPC 0 would be master and FPC 2 would be backup. In order to configure them in the above-mentioned scenario, do I need to remove every config on them? Because the previous config would be present on them. If I need to remove the whole config on them, then how can I remove the whole config of the previous virtual chassis configured on them? And I guess I need to POWER UP FPC 0 first in order to make it master? Kindly guide me on these above-mentioned tasks too.
Thanks
I would suggest that you run a 'request system zeroize' on both members you removed from the virtual chassis and then ensure the switch you want to become master is booted first.
When you have two unconfigured switches you can follow this documentation page:
Then you would end up having the newly created virtual chassis with fpc0 and fpc1 and no legacy configuration.
Actually on both virtual chassis you should also configure 'no-split-detection':
(Optional: Recommended for a two-member Virtual Chassis) On the master switch, disable the split and merge feature:
[edit virtual-chassis]
user@switch# set no-split-detection
Hi all,
New to the forums but I've done a bit of searching and can't seem to find the scenario I'm looking to solve for. I have an EX3400 on which I need to take incoming untagged traffic on multiple ports, mark the same inner VLAN on each but different outer VLANs on each port, to be conditioned to go out multiple trunk ports facing northbound.
For example:
Port 1: Trunk port for VLAN 1000
Port 2: Trunk port for VLAN 2000
Port 3: Trunk port for VLAN 3000
Port 4: Access port to double-tag 1000+50
Port 5: Access port to double-tag 2000+50
Port 6: Access port to double-tag 3000+50
(etc).
Here's the config I've used in the past to add a single VLAN but I haven't found a config for this yet (and to further complicate, won't have one in front of me to play with until it's time to get it up and running).
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members S-TAG-1
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members S-TAG-2
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members S-TAG-3
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members S-TAG-1
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members S-TAG-2
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members S-TAG-3
set vlans S-TAG-1 vlan-id 1000
set vlans S-TAG-2 vlan-id 2000
set vlans S-TAG-3 vlan-id 3000
Any suggestions on how to accomplish that would be greatly appreciated, whether double-tagging ingress on 4-6, or single-tagging ingress on 4-6 and pushing an outer vlan egress on 1-3.
Cheers!
Hi all,
New to the forums but I've done a bit of searching and can't seem to find the scenario I'm looking to solve for. I have an EX2200 on which I need to take incoming untagged traffic on multiple ports, mark the same inner VLAN on each but different outer VLANs on each port, to be conditioned to go out with the same inner VLAN on multiple trunk ports facing northbound.
For example:
Port 1: Trunk port for "Store A" VLAN 50
Port 2: Trunk port for "Store B" VLAN 50
Port 3: Access port for "Store A" VLAN 50
Port 4: Access port for "Store B" VLAN 50
(etc).
My expected behavior is that for "Store A," Port 3 receives untagged traffic, adds VLAN 50 and any local S-Tag (ex. 1000), then pops off the S-Tag on the way out the trunk port (1) so that it leaves the switch as VLAN 50. "Store B" should have the same behavior but use a different S-Tag to differentiate the traffic.
I can add a single VLAN tag to untagged traffic when it comes in but not sure how to differentiate the traffic between the two separate customers/ports that use the same VLAN ID. I've also looked into Private VLANs but I wasn't able to find a way to use the same VLAN ID northbound for two promiscuous ports.
Any suggestions on how to accomplish that would be greatly appreciated!
Cheers!
Hello, the Juniper community.
I generate traffic towards the EX4600 switch (EXFO) and I would like the traffic to go back through the physical loop on the optical port.
I did this measurement on EX4200 using the "no-mac-learning" option but in the case of EX4600 it does not work.
How to do it on EX4600? Is it possible at all?
Piotr Najduk
Network Engineer.
I'm not following what behavior you want in the VLAN transport, as everything is labeled the same VLAN here.
You have two access ports in vlan 50
and two trunk ports with vlan 50 tagged
That all is so far normal vlan behavior.
From the description you want to push vlan ids on the "access" ports? Maybe a different one per client?
But have the same vlan id inbound on the "trunk" side?
In other words, where exactly do you want to do the push/pop and where exactly are the VLAN overlaps?
Did you check ethernet-switching table to make sure no-mac-learning is actually set properly for your vlan in question? See here for details:
If you are trying to perform this action at the interface level, not sure if actually supported on both platforms or not -
Good luck and HTH.
Just like @spuluka very confused as to what you are actually trying to accomplish with your traffic separation. Maybe if you tell us what you are trying to accomplish, versus a how, people could help you.
As far as your question, I believe what you are trying to do is not possible without using VRFs of some sort. Basically you would want an L2 VRF for each situation, which then "should maybe?" allow you to use the same VLAN number within each VRF. The interfaces would also apply to each VRF - switch VRF in your case, which might be a VRF of type routing-instance for EX2200, but with no L3 configured.
What really confuses me is why each 'store' must use the same VLAN-ID? The VLAN-ID is just a number which for access ports only has local significance, so why each store would not be assigned its own unique VLAN-ID confuses me... This might make your "how" easier.
I would suggest this behavior is normal and expected. Since LAG is a local implementation, that is there is no standard covering this technology, there is no way for a LAG on one end to know there is non-LAG on the remote side. I am thinking if you enable some form of STP on both sides, this may cause non-LAG side to block one link.
Juniper defaults STP to type RSTP and you would also need to set VLAN 1 as default-vlan, as unlike Cisco this is not the default behavior for Juniper. This assumes VLAN 1 is not the only VLAN assigned to this LAG.
I do assume you have LACP active on both sides, but this operates at per link level, not LAG level.
Good luck, HTH.
Thanks for the answer.
Learning MAC addresses I have disabled as below:
EX4600-Pomiar> show configuration vlans pomiar700
vlan-id 700;
switch-options {
no-mac-learning;
}
I check if it works like this:
EX4600-Pomiar> show ethernet-switching table vlan-id 700
Master {0}
EX4600-Pomiar>
I only see incoming traffic on port xe-0/0/0 but the switch does not forward them to port xe-0/0/23
EX4600-Pomiar> show vlans 700
Routing instance VLAN name Tag Interfaces
default-switch pomiar700 700
xe-0/0/0.0 *
xe-0/0/23.0 *
Master {0}
Port 23 has an optical module SFP+ with a patchcord loop. The rstp protocol is disabled.
I made a sniff of measuring traffic and I see that the source and destination MAC addresses are the same.
And this is probably the reason why traffic is not forwarded. However, why does disabling MAC address learning for this VLAN not solve the problem?