I have several ex4200 switches handling layer 3 routing. Their interconnect is a vlan used as a multipoint mesh. Two of the switches operate as an HA pair in that they both route to a shared subnet. So they both advertise this route to the mesh. How would I go about forcing one of the switches to be the preferred router for the shared subnet?
OSPF mesh on 4200 switches?
Re: OSPF mesh on 4200 switches?
This depends on how you announce this shared segment:
- as network (in this case you can change the metric on the master so it will be preferred)
- as external (here you can also change the metric or the external route type, which can be 1 or 2)
Re: storm control on 2200C 3300 & 4300 EX
Right, storm control is what is known as a BUM filter, limiting broadcast, unknown unicast and multicast traffic with a policer.
None of this will affect normal unicast traffic like voip connections.
I would leave this at the normal settings. You don't want this type of traffic to get anywhere near 80%.
The only exception would be if you were running a true multicast application and configuring multicast on the SRX to assist in that process.
Re: Help With Trunking between 2 EX4200's
You can confirm whether the default route is the issue by moving that mgmt port to a separate virtual-router routing instance and using it for the mgmt access. This will prevent that route from affecting the other VLAN traffic.
Add the external interface to this instance:
set routing-instances oob instance-type virtual-router
set routing-instances oob interface ge-0/0/46.0
Delete the current static route and put it into the virtual router:
delete routing-options static route 0.0.0.0/0
set routing-instances oob routing-options static route 0.0.0.0/0 next-hop 172.16.1.1
Re: OSPF mesh on 4200 switches?
Hello,
wrote: I have several ex4200 switches handling layer 3 routing. Their interconnect is a vlan used as a multipoint mesh. Two of the switches operate as an HA pair in that they both route to a shared subnet. So they both advertise this route to the mesh. How would I go about forcing one of the switches to be the preferred router for the shared subnet?
Since You are essentially operating a full mesh network (every switch has a direct link to every other switch), the easiest way is to inject the subnet in question as internal or External Type 1 on switchA and as External Type 2 on switchB. External Type 2 is least preferred among OSPF route types.
I hope You are familiar with how JUNOS injects routes into OSPF, but here they are anyway:
1/ make the interface "passive" under "protocols ospf area X interface Y" - injects it as LSA1/LSA2
2/ OSPF export policy with "then accept" - injects it as LSA5 Type 2 / LSA7 Type 2 if NSSA
3/ OSPF export policy with "then external type 1; accept" - injects it as LSA5 Type 1 / LSA7 Type 1 if NSSA
Please be aware that You cannot re-export the received OSPF Type 2 route into Type 1 and vice versa:
https://forums.juniper.net/t5/Routing/Export-OSPF-route-in-type-1/td-p/300135
- unless You use "instance-type no-forwarding" but I digress...
HTH
Thx
Alex
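A worked Junos configuration for the scheme Alex describes, added here as an example and not taken from the thread: the shared subnet is exported as External Type 1 on switchA and as External Type 2 on switchB, so every other switch in the mesh prefers switchA and falls back to switchB only if its LSA disappears. The subnet 10.10.100.0/24, the mesh interface vlan.100 and the policy names are assumptions.

```junos
## switchA: preferred router for the shared subnet (assumed 10.10.100.0/24)
## Export only the directly connected shared subnet, as OSPF External Type 1.
set policy-options policy-statement SHARED-SUBNET-T1 term shared from protocol direct
set policy-options policy-statement SHARED-SUBNET-T1 term shared from route-filter 10.10.100.0/24 exact
set policy-options policy-statement SHARED-SUBNET-T1 term shared then external type 1
set policy-options policy-statement SHARED-SUBNET-T1 term shared then accept
## Explicit final reject so no other direct/static route leaks into the mesh.
set policy-options policy-statement SHARED-SUBNET-T1 term reject-rest then reject
set protocols ospf export SHARED-SUBNET-T1
## Only the mesh VLAN interface (assumed vlan.100) runs OSPF. The shared-subnet
## interface is deliberately NOT listed under OSPF, otherwise it would also be
## injected as an intra-area LSA1/LSA2 route and the export policy would be moot.
set protocols ospf area 0.0.0.0 interface vlan.100

## switchB: backup router, same subnet exported as External Type 2 (least preferred)
set policy-options policy-statement SHARED-SUBNET-T2 term shared from protocol direct
set policy-options policy-statement SHARED-SUBNET-T2 term shared from route-filter 10.10.100.0/24 exact
set policy-options policy-statement SHARED-SUBNET-T2 term shared then external type 2
set policy-options policy-statement SHARED-SUBNET-T2 term shared then accept
set policy-options policy-statement SHARED-SUBNET-T2 term reject-rest then reject
set protocols ospf export SHARED-SUBNET-T2
set protocols ospf area 0.0.0.0 interface vlan.100

## Verification, run on any third switch in the mesh: the active route to the
## shared subnet should point at switchA, and the external LSAs should show
## type 1 originated by switchA and type 2 originated by switchB.
show route 10.10.100.0/24
show ospf database external extensive
```

If the shared subnet should instead be reachable when both pairs lose the mesh, keep both exports but remember the Type 1 metric still accumulates the path cost, so an unequal internal cost to switchA cannot make switchB's Type 2 route win.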
Re: storm control on 2200C 3300 & 4300 EX
Thank you Steve,
then I will leave it:
interface all {
}
as enabled only and not messing with other setting of storm control.
Thank you again for helping here.
Re: Why is 802.1X on trunk ports not supported?
From an old Forums thread (https://forums.juniper.net/t5/Junos/ex4200-port-mode-tagged-access/td-p/273964) the answer is that EX4500 supports VEPA (https://www.juniper.net/documentation/en_US/junos/topics/concept/bridging-edge-virtual-bridging-understanding.html), while EX4200 does not.
What you want to do cannot be done with EX4200. It appears that only EX4500 or [now EOL] EX8200 had such support:
Re: Help With Trunking between 2 EX4200's
Thank You! I will give this a shot!
Is there any other way to get around this? Like using the me0 port on the back of the switches?
I had also previously been using vlan1000 instead of the default vlan. Same problem with that as I'm experiencing now.
Thanks again!
Re: Help With Trunking between 2 EX4200's
OK, so I reset the switches and set them up again. This time I used the OOB port on the back of the unit. This seems to have solved the issue!
Thank You for all the help!
How to clear BPDU error on EX-4300
Hi,
I am running 13.2X51-D35 on an EX-4300 switch; one edge port was shut down because of BPDU guard. How do I recover it? The document says "clear bpdu-error interface", but this command is not available. Not sure why such a basic command was not maintained.
ex4300-32f> clear b
^
'b' is ambiguous.
Possible completions:
bfd Clear Bidirectional Forwarding Detection information
bgp Clear Border Gateway Protocol information
bridge Clear learned Layer 2 MAC address information
{master:0}
Re: How to clear BPDU error on EX-4300
I figured this out; the new command is "clear error bpdu interface interface-name <>".
Next question: how do I configure the time-out value for a BPDU-guard-disabled interface to bring itself up? It used to be under "ethernet-switching-options".
Configuration Group
Hello All,
I am trying to learn how to use configuration groups. I wrote this small configuration to set the system hostname using a configuration group. But it's not working as expected. I expected the hostname to change to "Group".
[edit]
krishna@R1# set groups Test system host-name Group
[edit]
krishna@R1# set apply-groups Test
[edit]
krishna@R1# commit and-quit
commit complete
Exiting configuration mode
krishna@R1>
Can anyone please tell me what's wrong with this config?
Re: Configuration Group
You run into an issue with multiple configurations affecting the same thing. So you have a config that sets the hostname to "R1" and you also have a config group that sets the hostname to "Group". So which one does the router choose?
As you can see from your output, whatever is directly configured wins. If you delete the configured hostname, "delete system host-name", your hostname should then change to "Group".
You can verify this with a commit, or before committing you can issue "show system | display inheritance" to see the configuration inherited from the Test group.
Re: every time i log in i get "You have pending changes from previous commit"
Sorry for the late reply and thank you for your response.
Yes, I do get output; it is showing basically the same thing twice, which is the SSL certificate that I am trying to install.
Re: every time i log in i get "You have pending changes from previous commit"
Hi,
Could you paste the output of "show | compare" to see what configuration rolls back post-commit? And could you try "commit full" and see if that helps?
Since you mentioned the SSL certificate, I assume you are trying to access/set up secure web access? If yes, it could be that the SSL certificate got messed up, and you will need to import it again to see if that helps.
Try to import the PEM file again and delete services web-management, then re-configure everything again to force the kernel to be reprogrammed and a new file to be generated, now with SSH v2.
For instance:
- delete system services web-management
- commit full
- set system services web-management http
- commit
- delete security certificates local
- commit full
- set security certificates local abc load-key-file /var/tmp/xyz.ca.pem
- set system services web-management https local-certificate abc
- show | compare
- commit full
Generating and installing the SSL certificate to be used for Secure Web Access for EX Series switch
https://kb.juniper.net/InfoCenter/index?page=content&id=KB19726
Re: How to clear BPDU error on EX-4300
Timeout is configured under protocols layer2-control:
user@switch# set protocols layer2-control bpdu-block disable-timeout ?
Possible completions:
  <disable-timeout>    Disable timeout for BPDU Protect (10..3600 seconds)
Integrating Juniper switches with Cisco Identity Services Engine NAC solution
Hi Experts,
As per the new policy in our organization, we are in the middle of deploying a NAC Solution from Cisco.
And as a part of that deployment, I need to integrate 90 Juniper switches with Cisco's NAC solution.
Before I go ahead and start the integration, I want to run tests with our test switches to formulate and come up with results for use cases like authentication, authorization, posture checks, guest and MAB.
I have been looking over the internet for reliable sources to get this deployment done smoothly, but no luck.
Could you please assist me with this deployment and testing?
Any references to configuration documents and other material are highly appreciated.
Re: Integrating Juniper switches with Cisco Identity Services Engine NAC solution
I assume the Cisco NAC solution will be using 802.1X/RADIUS. In that case, it is probably best to start here from the Juniper switch set-up perspective:
https://www.juniper.net/documentation/en_US/junos/topics/concept/802-1x-overview.html
I would also assume that Cisco NAC documentation would have some information regarding set-up and configuration with 3rd party non-Cisco switches.
Re: Integrating Juniper switches with Cisco Identity Services Engine NAC solution
Thanks for the quick response on the documentation to follow.
There is one more thing that I would like to know: unlike on the Cisco switches, where I could configure one ACL and have it called through NAC, is there something similar that I could do on a Juniper switch as well?
Or is there a completely different approach that I need to take?
Re: Integrating Juniper switches with Cisco Identity Services Engine NAC solution
In Juniper/Junos lingo, ACL-type functions are referred to as Firewall Filters. For info look here: