Hi,
could you please try the following option
set forwarding-options analyzer ERSPAN output destination-ip <monitoring station ip>
more details on other settings:
https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series-els.html
In wireshark you may need to set option to parse as ERSPAN
Edit -> Preferences -> Protocols -> ERSPAN -> Check “FORCE to decode fake ERSPAN frame"
a) An interface will automatically be "up" once connected - even without a corresponding entry in the configuration - right ?
Yes, that is correct.
b) If answer to a) is yes -> is there any security concern or impact ? What can an interface without a logical unit in Juniper do ? or rather what can an "up interface" without a corresponding entry in the configuration do ? Does it accept/transmit any form of traffic ?
or is there some sort of "default" configuration for an interface if it is not explicity configured/specified in the configuration
The physical interface will only have physical attributes such as MTU=1500, duplex mode = full, but no traffic forwarding enabled.
Interfaces have NO logical properties by default. That means no address or family (inet, inet6, ethernet-switching, and so on) enabling packet processing. All of these are configured under logical interfaces/units.
There is NO default configuration UNLESS you load the factory-defaults (like you saw in your switch) which adds family-ethernet-switching for example.
There is NO logical properties unless explicitly configured/specified in the configuration (either by you or with the factory default configuration).
c) Will the best practise = to make sure entries for all interfaces are configured in the configuration and set to disable ?
Some people do that for peace of mind, but I do not think that is necessary. Removing the factory default configuration (family ethernet-switching) would be enough.
HTH,
I am trying to setup MPLS over a GRE tunnel on the QFX5100, has anyone been able to work around it?
Thanks
Hello,
I'm having a difficult time figuring out how to disable virtual chassis mode on the EX4300. I've already deleted all the VCP's by doing 'request virtual-chassis vc-port delete pic-slot 1 port [0-4]' and confirmed they are no longer there by running 'show virtual-chassis vc-port'. I also tried deleting all files under /config/vchassis. However, no matter what I do, every time I run 'show virtual-chassis' command, the second line keeps saying 'Virtual Chassis Mode: Enabled' as well as {master:0} being above every cli prompt.
Is there a way to completely disable Virtual Chassis mode and only use it as a single switch?
Thank you!
Hi Rene1,
If you have any MX or SRXx on the network, you could run GRE encapsulation between them and QFX could simply do MPLS routing.
For entire MPLS over GRE, I'm afraid with QFX5100's its still unsupported:
Hope this helps.
Regards,
-r.
--------------------------------------------------
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated 
.
Hi Caleb,
Virtual chassis is enabled by default, but it will function as a VC until you plug in a VC cable and connect the switch to an other switch with VC supported. So if you've removed the VCP cables and the VC configuration from the box, you can use it as a single switch right now. There will be no difference when you see VC is enabled on a standalone EX, that's just a default behavior that any EX/QFX is VC ready .
Hope this helps.
Regards,
-r.
--------------------------------------------------
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated .
Hi Caleb,
Virtual chassis is enabled by default, but it will "not" function as a VC until you plug in a VC cable and connect the switch to another switch with VC supported. So if you've removed the VCP cables and deleted the VC configuration from the box, you can use it as a single switch right now.
There will be no difference when you see VC is enabled on a standalone EX, that's just a default behavior that any EX/QFX is VC ready 
.
Hope this helps.
Regards,
-r.
--------------------------------------------------
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated .
That's kinda what I thought, but wasn't sure if there was a way to completely disable it or something.
Thank you!
Thanks Mriyaz
That was the next step, thought I'd try see if there were new updates on this functionality on the QFX.
Regards.
I like to preload the interface configurations with a disable and description on all the unused interfaces.
We have monitoring that alerts for down interfaces, so when optics are inserted and the interface is not configured as disable it will come up and be link down while it waits for the physical connection generating an alarm.
the list of existing and consisten descriptions let's me know at a glance how many interfaces are open and available on the device for use with a show command
show interfaces descriptions | match LABEL
ANy update on this?
Just asking. What if any limites dose the 4300-MP hypervisor limit to the Junos instance ?
I see the box has 8 gig ram and the Junos 18. instance shows it is given 4gig . So what else is limited ?
Just woundering things like
Is the priority of the pricess the hypervisor is running Junos set to real time , or normal ?
And anything else anyone is willing to eductate me with id be happy to know..
The purpose im asking this type of information is just to create baselines..
What do these lines mean ? The items in BOLD are posted to the screen when doing an upgrade.
============================================
Current Host kernel version : 3.14.52-rt50-WR7.0.0.9_ovp
The rt dose that mean kernel is complied for RealTime ?
ovp = Wind River Open Virtualization Profile . From my googling is it like vmware tools adds hooks to hypervisor and guest ?
Package Host kernel version : 3.14.52-rt50-WR7.0.0.9_ovp
Current Host version : 3.0.9
Package Host version : 3.1.0
What dose those last two lines of Host version mean ? If my current is 3.0.9 and the package was complied built a version higher
why would it not just update my host version to keep it up dated ?
Min host version required for applications: 3.0.0
Skipping Host OS upgrade!
I understand Min Version is 3.0.0 but why did you skip updating my host ???
============================================
Hi tgreaser,
That is just telling us there is an updated host version between the current Junos and the newer one you're installing. If we're seeing this "while" doing an upgrade, that's informational and update hasn't happened yet. If you've already pushed the image and rebooted to upgrade the box, I'd expect the updated version to reflect. Just check "show version detail" after the upgrade is completed.
Hope this helps.
Regards,
-r.
--------------------------------------------------
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated .
Would anyone be able to direct me to any detailed docs to read up on the system ddos-protection stuff ?
Right now im looking for EX platform stuff but will soon be needing this for QFX (and MX if i get my buget funded).
I undertand this idea. Cisco calls it Control Plane Policing ( CPP) . Since we do the default action of protect-re filters
im just want to see what this ddos-protection can do in line with that and how to bettter tshoot it if we need to..
We run Nexus (will be replacing with qfx) and have had to deal with the Fcards sending traffic to its Mcards and havign issues with the with CPP. So just wanting to jump ahead with issues ive dealt with in the past..
Maybe an Ambassador Day One recipe idea ??!?!? Hint Hint.
Hi tgreaser,
These should help get you started with DDOS protection on Junos:
Hope this helps.
Regards,
-r.
--------------------------------------------------
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated .
I'm not sure whether there's a day one book describing that (hopefully someone could point to it if there is one).
Check this link for more info on QFX ddos policers (general overview): https://www.juniper.net/documentation/en_US/junos/topics/concept/ddos-protection-qfx-series.html
KB entry displaying some of HW specifics: https://kb.juniper.net/InfoCenter/index?page=content&id=KB31827
Current Host version : 3.0.9 --- host version currently running on your device
Package Host version : 3.1.0 --- host version in the install package you are using
By default HOST is not upgraded automatically. You can use "force-host" upgrade option to get HOST part upgraded.
I have problem with SFP-T modules in EX2300 uplink ports.
They are properly detected in chassis hardware with a name and s/n but the logical link is down so I can't pass any traffic throught it.
Weird thing is that the link on other side in EX2200 physical port comes up when I connect the cable and it blinks as it were passing some traffic but on EX2300 uplink side the LEDs for power and traffic are off.
I have a batch of SFP-T modules (non-Juniper but programmed for it) which works till you reboot the switch after which you need to re-attach them physically to make them function properly.
I have original SFP-T modules and few other from different vendors and even those programmed for Cisco. All of them are working fine with older hardware EX2200/EX3300 but not on ELS hardware EX2300/EX3400.
Maybe someone stumbled on this problem and solved it as I don't really have any idea why this happens and how to solve this.
What version and platform do you have?
For example, if it's qfx5100 try using 14.1X53-D40 (and higher) or 17.1R3 (and higher)