Re: QFX5200 Virtual Chassis ports


STP BPDU filtering with l2 firewall filter


Hi All,

Thank you for taking the time to read my question.

I have a spanning-tree free core network of 4 location/devices (EX92x + MX) which is running MPLS+EVPN. This pretty much functions as a dumb switch for a lot of VLANs.

 

Currently, all STP BPDUs from edge switches are running through the entire network. Any change or switch up/down will cause STP to recalculate the tree, thus impacting all switches on every edge location. This is not desired as we want isolation on every location.

 

To solve this issue, my idea was to have a STP root bridge on every location. Even for the same VLANs.

To achieve this, I want to block BPDUs on the core routers. To be more precise: an L2 filter on the core interface to the edge switch. This way BPDUs from other locations should not hit other locations, thus creating multiple root bridges. More information here:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB30304&cat=SWITCHING&actp=LIST

 

Since we are running multiple VRFs and EVPN instances, interfaces are configured as follows:

[edit interfaces ae33]
USER@LOCATION1-CORE01# show
description labsw1;
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 511 {
    encapsulation vlan-bridge;
    vlan-id 511;
}
unit 827 {
    encapsulation vlan-bridge;
    vlan-id 827;
}
unit 829 {
    encapsulation vlan-bridge;
    vlan-id 829;
}

 

When applying the filter, I am running into the following issue:

Warning: referenced filter must be defined under firewall family any

 

However, when I move the filter to Firewall Family Any, there is no option for L2 destination-mac filtering.

 

Does anyone have an idea on how I can apply an L2 filter in my scenario?

 

Re: SFP-T in EX2300 on 18.4R1


Hi Looki,

 

Please check if auto-negotiation settings on both sides are the same.

 

If they are the same and the issue is still seen, you might try the following:

If it is enabled on both sides, please try to disable it, alternatively try to enable it.

 

Regards,

Roman

Re: SFP-T in EX2300 on 18.4R1


Hello Looki,

 

I'd recommend you to use the recommended Junos 18.1R3 (or 18.1R4): 
https://kb.juniper.net/InfoCenter/index?page=content&id=kb21476  

 

Also found this issue where 18.4R1 is already slated to be removed from the "Resolved In" list:

https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1360602

 

It'll be great if you share your feedback so others can benefit from your post.

 

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

Re: STP BPDU filtering with l2 firewall filter


I found command;

set protocols layer2-control bpdu-block interface

 

But this shuts the interface if a BPDU arrives. That will break things. The "Drop" option is missing.

Re: STP BPDU filtering with l2 firewall filter


Hi Ballistic,

 

There is an option to configure "drop" after the interface name.  You can drop BPDUs per interface:

 

root@Juniper#set protocols layer2-control bpdu-block interface xe-0/0/0 ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
disable Disable bpdu-block on a port
drop Drop xSTP BPDUs

 

Hope this helps.

 

Regards,
-r.


Re: STP BPDU filtering with l2 firewall filter


Thank you for your input. My EX9200 on 14.2 does not have that option;

 

USER@LOCATION1-CORE01# set protocols layer2-control bpdu-block interface xe-0/0/0 ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
disable-timeout Disable timeout for BPDU Protect (10..3600 seconds)
+ interface Interface name to block BPDU on


Re: SFP-T in EX2300 on 18.4R1


Hi mriyaz,

 

I will try to install 18.1R3-S3 as by KB it fixes some problems with EX2300 and maybe it will work with SFP-T.

 

I wanted to make it run on 18.4R1 because from this version DHCP snooping and private VLANs are working, but I think the version is the problem, as in the meantime I downgraded to 15.1X53-D590 and SFP-T started working.

 

Thanks for that PR link but it's a bit misleading because it states that the issue is resolved in 18.4R1, which I can for sure say it isn't.

 

BTW, I have a few SFP-T and done all things I can imagine on them as disabling auto-negotiation on both end, on one of them, putting speeds to 1g and full-duplex and nothing worked.


Re: SFP-T in EX2300 on 18.4R1


Confirmed, it is working fine on Junos 18.1R3-S3.8 with different SFP-T (even those programmed for Juniper).

Tried even restarting it and they still went up fine and transmitted the traffic.

 

Do you maybe know when this issue will be resolved in 18.4 to have the function of dhcp snooping with SFP-T working?

Re: STP BPDU filtering with l2 firewall filter


Hi Ballistic,

 

This seems to be some cosmetic issue just on 14.2.  I can see it on all other major releases (15.x/16.x/17.x).  If you're starting off, it's better to use a JTAC recommended release: https://kb.juniper.net/InfoCenter/index?page=content&id=kb21476

 

Just for assurance:

root@Juniper# run show version | no-more
Hostname: Juniper
Model: ex9208
Junos: 17.4R2.4

[edit]
root@Juniper# ...ntrol bpdu-block interface xe-0/0/0 ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
disable Disable bpdu-block on a port
drop Drop xSTP BPDUs 

 

If you don't immediately have the liberty of upgrading, you can use the disable option and set the disable-timeout to the lowest (10sec) so the port is disabled for 10secs and auto-recovers, for the time being.  Although that'll be a pain to see drops for a few secs.  Hence best to look to move to the recommended Junos so you're good.

set protocols layer2-control bpdu-block disable-timeout 10

 

Hope this helps.

 

Regards,
-r.


Re: SFP-T in EX2300 on 18.4R1


Hi Looki,

 

That's good news, then we got the PR right.  It's best if you take the PR and check with JTAC for the correct 18.4 release slated to fix this.

 

Hope this helps.

 

Regards,
-r.


Re: STP BPDU filtering with l2 firewall filter


Hi,

 

please give a try with the following :

set firewall family bridge filter BPDU term 1 from destination-mac-address 01:80:c2:00:00:00/48
set firewall family bridge filter BPDU term 1 from destination-mac-address 01:00:0c:cc:cc:cd/48
set firewall family bridge filter BPDU term 1 then count DROP-BPDU

set firewall family bridge filter BPDU term 1 then discard

set firewall family bridge filter BPDU term 2 then accept


set interfaces ae33 unit 511 family bridge filter input BPDU
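
The match logic of the filter suggested above, as an added example that is not part of the original post: a Python model that classifies raw Ethernet frames the way term 1 (count and discard on the two BPDU destination MACs) and term 2 (accept) would, so a capture taken on an edge-facing port can be checked offline per VLAN. The function names and the sample frames are constructed for illustration, and the model looks only at the destination MAC and the outer VLAN tag.

```python
import struct

# Destination MACs matched by term 1 of the filter in the post above.
BPDU_DST = {
    bytes.fromhex("0180c2000000"): "ieee-stp",
    bytes.fromhex("01000ccccccd"): "cisco-pvst",
}
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag types


def parse_frame(frame: bytes):
    """Return (dst_mac, outer_vlan_or_None) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    vlan, offset = None, 12
    # Walk past stacked VLAN tags, remembering only the outermost VLAN ID.
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in VLAN_TPIDS:
            break
        if vlan is None:
            vlan = tci & 0x0FFF
        offset += 4
    return frame[0:6], vlan


def apply_filter(frames):
    """Model term 1 (count, discard) and term 2 (accept) over the frames."""
    dropped, accepted = {}, []
    for frame in frames:
        dst, vlan = parse_frame(frame)
        kind = BPDU_DST.get(dst)
        if kind is None:
            accepted.append(frame)      # term 2: everything else passes
        else:
            key = (kind, vlan)          # term 1: counted per type and VLAN
            dropped[key] = dropped.get(key, 0) + 1
    return dropped, accepted


def build(dst_hex, vlan, body):
    """Constructed test frame: dst + fixed source MAC + optional tag + body."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return bytes.fromhex(dst_hex) + bytes.fromhex("020000000001") + tag + body


# Constructed sample frames, not captured traffic.
SAMPLE = [
    build("0180c2000000", None, b"\x00\x26\x42\x42\x03" + bytes(35)),
    build("01000ccccccd", 511,
          b"\x00\x32" + bytes.fromhex("aaaa0300000c010b") + bytes(42)),
    build("02005e000001", 511, b"\x08\x00" + bytes(46)),
]

if __name__ == "__main__":
    print(apply_filter(SAMPLE))
```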

Re: Virtual Chass - vme0 vs em0


Hi Carlos,

 

Thanks for your reply.

 

1) In a virtual-chassis, does accessing via em0.0 always lead to the master? If yes, why would one prefer to use a vme interface then?

 

2) Are we able to have the em0.0 interface/ip for individual switches and also have the vme.0 for the master switch ?

e.g. access individual switch -> use em0.0 IP, access master switch -> use vme.0 IP

 

3) Try using management instance set system management-instance,  true enough, em0 is on now in the mgmt_junos routing instance.   But how do I make vme.0  interface to be part of the mgmt_junos routing instance ?

 

Regards,

Alan

Re: Virtual Chass - vme0 vs em0


Hello Alan 

 

see inline:

 

1) In a virtual-chassis, does accessing via em0.0 always lead to the master? If yes, why would one prefer to use a vme interface then?

It does, it always takes you to the master. The idea of the vme is that you use only one IP to manage the whole stack, so you basically can get to the vme's IP address from any of the physical management interfaces on each VC member, always using the same IP.

 

2) Are we able to have the em0.0 interface/ip for individual switches and also have the vme.0 for the master switch ?

e.g. access individual switch -> use em0.0 IP, access master switch -> use vme.0 IP

 

you can but then you cannot use the vme, you would use the management interface of each member:

 

..."To access individual switches via their management interface (if required), their respective me0 interface can be directly configured with an IP address. 

For Example:

groups {
    member0 {
        interfaces me0 unit 0 family inet address <address0>
    }
    member1 {
        interfaces me0 unit 0 family inet address <address1>
    }
}

The above configuration is applicable only on the master and backup, on which me0.0 interfaces are present.

To directly use the Linecard's me0 interface, perform the following procedure:

  1. The following special configuration is required to take it away from the management VLAN:
    virtual-chassis {
        member 2 {
            no-management-vlan;
        }
        member 3 {
            no-management-vlan;
        }
    }
  2. Now, me0.<xxxxx> should be configured from the shell as follows: 
    root# ifconfig me0.0 local=10.10.10.1 netmask=255.255.255.0

3) Try using management instance set system management-instance,  true enough, em0 is on now in the mgmt_junos routing instance.   But how do I make vme.0  interface to be part of the mgmt_junos routing instance ?

For this I think you would need to use the method on point #2, and the vme will stay down if you use the individual management interfaces.

 

source:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB25724&cat=EX6200&actp=LIST 

Cheers!

Carlos

EX4500


I need help. I am new in the Juniper environment. In the basement, I have a stack of 5 Junipers; the master is an EX4500 and the other 4 are EX4200, and they are interconnected to the 3rd floor (a stack of another 4 chassis of EX4200) and the 4th floor (same as 3rd) via fibre.  I just created a VLAN on the master switch in the basement but the interconnected switches on the 3rd and 4th floor cannot see it.  What should I do?  Do I have to recreate the same VLAN on the 3rd and 4th floor closet chassis?

thanks ,


Re: Chassis


Thanks spuluka.  I set up L3 VLAN for this new vlan in the basement.  What should I do on the 3rd floor closet? Please provide me in detail steps and command.  The existing VLAN in the basement are being able to be accessed on the 3rd floor closet switches via a fibre connection but not this new one.  Please help me out.  I am new to this Juniper. Thank you very much for your kindness and assistance.

Re: Chassis


A few questions to understand the exact topology.

 

Can you confirm that the layer 3 interface for the new vlan is up on the basement VC using 

show interfaces terse

If not, we start with checking this vlan setup

 

And confirm that the layer 3 interface for the other vlans are also on this same VC in the basement.

If the interfaces are spread among the VC then we need to know how the internal routing is set up.

 

And do devices in the new vlan need to have access ports on the other VC or not.

 


Re: Virtual Chass - vme0 vs em0


Hi Carlos,

Thank you for your reply.

 

1) I am using 2 x qfx5100-48s-6q to set up the virtual chassis; there is no me interface, only em0.  Originally when I set up the switches individually, each em0.0 was assigned its own IP.
switch1 em0.0 - 192.168.0.1/24
switch2 em0.0 - 192.168.0.2/24

switch1 vme.0 - 192.168.0.3/24

 

After the virtual chassis is up, I can access the em0.0 - 192.168.0.1, but I cannot access 192.168.0.2.

I also cannot access 192.168.0.3 (because the vme interface is down).

 

2) Using the groups method doesn't seem to work for me.

set groups member0 interfaces em0 unit 0 family inet address 192.168.0.1/24
set groups member3 interfaces em0 unit 0 family inet address 192.168.0.2/24

After committing, I still can't access 192.168.0.2.

 

=============================================

 

q1) So it seems to me

access via em0.0 ->  192.168.0.1 > always go to the master

access via vme.0 -> 192.168.0.3 -> always go to the master  (provided that i remove the em0 interface)

What's the difference?

 

q2) Any idea why the group method can't work so I can access the switches individually?

 

 

q3) Can I confirm that

- the EM and VME interfaces cannot work concurrently

- the VME interface cannot work with the mgmt_junos management routing instance?

 

Regards,

Alan

 

 

 

 

Re: STP BPDU filtering with l2 firewall filter


I've tried but our EX9200's don't have Family Bridge. Only the already tried ethernet-switching which doesn't work.

 

We have already tried upgrading our junos versions to 17.4 but ran into issues after the upgrade. My guess is that we resolve the upgrade issue first and then hope that the bpdu drop function shows up.

 

Thanks for the help so far guys!
