Channel: All Ethernet Switching posts
Viewing all 10307 articles

Re: Trunk between EX and SRX, native VLAN incompatibility?


Thanks for the feedback. I did configure flexible VLAN tagging and it seems to work just fine, so I guess I'll stick with that approach.

 

I still don't know why dot1x settings are enforcing rules on this interface even though it's explicitly disabled. I don't think that should be the case, but it appears it is, so this is getting into more of a feature request territory. 


Re: Trunk between EX and SRX, native VLAN incompatibility?


I'm glad that it works now (even though the dot1x question is still not answered). Please mark the solution as "Accepted Solution" so that others can find the right answer quickly and easily.

EX230048P Dropping computers


Hi there

Has anyone ever had issues with a computer that suddenly drops off the network and will not connect to the internet? Could the MAC tables be corrupt? Any thoughts or experiences would be greatly appreciated. Thanks!

We are currently running the following OS on all of our switches (as suggested by Juniper Support)

 


Model: ex2300-48p
Junos: 15.1X53-D590.1

show configuration interfaces ge-0/0/31
unit 0 {
    family ethernet-switching {
        interface-mode access;
        vlan {
            members 1707;
        }
        storm-control default;
    }
}

 

 

Re: EX230048P Dropping computers


It appears that you have a case open with Juniper TAC, yes?  What is their analysis?  Have you tried to port mirror the ingress port to see what is happening?  Do you have port level security features turned on?  Are there any messages in the log indicating what might be going on?

 

If you are saying that the client machine works and then just 'stops', is there still link to the port/interface?  Does the client still have the proper IP and GW, and does the EX2300MP see the MAC of the device in the ethernet-switching table?  Is this a specific device having the situation, and do other devices on the switch work fine?

 

Lots of basic stuff that needs to be looked at for almost anyone to figure out what might be happening.

 

I also might suggest you move to 18.2R3-S2, as that release has a number of changes associated with both EX2300 (all models) and EX3400.  Best to start there for any troubleshooting.

 

Good luck.

Re: EX230048P Dropping computers


Juniper couldn't replicate the issue. What I did to fix the issue was

 

1. Disable the port
2. Remove all VLANs (including the voice VLAN) and re-add
3. Remove the DHCP entry on our Windows 2018 DHCP server
4. Re-enable the port and voila, it works.

This has been happening on and off all over the network and just on this switch. Never experienced this issue with any Cisco switch. EVER.

BPDU's not sent on ae interface


Hi,

I've configured a standalone EX2300 with an ae interface, which connects to an EX-series virtual chassis.

This switch only has one ae uplink (with two interfaces), no other uplinks to any other switches.

 

When I bring up the interface it sends 3 or 4 BPDU's, and then stops. It receives plenty of BPDU's, but won't send them.

 

Any ideas?

 

 

xe-0/1/0 and 0/1/1:

ether-options {
    802.3ad ae0;
}

chassis config:

aggregated-devices {
    ethernet {
        device-count 2;
    }
}

ae0:

description Uplink;
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members all;
        }
    }
}

 

BPDU's:

 show spanning-tree statistics interface ae0


Interface     BPDUs       BPDUs        Next BPDU       TCs        Proposal    Agreement
              Sent        Received     Transmission    Tx/Rx      Tx/Rx       Tx/Rx
ae0              4          34             0           0/0         0/0         4/0

 

Re: BPDU's not sent on ae interface


It appears I've been silly...

 

This is an RSTP root port, and root ports do not continually send BPDU's like a designated port will.

So, there's no issue after all!

Re: Bandwidth Shaping on IRB


For anyone interested, here is my almost final config going down the CoS path:

 

ex3400vc> show configuration firewall
family ethernet-switching {
    filter MF-CLASSIFIER {
        interface-specific;
        term blue {
            from {
                source-prefix-list {
                    blue-subnets;
                }
            }
            then {
                accept;
                forwarding-class blue-be;
            }
        }
        term red {
            from {
                source-prefix-list {
                    red-subnets;
                }
            }
            then {
                accept;
                forwarding-class red-be;
            }
        }
    }
}

ex3400vc> show configuration class-of-service
forwarding-classes {
    class blue-be queue-num 1;
    class red-be queue-num 2;
}
interfaces {
    ge-0/0/0 {
        scheduler-map SCHEDULER-MAP;
        shaping-rate 30m;
    }
}
scheduler-maps {
    SCHEDULER-MAP {
        forwarding-class blue-be scheduler Blue-Scheduler;
        forwarding-class red-be scheduler Red-Scheduler;
    }
}
schedulers {
    Red-Scheduler {
        transmit-rate 10m;
    }
    Blue-Scheduler {
        transmit-rate 20m;
    }
}

ex3400vc> show configuration interfaces ge-0/0/2
unit 0 {
    family ethernet-switching {
        vlan {
            members red-vlan;
        }
        filter {
            input MF-CLASSIFIER;
        }
    }
}

 

This is also a good reference: https://www.juniper.net/assets/us/en/local/pdf/books/day-one-poster-junos-cos.pdf

Somehow doesn't really show up in generic Google search; found it on Reddit

 

Notes:

  • The above only deals with download
  • EX3400 has a few limitations; for example, with a policer I was hoping to put excess traffic in another queue as the final best-effort fight for it among the different colors, but there is only a discard as action
  • May test remarking
  • There are more options under schedulers that I will explore

 

As usual, if you've got comments or suggestions, please feel free to share.

 

Thank you

 


Unable to load junos on vqfx-pfe


Good morning,

 

I am running the virtual appliance of the QFX10000 Switch; the name of the image is cosim-18.4R1.8_20180212.qcow2.

 

I am able to login into the Unix shell by using username = root, password = no, but I am unable to start the junos CLI.

 

I read that for starting junos CLI from the Unix shell typing cli is enough, but it does not work with this image.

 

I am attaching a screenshot of the message.

 

Thanks in advance.

 

GM

[Attachment: Screenshot from 2020-01-15 04-01-27.png]

Re: Unable to load junos on vqfx-pfe


Hello

 

I believe you are in the host shell of the vqfx and not the Junos shell.

The cli will work on the Junos (unix) shell; however, it would not work on the host shell.

Also, the cosim image is the PFE image; what is the Junos image that you are using?

 

 

 

Re: Unable to load junos on vqfx-pfe


Hi gmarciales,

 

To make the virtual appliance work full blown, you need an RE and PFE.  The cosim image is just the PFE part of it, you should also be running "jinstall-vqfx-10-f-18.4R1.8.qcow2" and ensure there is a dedicated virtual connection (em1 typically) between the RE and PFE.  On PFE you can check if the interface to RE is up (typically eth1).  Once the RE to PFE connection is up, we can just login to the RE to get to Junos CLI, you won't need to login to the PFE.

 

Check this for some basic troubleshooting for this RE/PFE connection:

https://github.com/Juniper/vqfx10k-vagrant/wiki/Troubleshooting-Guide

 

Hope this helps.

 

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

DSCP marking on the edge


I know this topic has been discussed ad nauseam, so I'm mostly asking about peripheral questions here (and I have read the applicable documentation on the subject).

 

First, I'm setting up an EX to emulate the DSCP marking strategy that we do with our Cisco access switches. I've gathered that most EX platforms can't do this inbound, so the approach is instead to classify inbound into different queues and then rewrite the DSCP tag outbound. I've got this working as a simple PoC, but I have a few questions:

 

1) Is there any way to reuse the same firewall filter on switched ports and routed ports? Since the filters are family-specific, you need to specify whether it's for inet or ethernet-switching or what have you, and an inet filter isn't usable on a switched port and vice versa.

 

2) Are from statements in a firewall filter ANDed or ORed? I'm guessing AND, but what about situations where the constituents are incompatible? I.e.

 

"from" : {
    "destination-port" : ["161", "1812"],
    "ip-protocol" : ["icmp"]
},

Does that match TCP/UDP port 161 or 1812 or ICMP? Or just nothing since a packet can't have more than one destination port (especially over ICMP)? What about a case where you're specifying source and destination ports? 

 

Thanks much,

Ian

Re: DSCP marking on the edge


To answer your question.

 

1. You may try a filter with "family any". There are limitations with family any filters because for each type of interface, the filter can match different types of packet. Usually we only define very generic matching conditions for family any filters, e.g. accept everything and do port-mirror.

 

2. Within the same criteria, it's OR.  For different criteria, it's AND. You gave a really bad example, since it won't match anything. Let me give another example. Below matches all LDP packets, AND [if it's udp OR tcp], AND [if source address is 1.1.1.1/32 OR 2.2.2.2/32]

 

family inet {
    filter test {
        term 1 {
            from {
                source-address {
                    1.1.1.1/32;
                    2.2.2.2/32;
                }
                protocol [ udp tcp ];
                port ldp;
            }
        }
    }
}
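
The OR-within-a-criterion, AND-across-criteria rule from the reply above, worked through as an added example (a simplified model written for this page, not Junos code and not part of either post). The packet dictionaries are constructed samples, and the REWORKED filter is one hypothetical way to split the question's condition into separate terms.

```python
import ipaddress

LDP = 646  # well-known LDP port, used over both TCP and UDP

def term_matches(term, pkt):
    """Values inside one criterion are ORed; separate criteria are ANDed."""
    for criterion, wanted in term.items():
        if criterion == "source-address":
            src = ipaddress.ip_address(pkt["src"])
            ok = any(src in ipaddress.ip_network(p) for p in wanted)
        elif criterion in ("protocol", "ip-protocol"):
            ok = pkt["protocol"] in wanted
        elif criterion == "destination-port":
            ok = pkt.get("dport") in wanted  # ICMP carries no port: never true
        elif criterion == "port":  # matches source OR destination port
            ok = pkt.get("sport") in wanted or pkt.get("dport") in wanted
        else:
            raise ValueError(f"unsupported criterion: {criterion}")
        if not ok:
            return False  # one failed criterion fails the whole term
    return True

# Constructed sample packets, not captured traffic.
PACKETS = {
    "snmp_udp": {"src": "10.0.0.5", "protocol": "udp", "sport": 40000, "dport": 161},
    "icmp_echo": {"src": "10.0.0.5", "protocol": "icmp"},
    "ldp_hello": {"src": "1.1.1.1", "protocol": "udp", "sport": 646, "dport": 646},
    "ldp_session": {"src": "2.2.2.2", "protocol": "tcp", "sport": 51000, "dport": 646},
    "ldp_other_src": {"src": "3.3.3.3", "protocol": "tcp", "sport": 51000, "dport": 646},
    "ssh_from_1": {"src": "1.1.1.1", "protocol": "tcp", "sport": 51000, "dport": 22},
}

def matching(terms):
    """Names of sample packets matched by any term (terms are alternatives)."""
    return sorted(name for name, pkt in PACKETS.items()
                  if any(term_matches(t, pkt) for t in terms))

QUESTION = [{"destination-port": [161, 1812], "ip-protocol": ["icmp"]}]
REPLY = [{"source-address": ["1.1.1.1/32", "2.2.2.2/32"],
          "protocol": ["udp", "tcp"], "port": [LDP]}]
# Hypothetical rework: one term per alternative instead of mixing them.
REWORKED = [{"destination-port": [161, 1812], "ip-protocol": ["udp", "tcp"]},
            {"ip-protocol": ["icmp"]}]

if __name__ == "__main__":
    for name, terms in (("question", QUESTION), ("reply", REPLY),
                        ("reworked", REWORKED)):
        print(name, matching(terms))
```

The question's single term matches none of the samples, while splitting it into two terms matches both the SNMP and the ICMP packet.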

 

Re: DSCP marking on the edge


Great, thanks for your explanation. I suppose I'll need to rework my from statements to get things to work.

Re: Unable to load junos on vqfx-pfe


Thank you so much guys for your help.

 

mriyaz,

Thanks for taking the time and explaining further.

 

Best regards

 

Saludos

 

GM

[Attachment: Screenshot from 2020-01-15 19-24-09.png]


Re: vqfx physical interfaces not showing up


I believe the last point in this troubleshooting guide applies to your problem.

 

 

https://github.com/Juniper/vqfx10k-vagrant/wiki/Troubleshooting-Guide

 

RE and PFE VMs are able to communicate but XE interfaces are not present

This might happen if we are running out of CPU. You might want to allocate less CPU resources to PFE VMs.
In the Vagrantfile, you can add

vqfxpfe.vm.provider "virtualbox" do |v|
  v.customize ["modifyvm", :id, "--cpuexecutioncap", "50"]
end

Unable to upgrade EX3300 stack members to JunOS 12.3R12.


Hello everyone,

Yesterday I tried to upgrade our EX3300 stack with Junos 12.3R12. The current fw is 12.3R6.6. I downloaded the fw to /var/tmp/jinstall-ex-3300-12.3R12.4-domestic-signed.tgz on the master switch; after that I issued the command to validate the new fw:

request system software validate /var/tmp/jinstall-ex-3300-12.3R12.4-domestic-signed.tgz

And finally I started the upgrade of the last virtual-chassis member (9th), to avoid a downtime of the whole VC:

request system software add /var/tmp/jinstall-ex-3300-12.3R12.4-domestic-signed.tgz member 9

Unfortunately, after member 9 was rebooted it failed to load Junos. In the console some disquieting things appeared during the start of this switch (as below). After a while I managed to take a snapshot and start the switch with the previous version of Junos (12.3R12). The affected switch's virtual-chassis status was 'not present'.

Can anybody explain to me what happened and what I have done wrong?

 

MISSING '.'  I=4097  OWNER=0 MODE=40755
SIZE=512 MTIME=Mar 17 12:26 2014
DIR=?

UNEXPECTED SOFT UPDATE INCONSISTENCY

FIX? yes

DIRECTORY CORRUPTED  I=4098  OWNER=0 MODE=40755
SIZE=512 MTIME=Jun 14 08:27 2013
DIR=?

UNEXPECTED SOFT UPDATE INCONSISTENCY

SALVAGE? yes

MISSING '.'  I=4098  OWNER=0 MODE=40755
SIZE=512 MTIME=Jun 14 08:27 2013
DIR=?

...

UNREF DIR  I=4131  OWNER=0 MODE=40700
SIZE=512 MTIME=Feb 12 13:49 2015
RECONNECT? yes

NO lost+found DIRECTORY
CREATE? yes

CG 0: BAD MAGIC NUMBER

UNEXPECTED SOFT UPDATE INCONSISTENCY
SORRY. CANNOT CREATE lost+found DIRECTORY
UNEXPECTED SOFT UPDATE INCONSISTENCY


UNREF DIR  I=4130  OWNER=0 MODE=40700
SIZE=512 MTIME=Feb 12 13:49 2015
RECONNECT? yes

NO lost+found DIRECTORY
CREATE? yes

CG 0: BAD MAGIC NUMBER

UNEXPECTED SOFT UPDATE INCONSISTENCY
SORRY. CANNOT CREATE lost+found DIRECTORY
UNEXPECTED SOFT UPDATE INCONSISTENCY

...

UNEXPECTED SOFT UPDATE INCONSISTENCY
SORRY. CANNOT CREATE lost+found DIRECTORY
UNEXPECTED SOFT UPDATE INCONSISTENCY



CLEAR? yes

UNREF FILE  I=4106  OWNER=0 MODE=120755
SIZE=25 MTIME=Feb 12 13:50 2015
RECONNECT? yes

NO lost+found DIRECTORY
CREATE? yes

CG 0: BAD MAGIC NUMBER

UNEXPECTED SOFT UPDATE INCONSISTENCY
SORRY. CANNOT CREATE lost+found DIRECTORY
UNEXPECTED SOFT UPDATE INCONSISTENCY

 

 

Re: Unable to upgrade EX3300 stack members to JunOS 12.3R12.


Thank you very much for the response. Does that mean that it was just a coincidence that the file system of the switch was corrupted?
As I mentioned, the switch is now working fine. But this knowledge will be helpful.

Re: Unable to upgrade EX3300 stack members to JunOS 12.3R12.


Due to the flash technology available back in 2008/9, the file systems on the legacy EX product lines (EX2200/3300/4200) are susceptible to flash corruption over time.  The longer a switch is in service with no reboot, the more likely this may happen.  It is hit or miss, from my experience.  I believe the most frequent occurrence is with the Master RE switch in an EX4200 VC.  Since EX4200 is the oldest product, it is the most likely one to see this.  Flash corruption does not negatively affect the operation of the switch.  Despite Unix/Linux tools being present, pre-identifying is difficult at best, and (again from experience) none of the tools to fix this work on an operating switch.

 

I have seen this most often with EX4200, few and far between on EX3300/EX2200 - you look like one of the lucky ones!  For EX4200VC I have found that if you do a partition switch (affects Master RE), things seem to go much better.

 

As @randero stated, once a switch is rebooted/reset and has this state (flash corruption present), generally the only recovery is via a USB install, which would also require local console access.

 

HTH and Good Luck
