Thanks for the answer. So will it support ISSU in the not too distant future?
Re: QFX5200: issu yes or no?
Well, according to this, doesn't seem to be planned in the short future:
https://pathfinder.juniper.net/home/#QFX5200/Roadmap+(SOPD)
However, you should get in touch with your Juniper representative and ask him/her to follow up on this with the PLM team.
=====
If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Re: Issues with firewall filter on Juniper EX4550
Hi,
Applying the filter on the vlan interface without specifying the destination would also block transit ssh traffic.
Best is to apply the filter on loopback logical interfaces.
If you don't mind sharing the config and a traceroute to the vlan interface IP from the host, we could take a look at this behavior.
Cheers,
Ashvin
QFX-5100 configuration disappears after a few minutes of commit
Hi,
I am trying to configure a QFX-5100 switch; however, a few minutes after I commit the configuration, the switch deletes everything and goes back to factory default with no root password. I used "request system zeroize", but with no luck. It is as if the configuration gets automatically deleted after a few minutes. The switch is running Junos 14. Does anyone know how to troubleshoot such a problem, or at least where to start?
The last lines in "show log messages"
Oct 20 10:59:39 license-check[1690]: LICENSE: copy to /config/license from fpc0:/config/.license_priv/
Oct 20 10:59:39 license-check[1690]: LIBJNX_REPLICATE_RCP_ERROR: rcp -r -Ji fpc0:/config/.license_priv/ /config/license : rcp: /config/.license_priv/: No such file or directory
Oct 20 10:59:39 license-check[1690]: copy from member 0 failed
Oct 20 10:59:49 license-check[1690]: LICENSE: copy to /config/license from fpc0:/config/.license_priv/
Oct 20 10:59:49 license-check[1690]: LIBJNX_REPLICATE_RCP_ERROR: rcp -r -Ji fpc0:/config/.license_priv/ /config/license : rcp: /config/.license_priv/: No such file or directory
Oct 20 10:59:49 license-check[1690]: copy from member 0 failed
Oct 20 10:59:50 login: Login attempt for user root from host [unknown]
Oct 20 10:59:52 login[3605]: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyd0
Oct 20 10:59:52 login[3605]: LOGIN_ROOT: User root logged in as root from host [unknown] on device ttyd0
Oct 20 10:59:59 license-check[1690]: LICENSE: copy to /config/license from fpc0:/config/.license_priv/
Oct 20 10:59:59 license-check[1690]: LIBJNX_REPLICATE_RCP_ERROR: rcp -r -Ji fpc0:/config/.license_priv/ /config/license : rcp: /config/.license_priv/: No such file or directory
Oct 20 10:59:59 license-check[1690]: copy from member 0 failed
Thank you
Re: QFX-5100 configuration disappears after a few minutes of commit
I would go first with this:
If this doesn't work, then contact JTAC to RMA the device.
Re: Issues with firewall filter on Juniper EX4550
I created a test filter and applied it on the Vlan interface:
admin@4550-1# show firewall family inet filter VLAN-int
term allow-ssh {
    from {
        source-prefix-list {
            CLI-SNMP-access;
        }
        protocol tcp;
        destination-port [ ssh telnet ];
    }
    then accept;
}
term deny-ssh {
    from {
        protocol tcp;
        destination-port [ ssh telnet ];
    }
    then {
        discard;
    }
}
term final {
    then accept;
}

{master:0}[edit]
admin@4550-1# show interfaces vlan unit 101
family inet {
    filter {
        input VLAN-int;
    }
    address 185.61.153.249/29;
}

{master:0}[edit]
SSH access is still not filtered. I can log in from an address that is not in the CLI-SNMP-access prefix list:
[root@2ip ~]# traceroute 185.61.153.249
traceroute to 185.61.153.249 (185.61.153.249), 128 hops max, 40 byte packets
 1  v524.ares.dc.volia.com (77.120.119.3)  0.280 ms  0.376 ms  0.217 ms
 2  88.112.120.77.colo.static.dcvolia.com (77.120.112.88)  0.730 ms  0.453 ms  0.427 ms
 3  lag5-40g.agg-1.ss13.kiev.volia.net (77.120.1.165)  0.424 ms  0.345 ms  0.313 ms
 4  be14.201.cr-2.g50.kiev.volia.net (77.120.1.81)  0.828 ms  0.772 ms  0.813 ms
 5  be3-40g.cr-1.g50.kiev.volia.net (77.120.1.41)  0.951 ms  0.890 ms  1.116 ms
 6  be4495.rcr21.kbp01.atlas.cogentco.com (149.6.191.49)  1.075 ms  1.338 ms  1.163 ms
 7  be2679.ccr21.bts01.atlas.cogentco.com (130.117.48.93)  19.181 ms  be2680.ccr22.bts01.atlas.cogentco.com (154.54.36.233)  19.130 ms  be2679.ccr21.bts01.atlas.cogentco.com (130.117.48.93)  20.270 ms
 8  be2988.ccr21.vie01.atlas.cogentco.com (154.54.59.86)  19.956 ms  be2990.ccr21.vie01.atlas.cogentco.com (154.54.59.94)  19.955 ms  be2988.ccr21.vie01.atlas.cogentco.com (154.54.59.86)  20.081 ms
 9  telia.vie01.atlas.cogentco.com (130.117.14.90)  19.820 ms  20.538 ms  19.809 ms
10  prag-bb1-link.telia.net (80.91.246.50)  25.839 ms  prag-bb1-link.telia.net (62.115.137.10)  26.126 ms  win-bb2-link.telia.net (62.115.112.196)  20.199 ms
11  hbg-bb4-link.telia.net (62.115.119.46)  38.345 ms  hbg-bb1-link.telia.net (62.115.135.20)  64.709 ms  hbg-bb4-link.telia.net (62.115.119.52)  37.726 ms
12  adm-bb3-link.telia.net (80.91.248.246)  43.535 ms  adm-bb3-link.telia.net (62.115.134.196)  43.277 ms  adm-bb4-link.telia.net (80.91.248.240)  43.727 ms
13  adm-b2-link.telia.net (213.155.137.187)  44.477 ms  adm-b2-link.telia.net (62.115.141.35)  44.399 ms  adm-b2-link.telia.net (213.155.137.183)  44.184 ms
14  incapsula-ic-309286-adm-b2.c.telia.net (213.248.103.230)  41.370 ms  41.190 ms  41.447 ms
15  185.61.153.249 (185.61.153.249)  57.678 ms  57.756 ms  57.738 ms
Re: Issues with firewall filter on Juniper EX4550
Hi,
The only possibility I can think of is that the traffic is ingressing the device through some other interface and not matching the filter.
If you know which interface the traffic is ingressing, you could monitor using:
monitor traffic interface x/x/x matching "tcp and port 22"
If the traffic is seen there, it would not be hitting the vlan.101 interface filter.
Cheers,
Ashvin
Re: Issues with firewall filter on Juniper EX4550
But I can't understand one thing: why, when I put this filter on the loopback interface, doesn't it filter incoming SSH connections? As I know, a filter on the Routing Engine must work and filter the necessary traffic for all interfaces configured on the device.
Re: Issues with firewall filter on Juniper EX4550
Hi,
Yes, when applied on the loopback interface, any traffic going to the RE should go through the filter, unless you have more than 1 logical unit on the loopback interface. Each logical unit on lo0 would need a filter to protect the RE.
Would also depend on the prefixes defined in the prefix list.
Do you see the count SSHdeny incrementing?
Cheers,
Ashvin
Re: Issues with firewall filter on Juniper EX4550
On loopback interface I have only 1 logical unit:
admin@4550-1# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input RE-filter;
        }
    }
}
And as you can see the filter is applied there.
Filter is configured like this:
admin@4550-1# show firewall family inet filter RE-filter
term CLI-allow {
    from {
        source-prefix-list {
            CLI-SNMP-access;
        }
        protocol tcp;
        destination-port [ telnet ssh ];
    }
    then {
        count SSHpermit;
        accept;
    }
}
term CLI-deny {
    from {
        protocol tcp;
        destination-port [ telnet ssh ];
    }
    then {
        count SSHdeny;
        discard;
    }
}
term final {
    then accept;
}
But when I try to access the switch from an IP address that is not included in the CLI-SNMP-access prefix list, the access is permitted, although it must be filtered by RE-filter.
I also see the permit and deny counts for this filter:
Filter: RE-filter
Counters:
Name          Bytes      Packets
SSHdeny       2922769    39508
SSHpermit     2522367    24812
Re: Issues with firewall filter on Juniper EX4550
Hi,
You could turn on logging on the terms and verify the action on the packet with that source address.
Cheers,
Ashvin
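A complete version of the lo0 (Routing Engine) filter that Ashvin's two replies describe, written here as an added example rather than config taken from the thread. It keeps the same prefix-list, term and counter names as the poster's RE-filter and adds the "log" action on the deny term, so the source address of every discarded SSH/telnet packet can be read back with "show firewall log". The prefix-list entries (192.0.2.0/24 and 198.51.100.7/32) are constructed placeholders; the hierarchy is in display format so it can be loaded with "load merge".

```junos
/* Added example: RE-protection filter on lo0. Prefixes below are placeholders. */
policy-options {
    prefix-list CLI-SNMP-access {
        /* management stations allowed to reach the CLI; constructed values */
        192.0.2.0/24;
        198.51.100.7/32;
    }
}
firewall {
    family inet {
        filter RE-filter {
            term CLI-allow {
                from {
                    source-prefix-list {
                        CLI-SNMP-access;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    count SSHpermit;
                    accept;
                }
            }
            term CLI-deny {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    count SSHdeny;
                    /* record the packet header so "show firewall log" shows who was blocked */
                    log;
                    discard;
                }
            }
            /* every other RE-bound protocol (BGP, OSPF, SNMP, NTP...) is still accepted here;
               tighten it with its own terms once the SSH case works */
            term final {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input RE-filter;
                }
            }
        }
    }
}
```

Because the filter sits on lo0.0, it is evaluated for traffic addressed to the RE whatever physical or VLAN interface that traffic entered on, which is why it is preferred over a per-RVI filter; a filter on vlan.101 with no destination-address match, as Ashvin notes, also discards SSH that merely transits that VLAN. To test, clear the counters with "clear firewall filter RE-filter", open an SSH session from an address outside the prefix list, then compare "show firewall filter RE-filter" and "show firewall log": if the deny counter and the log entries show that source, the filter is working and the host is being accepted through another path or is already covered by the prefix list.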
Re: irb .vs l3-interface
Thanks, I found that mistake yesterday, good to know.
Stacking EX 3300 and EX 2200
We have a virtual chassis of EX 3300 that we need to connect with 3 EX 2200, and as per Juniper the EX 2200 stack cannot be stacked with any other EX series switches. Is there any other way to connect the 3 EX 2200 with the EX 3300 stack? I can trunk the 2 available ports on the EX 3300 with 2 EX 2200, but that still leaves the 3rd EX 2200 to be trunked with the 1G port on the EX 3300, and the 1G port cannot be used for trunk.
Re: Stacking EX 3300 and EX 2200
You just need to make the 3 x EX2200 into their own VC, and then connect back to EX3300 VC just as any normal switch-to-switch. Since both are a VC you can interconnect the two VC via a LAG/AE set as a trunk in order to carry multiple VLANs. Since VC acts as one switch, just think of this as single switch to single switch non-VC Ethernet connection. You'll need to manage the EX3300 VC and the EX2200 VC as separate switches. Done all the time.
Re: Setting ex2200 as a DHCP not working
I can't find the information in the documentation, but my recollection with this legacy DHCP server is that you need a layer 3 interface on the switch VLAN for the subnet declared in the DHCP pool for the association to work.
You can confirm the status of DHCP requests using these monitor commands here.
Re: L3 switch block to access vlan gateway ssh and telnet.
To protect login for management of the switch, see starting on page 111 in This Week: Hardening Junos Devices.
http://forums.juniper.net/jnet/attachments/jnet/Day1Books/148/11/TW_HardeningJunosDevices_2ndEd.pdf
ex4300 VC - can I have two layer 3 interfaces on the same subnet
Hi.
I have two circuits from the same VPLS network connected to two ports on an EX4300 VC. Both interfaces are layer 3 interfaces, but they need to be on the same subnet.
ge-0/0/1
set unit 0 family inet address 10.50.20.1/27
ge-1/0/1
set unit 0 family inet address 10.50.20.2/27
I want to run eBGP to each one of these IPs through the VPLS network, so if one circuit dies the other one will take over the traffic. So, for example, site A will have two peerings with the VC switch, one to 10.50.20.1 and one to 10.50.20.2.
Is this possible ?
From a config point of view the switch thinks this is fine but I can't actually test it until I'm on site so I would appreciate your thoughts
I am open to any other suggestions. Please note I cannot change the IP subnet for the VPLS, as it would require changing multiple sites, which is not possible for this maintenance window.
Thanks
Cian
Re: EX4300 LACP with SRX requires VSTP Edge configuration. Why.
The solution was provided by JTAC.
This is a known issue that is _maybe_ solved in 15.x
https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR860226
Solution: Add all interfaces under stp. for example set protocols vstp interfaces <interface-name>.
Otherwise you might get random issues where the interface isn't learning MACs = no traffic is forwarded.
//Rob
SRX345 global trans mode to switch mode
Hello Juniper community!
I'm new here, so let me say hello!
I am lacking information about configuring an IRB interface on the SRX345.
I read in another topic on this forum that I need to change the l2-learning global-mode to switching with this command: set protocols l2-learning global-mode..
Configuration:
-version 15.1X49-D45;
-SRX's are configured now on default-mode (transparent-mode)
-SRX345 are in CHASSIS CLUSTER
-(most problematic thing) I don't have the possibility to connect to them physically. I'm connected to them by SSH, so I cannot change the config without the 'commit confirmed' option, for obvious reasons.
And questions (problems) that i have are:
1. When I change the global mode to switching mode, will I be able to connect to them after the reboot without problems?
Does it change routing or something else that could cut me off after the reboot?
2. Will the 'commit confirmed' option still be in the config after the reboot?
Thanks in advance!
Some config:
show interfaces irb
unit 614 {
family inet {
address 10.118.228.1/26;
}
}
show vlans
dmz_614 {
vlan-id 614;
l3-interface irb.614;
}
show security zones:
security-zone dmz_614 {
host-inbound-traffic {
system-services {
ping;
ssh;
}
}
interfaces {
irb.614;
}
}
BR//
Bukem
Re: ex4300 VC - can I have two layer 3 interfaces on the same subnet
Never seen this, but not sure why it would not work. At the same time, what most people would do is create a VLAN that contains the 2 interfaces, ge-0/0/1 and ge-1/0/1. Then associate an [L3] IP address with the VLAN - RVI = Routed VLAN Interface. For EX4300 this would be via an IRB - Integrated Routing and Bridging.
Then you create redundancy for the physical links. For the physical links, now working as L2, versus your previous L3, you need something to break the newly formed L2 loop. For this you have a few options (in order of my preference):
Make the 2 links into a LAG/AE in which case they load share and provide redundancy BUT you need the SP or VPLS cloud to also support this capability. For such a connection LACP is generally also used for better link state and failover.
Use RTG at the EX4300. This option works no matter what the VPLS cloud physical connection is. This creates active-standby for the 2 links. For info go here:
Use something like STP to break the loop. This assumes the VPLS cloud either transparently passes STP BPDUs or the cloud connections also run STP. In the latter case, you need to match the cloud STP type with the EX4300 configured STP type. For EX4300 STP info look here:
I would also suggest you upgrade your EX4300 switches to 14.1X53-D40 when it comes out in [hopefully] a few weeks. This would be a generic suggestion for anyone using EX4300 switches. Looking at mid to late November.
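The first option in the reply above (both circuits in one VLAN behind an IRB, bundled into a LAG with LACP), written out as an added example; it is not config from the thread or from Juniper. The bundle name ae0, the VLAN name VPLS-UPLINK, VLAN ID 20 and the irb.20 unit are assumptions; the ports and the 10.50.20.1/27 address are the ones from the question. Note that with a single IRB address the two eBGP peerings collapse into one, and the VPLS side must also terminate the two circuits as one LAG, as the reply says.

```junos
/* Added example: two VPLS circuits as one LACP bundle behind an IRB (ae0, VLAN 20, VPLS-UPLINK are assumed names) */
chassis {
    aggregated-devices {
        ethernet {
            /* allocate one ae interface; raise if more bundles are added later */
            device-count 1;
        }
    }
}
interfaces {
    ge-0/0/1 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-1/0/1 {
        ether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        aggregated-ether-options {
            lacp {
                /* active LACP with fast timers: a dead circuit leaves the bundle within seconds */
                active;
                periodic fast;
            }
        }
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members VPLS-UPLINK;
                }
            }
        }
    }
    irb {
        unit 20 {
            family inet {
                /* single routed address for the VLAN; the former ge-1/0/1 address is no longer needed */
                address 10.50.20.1/27;
            }
        }
    }
}
vlans {
    VPLS-UPLINK {
        vlan-id 20;
        l3-interface irb.20;
    }
}
```

After commit, "show lacp interfaces ae0" should list both members as Collecting/Distributing and "show interfaces irb.20 terse" should show the unit up; if the VPLS provider cannot run LACP on its side, the same VLAN and irb.20 configuration still applies, but the two member ports are configured as a redundant trunk group (the reply's second option) instead of ae0.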