[j-nsp] Configuring link-speed for Aggregated Ethernet interface bundles
Hi all,

We just noticed that we see the log messages listed in https://kb.juniper.net/InfoCenter/index?page=content=KB20343 and I just wrote up a plan and reserved a maintenance window to apply the changes listed as the solution, but am wondering if anyone has experienced issues after doing this.

Looking forward to any responses. Thank you!

Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SSH access with Radius auth issue
My only pointer is to make sure your RADIUS server is returning the correct VSA. Based on your config it should be

RADIUS:Juniper:Juniper-Local-Username = remote

Also, there are typically things that show up in the messages log about login issues; looking in there may be useful to you.

Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Fri, Feb 16, 2018 at 11:44 AM, Chris Boyd <cb...@gizmopartners.com> wrote:

> Starting to tear my hair out over this one.
>
> Recently wiped and upgraded an EX4200 to 15.1R6.7. Dropped in my standard
> Radius config that’s working on all my other devices. Users that are
> locally configured on the 4200 can log in normally, but SSH sessions that
> are Radius authenticated get the session closed immediately upon supplying
> the correct password. Giving the wrong password gets you another password
> prompt. Google keeps taking me to pages talking about BRAS/Dialup sorts of
> issues.
>
> Here’s what’s working on all the other switches and routers, but not on
> the newly upgraded switch:
>
> system {
>     radius-server {
>         10.a.b.c {
>             secret "$9$shh_don't_tell_anyone"; ## SECRET-DATA
>             source-address 10.p.q.r;
>         }
>         10.x.y.z {
>             secret "$9$shh_don't_tell_anyone"; ## SECRET-DATA
>             source-address 10.p.q.r;
>         }
>     }
>     radius-options {
>         password-protocol mschap-v2;
>
> The Radius servers are reachable by the source address.
>
> After re-reading the Radius configuration pages, I added this to the
> config, with no effect. Behavior is the same.
>
> groups {
>     global {
>         system {
>             login {
>                 user remote {
>                     class super-user;
>                 }
>             }
>         }
>     }
> }
>
> Pointers and cluebats appreciated.
>
> —Chris
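One way to check what the RADIUS server actually returns, as an added example that is not part of the original thread: the script below parses an Access-Accept and extracts the Juniper template-user VSA (vendor 2636, type 1, named Juniper-Local-User-Name in Juniper's RADIUS dictionary). The packets are constructed samples with a zeroed authenticator; in practice the bytes would come from a capture of the server's reply, and all function names here are assumptions of this example.

```python
import struct

# Constants from the RADIUS RFC and Juniper's vendor dictionary
ACCESS_ACCEPT = 2              # RADIUS packet code
VENDOR_SPECIFIC = 26           # attribute type carrying VSAs
JUNIPER_VENDOR_ID = 2636       # Juniper's IANA enterprise number
JUNIPER_LOCAL_USER_NAME = 1    # Juniper-Local-User-Name


def build_attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (incl. 2-byte header), value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_juniper_vsa(vendor_type, value):
    """Wrap a Juniper sub-attribute in a Vendor-Specific attribute."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    return build_attr(VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + sub)


def build_packet(code, identifier, attrs):
    """Constructed sample packet; the 16-byte authenticator is zeroed."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Return (code, [(type, value), ...]), rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def juniper_local_user(packet):
    """Template user named in an Access-Accept, or None if the VSA is absent."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    for attr_type, value in attrs:
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != JUNIPER_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == JUNIPER_LOCAL_USER_NAME:
                return sub[2:sub[1]].decode("utf-8", "replace")
            sub = sub[sub[1]:]
    return None


# Constructed samples: one reply carrying the VSA, one with only Service-Type
WITH_VSA = build_packet(ACCESS_ACCEPT, 7, [build_juniper_vsa(1, b"remote")])
WITHOUT_VSA = build_packet(ACCESS_ACCEPT, 8, [build_attr(6, struct.pack("!I", 6))])

if __name__ == "__main__":
    for name, pkt in (("with VSA", WITH_VSA), ("without VSA", WITHOUT_VSA)):
        print(name, "->", juniper_local_user(pkt))
```

The returned name has to match a user defined under `system login` on the switch, such as the `remote` user in the quoted configuration.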
Re: [j-nsp] What is your experience with the EX2200
Also since it was mentioned earlier and I forgot to mention it, I'm running simple MAC auth 802.1x on 83 EX2200's and the only issue is the captive portal functionality in Junos 12 is pretty terrible but it's been that way for years. If you need good captive portal go to the EX2300.

Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Mon, Dec 11, 2017 at 8:17 AM, Alain Hebert <aheb...@pubnix.net> wrote:

> Rofl, smell like my QFX5100 experience.
>
> PS: And I think it's more of a platform issue than a software issue.
>
> -
> Alain Hebert    aheb...@pubnix.net
> PubNIX Inc.
> 50 boul. St-Charles
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> Tel: 514-990-5911    http://www.pubnix.net    Fax: 514-990-9443
>
> On 12/09/17 14:29, Christian Scholz wrote:
>
>> I would only buy the EX2300 if somebody points a Gun in my Face -
>> seriously!
>> Anyone recommending a Device that purely relies on 15.1 Software does not
>> even closely know what he is talking about...
>>
>> The 2300 is a Joke so far - We have 7 PR's open and weekly Core-Dumps...
>> Stick with the EX2200 since the EX2200 is not EOL and the EX2300 is
>> unusable
>> until a fine Release (17.3 onwards) is available, fixing all the critical
>> things.
>> 15.1 is the new Windows Vista - unstable, unreliable and just a big joke -
>> never ever ever ever use a 15.X in Production until you want to watch the
>> World burn...
>>
>> Just my 2 cents...
Re: [j-nsp] What is your experience with the EX2200
For some reason I also thought the EX2200 EOL date was coming up in a year or two but cannot find any sources to prove that.

My only complaints about the box:

- Sometimes when they lose power abruptly it corrupts the file system on the primary partition. Best way I know of to solve this is a complete reinstall of the OS on the routing engine.
- This does not affect forwarding at all since the actual packet forwarding happens on a different unit of the box. You'll only see this when you try to SSH to it, for example, and it rejects your attempts by closing your connection.
- It takes these things a few seconds to commit their config, but I think the routing engine runs on an 800MHz CPU and 512MB of RAM. They're also quite slow to SSH to, again due to the lack of CPU and memory.

Otherwise the EX2200 is a really solid platform, but as Saku said Juniper moved to the EX2300 a long time ago.

Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Fri, Dec 8, 2017 at 1:54 PM, Saku Ytti <s...@ytti.fi> wrote:

> Only buy EX2200 if you're buying gray and get them really cheap.
> Juniper has long since moved to entirely different platform EX2300.
>
> On 8 December 2017 at 19:41, Dan White <dwh...@olp.net> wrote:
> > We're considering purchasing these switches for our branch offices. Our
> > needs include PoE, and basic routing functionality. What's been your
> > experience with these switches?
> >
> > --
> > Dan White
> > BTC Broadband
> > Network Admin Lead
> > Ph 918.366.0248 (direct)    main: (918)366-8000
> > Fax 918.366.6610    email: dwh...@olp.net
> > http://www.btcbroadband.com
>
> --
> ++ytti
Re: [j-nsp] Using a QFX5100 without QFabric?
Karl, we're also looking at QFX5100-48S switches for our aggregation. I actually have one in place doing aggregation and routing and the only "big" change I found is the DHCP forwarder config is not remotely similar to the forwarding-options helpers bootp config we've been using to forward DHCP on our MX480 core. But that only counts if you do routing and DHCP forwarding at the QFX.

But, if you want to do routing and DHCP forwarding on this, any forwarding in the default routing instance goes under forwarding-options dhcp-relay and any DHCP forwarding in a non-default routing instance goes under routing-instances INSTANCE-NAME forwarding-options dhcp-relay. There are a ton of DHCP relay options but we found we just need a server group that contains all our DHCP servers and an interface group that ties an interface to a server group.

Again I only bring the DHCP relay stuff up because we've been using forwarding-options helpers bootp on our MX's to do DHCP forwarding and the QFX explicitly disallows that in favor of the dhcp-relay.

Other than that initial confusion we've not had a problem and I'm very interested in any issues you hear of. This QFX I'm talking about runs Junos 14.1X53-D40.8.

I'm also very interested in any other issues people have had doing this.

Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Tue, Oct 24, 2017 at 8:41 AM, Karl Gerhard <karl_g...@gmx.at> wrote:

> Hello
>
> we're thinking about buying a few QFX5100 as they are incredibly cheap on
> the refurbished market - sometimes even cheaper than a much older EX4550.
>
> Are there any caveats when using the QFX5100-48S as a normal aggregation
> switch without QFabric? We have a pretty basic setup of Access (EX),
> Aggregation (EX or QFX) and Core (MX). We're only switching at our
> aggregation layer but we would like to have options for the future.
>
> Regards
> Karl
[j-nsp] Junos 15 on EX2200's
Hi all,

I'm wondering what your stories are with Junos 15 on EX2200 switches. I ask because we need a decent captive portal (probably one better than the one Junos 12 offers us but we're testing it) for our residence halls so people can plug a new device in and be made to register with a captive portal. Right now you have to find out your MAC address and use another device that's already online to register the thing that's offline or you just can't go anywhere.

I think our best option is to get to Junos 15 so we can do centralized web authentication instead of pushing some poorly done web page that posts stuff back to our NAC, but I need some input on how bad Junos 15 is on EX2200's.

Thanks for your time!

Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it
[j-nsp] 10Gbps xe interface to 20Gbps ae interface
Hi all,

I'm wondering if anybody had any issues on an MX480 (13.3R9) moving a single xe interface to an aggregated ethernet bundle of 2 xe interfaces. These interfaces go to an EX virtual chassis. I already made the ae interface on the switch side and assigned all the relevant VLANs.

Specifically my change plan for the MX reads:

top rename interfaces xe-1/0/0 to ae0
top replace pattern xe-1/0/0 with ae0

Generally I'm wondering what people's experiences with this have been. Good/bad/ugly/indifferent...?

Thanks for the time! Let me know if you need more info.

Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it
Re: [j-nsp] MC-LAG on QFX5100
Is there something preventing you from using VCF or qfabric?

On Jul 9, 2017 7:25 AM, "Vincent Bernat" wrote:

> ❦ 9 juillet 2017 09:07 GMT, "Jackson, William" <william.jack...@gibtele.com> :
>
> > We have been testing an MC-LAG active/active setup on qfx5100 using the
> > latest 14.1x53 code.
> > We are seeing issues when using L3 in the MC-LAG.
> > We are using IRB with VRRP on a number of vlans that face the downstream
> > client.
> > It seems that in active/active both nodes process traffic even if they
> > are not the VRRP master, so we have taken that into account.
> >
> > The issue we are seeing seems to be that the ARP sync is not working on
> > the ICCP between the peers.
> > We can reach downstream nodes via one peer but not the other.
> > And it works correctly on some vlans but not others so isn’t related to
> > the downstream client.
> >
> > JTAC is on it albeit at snail’s pace.
> >
> > Has anyone got this working on qfx5100 and can share some config
> > examples?
>
> I ran into similar limitations with the same version. I have tried both
> MAC synchronization and VRRP. When packets hit the "wrong" node (the one
> that didn't learn the neighbor information), they are not
> forwarded. See:
>
> https://lists.gt.net/nsp/juniper/60956#60956
>
> I got additional private feedback from people with similar issues
> (MC-LAG and L3 forwarding). I didn't try to involve JTAC.
> --
> Don't stop at one bug.
> - The Elements of Programming Style (Kernighan & Plauger)
Re: [j-nsp] MX104 recommended Junos version?
I'm still on 13.3R9, their previous recommendation, and don't have a problem.

Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Fri, Jun 23, 2017 at 9:28 AM, Josh Baird <joshba...@gmail.com> wrote:

> This page [1] shows that the recommended version is 15.1R6, but this page
> [1] says 14.1R7 for the MX104. I know the MX104's PPC RE cannot use the
> SMP kernel included in 15.1, but I understand an older kernel will be
> installed for these PPC devices.
>
> I'm currently running 14.2R6.5 but I am having some problems with high CPU
> sporadically that doesn't necessarily correlate to any periods of high
> traffic, etc. Every 6 hours, the RE CPU climbs until it reaches ~60%
> (sometimes higher into the ~80% range) and then falls back down to ~5%. I
> never saw this behavior when we were running 13.x with the same traffic
> levels.
>
> "show chassis routing-engine" shows most of the CPU usage at this time is
> used by the kernel.
>
> "show system process extensive" shows that chassisd is the main hog.
>
> I suppose my question is.. what Junos release appears to be the most stable
> for the MX104 platform? Not doing anything special here - a few eBGP
> peers, simple routing policy, etc.
>
> Thanks,
>
> Josh
>
> [1] https://kb.juniper.net/InfoCenter/index?page=content;
> id=KB21476=METADATA
> [2] http://www.juniper.net/support/downloads/?p=mx104#sw
Re: [j-nsp] SRX100B L3 VLAN Interface Issue
I figured it out after checking /var/log/messages and seeing this:

rpd[1712]: WARNING: Ethernet-switching interface fe-0/0/0.0 detected in the routing instance 'priv-blah' configuration. This configuration will cause traffic to be dropped

I forgot this would happen and set up a new security zone called l2-priv-blah and allowed full communication between it and trust-priv-blah in the security policies, then removed fe-0/0/0 from the trust-priv-blah security zone and the priv-blah routing instance. Worked great.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.it.mtu.edu/

On Tue, Dec 20, 2016 at 1:43 PM, Matt Freitag <mlfre...@mtu.edu> wrote:

> All, I have an SRX100B on Junos 12.1X46-D40.2. It's configured as a remote
> end of a site-to-site VPN. The site-to-site VPN works fine as verified by
> show security ike security-associations.
>
> I'm having trouble with a layer 3 VLAN interface in a separate routing
> instance from the normal one. The interface is named vlan.224.
>
> "show vlans" shows no physical interfaces in VLAN 224 even though
> fe-0/0/0.0 is a configured member of the VLAN.
>
> The layer 3 interface won't advertise its presence to the rest of the
> network through OSPF because the logical interface is down because there
> aren't any interfaces assigned to the VLAN.
>
> Even though there are interfaces assigned to the VLAN why does it think
> there are no interfaces assigned to the VLAN?
>
> I already have a ticket with TAC and reached out to my SE but wondered if
> the community has any insights or suggestions. I have a hunch that this is
> happening because the sort of thing I'm trying is not allowed.
>
> Thank you for your time.
>
> Here is a brief config snippet illustrating how interfaces and VLANs
> should be set up and the output of "show interfaces vlan terse" and "show
> vlans":
>
> interfaces {
>     fe-0/0/0 {
>         unit 0 {
>             family ethernet-switching {
>                 port-mode access;
>                 vlan {
>                     members vlan0224;
>                 }
>             }
>         }
>     }
>     vlan {
>         unit 224 {
>             family inet {
>                 address priv-network/22;
>             }
>         }
>     }
> }
> vlans {
>     vlan0224 {
>         vlan-id 224;
>         interface {
>             fe-0/0/0.0;
>         }
>         l3-interface vlan.224;
>     }
> }
>
> mlfreita@srx> show interfaces vlan terse
> Interface               Admin Link Proto    Local                 Remote
> vlan                    up    up
> vlan.224                up    down inet     priv-network/22
>
> mlfreita@srx> show vlans
> Name           Tag     Interfaces
> default        1
>                        None
> vlan0224       224
>                        None
>
> Matt Freitag
> Network Engineer I
> Information Technology
> Michigan Technological University
> (906) 487-3696
> https://www.mtu.edu/
> https://www.it.mtu.edu/
[j-nsp] SRX100B L3 VLAN Interface Issue
All, I have an SRX100B on Junos 12.1X46-D40.2. It's configured as a remote end of a site-to-site VPN. The site-to-site VPN works fine as verified by show security ike security-associations.

I'm having trouble with a layer 3 VLAN interface in a separate routing instance from the normal one. The interface is named vlan.224.

"show vlans" shows no physical interfaces in VLAN 224 even though fe-0/0/0.0 is a configured member of the VLAN.

The layer 3 interface won't advertise its presence to the rest of the network through OSPF because the logical interface is down because there aren't any interfaces assigned to the VLAN.

Even though there are interfaces assigned to the VLAN why does it think there are no interfaces assigned to the VLAN?

I already have a ticket with TAC and reached out to my SE but wondered if the community has any insights or suggestions. I have a hunch that this is happening because the sort of thing I'm trying is not allowed.

Thank you for your time.

Here is a brief config snippet illustrating how interfaces and VLANs should be set up and the output of "show interfaces vlan terse" and "show vlans":

interfaces {
    fe-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan0224;
                }
            }
        }
    }
    vlan {
        unit 224 {
            family inet {
                address priv-network/22;
            }
        }
    }
}
vlans {
    vlan0224 {
        vlan-id 224;
        interface {
            fe-0/0/0.0;
        }
        l3-interface vlan.224;
    }
}

mlfreita@srx> show interfaces vlan terse
Interface               Admin Link Proto    Local                 Remote
vlan                    up    up
vlan.224                up    down inet     priv-network/22

mlfreita@srx> show vlans
Name           Tag     Interfaces
default        1
                       None
vlan0224       224
                       None

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.it.mtu.edu/
Re: [j-nsp] Free JNCIA Practice test
Simone,

I've found the Junos Genius app for Android (and maybe iOS) is a really good practice testing tool. It asks a lot of the same questions as the Learning Portal, but also seems to have a lot more questions than just what's in the Portal's practice exam.

Junos OS for Dummies and the O'Reilly books Junos Enterprise Routing and Junos Enterprise Switching have been very helpful to me. The O'Reilly books also have review questions and answers at the back of every chapter.

Good luck! I'm studying up for my JNCIA myself.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.it.mtu.edu/

On Mon, Jul 18, 2016 at 4:52 PM, Simone Spinelli <simone.spine...@gmail.com> wrote:

> Hi everybody!
>
> I'm going to do JNCIA test, I was wondering if you have any advice about
> where to find free practice test besides the Juniper learning portal.
>
> Any advice is very welcome!
>
> Thank you
>
> Simone
Re: [j-nsp] mixed interface, switching + routed
Josh,

You should be able to define interfaces vlan unit 600 family inet address 192.168.1.1/24, and then vlans vlan600 l3-interface vlan.600.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.it.mtu.edu/

On Tue, Jul 5, 2016 at 2:51 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:

> Thanks Hugo, I'll try and give that a shot.
>
> So basically setup an ethernet-switching interface on unit 0, port
> mode trunk, native vlan as the current access vlan, member list
> includes the new vlan? I think I'm confused about how I would assign
> an RVI to this in that state.
>
> Do you have a quick example config I might be able to work off of?
>
> Thank you!
>
> On Tue, Jul 5, 2016 at 1:32 PM, Hugo Slabbert <h...@slabnet.com> wrote:
> >
> > On Tue 2016-Jul-05 13:23:38 -0500, Josh Reynolds <j...@kyneticwifi.com>
> > wrote:
> >
> >> EX4500
> >
> > This would be done with flexible-ethernet-services on MX, but I don't
> > believe it's supported to mix L2 and L3 on the same port on the EX4500.
> > We've tried that on 4550, and you can't mix family ethernet-switching with
> > e.g. vlan-tagging, which is what you would use for your L3 unit.
> >
> > You could change the interface into a trunk, run your existing access vlan
> > as native, and create an RVI for your L3 interface, but that may or may not
> > cut it depending on what you need that L3 interface for.
> >
> > --
> > Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com
> > pgp key: B178313E | also on Signal
> >
> >>
> >> On Tue, Jul 5, 2016 at 1:20 PM, Hugo Slabbert <h...@slabnet.com> wrote:
> >>>
> >>> On Tue 2016-Jul-05 13:17:52 -0500, Josh Reynolds <j...@kyneticwifi.com>
> >>> wrote:
> >>>
> >>>> Hello,
> >>>>
> >>>> I'm sure this is a fairly basic question, but I'm having trouble
> >>>> finding a solution.
> >>>>
> >>>> I have a port that is currently an ethernet switching port, set in
> >>>> access mode that is tagging a vlan for upstream. This works fine. What
> >>>> I'd like to do, is add a sub interface on the master port (say, unit
> >>>> 600 / vlan 600) that is a tagged/routed interface.
> >>>>
> >>>> I've tried to do this a couple of ways now, and every time I seem to
> >>>> get thrown a different error.
> >>>>
> >>>> Anybody have any tips?
> >>>
> >>> Support for this varies depending on what platform you are using. You
> >>> haven't told us what equipment you're talking about.
> >>>
> >>>> Thanks :)