On Jul 10, 2017, at 8:22 PM, Chuck Anderson wrote:
>
> Is anyone using EX4200 with DHCP Snooping + dot1x Dynamic VLAN
> assignments?
Yes, we've been running that setup for several years on EX3200 and 4200 VC
setups campus-wide. During the first year we hit several bugs with the dot1x
process having memory leaks and some other issues, but things stabilized and have
been solid for a while. We dynamically assign VLANs for all printers and
phones so they can be plugged into any port on campus and put on the correct
VLAN. We don't use voice VLANs.
There are occasional log messages about ARP inspection, but I believe it's
devices that aren't renewing their leases often enough or aren't transmitting
enough traffic to stay in the MAC table. We've set our monitoring software to
ping or probe all printers once a minute and that keeps everything active in
the MAC tables. We're also looking at cranking up the global mac aging timeout.
> I've also discovered that all VLANs that might end up being assigned
> to a port either statically or dynamically or via the VOIP VLAN
> feature must have matching examine-dhcp/ip-source-guard/arp-inspection
> settings under ethernet-switching-options secure-access-port.
Yes. We have a "vlan all" for everything, and then carve out exceptions for
VLANs that have old devices that use static addressing and won't support DAI.
Jason
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
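A check for the consistency requirement the thread describes (every VLAN that can land on a port, statically or via RADIUS, must carry the same examine-dhcp/ip-source-guard/arp-inspection settings), added here as an example and not code from the thread or from Juniper. It assumes Junos set-format output, a constructed config snippet and RADIUS VLAN list, and that an explicit per-VLAN secure-access-port stanza replaces the `vlan all` defaults for that VLAN.

```python
import re
from collections import defaultdict

FEATURES = ("examine-dhcp", "ip-source-guard", "arp-inspection")

# Constructed Junos set-format snippet (not from the thread): "vlan all" protects
# everything, while a legacy VLAN with static addressing only keeps DHCP snooping.
SAMPLE_CONFIG = """
set ethernet-switching-options secure-access-port vlan all examine-dhcp
set ethernet-switching-options secure-access-port vlan all ip-source-guard
set ethernet-switching-options secure-access-port vlan all arp-inspection
set ethernet-switching-options secure-access-port vlan legacy-static examine-dhcp
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members staff
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members legacy-static
"""

# VLANs that RADIUS may push to any dot1x port (constructed example values).
DYNAMIC_VLANS = {"printers", "phones"}

_VLAN_RE = re.compile(r"secure-access-port vlan (\S+) (\S+)$")
_MEMBER_RE = re.compile(
    r"^set interfaces (\S+) unit \d+ family ethernet-switching vlan members (\S+)$")

def parse(config):
    """Return (feature set per VLAN name incl. 'all', static VLAN members per port)."""
    features, members = defaultdict(set), defaultdict(set)
    for line in config.strip().splitlines():
        if m := _VLAN_RE.search(line):
            if m.group(2) in FEATURES:
                features[m.group(1)].add(m.group(2))
        elif m := _MEMBER_RE.match(line):
            members[m.group(1)].add(m.group(2))
    return features, members

def effective(features, vlan):
    """Assumption: an explicit per-VLAN stanza replaces the 'vlan all' defaults."""
    return frozenset(features[vlan] if vlan in features else features.get("all", set()))

def find_mismatches(config, dynamic_vlans):
    """Ports whose static VLAN and any RADIUS-assignable VLAN disagree on settings.

    Returns {port: {vlan: [features]}} for every port that needs attention."""
    features, members = parse(config)
    problems = {}
    for port, static in members.items():
        profiles = {v: effective(features, v) for v in static | dynamic_vlans}
        if len(set(profiles.values())) > 1:
            problems[port] = {v: sorted(f) for v, f in profiles.items()}
    return problems
```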