Re: [j-nsp] EX4200: Ricoh printers, DHCP Snooping, dot1x Dynamic VLAN assignments

2017-07-10 Thread Jason Healy
On Jul 10, 2017, at 8:22 PM, Chuck Anderson wrote:
> 
> Is anyone using EX4200 with DHCP Snooping + dot1x Dynamic VLAN
> assignments?

Yes, we've been running that setup for several years on EX3200 and 4200 VC 
setups campus-wide.  During the first year we hit several bugs with the dot1x 
process having memory leaks and some other issues, but things stabilized and have 
been solid for a while.  We dynamically assign VLANs for all printers and 
phones so they can be plugged into any port on campus and put on the correct 
VLAN.  We don't use voice VLANs.

There are occasional log messages about ARP inspection, but I believe it's 
devices that aren't renewing their leases often enough or aren't transmitting 
enough traffic to stay in the MAC table.  We've set our monitoring software to 
ping or probe all printers once a minute and that keeps everything active in 
the MAC tables.  We're also looking at cranking up the global mac aging timeout.

> I've also discovered that all VLANs that might end up being assigned
> to a port either statically or dynamically or via the VOIP VLAN
> feature must have matching examine-dhcp/ip-source-guard/arp-inspection
> settings under ethernet-switching-options secure-access-port.

Yes.  We have a "vlan all" for everything, and then carve out exceptions for 
VLANs that have old devices that use static addressing and won't support DAI.

Jason
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
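Putting the two posts together as a worked configuration (an added example for this page, not something either poster sent): non-ELS Junos set commands for the "vlan all" port-security baseline Chuck describes, the per-VLAN carve-out Jason describes for statically addressed gear, a trusted uplink so snooping does not drop the server's OFFER/ACK, and an 802.1X access port with MAC RADIUS fallback for printers that have no supplicant. The VLAN names (printers, legacy-static), interface numbers, RADIUS server address, shared secret and profile name are all hypothetical.

```junos
## Added example, not from the thread. EX3200/EX4200, Junos 12.x (non-ELS) syntax.
## VLAN names, interface numbers, RADIUS address/secret and profile name are hypothetical.

set vlans printers vlan-id 200
set vlans legacy-static vlan-id 300

## Port security must be identical on every VLAN a port could end up in
## (static members, RADIUS-assigned VLAN, voice VLAN), so enable it for all
## VLANs instead of listing them one by one and missing a dynamically assigned one.
set ethernet-switching-options secure-access-port vlan all examine-dhcp
set ethernet-switching-options secure-access-port vlan all arp-inspection
set ethernet-switching-options secure-access-port vlan all ip-source-guard

## Carve-out: a VLAN holding legacy devices with static addresses. They never
## DHCP, so there is no snooping binding for DAI/IPSG to validate against, and
## their ARP and IP traffic would be dropped. Disable all three there.
set ethernet-switching-options secure-access-port vlan legacy-static no-examine-dhcp
set ethernet-switching-options secure-access-port vlan legacy-static no-arp-inspection
set ethernet-switching-options secure-access-port vlan legacy-static no-ip-source-guard

## Keep the snooping binding table across reboots; otherwise every client has to
## renew before DAI/IPSG will pass its traffic again.
set ethernet-switching-options secure-access-port dhcp-snooping-file location /var/tmp/dhcp_snoop.db
set ethernet-switching-options secure-access-port dhcp-snooping-file write-interval 300

## Uplink toward the DHCP server: trunk carrying all VLANs, trusted for DHCP.
## Without dhcp-trusted the switch discards the server replies arriving on it.
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members all
set ethernet-switching-options secure-access-port interface ge-0/1/0.0 dhcp-trusted

## RADIUS profile used by dot1x. Dynamic VLAN comes back in the Access-Accept as
## the RFC 3580 attributes: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802,
## Tunnel-Private-Group-Id="printers" (VLAN name or ID must exist on the switch).
set access radius-server 192.0.2.10 secret "hypothetical-secret"
set access profile dot1x-profile authentication-order radius
set access profile dot1x-profile radius authentication-server 192.0.2.10
set protocols dot1x authenticator authentication-profile-name dot1x-profile

## Access port: any VLAN may be assigned here, which is why "vlan all" above matters.
## mac-radius lets the switch authenticate by MAC for printers without a supplicant.
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode access
set protocols dot1x authenticator interface ge-0/0/10.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/10.0 mac-radius

## Operational checks after a printer is plugged in:
##   show dot1x interface ge-0/0/10.0 detail   -> authenticated, and which VLAN was assigned
##   show dhcp snooping binding                -> the printer's MAC/IP/VLAN binding exists
##   show arp inspection statistics            -> drops climbing on a VLAN means a missing binding
##   show ip-source-guard                      -> the binding IPSG is filtering against
```

If a printer is in a VLAN where the RADIUS-assigned VLAN does not appear in `show dhcp snooping binding` after it should have leased an address, the first thing to compare is the `secure-access-port vlan` settings of its static VLAN versus the dynamically assigned one; a mismatch there reproduces the "can DHCP but cannot pass traffic afterwards" symptom described in the thread, since DAI and IPSG on one VLAN have no binding learned on the other.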


[j-nsp] EX4200: Ricoh printers, DHCP Snooping, dot1x Dynamic VLAN assignments

2017-07-10 Thread Chuck Anderson
Is anyone using EX4200 with DHCP Snooping + dot1x Dynamic VLAN
assignments?  I appear to be hitting bugs where some devices can't
DHCP (such as Ricoh printer/copier/fax/scanners), or once they do DHCP
they can't communicate through the EX4200 switch port.  It seems I can
make things work better by statically configuring the VLAN on the port
rather than relying on dot1x RADIUS to dynamically assign the VLAN.

I've also discovered that all VLANs that might end up being assigned
to a port either statically or dynamically or via the VOIP VLAN
feature must have matching examine-dhcp/ip-source-guard/arp-inspection
settings under ethernet-switching-options secure-access-port.  The
easiest way to accomplish this is to use "ethernet-switching-options
secure-access-port vlan all" rather than specify individual VLANs.

But even then I'm still having problems when combined with RADIUS
Dynamic VLANs.  I'm using 12.3R12-S3.1.

Thanks.