/r/Juniper
Welcome to the Juniper subreddit, a Subreddit dedicated to discussing Routers, Switches and Security Appliances manufactured by Juniper.
Using vJunos-Switch,
If I can do it on a specific L2 interface, can someone point me or show me the ELS command to do so.
So far I only see options to set it per VLAN.
Topic: I've set up DHCP snooping (although it's enabled by default), and I would like to view the snooping table on a vJunos-Switch, which uses ELS commands.
How do I do this?
Literally read 3 documents on Google; all seem to point to the traditional command syntax.
Have vEX ge-0/0/7 as access vlan 10
vEX is the relay agent
trunk ge-0/0/6 between vEX1 and vEX.
vEX1 is server.
Have relay and server configured. Relay seems to be working fine:
root> show dhcp relay statistics
Packets dropped:
Total 0
Messages received:
BOOTREQUEST 9
DHCPDECLINE 0
DHCPDISCOVER 9
Wireshark capture on vEX1 shows it is receiving Discover packets. vEX1 does not seem to be replying. I can ping from the VPCS host to both the vEX (relay) and vEX1 (server) IRBs.
Here are configs: vEX
processes {
    dhcp-service {
        traceoptions {
            file dhcp_logfile size 10m;
            level all;
            flag packet;
        }
    }
}
interfaces {
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 10;
                }
            }
        }
    }
    irb {
        unit 10 {
            description management1;
            family inet {
                address 172.23.10.1/24;
            }
        }
    }
}
forwarding-options {
    dhcp-relay {
        forward-only;
        server-group {
            dhcp-servers {
            }
        }
        group relay-group {
            active-server-group dhcp-servers;
            interface irb.10;
        }
    }
}
vlans {
    management1 {
        vlan-id 10;
        l3-interface irb.10;
    }
}
Configuration for vEX1 (the server):
services {
    dhcp-local-server {
        group dhcp-group {
            interface irb.10;
        }
    }
    ##
    ## Warning: configuration block ignored: unsupported platform (ex9214)
    ##
    dhcp {
        pool 172.23.10.3/24 {
            router {
            }
        }
    }
}
access {
    address-assignment {
        pool POOl1 {
            family inet {
                network 172.23.10.0/24;
                range RANGE {
                    low 172.23.10.3;
                    high 172.23.10.55;
                }
                dhcp-attributes {
                    server-identifier 172.23.10.2;
                }
            }
        }
    }
}
Edit: Figured it out with this command:
set system services dhcp pool 172.23.10.3/24 router 172.23.10.2
The new ELS command structure sucks, makes following the docs and workbooks difficult for someone starting out
Hey guys,
does somebody know what "lane" really means if I type in the command:
"show interfaces diagnostics optics"
I know I can see the transmit/receive output etc.
But what does "lane" mean? I have a multimode connection between two devices, that's 2 SFPs and 2 cables in total.
kind regards
Configuring Multicast over VPN & MPLS in an environment with Junos and Cisco. Any good configuration examples would be appreciated.
It's Thursday, and you're finally coasting into the weekend. Let's open the floor for a Weekly Question Thread, so we can all ask those Juniper-related questions that we are too embarrassed to ask!
Post your Juniper-related question here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer.
Note: This post is created at 00:00 UTC. It may not be Thursday where you are in the world, no need to comment on it.
So I have been trying to research this type of configuration and have not been able to find what I am really looking for. Lots of things close and for other hardware, like SRX or EX, but not MX.
I have a situation where I have a GRE tunnel configured between an MX router and a firewall on VRF C, and the two GRE endpoints currently have IPs assigned and BGP is up and established. I am trying to take this one step further by removing the BGP from the GRE interfaces and configuring VLAN interfaces in VRFs A, B, F, and J on the MX and then on the firewall. The VLAN interfaces will get PtP IP allocations and have BGP neighbors configured.
Is this possible and can someone point me to a doc with example config snippet.
The goal here is to use a connection that has a few hops, not internet based, and doesn't allow vlan tagging across that connection but does allow GRE. Think hosted cloud connection where the underlying connectivity supports multiple VIF's and we only have access to one of those.
Using a switch lab manual from a few years ago.
I've read Junos OS has gone through some changes. Is the command "edit ethernet-switching-options" deprecated, or is this a vJunos-Switch limitation? I'm trying to add a static MAC entry to a layer 2 interface.
Eve-ng.
If I load it up without connected interfaces, it works.
If I connect the interfaces and then load it, it says it can't load the kernel.
So I need to load it, then shut it off via the "request system power-off" command, then connect devices to it and reload it...?
I saw a similar post years earlier, but there was no clear answer as I didn't find good info in Juniper documentation either.
I would like to gather flow data in a collector and I'm open to any solutions and formats (jflow v9, ipfix whatever). The MX has multiple logical systems configured which makes this difficult. Do you have any recommendation or are you aware of any helpful documentation in this case?
Hi, we have a problem with Security Director (what a surprise): one of our colleagues searched for something in the shared objects - addresses page, which returned too many entries, and now SD is just stuck on loading since it does not forget the search criteria upon login or after some time.
This seems and sounds too trivial, but as funny as it is, it is a real problem 🤣
Any tips for solving this? Thanks for any help in advance.
I've just migrated our edge routers from some Cisco ASR1ks to a pair of EX4400s. We are multihomed, receiving default routes from three WAN circuits: two handoffs from our main ISP and a backup 1Gbps circuit. Transit is flowing as expected, but I'm trying to make the non-active links reachable for external monitoring. It's mostly a nice-to-have for me, but our backup ISP does require that our side of the circuit respond to ping in order for them to provide the SLA.
I need to direct RE-generated traffic on my side of the non-active WAN links out of their respective interfaces (instead of the BGP best path). For example, in normal operation all outbound traffic will flow through ISP 1 handoff 1, so if I try to ping the backup interface at 192.51.100.2 from the internet, the response will be sent through main handoff 1. This is fine when trying to ping the main ISP's second handoff (asymmetric routing works), but this doesn't work for the backup ISP as the main ISP sees an unrelated subnet and filters the traffic.
On Cisco, I used policy-based routing in the "ip local" context to define the next-hop for a given source address. I'm having trouble figuring this out on these EXs, though. I've tried the standard FBF setup of forwarding-type routing-instances with RIB groups and static routes to define the next-hop, but it appears that this simply isn't supported for RE-sourced traffic (I'm applying the FBF at the lo0.0 output). When I have the output filter in place, affected traffic like BGP sessions or manually sourced pings returns "Operation not permitted". This is the only discussion I can find on the topic.
Surely this is doable - what am I missing?
Hey all
I have an AP here at my house that has been running just fine for several months now. Over the weekend I noticed a bunch of my IoT-type devices had dropped off the wireless network.
Looking into Mist, I see the normal RRM changes, but I also see a change Mist made, and right after that all my clients dropped.
Configured. 2:19:47.106 AM Oct 27, 2024
Then for the description of the change it says
This event has no details
Is there any way I can see what was changed?
edit - Solution is in the comments, but Mist RRM decided to change my dual-band radio from 2.4 to 5 GHz for some random reason, even though I had ~12 clients that could only connect to 2.4. Also, FWIW, Marvis was completely useless in this instance. Once the RRM decided to change the dual-band radio to 5 GHz, the AP and subsequently Marvis couldn't see the issue.
TBH, with all the hype of Marvis and AI, I am disappointed that the AI wasn't smart enough to see it lost almost 50% of its clients and revert that change to see if it resolved it.
Hello guys, please advise what is included in the MX240 premium bundle vs the base bundle? Does it include SCBE cards as well as the RE in that bundle? Or is it just the chassis price and no components? Does anyone have an MX series BOM to see what goes into the hardware configuration?
Thanks
Hi everyone,
I have the following scenario, a factory reset RE-S-1800x4 (previously configured as a slave RE) installed in an MX480, taken out and installed in an MX240 chassis as a master RE.
First, booting just with SCB. With SCBE or SCBE2, it isn't booting... no console at all.
Second, if I execute "show chassis hardware", I get the title error "Aborted! This command can only be used on the master routing engine."
The RE came with Junos OS 21 (I don't remember the exact version number). I downgraded to Junos OS 20.4R3-S5.4 but still had the same problem; everything stayed the same.
I also tried the "request system zeroize" command, which is doing the job. The router reboots at the end, but I still get the title error message when I try "show chassis hardware" or other commands.
Thanks,
Alex
I have 2 WAN interfaces in the same zone with ping configured. 1 interface is the primary connection, and the other a backup. Whilst I can ping the external interface of the primary connection, I cannot ping the backup.
static {
route 0.0.0.0/0 {
next-hop 213.X.X.X;
qualified-next-hop pp0.0 {
preference 25;
}
}
}
Is there anything I can do to have the backup interface respond? The backup connection is up and running, and I can ping out from it.
So, as I mentioned, I am new to Juniper, and on my switch (EX4200-48T 8POE + 4x1/10 SFP) I am seeing constant flashing of the speed LED. It's driving me nuts and playing tricks on my eyes. The LED on the left (status LED) is constantly blinking 2x or 3x depending on the device attached. I get that it's blinking for the speed, but is there a way to stop this? It's rather obnoxious to see lights flashing like this instead of a flicker indicating traffic movement, which is on the right side.
My EX3300-48P only flashes the status light on certain devices, and I read it does this when the device is not operating at the fastest speed possible. I just want the light to stop flashing the link speed constantly. I can understand for the first 30 to 60 seconds, but indefinitely is obnoxious lmao.
I have set the limits of the port to match the device speed, such as for a Brother HL8710DW I set to 100m, then changed to 10m/100m. Still blinks away. Yes, I have hit commit as well. I have configured using the CLI, and tried using the J-Web interface. I'm at a loss.
Thanks in advance!
I am pretty new to the Juniper realm and this is a pretty simple solution with Arista MLAG or Cisco VPC which is what we currently mostly use.
I have been tasked to figure out how to fit Juniper QFX's into our client facing edge for internet delivery.
L3 is pretty easy: each client gets a VLAN that gets provisioned on the core routers as a sub-interface along with their public network, and we run VRRP between the core routers for redundancy. L2 is where the problem comes in. We do not have any way to determine what a client will terminate their redundant handoffs from us into. This could be a couple of switches on their side which they drop the internet into a VLAN and sort it out from there, it could be firewalls directly attached, it could be routers directly attached. With this being said, we need to be able to accommodate the following requirements.
I have looked into Juniper MC-LAG and it has been horrible; it does not work the same as Arista or Cisco. STP doesn't really work along with it, so if the ports are non MC-AEs and a switch gets put on the 2 handoffs it gets looped up.
I have attempted to do a collapsed ESI fabric between the 2 QFXs. This looked promising since I can do an ESI LAG to a customer if they require 2 active handoffs, but I cannot find a way to gracefully handle the orphaned ports heading to the customer and the core routers. I need to be able to prevent MAC flaps between the local QFX port and the remote QFX VXLAN.
We could do Virtual Chassis, but the single control plane is scary to people.
The last solution is simply an L2 STP fabric, but we wouldn't be able to deliver dual-active LACP bundles to anyone if they wanted it.
According to the topics I don't see it in there:
According to this blog post, the JNCIP-ENT it was part of the exam topics, and we should be comfortable with these concepts when taking the JNCIP-ENT:
I'm assuming the JNCIS-ENT doesn't include VXLAN and EVPN? I'm really interested in data centers and VPNs, so I'm choosing between the service provider or DC track.
Hi,
I am installing a new pair of EX4600s. I'm using a templatized install that I have installed maybe 20 pairs with in the last couple of months. The only difference is these are on 21.4R3-S9, where my other pairs' latest version is 21.4R3-S6. I am trying to use a RADIUS server for authentication, but it's not even making the RADIUS attempts.
I'm monitoring outbound on my firewall and I don't even see the Juniper trying to hit the RADIUS server, and whenever I try to connect I'm seeing this pop up in my logs. Anyone know what this is or how to resolve it?
Logs:
Oct 25 12:52:31 <hostname redacted> sshd[3490]: PAM_RADIUS_PUT_MESSAGE_AUTHENTIC_FAIL: Putting message authenticator in radius access request failed with error Message Authenticator not supported, please recompile libradius with SSL support
Oct 25 12:52:31 <hostname redacted> sshd[3490]: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '<redacted>' are denied
Oct 25 12:52:31 <hostname redacted> sshd[3490]: Failed password for <redacted> from 10.<redacted> port 61292 ssh2
Oct 25 12:52:31 <hostname redacted> sshd: SSHD_LOGIN_FAILED: Login failed for user '<redacted>' from host '10.<redacted>'
This is my config:
set system authentication-order radius
set system radius-server 10.<redacted> routing-instance mgmt_junos
set system radius-server 10.<redacted> port 1645
set system radius-server 10.<redacted> secret "<redacted>"
set system radius-server 10.<redacted> source-address 10.<redacted>
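The log line above complains about the RADIUS Message-Authenticator attribute (attribute type 80, defined in RFC 2869): an HMAC-MD5 computed over the entire Access-Request with the shared secret as the key, and with the attribute's own 16 value bytes zeroed while the HMAC is calculated. A server that requires the attribute rejects any request that omits it, which is what a client unable to insert it (as the message says) would produce. The following is an added example, not code from the post or from Junos, that builds such a request, verifies it the way a server does, and shows that a request with the attribute stripped no longer verifies. The shared secret, identifier and attribute values are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14
HEADER_LEN = 20                  # code(1) id(1) length(2) authenticator(16)


def _attr(atype, value):
    """Encode one RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(secret, ident, attrs, authenticator=None):
    """Encode an Access-Request and append a valid Message-Authenticator."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator is random for Access-Request
    body = b"".join(_attr(t, v) for t, v in attrs)
    # The HMAC is computed with the Message-Authenticator value set to 16 zero bytes.
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    # Replace the zero placeholder (the last 16 bytes of the packet) with the real HMAC.
    return header + body[:-16] + mac


def parse_attributes(packet):
    """Return (type, value_offset, value) for every attribute, rejecting malformed lengths."""
    attrs = []
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(secret, packet):
    """Server-side check: exactly one Message-Authenticator, and its HMAC must match."""
    if len(packet) < HEADER_LEN:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    found = [(off, val) for t, off, val in parse_attributes(packet)
             if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != 16:
        return False  # missing or duplicated attribute: reject
    off, val = found[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, val)


def strip_message_authenticator(packet):
    """Re-encode the packet without Message-Authenticator, as a client lacking support would send."""
    out = packet[:HEADER_LEN]
    for t, _, v in parse_attributes(packet):
        if t != ATTR_MESSAGE_AUTHENTICATOR:
            out += _attr(t, v)
    return out[:2] + struct.pack("!H", len(out)) + out[4:]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed value for the example
    req = build_access_request(secret, 7, [(ATTR_USER_NAME, b"alice"),
                                           (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))])
    print("with attribute:", verify_message_authenticator(secret, req))
    print("stripped:      ", verify_message_authenticator(secret, strip_message_authenticator(req)))
```

The verifier recomputes the HMAC over the packet with the attribute zeroed and compares it in constant time; a request with the attribute missing, duplicated, or tampered with after signing fails the check, which is the behaviour a server enforcing Message-Authenticator exhibits.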
Good day,
Attempting to migrate a pair of active/passive PA's from an old Cisco switch to a QFX5120.
We swung both cables from the passive unit to the QFX, interfaces appear up/down as expected on the newly created AE
set interfaces et-0/0/49 description "pf-fw-002 - eth21"
set interfaces et-0/0/49 ether-options 802.3ad ae49
set interfaces et-1/0/49 description "pf-fw-002 - eth22"
set interfaces et-1/0/49 ether-options 802.3ad ae49
set interfaces ae49 description "pf-fw-002 - Palo Alto - ae1"
set interfaces ae49 aggregated-ether-options lacp active
set interfaces ae49 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae49 unit 0 family ethernet-switching vlan members all
The active unit remains connected to a cisco nexus device to handle traffic.
After forcing the active to suspended on the PA, we aren't able to communicate out from the PA.
For example, before failover, the active FW (connected to Cisco) is able to ping its default gateway.
After failover, the active FW (connected to Juniper) is not able to ping its default gateway.
I've created an L3 interface in the same VLAN as the default gateway on the Juniper and am able to ping the gateway without issue, making me wonder if I'm running into a port configuration issue.
Happy to share any additional information if required.
Hello! I am very new to Junos, but here is my current issue:
We have a device sending data to our system. The firewall rn has been messed around with too much, I think. I just want to allow all traffic coming in on this port (for example ge-0/0/0).
What are the basic configs for it?
My trust zone is INTERNAL.
thank you and sorry in advance for the weak explanation
Any links to a website or suggestion for a lab manual or book to get some more hands on training with vQFX data center switches?
For example this site has about 10 labs but no explanations:
https://tisnaahe.wordpress.com/2019/12/01/lab-25-juniper-mc-lag-vqfx/
For someone new to DC concepts some explanations help.
I realize labs not needed for JNCIA level, but no labs = missed opportunity
I don't really need basic switching, I want to lab data center concepts (MC-LAG, Ether Load balancing, maybe a basic OSPF Ip fabric underlay, heck even some wireshark captures and explanations...)
If you have a Professional or Expert Cisco cert in Routing, Switching, Security or Wireless, you can go directly to the corresponding Specialist or Professional certification exam and get a 75% off voucher too.
https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=13858#openModalBtn
Using switches 17.4.R.1 in GNS3. Fresh load have not turned them off. The switches can ping themselves but not across interfaces or cannot pass VLAN traffic. I managed to get it working on one occasion 2 days ago while doing a lab manual, attempted to recreate no luck.
I am using both a PFE with 2048 GB and a RE with 4096 GB connected on EM1.
EM3-Em...x is labeled xe-0/0./x
EM1 RE is connected to EM1 PFE ~ RE and PFE can ping. RE can ping itself
When I ping wireshark shows a ping in the output but there's 100% packet loss every time. This is leading me to believe it may be an interface configuration in the GNS template configuration.
Here is my config:
2VPCU's, 4096 memory Disk Image: jinstall-vqfx-10-f-17.4R1.16.img Network Type: virtio-net-pci Individual interfaces: virtio-net-pci
I've tried mixing the interfaces with vmxnet3 on the template and e1000 on the individual.
I cannot ping a point to point layer 3 interface from switch to hosts nor can I pass vlan traffic within the same vlan on the same switch
My RE options:-nographic -smp 2
My PFE is 2048 and I've never changed the e1000 it has worked with this set up before (maybe it was however 1024 MB at the time)
Any suggestions?
here's an example:
I just spun up a 17.4R1 and set the interface xe-0/0/0 with:
set interface xe-0/0/0 unit 0 family inet address 10.0.0.1/24
delete interface xe-0/0/0/0 unit 0 family inet dhcp
commit
VPCS: ip 10.0.0.2, then ping 10.0.0.1: timeout, timeout, timeout, timeout. Wireshark shows an ICMP request with no response.
Now when I ping from the switch to the VPCS, Wireshark shows a ping and echo reply. Wireshark value:
Response Frame 11: Oct 24, 2024 11:38:49.909955000 Pacific Daylight Time
but my switch: --- 10.0.0.2 ping statistics ---
52 packets transmitted, 0 packets received, 100% packet loss
this leads me to believe my interface configurations in the template may be errored
I have the above issue with 2 switches with virtio interfaces 4096 mb, with the PFE at 1024 and 2048 MB respectively
Edit:
Just spun up a third: deleted the entire interface xe-0/0/0 first, then set the family inet and IP. Same exact behavior. virtio interface.
ping bypass-routing and ping interface xe-0/0/0 10.0.0.2 do not work; same behavior.
Edit:
It seems to work now after using this reddit thread advice and killing the PID. I killed the PID after my configurations and let it reload and it seems to ping across interfaces now.
https://www.reddit.com/r/Juniper/comments/s6f9di/if_youre_experiencing_issues_with_vqfx_in_eveng/
For people saying use vEX or vJunos-Switch
I am practicing DC switching and brushing up on some theory so I can add the skills to my resumé alongside a JNCIA-DC...
After this I may go for a JNCIS-SP and a JNCIP-DC after that. So I need hands on practice as I have no experience with Juniper, and I thought it was ridiculous Juniper not coming out with reliable images.
Hi All,
Currently running a trial of some SSR equipment. Looks like SNMP & SYSLOG traffic are not an option within the MIST portal.
I have managed to configure locally via remote shell but there is no option to apply a CLI template to the SSR devices.
Support techs & SA are also telling me is not an option & possibly going to be removed for switches & APs in the future.
For us it might not be the platform, but I just wanted to hear if anyone has managed to configure this within the MIST portal, as the rest of our requirements are already met...
TIA
It's Thursday, and you're finally coasting into the weekend. Let's open the floor for a Weekly Question Thread, so we can all ask those Juniper-related questions that we are too embarrassed to ask!
Post your Juniper-related question here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer.
Note: This post is created at 00:00 UTC. It may not be Thursday where you are in the world, no need to comment on it.
we have a MX480 with software 15.1R6.7 running on the RE.
I created a bootable USB with release 22.4R3-S3.3.
When the system boots from the USB I get a "CPU doesn't support long mode" error.
Anyone run into this?
I get the same error on both REs.
Problem solved. Thanks everyone.
The customer was using old REs:
RE-S-2000-4096-S
Hi, I am new to Juniper, coming from Cisco. There I have multiple loopback interfaces.
I also have more loopback interfaces in use on Cisco routers in the same VRF or global:
for dial-up interfaces (DSL, LTE) where I have fixed IP services, to use them in NAT statements and as the source for GRE or VPN tunnels. Multiple loopbacks for multiple tunnels to different devices on remote site(s).
on central devices, to be able to split one device to enhance capacity: the VPN tunnels move together with their source address providing the tunnel interface to a new device, so I don't need to reconfigure hundreds of remote devices to use a new VPN tunnel destination.
on some constructions where the same IP is configured on multiple interfaces as "ip unnumbered loopback 1234".
I already found that I can create for each VRF ONE loopback unit in that VRF for OSPF etc. (Is that also needed for the null/discard interface so one could null route inside a VRF?)
How shall I do the other usages on Juniper?
I have a set of SRXes to play with, also VDSL and LTE modules for dial-up and backup scenarios.
I have a Juniper QFX5100 which suddenly isn't letting me in via telnet.
It's been up for 9 years and it's still routing traffic fine, I just can't get remote access. You type the username and password and it then kicks you out with a quick error about "/usr/libexec/ld-elf.so.1: Cannot open "/usr/lib/libjunoscript.so.1"
With Cisco sometimes the VTY lines can get full if they've not been closed properly. I'm wondering if the same could be true of Juniper? Is there a process I can restart when on site rather than having to reboot the whole QFX and cause downtime?
thanks!