/r/Juniper

Welcome to the Juniper subreddit, a Subreddit dedicated to discussing Routers, Switches and Security Appliances manufactured by Juniper.


Rules

  1. No threatening/harassing
  2. No spam/advertising
  3. No requests such as:
     1. Requests for or posting of software without a service contract
     2. Requests or posting of certification braindumps
  • Stay on topic
  • Meta posts may only be posted with moderator approval.
  • Any post that fails to display a minimal level of effort prior to asking for help is at risk of being locked or deleted.

    20,108 Subscribers

    1

    SRX "any" zone wildcard

    I am wondering how the heck you do a wildcard zone.

    I really thought it was <*>. Doing 'any' or '*' throws up an error:

    (I am sorry Reddit screwed up the formatting)

    from-zone MDC-EXT to-zone * {
        ##
        ## Warning: Security zone must be defined
        ## Warning: Security zone must be defined
        ##
        policy deny-mdc-ext-all {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                reject;
                log {
                    session-init;
                }
            }
        }
    }

    from-zone MDC-EXT to-zone any {
        ##
        ## Warning: Security zone must be defined
        ## Warning: Security zone must be defined
        ##
        policy deny-mdc-ext-all {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                reject;
                log {
                    session-init;
                }
            }
        }
    }

    If I do <*> then there is no error.

    from-zone MDC-EXT to-zone <*> {
        policy deny-mdc-ext-all {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                reject;
                log {
                    session-init;
                }
            }
        }
    }

    But then when I do a commit check it fails:

    [edit security policies from-zone MDC-EXT to-zone <*> to-zone]
      'to-zone <*>'
        Security zone must be defined
    error: configuration check-out failed

    There is no way Juniper is going to make me do individual policies for every destination zone and source zone. (in this instance yes I can delete this deny and just have it be caught by the implicit but I have other rules that depend on 'any' destination or source zone) What is the proper syntax for 'any' zone? Config checkout fails for <*> source zone too.

    3 Comments
    2024/12/02
    03:30 UTC

    3

    SRX320 port forwarding with virtual routers

    Hi, I'm in need of some help. If anyone has ideas or knows what I'm missing, then please help.

    We have a remote site with a VPN tunnel back to our main site where all traffic is directed. This is in its own virtual router on the SRX, Prod-vr. We administer the SRX remotely via ssh'ing to its external IP address. This all works fine.

    We have now rented out a space at this site to a 3rd party who want to attach their own router and remote manage it via ssh and HTTPS.

    I have created a new virtual router for them, Customer2, and assigned a DHCP scope to it to allow a single IP, which is given to their router's WAN interface. This then provides internet access for all of Customer 2.

    However, when it comes to remote management of their equipment I can't seem to get the port forwarding routing correctly. I have checked by doing a port scan to confirm the external port is open, but I don't get to the 3rd party's router admin via ssh or HTTPS. I believe I have opened up ports 20022 and 20443 for SSH and HTTPS port forwarding and created applications.

    Can anyone see what I am missing? Thanks

    Config below has been altered for names and IP's etc.

    192.168.200.0/30 Network assigned to Customer2

    192.168.254.0/24 Network used at Customer2 internal network

    213.x.x.x/32 our external IP

    10.10.10.0/24 Our internal Prod-vr range

    set security nat source rule-set Customer2-NAT-Out from zone Customer2
    set security nat source rule-set Customer2-NAT-Out to zone Untrust
    set security nat source rule-set Customer2-NAT-Out rule Customer2-NAT match source-address 192.168.200.0/30
    set security nat source rule-set Customer2-NAT-Out rule Customer2-NAT match destination-address 0.0.0.0/0
    set security nat source rule-set Customer2-NAT-Out rule Customer2-NAT then source-nat interface
    set security nat source rule-set NAT-Out from zone Trust
    set security nat source rule-set NAT-Out to zone Untrust
    set security nat source rule-set NAT-Out rule interface-nat match source-address 10.10.10.0/24
    set security nat source rule-set NAT-Out rule interface-nat match destination-address 0.0.0.0/0
    set security nat source rule-set NAT-Out rule interface-nat then source-nat interface
    set security nat destination pool Customer2-SSH description "Customer2 for Wessex SSH"
    set security nat destination pool Customer2-SSH routing-instance Customer2-vr
    set security nat destination pool Customer2-SSH address 192.168.200.2/32
    set security nat destination pool Customer2-SSH address port 22
    set security nat destination pool Customer2-HTTPS description "Customer2 for Wessex HTTPS"
    set security nat destination pool Customer2-HTTPS routing-instance Customer2-vr
    set security nat destination pool Customer2-HTTPS address 192.168.200.2/32
    set security nat destination pool Customer2-HTTPS address port 443
    set security nat destination rule-set Customer2-NAT-In from zone Untrust
    set security nat destination rule-set Customer2-NAT-In rule Customer2-NAT-In-SSH match destination-address 213.x.x.x/32
    set security nat destination rule-set Customer2-NAT-In rule Customer2-NAT-In-SSH match destination-port 20022
    set security nat destination rule-set Customer2-NAT-In rule Customer2-NAT-In-SSH then destination-nat pool Customer2-SSH
    set security nat destination rule-set Customer2-NAT-In rule Customer2-NAT-In-HTTPS match destination-address 213.x.x.x/32
    set security nat destination rule-set Customer2-NAT-In rule Customer2-NAT-In-HTTPS match destination-port 20443
    set security nat destination rule-set Customer2-NAT-In rule Customer2-NAT-In-HTTPS then destination-nat pool Customer2-HTTPS
    set security policies from-zone Customer2 to-zone Untrust policy Customer2-Out match source-address addr_192.168.200.0/30
    set security policies from-zone Customer2 to-zone Untrust policy Customer2-Out match destination-address any
    set security policies from-zone Customer2 to-zone Untrust policy Customer2-Out match application any
    set security policies from-zone Customer2 to-zone Untrust policy Customer2-Out then permit
    set security policies from-zone Customer2 to-zone Untrust policy Customer2-Out then log session-init
    set security policies from-zone Customer2 to-zone Untrust policy Customer2-Out then count
    set security policies from-zone Untrust to-zone Customer2 policy Customer2-In match source-address addr_213.x.x.x/32
    set security policies from-zone Untrust to-zone Customer2 policy Customer2-In match destination-address any
    set security policies from-zone Untrust to-zone Customer2 policy Customer2-In match application Customer2-APP-SSH
    set security policies from-zone Untrust to-zone Customer2 policy Customer2-In match application Customer2-APP-HTTPS
    set security policies from-zone Untrust to-zone Customer2 policy Customer2-In then permit
    set security policies from-zone Untrust to-zone Customer2 policy Customer2-In then log session-init
    set security policies from-zone Untrust to-zone Customer2 policy Customer2-In then count
    set security zones security-zone Untrust screen untrust-screen
    set security zones security-zone Untrust host-inbound-traffic system-services ike
    set security zones security-zone Untrust host-inbound-traffic system-services ssh
    set security zones security-zone Untrust interfaces ge-0/0/4.0
    set security zones security-zone Untrust interfaces pp0.0
    set security zones security-zone VPN interfaces st0.0
    set security zones security-zone MGMT address-book address addr_10.10.10.254/32 10.10.10.254/32
    set security zones security-zone MGMT interfaces lo0.0 host-inbound-traffic system-services netconf
    set security zones security-zone MGMT interfaces lo0.0 host-inbound-traffic system-services ssh
    set security zones security-zone Customer2 address-book address addr_192.168.200.0/30 192.168.200.0/30
    set security zones security-zone Customer2 address-book address addr_192.168.254.0/24 192.168.254.0/24
    set security zones security-zone Customer2 interfaces irb.1100 host-inbound-traffic system-services dhcp
    set security zones security-zone Customer2 interfaces irb.1100 host-inbound-traffic system-services ssh
    set security zones security-zone Customer2 interfaces ge-0/0/1.0
    set interfaces ge-0/0/1 description "Uplink to Customer2"
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.200.1/30
    set interfaces ge-0/0/4 description "PPP over Ethernet port"
    set interfaces ge-0/0/4 unit 0 encapsulation ppp-over-ether
    set interfaces irb unit 1100 family inet
    set interfaces pp0 unit 0 family inet filter input Management
    set firewall filter Customer2-In term Allow-Customer2-Management from source-address 0.0.0.0/0
    set firewall filter Customer2-In term Allow-Customer2-Management from protocol tcp
    set firewall filter Customer2-In term Allow-Customer2-Management from destination-port 20443
    set firewall filter Customer2-In term Allow-Customer2-Management from destination-port 20022
    set firewall filter Customer2-In term Allow-Customer2-Management from destination-port ssh
    set firewall filter Customer2-In term Allow-Customer2-Management then accept
    set firewall filter Customer2-In term deny_everything_else then discard
    set firewall filter Management term block_non_headoffice from source-address 0.0.0.0/0
    set firewall filter Management term block_non_headoffice from source-address X.X.X.X/32 except (main Site external IP)
    set firewall filter Management term block_non_headoffice from protocol tcp
    set firewall filter Management term block_non_headoffice from destination-port ssh
    set firewall filter Management term block_non_headoffice then discard
    set firewall filter Management term accept_everything_else then accept
    set routing-instances Customer2-vr interface ge-0/0/1.0
    set routing-instances Customer2-vr interface irb.1100
    set routing-instances Customer2-vr instance-type virtual-router
    set routing-instances Customer2-vr system services dhcp-local-server group Customer2-grp interface irb.1100
    set routing-instances Customer2-vr access address-assignment pool Customer2-grp family inet network 192.168.200.0/30
    set routing-instances Customer2-vr access address-assignment pool Customer2-grp family inet range r1 low 192.168.200.2
    set routing-instances Customer2-vr access address-assignment pool Customer2-grp family inet range r1 high 192.168.200.2
    set routing-instances Customer2-vr access address-assignment pool Customer2-grp family inet dhcp-attributes maximum-lease-time 3600
    set routing-instances Customer2-vr access address-assignment pool Customer2-grp family inet dhcp-attributes name-server 8.8.8.8
    set routing-instances Customer2-vr access address-assignment pool Customer2-grp family inet dhcp-attributes name-server 1.1.1.1
    set routing-instances Customer2-vr access address-assignment pool Customer2-grp family inet dhcp-attributes name-server 8.8.4.4
    set routing-instances Customer2-vr access address-assignment pool Customer2-grp family inet dhcp-attributes router 192.168.200.1
    set routing-instances Customer2-vr routing-options static route 0.0.0.0/0 next-table inet.0
    set applications application Customer2-APP-SSH protocol tcp
    set applications application Customer2-APP-SSH source-port 20022
    set applications application Customer2-APP-SSH destination-port 22
    set applications application Customer2-APP-HTTPS protocol tcp
    set applications application Customer2-APP-HTTPS source-port 20443
    set applications application Customer2-APP-HTTPS destination-port 443
    set vlans Customer2-vlan vlan-id 1100
    set vlans Customer2-vlan l3-interface irb.1100
    set routing-options interface-routes rib-group inet group1
    set routing-options static route 0.0.0.0/0 next-hop pp0.0

    2 Comments
    2024/12/01
    14:17 UTC
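A static check a practitioner can run over the posted set commands, added here as an example (not the poster's code and not a Juniper tool). It encodes two Junos behaviours: security policy lookup happens after destination NAT, so the Untrust-to-Customer2 policy's application must match the translated (pool) port rather than the public port, and inbound clients use ephemeral source ports, so an application that pins source-port cannot match them. The CONFIG lines are copied from the post above; the parser only understands the handful of statement shapes it needs.

```python
"""Static check of SRX destination-NAT port forwarding (added example; not the
poster's code and not a Juniper tool). Two Junos behaviours are encoded:
  1. Policy lookup happens after destination NAT, so the inbound policy's
     application must match the translated (pool) port, not the public port.
  2. An inbound client's source port is ephemeral, so an application that pins
     source-port can never match the connection.
CONFIG holds the relevant set lines copied from the post above."""
import shlex

CONFIG = """
set security nat destination pool Customer2-SSH routing-instance Customer2-vr
set security nat destination pool Customer2-SSH address 192.168.200.2/32
set security nat destination pool Customer2-SSH address port 22
set security nat destination pool Customer2-HTTPS address 192.168.200.2/32
set security nat destination pool Customer2-HTTPS address port 443
set security nat destination rule-set Customer2-NAT-In from zone Untrust
set security nat destination rule-set Customer2-NAT-In rule Customer2-NAT-In-SSH match destination-port 20022
set security nat destination rule-set Customer2-NAT-In rule Customer2-NAT-In-SSH then destination-nat pool Customer2-SSH
set security nat destination rule-set Customer2-NAT-In rule Customer2-NAT-In-HTTPS match destination-port 20443
set security nat destination rule-set Customer2-NAT-In rule Customer2-NAT-In-HTTPS then destination-nat pool Customer2-HTTPS
set security policies from-zone Untrust to-zone Customer2 policy Customer2-In match application Customer2-APP-SSH
set security policies from-zone Untrust to-zone Customer2 policy Customer2-In match application Customer2-APP-HTTPS
set applications application Customer2-APP-SSH protocol tcp
set applications application Customer2-APP-SSH source-port 20022
set applications application Customer2-APP-SSH destination-port 22
set applications application Customer2-APP-HTTPS protocol tcp
set applications application Customer2-APP-HTTPS source-port 20443
set applications application Customer2-APP-HTTPS destination-port 443
"""


def parse(config):
    """Pull applications, destination-NAT pools/rules and policy application
    references out of 'set' lines; every other statement is ignored."""
    apps, pools, rules, policies = {}, {}, {}, []
    for line in config.splitlines():
        t = shlex.split(line)
        if not t:
            continue
        if t[1:3] == ["applications", "application"] and len(t) >= 6:
            apps.setdefault(t[3], {})[t[4]] = t[5]            # NAME KEY VALUE
        elif t[1:5] == ["security", "nat", "destination", "pool"] and t[6:7] == ["address"]:
            key = "port" if t[7] == "port" else "address"     # 'address A/32' or 'address port N'
            pools.setdefault(t[5], {})[key] = t[-1]
        elif t[1:5] == ["security", "nat", "destination", "rule-set"] and t[6:7] == ["rule"]:
            rule = rules.setdefault(t[7], {})
            if t[8:10] == ["match", "destination-port"]:
                rule["public_port"] = t[10]
            elif t[8:11] == ["then", "destination-nat", "pool"]:
                rule["pool"] = t[11]
        elif t[1:3] == ["security", "policies"] and t[9:11] == ["match", "application"]:
            policies.append({"name": t[8], "app": t[11]})
    return apps, pools, rules, policies


def lint(config):
    """Return a list of human-readable findings (empty when the forward looks consistent)."""
    apps, pools, rules, policies = parse(config)
    findings = []
    # Behaviour 2: a pinned source-port on an inbound application never matches.
    for pol in policies:
        app = apps.get(pol["app"], {})
        if "source-port" in app:
            findings.append(
                f"policy {pol['name']}: application {pol['app']} pins source-port "
                f"{app['source-port']}; inbound clients use ephemeral source ports, "
                f"so this application never matches")
    # Behaviour 1: some policy application must match the post-NAT port of each forward.
    for name, rule in rules.items():
        translated = pools.get(rule.get("pool"), {}).get("port")
        if translated is None:
            continue  # pool keeps the original port, nothing to compare
        if not any(apps.get(p["app"], {}).get("destination-port") == translated for p in policies):
            findings.append(
                f"dest-NAT rule {name}: public port {rule.get('public_port')} is translated to "
                f"{translated}, but no policy application matches destination-port {translated} "
                f"(policy is evaluated after NAT)")
    return findings


if __name__ == "__main__":
    for finding in lint(CONFIG) or ["no findings"]:
        print(finding)
```

On the posted lines the check reports the two pinned source ports and nothing else; dropping those two source-port statements leaves the forward consistent with the pool ports.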

    2

    EX3400 QinQ config help

    Hi all,

    I've recently (read: right now) been lumped with replacing 2x Cisco 3750X switches with 2x Juniper EX3400s. Most things have worked out, but I need to set up QinQ between them and it's just not going well.

    I'm following the guide https://supportportal.juniper.net/s/article/EX-Understanding-and-configuring-802-1Q-Q-in-Q-dot1q-tunneling?language=en_US as it seems to pretty accurately describe what I'm after. I've got 2x 10G ports in a LAG on each, and I'm trying to trunk a vlan between them, then hand that off to a 3rd 10G port as an S vlan, capturing all C vlans presented there. My LAG ports and trunk work; if I put an IP on an IRB interface within that VLAN I can ping switch to switch. It's just not doing QinQ between them.

    Is there anything from the above guide that could be missing?

    8 Comments
    2024/11/30
    12:53 UTC

    30

    Replaced 100% of our EX4400 switches. The s**t show continues.

    So the rot has finally ended, hopefully. We got notice from Juniper that another batch of our EX4400 have a faulty PoE power module/controller and should be replaced proactively. This means that we've now replaced every EX4400 we've purchased: ~70.

    About 1/3rd were replaced under a previous advisory, 1/3 went back via RMA. Some of the RMA replacements were also RMA'd and now this.

    We've had Juniper's EX4400 developers out as they would like us to believe that "we're the only ones experiencing this" but I know from friends at a large medical establishment that this isn't the case. They're at 150+ returns (failures and proactive replacement) and counting...

    ... the explanation given: The PoE controllers, versions R2V5 and R2V6 that were installed in EX4400 are faulty. Switches that are powered on all the time will eventually be unable to give PoE to devices requesting it. Our initial returns were switches with R2V5, the latest is for R2V6. Of course being able to run a command like "show poe bt system status" and getting the version info would be too easy but Juniper can only get this information by running the list of serial numbers from our 'installed base' and cross checking with their manufacturing database. They were clear in stating that it's not IF they'll fail, it's WHEN.

    Apparently, even though Juniper has a large "proof of concept lab" at their headquarters in San Jose, they don't have any EX4400 that are turned on all the time and are unable to replicate the issue that customers are seeing. I'm calling BS on this.

    When told of the cause of the issue, there was no reply from the two hardware developers from Juniper when asked "so what happens if/when you discover R2V7 is faulty?"

    Because of this, RMA times for replacement have also skyrocketed. Our last failure took 3 weeks to arrive from Europe. We're in the Bay Area and apparently there are none available in the US for RMA replacements. Awesome!

    So if you have EX4400 and haven't yet experienced problems and you purchased them between 6 months and 2 years ago, get ready for a shit show :)

    18 Comments
    2024/11/30
    05:29 UTC

    1

    Srx110 installing OS issues

    Hello there!

    I work for a big retailer in the UK and we use srx110 in stores. I am currently trying to "recondition" some that have been returned as faulty, as we have no new ones in stock and obviously can't buy any more new ones. A common issue I keep running into is that the router will get stuck in a boot loop, prompting me to go into the >loader. I have tried booting from USB once this happens and reinstalling from USB to CF card, but to no avail. I have also tried reinstalling straight from loader to CF card via USB, but again it never seems to work. I either get a cannot load media error or it will seem to install for a bit then just error out.

    Do you guys think that due to the routers being older or whatever that internal components could have failed such as capacitors and the CF card just cannot be read as there's no power going there?

    I'm very new to all this and I'm just trying to muddle through as I've just started a network engineer apprenticeship so I'm kinda self teaching ATM. Any advice on my router issue would be greatly appreciated, thanks a lot!

    6 Comments
    2024/11/29
    15:34 UTC

    3

    EX3400-24P PSU fan speed

    Hi all!

    I'm not sure if homelab environments with second-hand gear are welcome here, if not please ignore my post or let me know to delete it.

    I've noted that the PSU fan keeps spinning at full speed after boot, while the chassis fans spin at the minimal rate, and wanted to know if this is normal for the EX3400 PSUs, or if it's because of my setup. This happens with one or both PSUs installed and active. I have an EX3400-24P, which according to the Juniper docs uses the JPSU-600-... PSUs; however I installed JPSU-920-AC-AFO (that the -48P uses), which would be one possible cause. If someone has the 600W one running, could you please let me know if the fan is at full speed after boot?

    One thing I'd also like to add: the PSUs themselves use the PMBus interface, based on I2C. I managed to access it in U-Boot, and I can successfully read the registers of the PSU; however, writing to the fan register seems to get ignored. If someone has any hints or ideas, please let me know.

    Thanks and kind regards!

    12 Comments
    2024/11/28
    22:32 UTC

    1

    JN0-281 passing score

    Hey! Can someone please tell me what's the passing score for the JNCIA-DC (JN0-281)? Do the topics really differ from JN0-280?

    2 Comments
    2024/11/28
    13:55 UTC

    0

    EX-4100-48 Switch

    What do you mean they have 4 SFP+ ports *and* 4 Stacking Ports, and I can VC 10 units. Compared to some other vendors, this is the nicest setup I've seen for this price range.

    I'm really tempted to get these as our core/switch stack of two, server stack of 2 and endpoint stack of 6 and call it a day. Maybe stick in two 2300 POE for some APs.

    23 Comments
    2024/11/28
    11:58 UTC

    1

    Weekly Question Thread!

    It's Thursday, and you're finally coasting into the weekend. Let's open the floor for a Weekly Question Thread, so we can all ask those Juniper-related questions that we are too embarrassed to ask!

    Post your Juniper-related question here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer.

    Note: This post is created at 00:00 UTC. It may not be Thursday where you are in the world, no need to comment on it.

    1 Comment
    2024/11/28
    00:00 UTC

    4

    BGP export policy redistributes everything

    I'm trying to set a nexthop self policy on a vJunos-router, and it seems it redistributes everything. I thought by adding term 20 it would only allow routes that are in the BGP table, but it seems this redistributes everything I have in the inet.0 routing table. Is this how JunOS works or is this something to do with my lab/vJunos-router?

    set policy-options policy-statement NHS term 10 from protocol bgp
    set policy-options policy-statement NHS term 10 from route-type external
    set policy-options policy-statement NHS term 10 then next-hop self
    set policy-options policy-statement NHS term 10 then accept
    set policy-options policy-statement NHS term 20 then accept
    set protocols bgp group int-100 export NHS

    Should I also specify term 10 from protocol BGP? I think with some other vendors I would need to be specific if I wanted to export static/directly connected routes to the BGP table.

    Thanks!

    12 Comments
    2024/11/27
    21:54 UTC
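The evaluation order the question turns on, as an added Python model (this is not Junos code and not the poster's configuration beyond the two terms it encodes): terms are evaluated top to bottom, a term with no from clause matches every route, the first terminating action wins, and a route that matches no terminating term gets the protocol's default export policy, which for BGP accepts only active BGP routes. The routes, prefixes and the local address 10.0.0.1 are constructed samples.

```python
"""Toy model of Junos policy-statement evaluation, written for this thread (not
Junos code; the only thing taken from the post is the two-term NHS policy).
Rules modelled: terms run top to bottom; a term with no 'from' clause matches
every route; the first terminating action (accept/reject) wins; a route that
matches no terminating term falls back to the default BGP export policy, which
accepts only active BGP routes. Routes and addresses are constructed samples."""
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass
class Route:
    prefix: str
    protocol: str                  # "bgp", "direct", "static", ...
    route_type: str = "internal"   # "external" for routes learned from an EBGP peer
    next_hop: str = ""


@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)  # {} == no 'from' clause == matches every route
    next_hop_self: bool = False                # 'then next-hop self' (non-terminating)
    action: Optional[str] = None               # "accept", "reject" or None (fall through)


def term_matches(term: Term, route: Route) -> bool:
    # Conditions of different kinds are ANDed; no conditions at all matches any route.
    attrs = {"protocol": route.protocol, "route-type": route.route_type}
    return all(attrs[key] == value for key, value in term.match.items())


def evaluate(policy, route, local_address, default_protocols=("bgp",)):
    """Return (accepted, route_as_advertised) for one route."""
    r = route
    for term in policy:
        if not term_matches(term, r):
            continue
        if term.next_hop_self:
            r = replace(r, next_hop=local_address)
        if term.action == "accept":
            return True, r
        if term.action == "reject":
            return False, r
        # no terminating action: continue with the next term
    # Fell off the end of the policy: apply the default BGP export policy.
    return r.protocol in default_protocols, r


def export(policy, routes, local_address):
    """Map prefix -> advertised route for every route the policy lets through."""
    advertised = {}
    for route in routes:
        accepted, adv = evaluate(policy, route, local_address)
        if accepted:
            advertised[route.prefix] = adv
    return advertised


# The NHS policy as posted: term 20 has no 'from', so it accepts everything.
POSTED_NHS = [
    Term("10", {"protocol": "bgp", "route-type": "external"}, next_hop_self=True, action="accept"),
    Term("20", action="accept"),
]
# The same policy without term 20: non-BGP routes now fall through to the default policy.
TRIMMED_NHS = POSTED_NHS[:1]

# Constructed sample of an inet.0 table (documentation prefixes).
SAMPLE_INET0 = [
    Route("203.0.113.0/24", "bgp", "external", next_hop="192.0.2.9"),   # from an EBGP peer
    Route("198.51.100.0/24", "bgp", "internal", next_hop="10.0.0.7"),   # from an IBGP peer
    Route("10.0.0.0/30", "direct", next_hop="ge-0/0/0.0"),
    Route("172.16.0.0/16", "static", next_hop="10.0.0.2"),
]

if __name__ == "__main__":
    for label, policy in (("posted", POSTED_NHS), ("without term 20", TRIMMED_NHS)):
        adv = export(policy, SAMPLE_INET0, "10.0.0.1")
        print(f"{label}: {sorted(adv)}")
        for prefix, r in adv.items():
            print(f"  {prefix} next-hop {r.next_hop}")
```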

    1

    After upgrading MX80, policy statement is reverted to previous config

    So I have a pair of MX80 to 2 diff ISPs. I moved traffic from routerA to routerB using policy statement A applied on router A, and after the reboot, the routerA policy statement is reverted back to the previous one (it is no longer policy statement A).

    what makes it do this?

    2 Comments
    2024/11/27
    19:27 UTC

    0

    Srx4200 RAID status "inconsistent" or "under"

    A node from my 4200 HA pair rebooted and failed over because of issues with RAID. Worked with Jtac to try and re-create the RAID but got nowhere. We are RMA'ing the thing, which we should have done from the beginning if Jtac wasn't drawing out the troubleshooting.

    0 Comments
    2024/11/27
    02:51 UTC

    2

    EX4100-F-12 VC Ports AND Network Ports

    I have two 12-port EX4100 switches that are sitting in two adjacent buildings that I'm trying to set up as a virtual chassis. I'm not seeing that I can configure both vc ports AND network ports using the SFP ports. Is this an accurate observation?

    Currently the virtual chassis mode is the following and the virtual chassis is up with ports 0/1/1-3 configured as vc ports. Presumably 0 as well but I don't have a SFP in it. However, I want to use 1 as a network uplink back into my network.

    root@4100-12> show virtual-chassis mode
    fpc0:
    --------------------------------------------------------------------------
    Current mode : Virtual Chassis with similar devices
    Future mode after reboot : Virtual chassis with hgoe mode devices
    
    fpc1:
    --------------------------------------------------------------------------
    Current mode : Virtual Chassis with similar devices
    Future mode after reboot : Virtual chassis with hgoe mode devices

    When I try to delete a vc-port to use as a network port, I get the following

    root@4100-12> request virtual-chassis vc-port delete pic-slot 1 port 1
    Error: Please use request virtual-chassis mode network-port/disable command to interchange port mode

    So I configure it to use network mode which deletes all of my vc-ports and reboots the switch. Note Juniper if you are watching, you have an error with spelling in your output. "Chasiss"

    root@4100-12> request virtual-chassis mode network-port disable
    fpc1:
    --------------------------------------------------------------------------
    Mode set to 'Virtual Chasiss with network-port-mode disabled'.  (Reboot required)
    
    fpc0:
    --------------------------------------------------------------------------
    Mode set to 'Virtual Chasiss with network-port-mode disabled'.  (Reboot required)
    
    {master:0}
    root@4100-12>

    After the 2 switches reboot, nothing seems to have changed and my virtual chassis mode is the same as it was before.

    root@4100-12> show virtual-chassis mode
    fpc0:
    --------------------------------------------------------------------------
    Current mode : Virtual Chassis with similar devices
    Future mode after reboot : Virtual chassis with hgoe mode devices
    
    fpc1:
    --------------------------------------------------------------------------
    Current mode : Virtual Chassis with similar devices
    Future mode after reboot : Virtual chassis with hgoe mode devices

    I also still can't delete an existing vc-port.

    If I run the virtual chassis mode command without the disable, the virtual chassis breaks and I'm seeing no vc-ports on either of the switches, only network ports.

    If I then try to create a vc-port, I get the same network-port/disable command from before. What am I missing? Can different SFP slots be used for different purposes?

    9 Comments
    2024/11/27
    00:25 UTC

    7

    Full Juniper Stack

    Hi,

    So there's a fair amount of discussion about the benefits of say going "full Fortinet" in terms of visibility into the network and the security stack.

    Would you get the same benefits of a full Juniper stack e.g. Juniper Switching and Firewall?

    35 Comments
    2024/11/26
    15:59 UTC

    2

    Configuring SSL on Junos for gNMI Dial in Telemetry?

    Has anyone done this before and can help me with where and how to install the certificates?

    I have followed this guide: Configure gRPC Services on the Juniper website. I have ended up with the following files:

    ├── ca.crt
    ├── ca.key
    ├── ca.srl
    ├── ptx.crt
    ├── ptx.csr
    └── ptx.key

    I have a Juniper device and according to the guide I installed both the ptx.crt and ptx.key on the router to act as the gNMI server. What certificate do I install on the gNMI collector?

    0 Comments
    2024/11/26
    11:15 UTC

    5

    SRX320 for home use?

    Having, in the dim and distant past run SRX650’s at work, I’m considering a 320 for home use. How much functionality will I get without licenses? I now have FTTH which terminates in my ISP’s media converter/TA device, which gives me a 1G Ethernet out in to my house which then has their crappy Linksys router plugged in. What can I do on the SRX without having to license features?

    27 Comments
    2024/11/25
    11:27 UTC

    2

    Struggling to migrate DHCP pools and vlans from 12.3/21.4 to 23.4

    Hello,

    I've been struggling to convert a configuration from 12.3/21.4 to 23.4.

    The configuration appears to be valid but the issue is I can't run a speedtest (Ookla cli version) and get a vague cannot read error. When I go to certain, but not all, websites they time out. If I use the default 23.4 version it works but its default version is different from 12.3's. The 23.4 default configuration is the same as 21.4.

    Basically my configuration has several address-assignment pools that point to a router IP. The router IP is defined in interfaces irb. I have vlans that associate the ID with l3-interface irb.n. WAN is defined in zones security-zone untrust interfaces. Finally I have system services dhcp-local-server that point to irb.n. My ethernet interfaces have family ethernet-switching where they reference vlan members.

    In 21.4/23.4, the default configuration has interfaces with family inet with a router IP and there is only 1 address-assignment pool (192.168.2.0/24). It has a dhcp-attributes propagate-settings ge-0/0/0.

    My configuration works under 21.4 but not 23.4.

    What am I doing wrong?

    Here's my config that works under 12.3 and 21.4. Instead of including all my vlans, I just include 1. Here xe-0/0/19 is the WAN and xe-0/0/17 is where a workstation can get an IP from 192.168.3.0/24.

    system {
        services {
            dns {
                dns-proxy {
                    interface {
                        irb.0;
                    }
                    default-domain * {
                        forwarders {
                            1.1.1.1;
                        }
                    }
                }
            }
            dhcp-local-server {
                group jdhcp-group {
                    interface irb.0;
                }
            }
        }
    }
    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    xe-0/0/19.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                ping;
                                ntp;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        xe-0/0/17 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        xe-0/0/19 {
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    address 192.168.3.254/24;
                }
            }
        }
    }
    access {
        address-assignment {
            pool DefaultPool {
                family inet {
                    network 192.168.3.0/24;
                    range 1 {
                        low 192.168.3.100;
                        high 192.168.3.199;
                    }
                    dhcp-attributes {
                        router {
                            192.168.3.254;
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface irb.0;
        }
    }

    Here's the config that won't work under 23.4. xe-0/0/19 and xe-0/0/17 mirror the working 23.4 default configuration and that works. But xe-0/0/18 and xe-0/0/16 are converted from my original configuration and that doesn't work. In this current configuration xe-0/0/18 does get an IP (it's actually connected to my SRX running 21.3) but when I connect my workstation to xe-0/0/16 I get a 192.168.2.2 IP and there's no route to the internet. I tried adding propagate-settings xe-0/0/18 but that doesn't make any difference. If I reconfigure xe-0/0/16 into family inet with the appropriate router IP and place the interface to jdhcp-group then it works. But I want to define a trunk so I could pass all my VLANs to my switch.

    system {
        services {
            dhcp-local-server {
                group jdhcp-group {
                    interface ge-0/0/1.0;
                    interface xe-0/0/17.0;
                    interface irb.4;
                }
            }
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            pre-id-default-policy {
                then {
                    log {
                        session-close;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    xe-0/0/17.0;
                    irb.4;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    xe-0/0/18.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                ntp;
                                ping;
                            }
                        }
                    }
                    xe-0/0/19.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                ntp;
                                ping;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        xe-0/0/16 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        xe-0/0/17 {
            unit 0 {
                family inet {
                    address 192.168.2.1/24;
                }
            }
        }
        xe-0/0/18 {
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        xe-0/0/19 {
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        irb {
            unit 4 {
                family inet {
                    address 192.168.4.254/24;
                }
            }
        }
    }
    access {
        address-assignment {
            pool junosDHCPPool {
                family inet {
                    network 192.168.2.0/24;
                    range junosRange {
                        low 192.168.2.2;
                        high 192.168.2.254;
                    }
                    dhcp-attributes {
                        router {
                            192.168.2.1;
                        }
                        propagate-settings xe-0/0/19.0;
                    }
                }
            }
            pool DefaultPool {
                family inet {
                    network 192.168.4.0/24;
                    range junosRange {
                        low 192.168.4.100;
                        high 192.168.4.199;
                    }
                    dhcp-attributes {
                        name-server {
                            192.168.4.254;
                        }
                        router {
                            192.168.4.254;
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 4;
            l3-interface irb.4;
        }
    }
    1 Comment
    2024/11/25
    09:31 UTC

    4

    JNCIE: NTP server selection criteria

    Hi everyone,

    I am wondering what the below command does:

    set system ntp server 99.99.99.1 prefer

    set system ntp server 99.99.99.2

    I thought if there are multiple NTP servers like above, JUNOS will pick the one with prefer. In order to prove this, I set up this lab:

    https://preview.redd.it/up0as2sfoz2e1.png?width=1289&format=png&auto=webp&s=7001b92dfa6065bd135c034356c6d0951224a54c

    MX is configured with following NTP:

    https://preview.redd.it/acwfxrcmoz2e1.png?width=591&format=png&auto=webp&s=1303f0eb6b056b3544efa4253eed370cd1b10a0e

    But vMX has selected 99.99.99.2, not 99.99.99.1, even though 99.99.99.1 is stratum 1 and is configured with "prefer" as shown below.

    https://preview.redd.it/bq7vnrgjoz2e1.png?width=1121&format=png&auto=webp&s=520a6e4e8df6f1d5764891a9b10e4fdda60f60d1

    What exactly are the selection criteria the vMX is using to select the NTP server above?

    Much appreciated!!

    4 Comments
    2024/11/25
    06:10 UTC

    1

    No interfaces after EX4650 update

    I've got 2x EX4650s in an MC-LAG arrangement that are a few versions behind where they should be. I'm finally getting around to updating them and I've hit a tricky situation I can't seem to get past. I started at 18.4 and was able to get them to 22.1 without issues. But on anything 22.2 and above I don't have any interfaces.

    'show interface terse' doesn't show me any of my ge/xe/et interfaces. It does, however, show my ae interfaces (but they don't work because the underlying interfaces are missing).

    'show chassis hardware' isn't showing a routing engine or FPC.

    'show chassis fpc errors' shows nothing at all. 'show chassis fpc' shows Empty for all slots. 'show chassis fpc pic-status' also shows nothing at all.

    The only thing I've been able to do to get my interfaces back is to roll back to 22.1; everything works again after a reboot. I've tried going further ahead to 22.3 & 23.2 and there are no interfaces there either. Were there any big changes between 22.1 and 22.2 that would cause this behaviour?

    I'll also mention that yes, I do have the required chassis port channelizing config. I've read quite a few posts about people missing that and ending up in a similar situation with interfaces not showing up. I'm pretty sure that's not what's happening here.

    show interfaces terse:

    Interface               Admin Link Proto    Local                 Remote
    gr-0/0/0                up    up
    ae0                     up    down
    ae0.0                   up    down eth-switch
    ae1                     up    down
    ae1.0                   up    down inet     X.X.X.1/30  
    ae2                     up    down
    ae2.0                   up    down eth-switch
    ae3                     up    down
    ae3.0                   up    down eth-switch
    ae4                     up    down
    ae4.0                   up    down eth-switch
    ae5                     up    down
    ae5.0                   up    down eth-switch
    ae99                    up    down
    ae99.0                  up    down eth-switch
    bme0                    up    up
    bme0.0                  up    up   inet     X.X.X.1/2     
                                                X.X.X.4/2     
                                                X.X.X.63/2    
    cbp0                    up    up
    dsc                     up    up
    em0                     up    down                         
    em0.0                   up    down inet     X.X.X.1/30  
    em1                     up    down
    em1.0                   up    down inet    
    em2                     up    up
    em2.32768               up    up   inet     X.X.X.2/24  
    em3                     up    up
    esi                     up    up
    fti0                    up    up
    gre                     up    up
    ipip                    up    up
    irb                     up    up
    irb.106                 up    down inet     X.X.X.11/24 
    jsrv                    up    up
    jsrv.1                  up    up   inet     X.X.X.127/2   
    lo0                     up    up
    lo0.16384               up    up   inet     127.0.0.1           --> 0/0
    lo0.16385               up    up   inet    
    lsi                     up    up
    mtun                    up    up
    pimd                    up    up
    pime                    up    up
    pip0                    up    up
    tap                     up    up                                
    vme                     up    down
    vtep                    up    up

    show chassis hardware:

    Hardware inventory:
    Item             Version  Part number  Serial number     Description
    Chassis                                XHXXXXXXXXXX     
    Pseudo CB 0     
    Power Supply 0   REV 05   740-070750   1FXXXXXXXXX       JPSU-650W-AC-AI
    Power Supply 1   REV 05   740-070750   1FXXXXXXXXX       JPSU-650W-AC-AI
    Fan Tray 0                                               fan-ctrl-0 0, Back to Front Airflow - AFI
    Fan Tray 1                                               fan-ctrl-0 1, Back to Front Airflow - AFI
    Fan Tray 2                                               fan-ctrl-1 2, Back to Front Airflow - AFI
    Fan Tray 3                                               fan-ctrl-1 3, Back to Front Airflow - AFI
    Fan Tray 4                                               fan-ctrl-2 4, Back to Front Airflow - AFI

    show chassis fpc:

                         Temp  CPU Utilization (%)   CPU Utilization (%)  Memory    Utilization (%)
    Slot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer
      0  Empty           
      1  Empty           
      2  Empty           
      3  Empty           
      4  Empty           
      5  Empty           
      6  Empty           
      7  Empty           
      8  Empty           
      9  Empty           

    chassis config:

    fpc 0 {
        pic 0 {
            port 0 {
                speed 1G;
            }
            port 16 {
                speed 25g;
            }
            port 44 {
                speed 1G;
            }
        }
    }

    Open to any and all suggestions here (except for logging a ticket with TAC; we don't have support on these switches).

    TIA

    5 Comments
    2024/11/25
    05:52 UTC

    2

    SRX 345 alarm LED red

    I found a pretty good deal for 2 SRX 345 on eBay, being sold for parts because the alarm LED is red. The status LED is green, the power LED is green.

    To me, I'm fairly confident that this is because fxp0 is link down and rescue config not saved.

    But I also don't want to buy it, turn it on, and then the alarm is red because of a fatal hardware failure (no returns).

    How risky of a buy would this be?

    What else could cause that LED to be red aside from fxp0 down/config not saved? I don't know if I'm stupid but I am seriously not seeing anything online as to why this LED would be red.

    10 Comments
    2024/11/24
    16:30 UTC

    0

    Value of Juniper certifications w/HPE acquisition?

    With HPE acquisition, do you think that Juniper certs will fade into obscurity?

    I look at something like the vmware expert level certs. Those never really took off. I wonder if the dream is dead for Juniper here too.

    2 Comments
    2024/11/24
    12:08 UTC

    3

    MX firewall filter not catching RADIUS?

    I'm using MX204s and am finishing up my RE protection filter. The only service left that I need to secure is RADIUS (using FreeRADIUS). The issue is that when I remove my test accept-all filter (the last rule), then RADIUS stops working. During normal operation, I am seeing some hits on my filter, but I think I'm somehow missing some return traffic.

    Rules:

            filter accept-radius {
                term accept-radius {
                    from {
                        source-prefix-list {
                            radius-servers;
                        }
                        destination-prefix-list {
                            router-ipv4;
                            router-ipv4-logical-systems;
                        }
                        protocol udp;
                        source-port [ radacct radius ];
                        tcp-established;
                    }
                    then {
                        policer management-1m;
                        count accept-radius;
                        accept;
                    }
                }
            }
            filter accept-remote-auth {
                term accept-radius {
                    filter accept-radius;  
                }                          
            }                           

    Log output when I remove accept-all:

    Nov 21 19:47:03  mx-hostname kernel: FW: fxp0.0       D  udp radius1-ip mx-ip  1812 63798
    Nov 21 19:47:06  mx-hostname kernel: FW: fxp0.0       D  udp radius1-ip mx-ip  1812 63798
    Nov 21 19:47:10  mx-hostname kernel: FW: fxp0.0       D  udp radius2-ip mx-ip  1812 58684
    Nov 21 19:47:12  mx-hostname kernel: FW: fxp0.0       D  udp radius2-ip mx-ip  1812 58684
    Nov 21 19:47:15  mx-hostname kernel: FW: fxp0.0       D  udp radius2-ip mx-ip  1812 58684
    Nov 21 19:50:17  mx-hostname kernel: FW: fxp0.0       D  udp radius1-ip mx-ip  1812 59637
    Nov 21 19:50:20  mx-hostname kernel: FW: fxp0.0       D  udp radius1-ip mx-ip  1812 59637
    Nov 21 19:50:23  mx-hostname kernel: FW: fxp0.0       D  udp radius1-ip mx-ip  1812 59637
    Nov 21 19:50:35  mx-hostname kernel: FW: fxp0.0       D  udp radius1-ip mx-ip  1812 55647
    6 Comments
    2024/11/22
    15:46 UTC
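
To make the kernel firewall log in the post above easier to read at scale, here is a small parser added for this page (it is not from the post and not a Juniper tool). It assumes syslog lines in exactly the shape of the quoted excerpt, uses the IANA UDP ports 1812 (radius) and 1813 (radacct) to name the source service, and embeds the post's nine discard lines plus one constructed accept line as sample input; the hostnames and addresses are the post's own placeholders.

```python
import re
from collections import Counter

# Constructed sample: the nine discard lines quoted in the post plus one
# accept line, in the same shape as the Junos "FW:" kernel syslog excerpt.
# Hostnames and addresses are the post's own placeholders, not real ones.
SAMPLE_LOG = """\
Nov 21 19:47:03  mx-hostname kernel: FW: fxp0.0       D  udp radius1-ip mx-ip  1812 63798
Nov 21 19:47:06  mx-hostname kernel: FW: fxp0.0       D  udp radius1-ip mx-ip  1812 63798
Nov 21 19:47:10  mx-hostname kernel: FW: fxp0.0       D  udp radius2-ip mx-ip  1812 58684
Nov 21 19:47:12  mx-hostname kernel: FW: fxp0.0       D  udp radius2-ip mx-ip  1812 58684
Nov 21 19:47:15  mx-hostname kernel: FW: fxp0.0       D  udp radius2-ip mx-ip  1812 58684
Nov 21 19:50:17  mx-hostname kernel: FW: fxp0.0       D  udp radius1-ip mx-ip  1812 59637
Nov 21 19:50:20  mx-hostname kernel: FW: fxp0.0       D  udp radius1-ip mx-ip  1812 59637
Nov 21 19:50:23  mx-hostname kernel: FW: fxp0.0       D  udp radius1-ip mx-ip  1812 59637
Nov 21 19:50:35  mx-hostname kernel: FW: fxp0.0       D  udp radius1-ip mx-ip  1812 55647
Nov 21 19:51:02  mx-hostname kernel: FW: fxp0.0       A  udp ntp-ip mx-ip  123 123
"""

# One regex for the fields visible in the excerpt: timestamp, host, logical
# interface, action (A = accept, D = discard), protocol, source, destination,
# source port, destination port.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+)\s+(?P<host>\S+) kernel: FW: (?P<ifl>\S+)\s+"
    r"(?P<action>[AD])\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s*$"
)

# IANA-assigned UDP ports behind the service names used in the post's filter.
SERVICE_PORTS = {1812: "radius", 1813: "radacct"}


def parse_fw_log(text):
    """Return one dict per 'FW:' line; lines in any other shape are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def discards_by_service(records):
    """Count discarded packets by (proto, src, service name or raw source port)."""
    counts = Counter()
    for r in records:
        if r["action"] != "D":
            continue
        service = SERVICE_PORTS.get(r["sport"], str(r["sport"]))
        counts[(r["proto"], r["src"], service)] += 1
    return counts


def discarded_replies_per_flow(records, service_port):
    """Discarded packets sourced from service_port, keyed by the local
    (destination, ephemeral port) they were addressed to.  Several drops
    to one ephemeral port mean the same local request was retried and
    every reply to it was refused."""
    counts = Counter()
    for r in records:
        if r["action"] == "D" and r["sport"] == service_port:
            counts[(r["dst"], r["dport"])] += 1
    return counts


def report(text):
    """Human-readable summary lines, one per (proto, src, service) tuple."""
    records = parse_fw_log(text)
    lines = []
    for (proto, src, service), n in sorted(discards_by_service(records).items()):
        lines.append(f"{n:3d} {proto} discards from {src}, source port {service}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    flows = discarded_replies_per_flow(parse_fw_log(SAMPLE_LOG), 1812)
    for (dst, port), n in sorted(flows.items()):
        print(f"{dst}:{port} lost {n} reply(ies) from port 1812")
```

Run against the excerpt, every discard is a reply sourced from UDP 1812 on the RADIUS servers toward an ephemeral port on the MX, and the same ephemeral port shows up two or three times in a row: the MX resends the request and each reply is refused by the RE filter. Grouping the log this way tells you which direction of which flow the accept term is failing to cover, before touching the filter itself.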

    0

    Route-reflector on srx380

    I have some doubts regarding the setup below.

    https://preview.redd.it/vn0r3s2nnf2e1.png?width=1628&format=png&auto=webp&s=5e11a5c7e837b4c7e71307c0b2befc349b99c54d

    I cannot test, so I need to make sure my proposal makes sense.

    As you can see, I want to build up a route-reflector cluster, and my clients will be Arista routers in two different VRFs.

    The firewall does not have any VRFs, just the GRT, and it is a cluster of two SRXs, active/standby.

    My idea:

    - vrf test-internal: the two clients will peer with loopback of route reflector srx
    - vrf test-external: the two clients will peer with loopback of route reflector srx

    - route reflector srx will peer with ip of the connected transit network for each vrf (direct physical link)

    - vrf test-internal: the two clients will need static route for loopback interface srx

    - vrf test-external: the two clients will need static route for loopback interface srx

    Question:

    - Do you see anything that needs to be done in a better way? (I do not like the static route for having a proper route to the loopback of the SRX on the client, but there is no way to use a dynamic protocol like OSPF.)

    - Is it correct to assume that the two clients inside the same VRF will not exchange any routes learned from the SRX cluster? If not, don't you see an issue in the missing redundancy here?

    Assuming one client in vrf test-internal loses connectivity with the SRX cluster, how will this client know which routes are advertised by vrf test-external?

    5 Comments
    2024/11/22
    11:02 UTC

    1

    vMX Enhanced Automations

    Hey there,

    Was there ever a vMX release with 'Enhanced Automations', which has veriexec disabled for scripting etc.?

    I'm looking into how I can set this up on the vMX I'm trying for my homelab. Setting the 'boot_noveriexec=YES' flag before booting junos from the bootloader doesn't seem to work.

    1 Comment
    2024/11/22
    07:17 UTC

    1

    Noob Needs Guidance: SRX300 in Homelab Setup

    Hi everyone,

    I recently acquired an SRX300 with the goal of integrating it into my homelab to gain hands-on experience with a hardware firewall. My current setup is as basic as it gets:

    A consumer-grade router with no segregation (no VLANs).

    A WDS extender for coverage.

    Plan for New Setup

    My plan is to replace the existing router setup with the SRX300 at the core, alongside two APs (running OpenWRT) for better network segregation. Here's the layout I'm aiming for:

    1. ISP Router in Bridge Mode → SRX300

    Port 0: WAN connection.

    Ports 1 & 2: VLAN10 (home network for trusted devices).

    DHCP: 192.168.0.x.

    Connected to two APs running OpenWRT.

    Ports 3 & 4: VLAN30 (guest/untrusted network).

    DHCP: 192.168.2.x.

    Connected to the second ports on the APs, bridged to a separate "guest" Wi-Fi.

    Port 5: VLAN20 (infrastructure/services).

    DHCP: 192.168.1.x with reservations for my VMs, LXCs, and other services.

    Connected to a switch for wired devices.

    The APs (Deco S4s running OpenWRT) will be set up like this:

    Port 1: 5GHz Wi-Fi (home network).

    Port 2: 2.4GHz Wi-Fi (IoT devices).

    WDS mode: one master, one client, ensuring each radio has its own backhaul to the firewall.

    Why This Setup?

    One major reason for this overhaul is an upcoming move. I want to configure my network now to avoid downtime and headaches later when reconnecting 20+ VMs and LXCs.

    Progress So Far

    Gained access to the SRX300 via the console port.

    Zeroized it and enabled SSH on Port 5.

    Successfully transferred a config.txt file using SCP, intending to load override.

    Current Issue

    When testing the config, I encountered about five errors:

    One error was related to VLAN10 not being defined.

    Others pointed to various closing braces (}), mostly within DHCP pool configurations.

    Unfortunately, I'm not in front of the setup right now, so I can't provide exact error messages, but that's the gist of it.

    Questions

    1. Are there any tools or documentation you'd recommend to debug and validate Junos configurations?

    2. Is it safe/appropriate to share my config file for guidance, or is that frowned upon? (I want to learn, not have someone do it for me!)

    Additional Info:

    The SRX300 is running Junos 15.1.

    I know 24.x is current, but as a non-business user, I don’t have access to updates. I do have a Junos 19.x image I might try upgrading to.

    To be clear, I am not requesting firmware here—I’m aware this is against the rules.

    Thanks for reading! Apologies if I’ve missed any important details or if this isn’t the right place to post. I’m happy to provide more info as needed.

    4 Comments
    2024/11/22
    03:00 UTC
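
For the two kinds of error described in the post above (a VLAN referenced but never defined, and closing-brace mistakes inside nested blocks), here is a small checker for Junos curly-brace configuration text, added for this page; it is not from the post and not a Juniper tool. The sample configuration is constructed to carry both faults, and the checker deliberately simplifies: it reads only the curly-brace form (not `set` commands), skips `#` comment lines, does not handle `/* */` comments or statements that span lines, and only cross-checks `vlan { members ... }` against the `vlans` stanza.

```python
import re

# Constructed sample in Junos curly-brace syntax with two deliberate faults
# of the kind the post describes: VLAN10 is referenced by ge-0/0/1 but never
# defined under vlans, and the access/address-assignment block is missing
# its final closing brace.
SAMPLE_CONFIG = """\
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members VLAN10;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members VLAN20;
                }
            }
        }
    }
}
vlans {
    VLAN20 {
        vlan-id 20;
        l3-interface irb.20;
    }
}
access {
    address-assignment {
        pool infra-pool {
            family inet {
                network 192.168.1.0/24;
                range r1 {
                    low 192.168.1.10;
                    high 192.168.1.200;
                }
            }
        }
    }
"""


def _significant_lines(text):
    """Yield (line_no, stripped line), skipping blanks and '#' comment lines."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield no, line


def check_braces(text):
    """Report every '}' without an opener and every block that is never closed."""
    problems = []
    stack = []  # (line_no, block header) for blocks still open
    for no, line in _significant_lines(text):
        if line.endswith("{"):
            stack.append((no, line[:-1].strip()))
        elif line == "}":
            if stack:
                stack.pop()
            else:
                problems.append(f"line {no}: unexpected '}}'")
    for no, header in stack:
        problems.append(f"line {no}: block '{header}' is never closed")
    return problems


def parse_blocks(text):
    """Build a nested dict: block headers map to dicts, leaf statements to None.
    Tolerates unbalanced braces so the reference check still runs; a repeated
    header inside one block overwrites the earlier one (a simplification)."""
    root = {}
    stack = [root]
    for _, line in _significant_lines(text):
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) > 1:
                stack.pop()
        else:
            stack[-1][line.rstrip(";")] = None
    return root


MEMBERS_RE = re.compile(r"^members\s+(.+)$")


def vlan_references(tree, path=()):
    """Every VLAN name used in a 'vlan { members ... }' stanza, with its path."""
    refs = []
    for key, child in tree.items():
        if child is None:
            m = MEMBERS_RE.match(key)
            if m and path and path[-1] == "vlan":
                for name in m.group(1).strip("[] ").split():
                    refs.append((name, "/".join(path)))
        else:
            refs.extend(vlan_references(child, path + (key,)))
    return refs


def check_vlan_references(tree):
    """Report member VLANs that have no matching entry under 'vlans'."""
    defined = set(tree.get("vlans") or {})
    return [
        f"vlan '{name}' referenced under {where} is not defined under vlans"
        for name, where in vlan_references(tree)
        if name not in defined
    ]


def lint_config(text):
    """All problems found by both checks, in reading order."""
    return check_braces(text) + check_vlan_references(parse_blocks(text))


if __name__ == "__main__":
    for problem in lint_config(SAMPLE_CONFIG):
        print(problem)
```

The brace check reports the header of the block left open rather than the line where a brace is missing, because that is all a stack of open blocks can know; it still points at the right stanza to inspect. On the box itself, `commit check` remains the authoritative validation, since it also knows which statements exist in the running Junos release.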

    2

    vJunos-switch: virtual-chassis

    Is there a way to run virtual-chassis on the vJunos switch in eve-ng?

    root> request virtual-chassis vc-port set fpc-slot 0 pic-slot 0 port 0
    WARNING. Virtual Chassis command executed without
    a valid software license.
    Please contact Juniper Networks to obtain a
    valid Virtual Chassis Software License.
    error: chassis-control not running in Virtual-Chassis mode
    2 Comments
    2024/11/21
    19:25 UTC

    6

    What will happen to employees

    With the current HP acquisition of Juniper, what are your thoughts on what will happen to Juniper employees?

    36 Comments
    2024/11/21
    13:14 UTC

    2

    DHCP relay on primary and secondary router, what is the best practice?

    I have 2 routers, both connected to the same LAN segment.
    Both routers' LAN interfaces have VRRP configured.
    I also need to configure DHCP relay to forward DHCP packets to the server.

    The DHCP discover message is broadcast, so I assume both of the routers will receive it regardless of which one of them has the active VRRP instance (as default gateway). If both routers' physical LAN interfaces receive the DHCP discover, then I assume both of the relays will forward the request to the server.

    How should this be handled properly?

    # DHCP relay config
    set forwarding-options dhcp-relay server-group MY-DHCP-SERVER 1.1.1.1
    set forwarding-options dhcp-relay active-server-group MY-DHCP-SERVER
    set forwarding-options dhcp-relay group MY-DHCP-SERVER interface xe-0/0/0.0
    3 Comments
    2024/11/21
    13:08 UTC

    2

    Data Center Interconnect using MAC-VRF on an MX - What am I missing?

    I do a commit check and I get

    Only encapsulation mpls allowed under interconnect

    .......

     root@RTR# show routing-instances Hosted 
     instance-type mac-vrf;
     protocols {
         evpn {
             encapsulation vxlan;
             extended-vni-list 20;
             interconnect {
                 vrf-target target:7000:7000;
                 route-distinguisher 7.7.7.7:7000;
                 esi {
                     01:02:03:04:05:06:07:08:09:10;
                     all-active;
                 }
                 interconnected-vni-list 20;
                 encapsulation vxlan;
             }
         }
     }
     vtep-source-interface lo0.0;
     bridge-domains {
         v20 {
             vlan-id 20;
             vxlan {
                 vni 20;
             }                               
         }
     }
     service-type vlan-aware;
     route-distinguisher 7.7.7.7:65000;
     vrf-target target:65000:65000;
    2 Comments
    2024/11/21
    04:38 UTC

    1

    Weekly Question Thread!

    It's Thursday, and you're finally coasting into the weekend. Let's open the floor for a Weekly Question Thread, so we can all ask those Juniper-related questions that we are too embarrassed to ask!

    Post your Juniper-related question here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer.

    Note: This post is created at 00:00 UTC. It may not be Thursday where you are in the world, no need to comment on it.

    1 Comment
    2024/11/21
    00:00 UTC
