Switching

Expand all | Collapse all

Best practices and configuration changes

Jump to Best Answer
  • 1.  Best practices and configuration changes

    Posted 06-15-2020 02:43

    I have 6 EX2300-24P. One of the switch will be the core switch and together with remaining five will form hub and spoke topology. There will be 3 VLANS on each switch including Management VLAN.
    My questions are:
    1. Do I need to define IRB L3-interface for each VLAN on every switch or just the core which will be doing the inter-vlan routing?
    2. Do I at least configure RB L3-interface for Management VLAN on every switch? This is how I intend to manage the switches.
    3. If I want to restrict internet access (default gateway) on one of the VLANs, how do I do that?
    4. Can I setup DHCP server on the core switch for each VLANS?
    5. When I try to delete the irb interface for VLANs that I defined in access switch, I get following error: 

    'l3-interface irb.48'
    Interface must already be defined under [edit interfaces]
    error: commit failed: (statements constraint check failed)

    6. How do I delete or undo configuration changes made by set command, e.g.

    user@switch# set vlans support vlan-id 111
    user@switch# set interfaces irb unit 111 family inet address 10.0.0.X/8
    user@switch# set vlans support l3-interface irb.111

    How do I untie vlan 111 from irb.111 and delete it?



  • 2.  RE: Best practices and configuration changes

     
    Posted 06-15-2020 03:07

    1. Do I need to define IRB L3-interface for each VLAN on every switch or just the core which will be doing the inter-vlan routing?

    No, if you extend the layer 2 vlan to all the switches only one layer 3 interface in the entire layer 2 domain is needed to activate inter vlan routing.


    2. Do I at least configure RB L3-interface for Management VLAN on every switch? This is how I intend to manage the switches.

    Yes, if you want to have irb as the mgmt interface than each switch will have a unique ip address assigned for mgmt typically in the same vlan.


    3. If I want to restrict internet access (default gateway) on one of the VLANs, how do I do that?

    You could block the vlan subnet on your internet firewall via a policy that denies internet access to devices in the desired subnet.  


    4. Can I setup DHCP server on the core switch for each VLANS?

    Yes the ex can be a dhcp server

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/dhcp-for-switching-devices.html#id-configuring-a-dhcp-server-on-switches-cli-procedure


    5. When I try to delete the irb interface for VLANs that I defined in access switch, I get following error: 

    'l3-interface irb.48'
    Interface must already be defined under [edit interfaces]
    error: commit failed: (statements constraint check failed)

    To remove the interface you also need to delete the reference in vlans

    delete vlans support l3-interface irb.48

    delete interfaces irb unit 48

     

    6. How do I delete or undo configuration changes made by set command, e.g.

    user@switch# set vlans support vlan-id 111
    user@switch# set interfaces irb unit 111 family inet address 10.0.0.X/8
    user@switch# set vlans support l3-interface irb.111

    How do I untie vlan 111 from irb.111 and delete it?

    delete vlans support l3-interface irb.111

    delete interfaces irb unit 111

     



  • 3.  RE: Best practices and configuration changes

     
    Posted 06-15-2020 06:28

    @spuluka answers are 100% on.  You could block the VLAN (I assume management) from reaching Internet by creating an IP Firewall Filter at the Core (L3) EX2300 as well.  Alternately if you are using static routes to get to Internet, instead of any routing protocol, do not create a 0.0.0.0/0 static route, but instead use specific static routes for the VLANs you want to reach the Internet.  In this case those VLANs would need to use Internet Routeable IP addresses.  I assume your management VLAN will be using RFC 1918 IP address scheme, like 10.x.x.x or 192.x.x.x, etc.  Of course using static routes does not scale well.  No idea of your future plans/needs.



  • 4.  RE: Best practices and configuration changes

    Posted 06-16-2020 00:49

    Thanks @spuluka, that is great. I'm new in Juniperverse, so please bear with me.

     

    So, basically, here's my network - nothing fancy. All of the switchs are EX2300-24P (including the core).

    1. So I setup management addresses on MGMT VLAN for each switch using L3 irb interface with IP address. Is this okay as I'm only looking to manage using SSH or HTTP and not do routing on the access switches. Also, do I need to enable HTTP service for the web interface to work?
    2. Can the EX2300 core switch serve as DHCP server for VLANs 10 & 20?
    3. I don't want Vlan 20 & MGMT (for that matter) to have default gateway access (internet). Is it better to do that in the firewall or the core switch?
    4. Please feel free to recommend any other best practices that you can think of.

     

    MyNetwork.PNG



  • 5.  RE: Best practices and configuration changes

     
    Posted 06-16-2020 05:00

    @thethakuri wrote:

    Thanks @spuluka, that is great. I'm new in Juniperverse, so please bear with me.

     

    So, basically, here's my network - nothing fancy. All of the switchs are EX2300-24P (including the core).

    1. So I setup management addresses on MGMT VLAN for each switch using L3 irb interface with IP address. Is this okay as I'm only looking to manage using SSH or HTTP and not do routing on the access switches. Yes this is OK.
      Also, do I need to enable HTTP service for the web interface to work? Yes
    2. Can the EX2300 core switch serve as DHCP server for VLANs 10 & 20? Yes
    3. I don't want Vlan 20 & MGMT (for that matter) to have default gateway access (internet). Is it better to do that in the firewall or the core switch? Either but I think most do this at the FW.  In that case only 1 static route for 0.0.0.0/0 on the 2300 pointing to next-hop of 192.168.10.254 is all that is needed.  You can block further access there.
    4. Please feel free to recommend any other best practices that you can think of. @smicker may have other suggestions.

     

    MyNetwork.PNG


     



  • 6.  RE: Best practices and configuration changes

    Posted 06-17-2020 00:14

    Guys I've been beating myself too much for such simple configuration. Here's where I am right now:

    • I can't  get the inter-vlan routing going - i.e. ping ComputerA to ComputerB
    • If I put ComputerB on same vlan as A, ping works. So vlan is working.
    • I can't ping the management address (10.21.38.x) on any switch from either Computer A or B.
    • Do I need to allocate ports to management vlan and connect a device to get it up and working? Please note that beside those two devices, I don't have anything else connected to access switched.
    • Do I need to define default static route on Access switches for this to work?
    • I've read that I need active VLAN ports for the VLAN interface to be up. So, do I need to have device for every VLAN (inlcuding management VLAN ) in every switch (including core)  ?
    • What am I missing here ?

    MyNet.PNG

     

    Configurations:

    root@SW-RCP-CORE-E01# show
    ## Last changed: 1970-01-03 13:26:23 AEST
    version 18.1R3.3;
    system {
        host-name SW-RCP-CORE-E01;
        auto-snapshot;
        time-zone Australia/Sydney;
        root-authentication {
            encrypted-password ""; ## SECRET-DATA
        }
        services {
            ssh {
                root-login allow;
            }
            web-management {
                https {
                    system-generated-certificate;
                    interface irb.10;
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        processes {
            dhcp-service {
                traceoptions {
                    file dhcp_logfile size 10m;
                    level all;
                    flag all;
                }
            }
        }
    }
    chassis {
        redundancy {
            graceful-switchover;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 50;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 50;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 50;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 50;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 50;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 50;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 50;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 50;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 50;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 50;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 48;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 48;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 48;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 48;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 48;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/15 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 48;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/16 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 48;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/17 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 48;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/18 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 48;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/19 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members 48;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/20 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/0/21 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/0/22 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/0/23 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members all;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/1/0 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members all;
                    }
                    storm-control default;
                }
            }
        }
        xe-0/1/0 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/1/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members all;
                    }
                    storm-control default;
                }
            }
        }
        xe-0/1/1 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/1/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members all;
                    }
                    storm-control default;
                }
            }
        }
        xe-0/1/2 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/1/3 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members all;
                    }
                    storm-control default;
                }
            }
        }
        xe-0/1/3 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    dhcp {
                        vendor-id Juniper-ex2300-24p-JY0220020620;
                    }
                }
            }
            unit 10 {
                family inet {
                    address 10.21.38.245/24;
                }
            }
            unit 48 {
                family inet {
                    address 192.168.48.245/24;
                }
            }
            unit 50 {
                family inet {
                    address 192.168.50.245/24;
                }
            }
        }
        vme {
            unit 0 {
                family inet {
                    dhcp {
                        vendor-id Juniper-ex2300-24p-JY0220020620;
                    }
                }
            }
        }
    }
    forwarding-options {
        storm-control-profiles default {
            all;
        }
    }
    protocols {
        lldp {
            interface all;
        }
        lldp-med {
            interface all;
        }
        igmp-snooping {
            vlan default;
        }
        rstp {
            interface ge-0/0/0;
            interface ge-0/0/1;
            interface ge-0/0/2;
            interface ge-0/0/3;
            interface ge-0/0/4;
            interface ge-0/0/5;
            interface ge-0/0/6;
            interface ge-0/0/7;
            interface ge-0/0/8;
            interface ge-0/0/9;
            interface ge-0/0/10;
            interface ge-0/0/11;
            interface ge-0/0/12;
            interface ge-0/0/13;
            interface ge-0/0/14;
            interface ge-0/0/15;
            interface ge-0/0/16;
            interface ge-0/0/17;
            interface ge-0/0/18;
            interface ge-0/0/19;
            interface ge-0/0/20;
            interface ge-0/0/21;
            interface ge-0/0/22;
            interface ge-0/0/23;
            interface ge-0/1/0;
            interface xe-0/1/0;
            interface ge-0/1/1;
            interface xe-0/1/1;
            interface ge-0/1/2;
            interface xe-0/1/2;
            interface ge-0/1/3;
            interface xe-0/1/3;
        }
    }
    poe {
        interface all;
    }
    vlans {
        ACCESS {
            vlan-id 48;
            l3-interface irb.48;
        }
        MGMT {
            vlan-id 10;
            l3-interface irb.10;
        }
        SECURITY {
            vlan-id 50;
            l3-interface irb.50;
        }
        default {
            vlan-id 1;
            l3-interface irb.0;
        }
    }
    

     

     

    root@SW-RCP-ACC-A01# show
    ## Last changed: 1970-01-02 04:12:14 AEST
    version 18.1R3.3;
    system {
        host-name SW-RCP-ACC-A01;
        auto-snapshot;
        time-zone Australia/Sydney;
        root-authentication {
            encrypted-password ""; ## SECRET-DATA
        }
        services {
            ssh {
                protocol-version v2;
            }
            netconf {
                ssh;
            }
            web-management {
                http;
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        processes {
            dhcp-service {
                traceoptions {
                    file dhcp_logfile size 10m;
                    level all;
                    flag all;
                }
            }
        }
    }
    chassis {
        redundancy {
            graceful-switchover;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/15 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/16 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/17 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/18 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/19 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/20 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/0/21 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/0/22 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/0/23 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/1/0 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members all;
                    }
                    storm-control default;
                }
            }
        }
        xe-0/1/0 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/1/1 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        xe-0/1/1 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/1/2 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        xe-0/1/2 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/1/3 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        xe-0/1/3 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    dhcp {
                        vendor-id Juniper-ex2300t;
                    }
                }
            }
            unit 10 {
                family inet {
                    address 10.21.38.241/24;
                }
            }
        }
    }
    snmp {
        location "Building A";
        contact "support@tritechsolutions.com.au";
        community rcpublic {
            authorization read-only;
        }
    }
    forwarding-options {
        storm-control-profiles default {
            all;
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.21.38.245;
        }
    }
    protocols {
        lldp {
            interface all;
        }
        lldp-med {
            interface all;
        }
        igmp-snooping {
            vlan default;
        }
        rstp {
            interface ge-0/0/0;
            interface ge-0/0/1;
            interface ge-0/0/2;
            interface ge-0/0/3;
            interface ge-0/0/4;
            interface ge-0/0/5;
            interface ge-0/0/6;
            interface ge-0/0/7;
            interface ge-0/0/8;
            interface ge-0/0/9;
            interface ge-0/0/10;
            interface ge-0/0/11;
            interface ge-0/0/12;
            interface ge-0/0/13;
            interface ge-0/0/14;
            interface ge-0/0/15;
            interface ge-0/0/16;
            interface ge-0/0/17;
            interface ge-0/0/18;
            interface ge-0/0/19;
            interface ge-0/0/20;
            interface ge-0/0/21;
            interface ge-0/0/22;
            interface ge-0/0/23;
            interface ge-0/1/0;
            interface xe-0/1/0;
            interface ge-0/1/1;
            interface xe-0/1/1;
            interface ge-0/1/2;
            interface xe-0/1/2;
            interface ge-0/1/3;
            interface xe-0/1/3;
        }
    }
    poe {
        interface all;
    }
    vlans {
        ACCESS {
            vlan-id 48;
        }
        MGMT {
            vlan-id 10;
            l3-interface irb.10;
        }
        SECURITY {
            vlan-id 50;
        }
        default {
            vlan-id 1;
            l3-interface irb.0;
        }
    }
    
    

     

     

    root@SW-RCP-ACC-B01# show
    ## Last changed: 1970-01-06 13:04:12 AEST
    version 18.1R3.3;
    system {
        host-name SW-RCP-ACC-B01;
        auto-snapshot;
        time-zone Australia/Sydney;
        root-authentication {
            encrypted-password ""; ## SECRET-DATA
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        processes {
            dhcp-service {
                traceoptions {
                    file dhcp_logfile size 10m;
                    level all;
                    flag all;
                }
            }
        }
    }
    chassis {
        redundancy {
            graceful-switchover;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members SECURITY;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/15 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/16 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/17 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/18 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/19 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members ACCESS;
                    }
                    storm-control default;
                }
            }
        }
        ge-0/0/20 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/0/21 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/0/22 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/0/23 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/1/0 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members all;
                    }
                    storm-control default;
                }
            }
        }
        xe-0/1/0 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/1/1 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        xe-0/1/1 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/1/2 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        xe-0/1/2 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        ge-0/1/3 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        xe-0/1/3 {
            unit 0 {
                family ethernet-switching {
                    storm-control default;
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    dhcp {
                        vendor-id Juniper-ex2300-24p-JY0220020332;
                    }
                }
            }
            unit 10 {
                family inet {
                    address 10.21.38.242/24;
                }
            }
        }
        vme {
            unit 0 {
                family inet {
                    dhcp {
                        vendor-id Juniper-ex2300-24p-JY0220020332;
                    }
                }
            }
        }
    }
    forwarding-options {
        storm-control-profiles default {
            all;
        }
    }
    protocols {
        lldp {
            interface all;
        }
        lldp-med {
            interface all;
        }
        igmp-snooping {
            vlan default;
        }
        rstp {
            interface ge-0/0/0;
            interface ge-0/0/1;
            interface ge-0/0/2;
            interface ge-0/0/3;
            interface ge-0/0/4;
            interface ge-0/0/5;
            interface ge-0/0/6;
            interface ge-0/0/7;
            interface ge-0/0/8;
            interface ge-0/0/9;
            interface ge-0/0/10;
            interface ge-0/0/11;
            interface ge-0/0/12;
            interface ge-0/0/13;
            interface ge-0/0/14;
            interface ge-0/0/15;
            interface ge-0/0/16;
            interface ge-0/0/17;
            interface ge-0/0/18;
            interface ge-0/0/19;
            interface ge-0/0/20;
            interface ge-0/0/21;
            interface ge-0/0/22;
            interface ge-0/0/23;
            interface ge-0/1/0;
            interface xe-0/1/0;
            interface ge-0/1/1;
            interface xe-0/1/1;
            interface ge-0/1/2;
            interface xe-0/1/2;
            interface ge-0/1/3;
            interface xe-0/1/3;
        }
    }
    poe {
        interface all;
    }
    vlans {
        ACCESS {
            vlan-id 48;
        }
        MGMT {
            vlan-id 10;
            l3-interface irb.10;
        }
        SECURITY {
            vlan-id 50;
        }
        default {
            vlan-id 1;
            l3-interface irb.0;
        }
    }
    
    
    

     

     



  • 7.  RE: Best practices and configuration changes
    Best Answer

     
    Posted 06-17-2020 02:46

    You do need to have active physical ports in a vlan for the irb interfaces to come up.  In your case the trunk ports between the switches should cover this for your interfaces.  I don't generally use vlan all so I am not sure if this is recognized or not.  You might have to explicitly configure the vlans on the trunk ports for that port to count.

     

    You can verify this by looking at the interface status

    show interfaces terse irb

     

    You will also need the default route installed on the switches for the mgmt irb interface to have a route back as well.  the downstream switches should have the core switch as their default next hop.  And the core switch should have your firewall upstream as the next hop address.

     

    And your computers will need to have the irb interface on the switch as their gateway configured.  This allows them to route outside their local vlan and get the responses.

     



  • 8.  RE: Best practices and configuration changes

    Posted 06-17-2020 16:02

    And your computers will need to have the irb interface on the switch as their gateway configured.  This allows them to route outside their local vlan and get the responses.

    The computers have the irb interface of their respective vlans on the core switch as their gateway as the access switch only have irb interface for the management vlan.

     

    I have following static deafult gateway to Management vlan defined on access switches A & B

    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.21.38.245;
        }
    }

     

    Looks like the interfaces are up but I still can't do intervlan routing.

     

    Core:

     

    root@SW-RCP-CORE-E01> show interfaces terse irb
    Interface               Admin Link Proto    Local                 Remote
    irb                     up    up
    irb.0                   up    up   inet
    irb.10                  up    up   inet     10.21.38.245/24
    irb.48                  up    up   inet     192.168.48.245/24
    irb.50                  up    up   inet     192.168.50.245/24

     

     

    Switch A

     

    root@SW-RCP-ACC-A01> show interfaces terse irb
    Interface               Admin Link Proto    Local                 Remote
    irb                     up    up
    irb.0                   up    up   inet
    irb.10                  up    up   inet     10.21.38.241/24

     

     

    Switch B

    root@SW-RCP-ACC-B01> show interfaces terse irb
    Interface               Admin Link Proto    Local                 Remote
    irb                     up    up
    irb.0                   up    up   inet
    irb.10                  up    up   inet     10.21.38.242/24

     



  • 9.  RE: Best practices and configuration changes

    Posted 06-17-2020 22:36

    Thanks guys for the inputs. It was a really silly mistake - I had the wifi connected on both computers so it wasn't using the right DG. All good now. 

     

    One queston though, why is the latecny between edge device and interface so high. 10.21.38.245 is the management interface on the core switch.

    Latency.PNG



  • 10.  RE: Best practices and configuration changes

     
    Posted 06-18-2020 02:16

    Yes, 10ms seems high for hopping through a switch.  Can you run a ping from the edge switch itself to the mgmt ip of the core switch and verify what the actual switch to switch latency is?

     



  • 11.  RE: Best practices and configuration changes

    Posted 06-18-2020 15:47

    This is a ping from Access Switch B to Core Switch. Latency looks as bad.

     

    ping-latency.PNG



  • 12.  RE: Best practices and configuration changes

     
    Posted 06-19-2020 02:45

    This verifies that the delay is internal to the switch stacking and does look unusually high.  I would expect these to be under 5ms and much more consistent since the switches are directly connected.

     

    From the config and diagram it looks like only one port is connected so there can be no layer 2 loops.

    Are thes switches reasonably close together and that cable not very long or in different buildings?

     

    I'm also wondering about storm control on the trunk port.  This is generally an access port control only.

     



  • 13.  RE: Best practices and configuration changes

    Posted 06-20-2020 18:20

    This is a test environment so switches are right next to each other. And yes, only one port connected so no loops.



  • 14.  RE: Best practices and configuration changes

     
    Posted 06-22-2020 03:02
    This is a test environment so switches are right next to each other. And yes, only one port connected so no loops.

    Were you able to turn off storm control on the trunk ports and test again?

     

     



  • 15.  RE: Best practices and configuration changes

    Posted 06-21-2020 17:52

    DHCP server is not working, clients are not getting the address assigned. Here's what I have in the config:

     

    ##
            ## Warning: configuration block ignored: unsupported platform (ex2300-24p)
            ##
            dhcp {
                pool 192.168.48.0/24 {
                    address-range low 192.168.48.100 high 192.168.48.150;
                    domain-name rcpinsight.local;
                    name-server {
                        8.8.8.8;
                    }
                    router {
                        192.168.48.254;
                    }
                }
            }
    


  • 16.  RE: Best practices and configuration changes

     
    Posted 06-22-2020 03:01

    That is the deprecated old method for dhcp server configuration.  On the newer switches like the ex2300 you need to use the version under system services.  Both are documented here and this link should jump to the version you should use.

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/dhcp-for-switching-devices.html#id-configuring-an-extended-dhcp-server-on-a-switch

     



  • 17.  RE: Best practices and configuration changes

    Posted 06-24-2020 00:45

    Great that helped. On more question, is it good idea to set up Core EX2300-24P as NTP server for the rest of the access switches. If so, can you please guide me on how to configure that?



  • 18.  RE: Best practices and configuration changes

     
    Posted 06-24-2020 02:59

    When you configure ntp to in Junos to a valid source it can be a downstream source to others.

     

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/network-time-protocol-time-server-time-services-configuring.html

     

    But in a small network I would generally just point everyone to a public ntp source directly like the tick.usno.navy.mil and tock.usno.navy.mil

     



  • 19.  RE: Best practices and configuration changes

    Posted 06-28-2020 00:09

    Thanks Steve, you've been instrumental. One last query and I promise I'll bug off.

     

    If I want to disable Inter-Vlan routing between Vlan-48 and Vlan-50 I believe I use firewall filter on the edge switches. Is there a way to do that on the core switch so I don't have to re-program every edge switches. Please remember I still want Management Vlan-10 to be accessible from every other Vlan and Vlan-48 should have internet access (shares the same subnet with the firewall/router).



  • 20.  RE: Best practices and configuration changes

     
    Posted 06-28-2020 02:56

    The firewall filters are applied to the routed vlan interfaces themselves so only need to be applied on the switch with these interfaces configured. 

     

    The downstream switches in your case have only one routed interface so they cannot cross vlans directly.  They are using the interface on the core switch.

     



  • 21.  RE: Best practices and configuration changes

    Posted 06-29-2020 00:11

    This is what I tried to create firewall filter that stops traffic from Vlan50 (192.168.50.0/24) routing to Vlan48 (192.168.48.0/24)

     

    root@SW-RCP-CORE-E01# edit firewall family ethernet-switching filter vlan_48
    
    {master:0}[edit firewall family ethernet-switching filter vlan_48]
    root@SW-RCP-CORE-E01# set term discard_vlan_50 from destination-
    'destination-' is ambiguous.
    Possible completions:
    > destination-mac-address  Match MAC destination address
    + destination-port     Match TCP/UDP destination port
    > destination-prefix-list  Match IP destination prefixes in named list
    
    

    This is where I'm stuck. I can't get the option destination-address as shown here https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-ex-series-configuring.html

     

    Also, I need to create reverse filter for traffic going from Vlan 48 to Vlan 50. 

    I want all Management Vlan to be accessible from all. Do I explicit allow as I think its implicit allow all?



  • 22.  RE: Best practices and configuration changes

     
    Posted 06-29-2020 02:52

    This is a generic example of controling traffic on ex switches with firewall filters.

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-ex-series-configuring.html

     



  • 23.  RE: Best practices and configuration changes

    Posted 06-30-2020 01:00

    Thats exactly the same document I've referenced. The syntax vary between that and the version on my switch. For example I have to use following:

    edit firewall family ethernet-switching filter vlan_50
    set term 1 from ip-destination-address 192.168.48.0/24
    set term 1 then discard
    
    set vlans 50 forwarding-options filter input vlan_50

    What confuses me where input/output and ingree/egress filters are applied. If you look at my example, filter is applied on vlan 50 on the input although the traffic originates from vlan 50 and goes to vlan 48. Shouldn't the filter be applied on the egress traffic of vlan 50?

     

    On the other note, I'm having issue with web-management interface. If I only have https enabled:

    web-management {
                http;
                https {
                    system-generated-certificate;
                    interface irb.10;
                }
            }

    I get err_too_many_redirects error. If I enable http, that works but its not secure.

     

    Also, in one of the switch I'm getting Phone Home Client on the web interface. I saw following in its conf:

    system {
    .... phone-home {
    server https://redirect.juniper.net;
    rfc-compliant;
    } }

    I can't delete phone-home, it doesn't give me that option:

    root@SW-RCP-ACC-D01# delete system p
                                        ^
    'p' is ambiguous.
    Possible completions:
    + personality-file-list-of-directories  List of Optional directories for personality-tarball of device
    > pic-console-authentication  Authentication for the console port on PICs
    > ports                Craft interface RS-232 ports
    > processes            Process control
    > proxy                Proxy information for the router
    {master:0}[edit]
    root@SW-RCP-ACC-D01# delete system p
    

    I tried deactivate, but same issue. Please bear in mind that I'm remoted in through SSH.

     

     

    How do I get rid of this and get to normal Juniper Web Device Manager ?

    PHC.PNG

     

     



  • 24.  RE: Best practices and configuration changes

    Posted 06-15-2020 19:02

    In regard to undoing changes you made with the set command, there are a few things you can do.

    As already mentioned, using 'delete' is one option ('delete' is like 'no' for some other vendors).

     

    The other thing you should consider is 'rollback x' (where 'x' is the rollback point).

    So, if you want to rollback one commit, you can use 'rollback 1', and then commit again.

     

    If you're not sure if you want to roll back, try 'show | compare rollback x' from configuration mode.