Switching

vlans - Guest

vlans - Data

 

Active firewall 192.168.1.25 - LAN interface 1/7 connects to Cisco 2960 gi-1/0/25

Passive firewall 192.168.1.26 - LAN interface 1/7 connects to ex2200 ge-0/1/0 interface

Cisco 2960 gi-1/0/25 - setup as access vlan member is DATA

Juniper ex2200 ge-0/1/0- setup as access vlan member is DATA. switched to trunk with native vlan-id DATA in config below. 

Topology attached. 

show vlan command attached

Junos OS version: JUNOS EX Software Suite [15.1R5.5]

 

We have a small network flat network in a remote office. We have 1 Cisco 2960 and 1 Juniper EX2200. interface gi-1/0/28 and interface ge-0/1/3 are setup as trunk with native vlan-id DATA. traffic is flowing between the switches. We just installed PA-820 firewalls in HA. when we failover we lose the site completely behind the firewall.  When looking at the switch the arp is not updating to point to the correct MAC and interface to route the traffic between the Cisco and Juniper. Both Mac tables are incorrect. When i run a show vlan on the ex2200 i am seeing that ge-0/1/0 is showing up on the default vlan and not the DATA vlan. The traffic from the PA-820 1/7 interface is untagged as well. 

 

How can i fix this so that interface shows in the DATA vlan and not the default so the failover works with our Firewall? 

 

EX2200 config

interfaces {
interface-range Production {
member-range ge-0/0/0 to ge-0/0/22;
description  DATA";
unit 0 {
family ethernet-switching {
port-mode trunk;
native-vlan-id DATA;
}
}
}
ge-0/0/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/16 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/17 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/20 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/21 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/22 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members GUEST;
}
}
}
}
ge-0/1/0 {
description "BOTTOM PA820 192.168.1.26 INT1/7 UPLINK";
unit 0 {
family ethernet-switching {
port-mode trunk;
native-vlan-id DATA;
}
}
}
ge-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/2 {
description "Trunk to Cisco C2960";
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members GUEST;
}
native-vlan-id DATA;
}
}
}
ge-0/1/3 {
description "Trunk to Cisco C2960";
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members GUEST;
}
native-vlan-id DATA;
}
}
}
ae0 {
unit 0;
}
me0 {
unit 0 {
family inet;
}
}
vlan {
unit 0 {
family inet;
}
unit 1 {
family inet {
address 192.168.1.14/24;
}
}
}
}
forwarding-options {
helpers {
bootp {
interface {
vlan.1;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.1;
}
}
protocols {
rstp;
lldp {
interface all;
}
lldp-med {
interface all;
}
}
ethernet-switching-options {
voip;
storm-control {
interface all;
}
}
vlans {
DATA {
description "Default Cisco VLAN";
vlan-id 1;
l3-interface vlan.1;
}
GUEST {
description "GuestNet VLAN";
vlan-id 3;
}
}
poe {
interface all;
}

Seems ge-0/1/0 is missing "

vlan members DATA

under family ethernet-switching?

ge-0/1/0 { description "BOTTOM PA820 192.168.1.26 INT1/7 UPLINK";

unit 0 {

 family ethernet-switching {

  port-mode trunk;

  native-vlan-id DATA; } } }

i tried the following:

added as vlan member and removed native vlan-id: DATA

set interfaces ge-0/1/0 description "BOTTOM PA820 192.168.1.26 INT1/7 UPLINK"
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members DATA

 

commited but the ge-0/1/0 interface still shows up in the default vlan and not the DATA vlan.

 

added as vlan member and left native vlan-id: DATA

set interfaces ge-0/1/0 description "BOTTOM PA820 192.168.1.26 INT1/7 UPLINK"
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members DATA

set interfaces ge-0/1/0 unit 0 family ethernet-switching native-vlan-id DATA

 

commited but the ge-0/1/0 interface still shows up in the default vlan and not the DATA vlan.

Try this combination.

 

set interfaces ge-0/1/0 description "BOTTOM PA820 192.168.1.26 INT1/7 UPLINK"
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk

set interfaces ge-0/1/0 unit 0 family ethernet-switching native-vlan-id DATA

set vlans DATA interface ge-0/1/0.0

 

Curious why this is a trunk port if there is only one untagged vlan.  If that is all you want an access port would be more normal.

 

I reverted back to an access port with vlan member DATA. I also used the set vlans DATA interface GE-0/1/0.0 command.

Next, i ran show vlans and show Ethernet switching interfaces commands.
Interface ge-0/1/0 is still showing Up in the vlan default and not the vlan DATA and committed.

Hi RKEB,

Is there group config applied somewhere that's putting the interface in default VLAN? Please check "show configuration interfaces ge-0/1/0 | display inheritance".
If not, this might be worth sending over to JTAC.

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :).

Agree there has to be some residual configuration you don't want here.  I assume you are not using the default vlan.  Is this still in the configuration:

show vlans default

 

Looking for groups

show groups

 

See if groups are applied to the interface

show configuration interface ge-0/1/0 | display inheritance

 

 

 

JTAC Determined that code 15.R5.5 was not the right code on the switch. Recommended to downgrade to 12.3R12S10.
workaround for now until we downgrade was to delete interface config, then commit.
Then, add interface config back and commit.
Now interface showed up under correct “DATA”.

I was removing and adding back but not committing inbetween.