Switching

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



Need Help with Cisco to Juniper translation

  • 1.  Need Help with Cisco to Juniper translation

    Posted 08-04-2021 08:59
    Hi all,

    I'm trying to learn networking and need to configure Juiper ex4300, don't know much about it as it's my first time with programable switches.

    I'm trying to recreate a working config from CISCO Catalyst switch.  It has an LACP LAG on 2 fibre ports + 2 Test Vlans 123 and 321.  Both of these Vlans have interface addresses assigned and one of them points to a default gateway on the same subnet.  Layer 3 routing on the Cisco switch is disabled, we want the firewall to do that.

    Both the firewall and the client see switch and can ping it however they can't ping each other firewall/gateway <--> Client (PC) via the Juniper switch.  Its like there is a mismatch with the routing the packets IP packets the access mode ports to the tagged vlans which are in the port channel (that connects to the firewall).

    Also are there any good guides to help me migrate from a Cisco way of doing this to Juniper, the config is very different.


    JUNIPER:

    host-name testNet;
    services {
    ssh {
    root-login allow;
    protocol-version v2;
    }
    netconf {
    ssh;
    }
    }
    chassis {
    aggregated-devices {
    ethernet {
    device-count 2;
    }
    }
    }
    # Placeholder for QFX platform config.
    interfaces {
    ge-0/0/0 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members 123;
    }
    storm-control default;
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members 321;
    }
    storm-control default;
    }
    }
    }
    xe-0/2/0 {
    ether-options {
    802.3ad ae0;
    }
    inactive: unit 0 {
    family ethernet-switching {
    storm-control default;
    }
    }
    }
    xe-0/2/1 {
    ether-options {
    802.3ad ae0;
    }
    inactive: unit 0 {
    family ethernet-switching {
    storm-control default;
    }
    }
    }
    ae0 {
    vlan-tagging;
    aggregated-ether-options {
    minimum-links 2;
    link-speed 10g;
    lacp {
    active;
    periodic fast;
    }
    }
    unit 123 {
    vlan-id 123;
    }
    unit 321 {
    vlan-id 321;
    }
    }
    irb {
    unit 123 {
    family inet {
    address 10.10.20.1/24;
    }
    }
    unit 321 {
    family inet {
    address 10.20.20.1/24;
    }
    }
    }
    vme {
    unit 0 {
    family inet {
    address 10.10.20.1/24;
    }
    }
    }forwarding-options {
    storm-control-profiles default {
    all;
    }
    }
    routing-options {
    static {
    route 0.0.0.0/0 next-hop 10.10.20.254;
    }
    }
    protocols {
    lldp {
    interface all;
    }
    lldp-med {
    interface all;
    }
    igmp-snooping {
    vlan default;
    }
    rstp {
    interface all;
    }
    }
    vlans {
    Main-Test-VLAN {
    vlan-id 123;
    }
    2nd-Test-VLAN {
    vlan-id 321;
    }
    default {
    vlan-id 1;
    }
    }
    poe {
    interface all;
    }
    Cisco:
    version 16.12
    no service pad
    service timestamps debug datetime localtime show-timezone
    service timestamps log datetime localtime show-timezone
    service password-encryption
    service compress-config
    service sequence-numbers
    service call-home
    service unsupported-transceiver
    no platform punt-keepalive disable-kernel-core
    !
    hostname TEMP-SW-TEST
    !
    !
    vrf definition Mgmt-vrf
    !
    address-family ipv4
    exit-address-family
    !
    address-family ipv6
    exit-address-family
    !
    logging buffered 100000
    logging monitor warnings
    enable secret 8----------
    !
    no aaa new-model
    clock timezone gmt 0 0
    clock summer-time bst recurring last Sun Mar 1:00 last Sun Oct 1:00
    switch 1 provision ws-c3850-12x48u
    !
    call-home
    ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
    ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
    contact-email-addr sch-smart-licensing@cisco.com
    profile "---"
    active
    destination transport-method http
    no destination transport-method email
    no ip source-route
    !
    no ip domain lookup
    ip domain name xxx.local
    no ip cef optimize neighbor resolution
    ip cef load-sharing algorithm universal ---
    !
    !
    !
    ip dhcp snooping vlan 123,321
    ip dhcp snooping
    login on-failure log
    login on-success log
    !
    !
    auto qos global compact
    !
    !
    diagnostic bootup level minimal
    !
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    memory free low-watermark processor 79502
    !
    !
    redundancy
    mode sso
    !
    transceiver type all
    monitoring
    !
    vlan 123
    name Main-Test-VLAN
    !
    vlan 321
    name 2nd-Test-VLAN
    !
    class-map match-any system-cpp-police-topology-control
    description Topology control
    class-map match-any system-cpp-police-sw-forward
    description Sw forwarding, L2 LVX data, LOGGING
    class-map match-any system-cpp-default
    description EWLC control, EWLC data, Inter FED
    class-map match-any system-cpp-police-sys-data
    description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
    class-map match-any system-cpp-police-punt-webauth
    description Punt Webauth
    class-map match-any system-cpp-police-l2lvx-control
    description L2 LVX control packets
    class-map match-any system-cpp-police-forus
    description Forus Address resolution and Forus traffic
    class-map match-any system-cpp-police-multicast-end-station
    description MCAST END STATION
    class-map match-any system-cpp-police-multicast
    description Transit Traffic and MCAST Data
    class-map match-any system-cpp-police-l2-control
    description L2 control
    class-map match-any system-cpp-police-dot1x-auth
    description DOT1X Auth
    class-map match-any system-cpp-police-data
    description ICMP redirect, ICMP_GEN and BROADCAST
    class-map match-any system-cpp-police-stackwise-virt-control
    description Stackwise Virtual
    class-map match-any non-client-nrt-class
    class-map match-any system-cpp-police-routing-control
    description Routing control and Low Latency
    class-map match-any system-cpp-police-protocol-snooping
    description Protocol snooping
    class-map match-any system-cpp-police-dhcp-snooping
    description DHCP snooping
    class-map match-any system-cpp-police-system-critical
    description System Critical and Gold Pkt
    !
    policy-map system-cpp-policy
    !
    interface Port-channel1
    description Uplink between trh-testnet-fw and TEMP-SW-TEST
    switchport trunk allowed vlan 123,321
    switchport mode trunk
    ip dhcp snooping trust
    !
    interface GigabitEthernet0/0
    vrf forwarding Mgmt-vrf
    ip address 192.168.252.100 255.255.255.0
    negotiation auto
    !
    interface GigabitEthernet1/0/1
    switchport access vlan 123
    switchport mode access
    spanning-tree portfast
    !
    !
    interface GigabitEthernet1/0/2
    switchport access vlan 321
    switchport mode access
    spanning-tree portfast
    !
    interface TenGigabitEthernet1/1/1
    description Uplink between testnet-fw and TEMP-SW-TEST
    switchport trunk allowed vlan 321,123
    switchport mode trunk
    channel-protocol lacp
    channel-group 1 mode active
    spanning-tree link-type point-to-point
    ip dhcp snooping trust
    !
    interface TenGigabitEthernet1/1/2
    description Uplink between testnet-fw and TEMP-SW-TEST
    switchport trunk allowed vlan 321,123
    switchport mode trunk
    channel-protocol lacp
    channel-group 1 mode active
    spanning-tree link-type point-to-point
    ip dhcp snooping trust
    !
    interface TenGigabitEthernet1/1/3
    !
    interface TenGigabitEthernet1/1/4
    !
    interface TenGigabitEthernet1/1/5
    !
    interface TenGigabitEthernet1/1/6
    !
    interface TenGigabitEthernet1/1/7
    !
    interface TenGigabitEthernet1/1/8
    !
    interface FortyGigabitEthernet1/1/1
    !
    interface FortyGigabitEthernet1/1/2
    !
    interface Vlan1
    no ip address
    shutdown
    !
    interface Vlan123
    ip address 10.10.20.1 255.255.255.0
    !
    interface Vlan321
    ip address 10.20.20.1 255.255.255.0
    !
    ip default-gateway 10.10.20.254
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip ssh time-out 60
    ip ssh pubkey-chain
    username xxxx
    key-hash ssh-rsa x
    !
    control-plane
    service-policy input system-cpp-policy
    !
    line con 0
    exec-timeout 0 0
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    session-timeout 480
    login local
    transport input ssh
    line vty 5 15
    session-timeout 480
    login
    transport input ssh
    !
    end



    ------------------------------
    ALEKSANDER KARAPETIAN
    ------------------------------