Hi all,
I'm trying to learn networking and need to configure Juiper ex4300, don't know much about it as it's my first time with programable switches.
I'm trying to recreate a working config from CISCO Catalyst switch. It has an LACP LAG on 2 fibre ports + 2 Test Vlans 123 and 321. Both of these Vlans have interface addresses assigned and one of them points to a default gateway on the same subnet. Layer 3 routing on the Cisco switch is disabled, we want the firewall to do that.
Both the firewall and the client see switch and can ping it however they can't ping each other firewall/gateway <--> Client (PC) via the Juniper switch. Its like there is a mismatch with the routing the packets IP packets the access mode ports to the tagged vlans which are in the port channel (that connects to the firewall).
Also are there any good guides to help me migrate from a Cisco way of doing this to Juniper, the config is very different.
JUNIPER:
host-name testNet;
services {
ssh {
root-login allow;
protocol-version v2;
}
netconf {
ssh;
}
}
chassis {
aggregated-devices {
ethernet {
device-count 2;
}
}
}
# Placeholder for QFX platform config.
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members 123;
}
storm-control default;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members 321;
}
storm-control default;
}
}
}
xe-0/2/0 {
ether-options {
802.3ad ae0;
}
inactive: unit 0 {
family ethernet-switching {
storm-control default;
}
}
}
xe-0/2/1 {
ether-options {
802.3ad ae0;
}
inactive: unit 0 {
family ethernet-switching {
storm-control default;
}
}
}
ae0 {
vlan-tagging;
aggregated-ether-options {
minimum-links 2;
link-speed 10g;
lacp {
active;
periodic fast;
}
}
unit 123 {
vlan-id 123;
}
unit 321 {
vlan-id 321;
}
}
irb {
unit 123 {
family inet {
address 10.10.20.1/24;
}
}
unit 321 {
family inet {
address 10.20.20.1/24;
}
}
}
vme {
unit 0 {
family inet {
address 10.10.20.1/24;
}
}
}forwarding-options {
storm-control-profiles default {
all;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.10.20.254;
}
}
protocols {
lldp {
interface all;
}
lldp-med {
interface all;
}
igmp-snooping {
vlan default;
}
rstp {
interface all;
}
}
vlans {
Main-Test-VLAN {
vlan-id 123;
}
2nd-Test-VLAN {
vlan-id 321;
}
default {
vlan-id 1;
}
}
poe {
interface all;
}
Cisco:
version 16.12
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
service call-home
service unsupported-transceiver
no platform punt-keepalive disable-kernel-core
!
hostname TEMP-SW-TEST
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 100000
logging monitor warnings
enable secret 8----------
!
no aaa new-model
clock timezone gmt 0 0
clock summer-time bst recurring last Sun Mar 1:00 last Sun Oct 1:00
switch 1 provision ws-c3850-12x48u
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "---"
active
destination transport-method http
no destination transport-method email
no ip source-route
!
no ip domain lookup
ip domain name xxx.local
no ip cef optimize neighbor resolution
ip cef load-sharing algorithm universal ---
!
!
!
ip dhcp snooping vlan 123,321
ip dhcp snooping
login on-failure log
login on-success log
!
!
auto qos global compact
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
memory free low-watermark processor 79502
!
!
redundancy
mode sso
!
transceiver type all
monitoring
!
vlan 123
name Main-Test-VLAN
!
vlan 321
name 2nd-Test-VLAN
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description EWLC control, EWLC data, Inter FED
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
!
policy-map system-cpp-policy
!
interface Port-channel1
description Uplink between trh-testnet-fw and TEMP-SW-TEST
switchport trunk allowed vlan 123,321
switchport mode trunk
ip dhcp snooping trust
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 192.168.252.100 255.255.255.0
negotiation auto
!
interface GigabitEthernet1/0/1
switchport access vlan 123
switchport mode access
spanning-tree portfast
!
!
interface GigabitEthernet1/0/2
switchport access vlan 321
switchport mode access
spanning-tree portfast
!
interface TenGigabitEthernet1/1/1
description Uplink between testnet-fw and TEMP-SW-TEST
switchport trunk allowed vlan 321,123
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
spanning-tree link-type point-to-point
ip dhcp snooping trust
!
interface TenGigabitEthernet1/1/2
description Uplink between testnet-fw and TEMP-SW-TEST
switchport trunk allowed vlan 321,123
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
spanning-tree link-type point-to-point
ip dhcp snooping trust
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/5
!
interface TenGigabitEthernet1/1/6
!
interface TenGigabitEthernet1/1/7
!
interface TenGigabitEthernet1/1/8
!
interface FortyGigabitEthernet1/1/1
!
interface FortyGigabitEthernet1/1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan123
ip address 10.10.20.1 255.255.255.0
!
interface Vlan321
ip address 10.20.20.1 255.255.255.0
!
ip default-gateway 10.10.20.254
ip forward-protocol nd
ip http server
ip http secure-server
ip ssh time-out 60
ip ssh pubkey-chain
username xxxx
key-hash ssh-rsa x
!
control-plane
service-policy input system-cpp-policy
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 480
login local
transport input ssh
line vty 5 15
session-timeout 480
login
transport input ssh
!
end
------------------------------
ALEKSANDER KARAPETIAN
------------------------------