Switching

  • 1.  Excluding ports from an interface-range command

    Posted 08-12-2011 00:40

    Hey guys,

     

    We're currently using the following interface-range commands on our EX(22|32|42)00 switches:

     

    interface-range range-edge-ports {
        member-range ge-0/0/0 to ge-0/0/45;
        apply-groups edge-ports;
    }

     

    This is used in a lot of places around the configuration, such as in dot1x:

     

    authenticator {
        authentication-profile-name mab-profile;
        interface {
            range-edge-ports {
                supplicant multiple;
                mac-radius {
                    restrict;
                }
                no-reauthentication;
            }
        }
    }

     

    Etc. So we're basically using MAB on all these ports to dynamically set the VLAN.

     

    Occasionally somebody requires a port to be defined in a static VLAN. For this, we need to remove the port from the member-range command in the interface-range. Is there a way to simply exclude a port from the range without having to redefine the whole range?

     

    Currently the only way I can see is to redefine the entire range by doing this:

     

    interface-range range-edge-ports {
        member-range ge-0/0/0 to ge-0/0/11;
        member-range ge-0/0/13 to ge-0/0/21;
        member-range ge-0/0/23 to ge-0/0/45;
        apply-groups edge-ports;
    }

     

    When I'd much rather do something like this:

    interface-range range-edge-ports {
        member-range ge-0/0/0 to ge-0/0/45;
        member ge-0/0/12 exclude;
        member ge-0/0/22 exclude;
        apply-groups edge-ports;
    }

     

    Any ideas?

     

    Thanks,

    Ben





  • 2.  RE: Excluding ports from an interface-range command

    Posted 08-12-2011 03:52

    Instead of using member-range you can use member only, e.g.

    interfaces {
        interface-range range-edge-ports {
            member ge-0/0/[0-11,13-21,23-45];
        }
    }

    However, the exclude way is not supported ...

     

    regards


    #wildcard
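
Added example (not part of the original thread): a Python sketch that builds the bracketed `member` expression shown in reply 2 from a port span minus exclusions, and audits such an expression to list the ports it leaves out, which in this setup are the ports not covered by the dot1x stanza. The function names and the regular expression for the statement format are assumptions of this example; only `ge-` interfaces with the bracket in the port position are handled.

```python
import re

def member_expression(fpc, pic, first, last, excluded):
    """Build 'member ge-F/P/[...]' covering first..last minus the excluded ports."""
    skip = set(excluded)
    ports = [p for p in range(first, last + 1) if p not in skip]
    if not ports:
        raise ValueError("every port in the span is excluded")
    runs, start = [], None
    for i, port in enumerate(ports):
        if start is None:
            start = port
        # Close the run when the next port is not consecutive (or we are at the end).
        if i + 1 == len(ports) or ports[i + 1] != port + 1:
            runs.append(str(start) if start == port else f"{start}-{port}")
            start = None
    return f"member ge-{fpc}/{pic}/[{','.join(runs)}];"

def expand_member(statement):
    """Expand a bracketed member statement back into the set of port numbers."""
    m = re.fullmatch(r"member ge-(\d+)/(\d+)/\[([\d,\-]+)\];", statement.strip())
    if not m:
        raise ValueError(f"unsupported member statement: {statement!r}")
    ports = set()
    for part in m.group(3).split(","):
        low, _, high = part.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def exempt_ports(statement, first, last):
    """Ports in first..last that the range does NOT cover (e.g. static-VLAN ports)."""
    return sorted(set(range(first, last + 1)) - expand_member(statement))

if __name__ == "__main__":
    # Constructed input: the 46 edge ports from the thread, minus ge-0/0/12 and ge-0/0/22.
    stmt = member_expression(0, 0, 0, 45, [12, 22])
    print(stmt)
    print("ports outside the range:", exempt_ports(stmt, 0, 45))
```

Running the audit half against the committed configuration gives a quick list of edge ports that have been taken out of the MAB range and should each have a documented reason.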


  • 3.  RE: Excluding ports from an interface-range command

    Posted 08-12-2011 05:27

    You have to wait until next year for when 'REAL'  range commands are available. A feature that is 4 years late...



  • 4.  RE: Excluding ports from an interface-range command

    Posted 08-16-2011 07:21

    It could be confusing, but if you configure an interface range, and then configure a specific interface differently, the more specific configuration will win.



  • 5.  RE: Excluding ports from an interface-range command

    Posted 01-24-2012 08:51

    No, it will not work, you will get "error: configuration check-out failed"

    error: Access interface <ge-0/0/13.0> has more than one vlan member: <v20> and <v10>



  • 6.  RE: Excluding ports from an interface-range command

    Posted 05-14-2013 12:20

    BuckWeet, what commands are you referring to?  Any documents you can point us to?



  • 7.  RE: Excluding ports from an interface-range command

    Posted 05-14-2013 13:03

    Adamguy, this is something we have been asking for a long time for this particular configuration. The only way for that to be done is to use a combination of the interface-range members all/member/add a single interface. So you would end up with multiple interface ranges which would exclude the ones to be excluded.

    Kind of like adding all VLANs to a trunk port except specific VLANs. Not available. Maybe if enough clients send a direct request, Juniper may consider it as an update.



  • 8.  RE: Excluding ports from an interface-range command

     
    Posted 05-20-2013 05:08

    The wildcard range command goes a long way to making this easier:

     

    Build your interface-range using a normal Regex to capture all the ports:

     

    bdale@ex42-lab# wildcard range set interfaces interface-range MY-RANGE member ge-0/[1-2]/[0,5,7]

    {master:0}[edit]
    bdale@ex42-lab# show interfaces interface-range MY-RANGE
    member ge-0/1/0;
    member ge-0/1/5;
    member ge-0/1/7;
    member ge-0/2/0;
    member ge-0/2/5;
    member ge-0/2/7;

     Then you can simply delete the individual member from the interface-range statement to remove it from all apply-group references, or again, use a wildcard delete statement to remove a specific group:

     

    {master:0}[edit]
    bdale@ex42-lab# wildcard delete interfaces interface-range MY-RANGE member ge-0/1/*    
      matched: ge-0/1/0
      matched: ge-0/1/5
      matched: ge-0/1/7
    Delete 3 objects? [yes,no] (no) yes 
    
    {master:0}[edit]
    bdale@ex42-lab# show interfaces interface-range MY-RANGE 
    member ge-0/2/0;
    member ge-0/2/5;
    member ge-0/2/7;

     

    Lyndion, I think what you're trying to achieve is actually doable as well - my understanding of your requirement is that you want to have a single interface-range that you re-use in various places in the configuration, but have the ability to selectively disable ports from it on a per configuration stanza basis.  This actually works already in most places:

     

    {master:0}[edit]
    bdale@ex42-lab# wildcard range set interfaces interface-range MY-RANGE member ge-0/0/[13-18]

    {master:0}[edit]
    bdale@ex42-lab# show interfaces interface-range MY-RANGE 
    member ge-0/0/13;
    member ge-0/0/14;
    member ge-0/0/15;
    member ge-0/0/16;
    member ge-0/0/17;
    member ge-0/0/18;
    
    {master:0}[edit]
    bdale@ex42-lab# show protocols dot1x 
    authenticator {
        interface {
            ge-0/0/17.0 {
                disable;
            }
            MY-RANGE;
        }
    }
    
    {master:0}[edit]
    bdale@ex42-lab# commit 
    configuration check succeeds
    commit complete
    
    {master:0}[edit]
    bdale@ex42-lab# run show dot1x interface 
    802.1X Information:
    Interface     Role           State           MAC address          User
    ge-0/0/13.0   Authenticator  Initialize     
    ge-0/0/14.0   Authenticator  Initialize     
    ge-0/0/15.0   Authenticator  Initialize     
    ge-0/0/16.0   Authenticator  Initialize     
    ge-0/0/18.0   Authenticator  Initialize  <-- notice ge-0/0/17.0 is disabled