Ethernet Switching

ne0031

EX vlan (trunk/access) tagging question - solved by defaulting switch

I have two 4200-24s. One of these is purely for testing, the other is production, but currently as a 'dumb switch.'

I'm new to Junos and have read several books such as O'Reilly's Enterprise Switching, as well as tech pubs in general.

On my test 4200, I am trying to configure ge-0/0/0 and /1 to be trunk ports, for connection to access points. These access points support 5 vlans (10, 20, 30, 40, and 50). For the purposes of this test, as well as to use some of the information I have found, there are also several access ports for vlan50 (MGMT). A port mirror runs on /23 for testing purposes.

Originally, APs connected to ge-0/0/15, /16 as access ports could communicate with each other, but not with the AP utilizing a trunk port on ge-0/0/1. This mysteriously changed upon power cycling the 4200.

Currently, the AP on ge-0/0/1 can communicate with the AP on ge-0/0/16. The AP on /15 is unreachable from other ports.

The AP on /1 cannot communicate with the AP on /10 either.

When setting port mirror options to vlan10 (PUBLIC), both the trunked AP on /1 and the AP on /10 can be seen arping for the destination.

When the mirror is set to the /1 port, only traffic originating from the AP on /1 is seen arping. Traffic sourced from the AP on /10 is not visible.

When the mirror is set to vlan50 (MGMT), the AP on /1 is visible both pinging the AP on /16 and arping for the AP on /15. The AP on /15 can be seen arping for the AP on /1.

When the mirror is set to the /1 port, both /1 and /15 are seen arping for each other.

Below is the switch configuration, minus unused ports that were snipped out to shorten the config.

Also, the RVI for each vlan is not pingable from the APs. No ping is successful from the 4200 either.

I am at wits' end trying to figure out how to configure this. I haven't been able to get a trunk up between the two 4200s either, but I'll work on that after getting this running.

AP addresses are 172.20.vlan.x where:

/1 is .203 (trunk)
/10 is .206 (vlan10)
/15 is .204 (vlan50)
/16 is .205 (vlan50)

version 10.1R1.8;
system {
    host-name Core-2;
    backup-router 172.16.8.1;
    root-authentication {
        encrypted-password bJGlojzEL3f.I;
    }
    services {
        ssh {
            protocol-version v2;
        }
        telnet;
        netconf {
            ssh;
        }
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        mtu 1514;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ EXIB MGMT PUBLIC STAFF VOIP ];
                }
            }
        }
    }
    ge-0/0/1 {
        mtu 1514;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ EXIB MGMT PUBLIC STAFF VOIP ];
                }
            }
        }
    }
 
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members MGMT;
                }
            }
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members MGMT;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 172.16.20.1/24;
            }
        }
        unit 1 {
            family inet {
                address 172.16.50.1/24;
            }
        }
        unit 2 {
            family inet {
                address 172.16.10.1/24;
            }
        }
        unit 3 {
            family inet {
                address 172.16.30.1/24;
            }
        }
        unit 4 {
            family inet {
                address 172.16.40.1/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                address 172.16.8.2/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.8.1;
    }
    router-id 172.16.8.2;
}
protocols {
    ospf {
        disable;
    }
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    analyzer t23 {
        ratio 1;
        loss-priority low;
        input {
            ingress {
                interface ge-0/0/1.0;
            }
            egress {
                interface ge-0/0/1.0;
            }
        }
        output {
            interface {
                ge-0/0/23.0;
            }
        }
    }
    voip;
    storm-control {
        interface all;
    }
}
vlans {
    EXIB {
        vlan-id 20;
        interface {
            ge-0/0/12.0;
        }
        l3-interface vlan.0;
    }
    MGMT {
        vlan-id 50;
        l3-interface vlan.1;
    }
    PUBLIC {
        vlan-id 10;
        interface {
            ge-0/0/10.0;
        }
        l3-interface vlan.2;
    }
    STAFF {
        vlan-id 30;
        interface {
            ge-0/0/13.0;
        }
        l3-interface vlan.3;
    }
    VOIP {
        vlan-id 40;
        interface {
            ge-0/0/14.0;
        }
        l3-interface vlan.4;
    }
    default;
}
poe {
    interface all;
}

firewall72 (Distinguished Expert)

Re: EX vlan (trunk/access) tagging question

Hi,

May I ask if these are Cisco APs? The reason I ask is because I recently had a similar issue with a new implementation that involved some Cisco APs and an EX switch. Long story short, the APs were in HREAP mode and I had to explicitly define the Native VLAN ID to match the management VLAN in order for the APs to reach the Controller and locally switch clients via the other VLANs. I've pasted an example below. With regards to the RVI ping issue, I think you need the "accept-data" command for the RVI to respond. Let me know how you make out.

    ge-0/0/4 {
        description "Link to AP-1";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ v159 v157 v158 ];
                }
                native-vlan-id v159;
            }
        }
    }
    vlan {
        unit 157 {
            family inet {
                address x.x.x.x/24 {
                    vrrp-group 0 {
                        virtual-address x.x.x.x;
                        priority 110;
                        accept-data;
                    }
                }
            }
        }
        unit 158 {
            family inet {
                address x.x.x.x/24 {
                    vrrp-group 0 {
                        virtual-address x.x.x.x;
                        accept-data;
                    }
                }
            }
        }
        unit 159 {
            family inet {
                address x.x.x.x/24 {
                    vrrp-group 0 {
                        virtual-address x.x.x.x;
                        accept-data;
                    }
                }
            }
        }
    }
}

vlans {
    default {       
        l3-interface vlan.0;
    }
    v152 {
        vlan-id 152;
        l3-interface vlan.152;
    }
    v156 {
        vlan-id 156;
        l3-interface vlan.156;
    }
    v157 {
        vlan-id 157;
        l3-interface vlan.157;
    }
    v158 {
        vlan-id 158;
        l3-interface vlan.158;
    }
    v159 {
        vlan-id 159;
        l3-interface vlan.159;
    }
}

-John

John Judge
JNCIS-SEC, JNCIS-ENT, JNCIA-JUNOS, JNSS-Firewall

ne0031

Re: EX vlan (trunk/access) tagging question

No, they are not. They run RouterOS.

The accept-data isn't available unless I establish a VRRP interface.

With or without a native vlan, one access port works while one doesn't, yet the AP configs are the same short of the IP address on each. Swapping the physical connections, the pingable AP moves. This would indicate a config error on the AP, yet copying the config from the working unit to a new unit, and changing the IP, does not correct the issue.

ne0031

Re: EX vlan (trunk/access) tagging question

The solution? I defaulted the switch and started over.

Natives were not needed. So if someone sees something out of the ordinary with my config that was posted, I'm all ears.

mpking

Re: EX vlan (trunk/access) tagging question

Yes, it's two years later, but I hit this exact same problem.

I have a Cisco HREAP access point (1140 series) and I couldn't get it working.

I finally found this reference:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17419&cat=EX_SERIES&actp=LIST

which has this gem of knowledge:

The EX will tag and transmit the MGMT packets. To send untagged packets on the native vlan, the MGMT vlan has to be removed as a member of the trunk but left in the native vlan set to the MGMT.

I removed the Native VLAN from the members list, and all works as expected.
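The rule from the KB article in one config-mode session, as an added example that is not part of the thread or of any poster's configuration. It uses the pre-ELS EX syntax of the configs above (Junos 10.x, `port-mode trunk`, `native-vlan-id` under `family ethernet-switching`) and borrows the port and VLAN names from the original post; the "before" state, in which MGMT is both a trunk member and the native VLAN, is assumed for illustration rather than taken from the thread.

```junos
## Added example (not from the thread). Pre-ELS EX syntax; ge-0/0/1 and the
## VLAN names are taken from the original post, the starting state is assumed.

[edit interfaces ge-0/0/1 unit 0 family ethernet-switching]
user@Core-2# show
## Before: MGMT is a trunk member AND the native VLAN. The EX therefore sends
## VLAN 50 tagged, and an AP that expects untagged management frames never
## sees them (and its untagged frames are not what the trunk is carrying).
port-mode trunk;
vlan {
    members [ EXIB MGMT PUBLIC STAFF VOIP ];
}
native-vlan-id MGMT;

## Fix: remove MGMT from the member list and leave it only as native-vlan-id.
user@Core-2# delete vlan members MGMT
user@Core-2# show
port-mode trunk;
vlan {
    members [ EXIB PUBLIC STAFF VOIP ];
}
native-vlan-id MGMT;

## Commit with an automatic rollback window: if the change cuts off your own
## management session, the switch reverts after 5 minutes unless you confirm.
user@Core-2# commit confirmed 5
user@Core-2# commit

## Verify: VLAN 50 (MGMT) should now be listed as untagged on ge-0/0/1 and the
## remaining members as tagged; the AP's MAC should then appear in MGMT.
user@Core-2# run show ethernet-switching interfaces ge-0/0/1
user@Core-2# run show vlans MGMT
user@Core-2# run show ethernet-switching table
```

Two caveats a practitioner would want. First, the `commit confirmed` only protects you if you follow it with a plain `commit` inside the window; otherwise the configuration rolls back to the previous one, which is the intended safety net when editing the port your own management traffic may traverse. Second, this makes every untagged frame entering ge-0/0/1 a member of VLAN 50, the management VLAN with an RVI on it: whatever is plugged into that port, AP or not, gets layer-2 adjacency to management. Where the AP does not actually need untagged management access, a dedicated native VLAN with no RVI is the safer default; on newer ELS-style EX software the equivalent knobs are `interface-mode trunk` and a numeric `native-vlan-id` at the physical interface, but the tagging behaviour described in the KB is the same.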

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.