Switching

  • 1.  Physically connecting two VLANs together

    Posted 09-06-2015 17:54

    Hi,

     

    Fairly unique situation.

     

    I have two EX4200 switches (12.1R3), an SSG-5, and we use Riverbed Steelhead which have Gigabit dual port adapters with bypass. When in bypass it is effectively a straight through cable.

     

    I am trying to use VLANs to segment the switch and use the several ports separately - even though the traffic is on the same IP subnet - it is either side of the Steelhead accelerator.

     

    So here is what I have:

     

    The SSG-5 and EX4200-1 are in the comms rack.

     

    EX4200-2 and the Steelhead are in the server rack.

     

    The two racks are connected via a 10G fibre in XE-0/1/0 in each EX4200.

     

     

    So my packets flow like this (well if it worked !):

     

    SSG-5 WAN > EX4200-1 (Vlan 10) > Fibre Trunk > EX4200-2 (VLAN10) > Steelhead WAN > Steelhead LAN > EX4200-2 (VLAN20)

     

    The fibre is set as a Trunk port both ends with all the VLANS on it. (There are more VLANS but they are unrelated).

    VLAN10 is my "WAN side of Steelhead" traffic.

    VLAN 20 is my "LAN side of Steelhead" traffic.

     

    I have tried pretty much every combination of Trunk, Trunk with Native, and Access settings on the ports to no avail.

     

    I note that "access" ports are meant to be for a single end-point connection - but the Steelhead isn't really an endpoint - especially in bypass mode which is relays on the card - so a straight cable.

     

    I have link lights.

     

    Anyone point me in the right direction ?

     

    Regards

    Ian 

     



  • 2.  RE: Physically connecting two VLANs together

    Posted 09-07-2015 07:22

    Is the Steelhead a layer 2 or layer 3 device?

     

    Does only one vlan connect on each side of the Steelhead device or is this also a tagged trunk port?

     

    If there is only one vlan on each side then the two ports will be access ports in your designated two vlans.

     

    You would need to be sure there are no RVI for those two vlans on the switch that would then bypass your Steelhead connection ports.



  • 3.  RE: Physically connecting two VLANs together

    Posted 09-07-2015 22:25

    Hi Steve,

     

    The Steelhead does stuff right up the stack as it has application specific accelerations, however if we consider it in physical bypass mode though it is a straight through cable. That was how I was testing.

     

    Yes, I only require one VLAN on each side of it. VLAN10 on one side, VLAN20 on the other side.

     

    I have tried it with both the ports on the EX that connect to the Steelhead card being set to Access with the VLANs set as previous sentence. This did not pass packets.

     

    Will the packets coming out of the port assigned as Access VLAN10 still carry their VLAN10 tagging ? And will the port assigned as Access VLAN20 accept these packets (and vice versa) ?

     

    There aren't any RVIs set up on the switches. As you said - I don't want the traffic to mingle !

     

    Cheers

    Ian



  • 4.  RE: Physically connecting two VLANs together

    Posted 09-12-2015 11:24

    Try connecting the two access configured ports with an ethernet cable and verify that communication works.

     

    If it does, then the issue is with the Steelhead.  If not, we can look at the VLAN switch configuration and the server settings along with their default gateway.



  • 5.  RE: Physically connecting two VLANs together

    Posted 09-14-2015 00:40

    Sounds like a good idea. Thanks for helping !

     

    Okay, so I put a straight through cable between 0/1 and 0/12.

     

    I have 0/1 set as Access for the WAN VLAN (vlan_102_wan)

    I have 0/12,13,14,15 set as Access on the LAN VLAN. (vlan_102)

     

    My "target" host is on 0/13.

     

    As soon as I commit the changes I can no longer ping the target.

    If I change 0/13 to the WAN VLAN, then I can ping the target again.

     

    My ports are configured like this:

     

    Trunk between switches:

    xe-0/1/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan_102 vlan_14_wan vlan_200_99 vlan_203_52 vlan_102_wan ];
                }
            }
        }
    }

     

     

    Switch in server rack:

     

    ge-0/0/1 {
        description "SSG5 0.3 to Steelhead";
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan_102_wan;
                }
            }
        }
    }

    ge-0/0/12 {
        description "102 LAN from Steelhead";
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan_102;
                }
            }
        }
    }

    ge-0/0/13 {
        description "Ironport ESA LAN";
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan_102;
                }
            }
        }
    }

     

     

    Cheers

    Ian

     



  • 6.  RE: Physically connecting two VLANs together
    Best Answer

    Posted 09-16-2015 20:49

    Mystery solved !

     

    Having the ports in Access mode with the two different VLANs was valid.

     

    The issue was that despite these ports being different isolated VLANS, the Spanning Tree is global on the switch by default.

     

    The default is RSTP which is one instance for all VLANS. So checking it I found one of the "looped" ports was in blocking state. Some brands of switches indicate this using the Link LEDs on the ports - but Juniper does not.

     

    According to the documents I could choose MSTP or VSTP. Given the small number of VLANs I chose VSTP.

     

    The web interface on the EX2200 does not list VSTP but it is available via CLI. For me, enabling for all VLANs except VLAN1 was acceptable so a simple "set protocols vstp vlan all" got it working.

     

    Once enabled, the port started passing packets and comms worked in the desired configuration.

     

    The web interface still does not show that VSTP is in use, and it then removes the STP states in the monitor tab. Sigh...

     

    Thanks for your help - having my config confirmed as valid meant I looked further and checked the Spanning Tree !

     

    Thanks,

    Ian
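
A way to spot the condition described in this answer from the CLI rather than from the port LEDs, as an added example that is not part of the original post: a Python parser over constructed `show spanning-tree interface` output that reports blocked ports and, when the designated bridge is the switch itself, which local port the blocked one is cabled to. The column layout, interface rows, port IDs and bridge ID are all assumptions made for illustration.

```python
import re

# Constructed sample (not captured from the poster's switch); the column layout
# is assumed to match the usual Junos `show spanning-tree interface` table.
SAMPLE_OUTPUT = """\
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
ge-0/0/1.0     128:514      128:514  32768.0019e2500340     20000  FWD    DESG
ge-0/0/12.0    128:525      128:514  32768.0019e2500340     20000  BLK    BKUP
ge-0/0/13.0    128:526      128:526  32768.0019e2500340     20000  FWD    DESG
xe-0/1/0.0     128:625      128:625  32768.0019e2500340      2000  FWD    DESG
"""

ROW = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<port_id>\d+:\d+)\s+(?P<desg_port>\d+:\d+)\s+"
    r"(?P<desg_bridge>\S+)\s+(?P<cost>\d+)\s+(?P<state>\w+)\s+(?P<role>\w+)$"
)

def parse_rows(text):
    """Return one dict per interface row; header and blank lines do not match."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ROW.match(line.strip()))]

def find_blocked(text):
    """List blocked ports and, for a self-loop, the local port on the other end."""
    rows = parse_rows(text)
    by_port_id = {r["port_id"]: r["ifname"] for r in rows}
    # On a designated port the designated bridge is this switch itself.
    local_bridges = {r["desg_bridge"] for r in rows if r["role"] == "DESG"}
    findings = []
    for r in rows:
        if r["state"] != "BLK":
            continue
        peer = None
        # Blocked while hearing our own bridge ID: the BPDU came from another
        # port on this switch, i.e. two local ports share one spanning-tree
        # instance and are cabled together (directly or through a bypass).
        if r["desg_bridge"] in local_bridges:
            peer = by_port_id.get(r["desg_port"])
            if peer == r["ifname"]:
                peer = None
        findings.append({"blocked": r["ifname"], "role": r["role"],
                         "looped_to": peer})
    return findings

if __name__ == "__main__":
    for f in find_blocked(SAMPLE_OUTPUT):
        print(f"{f['blocked']} is blocking (role {f['role']}), "
              f"looped to {f['looped_to'] or 'a remote bridge'}")
```
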



  • 7.  RE: Physically connecting two VLANs together

    Posted 09-19-2015 09:32

    Thanks for the update.  Makes sense now why it was an issue.