Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  [resolved] EX2200 vlan-tagging not working

    Posted 09-12-2011 08:18

    Hello everybody,

    I'm trying to set up the following basic connections, as explained or mentioned here.

     

    EX2200----trunk----EX2200
      |                  |
      |control link      | control link
      |                  |
    J6350--data-link----J6350


    But I just can't get the control link to work.

    This is what I tried (using just one EX2200 to simplify):

    EX2200----------------
      |                  |
      |control link      | control link
      |                  |
    J6350---data-link---J6350

     

    EX2200:
    ge-X/X/1
    ge-X/X/2

    both:

    vlan-tagging;
    unit 0 {
        vlan-id 4094;
    }

     I get the following message:

    ##
    ## Warning: statement ignored: unsupported platform (ex2200-24t-4g)
    ##
    vlan-tagging;

     
    If I just try to configure the port as shown below, the control link never comes up 😞

    ether-options {
        no-flow-control;
    }
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members FWcontrollLine;
            }
        }
    }
    
    
    FWcontrollLine {
        vlan-id 4094;
    }

    Just to answer the question in advance, the J6350 chassis clustering works just fine when I directly connect all the cables. I rechecked the same setting, but instead of using an EX2200 I used an HP ProCurve 2848 and even an HP ProCurve 1800, and it worked (control link running in VLAN 4094 through the rest of the infrastructure). So, I guess, the problem is the untagged packets on the control interface on the EX2200.


    The EX2200 is running on firmware 10.4R5.5

    The J6350 is running on firmware 10.4R4.5

     

    My question now is:

    1) Does the EX2200 support tagged ports?
    2) What am I doing wrong? 🙂

    As stated in http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/ex-series-software-features-overview.html, the switch is supposed to support "802.1Q VLAN tagging"...

    Any help would be greatly appreciated, thank you very much in advance,

    Julian



  • 2.  RE: [resolved] EX2200 vlan-tagging not working

    Posted 09-12-2011 09:32

    Hi,

     

    I am not experienced in configuring chassis cluster control/data links through switches. But what do you mean by configuring this?

    vlan-tagging;
    unit 0 {
        vlan-id 4094;
    }

     

    because vlan-tagging, on for example the SRX branch series, is a statement to configure routed interfaces:

    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            vlan-id 4094;
            family inet {
                address 1.2.3.4/24;
            }
        }
        unit 1 {
            vlan-id 4093;
            family inet {
                address 1.1.1.1/24;
            }
        }
    }

     

    Instead of that you should use switched ports, as you wrote later:

    interfaces {
        ge-0/0/0 {
            ether-options {
                no-flow-control;
            }
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members FWcontrollLine;
                    }
                }
            }
        }
    }

    vlans {
        FWcontrollLine {
            vlan-id 4094;
        }
    }

     

    Jozef Klacko 



  • 3.  RE: [resolved] EX2200 vlan-tagging not working

    Posted 09-12-2011 12:34

    Junos VLAN ports are either access ports or trunk ports:

     

    • Access - port is a member of 1, and only 1, VLAN
    • Access - ports do not carry 802.1q VLAN tagged traffic
    • Trunk - port carries multiple VLANs via 802.1q VLAN tagged traffic

    Junos EX has a default VLAN named 'default' and this VLAN is untagged with no VLAN ID. Junos trunk ports do not accept untagged traffic.

     

    ProCurves use VLAN ID 1 for the default VLAN and will carry this (via untagged command) on a port.

     

    It sounds like you want to have ge-0/0/0 and ge-0/0/1 as members of VLAN 4094 only so that the firewall cluster is able to communicate over the VLAN but not have other VLAN traffic interfere with it.

     

    You would do this with access ports since the following is true:

     

    • No other VLAN traffic is needed on the switch ports
    • The firewall control link ports are not VLAN tagged
    • The firewall control link ports are essentially a dedicated link (like a cross-over cable using switches)

     

    [edit]
    root@blue# edit vlans

    [edit vlans]
    root@blue# set srxControl vlan-id 4094
    root@blue# top

    [edit]
    root@blue# commit comment "Created VLAN 4094"

    [edit]
    root@blue# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members srxControl
    root@blue# set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members srxControl

    root@blue# commit comment "Added ge-0/0/0 and ge-0/0/1 to VLAN 4094 as access ports"



  • 4.  RE: [resolved] EX2200 vlan-tagging not working

    Posted 09-13-2011 00:41

    Thank you for your replies. I did test both settings, but the firewall still shows:

     

    Control link 0 name: fxp1
    Control link status: Down

    As I said, using a ProCurve it worked with the following settings:

     

    vlan 1
       name "DEFAULT_VLAN"
       untagged 1-48
       no ip address
       exit
    vlan 4094
       name "VLAN4094"
       tagged 1-2
       exit

    Meaning, the two control links (Port 1 + 2) are untagged in vlan-id 1 and transport vlan-tagged packets in vlan-id 4094.

     

    The trunk mode:

     

    ether-options {
        no-flow-control;
    }
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members FWcontrollLine;
            }
        }
    }

     

    did not work, even with the native-vlan-switch:

    ether-options {
        no-flow-control;
    }
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members FWcontrollLine;
            }
            native-vlan-id 1;
        }
    }

    and

     

    unit 0 {
        family ethernet-switching {
            vlan {
                members FWcontrollLine;
            }
        }
    }


    did not work.

     

    When I look at the common setup on SRX or my J6350 devices, I have to use the following settings to have an interface transport tagged packets:

    vlan-tagging;
    unit 0 {
        vlan-id 4094;
    }

     

    To me, it seems like the EX2200 discards any packets on the interfaces that contain tagged packets.

    Just to make one thing clear, as the documentation of Juniper states, the control link is using vlan-id 4094 tagged packets to communicate. As far as I know, I can't change this bad and stiff behaviour, so the switches have to support it somehow. 😞

     

    • Do I use the wrong firmware?
    • Do I need a different license?


  • 5.  RE: [resolved] EX2200 vlan-tagging not working

    Posted 09-13-2011 08:51

    Can you post the configuration of your Juniper switch?



  • 6.  RE: [resolved] EX2200 vlan-tagging not working

    Posted 09-13-2011 09:13

    The tagged packet part is a clue, since that means that you will need to have ports 0 and 1 on the Juniper switch set up as trunk ports, since access ports do not handle tagged traffic.

     

    [edit]
    root@orange# edit vlans

    [edit vlans]
    root@orange# set FWcontrollLine vlan-id 4094
    root@orange# top

    [edit]
    root@orange# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members FWcontrollLine
    root@orange# set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members FWcontrollLine

     

    Now we set ge-0/0/0 and ge-0/0/1 as trunk ports:

     

    [edit]

    root@orange# set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk

    root@orange# set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk

     

    If you want the default VLAN to be handled by the trunk ports like your ProCurve:

     

    [edit]
    root@orange# set vlans default vlan-id 1
    root@orange# edit interfaces

    [edit interfaces]
    root@orange# set ge-0/0/0 unit 0 family ethernet-switching native-vlan-id default
    root@orange# set ge-0/0/1 unit 0 family ethernet-switching native-vlan-id default
    root@orange# top

     

    [edit]

    root@orange# commit comment "VLAN 4094 trunk setup with default VLAN 1"

     

    If you run 'show vlans detail' from operational mode you should see VLAN 1 (default) as untagged and VLAN 4094 as tagged on ports ge-0/0/0 and ge-0/0/1.

     

    This is the same setup as ProCurve VLAN 1 untagged and VLAN 4094 tagged (we run a bunch of ProCurves so I'm pretty familiar with the way they do VLANs).

     

    As long as the SRX control link traffic is tagged with the VLAN ID 4094 you should be good to go.
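
The access/trunk rules stated in this thread, as an added Python example that is not part of the original posts: it reads the 802.1Q tag from a frame and applies a simplified ingress model (an assumption, not Junos code) to show why a VLAN 4094 access port drops tagged control-link frames while a trunk port accepts them. The port dictionaries, function names and sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def vlan_tag(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits are the VLAN ID; the top 4 are PCP/DEI

def ingress_vlan(port: dict, frame: bytes):
    """VLAN the frame is switched in, or None if the port drops it (simplified model)."""
    vid = vlan_tag(frame)
    if port["mode"] == "access":
        # Access port: untagged frames only, placed in the port's single VLAN.
        return port["vlan"] if vid is None else None
    if vid is None:
        # Trunk port: untagged frames are accepted only if a native VLAN is set.
        return port.get("native")
    return vid if vid in port["members"] else None

def make_frame(vid=None, ethertype=0x0800):
    """Constructed sample frame: dummy MAC addresses and a zeroed 46-byte payload."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return hdr + tag + struct.pack("!H", ethertype) + bytes(46)

# Hypothetical port definitions mirroring the three setups tried in the thread.
ACCESS_4094 = {"mode": "access", "vlan": 4094}
TRUNK_4094 = {"mode": "trunk", "members": {4094}}
TRUNK_NATIVE = {"mode": "trunk", "members": {4094}, "native": 1}

if __name__ == "__main__":
    ports = [("access", ACCESS_4094), ("trunk", TRUNK_4094),
             ("trunk+native", TRUNK_NATIVE)]
    for name, port in ports:
        print(name,
              "tagged 4094 ->", ingress_vlan(port, make_frame(4094)),
              "| untagged ->", ingress_vlan(port, make_frame()))
```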

     

     

     

     



  • 7.  RE: [resolved] EX2200 vlan-tagging not working
    Best Answer

    Posted 09-14-2011 06:49

    @NateK: Thank you very much for your help. I did do what you wrote down before, but not with any success.

     

    While I was cleaning up my config to upload it here, I deleted all protocols settings. The second I did that, it worked 🙂

     

    The problem seems to be the LLDP packets that confuse the JSR6350 😞

     

    For anybody running into the same problem, I attached my config.

     

    Thank you everybody for your support!

    Attachment(s): ex.txt (3 KB)