Security

i have a few racks with virtual chassis inside connected via their management ports to an ex2200 at top of the rack. these ex2200's at the top of the racks all feed back into an ex4300-fibre switch via their ge-0/1/0 ports.

i have simply used ezsetup to run through initial configurations on them all. the ex4300 is set at 192.168.1.1/24, the racks are setup as 192.168.1.10,11,12.../24. only the default lan has been created for this management.

i am unable to connect to any of the switches via jweb or ssh and they cannot be pinged from anywhere either.

so to recap im using in-band management for the ex2200's and out of band management for the ex3400's. locally in the racks i can connect to the ex3400 virtual chassis in it.

should the ge-0/1/0 (on the ex2200's) be set as uplink ports, trunks, or simply connected?

should the ge-0/0/x interfaces on the ex4300 be set as trunks or just connected to the downstream switches as is?

yes. when configured initially using ezsetup the management port is chosen for the ex3400's out of band. when setting up ex2200's in-band is chosen and defualt vlan.

the ex2200's and the ex3400's have default gateway set as 192.168.1.1/24 which is the ex4300 irb interface address 

The reason I'm asking is that the routing on these switches is a bit tricky.

The ME interface is in the master or root routing instance along with the regular default route and all RVI by default.

So if you are using both ME and in-band traffic the default route can only really work for one of them and typically it will be the in-band thus the ME will only have reability within the configured subnet.  Traffic coming in via normal ports cannot reach the ME interface.

so you would have two options:

NAT any inbound traffic to the ME subnet so that the source address is in the same subnet and the reply traffic will be local and work.

create a virtual router routing instance for the irb interfaces and the inband traffic so that it has a separate routing table from the ME in the master or root instance.  You cannot move the ME out of the the master instance.

maybe it wasnt clear from what i wrote. but it is only the ex2200's that are using in-band management. the ex3400's are out of band via the ex2200's. there is a separate network for this management and all of the ex2200's terminate into the ex4300-32f from the ge-0/1/0 port of the ex2200's to whichever port ge-0/0/x on the ex4300.

Sorry for not understanding the nuances here but I do think there is a routing issue at play.

You can connect  to mgmt locally on the subnet but not remotely across the network to that subnet correct?

If that is correct, let's try getting traceroutes in both directions.

From the ex switch run a trace route to the subnet you are trying to connect to the switches from with a source of the ip address you are suing for mgmt of that switch.

From the mgmt workstation network run the trace route to the mgmt ip address of the  same switch.

Let's see where one or both of these fail and what the difference in path is for the trace.  This will help us see where the routing setup is either asymmetrical or not reachable.

yes i am able to plug directly in to the ex2200 ports and get access to the ex3400's connected to it.

when i connect the ex2200's ge-0/1/0 to the ex4300 ge-0/0/0 and try to access the same switches remotely is where it seems to be failing. there are no routes listed when show route command is used.

i can do the checks you suggest tomorrow when back on site. but before i get there maybe you can tell me if i need to set these ports specifically as routed uplinks or layer 2 uplinks, or just leave them unconfigured as they are now?

The ex2200 can be all layer 2 and don't require routed links since the gateway is on the upstream switch.

I've never used the wizard but I'm assuming that when you choose a default gateway it is creating a default route in the routing table.  I would expect to see this on the switches so that the return path for your remote mgmt traffic would work.