Ethernet Switching

Best practices and configuration changes

06-15-2020 02:42 AM

I have 6 EX2300-24P. One of the switches will be the core switch and together with the remaining five will form a hub and spoke topology. There will be 3 VLANs on each switch including the Management VLAN.
My questions are:
1. Do I need to define IRB L3-interface for each VLAN on every switch or just the core which will be doing the inter-vlan routing?
2. Do I at least configure IRB L3-interface for Management VLAN on every switch? This is how I intend to manage the switches.
3. If I want to restrict internet access (default gateway) on one of the VLANs, how do I do that?
4. Can I set up a DHCP server on the core switch for each VLAN?
5. When I try to delete the irb interface for VLANs that I defined in access switch, I get the following error:

'l3-interface irb.48'
Interface must already be defined under [edit interfaces]
error: commit failed: (statements constraint check failed)

6. How do I delete or undo configuration changes made by set command, e.g.

user@switch# set vlans support vlan-id 111
user@switch# set interfaces irb unit 111 family inet address 10.0.0.X/8
user@switch# set vlans support l3-interface irb.111

How do I untie vlan 111 from irb.111 and delete it?

23 REPLIES

Re: Best practices and configuration changes

06-15-2020 03:07 AM

1. Do I need to define IRB L3-interface for each VLAN on every switch or just the core which will be doing the inter-vlan routing?

No, if you extend the layer 2 vlan to all the switches only one layer 3 interface in the entire layer 2 domain is needed to activate inter vlan routing.


2. Do I at least configure IRB L3-interface for Management VLAN on every switch? This is how I intend to manage the switches.

Yes, if you want to have irb as the mgmt interface then each switch will have a unique ip address assigned for mgmt, typically in the same vlan.


3. If I want to restrict internet access (default gateway) on one of the VLANs, how do I do that?

You could block the vlan subnet on your internet firewall via a policy that denies internet access to devices in the desired subnet.  


4. Can I set up a DHCP server on the core switch for each VLAN?

Yes, the EX can be a DHCP server.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/dhcp-for-switching-devices.html#i...


5. When I try to delete the irb interface for VLANs that I defined in access switch, I get the following error:

'l3-interface irb.48'
Interface must already be defined under [edit interfaces]
error: commit failed: (statements constraint check failed)

To remove the interface you also need to delete the reference in vlans

delete vlans support l3-interface irb.48

delete interfaces irb unit 48

 

6. How do I delete or undo configuration changes made by set command, e.g.

user@switch# set vlans support vlan-id 111
user@switch# set interfaces irb unit 111 family inet address 10.0.0.X/8
user@switch# set vlans support l3-interface irb.111

How do I untie vlan 111 from irb.111 and delete it?

delete vlans support l3-interface irb.111

delete interfaces irb unit 111

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
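
Added example (not part of the reply above, and not Juniper code): a small Python check for the constraint behind the commit error in question 5. It parses curly-brace `show` output, reports VLANs whose l3-interface points at an irb unit that is not defined under [edit interfaces], and builds the delete statements for one unit in the form used in the reply. The function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample in the style of the thread's configs: irb unit 48 has
# been deleted, but VLAN ACCESS still references it, so commit would fail.
SAMPLE_CONFIG = """
interfaces {
    irb {
        unit 10 {
            family inet {
                address 10.21.38.241/24;
            }
        }
    }
}
vlans {
    ACCESS {
        vlan-id 48;
        l3-interface irb.48;
    }
    MGMT {
        vlan-id 10;
        l3-interface irb.10;
    }
    SECURITY {
        vlan-id 50;
    }
}
"""


def parse_junos(text):
    """Parse curly-brace Junos config text into nested dicts.

    Blocks become dict keys; leaf statements become keys mapped to None.
    Pass only the configuration, not the CLI prompt line.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = re.sub(r"\s*##.*$", "", raw).strip()  # drop "## ..." annotations
        if not line:
            continue
        if line.endswith("{"):
            key = line[:-1].strip()
            child = stack[-1].get(key)
            if not isinstance(child, dict):
                child = stack[-1][key] = {}
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def irb_units(cfg):
    """Unit numbers defined under interfaces irb."""
    irb = (cfg.get("interfaces") or {}).get("irb") or {}
    return {int(k.split()[1]) for k in irb if re.fullmatch(r"unit \d+", k)}


def l3_refs(cfg):
    """Map VLAN name -> irb unit number named by its l3-interface."""
    refs = {}
    for vlan, body in (cfg.get("vlans") or {}).items():
        for stmt in body or {}:
            m = re.fullmatch(r"l3-interface irb\.(\d+)", stmt)
            if m:
                refs[vlan] = int(m.group(1))
    return refs


def dangling_l3_refs(text):
    """VLANs whose l3-interface names an irb unit that is not defined."""
    cfg = parse_junos(text)
    units = irb_units(cfg)
    return sorted((v, u) for v, u in l3_refs(cfg).items() if u not in units)


def delete_commands(text, unit):
    """Delete statements that remove irb.<unit> and every VLAN reference to it."""
    cfg = parse_junos(text)
    cmds = [f"delete vlans {v} l3-interface irb.{unit}"
            for v, u in sorted(l3_refs(cfg).items()) if u == unit]
    if unit in irb_units(cfg):
        cmds.append(f"delete interfaces irb unit {unit}")
    return cmds


if __name__ == "__main__":
    for vlan, unit in dangling_l3_refs(SAMPLE_CONFIG):
        print(f"vlan {vlan}: l3-interface irb.{unit} is not defined under interfaces")
    print("\n".join(delete_commands(SAMPLE_CONFIG, 10)))
```

Review the generated statements with 'show | compare' in configuration mode before committing.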

Re: Best practices and configuration changes

06-15-2020 06:27 AM

@spuluka's answers are 100% on. You could block the VLAN (I assume management) from reaching Internet by creating an IP Firewall Filter at the Core (L3) EX2300 as well. Alternately, if you are using static routes to get to Internet, instead of any routing protocol, do not create a 0.0.0.0/0 static route, but instead use specific static routes for the VLANs you want to reach the Internet. In this case those VLANs would need to use Internet Routable IP addresses. I assume your management VLAN will be using RFC 1918 IP address scheme, like 10.x.x.x or 192.x.x.x, etc. Of course using static routes does not scale well. No idea of your future plans/needs.

Re: Best practices and configuration changes

06-15-2020 07:01 PM

In regard to undoing changes you made with the set command, there are a few things you can do.

As already mentioned, using 'delete' is one option ('delete' is like 'no' for some other vendors).

 

The other thing you should consider is 'rollback x' (where 'x' is the rollback point).

So, if you want to rollback one commit, you can use 'rollback 1', and then commit again.

 

If you're not sure if you want to roll back, try 'show | compare rollback x' from configuration mode.

Re: Best practices and configuration changes

06-16-2020 12:48 AM

Thanks @spuluka, that is great. I'm new in Juniperverse, so please bear with me.

 

So, basically, here's my network - nothing fancy. All of the switches are EX2300-24P (including the core).

  1. So I set up management addresses on MGMT VLAN for each switch using L3 irb interface with IP address. Is this okay as I'm only looking to manage using SSH or HTTP and not do routing on the access switches? Also, do I need to enable HTTP service for the web interface to work?
  2. Can the EX2300 core switch serve as DHCP server for VLANs 10 & 20?
  3. I don't want Vlan 20 & MGMT (for that matter) to have default gateway access (internet). Is it better to do that in the firewall or the core switch?
  4. Please feel free to recommend any other best practices that you can think of.

 


Re: Best practices and configuration changes

06-16-2020 04:59 AM

@thethakuri wrote:

Thanks @spuluka, that is great. I'm new in Juniperverse, so please bear with me.

 

So, basically, here's my network - nothing fancy. All of the switches are EX2300-24P (including the core).

  1. So I set up management addresses on MGMT VLAN for each switch using L3 irb interface with IP address. Is this okay as I'm only looking to manage using SSH or HTTP and not do routing on the access switches? Yes this is OK.
    Also, do I need to enable HTTP service for the web interface to work? Yes
  2. Can the EX2300 core switch serve as DHCP server for VLANs 10 & 20? Yes
  3. I don't want Vlan 20 & MGMT (for that matter) to have default gateway access (internet). Is it better to do that in the firewall or the core switch? Either but I think most do this at the FW.  In that case only 1 static route for 0.0.0.0/0 on the 2300 pointing to next-hop of 192.168.10.254 is all that is needed.  You can block further access there.
  4. Please feel free to recommend any other best practices that you can think of. @smicker may have other suggestions.

 



 

Re: Best practices and configuration changes

06-17-2020 12:14 AM

Guys, I've been beating myself up too much over such a simple configuration. Here's where I am right now:

  • I can't get the inter-vlan routing going - i.e. ping ComputerA to ComputerB
  • If I put ComputerB on same vlan as A, ping works. So vlan is working.
  • I can't ping the management address (10.21.38.x) on any switch from either Computer A or B.
  • Do I need to allocate ports to management vlan and connect a device to get it up and working? Please note that besides those two devices, I don't have anything else connected to access switches.
  • Do I need to define default static route on Access switches for this to work?
  • I've read that I need active VLAN ports for the VLAN interface to be up. So, do I need to have a device for every VLAN (including management VLAN) in every switch (including core)?
  • What am I missing here ?


 

Configurations:

root@SW-RCP-CORE-E01# show
## Last changed: 1970-01-03 13:26:23 AEST
version 18.1R3.3;
system {
    host-name SW-RCP-CORE-E01;
    auto-snapshot;
    time-zone Australia/Sydney;
    root-authentication {
        encrypted-password ""; ## SECRET-DATA
    }
    services {
        ssh {
            root-login allow;
        }
        web-management {
            https {
                system-generated-certificate;
                interface irb.10;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    processes {
        dhcp-service {
            traceoptions {
                file dhcp_logfile size 10m;
                level all;
                flag all;
            }
        }
    }
}
chassis {
    redundancy {
        graceful-switchover;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 50;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 50;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 50;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 50;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 50;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 50;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 50;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 50;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 50;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 50;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 48;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 48;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 48;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 48;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 48;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 48;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 48;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 48;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 48;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 48;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
                storm-control default;
            }
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
                storm-control default;
            }
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
                storm-control default;
            }
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
                storm-control default;
            }
        }
    }
    xe-0/1/2 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
                storm-control default;
            }
        }
    }
    xe-0/1/3 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                dhcp {
                    vendor-id Juniper-ex2300-24p-JY0220020620;
                }
            }
        }
        unit 10 {
            family inet {
                address 10.21.38.245/24;
            }
        }
        unit 48 {
            family inet {
                address 192.168.48.245/24;
            }
        }
        unit 50 {
            family inet {
                address 192.168.50.245/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                dhcp {
                    vendor-id Juniper-ex2300-24p-JY0220020620;
                }
            }
        }
    }
}
forwarding-options {
    storm-control-profiles default {
        all;
    }
}
protocols {
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
    igmp-snooping {
        vlan default;
    }
    rstp {
        interface ge-0/0/0;
        interface ge-0/0/1;
        interface ge-0/0/2;
        interface ge-0/0/3;
        interface ge-0/0/4;
        interface ge-0/0/5;
        interface ge-0/0/6;
        interface ge-0/0/7;
        interface ge-0/0/8;
        interface ge-0/0/9;
        interface ge-0/0/10;
        interface ge-0/0/11;
        interface ge-0/0/12;
        interface ge-0/0/13;
        interface ge-0/0/14;
        interface ge-0/0/15;
        interface ge-0/0/16;
        interface ge-0/0/17;
        interface ge-0/0/18;
        interface ge-0/0/19;
        interface ge-0/0/20;
        interface ge-0/0/21;
        interface ge-0/0/22;
        interface ge-0/0/23;
        interface ge-0/1/0;
        interface xe-0/1/0;
        interface ge-0/1/1;
        interface xe-0/1/1;
        interface ge-0/1/2;
        interface xe-0/1/2;
        interface ge-0/1/3;
        interface xe-0/1/3;
    }
}
poe {
    interface all;
}
vlans {
    ACCESS {
        vlan-id 48;
        l3-interface irb.48;
    }
    MGMT {
        vlan-id 10;
        l3-interface irb.10;
    }
    SECURITY {
        vlan-id 50;
        l3-interface irb.50;
    }
    default {
        vlan-id 1;
        l3-interface irb.0;
    }
}

 

 

root@SW-RCP-ACC-A01# show
## Last changed: 1970-01-02 04:12:14 AEST
version 18.1R3.3;
system {
    host-name SW-RCP-ACC-A01;
    auto-snapshot;
    time-zone Australia/Sydney;
    root-authentication {
        encrypted-password ""; ## SECRET-DATA
    }
    services {
        ssh {
            protocol-version v2;
        }
        netconf {
            ssh;
        }
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    processes {
        dhcp-service {
            traceoptions {
                file dhcp_logfile size 10m;
                level all;
                flag all;
            }
        }
    }
}
chassis {
    redundancy {
        graceful-switchover;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
                storm-control default;
            }
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    xe-0/1/2 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    xe-0/1/3 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                dhcp {
                    vendor-id Juniper-ex2300t;
                }
            }
        }
        unit 10 {
            family inet {
                address 10.21.38.241/24;
            }
        }
    }
}
snmp {
    location "Building A";
    contact "support@tritechsolutions.com.au";
    community rcpublic {
        authorization read-only;
    }
}
forwarding-options {
    storm-control-profiles default {
        all;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.21.38.245;
    }
}
protocols {
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
    igmp-snooping {
        vlan default;
    }
    rstp {
        interface ge-0/0/0;
        interface ge-0/0/1;
        interface ge-0/0/2;
        interface ge-0/0/3;
        interface ge-0/0/4;
        interface ge-0/0/5;
        interface ge-0/0/6;
        interface ge-0/0/7;
        interface ge-0/0/8;
        interface ge-0/0/9;
        interface ge-0/0/10;
        interface ge-0/0/11;
        interface ge-0/0/12;
        interface ge-0/0/13;
        interface ge-0/0/14;
        interface ge-0/0/15;
        interface ge-0/0/16;
        interface ge-0/0/17;
        interface ge-0/0/18;
        interface ge-0/0/19;
        interface ge-0/0/20;
        interface ge-0/0/21;
        interface ge-0/0/22;
        interface ge-0/0/23;
        interface ge-0/1/0;
        interface xe-0/1/0;
        interface ge-0/1/1;
        interface xe-0/1/1;
        interface ge-0/1/2;
        interface xe-0/1/2;
        interface ge-0/1/3;
        interface xe-0/1/3;
    }
}
poe {
    interface all;
}
vlans {
    ACCESS {
        vlan-id 48;
    }
    MGMT {
        vlan-id 10;
        l3-interface irb.10;
    }
    SECURITY {
        vlan-id 50;
    }
    default {
        vlan-id 1;
        l3-interface irb.0;
    }
}

 

 

root@SW-RCP-ACC-B01# show
## Last changed: 1970-01-06 13:04:12 AEST
version 18.1R3.3;
system {
    host-name SW-RCP-ACC-B01;
    auto-snapshot;
    time-zone Australia/Sydney;
    root-authentication {
        encrypted-password ""; ## SECRET-DATA
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    processes {
        dhcp-service {
            traceoptions {
                file dhcp_logfile size 10m;
                level all;
                flag all;
            }
        }
    }
}
chassis {
    redundancy {
        graceful-switchover;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members SECURITY;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members ACCESS;
                }
                storm-control default;
            }
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
                storm-control default;
            }
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    xe-0/1/2 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    xe-0/1/3 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                dhcp {
                    vendor-id Juniper-ex2300-24p-JY0220020332;
                }
            }
        }
        unit 10 {
            family inet {
                address 10.21.38.242/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                dhcp {
                    vendor-id Juniper-ex2300-24p-JY0220020332;
                }
            }
        }
    }
}
forwarding-options {
    storm-control-profiles default {
        all;
    }
}
protocols {
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
    igmp-snooping {
        vlan default;
    }
    rstp {
        interface ge-0/0/0;
        interface ge-0/0/1;
        interface ge-0/0/2;
        interface ge-0/0/3;
        interface ge-0/0/4;
        interface ge-0/0/5;
        interface ge-0/0/6;
        interface ge-0/0/7;
        interface ge-0/0/8;
        interface ge-0/0/9;
        interface ge-0/0/10;
        interface ge-0/0/11;
        interface ge-0/0/12;
        interface ge-0/0/13;
        interface ge-0/0/14;
        interface ge-0/0/15;
        interface ge-0/0/16;
        interface ge-0/0/17;
        interface ge-0/0/18;
        interface ge-0/0/19;
        interface ge-0/0/20;
        interface ge-0/0/21;
        interface ge-0/0/22;
        interface ge-0/0/23;
        interface ge-0/1/0;
        interface xe-0/1/0;
        interface ge-0/1/1;
        interface xe-0/1/1;
        interface ge-0/1/2;
        interface xe-0/1/2;
        interface ge-0/1/3;
        interface xe-0/1/3;
    }
}
poe {
    interface all;
}
vlans {
    ACCESS {
        vlan-id 48;
    }
    MGMT {
        vlan-id 10;
        l3-interface irb.10;
    }
    SECURITY {
        vlan-id 50;
    }
    default {
        vlan-id 1;
        l3-interface irb.0;
    }
}


 

 

Solution
Accepted by topic author thethakuri
‎06-17-2020 10:34 PM

Re: Best practices and configuration changes

‎06-17-2020 02:45 AM

You do need to have active physical ports in a vlan for the irb interfaces to come up.  In your case the trunk ports between the switches should cover this for your interfaces.  I don't generally use vlan all so I am not sure if this is recognized or not.  You might have to explicitly configure the vlans on the trunk ports for that port to count.

 

You can verify this by looking at the interface status

show interfaces terse irb

 

You will also need the default route installed on the switches for the mgmt irb interface to have a route back as well.  The downstream switches should have the core switch as their default next hop.  And the core switch should have your firewall upstream as the next hop address.

 

And your computers will need to have the irb interface on the switch as their gateway configured.  This allows them to route outside their local vlan and get the responses.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Best practices and configuration changes

[ Edited ]
‎06-17-2020 04:02 PM

And your computers will need to have the irb interface on the switch as their gateway configured.  This allows them to route outside their local vlan and get the responses.

The computers have the irb interface of their respective vlans on the core switch as their gateway, as the access switches only have an irb interface for the management vlan.

 

I have the following static default gateway to the Management vlan defined on access switches A & B:

routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.21.38.245;
    }
}

 

Looks like the interfaces are up but I still can't do intervlan routing.

 

Core:

 

root@SW-RCP-CORE-E01> show interfaces terse irb
Interface               Admin Link Proto    Local                 Remote
irb                     up    up
irb.0                   up    up   inet
irb.10                  up    up   inet     10.21.38.245/24
irb.48                  up    up   inet     192.168.48.245/24
irb.50                  up    up   inet     192.168.50.245/24

 

 

Switch A

 

root@SW-RCP-ACC-A01> show interfaces terse irb
Interface               Admin Link Proto    Local                 Remote
irb                     up    up
irb.0                   up    up   inet
irb.10                  up    up   inet     10.21.38.241/24

 

 

Switch B

root@SW-RCP-ACC-B01> show interfaces terse irb
Interface               Admin Link Proto    Local                 Remote
irb                     up    up
irb.0                   up    up   inet
irb.10                  up    up   inet     10.21.38.242/24

 


Re: Best practices and configuration changes

[ Edited ]
‎06-17-2020 10:35 PM

Thanks guys for the inputs. It was a really silly mistake - I had the wifi connected on both computers so it wasn't using the right DG. All good now. 

 

One question though: why is the latency between the edge device and the interface so high? 10.21.38.245 is the management interface on the core switch.

Latency.PNG


Re: Best practices and configuration changes

‎06-18-2020 02:15 AM

Yes, 10ms seems high for hopping through a switch.  Can you run a ping from the edge switch itself to the mgmt ip of the core switch and verify what the actual switch to switch latency is?

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Best practices and configuration changes

‎06-18-2020 03:46 PM

This is a ping from Access Switch B to Core Switch. Latency looks as bad.

 

ping-latency.PNG


Re: Best practices and configuration changes

‎06-19-2020 02:45 AM

This verifies that the delay is internal to the switch stacking and does look unusually high.  I would expect these to be under 5ms and much more consistent since the switches are directly connected.

 

From the config and diagram it looks like only one port is connected so there can be no layer 2 loops.

Are these switches reasonably close together and that cable not very long or in different buildings?

 

I'm also wondering about storm control on the trunk port.  This is generally an access port control only.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Best practices and configuration changes

[ Edited ]
‎06-20-2020 06:20 PM

This is a test environment so switches are right next to each other. And yes, only one port connected so no loops.


Re: Best practices and configuration changes

‎06-21-2020 05:51 PM

DHCP server is not working, clients are not getting the address assigned. Here's what I have in the config:

 

##
        ## Warning: configuration block ignored: unsupported platform (ex2300-24p)
        ##
        dhcp {
            pool 192.168.48.0/24 {
                address-range low 192.168.48.100 high 192.168.48.150;
                domain-name rcpinsight.local;
                name-server {
                    8.8.8.8;
                }
                router {
                    192.168.48.254;
                }
            }
        }

Re: Best practices and configuration changes

‎06-22-2020 03:00 AM

That is the deprecated old method for dhcp server configuration.  On the newer switches like the ex2300 you need to use the version under system services.  Both are documented here and this link should jump to the version you should use.

 

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/dhcp-for-switching-devices.html#i...

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
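
The pool from the ignored `dhcp` block above, rewritten for the DHCP local server that Steve points to (an added example, not part of the original posts). It is meant for the core switch, where irb.48 holds 192.168.48.245/24; the group, pool and range names (ACCESS-DHCP, ACCESS-POOL, CLIENTS) are hypothetical, and the addresses are the poster's own values, unchanged.

```junos
# Configuration mode on the core switch. Lines starting with # are annotations.

# Remove the legacy block that the EX2300 ignores (path as in the warning above).
delete system services dhcp

# Serve DHCP on the routed interface of VLAN 48 (ACCESS).
set system services dhcp-local-server group ACCESS-DHCP interface irb.48

# The pool is matched to irb.48 by its network, so it must be the irb.48 subnet.
set access address-assignment pool ACCESS-POOL family inet network 192.168.48.0/24
set access address-assignment pool ACCESS-POOL family inet range CLIENTS low 192.168.48.100
set access address-assignment pool ACCESS-POOL family inet range CLIENTS high 192.168.48.150

# Options handed to clients, copied from the original pool.
set access address-assignment pool ACCESS-POOL family inet dhcp-attributes domain-name rcpinsight.local
set access address-assignment pool ACCESS-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool ACCESS-POOL family inet dhcp-attributes router 192.168.48.254

# Review the change, then commit with automatic rollback after 5 minutes
# unless a plain "commit" follows.
show | compare
commit confirmed 5

# Check that leases are being handed out.
run show dhcp server binding
run show dhcp server statistics
```

The `router` value is the gateway the clients will install, so it has to be an address that actually routes for VLAN 48 in this design.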

Re: Best practices and configuration changes

‎06-22-2020 03:01 AM
This is a test environment so switches are right next to each other. And yes, only one port connected so no loops.

Were you able to turn off storm control on the trunk ports and test again?

 

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
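
Steve's two trunk-port suggestions from this thread (explicit VLAN membership instead of `members all`, and no storm control on the trunk) written out as set commands for the access-switch uplink ge-0/1/0 from the posted configuration. This is an added example, not part of the original posts; it assumes ge-0/1/0 is the only uplink, and the trunk port on the core side needs the matching change.

```junos
# Configuration mode on an access switch. Lines starting with # are annotations.

# Replace "members all" with the three VLANs defined under [edit vlans].
delete interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members [ MGMT ACCESS SECURITY ]

# Take storm control off the trunk only; access ports keep "storm-control default".
delete interfaces ge-0/1/0 unit 0 family ethernet-switching storm-control

# Review, then commit with automatic rollback after 5 minutes in case the
# management session over this uplink is lost; confirm with a plain "commit".
show | compare
commit confirmed 5

# The uplink should be listed under all three VLANs, and irb.10 should stay up/up.
run show vlans
run show interfaces terse irb
```

An explicit member list also keeps the uplink from carrying any VLAN created later until someone adds it on purpose.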

Re: Best practices and configuration changes

‎06-24-2020 12:45 AM

Great, that helped. One more question: is it a good idea to set up the Core EX2300-24P as an NTP server for the rest of the access switches? If so, can you please guide me on how to configure that?


Re: Best practices and configuration changes

‎06-24-2020 02:59 AM

When you configure ntp in Junos to a valid source it can be a downstream source to others.

 

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/network-time-protocol-ti...

 

But in a small network I would generally just point everyone to a public ntp source directly like the tick.usno.navy.mil and tock.usno.navy.mil

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Best practices and configuration changes

‎06-28-2020 12:09 AM

Thanks Steve, you've been instrumental. One last query and I promise I'll bug off.

 

If I want to disable Inter-Vlan routing between Vlan-48 and Vlan-50 I believe I use firewall filter on the edge switches. Is there a way to do that on the core switch so I don't have to re-program every edge switch? Please remember I still want Management Vlan-10 to be accessible from every other Vlan and Vlan-48 should have internet access (shares the same subnet with the firewall/router).
