Does anyone know of issues with Juniper SW/Router other than the IGMP-snooping issue? We have a RFS7000 with remote AP6522s; the APs don't seem to be able to establish a Domain Manager among themselves, it's as if all of them cannot see each other or something is causing the MINT packets to be filtered out. We are doing Level 2 MINT. All the APs are on the same VLAN, and all the Juniper switches are connected back to the MDF; in theory they all should be able to see each other's MINT packets. But it looks like this is not the case. Just asking if anyone else has had any issues. We have 40 APs but only 24 come up under the Dashboard, while under Devices they all show up.
Juniper Switches - Having Issues - WING 5.4.3
4 Replies
Some additional explanation...
Motorola’s MiNT uses an unregistered multicast MAC address of 01:a0:f8:00:00:00; however, the EX-Series IGMP Snooping implementation will drop all unregistered multicast MACs by default. So there are two possible fixes at the moment to correct this:
1) Remove IGMP Snooping from the vlan in question, or delete IGMP outright. The problem with this approach is that IGMP Snooping is inherently a protection mechanism, and without it multicast will generally get flooded unconditionally (which makes for a great DoS mechanism). If you need a quick fix, or something for a lab environment, you can manipulate IGMP Snooping with this configuration bracket:
protocols {
    igmp-snooping {
        vlan all;
    }
}
2) The better way is that you can use ‘Firewall Filters’ to force the EX to flood a specific MAC address to the control plane, and hence it will be handled. EX-Series ‘Firewall Filters’ have a very misleading name, but they are incredibly powerful (If you ever need to do something which breaks the rules of traditional Ethernet/networking, you can probably do it with Firewall Filters – See http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pa… for a ton of information).
So to accomplish the filter, here’s an example:
Firewall filters can be bound to VLANs or interfaces (in this example it’s bound to an interface range). Binding it to a VLAN is the equivalent of binding it to every interface in the VLAN, and is probably the better way in this case.

The actual firewall filter: term one picks out the MAC address in question and tells the EX to ‘log’ it (which is handled by the control plane) and accept it (aka, forward it along). Term two tells the EX to accept anything else not specified, so that all the remaining traffic is forwarded normally (there is an inherent deny, so without term two the remaining non-multicast traffic would get dropped).
There are additional MAC addresses to take into account:

01-A0-F8-00-00-00
01-A0-F8-00-00-01
01-A0-F8-F0-F0-04

The last MAC is for roam notifications and only applies to the traffic/client VLANs. We ran into issues defining a mask in the Firewall Filter for anything other than /48 and also had issues defining multiple individual MACs. What we ended up with was a hybrid approach... On the Management VLAN, IGMP Snooping was disabled (takes care of the first 2 MACs). Then we used a Firewall Filter on the traffic/client VLANs for 01-A0-F8-F0-F0-04. Hope that helps.
FYI - I have confirmed this to also be an issue on Huawei switches, specifically models 5328-SI and 5352-SI.
Juniper switches by default block multicast from unregistered MAC addresses. Add the following filter to the switch and apply it to the native or management VLAN the APs use. Below are examples of both the show configuration output and the set commands you can edit and paste into the switch. In the example below the native or management VLAN name is v1000 and its tag or id is 1000; substitute your configuration's VLAN id and/or name.

firewall {
    family ethernet-switching {
        filter AP_MAC_Multicast {
            term 1 {
                from {
                    destination-mac-address {
                        01:a0:f8:00:00:00/48;
                    }
                }
                then {
                    accept;
                    log;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
}

vlans {
    v1000 {
        description MGMT;
        vlan-id 1000;
        filter {
            input AP_MAC_Multicast;
        }
        l3-interface vlan.1000;
    }
}

set firewall family ethernet-switching filter AP_MAC_Multicast term 1 from destination-mac-address 01:a0:f8:00:00:00/48
set firewall family ethernet-switching filter AP_MAC_Multicast term 1 then accept
set firewall family ethernet-switching filter AP_MAC_Multicast term 1 then log
set firewall family ethernet-switching filter AP_MAC_Multicast term 2 then accept
set vlans v1000 description MGMT
set vlans v1000 vlan-id 1000
set vlans v1000 filter input AP_MAC_Multicast
set vlans v1000 l3-interface vlan.1000
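As an added illustration (my own code, not part of this thread and not from Juniper or Motorola), here is a small Python model of how the AP_MAC_Multicast filter above is evaluated against a frame's destination MAC: terms are tried in order, the first match wins, and a frame matching no term hits the implicit discard. It reproduces the posted filter, the same filter with term 2 omitted (to show the discard the expert reply warns about), and a hypothetical /24 variant that would cover all three MiNT addresses listed in the earlier reply in one term; that reply reports that masks other than /48 did not work on their EX, so the /24 form is shown only for the prefix arithmetic, not as a tested configuration. The MiNT addresses and the sample unicast frame are constructed inputs; `is_multicast` checks the I/G bit that makes these frames subject to IGMP snooping in the first place.

```python
"""Model of Junos ethernet-switching firewall-filter evaluation on
destination-MAC terms: ordered terms, first match wins, implicit discard.
Added illustration; not Juniper's or Motorola's code.
"""
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple

MAC_BITS = 48

# MiNT multicast destinations quoted in the thread (constructed list).
MINT_MACS = ("01:a0:f8:00:00:00", "01:a0:f8:00:00:01", "01:a0:f8:f0:f0:04")


def mac_to_int(mac: str) -> int:
    """Parse '01:a0:f8:00:00:00' or '01-A0-F8-00-00-00' into a 48-bit integer."""
    octets = mac.strip().replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(octets), 16)


def is_multicast(mac: str) -> bool:
    """A MAC is multicast when the I/G bit (LSB of the first octet, bit 40) is set."""
    return bool((mac_to_int(mac) >> 40) & 1)


def mac_matches(mac: str, prefix: str) -> bool:
    """True if 'mac' lies inside 'prefix', written like the filter's
    destination-mac-address value: 'xx:xx:xx:xx:xx:xx/len' (/48 is an exact match)."""
    base, _, length = prefix.partition("/")
    plen = int(length) if length else MAC_BITS
    if not 0 <= plen <= MAC_BITS:
        raise ValueError(f"prefix length out of range: {prefix!r}")
    mask = ((1 << plen) - 1) << (MAC_BITS - plen)
    return (mac_to_int(mac) & mask) == (mac_to_int(base) & mask)


@dataclass(frozen=True)
class Term:
    name: str
    actions: Tuple[str, ...]          # e.g. ("accept", "log")
    dest_macs: Tuple[str, ...] = ()   # empty 'from' clause matches every frame


def evaluate(terms: Sequence[Term], dest_mac: str) -> Tuple[str, Tuple[str, ...]]:
    """Return (term name, actions) of the first term whose 'from' clause matches.
    When no term matches, the filter's implicit discard applies."""
    for term in terms:
        if not term.dest_macs or any(mac_matches(dest_mac, p) for p in term.dest_macs):
            return term.name, term.actions
    return "implicit-discard", ("discard",)


# The AP_MAC_Multicast filter as posted in the thread above.
AP_MAC_MULTICAST = (
    Term("1", ("accept", "log"), ("01:a0:f8:00:00:00/48",)),
    Term("2", ("accept",)),
)

# Same filter with term 2 left out: every non-matching frame is discarded.
TERM1_ONLY = AP_MAC_MULTICAST[:1]

# Hypothetical /24 variant covering the whole 01:a0:f8 prefix in one term.
# The earlier reply reports masks other than /48 did not work on their EX,
# so this shows the intended semantics only, not a tested configuration.
VENDOR_PREFIX = (
    Term("1", ("accept", "log"), ("01:a0:f8:00:00:00/24",)),
    Term("2", ("accept",)),
)


def describe(filter_terms: Sequence[Term], frames: Sequence[str]) -> Dict[str, Tuple[str, Tuple[str, ...]]]:
    """Evaluate each destination MAC against the filter and collect the verdicts."""
    return {mac: evaluate(filter_terms, mac) for mac in frames}


if __name__ == "__main__":
    frames = MINT_MACS + ("00:11:22:33:44:55",)   # constructed sample destinations
    for label, flt in (("AP_MAC_Multicast", AP_MAC_MULTICAST),
                       ("term 1 only", TERM1_ONLY),
                       ("/24 variant", VENDOR_PREFIX)):
        print(f"--- {label}")
        for mac, (term, actions) in describe(flt, frames).items():
            print(f"{mac}  multicast={is_multicast(mac)!s:5}  term={term:17} actions={actions}")
```

Running the module prints the verdict for each sample frame under the three filters; the "term 1 only" table is the one to look at when deciding whether a filter with a missing catch-all term explains dropped traffic.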