Creating Trunk from MX64W to Juniper EX2300

techsupportdor
Here to help

Creating Trunk from MX64W to Juniper EX2300

Hi, I have a MX65W which I plan to install into a small site along with a handful of MR32/33s.

As the MX65W only has two POE ports, I have a Juniper EX2300 ready to patch into the MX65W and then patch the access points into the EX2300.

 

I have a configured a port on the MX65W  as a trunk and set the native vlan to 89.

On my EX2300, I have created a trunk port and again set the native vlan to 89.

I have then also added vlans 90 and 91 as members so that traffic from those vlans can pass up the trunk.

 

To test, I have set a port on the EX2300 to an access port and then set it to either vlan 90 or 91, but the traffic never gets there and the client doesn't receive a dhcp address from the MX65W.

 

I'm I missing some config on the EX2300?

 

I'm sure its a vlan tagging issue, I just can't see where.MX_Port.pngMX_Subnets.png

 

Has anyone got a Juniper working like this with a MX firewall?

 

Switch config
12 REPLIES 12
SoCalRacer
Kind of a big deal

I am assuming the MX is handling the DHCP?

 

If so I believe you will need to setup DHCP relay on the juniper to point to the MX. I am not familiar with the Juniper switch, but with HP or most others each VLAN will have a DHCP relay server set. I don't see anything in the config like that.

 

Also next time possibly post a pastebin link to your config instead of the whole config.

Hi, thanks for the suggestions, I will check the dhcp relay, and report back.
dalmiroy2k
Getting noticed

I believe VLANs 90 and 91 should also be "Allowed VLANs" In your "Per-port VLAN Settings". I don't see them in your screenshot.

 

 

As @dalmiroy2k says, have you allowed the VLANs on the MX port?

@PhilipDAth and @dalmiroy2k You cannot see the headers on the image but the Allowed VLANs field has the "all" in it on the MX65.
SELBYCA
Comes here often

you could try changing the ae0.0 to this and see if it works:

set interfaces ae0 native-vlan-id 89
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members all

 

but your irb interface is in a different VLAN than your firewall. I might need some more info regarding your desired topology but try this.

 

VLAN 1 (default) is used for management traffic between all of your network devices. Firewall, Switches and Access Points. Use VLAN tags to allow traffic to flow between your wireless/wired clients. Use firewall rules to restrict clients access to management network x.x.88.0/24

 

Lastly, how did you get your MX65W to connect via LACP?

SELBYCA
Comes here often

or you could test moving your l3-interface from your "default" vlan to your "Wireless_DMZ" vlan. that would be the fastest test.

Hi, I think that would be my preferred option.
I want my default vlan to be 89 as it is the management vlan and only APs will be patched into the switch.

The MX is running DHCP.

Hi, although LACP is configured, Its only using one link, so I could probrarly remove it. There is no config for LACP on the MX.
techsupportdor
Here to help

I have taken another look at the switch config and made the following changes.

I have made the default native vlan, 89.

I have managed to get it all working, but not quite how I would have wanted it.

 

To make it all work, I've had to add the default vlan into each member vlan and it works.

 

Its this correct?

 

EX2300 Config v2 

It looks like you removed VLAN 89 from your config. If you add that back in and change your interfaces to look like this your config should start working as you intended.

 

You had your irb.0 under the "default" VLAN which is why you had to add the "default" VLAN to your interfaces to get DHCP to work.

 

Once you add the WirelessDMZ VLAN to the vlan members list on your trunk interfaces it will begin to look for that tag at the interface. You were really close the first time, but the default switch config might have led you astray a little.

 

https://pastebin.com/2SZnKSyC

Hi SELBYCA,

 

Thanks for your input.

 

Please see my current working config EX2300 v3 and a config from an EX2200 v1 which is doing the same role.

With regards to the EX2200 config, it is patched to an interface on a Fortigate Firewall with the main interface being the WirelessDMZ, then all the other subnets are subinterfaces and configured as vlans.

 

The EX2200 is works as intended with the default untagged vlan being the WirelessDMZ and all the other vlans tagged.

 

The EX2200 in this instance is the core switch with three other WirelessDMZ switches uplinking to it.

When an "AP" is patched to a trunk port, it receives an IP address from the WirelessDMZ range, which is the management vlan, then each SSID with issue an ip from any other the tagged vlans depending on what vlan id the ssid has.

 

I have tried to replicate the config in the EX2300 as in the EX2200, but I suppose that dealing with different switches and different firewalls, you don't always get the result you want, unless I'm missing something.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels