Good day, does anyone of you know the knobs to turn on/off in Juniper so that it can forward RoMON traffic? We deploy this switch as an interim edge switch while we are waiting for the proper hardware to be delivered to the DC. The switch has a couple of VLANs and nothing spectacular. Thanks in advance.
Maybe this can help:
https://help.mikrotik.com/docs/display/ROS/RoMON
RoMON packets are encapsulated with EtherType 0x88bf and DST-MAC 01:80:c2:00:88:bf
Yeah, I read that too, but we haven't turned on any security on the switch because this was a temporary thing:
root@EX4200# show ethernet-switching-options
secure-access-port {
    interface ge-0/0/8.0 {
        dhcp-trusted;
    }
    interface ge-0/0/12.0 {
        dhcp-trusted;
    }
}
voip;
storm-control {
    interface all;
}
{master:0}[edit]
Sometimes security settings are default… RoMON's different ether-type is something unexpected in a managed L3 switch (e.g. the ether-type is normally VLAN or Q-in-Q).
Also, if the Juniper SW access port is connected to a MikroTik bridge port, RoMON isn't going to work (i.e. the ether-type is VLAN).
Thanks for the input. To answer your question, both devices in question that participate in RoMON have interfaces that are not part of the bridge, so the problem really lies in the Juniper (non-ELS) security default policy. I'm really stuck since this device does not have a J-Care support contract.
All the reference material on the Juniper site pertains to newer models; the ethernet-switching-options there are not comparable to the newer version, and that's understandable because this EX4200 is working but ancient, so to speak.
Will try to dig more, thanks again.
If temp, maybe make it a trunk port. Or turn off “storm control”?
Fundamentally, "enterprise" switches do try to enforce traffic separation & RoMON's raison d'être is to violate that.
Out of desperation I asked Bing Chat, and this should do it, but unfortunately not for the EX4200, because ether-type-list is not available on the EX4200:
set ethernet-switching-options secure-access-port vlan members INTERNAL
set ethernet-switching-options secure-access-port interface ge-0/0/18 mac-limit 1
set ethernet-switching-options secure-access-port interface ge-0/0/18 mac-move-limit 1
set ethernet-switching-options secure-access-port interface ge-0/0/18 vlan members INTERNAL
set ethernet-switching-options secure-access-port interface ge-0/0/18 ether-type-list 88bf #### romon
set ethernet-switching-options secure-access-port vlan members INTERNAL
set ethernet-switching-options secure-access-port interface ge-0/0/19 mac-limit 1
set ethernet-switching-options secure-access-port interface ge-0/0/19 mac-move-limit 1
set ethernet-switching-options secure-access-port interface ge-0/0/19 vlan members INTERNAL
set ethernet-switching-options secure-access-port interface ge-0/0/19 ether-type-list 88bf ### romon
I already tried removing storm control and it still doesn't work.
root@EX4200# set ethernet-switching-options secure-access-port interface ge-0/0/18 ?
Possible completions:
+ allowed-mac Allowed MAC address on this interface
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
dhcp-trusted Make this interface trusted for DHCP
> mac-limit Number of dynamic MAC addresses allowed on this interface
no-allowed-mac-log Do not log violation of allowed MAC on this interface
no-dhcp-trusted Don't make this interface trusted for DHCP
persistent-learning Enable persistent MAC learning on this interface
> static-ip Static IP address configuration
> vlan Configure access port security for this VLAN
voip-mac-exclusive Voip mac exclusive feature flag
{master:0}[edit]
I really dunno Juniper, but isn’t there a “unit 0” needed?
set unit 0 family ethernet-switching port-mode access
set unit 0 family ethernet-switching vlan members all
As a shorthand syntax, if you want to set ge-0/0/18 as an access port with VLAN member 20, for example, the right syntax would be (at least on Juniper with legacy Junos, non-ELS):
set interfaces ge-0/0/18 unit 0 family ethernet-switching port-mode access vlan members 20
Simply put an EoIP tunnel across both Tik devices.
Done.
I have a couple of stupid switches playing havoc on me as well in a RoMON context. Simple EoIP and case closed.
Not even needed to add them to a bridge. Just the fact that they are present makes it work (and assuming RoMON uses all interfaces).
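To tie the two technical points of this thread together (RoMON frames carry EtherType 0x88bf to 01:80:c2:00:88:bf, and wrapping them in an EoIP tunnel makes the intermediate switch see ordinary IPv4 instead), here is an added example, not code from the thread or from MikroTik/Juniper. It builds two constructed sample frames, a bare RoMON frame and the same frame inside an EoIP tunnel, and reports what an L2 device would match on (the outer EtherType) and whether RoMON is present, including when tunneled. The EoIP GRE header layout (flags 0x2001, GRE protocol type 0x6400, length, tunnel ID) is an assumption for illustration; the MAC and IP addresses are constructed.

```python
import struct

# EtherTypes: the RoMON one is from the MikroTik docs quoted in this thread,
# the others are the standard IEEE/IANA assignments.
ETH_P_IPV4 = 0x0800
ETH_P_8021Q = 0x8100    # 802.1Q single VLAN tag
ETH_P_8021AD = 0x88A8   # 802.1ad outer (Q-in-Q) tag
ETH_P_ROMON = 0x88BF
ROMON_DST_MAC = bytes.fromhex("0180c20088bf")   # 01:80:c2:00:88:bf
IPPROTO_GRE = 47
EOIP_GRE_PROTO = 0x6400  # assumed: GRE protocol type used by MikroTik EoIP


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_ethernet(frame):
    """Split a raw frame into (dst, src, [vlan ids], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, vlans = 12, []
    while True:
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype not in (ETH_P_8021Q, ETH_P_8021AD):
            return dst, src, vlans, etype, frame[off + 2:]
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlans.append(tci & 0x0FFF)
        off += 4


def find_romon(frame, depth=0):
    """Describe how a switch sees this frame and whether RoMON is inside it.

    Returns the outer EtherType (what an L2 device matches on), VLAN tags,
    and whether a RoMON frame was found directly or inside an EoIP tunnel.
    """
    dst, _src, vlans, etype, payload = parse_ethernet(frame)
    result = {"outer_ethertype": etype, "vlans": vlans,
              "romon": False, "tunneled": False}
    if etype == ETH_P_ROMON and dst == ROMON_DST_MAC:
        result["romon"] = True
        return result
    if etype == ETH_P_IPV4 and depth < 2:
        ihl = (payload[0] & 0x0F) * 4
        if payload[9] == IPPROTO_GRE:
            gre = payload[ihl:]
            if struct.unpack_from("!H", gre, 2)[0] == EOIP_GRE_PROTO:
                # assumed EoIP layout: flags/ver(2) proto(2) len(2) tunnel-id(2)
                inner = find_romon(gre[8:], depth + 1)
                if inner["romon"]:
                    result["romon"] = True
                    result["tunneled"] = True
    return result


def ip_checksum(hdr):
    """Standard one's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_romon_frame(src_mac, payload):
    """Bare RoMON frame: fixed multicast destination, EtherType 0x88bf."""
    return ROMON_DST_MAC + mac(src_mac) + struct.pack("!H", ETH_P_ROMON) + payload


def build_eoip_frame(src_mac, dst_mac, src_ip, dst_ip, tunnel_id, inner):
    """Wrap an Ethernet frame the way an EoIP tunnel does (outer IPv4/GRE)."""
    gre = struct.pack("!HHHH", 0x2001, EOIP_GRE_PROTO, len(inner), tunnel_id) + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0x1234, 0x4000,
                     64, IPPROTO_GRE, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_IPV4) + ip + gre


# Constructed sample frames (not captures from this thread).
ROMON_DIRECT = build_romon_frame("d4:ca:6d:00:00:01", b"\x00" * 46)
ROMON_VIA_EOIP = build_eoip_frame("d4:ca:6d:00:00:01", "d4:ca:6d:00:00:02",
                                  "10.0.20.1", "10.0.20.2", 42, ROMON_DIRECT)

if __name__ == "__main__":
    for name, frame in (("direct", ROMON_DIRECT), ("eoip", ROMON_VIA_EOIP)):
        r = find_romon(frame)
        print(f"{name}: outer EtherType 0x{r['outer_ethertype']:04x}, "
              f"romon={r['romon']}, tunneled={r['tunneled']}")
```

Run against frames from a capture on the Juniper-facing port, `find_romon` shows the difference the workaround makes: the bare frame presents EtherType 0x88bf, which an access port expecting VLAN/IP traffic can legitimately refuse, while the tunneled copy presents 0x0800 and only a tunnel-aware parser sees the RoMON inside. The same routine doubles as a detection check for anyone who wants to know where RoMON management traffic is crossing their network, tunneled or not.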
What a clever workaround, hehehe. Let me try that approach and will update this post, thanks a ton.
Edit: @holvoetn you're a genius, it works! Like what you said, the EoIP interface doesn't need to be a member of a bridge.
Wow, thank you! I've been trying to figure this one out for a while now on the EX4200.