[j-nsp] EX4200: Ricoh printers, DHCP Snooping, dot1x Dynamic VLAN assignments

Jason Healy jhealy at logn.net
Mon Jul 10 21:15:52 EDT 2017


On Jul 10, 2017, at 8:22 PM, Chuck Anderson <cra at WPI.EDU> wrote:
> 
> Is anyone using EX4200 with DHCP Snooping + dot1x Dynamic VLAN
> assignments?

Yes, we've been running that setup for several years on EX3200 and 4200 VC setups campus-wide.  During the first year we hit several bugs with the dot1x process having memory leaks and some other issues, but things stabilized and have been solid for a while.  We dynamically assign VLANs for all printers and phones so they can be plugged into any port on campus and put on the correct VLAN.  We don't use voice VLANs.

There are occasional log messages about ARP inspection, but I believe it's devices that aren't renewing their leases often enough or aren't transmitting enough traffic to stay in the MAC table.  We've set our monitoring software to ping or probe all printers once a minute and that keeps everything active in the MAC tables.  We're also looking at cranking up the global mac aging timeout.

> I've also discovered that all VLANs that might end up being assigned
> to a port either statically or dynamically or via the VOIP VLAN
> feature must have matching examine-dhcp/ip-source-guard/arp-inspection
> settings under ethernet-switching-options secure-access-port.

Yes.  We have a "vlan all" for everything, and then carve out exceptions for VLANs that have old devices that use static addressing and won't support DAI.

Jason
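As an added illustration (not from either poster's mail and not a Juniper-published config), a legacy-EX-style Junos snippet of the "vlan all" plus per-VLAN exception pattern Jason describes, next to the dot1x side that does the dynamic VLAN assignment. VLAN names, interface names, addresses, MACs and the RADIUS server are placeholders; whether a VLAN-specific stanza overrides `vlan all` on your release should be checked against the Junos documentation for that release.

```junos
ethernet-switching-options {
    secure-access-port {
        /* Uplink towards the DHCP server: the only place DHCP replies are trusted */
        interface ae0.0 {
            dhcp-trusted;
        }
        /* Static-addressed legacy host: give DAI/IPSG a binding that snooping
           would never learn from DHCP (address and MAC are placeholders) */
        interface ge-0/0/5.0 {
            static-ip 10.20.30.40 vlan legacy-static mac 00:00:5e:00:53:01;
        }
        /* Same settings for every VLAN a port can end up in, static or dynamic,
           so a RADIUS-assigned VLAN never lands on a mismatched policy */
        vlan all {
            examine-dhcp;
            arp-inspection;
            ip-source-guard;
        }
        /* Exception VLAN for devices that cannot survive DAI: no snooping here */
        vlan legacy-static {
            no-dhcp-snooping;
        }
    }
}
access {
    radius-server {
        192.0.2.10 secret "PLACEHOLDER-SECRET";
    }
    profile radius-profile {
        authentication-order radius;
        radius {
            authentication-server 192.0.2.10;
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name radius-profile;
            interface ge-0/0/10.0 {
                supplicant multiple;
                mac-radius;                       /* printers authenticate by MAC */
                server-fail vlan-name quarantine; /* RADIUS down: park, don't open */
            }
        }
    }
}
```

The RADIUS server returns the VLAN per RFC 3580 (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=name); the VLAN it names must be one covered by the `secure-access-port` settings above, which is exactly why the `vlan all` baseline is used.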
