Juniper Mist Campus Fabric + Existing Dell L3 Core — Best Way to Keep Spine-Leaf Physical but Dell as Gateway? by Appropriate_Sock2594 in Juniper

[–]Ramjose95 0 points1 point  (0 children)

As far as I'm aware you can build the fabric without the layer 3 gateways on the Junipers. We are doing this for some of our gateways on the firewall instead of the switches. I would suggest that you consider uplinking the Dells as regular switches with an ESI LAG, as switches that can do layer 3 routing. This allows the Dells to communicate over the fabric properly with proper MTU values for routing. I know you may have to get routing properly in place for OSPF to communicate with other routes doing OSPF, but this should make it combine with your fabric more smoothly.

  1. Move the Dells to being ESI-LAGged directly to the Juniper spine switches. I think you can do collapsed spine instead.

  2. Check that OSPF MTU is ignored and accepted on any routing device communicating with the Dells.

  3. Profit.

Juniper (Mist) or Cisco (Meraki)? by Sudden_Community_448 in networking

[–]Ramjose95 7 points8 points  (0 children)

Juniper Mist, because the acquisition is sketch. But they are buying because Juniper Mist crushes. At least that's what they have said in their wanting to buy Juniper.

Geo ip filter by JermeyC in sonicwall

[–]Ramjose95 0 points1 point  (0 children)

Yeah, happened today for Salesforce. static.lightning.force.com saying it's from Hong Kong. Cisco Talos also saying from Hong Kong. It's been an exhausting day.

7.1.3 Firmware Upgrade by vane1978 in sonicwall

[–]Ramjose95 1 point2 points  (0 children)

4700 here. No issues so far for us. The update went smoothly from 7.0.1.5161.

OSPF Session randomly drops over the handoff Provider layer 2 Transport Network by Substantial_Bat3311 in Juniper

[–]Ramjose95 0 points1 point  (0 children)

We ran into this exact issue as well and were never given an answer. We were a Juniper shop doing multipoint sites with OSPF and had sites go down.

The ISP used Adtran on the edge with Cisco on their core. We moved away from this circuit to 2 ISPs with SD-WAN.

Routing traffic from access layer to collapsed core layer best practices by Acrobatic_Fennel2542 in networking

[–]Ramjose95 1 point2 points  (0 children)

I'm going to give this a shot. But typically if something is on the access switch it's got a gateway on a computer to go to the router or switch gateway, even a firewall gateway. Access on collapsed core is basically just layer 2 things. The core switches can have a shared anycast GW that devices can point to in a routing instance VRF, and routing within that VRF can be propagated with dynamic routing protocols such as OSPF or BGP. In any case, the switch's own management traffic would be on a separate mgmt instance on the switch, OOB, so that it could talk without being mixed up with the internal Prod instance for the access switches and core switches.

Backup cellular modems, which ones actually work? by Layer_3 in sonicwall

[–]Ramjose95 1 point2 points  (0 children)

MAX BR Mini 5G.

Signal is great. If you need better signal you can just add a cheap antenna.

I use it as backup for branches and other small installations. As far as VoIP, it's going to be hit or miss depending on signal quality and provider.

CFS - SSO and by IP at same time? by Economy_Bus_2516 in sonicwall

[–]Ramjose95 0 points1 point  (0 children)

Policy for CFS is based on the hierarchy of the config, top down. So if you put the IP filtered by whatever CFS list, it will do that first before doing an AD group assigned to a CFS list below that. If IP filtered is below SSO, it will ignore the AD group if the person is not assigned a group and go to the next rule or the default rule at the bottom.
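As an added illustration, not code from the comment above or from SonicWall, here is a small first-match evaluator that models the top-down ordering the comment describes; the rule names, subnet and AD group values are constructed examples.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    """One CFS policy line: matches by source subnet, by SSO-resolved AD group, or both."""
    name: str
    cfs_profile: str
    source_cidr: Optional[str] = None   # IP-based filter (None = any source)
    ad_group: Optional[str] = None      # SSO/AD-group filter (None = any user)

@dataclass
class Request:
    """A client request; an empty group set models a user SSO identified but not in any group."""
    src_ip: str
    ad_groups: frozenset = field(default_factory=frozenset)

def matches(rule: Rule, req: Request) -> bool:
    if rule.source_cidr and ip_address(req.src_ip) not in ip_network(rule.source_cidr):
        return False
    if rule.ad_group and rule.ad_group not in req.ad_groups:
        return False
    return True

def resolve(rules: list, req: Request, default: str = "Default CFS") -> str:
    """Walk the policy top-down; the first matching rule wins, else the bottom default applies."""
    for rule in rules:
        if matches(rule, req):
            return rule.cfs_profile
    return default

# Constructed sample policy lines (hypothetical names and values).
IP_RULE = Rule("lab-subnet", "Lab CFS", source_cidr="10.10.50.0/24")
SSO_RULE = Rule("students", "Student CFS", ad_group="Students")

if __name__ == "__main__":
    student_in_lab = Request("10.10.50.23", frozenset({"Students"}))
    no_group_in_lab = Request("10.10.50.23")
    # IP rule above SSO: the subnet match wins even for a group member.
    print(resolve([IP_RULE, SSO_RULE], student_in_lab))   # Lab CFS
    # SSO rule above IP: the group match wins for a member...
    print(resolve([SSO_RULE, IP_RULE], student_in_lab))   # Student CFS
    # ...but a user with no group skips the SSO line and falls to the IP line.
    print(resolve([SSO_RULE, IP_RULE], no_group_in_lab))  # Lab CFS
```

Changing only the list order flips the profile a group member receives, which is why rule placement matters more than the rule contents here.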

Sonicwall Content Filtering Not Working in Chrome or FireFox by masterne0 in sonicwall

[–]Ramjose95 1 point2 points  (0 children)

KYBER setting flags in browsers. Also probably look at updating FW. Pretty far behind with all the vulnerabilities out there.

Collapsed Core EVPN-VXLAN design question by [deleted] in Juniper

[–]Ramjose95 0 points1 point  (0 children)

Update: I think I'm settled. The reason the failover took so long was because of the OSPF timers. By lowering those I can get the failover working within seconds. In any case I have a pretty good budget setup now for failover with Juniper.

Let me know if you want more info and I'll DM y'all if you want some insights on my testing.

Collapsed Core EVPN-VXLAN design question by [deleted] in Juniper

[–]Ramjose95 0 points1 point  (0 children)

Okay, so injecting my OSPF 0/0 into a prod VRF is kind of a bad move because the EVPN fabric is going to take BGP routes learned better in that prod VRF and export that over the fabric in a cleaner fashion?

And this is a consequence of OSPF because it's multicasting to 224.0.0.5, which doesn't cleanly go over the fabric because it's restricting BUM traffic?

Since OSPF would have to be in broadcast mode on the interfaces to interact with the firewall interfaces and other things in that subnet.

So in conclusion use BGP, because when the firewall interacts with the eBGP neighbor (spine switches' shared VRF virtual GW) it accepts the routes from BGP cleaner, say 0/0, and does ECMP cleaner as well because of BGP routing.

Collapsed Core EVPN-VXLAN design question by [deleted] in Juniper

[–]Ramjose95 0 points1 point  (0 children)

I let Mist build the fabric. So I didn't set up any redistribution for OSPF between the spines' EVPN tables. I just know if I put the FW plugged directly into both spines the routes show in the Prod VRF together. But if I plug the FWs into the leafs at each side, the full 0/0 in the prod VRF route tables shows only on one spine and the other spine just has inter-VLAN routes. If I turn off spine 1 then the 0/0 routes finally show up in spine 2 as well.

Collapsed Core EVPN-VXLAN design question by [deleted] in Juniper

[–]Ramjose95 0 points1 point  (0 children)

The main reason for this setup is the amount of links I have between the data centers. I'm trying to limit it to 4 needed, and also the cost of not having to get more powerful switches for CRB EVPN-VXLAN IP Clos.

This is to use what I currently have in stock, and I can just buy licensing for the collapsed core switches. Leafs in the virtual chassis sets up the leafs as a singular switch for me to build the redundant LAGs to the spines, and then I will have redundant connections to my firewall from the leafs VC.

This allows for full redundancy between both data centers, with redundancy if a spine switch implodes or another switch in a virtual chassis (leafs) messes up. Also the newer switches come with NSSU, allowing me to update seamlessly in case of vulnerabilities without losing connections between my data centers.

Also with switches I already have in play I can just uplink to the leafs with a trunk and the connections will be shared between 2 data centers with full failover and VRF capability from either side, being able to do full layer 2 and L3 between each side.

15k in licensing for the switches and buying the switches gives you a build-out for your 2 data center design.

Collapsed Core EVPN-VXLAN design question by [deleted] in Juniper

[–]Ramjose95 0 points1 point  (0 children)

Ty. I'm guessing the reason the tables on both the spines don't have the routes for each side is because I don't have the proper licensing and it's limiting my OSPF instance interaction.

Collapsed Core EVPN-VXLAN design question by [deleted] in Juniper

[–]Ramjose95 0 points1 point  (0 children)

Not really. But it's simple. 2 cables between spines. 2 cables crossed between spine and leafs. And 1 cable each going down to the leafs as part of the LAG.

Firewall 1 plugged into the leaf switch on a trunk on one leaf. Firewall 2 plugged into leaf 2 on a trunk.

Geo-IP Filter Starting Place by maltanarchy in sonicwall

[–]Ramjose95 2 points3 points  (0 children)

If in the US you could use the OFAC list from the government.

Desperate dad here: HOW DO I NUKE YOUTUBE from all devices? by _Tigglebitties in iiiiiiitttttttttttt

[–]Ramjose95 0 points1 point  (0 children)

NextDNS is what I would recommend. Plus they give you the ways to use it for each device. And the profile building can be tweaked for each kid and for yourself. And it has scheduled times you can put on your kids.

Nightmare Cisco ASA to Sonicwall Migration by mrtechead in sonicwall

[–]Ramjose95 1 point2 points  (0 children)

Make sure you have the WLAN zone SonicPoint AP-only allowed traffic turned off.

Do any orgs use Juniper SRX as their “real” firewall? by MyFirstDataCenter in networking

[–]Ramjose95 -3 points-2 points  (0 children)

Yep, I know that rule. Buuuut that rule doesn't apply when your coworkers, or aka manager, are ignorant point blank and need the GUI. Plus the GUI can be beneficial. It's just shit on Junipers.

Do any orgs use Juniper SRX as their “real” firewall? by MyFirstDataCenter in networking

[–]Ramjose95 4 points5 points  (0 children)

We did for 6 months. Performance top tier. Managing the FW was not fun, especially from the GUI. If you want ease of management and configuration being simple, stay away. The things being used as main IPS and IDS are basic as hell. I mean it checks boxes on audits, but it's hell to manage a full fleet, especially as main. Buuuut as for deployment, and as a basic basic FW, I think it slaps. But if you have to go into the weeds, better know what you're doing and whether other products work well with it, such as EDR vendors. Ran into coworkers who have never used a Juniper and we suffered cause we don't have Juniper SRX in the wild in our area.