Switching


EX4200s - need to control traffic between VLANs

  • 1.  EX4200s - need to control traffic between VLANs

    Posted 08-15-2011 06:22

    I have a number of VLANs defined on our EX4200 stack (running 10.3R2.11). The network design is such that some of the VLANs are private (e.g. to control traffic between the switch stack, the routers and the "outside world" connections), one is for the DMZ and the remainder are to manage the internal network for different uses.

    For the private VLANs, no l3-interface is defined because none is needed. The traffic management here is just layer 2.

    For the DMZ and the internal VLANs, there is an l3-interface defined. The intention for the flow of traffic is that all systems on the DMZ will be configured to have the router as their default gateway, and all systems on the internal VLANs will have the switch stack as their default gateway. The switch stack has, as *its* default gateway, the internal interface on the router.

    So the router is intended as the overall gateway control between the internal network, the DMZ network and the outside world. The switch stack is intended to manage all traffic flow between the internal VLANs.

    The problem now is that when any system on an internal VLAN tries to reach a system in the DMZ, the traffic goes into the switch stack and then STRAIGHT into the system in the DMZ ... presumably because the switch stack "knows" where the system is.

    I then tried removing the l3-interface definition on the DMZ VLAN and that corrected the flow of traffic between the internal network and the DMZ VLAN ... but then stopped the DHCP service from working for DMZ clients.

    I need to find a way to stop traffic going directly from the internal LAN into the switch stack and then into the DMZ. I need traffic from the internal LAN to go via the router.

    Can someone please point me in the direction of how to do this?

    Thanks.

    Philip



  • 2.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-15-2011 09:58

    When the INTERNAL VLAN traffic hits the EX4200 it becomes a router (your RVI default gateway).

    You could put the DMZ VLAN in a separate routing-instance. This would remove those routes from the switch's default routing-instance and thus the switch would then forward the traffic to the router.

    An easier way would be to keep the switch L2 and set the default gateway for the INTERNAL VLAN traffic to the router.



  • 3.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-15-2011 23:38

    @benboyd5 wrote:

    When the INTERNAL VLAN traffic hits the EX4200 it becomes a router (your RVI default gateway).

    You could put the DMZ VLAN in a separate routing-instance. This would remove those routes from the switch's default routing-instance and thus the switch would then forward the traffic to the router.

    An easier way would be to keep the switch L2 and set the default gateway for the INTERNAL VLAN traffic to the router.


    Thanks for the reply.

    We did think of keeping the switches L2 and using them just as switches and using the routers as routers, but I felt that this would cause a lot of the intra-VLAN traffic to go out to the router only to be sent back again, when the switches could handle that traffic across the backplane at a much higher speed.

    Thanks for the pointer on setting up a separate routing instance. I'll see if I can find the appropriate information in the documentation, but if you know where there are examples of how to do this, I would appreciate the pointers.

    Regards

    Philip



  • 4.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-16-2011 07:13

    Depending on your security requirements, it might just be easier to add a firewall filter on the RVI. You can create a firewall filter to only allow the desired traffic and then apply it as an input filter.



  • 5.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-18-2011 07:29

    I'm still struggling to understand how to get this set up.

    I've tried to find configuration examples of setting up a virtual-router routing-instance, but everything I've found seems to work by placing physical ports within a virtual router rather than using the logical layer.

    Here is a Juniper example that uses physical ports: http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/bridging-vrf-ex-series.html

    It seems to defeat the point of having VLANs if you have to then configure the virtual router based on physical ports. What I would like to be able to do is say:

    DMZ virtual router contains the DMZ VLAN

    Internal virtual router contains the Internal VLAN, Server VLAN and Infrastructure VLAN

    then ensure that traffic coming out of the DMZ virtual router has a default gateway of aaa.bbb.ccc.ddd and traffic coming out of the Internal virtual router has a default gateway of zzz.yyy.xxx.vvv.

    Can someone please confirm (or otherwise) that what I want to do is possible and, if it is, suggest where I can read up on how to do this (e.g. some links)?

    Many thanks.



  • 6.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-18-2011 07:40

    Virtual-router routing-instances are primarily for maintaining separate routing tables. If you're only concerned with keeping VLAN A from talking to VLAN B it would be easier to just use the firewall filter feature to filter traffic entering or leaving a VLAN.
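    The filter approach suggested in the two replies above, as an added example that is not from any post or attachment in this thread: an input filter on the internal VLAN's RVI that discards (and counts) packets addressed to the DMZ subnet, while all other inter-VLAN routing stays on the switch. The RVI unit (vlan.20) and both subnets (172.16.1.0/24 for the DMZ, 192.168.20.0/24 for the internal VLAN) are assumed lab values.

```junos
/* Added example, not from the thread: input filter on the internal RVI that drops traffic bound for the DMZ subnet. */
/* Assumed values: vlan.20 is the internal RVI, 172.16.1.0/24 is the DMZ, 192.168.20.0/24 is the internal VLAN. */
firewall {
    family inet {
        filter BLOCK-DIRECT-TO-DMZ {
            term deny-dmz {
                from {
                    destination-address {
                        172.16.1.0/24;
                    }
                }
                then {
                    /* count before discarding so the counter shows how often the direct path is attempted */
                    count direct-to-dmz-dropped;
                    discard;
                }
            }
            /* everything else, including traffic between the internal VLANs, is still routed on the switch */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 20 {
            family inet {
                /* input direction: packets arriving from hosts on the internal VLAN */
                filter {
                    input BLOCK-DIRECT-TO-DMZ;
                }
                address 192.168.20.1/24;
            }
        }
    }
}
```

    Note that this blocks the direct path rather than steering it through the router, which is why the thread goes on to discuss routing instances instead; `show firewall filter BLOCK-DIRECT-TO-DMZ` shows the counter.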



  • 7.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-18-2011 07:48

    @robert.juric wrote:

    Virtual-router routing-instances are primarily for maintaining separate routing tables. If you're only concerned with keeping VLAN A from talking to VLAN B it would be easier to just use the firewall filter feature to filter traffic entering or leaving a VLAN.


    I'm sorry if I wasn't clearer.

    It isn't that I don't want VLAN A to talk to VLAN B ... it is just that I want the traffic flow to go through our J-Series routers and not directly through the switch. I don't want to have two sets of firewall filters, one on the routers and one on the switches. I want to try to keep the design as clean as possible ... which may ultimately mean that I have to redesign the switches so that they are only doing layer 2 stuff and all of the layer 3 stuff is done on the routers, but I believe that that is (a) a waste of money buying the EX switches and (b) a bottleneck, because all of the traffic that needs to go between the various "internal" VLANs (e.g. PCs to servers) would then need to go through the routers over a single 1Gb connection, which is a lot slower than the chassis backplane speed.



  • 8.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-18-2011 08:12

    Going back and reading your original post, it seems like you want your DMZ VLAN to have its default gateway reside on the router? But you want the internal VLANs to have their default gateway on the switch?

    In order to keep your DMZ completely separate you should create a DMZ virtual router, and add your DMZ ports and a port from the J-Series. You're basically making the DMZ portion of the EX4200 L2 only and using the J-Series interface as the default gateway, using the old router-on-a-stick layout.

    Then you can use another link to the J-Series as an L3 link to the EX4200 default virtual router. Create the RVIs for your internal VLANs just like you would normally do and then create a default route pointed to your J-Series.

    This way all DMZ traffic is routed through the J-Series and local routing between internal VLANs happens on the EX4200. The default route to the J-Series for your default VR ensures that traffic from Internal to DMZ would have to flow up to the J-Series for routing. Maybe my ugly MS Paint whiteboard will explain it.



  • 9.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-18-2011 08:35

    I think he wants to keep the RVI on the DMZ because of DHCP.

    If you want to have the J-Series do the DHCP, you could set the following on the EX...

    "set forwarding-options helpers bootp server 1.1.1.1"

    Otherwise, you are definitely going to need a routing-instance to separate the tables.

    Here's an example of how easy a routing-instance should be in this case....

    ben@sinatra-fw3> show configuration routing-instances test | display set
    set routing-instances test instance-type virtual-router
    set routing-instances test interface vlan.155



  • 10.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-18-2011 08:50

    You may actually want to put the internal VLANs in a separate routing instance and keep the DMZ VLAN in the default routing-instance.... I think DHCP servers aren't supported in VRs.



  • 11.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-18-2011 21:58

    Ben,

    DHCP is supported in a VR; you just have to use a helper.

    EX3200:

    forwarding-options {
        helpers {
            bootp {
                interface {
                    vlan.100 {
                        server 10.0.0.1 routing-instance VR_Default;
                    }
                    vlan.32 {
                        server 10.0.32.1 routing-instance VR_Development;
                    }
                    vlan.16 {
                        server 10.0.16.1 routing-instance VR_Servers;
                    }
                }
            }
        }
    }

    SRX210:

    system {
        services {
            dhcp {
                pool 10.0.0.1/20 {
                    address-range low 10.0.0.10 high 10.0.0.254;
                    router {
                        10.0.0.2;
                    }
                    server-identifier 10.0.0.1;
                }
                pool 10.0.16.0/20 {
                    address-range low 10.0.16.10 high 10.0.16.254;
                    router {
                        10.0.16.2;
                    }
                    server-identifier 10.0.16.1;
                }
                pool 10.0.32.0/20 {
                    address-range low 10.0.32.10 high 10.0.32.254;
                    router {
                        10.0.32.2;
                    }
                    server-identifier 10.0.32.1;
                }
            }
        }
    }



  • 12.  RE: EX4200s - need to control traffic between VLANs
    Best Answer

    Posted 08-18-2011 21:49

    So I think I've got a config that will work for you, or at least a start. I don't have a J-Series, so I had to use my SRX210 in its place, but the config should be pretty close to what you need.

    DMZ is L2 from the host to the router. The router is serving as a DHCP server for the DMZ. All DMZ traffic traverses the router, so you can apply whatever rules you need there.

    I have two "internal" VLANs, "Department_1" and "Department_2". Traffic between those VLANs stays on the switch using RVIs. Traffic to the internet and DMZ passes through the router.

    If I missed something, let me know and I'll see what I can do.

    Dustin

    Attachment(s): ex3200_dmz.txt (3 KB), srx210_dmz.txt (3 KB)


  • 13.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-19-2011 00:49

    @dscott wrote:

    DMZ is L2 from the host to the router. The router is serving as a DHCP server for the DMZ. All DMZ traffic traverses the router, so you can apply whatever rules you need there.

    I have two "internal" VLANs, "Department_1" and "Department_2". Traffic between those VLANs stays on the switch using RVIs. Traffic to the internet and DMZ passes through the router.


    Hi Dustin

    Many thanks for this ... this really helps. I have a couple of questions arising from looking at the samples you've provided.

    1. I'm trying to understand the role played by the trunks to the ESX vSwitches. Presumably I don't need anything like that if the "department" traffic is either entirely within that VLAN or gets shipped out to the SRX for further routing?

    2. At the moment, our EX chassis is providing DHCP services to the DMZ. DHCP for the other VLANs is being handled by Windows servers with DHCP helper statements in the switch configuration. If I create a virtual router for the DMZ VLAN, would that still allow me to keep it as an L3 VLAN and use the switch as the DHCP server? I realise that you've provided a configuration where the DHCP service has been moved to the router, and that is certainly an option we can consider, but I'm trying to be aware of the fact that a future network topology might require the DMZ to consist of more than one VLAN and we would therefore then definitely need a virtual router and more flexibility around DHCP.

    Thanks again!



  • 14.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-19-2011 07:40

    I use an ESX host to simulate machine traffic. Think of it as a trunk port to any other physical L2 switch. If your equipment is directly connected to the EX4200, you could do something like the following for each port going to a departmental device.

    set interfaces ge-0/0/10 description "Workstation 1"
    set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members department_1

    In my config the DMZ VLAN is L2 on the switch, and all the routing for it is done on the actual router. After going back and re-reading your original post, I see you wanted the DMZ VLAN to be L3 as well. So to answer your question, you could create a VR routing instance, and configure it just as was done for the other routing instance. If you don't give that instance a route to the networks on your other VR, all traffic will be sent through the J-Series.

    I'll try and get a modified config later this afternoon that has DHCP for the DMZ on the switch, and adds L3 on the switch for the DMZ VLAN.



  • 15.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-19-2011 13:34

    Holy cow, this was a head scratcher....

    New configs are attached. I'm not quite sure why this is the proper way to do it; perhaps it's just a workaround for now.

    The funky routing options are from the post below; it's the only way I could get DHCP to work in the virtual router.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21169

    Traceroute from a machine in the DMZ to a machine in the Department_1 VLAN:

    drone:~# traceroute 192.168.20.10
    traceroute to 192.168.20.10 (192.168.20.10), 30 hops max, 40 byte packets
     1  172.16.1.1 (172.16.1.1)  2.730 ms  2.727 ms  2.755 ms
     2  10.10.255.5 (10.10.255.5)  1.076 ms  1.082 ms  1.076 ms
     3  10.10.255.2 (10.10.255.2)  5.314 ms  5.450 ms *
     4  192.168.20.10 (192.168.20.10)  5.412 ms  5.437 ms  5.417 ms

    Let me know if I missed anything, but you should now have your DMZ and departmental VLANs at L3 on the switch. Traffic to and from the DMZ will be going through your router.

    Dustin

    Attachment(s): ex3200_dmz_v2.txt (3 KB), srx210_dmz_v2.txt (3 KB)


  • 16.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-21-2011 23:51

    Many thanks, Dustin, for the work you've put into this! Really appreciated.

    I won't be able to test this config out until the coming weekend but I have one further question if you are able to answer it: At the moment, the "department" VLANs on my chassis have got DHCP forwarder statements to get DHCP requests handled by a couple of Windows boxes. Given the hassle you had getting the switch to answer DHCP requests from the DMZ VLAN once you'd put it into a virtual router, do you envisage the same issue or do you think that DHCP forwarding should work OK?

    Thanks again and I'll hopefully be able to confirm a working configuration at the weekend.

    Philip



  • 17.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-22-2011 08:43

    DHCP forwarding should work just fine. That is how I've done it in the past when using virtual routers. I've never put the DHCP service on my switches. It's always been on a server, or on my firewall/router.

    Attached are two configs I've used in my lab (working on a problem for another forum user actually). It has DHCP services on my SRX, L3 VLANs on my switch, with the different VLANs in their own routing instance. Using the DHCP helper, everything worked just fine.

    Attachment(s): SRX210_VLANS_v2.txt (5 KB), EX3200_VLANS_v2.txt (2 KB)


  • 18.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-27-2011 07:54

    Hi Dustin

    The config you provided is working fine except for DHCP on the DMZ VLAN using the DHCP service on the switches. I may just take the easier option here and move the DHCP service to the J-Series router and clean up the config that way.

    I have hit a slightly unforeseen snag on the routing side though, and it is my fault for not explaining everything up front.

    We are using IPv6 as well as IPv4, so the switches have the following defined as their original default routes:

    routing-options {
        graceful-restart;
        rib inet6.0 {
            static {
                route ::/0 next-hop 2001:630:280::1;
            }
        }
        static {
            route 0.0.0.0/0 next-hop 193.63.211.1;
        }
    }

    So, when I got to the bit in the virtual router for the department VLANs, I tried to add the same rib inet6.0 statement (since that next hop is correct for the internal VLANs). However, when I go to commit the config, I get this error:

      'rib inet6.0'
        RT: rib inet6.0 is not in matching routing instance

    I've removed the rib set of statements so that I can commit the config, and I've tested the routing between the routing instances and it works fine, except that IPv6 traffic now doesn't know how to get out of the department VLAN.

    Are you able to clarify how I should be entering the IPv6 route into the routing instance, please?

    Many thanks.

    Philip



  • 19.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-27-2011 08:23

    it@dante.net wrote:

    The config you provided is working fine except for DHCP on the DMZ VLAN using the DHCP service on the switches. I may just take the easier option here and move the DHCP service to the J-Series router and clean up the config that way.


    I've now made this change and DHCP is working fine.

    Philip



  • 20.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-27-2011 09:37

    Philip,

    I've never done anything with IPv6, but if you want to post your config, I'll see if I can get it working in my lab.

    Also not sure why the DHCP isn't working in the DMZ VLAN; it was working for me. Again, the config would help.



  • 21.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-27-2011 11:47

    @dscott wrote:

    Philip,

    I've never done anything with IPv6, but if you want to post your config, I'll see if I can get it working in my lab.

    Also not sure why the DHCP isn't working in the DMZ VLAN; it was working for me. Again, the config would help.


    I've attached a cut-down config; hopefully I've included enough to show how our setup works ... or doesn't work ;-). You'll see the main default static routes under routing-options, and it is this rib statement that I've tried to re-use in the virtual router.

    I can post a separate thread about this issue in this forum in case there is someone who has done something similar with IPv6 and virtual routers.

    Please don't worry about the DHCP portion. I suspect I made a mistake, but my Junos troubleshooting skills are not great, so I felt it was simpler to take the option of moving DHCP out to the router. It makes it more consistent with the other VLANs, so not a problem. I do appreciate all of the time and effort you went to on it though ;-).

    Philip

    Attachment(s): EX4200.txt (5 KB)


  • 22.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-27-2011 12:00

    I figured it out.

    rib inet6.0 is for the main (default) part of the routing table. Each routing instance has its own part of the routing table, so you have to name the right bit:

    rib VR_Private.inet6.0 {
        static {
            route ::/0 next-hop 2001:630:280::1;
        }
    }

    All working.

    Thanks again, Dustin.

    Philip



  • 23.  RE: EX4200s - need to control traffic between VLANs

    Posted 08-27-2011 14:27

    Yeah, each virtual router has its own inet and inet6 routing tables, so you have to reference them by prepending the virtual router name.

     

    Glad I could help.
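    Pulling the pieces of this thread together (the routing-instance from post 9, the per-instance DHCP helper from post 11, and the instance-qualified inet6 rib from posts 22 and 23), here is an added example of a complete EX configuration that is not one of the attached configs: the internal VLAN lives in a virtual router whose only way out is the router, the DMZ VLAN stays L2 on the switch, and DHCP for the internal VLAN is relayed to a server reached through that instance. The VLAN ids, RVI unit, uplink port, next-hop and DHCP server addresses are assumed lab values.

```junos
/* Added example, not from the thread: internal VLAN in VR_Private, DMZ VLAN L2-only and routed by the router. */
vlans {
    DMZ {
        vlan-id 10;
    }
    Department_1 {
        vlan-id 20;
        l3-interface vlan.20;
    }
}
interfaces {
    ge-0/0/47 {
        /* routed point-to-point link to the router; it is placed in VR_Private below (assumed port) */
        unit 0 {
            family inet {
                address 10.10.255.6/30;
            }
            family inet6 {
                address 2001:db8:ff::2/64;
            }
        }
    }
    vlan {
        unit 20 {
            family inet {
                address 192.168.20.1/24;
            }
            family inet6 {
                address 2001:db8:20::1/64;
            }
        }
    }
}
routing-instances {
    VR_Private {
        instance-type virtual-router;
        interface ge-0/0/47.0;
        interface vlan.20;
        routing-options {
            /* VR_Private has no route to the DMZ subnet, so internal-to-DMZ traffic can only follow this default route */
            static {
                route 0.0.0.0/0 next-hop 10.10.255.5;
            }
            /* each instance has its own IPv6 table; a bare "rib inet6.0" names the default instance and fails to commit */
            rib VR_Private.inet6.0 {
                static {
                    route ::/0 next-hop 2001:db8:ff::1;
                }
            }
        }
    }
}
forwarding-options {
    helpers {
        bootp {
            interface {
                /* relay DHCP from the internal VLAN to a server that is reachable through VR_Private */
                vlan.20 {
                    server 10.10.255.5 routing-instance VR_Private;
                }
            }
        }
    }
}
```

    Because the DMZ VLAN has no l3-interface and no entry in VR_Private, a host on Department_1 reaching the DMZ is forwarded to 10.10.255.5 and the router decides whether to pass it on; `show route table VR_Private.inet6.0` confirms the IPv6 default is installed in the instance.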