
RVI in Private VLAN on EX3400

  • 1.  RVI in Private VLAN on EX3400

    Posted 02-17-2017 00:39

    Hi

     

    The Feature Explorer says that I can configure RVI for PVLAN (picture below).

    But the official manual:

    http://www.juniper.net/techpubs/en_US/junos/information-products/pathway-pages/ex4300/ethernet-switching-vlans.pdf

    says that you can do RVI for PVLANs only on EX8200.

    So the official info is inconsistent.  

     

    Has anyone used RVI on EX3400 in PVLANs?

     

    ex3400-pvlan-rvi.png



  • 2.  RE: RVI in Private VLAN on EX3400
    Best Answer

    Posted 02-17-2017 01:58

    It does seem like it is. Maybe the feature will be supported later on EX3400:) BTW what version are you running?



  • 3.  RE: RVI in Private VLAN on EX3400

    Posted 02-17-2017 02:19

     

    root@ex3400-testowy1# run show version | match 15.1X     
    Junos: 15.1X53-D51
    
    

    You're probably right.

    Strange that this feature is only on the massive and expensive EX8200 and on the rather cheap EX3400. Nothing in between 🙂



  • 4.  RE: RVI in Private VLAN on EX3400

    Posted 02-20-2017 02:06

    Still trying :) I just tested it in my lab. I can add an L3 interface to the PVLAN. When I try to ping from the switch to the hosts, the ARP broadcast goes to all community VLANs. This is good 🙂 But there is no accepted reply from the hosts :/

     

    Please help.

     

    root@ex3400-testowy1# show interfaces
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                inter-switch-link;
                vlan {
                    members 100;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 101;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 102;
                }
            }
        }
    }
    irb {
        unit 100 {
            proxy-arp unrestricted;
            family inet {
                address 192.168.0.1/24;
            }
        }
    } 
    klient1 {
        vlan-id 101;
        private-vlan community;
    }
    klient2 {
        vlan-id 102;
        private-vlan community;
    }
    pv100 {
        vlan-id 100;
        l3-interface irb.100;
        community-vlans [ klient1 klient2 ];
    }
    
    
    root@ex3400-testowy1# run show ethernet-switching table
    
    MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
               SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)
    
    
    Ethernet switching table : 2 entries, 2 learned
    Routing instance : default-switch
        Vlan                MAC                 MAC         Age    Logical               NH        RTR
        name                address             flags interface              Index     ID
        pv100               00:21:70:bb:e1:98   D             - ge-0/0/2.0             0         0
        pv100               00:21:70:c0:c9:cf   D             - ge-0/0/1.0             0         0 
    root@ex3400-testowy1# run show vlans extensive
    
    Routing instance: default-switch
      VLAN Name: default                        State: Active
    Tag: 1
    Internal index: 2, Generation Index: 2, Origin: Static
    MAC aging time: 300 seconds
    VXLAN Enabled : No
    Number of interfaces: Tagged 0    , Untagged 0
    Total MAC count: 0
    
    Routing instance: default-switch
      VLAN Name: klient1                        State: Active
    Tag: 101
    PVLAN type : Community
    Internal index: 6, Generation Index: 6, Origin: Static
    MAC aging time: 300 seconds
    VXLAN Enabled : No
    Interfaces:
        ge-0/0/0.0,tagged,trunk,Inter-switch-link
        ge-0/0/1.0*,untagged,access
    Number of interfaces: Tagged 1    , Untagged 1
    Total MAC count: 0
    
    Routing instance: default-switch
      VLAN Name: klient2                        State: Active
    Tag: 102
    PVLAN type : Community
    Internal index: 7, Generation Index: 7, Origin: Static
    MAC aging time: 300 seconds
    VXLAN Enabled : No
    Interfaces:
        ge-0/0/0.0,tagged,trunk,Inter-switch-link
        ge-0/0/2.0*,untagged,access
    Number of interfaces: Tagged 1    , Untagged 1
    Total MAC count: 0
    
    Routing instance: default-switch
      VLAN Name: pv100                          State: Active
    Tag: 100
    PVLAN type : Primary
    Community VLAN :
            vlan-id : 101 vlan name : klient1
            vlan-id : 102 vlan name : klient2
    Internal index: 5, Generation Index: 5, Origin: Static
    MAC aging time: 300 seconds
    Layer 3 interface: irb.100
    VXLAN Enabled : No
    Interfaces:
        ge-0/0/0.0,tagged,trunk,Inter-switch-link
        ge-0/0/1.0*,untagged,access
        ge-0/0/2.0*,untagged,access
    Number of interfaces: Tagged 1    , Untagged 2
    Total MAC count: 2
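
An added example, not part of the original post and not Juniper code: a small audit of the ELS-style configuration posted above. It checks that every VLAN listed under `community-vlans` is declared `private-vlan community`, and reports when the primary VLAN has an `l3-interface`, since that IRB is the single Layer 3 interface shared by all communities. The helper names `parse` and `audit_pvlan` are hypothetical, and the input is condensed from the post.

```python
import re

# Constructed input: irb and vlans stanzas condensed from the post above.
CONFIG = """
interfaces { irb { unit 100 { proxy-arp unrestricted; } } }
vlans {
    klient1 { vlan-id 101; private-vlan community; }
    klient2 { vlan-id 102; private-vlan community; }
    pv100 { vlan-id 100; l3-interface irb.100; community-vlans [ klient1 klient2 ]; }
}
"""

def parse(tokens):
    """Turn Junos curly-brace config tokens into nested dicts."""
    node, words = {}, []
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tok == "{":
            node[" ".join(words)] = parse(tokens)
            words = []
        elif tok == ";":
            node[words[0]] = " ".join(words[1:]) or True
            words = []
        else:
            words.append(tok)
    return node

def audit_pvlan(config_text):
    """List PVLAN consistency problems and Layer 3 exposure per primary VLAN."""
    cfg = parse(re.findall(r"\[[^\]]*\]|[{};]|[^\s{};]+", config_text))
    vlans, irb = cfg.get("vlans", {}), cfg.get("interfaces", {}).get("irb", {})
    findings = []
    for name, vlan in vlans.items():
        if "community-vlans" not in vlan:
            continue  # assumption: primaries are recognised by this list, as in the post
        for sec in vlan["community-vlans"].strip("[] ").split():
            if vlans.get(sec, {}).get("private-vlan") != "community":
                findings.append(f"{name}: {sec} is not defined as a community VLAN")
        l3 = vlan.get("l3-interface")
        if l3:
            findings.append(f"{name}: {l3} is the Layer 3 interface for all community VLANs")
            unit = irb.get("unit " + l3.partition(".")[2], {})
            if unit.get("proxy-arp") == "unrestricted":
                findings.append(f"{name}: {l3} proxy-ARPs for any routable address")
    return findings

print("\n".join(audit_pvlan(CONFIG)))
```

Both findings for the posted configuration concern `irb.100`: where the communities are meant to stay separated, any filtering between them has to be applied on that interface.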
    


  • 5.  RE: RVI in Private VLAN on EX3400

    Posted 02-20-2017 11:24

    Assuming that pv100 is your primary VLAN, I don't see these two statements, which are required for PVLAN to create and isolate the traffic:
    set vlans pv100 no-local-switching
    You have to nest the community VLANs under the primary VLAN:
    set vlans klient1 primary-vlan pv100
    set vlans klient2 primary-vlan pv100
    Your output "show vlans extensive" does not show the pvlan_pvlan<#>_<interface>
    The mode should show the community VLAN ALONG with

    Community, Primary VLAN: pv100

    the primary VLAN



  • 6.  RE: RVI in Private VLAN on EX3400



  • 7.  RE: RVI in Private VLAN on EX3400

    Posted 02-20-2017 14:09

    Ahh! That's why it will not work. I just don't understand why remove the feature???!! I mean, of what benefit is it to remove that feature??



  • 8.  RE: RVI in Private VLAN on EX3400

    Posted 02-20-2017 14:20

    I think that PVLAN is just configured in a different way, but I still can't get it working.

    In show vlans extensive I got:

    Routing instance: default-switch
      VLAN Name: pv100                          State: Active
    Tag: 100
    PVLAN type : Primary
    Community VLAN :
            vlan-id : 101 vlan name : klient1
            vlan-id : 102 vlan name : klient2


  • 9.  RE: RVI in Private VLAN on EX3400

    Posted 02-20-2017 16:13

    Yes, you are correct. After reading more I realized the configuration you have is how it is done on ELS. This note may be what is causing the issue:

    IRB Interface Limitation in a PVLAN

    If your PVLAN includes multiple switches, an issue can occur if the Ethernet switching table is cleared on a switch that does not have an IRB interface. If a Layer 3 packet transits the switch before its destination MAC address is learned again, it is broadcast to all the Layer 3 hosts connected to the PVLAN. Note: Each host device that you want to connect at Layer 3 must be in the same subnet as the IRB interface and use the IP address of the IRB interface as its default gateway address.

     

    Take a look at this article, specifically the verification outputs, and see if they compare to your system

    https://www.juniper.net/techpubs/en_US/junos/topics/example/private-vlans-multiple-switches-irb-qfx-series.html

     



  • 10.  RE: RVI in Private VLAN on EX3400

    Posted 02-20-2017 17:00

    Thank you for your reply lyndidon, but I'm trying on only one switch



  • 11.  RE: RVI in Private VLAN on EX3400

    Posted 02-20-2017 17:40

    OK, I see. Could you show this output?

    show vlans klient1 extensive

    One thing I would like to see from your test:

    Remove or deactivate the IRB, then ping host 1 on klient1 from a host on klient2.

    Activate the IRB and repeat the same. I am really more curious now about this ELS. I don't have any such systems to test, so I have to rely on the efforts of you and others with such experience.



  • 12.  RE: RVI in Private VLAN on EX3400

     
    Posted 02-20-2017 18:55

    I found this for EX4300, whose syntax should be same as that for EX3400.  This is without IRB but at least this should help you get the L2 PVLAN stuff set-up right, if other posting is accurate:

     

    https://forums.juniper.net/t5/Ethernet-Switching/PVLAN-on-EX4300/m-p/283272

     

    I'd like to know if you are using similar config or not.



  • 13.  RE: RVI in Private VLAN on EX3400

    Posted 02-20-2017 23:17

    My config is similar, but I didn't configure any isolated VLAN.

     

    I have already checked it. Without the L3 interface IRB on the primary VLAN, those devices in different communities don't see each other. The thing is that I need routing between community VLANs.

     

    I have got a VC of EX3400. Feature Explorer says that it supports IRB on PVLAN, but the manual says it doesn't support RVI on PVLAN.

    Junos allows me to configure IRB on PVLAN, but it doesn't work. Broadcast ARP requests get from the switch to the hosts, but no answer comes back to the switch.



  • 14.  RE: RVI in Private VLAN on EX3400

     
    Posted 02-21-2017 07:44

    Sorry very confused by your latest statements.  If you want routing/communication between the communities why are you using PVLAN in the first place?  Is the idea that communities can only talk to each other once they hit some Security point, like say a FW?

     

    What is the subnet mask associated with the IRB and what is the subnet mask of the communities? Does a community know it needs to route (from an IP perspective) if it is trying to reach a different community?

     

    Trying to figure out the big picture requirement, not just if IRB works with PVLAN, . . .