Routing

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Vlan per customer

    Posted 01-30-2017 06:50

    Hi

    In my datacenter network there are

    - 2 * MX80 as BGP speakers to the ISP

    - VC EX4550

    - and a lot of EX3300 as access switches.

    Do you have any idea how to get what "Private VLANs" do on these devices? As I understand it, I would need a powerful SRX to run private VLANs, so I'm looking for a workaround/alternative.



  • 2.  RE: Vlan per customer

    Posted 01-30-2017 16:33

    I'm not sure what you are looking for, as Private VLANs and SRX firewalls are two entirely different things.

    https://www.juniper.net/documentation/en_US/junos15.1/topics/concept/private-vlans-ex-series.html

    PVLANs allow a speaker to connect with the default gateway but not with other hosts in the same network.

    SRX firewalls provide stateful inspection of traffic between security zones and allow nuanced control of traffic and the use of NAT for internet access.

    If you are looking for something SRX-like on switches, perhaps firewall filters would give you some of the traffic control. But these are packet-filter based, not stateful. And they are more cumbersome to manage and monitor.

    http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-ex-series-overview.html



  • 3.  RE: Vlan per customer

    Posted 01-30-2017 23:44
    Thanks for the answer.

    We have got an EX4550 as the L3 gateway and a few EX3300 as access switches. All of them support PVLAN.

    The problem is that I would need a router with a promiscuous port - I think our MXes can't (or can) do that. That's why I wrote about SRX.

    I enclosed a schema. I would like to separate customers within the same IP class.

    Any ideas how to do it without SRX?



  • 4.  RE: Vlan per customer

    Posted 01-31-2017 03:14

    I'm sorry, it is still not clear to me what your desired end state is. You currently use PVLAN for the gateway.

    Are you looking to move the gateway to the MX and no longer have PVLAN?

    Or do you want some kind of separation of the clients AND keep them in the same broadcast domain?

    Or do you want separation of the clients and need normal VLAN operation?



  • 5.  RE: Vlan per customer

    Posted 01-31-2017 03:46

    Thanks for trying to understand me 🙂

    I don't use PVLAN at the moment because I don't have a router that supports promiscuous mode.

    At the moment all customers are in the same VLAN, in one broadcast domain and in one network class.

    I'm looking for a solution to prohibit customer1 from using customer2's IP addresses.

    The other thing is that customer2 has VMware and he can move his IP addresses between VMs, so MAC addresses can change.

    Yes, I can move the gateway to the MXes.



  • 6.  RE: Vlan per customer
    Best Answer

    Posted 02-01-2017 02:12

    Thanks for the clarification.

    PVLAN is not a solution for our issue. With PVLAN each host can only communicate with the gateway, not with each other. This would likely not be good for your customers with multiple devices that they would want to talk to each other. And it will not prevent someone from adding another host IP address in the same subnet which you had allocated to someone else.

    Your only real solution to locking down IP addresses per client is to assign each client their own subnet and gateway. With this restriction they cannot step outside their allocation onto other client services. The MX is a good platform to scale out this type of multiple VLAN and IP range setup.
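One way to build the per-customer VLAN, subnet and gateway on the MX that the best answer recommends, as an added example that is not part of the thread: each customer gets its own tagged subinterface, and strict unicast RPF on that subinterface drops packets whose source address belongs to another customer's allocation. Interface names, VLAN IDs, the filter name rpf-fail and the 192.0.2.0/24 documentation subnets are assumed.

```junos
/* Added example, not configuration from the thread. Assumed names: MX uplink
   ge-0/0/0 toward the EX4550, customer VLANs 101 and 102, and the constructed
   documentation subnets 192.0.2.0/26 and 192.0.2.64/26. */
interfaces {
    ge-0/0/0 {
        description "trunk to EX4550, one tagged VLAN per customer";
        vlan-tagging;
        unit 101 {
            description customer1;
            vlan-id 101;
            family inet {
                /* strict uRPF: a packet is accepted only if the best route
                   back to its source address points out this same unit */
                rpf-check {
                    fail-filter rpf-fail;
                }
                address 192.0.2.1/26;
            }
        }
        unit 102 {
            description customer2;
            vlan-id 102;
            family inet {
                rpf-check {
                    fail-filter rpf-fail;
                }
                address 192.0.2.65/26;
            }
        }
    }
}
firewall {
    family inet {
        /* applied only to packets that failed the RPF check: count them
           per customer interface for monitoring, then discard */
        filter rpf-fail {
            interface-specific;
            term spoofed-source {
                then {
                    count rpf-fail;
                    discard;
                }
            }
        }
    }
}
```

A packet that customer1 sends with a source address in 192.0.2.64/26 arrives on unit 101, where the route back to that source points at unit 102, so the RPF check fails and the packet is counted and discarded. The per-interface counters are visible with `show firewall`, which gives you a simple spoofing indicator per customer.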