Ethernet Switching

Disable Inter-VLAN Switching/Routing on EX4300-48MP

03-31-2020 05:36 AM

Hi guys,

first: I'm totally new to Juniper and CLI-only enterprise switches - condemn me, but I prefer a web-based GUI for our humble needs... ;-)

 

Our newly installed EX4300-48MP does routing between VLANs that are connected to the device and I don't know why. I actually know the concept of VLANs differently: hosts of a VLAN are able to communicate with each other, but traffic between VLANs needs a routing instance. I hope you can help me with that.

 

 


 

 

The initial scenario: One Cisco SG500 in L3 mode doing the routing between VLANs (and a few other things like ACLs and DHCP). Two "stupid" Cisco SG300 in L2 mode. If VLAN 20 wants to communicate with VLAN 100 (even on the same switch), the traffic needs to be routed by the L3 switch.

 

New scenario: Unfortunately, the EX4300-48MP seems to be a bit smarter than the SG300... VLAN 20 can communicate with VLAN 100 and vice versa when connected to the EX4300-48MP. There are some ACLs on the SG500 that are bypassed if the EX does this type of Inter-VLAN Switching/Routing.

 

How do I force the traffic between VLANs to be routed only by the Cisco SG500?

 

The current configuration (I just created the VLANs and assigned them to some access ports and one trunk port):

 

root> show configuration | display set
set version 18.4R2-S2.3
set system root-authentication encrypted-password "xxx"
set system services ssh protocol-version v2
set system services netconf ssh
set system services web-management http
set system time-zone Europe/Berlin
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system processes dhcp-service traceoptions file dhcp_logfile
set system processes dhcp-service traceoptions file size 10m
set system processes dhcp-service traceoptions level all
set system processes dhcp-service traceoptions flag packet
set interfaces ge-0/0/0 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/1 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members guests
set interfaces ge-0/0/2 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members guests
set interfaces ge-0/0/3 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members guests
set interfaces ge-0/0/4 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/5 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/6 unit 0 family ethernet-switching storm-control default
...
set interfaces ge-0/0/23 unit 0 family ethernet-switching storm-control default
set interfaces mge-0/0/24 unit 0 family ethernet-switching interface-mode access
set interfaces mge-0/0/24 unit 0 family ethernet-switching vlan members servers
set interfaces mge-0/0/24 unit 0 family ethernet-switching storm-control default
set interfaces mge-0/0/25 unit 0 family ethernet-switching interface-mode access
set interfaces mge-0/0/25 unit 0 family ethernet-switching vlan members servers
set interfaces mge-0/0/25 unit 0 family ethernet-switching storm-control default
set interfaces mge-0/0/26 unit 0 family ethernet-switching storm-control default
set interfaces mge-0/0/27 unit 0 family ethernet-switching storm-control default
...
set interfaces mge-0/0/47 unit 0 family ethernet-switching storm-control default
set interfaces xe-0/2/0 native-vlan-id 1
set interfaces xe-0/2/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/2/0 unit 0 family ethernet-switching vlan members guests
set interfaces xe-0/2/0 unit 0 family ethernet-switching vlan members default
set interfaces xe-0/2/0 unit 0 family ethernet-switching vlan members servers
set interfaces xe-0/2/0 unit 0 family ethernet-switching storm-control default
set interfaces xe-0/2/1 native-vlan-id 1
set interfaces xe-0/2/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/2/1 unit 0 family ethernet-switching vlan members guests
set interfaces xe-0/2/1 unit 0 family ethernet-switching vlan members default
set interfaces xe-0/2/1 unit 0 family ethernet-switching vlan members servers
set interfaces xe-0/2/1 unit 0 family ethernet-switching storm-control default
set interfaces xe-0/2/2 unit 0 family ethernet-switching storm-control default
set interfaces xe-0/2/3 unit 0 family ethernet-switching storm-control default
set interfaces vme unit 0 family inet address 192.168.1.9/24
set forwarding-options storm-control-profiles default all
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.2
set protocols lldp interface all
set protocols lldp-med interface all
set protocols igmp-snooping vlan default
set protocols rstp interface all
set vlans default vlan-id 1
set vlans guests vlan-id 20
set vlans servers vlan-id 100
set poe interface all

192.168.1.2 is the Cisco SG500 L3 Switch and all hosts are using it as their gateway.

 

Thanks a lot in advance!!!

 


Re: Disable Inter-VLAN Switching/Routing on EX4300-48MP

03-31-2020 06:31 AM

Hello,

 

can you please check if this answers your question:
https://forums.juniper.net/t5/Ethernet-Switching/Disable-InterVlan-routing/td-p/460628

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution".
If you think that my answer was helpful, please spend some Kudos.

Re: Disable Inter-VLAN Switching/Routing on EX4300-48MP

03-31-2020 07:26 AM

Thanks for your reply!

 

I stumbled across this thread while searching the forums and I guess that Private VLANs should solve this issue. But isn't that a wrong default behavior? Hosts of different VLANs shouldn't be able to communicate with each other.

 

 


 


Re: Disable Inter-VLAN Switching/Routing on EX4300-48MP

03-31-2020 08:33 AM

Those guidelines and your reply are 100% accurate, with the exception being when a VLAN is made L3 aware. The switch, on which VLANs cannot communicate, is now turned into a Switch-Router, and a Router by default allows all local subnets/VLANs to communicate with each other as they are local to the router.

 

If you do not want the VLANs to communicate there are multiple options, but one would be to create or connect the VLANs to an External Router, while leaving the VLANs as pure L2.  For pure L2, no local IP address is associated with the VLAN on the Switch (Router).

 

This is IP/VLANs/L2/L3 basic 101.
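
The reply above and the configuration in the original post come down to one check: is any VLAN on the EX bound to an l3-interface (irb), which is what makes it L3 aware? The script below is an added example, not code from this thread or from Juniper; it parses "show configuration | display set" output and reports per VLAN whether it is pure L2 or routed on the switch. It assumes a switching port without an explicit interface-mode behaves as access, and its sample input is a constructed subset of the configuration posted above plus one assumed irb.100 binding so both cases appear.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "display set" output posted above, plus one
# ASSUMED line (servers l3-interface irb.100) so both L2-only and L3-aware cases appear.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members guests
set interfaces mge-0/0/24 unit 0 family ethernet-switching interface-mode access
set interfaces mge-0/0/24 unit 0 family ethernet-switching vlan members servers
set interfaces xe-0/2/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/2/0 unit 0 family ethernet-switching vlan members guests
set interfaces xe-0/2/0 unit 0 family ethernet-switching vlan members servers
set vlans guests vlan-id 20
set vlans servers vlan-id 100
set vlans servers l3-interface irb.100
"""

SW = r"^set interfaces (\S+) unit \d+ family ethernet-switching "
MODE_RE = re.compile(SW + r"interface-mode (access|trunk)$")
MEMBER_RE = re.compile(SW + r"vlan members (\S+)$")
VLAN_ID_RE = re.compile(r"^set vlans (\S+) vlan-id (\d+)$")
VLAN_L3_RE = re.compile(r"^set vlans (\S+) l3-interface (irb\.\d+)$")

def audit_vlans(config_text):
    """Map each VLAN to its id, member ports, and any irb (L3) interface bound to it."""
    modes, members = {}, defaultdict(list)
    vlans = defaultdict(lambda: {"vlan_id": None, "l3_interface": None,
                                 "access": [], "trunk": []})
    for line in config_text.splitlines():
        if m := MODE_RE.match(line):
            modes[m[1]] = m[2]
        elif m := MEMBER_RE.match(line):
            members[m[1]].append(m[2])
        elif m := VLAN_ID_RE.match(line):
            vlans[m[1]]["vlan_id"] = int(m[2])
        elif m := VLAN_L3_RE.match(line):
            vlans[m[1]]["l3_interface"] = m[2]
    for iface, names in members.items():
        # Assumption: a switching port with no explicit interface-mode behaves as access.
        mode = modes.get(iface, "access")
        for name in names:
            vlans[name][mode].append(iface)
    return dict(vlans)

def l3_aware_vlans(report):
    """VLANs the switch itself can route between: those with an irb bound to them."""
    return sorted(n for n, v in report.items() if v["l3_interface"])
```

A VLAN that shows up in l3_aware_vlans is one the EX will route for; a pure L2 VLAN, like every VLAN in the configuration posted above, has no such binding and its traffic must leave over the trunk to reach another subnet.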


Re: Disable Inter-VLAN Switching/Routing on EX4300-48MP

04-01-2020 08:18 AM

Thanks for the clarification. But... there is a trunk to the L3 Switch/Router and I did not assign any IP addresses to the VLANs, so they should be pure L2.

Re: Disable Inter-VLAN Switching/Routing on EX4300-48MP

04-01-2020 09:43 AM

So I assume clients in each VLAN have a Def Gateway that points to external Cisco Router over the L2 tagged trunk port, yes?  In this case the external Cisco Router knows how to Route at L3 between the VLANs, so it is there that the VLANs are allowed to communicate with each other.  If you take down the link between the EX4300 switch with the VLANs and the Cisco Router, I predict you will NOT be able to communicate VLAN to VLAN.

 

Again this is all IP/VLANs/L2/L3 basic 101.


Re: Disable Inter-VLAN Switching/Routing on EX4300-48MP

04-02-2020 12:17 AM

Yes, default gateways point to the Cisco. Yes, the Cisco knows how to route between the VLANs, but there are some ACLs to restrict communication between VLANs. I already tried to take down the trunk between the EX4300 and the Cisco - same behavior.

 

All clients connected to the EX4300 can communicate with each other, no matter which VLANs are set. If you try to communicate with clients connected to another switch, the ACLs are working as expected.


Re: Disable Inter-VLAN Switching/Routing on EX4300-48MP

04-02-2020 05:03 AM

Maybe you could gather the output of the commands below when there is no physical connection to the Cisco.

 

show route

show interface terse | no-more

show configuration interface | no-more

 

Paste all of this into some doc (Word/etc.) and send it here so we can take a better look.