Ethernet Switching

Juniper ex4600 - disable/block local route but let IRB and VRRP online

03-23-2020 12:07 AM

Hi Guys,

I need an idea to solve my task.

I have two ex4600 MCL with IRB and VRRP interfaces. In some VLANs I would like the local route of the IRB to be disabled, but the IP of the IRB and the VRRP address should be online.

The devices in the VLAN should not be able to route over the IRB and VRRP address, but I would like to use ping with the IRB and see the ethernet-switching table.

On my ex9200 I can solve it with an output firewall policy on the IRB, but the ex4600 doesn't support output firewall policies.

Is there any possibility to block routing without disabling interfaces?

Thx


Re: Juniper ex4600 - disable/block local route but let IRB and VRRP online

03-23-2020 01:15 AM

Hi,

What is your use-case? That local route is only needed when routing between VLANs.  So host to host traffic in the same VLAN (as the irb) still uses ethernet-switching.  If your use-case is to block inter-vlan routing, there's still an option to apply ingress ACLs to block IP subnets "source-address x.x.x.x" and/or "destination-address x.x.x.x" on the IRB unit interfaces.  If you're trying to block communication within a VLAN, consider using family ethernet-switching filters for protecting specific server(s) or use private VLANs: https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/private-vlans-qfx...

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :).
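An added configuration example (not from the thread and not Juniper's own text) of the ingress ACL on an IRB unit that the reply above suggests: a family inet filter applied as input on irb.1 discards traffic from the office VLAN that is destined for the production subnet. The VLAN subnets, filter name and counter name are assumed.

```junos
/* Assumed addressing: office VLAN 1 = 10.0.1.0/24, production VLAN 22 = 10.0.22.0/24 */
firewall {
    family inet {
        filter OFFICE-TO-PROD {
            /* Traffic entering irb.1 from VLAN 1 hosts and routed toward VLAN 22 is dropped */
            term deny-to-vlan22 {
                from {
                    destination-address {
                        10.0.22.0/24;
                    }
                }
                then {
                    count office-to-prod-dropped;   /* "show firewall filter OFFICE-TO-PROD" shows hits */
                    discard;
                }
            }
            /* Everything else (other VLANs, internet) keeps routing as before */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    irb {
        unit 1 {
            family inet {
                filter {
                    input OFFICE-TO-PROD;
                }
                address 10.0.1.2/24;
            }
        }
    }
}
```

An input filter on irb.1 only sees packets that the switch itself routes; frames switched inside VLAN 1 to a dual-homed server's NIC never touch the IRB, so that path is not covered by this filter.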


Re: Juniper ex4600 - disable/block local route but let IRB and VRRP online

03-23-2020 02:58 AM

I think you want to just isolate a vlan or set of vlans so that layer 3 routing does not connect with the main group.

If that is correct, simply create a routing instance of virtual router and place the interfaces for the isolated vlan here.  This behaves as if they are on an independent router/switch and they will only be able to see and route to each other.

You will also then need to move the upstream connection for this vlan over to the virtual router as well so the outbound default route will work if they need to leave the switch for something else.  But if they are completely local nothing else needs to be done.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Juniper ex4600 - disable/block local route but let IRB and VRRP online

03-24-2020 12:24 AM

Hi,

Thx for the two answers. Mriyaz, I explain the case again; your understanding of my case is not quite correct.

Spuluka, you are on the right way, but I explain my case in a little more detail again, so I hope you can check it again with your idea.

I have the two ex4600 with some VLANs, each with IRB and VRRP. For example:

  • VLAN ID 1 and VLAN ID 22
  • The clients in VLAN 1 have their IPs and gateway set up correctly because these are office clients.
  • The clients in VLAN 22 are production clients and should not be reachable by the office clients.
    • Most clients have no gateway set up, so they cannot answer requests from the office clients.
    • Some clients have the gateway of the VLAN set up, but I have an input firewall filter on the ex4600 to block that traffic.
    • But some clients have a server in the VLAN set up as gateway, and that server has two NICs, one in VLAN 1 and one in VLAN 22. The server routes these packets between the VLANs.

So I want to block the traffic from VLAN 1 to VLAN 22. But I have many office VLANs, so I can't and don't want to set up input filters on all those IRBs. And the ex4600 can't set up output filters like the ex9200.

In the future we will remove the server and set up the clients with other settings, but at the moment it's not possible. So I am searching for an easy way to block that traffic from one VLAN to VLAN 22.

Re: Juniper ex4600 - disable/block local route but let IRB and VRRP online

03-25-2020 02:39 AM

Thanks for the additional detail.

It sounds like you temporarily want all the devices in this subnet to only communicate with each other and nothing else except the server that also has an interface in that vlan.

If that is the case you can simply delete the layer 3 interface in that vlan and make this layer 2 only.

If the devices do need to communicate out to the internet but not to other vlans, then the virtual router solution is the way to go.  Put their interface in a virtual router then connect another interface out of that virtual interface up to your firewall as a routed link so that is the only path in/out of the virtual router.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
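An added configuration example (not from the thread, not Juniper's documentation) of the virtual-router approach described in this reply and the earlier one: irb.22 with its VRRP group is moved into a routing instance of type virtual-router, so the main instance loses its local route to the production subnet while the IRB, the VRRP address and ARP/MAC learning stay up. With no default route or upstream interface in the instance, VLAN 22 cannot reach other VLANs or the internet. Subnet, instance name, VRRP group and the VRRP peer on the second ex4600 are assumed.

```junos
/* Assumed: production VLAN 22 = 10.0.22.0/24, VRRP VIP 10.0.22.1,
   this switch 10.0.22.2, the MC-LAG peer 10.0.22.3 with a lower priority */
routing-instances {
    PROD-VLAN22 {
        instance-type virtual-router;
        /* Only this interface lives here: no default route, no other IRBs */
        interface irb.22;
    }
}
interfaces {
    irb {
        unit 22 {
            family inet {
                address 10.0.22.2/24 {
                    vrrp-group 22 {
                        virtual-address 10.0.22.1;
                        priority 200;
                        /* accept-data lets the VRRP master answer pings to the VIP */
                        accept-data;
                    }
                }
            }
        }
    }
}
vlans {
    vlan22 {
        vlan-id 22;
        l3-interface irb.22;
    }
}
/* Checks after commit (assumed addresses):
   "show route 10.0.22.0/24 table inet.0"      -> nothing: office VLANs have no path to VLAN 22
   "show route table PROD-VLAN22.inet.0"       -> 10.0.22.0/24 as a direct route via irb.22
   "show arp interface irb.22"                 -> production hosts are still learned
   "show ethernet-switching table vlan-name vlan22" -> MAC table for the VLAN still populated */
```

The same change must be made on the second ex4600 so that VRRP keeps running inside the instance on both members; the dual-homed server still forwards between VLAN 1 and VLAN 22 on its own NICs, which this configuration does not touch.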

Re: Juniper ex4600 - disable/block local route but let IRB and VRRP online

03-30-2020 06:44 AM

Hi,

The clients should talk to each other and to the L3 interfaces, but not to other VLANs or the internet. I would like to see the ARP entries of the devices on the switch. So the devices should not route on the switch.

Is there a possibility to disable the direct route but leave the L3 interface online?


Re: Juniper ex4600 - disable/block local route but let IRB and VRRP online

04-01-2020 02:52 AM

I'm confused by your latest post.

If the devices only need to talk to each other then a layer 3 interface in that vlan is not required for that to work.

But if you just want a layer 3 interface in order to be able to track mac addresses, then moving the vlan and layer 3 interface into a virtual router routing instance will also work.

But if you are saying the devices need to talk to the layer 3 interface in other vlans but not devices in that vlan, I'm not sure how that works.  And it would require a very complex filter.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home