RVI in Private VLAN on EX3400

02-17-2017 12:39 AM

Hi

The Feature Explorer says that I can configure RVI for PVLAN (picture below).

But the official manual:

http://www.juniper.net/techpubs/en_US/junos/information-products/pathway-pages/ex4300/ethernet-switc...

says that you can do RVI for PVLANs only on EX8200.

So the official info is inconsistent.

Has anyone used RVI on EX3400 in PVLANs?

[Attached image: ex3400-pvlan-rvi.png]

13 REPLIES
Solution
Accepted by topic author bartek_iq
02-17-2017 02:19 AM

Re: RVI in Private VLAN on EX3400

02-17-2017 01:57 AM

It does seem like it is. Maybe the feature will be supported later on EX3400 :) BTW, what version are you running?

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Re: RVI in Private VLAN on EX3400

02-17-2017 02:18 AM

root@ex3400-testowy1# run show version | match 15.1X     
Junos: 15.1X53-D51

You are probably right.

Strange that this feature is only on the massive and expensive EX8200 and on the rather cheap EX3400. Nothing in between :)

Re: RVI in Private VLAN on EX3400

02-20-2017 02:05 AM

Still trying :) I just tested it in my lab. I can add an L3 interface to the PVLAN. When I try to ping from the switch to hosts, ARP broadcasts go to all community VLANs. This is good :) But there is no accepted reply from the hosts :/

Please help.

root@ex3400-testowy1# show interfaces
ge-0/0/0 {
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            inter-switch-link;
            vlan {
                members 100;
            }
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family ethernet-switching {
            vlan {
                members 101;
            }
        }
    }
}
ge-0/0/2 {
    unit 0 {
        family ethernet-switching {
            vlan {
                members 102;
            }
        }
    }
}
irb {
    unit 100 {
        proxy-arp unrestricted;
        family inet {
            address 192.168.0.1/24;
        }
    }
} 
klient1 {
    vlan-id 101;
    private-vlan community;
}
klient2 {
    vlan-id 102;
    private-vlan community;
}
pv100 {
    vlan-id 100;
    l3-interface irb.100;
    community-vlans [ klient1 klient2 ];
}

root@ex3400-testowy1# run show ethernet-switching table

MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)


Ethernet switching table : 2 entries, 2 learned
Routing instance : default-switch
    Vlan                MAC                 MAC         Age    Logical               NH        RTR
    name                address             flags interface              Index     ID
    pv100               00:21:70:bb:e1:98   D             - ge-0/0/2.0             0         0
    pv100               00:21:70:c0:c9:cf   D             - ge-0/0/1.0             0         0 
root@ex3400-testowy1# run show vlans extensive

Routing instance: default-switch
  VLAN Name: default                        State: Active
Tag: 1
Internal index: 2, Generation Index: 2, Origin: Static
MAC aging time: 300 seconds
VXLAN Enabled : No
Number of interfaces: Tagged 0    , Untagged 0
Total MAC count: 0

Routing instance: default-switch
  VLAN Name: klient1                        State: Active
Tag: 101
PVLAN type : Community
Internal index: 6, Generation Index: 6, Origin: Static
MAC aging time: 300 seconds
VXLAN Enabled : No
Interfaces:
    ge-0/0/0.0,tagged,trunk,Inter-switch-link
    ge-0/0/1.0*,untagged,access
Number of interfaces: Tagged 1    , Untagged 1
Total MAC count: 0

Routing instance: default-switch
  VLAN Name: klient2                        State: Active
Tag: 102
PVLAN type : Community
Internal index: 7, Generation Index: 7, Origin: Static
MAC aging time: 300 seconds
VXLAN Enabled : No
Interfaces:
    ge-0/0/0.0,tagged,trunk,Inter-switch-link
    ge-0/0/2.0*,untagged,access
Number of interfaces: Tagged 1    , Untagged 1
Total MAC count: 0

Routing instance: default-switch
  VLAN Name: pv100                          State: Active
Tag: 100
PVLAN type : Primary
Community VLAN :
        vlan-id : 101 vlan name : klient1
        vlan-id : 102 vlan name : klient2
Internal index: 5, Generation Index: 5, Origin: Static
MAC aging time: 300 seconds
Layer 3 interface: irb.100
VXLAN Enabled : No
Interfaces:
    ge-0/0/0.0,tagged,trunk,Inter-switch-link
    ge-0/0/1.0*,untagged,access
    ge-0/0/2.0*,untagged,access
Number of interfaces: Tagged 1    , Untagged 2
Total MAC count: 2
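
The checks discussed in this thread (community VLANs listed under the primary VLAN, their access ports also present in the primary, an L3 interface bound to the primary) can be read mechanically from `show vlans extensive` text. The Python below is an added example, not part of the original posts or of any Juniper tooling; the function names `parse_vlans` and `audit` are hypothetical and the sample is constructed from the output posted above.

```python
import re
# Constructed sample trimmed from the output posted above; klient2's own block is omitted to show the missing-VLAN case.
SAMPLE = """\
  VLAN Name: klient1                        State: Active
Tag: 101
PVLAN type : Community
    ge-0/0/1.0*,untagged,access
  VLAN Name: pv100                          State: Active
Tag: 100
PVLAN type : Primary
Community VLAN :
        vlan-id : 101 vlan name : klient1
        vlan-id : 102 vlan name : klient2
Layer 3 interface: irb.100
    ge-0/0/0.0,tagged,trunk,Inter-switch-link
    ge-0/0/1.0*,untagged,access
    ge-0/0/2.0*,untagged,access
"""

def parse_vlans(text):
    vlans, cur = {}, None
    for s in map(str.strip, text.splitlines()):
        if m := re.match(r"VLAN Name:\s*(\S+)", s):
            cur = vlans[m.group(1)] = {"members": {}, "ports": {}}
        elif cur is None:
            continue  # ignore anything before the first VLAN block
        elif m := re.match(r"vlan-id\s*:\s*(\d+)\s+vlan name\s*:\s*(\S+)", s):
            cur["members"][m.group(2)] = m.group(1)  # secondary VLAN name -> tag
        elif m := re.match(r"([\w/-]+\.\d+)\*?,(?:un)?tagged,(\w+)", s):
            cur["ports"][m.group(1)] = m.group(2)    # interface -> access/trunk
        elif m := re.match(r"(Tag|PVLAN type|Layer 3 interface)\s*:\s*(\S+)", s):
            cur[m.group(1)] = m.group(2)
    return vlans

def audit(vlans):
    findings = []
    for name, v in vlans.items():
        if v.get("PVLAN type") != "Primary":
            continue
        findings.append(f"{name}: primary, tag {v.get('Tag')}, L3 interface {v.get('Layer 3 interface', 'none')}")
        for sec, tag in v["members"].items():
            sv = vlans.get(sec)
            if sv is None:
                findings.append(f"{sec}: listed under {name} (tag {tag}) but absent from output")
                continue
            # Access ports of a secondary VLAN should also appear in the primary's port list.
            stray = [p for p, mode in sv["ports"].items() if mode == "access" and p not in v["ports"]]
            ok = sv.get("PVLAN type") == "Community" and sv.get("Tag") == tag and not stray
            findings.append(f"{sec}: " + (f"consistent with {name}" if ok else f"MISMATCH, stray ports {stray}"))
    return findings
```

Calling `audit(parse_vlans(text))` on saved CLI output returns one line per primary VLAN and one per secondary VLAN it lists.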
Re: RVI in Private VLAN on EX3400

02-20-2017 11:23 AM

Assuming that pv100 is your primary VLAN, I don't see these two statements, which are required for PVLAN to create and isolate the traffic:
set vlans pv100 no-local-switching
You have to nest the community VLANs under the primary VLAN:
set vlans klient1 primary-vlan pv100
set vlans klient2 primary-vlan pv100
Your output "show vlans extensive" does not show the pvlan_pvlan<#>_<interface>
The mode should show the community VLAN ALONG with the primary VLAN:

Community, Primary VLAN: pv100

Re: RVI in Private VLAN on EX3400

02-20-2017 11:52 AM

Re: RVI in Private VLAN on EX3400

02-20-2017 02:08 PM

Ahh! That's why it will not work. I just don't understand why remove the feature???!! I mean, of what benefit is it to remove that feature??

Re: RVI in Private VLAN on EX3400

02-20-2017 02:20 PM

I think that PVLAN is just configured in a different way, but I still can't get it working.

In show vlans extensive I got:

Routing instance: default-switch
  VLAN Name: pv100                          State: Active
Tag: 100
PVLAN type : Primary
Community VLAN :
        vlan-id : 101 vlan name : klient1
        vlan-id : 102 vlan name : klient2
Re: RVI in Private VLAN on EX3400

[ Edited ]
02-20-2017 04:12 PM

Yes, you are correct. After reading more I realized the configuration you have is how it is done on ELS. This note may be what is causing the issue:

IRB Interface Limitation in a PVLAN

If your PVLAN includes multiple switches, an issue can occur if the Ethernet switching table is cleared on a switch that does not have an IRB interface. If a Layer 3 packet transits the switch before its destination MAC address is learned again, it is broadcast to all the Layer 3 hosts connected to the PVLAN. Note: Each host device that you want to connect at Layer 3 must be in the same subnet as the IRB interface and use the IP address of the IRB interface as its default gateway address.

 

Take a look at this article, specifically the verification outputs, and see if they compare to your system:

https://www.juniper.net/techpubs/en_US/junos/topics/example/private-vlans-multiple-switches-irb-qfx-...

 

Re: RVI in Private VLAN on EX3400

02-20-2017 05:00 PM

Thank you for your reply, lyndidon, but I'm trying on only one switch.

Re: RVI in Private VLAN on EX3400

02-20-2017 05:39 PM

OK, I see. Could you show this output?

show vlans klient1 extensive

One thing I would like to see from your test:

Remove or deactivate the IRB, then ping host 1 on klient1 from a host on klient2.

Activate the IRB and repeat the same. I am really more curious now about this ELS. I don't have any such systems to test, so I have to rely on the efforts of you and others with such experience.

Re: RVI in Private VLAN on EX3400

02-20-2017 06:54 PM

I found this for EX4300, whose syntax should be the same as that for EX3400. This is without IRB, but at least this should help you get the L2 PVLAN stuff set up right, if the other posting is accurate:

 

https://forums.juniper.net/t5/Ethernet-Switching/PVLAN-on-EX4300/m-p/283272

 

I'd like to know if you are using similar config or not.

Re: RVI in Private VLAN on EX3400

[ Edited ]
02-20-2017 11:16 PM

My config is similar, but I didn't configure any isolated VLAN.

I have already checked it. Without the L3 interface IRB on the primary VLAN, those devices in different communities don't see each other. The thing is that I need routing between community VLANs.

I have got a VC of EX3400. Feature Explorer says that it supports IRB on PVLAN, but the manual says it doesn't support RVI on PVLAN.

Junos allows me to configure IRB on PVLAN, but it doesn't work. Broadcast ARP requests get from the switch to the hosts, but no answer comes back to the switch.

Re: RVI in Private VLAN on EX3400

02-21-2017 07:43 AM

Sorry, very confused by your latest statements. If you want routing/communication between the communities, why are you using PVLAN in the first place? Is the idea that communities can only talk to each other once they hit some security point, like say a FW?

What is the subnet mask associated with the IRB, and what is the subnet mask of the communities? Does a community know it needs to route (from an IP perspective) if it is trying to reach a different community?

Trying to figure out the big picture requirement, not just if IRB works with PVLAN...