[j-nsp] Network configuration question / vlan and bridging related

Erdem Sener erdems at gmail.com
Thu Jun 23 16:32:51 EDT 2005


Hi,

 I'm not very familiar with d-link switches, but IMHO you should do
traffic limiting kind of stuff (bandwidth-wise and broadcast-wise) on
the switch, not on the hop after (which is the M7i, in your case).

 If not possible for some reason, you always have the possibility to
"terminate" the vlans on the M7i, use the [edit groups] section for template
config and <sigh> mess with ip allocation.

 Erdem

On 6/23/05, Steinar Torsvik <steinar at fasthost.no> wrote:
> Hi,
> 
> First post to this list, well here is the case:
> 
> We have a customer who owns 1 Juniper M7i connected to a 700 ports
> d-link switched network. The topology is the following:
> 
>  gigabit uplink
>        |
>        |
> |-------------|
> |    m7i      |
> |-------------|
>        |
>        |
> |-------------|
> | d-link core |
> |    switch   |
> |-------------|
>    |  |  |  |
> |-------------|
> |  cheap vlan |
> | capable edge|
> |    d-link   |
> |-------------|
>       |
>     client
> 
> 
> There are 700 edge ports, each in its own separate vlan. This keeps
> the traffic separated until it reaches the Juniper. The goal here is to
> get all client traffic separated so nobody can mess up / hijack ip
> addresses and so on.
> 
> My question is basically, what is the best way to administrate /
> distribute the ip addresses in a simple and easy to maintain way.
> 
> I have come up with two solutions, there may be many more or better ways
> to do this so please correct me :)
> 
> 1) Give a /30 network to each client and configure up all 700 interfaces
> this way. This may be a nightmare to maintain and configure, even though
> most of the configuration process can be automated.
> 
> 2) Find a cool way to bridge all interfaces together and filter out
> unwanted traffic, a kind of Cisco private vlan but not on the edge. The
> edge switches are not capable of this l3 filtering - so it must be solved
> in the router.
> 
> Is there a way to do this on Juniper? Make a "virtual" interface and
> bridge all 700 interfaces up against this one, filter the traffic
> forcing all clients to only reach the default gw and nothing else - and
> then distribute /32 networks to each client.
> 
> If the second solution is possible - I am hoping to be able to
> distribute all ip addresses with one single DHCP pool, giving also each
> client port the possibility to connect several clients at each port
> without forcing the client to do NAT (which he must do in the first
> solution since he only gets one ip address).
> 
> Anyone have any experience / ideas / pointers here? The hardware is
> pretty much set - and replacing the edge switches with ones that have
> better l3 capability is not an option.
> 
> --
> Regards,
> 
> Steinar Torsvik
> Fasthost AS
> Tlf: +47 22 00 88 50
> Mob: +47 99 02 99 88
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
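The reply above suggests terminating the per-port vlans on the M7i and using [edit groups] to keep the 700-unit configuration manageable, and the original question notes that option 1 (a /30 per client) could be automated. The script below is an added example written for this thread, not code from either poster: it carves one /30 per client out of an address pool, then renders a Junos configuration in which a wildcard group carries everything common to all client units (vlan-tagging and a unicast RPF check as a cheap anti-spoofing measure), so that each client costs only a `vlan-id` and an `address` line. The pool `10.0.0.0/20`, the port `ge-0/0/0`, the VLAN numbering starting at 101 and the group name `client-port` are all assumptions chosen for illustration, and support for `rpf-check` on the platform and release in use is likewise assumed rather than taken from the thread.

```python
"""Added example: generate a templated Junos config that terminates one
vlan per edge port on the M7i and gives each client its own /30.

Every name and number below is an assumption made for illustration; none
of it comes from the mailing-list thread itself.
"""
import ipaddress

POOL = "10.0.0.0/20"        # assumed pool: 1024 /30 links, enough for 700 clients
PHYSICAL_IF = "ge-0/0/0"    # assumed M7i port facing the D-Link core switch
FIRST_VLAN = 101            # assumed numbering: edge port n lives in vlan 100 + n
GROUP_NAME = "client-port"  # assumed name of the [edit groups] template


def minimum_pool_prefix(count):
    """Smallest prefix length that holds `count` /30 links (4 addresses each)."""
    return 32 - (count * 4 - 1).bit_length()


def allocate_links(pool, count, first_vlan=FIRST_VLAN):
    """Carve `count` /30 links out of `pool` (a string or ip_network).

    Each link is (vlan_id, gateway, client, subnet): the first usable
    address is the router side, the second is the single client address.
    """
    pool = ipaddress.ip_network(pool)
    links = []
    for i, subnet in enumerate(pool.subnets(new_prefix=30)):
        if i == count:
            break
        gateway, client = list(subnet.hosts())  # a /30 has exactly two usable hosts
        links.append((first_vlan + i, gateway, client, subnet))
    if len(links) < count:
        raise ValueError(
            f"{pool} holds only {len(links)} /30 links; {count} clients need "
            f"at least a /{minimum_pool_prefix(count)}"
        )
    return links


def render_config(links, physical_if=PHYSICAL_IF, group=GROUP_NAME):
    """Render Junos curly-brace configuration text.

    The wildcard group applies vlan-tagging to every ge-* port and a
    unicast RPF check to every logical unit, so a client can only source
    packets from the address routed to its own /30 (labelled as an
    assumption about platform support in the lead-in).
    """
    out = [
        "groups {",
        f"    {group} {{",
        "        interfaces {",
        "            <ge-*> {",
        "                vlan-tagging;",
        "                unit <*> {",
        "                    family inet {",
        "                        /* drop packets not sourced from this unit's /30 */",
        "                        rpf-check;",
        "                    }",
        "                }",
        "            }",
        "        }",
        "    }",
        "}",
        f"apply-groups {group};",
        "interfaces {",
        f"    {physical_if} {{",
    ]
    for vlan, gateway, _client, subnet in links:
        out += [
            f"        unit {vlan} {{",
            f"            vlan-id {vlan};",
            "            family inet {",
            f"                address {gateway}/{subnet.prefixlen};",
            "            }",
            "        }",
        ]
    out += ["    }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Print a three-client sample; pass 700 to see the full-size configuration.
    print(render_config(allocate_links(POOL, 3)))
```

Running it for 700 clients shows the cost the question worries about: 700 `unit` stanzas, but only four lines each, because the group supplies the rest. The pool size check is the other practical point: 700 /30 links need 2800 addresses, so nothing smaller than a /20 will do, and a /24 raises an error instead of silently configuring fewer ports than there are clients.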
