[j-nsp] Network configuration question / vlan and bridging related

Alexander Arsenyev (GU/ETL) alexander.arsenyev at ericsson.com
Tue Jul 5 10:23:18 EDT 2005


Hello

Sorry if this question has already been answered/beaten to death, but would a Netscreen firewall in Transparent mode
help at all in this situation?
Check the following PDF out: http://www.juniper.net/techpubs/software/screenos/screenos5.2.0/CE_v2.pdf ,
diagram on page 104 for the Netscreen FW in bridge mode. I would imagine that inserting Netscreens into the appropriate places could help with administering IP addressing (Netscreens work as DHCP server/client/relay agent) and filtering unwanted/malicious traffic.
My $0.02
HTH,
Cheers
Alex

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Steinar Torsvik
Sent: 23 June 2005 17:31
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Network configuration question / vlan and bridging related


Hi,

First post to this list, well here is the case:

We have a customer who owns 1 Juniper M7i connected to a 700-port
D-Link switched network. The topology is the following:

  gigabit uplink
        |
        |
|-------------|
|    m7i      |
|-------------|
        |
        |
|-------------|
| d-link core |
|    switch   |
|-------------|
    |  |  |  |
|-------------|
|  cheap vlan |
| capable edge|
|    d-link   |
|-------------|
       |
     client


There are 700 edge ports, each in its own separate VLAN. This keeps
the traffic separated until it reaches the Juniper. The goal here is to
get all client traffic separated so nobody can mess up / hijack IP
addresses and so on.

My question is basically: what is the best way to administer /
distribute the IP addresses in a simple and easy-to-maintain way?

I have come up with two solutions, there may be many more or better ways 
to do this so please correct me :)

1) Give a /30 network to each client and configure up all 700 interfaces 
this way. This may be a nightmare to maintain and configure, even though 
most of the configuration process can be automated.

2) Find a cool way to bridge all interfaces together and filter out
unwanted traffic, a kind of Cisco private VLAN but not on the edge. The
edge switches are not capable of this L3 filtering - so it must be solved
in the router.

Is there a way to do this on Juniper? Make a "virtual" interface and 
bridge all 700 interfaces up against this one, filter the traffic 
forcing all clients to only reach the default gw and nothing else - and 
then distribute /32 networks to each client.

If the second solution is possible - I am hoping to be able to
distribute all IP addresses with one single DHCP pool, also giving each
client port the possibility to connect several clients at each port
without forcing the client to do NAT (which he must do in the first
solution since he only gets one IP address).

Anyone have any experience / ideas / pointers here? The hardware is
pretty much set - and replacing the edge switches with ones that have
better L3 capability is not an option.

-- 
Regards,

Steinar Torsvik
Fasthost AS
Tlf: +47 22 00 88 50
Mob: +47 99 02 99 88
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
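The first option above (a /30 per client VLAN on the M7i) is mostly mechanical, so here is an added example, not from either poster, of how the addressing plan and the Junos "set" statements for it can be generated and cross-checked. It assumes the 700 client VLANs are numbered consecutively from 101 on one tagged port named ge-0/0/0, and that all /30s are carved from a single supernet; the router takes the first usable address of each /30 and the client port the second.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumed values (not from the thread): the trunk towards the D-Link core,
# the first client VLAN id and a supernet large enough for 700 /30s.
TRUNK_IF = "ge-0/0/0"
FIRST_VLAN = 101
SUPERNET = "10.200.0.0/20"   # 1024 /30s, enough for 700 client ports


def carve_p2p(supernet: str, first_vlan: int, count: int) -> Dict[int, ipaddress.IPv4Network]:
    """Map each client VLAN to its own /30, refusing to overrun the supernet."""
    subnets = list(ipaddress.ip_network(supernet).subnets(new_prefix=30))
    if count > len(subnets):
        raise ValueError(f"{supernet} only holds {len(subnets)} /30s, need {count}")
    return {first_vlan + i: subnets[i] for i in range(count)}


def router_and_client(net: ipaddress.IPv4Network) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """For a /30 the two usable hosts are the router side and the client side."""
    hosts = list(net.hosts())
    return hosts[0], hosts[1]


def junos_set_lines(trunk_if: str, plan: Dict[int, ipaddress.IPv4Network]) -> List[str]:
    """Emit one tagged logical unit per VLAN with the router's /30 address on it."""
    lines = [f"set interfaces {trunk_if} vlan-tagging"]
    for vlan, net in sorted(plan.items()):
        gw, _ = router_and_client(net)
        lines.append(
            f"set interfaces {trunk_if} unit {vlan} vlan-id {vlan} "
            f"family inet address {gw}/{net.prefixlen}"
        )
    return lines


def vlan_for_address(plan: Dict[int, ipaddress.IPv4Network], addr: str) -> Optional[int]:
    """Reverse lookup: which client VLAN (i.e. edge port) does a logged source IP belong to?"""
    ip = ipaddress.ip_address(addr)
    for vlan, net in plan.items():
        if ip in net:
            return vlan
    return None


if __name__ == "__main__":
    plan = carve_p2p(SUPERNET, FIRST_VLAN, 700)
    print("\n".join(junos_set_lines(TRUNK_IF, plan)[:3]))
    print("VLAN for 10.200.10.238:", vlan_for_address(plan, "10.200.10.238"))
```

Because each /30 holds exactly one client address, a source IP seen in a log maps back to one VLAN and therefore one edge port, which is what makes the hijacking the original post worries about easy to attribute.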