[j-nsp] Network configuration question / vlan and bridging related
Alexander Arsenyev (GU/ETL)
alexander.arsenyev at ericsson.com
Tue Jul 5 10:23:18 EDT 2005
Hello
Sorry if this question has already been answered/beaten to death, but would a Netscreen firewall in Transparent mode
help at all in this situation?
Check the following PDF out: http://www.juniper.net/techpubs/software/screenos/screenos5.2.0/CE_v2.pdf ,
diagram on page 104 for the Netscreen FW in bridge mode. I would imagine that inserting Netscreens into the appropriate places could help with administering IP addressing (Netscreens work as DHCP server/client/relay agent) and filtering unwanted/malicious traffic.
My $0.02
HTH,
Cheers
Alex
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Steinar Torsvik
Sent: 23 June 2005 17:31
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Network configuration question / vlan and bridging related
Hi,
First post to this list, well here is the case:
We have a customer who owns 1 Juniper M7i connected to a 700-port
d-link switched network. The topology is the following:
         gigabit uplink
               |
               |
        |-------------|
        |     m7i     |
        |-------------|
               |
               |
        |-------------|
        | d-link core |
        |   switch    |
        |-------------|
           |  |  |  |
        |-------------|
        | cheap vlan  |
        | capable edge|
        |   d-link    |
        |-------------|
               |
             client
There are 700 edge ports which are all in separate vlans. This keeps
the traffic separated until it reaches the Juniper. The goal here is to
get all client traffic separated so nobody can mess up / hijack ip
addresses and so on.
My question is basically, what is the best way to administrate /
distribute the ip addresses in a simple and easy to maintain way.
I have come up with two solutions, there may be many more or better ways
to do this so please correct me :)
1) Give a /30 network to each client and configure up all 700 interfaces
this way. This may be a nightmare to maintain and configure, even though
most of the configuration process can be automated.
2) Find a cool way to bridge all interfaces together and filter out
unwanted traffic, a kind of Cisco private vlan but not on the edge. The
edge switches are not capable of this l3 filtering - so it must be solved
in the router.
Is there a way to do this on Juniper? Make a "virtual" interface and
bridge all 700 interfaces up against this one, filter the traffic
forcing all clients to only reach the default gw and nothing else - and
then distribute /32 networks to each client.
If the second solution is possible - I am hoping to be able to
distribute all ip addresses with one single DHCP pool, also giving each
client port the possibility to connect several clients at each port
without forcing the client to do NAT (which he must do in the first
solution since he only gets one ip address).
Anyone have any experience / ideas / pointers here? The hardware is
pretty much set - and replacing the edge switches with ones that have
better l3 capability is not an option.
--
Regards,
Steinar Torsvik
Fasthost AS
Tlf: +47 22 00 88 50
Mob: +47 99 02 99 88
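As an added illustration of option 1 from the post above (not code from either poster), the script below automates the per-client /30 plan: it carves one /30 per VLAN out of an aggregate, renders Junos "set" statements for the subinterfaces, and attaches a per-VLAN input filter so each client can only source its own address, which addresses the ip-hijack concern. The trunk interface name, the starting VLAN ID and the 10.0.0.0/20 aggregate are assumptions.

```python
import ipaddress

# Constructed assumptions (not from the thread): the client VLANs arrive as
# subinterfaces of one trunk toward the d-link core, VLAN IDs start at 101,
# and all /30s come from one aggregate. 700 x /30 = 2800 addresses, so a
# /20 (4096 addresses, 1024 /30s) is the smallest aggregate that fits.
TRUNK_IF = "ge-0/0/0"
FIRST_VLAN = 101
AGGREGATE = ipaddress.ip_network("10.0.0.0/20")


def plan_clients(n_clients, aggregate=AGGREGATE, first_vlan=FIRST_VLAN):
    """Return one (vlan_id, gateway_ip, client_ip, subnet) tuple per client.

    Each client gets its own /30: the router takes the first usable host,
    the client the second. Raises ValueError if the aggregate is too small,
    so an undersized block fails up front instead of producing overlaps.
    """
    subnets = list(aggregate.subnets(new_prefix=30))
    if n_clients > len(subnets):
        raise ValueError(f"{aggregate} holds {len(subnets)} /30s, need {n_clients}")
    plan = []
    for i in range(n_clients):
        net = subnets[i]
        gateway, client = list(net.hosts())
        plan.append((first_vlan + i, gateway, client, net))
    return plan


def junos_config(plan, trunk_if=TRUNK_IF):
    """Render Junos set statements: a tagged subinterface per VLAN plus an
    input filter that accepts only the client's assigned /32 as source and
    discards everything else (spoofed or hijacked addresses)."""
    lines = [f"set interfaces {trunk_if} vlan-tagging"]
    for vlan, gateway, client, net in plan:
        unit = f"interfaces {trunk_if} unit {vlan}"
        flt = f"firewall family inet filter v{vlan}-in"
        lines += [
            f"set {unit} description client-vlan-{vlan}",
            f"set {unit} vlan-id {vlan}",
            f"set {unit} family inet address {gateway}/{net.prefixlen}",
            f"set {unit} family inet filter input v{vlan}-in",
            f"set {flt} term own-source from source-address {client}/32",
            f"set {flt} term own-source then accept",
            f"set {flt} term spoofed then discard",
        ]
    return lines


if __name__ == "__main__":
    print("\n".join(junos_config(plan_clients(700))))
```

The generated file can be loaded with "load set" on the router; the filter terms are per-VLAN, so revoking or re-addressing one client touches only that unit's lines.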
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp