[j-nsp] Network configuration question / vlan and bridging related

Steinar Torsvik steinar at fasthost.no
Thu Jun 23 12:31:15 EDT 2005 

Hi,

First post to this list, well here is the case:

We have a customer who owns 1 Juniper M7i connected to a 700 ports 
d-link switched network. The topology is the following:

  gigabit uplink
        |
        |
|-------------|
|    m7i      |
|-------------|
        |
        |
|-------------|
| d-link core |
|    switch   |
|-------------|
    |  |  |  |
|-------------|
|  cheap vlan |
| capable edge|
|    d-link   |
|-------------|
       |
     client


There are 700 edge ports who all is in one separate vlan. This making 
the traffic separated until it reaches the Juniper. The goal here is to 
get all client traffic separated so nobody can mess up / hijack ip 
addresses and so on.

My question is basicly, what is the best way to administrate / 
distribute the ip addresses in a simple and easy to maintain way.

I have come up with two solutions, there may be many more or better ways 
to do this so please correct me :)

1) Give a /30 network to each client and configure up all 700 interfaces 
this way. This may be a nightmare to maintain and configure, even though 
most of the configuration process can be automated.

2) Find a cool way to bridge all interfaces together and filtering out 
unwanted traffic, a kind of Cisco private vlan but not on the edge. The 
edge switches is not capable of this l3 filtering - so it must be solved 
in the router.

Is there a way to do this on Juniper? Make a "virtual" interface and 
bridge all 700 interfaces up against this one, filter the traffic 
forcing all clients to only reach the default gw and nothing else - and 
then distribute /32 networks to each client.

If the second solution is possible - I am hoping to be able to 
distribute all ip addresses with one single DHCP pool, giving also each 
client port the possibility to connect several clients at each port 
without forcing the client to do NAT (wich he must do in the first 
solution since he only gets one ip address).

Anyone have any experience / ideas / pointers here? The hardware is 
pretty much set - and replacing the edge switches with someone who has 
better l3 capability is not an option.

-- 
Regards,

Steinar Torsvik
Fasthost AS
Tlf: +47 22 00 88 50
Mob: +47 99 02 99 88

More information about the juniper-nsp mailing list