[j-nsp] Network configuration question / vlan and bridging related

Niels Bakker niels=juniper-nsp at bakker.net
Thu Jun 23 20:17:48 EDT 2005


* steinar at fasthost.no (Steinar Torsvik) [Fri 24 Jun 2005, 01:08 CEST]:
>Niels Bakker wrote:
>>* steinar at fasthost.no (Steinar Torsvik) [Thu 23 Jun 2005, 18:33 CEST]:
>>>There are 700 edge ports, all in separate VLANs. This keeps the 
>>>traffic separated until it reaches the Juniper. The goal here is to 
>>>get all client traffic separated so nobody can mess up / hijack IP 
>>>addresses and so on.
>>>
>>>My question is basically, what is the best way to administrate / 
>>>distribute the IP addresses in a simple and easy to maintain way.
>>
>>Get an ERX with local-proxy-arp and treat 'em all as private VLANs.
>
>This is partly a solution I am hoping for. You say here "get an ERX" - 
>according to http://www.juniper.net/products/junos/105021.html the 
>functionality is included in the M series router we already have, is 
>there any reason for you advising another Juniper product?

I once built something similar to your setup, back when ERX was 
still Siemens.


>According to http://www.juniper.net/products/junos/105021.html the 
>configuration of proxy-arp is quite simple.

Proxy ARP is not what I meant.  Proxy ARP means that you send ARP 
answers to queries about networks you know about, not just about IP 
addresses configured on the very interface a request was received on.


>I am thinking simple here, as far as I understand proxy ARP works as 
>long as the router has the address being looked for in its local ARP 
>table or routing table?
>
>Will the following example configuration work out of the box?
>
>unit 0 {
>     description default-gateway;
>     vlan-id 800;
>     family inet {
>         address 192.168.0.1/16;
>     }
>     proxy-arp;
>}
>unit 1 {
>     description client1;
>     vlan-id 1000;
>     proxy-arp;
>}
>unit 2 {
>     description client2;
>     vlan-id 1001;
>     proxy-arp;
>}
>
>and so on?

No.  A Juniper M-Series is not a switch, and it will not "bridge" 
between these client VLANs.  Also, anything connected to VLANs 1000 and 
1001 won't be able to route IP as there is no family inet statement on 
the router for those subinterfaces.

Maybe someone with significantly higher J-guru status than me (which is 
quite easy, really :) can think of a way to make this happen.

Local proxy ARP makes an ERX answer on every ARP request, including 
those for hosts on otherwise directly connected networks.  Therefore all 
traffic, even between end stations, will flow over the ERX, as it 
bridges IP traffic between hosts on different VLANs, yet can still route 
IP traffic destined elsewhere.

Disclaimer: it's been a while, and we never really got to put this to 
production use...

Regards,


	-- Niels.
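The distinction Niels draws between plain proxy ARP and local proxy ARP, and his point that a unit without a family inet statement cannot take part in IP at all, can be checked against a small model. The code below is an added example written for this archive page; it is not from the thread, Juniper or any router software. It assumes, following Niels' description, that a plain proxy-arp interface answers only for targets reachable behind other interfaces, while local proxy ARP answers every request it can resolve, including hosts on the requesting interface's own subnet. The connected networks stand in for a routing table; the unit names, VLAN ids and 192.168.0.1/16 come from Steinar's quoted configuration, and unit 9 with 10.0.0.1/24 is a constructed uplink.

```python
# Added example (not from the thread): a model of the ARP-answering policies
# discussed above, so the effect of "proxy-arp" versus "local proxy ARP" and of
# a missing "family inet" can be tested on realistic addresses.
# Assumption: plain proxy-arp answers only for targets on *other* networks;
# local proxy ARP answers for any known target, including same-subnet hosts.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Unit:
    name: str
    vlan_id: int
    address: Optional[str]      # "a.b.c.d/len" from "family inet", None if absent
    proxy_arp: str = "off"      # "off", "proxy-arp" or "local-proxy-arp"

    @property
    def iface(self):
        return ipaddress.ip_interface(self.address) if self.address else None


class RouterArpModel:
    def __init__(self, units):
        self.units = {u.name: u for u in units}

    def known_networks(self):
        # Stand-in for the routing table: the directly connected networks.
        return [u.iface.network for u in self.units.values() if u.iface]

    def answers_arp(self, ingress: str, target: str) -> bool:
        """Would the router send an ARP reply for `target` on unit `ingress`?"""
        unit = self.units[ingress]
        tgt = ipaddress.ip_address(target)
        if unit.iface is None:
            return False          # no family inet: nothing to reply with
        if tgt == unit.iface.ip:
            return True           # the unit's own address is always answered
        if unit.proxy_arp == "off":
            return False
        if not any(tgt in net for net in self.known_networks()):
            return False          # no route for the target, so no proxy reply
        if unit.proxy_arp == "local-proxy-arp":
            return True           # answer even for a host on this very subnet
        return tgt not in unit.iface.network   # plain proxy-arp: remote only


def quoted_config() -> RouterArpModel:
    """The units exactly as Steinar posted them."""
    return RouterArpModel([
        Unit("unit 0", 800, "192.168.0.1/16", "proxy-arp"),
        Unit("unit 1", 1000, None, "proxy-arp"),
        Unit("unit 2", 1001, None, "proxy-arp"),
    ])


def shared_vlan_router(mode: str) -> RouterArpModel:
    """Constructed: the client /16 on unit 0 plus a made-up 10.0.0.0/24 uplink."""
    return RouterArpModel([
        Unit("unit 0", 800, "192.168.0.1/16", mode),
        Unit("unit 9", 900, "10.0.0.1/24", "off"),
    ])


if __name__ == "__main__":
    r = quoted_config()
    print("client on vlan 1000 asks for gateway:",
          r.answers_arp("unit 1", "192.168.0.1"))       # False, no family inet
    for mode in ("off", "proxy-arp", "local-proxy-arp"):
        s = shared_vlan_router(mode)
        print(mode, "same-subnet host:", s.answers_arp("unit 0", "192.168.1.20"),
              "remote host:", s.answers_arp("unit 0", "10.0.0.5"))
```

Only the local-proxy-arp row answers for 192.168.1.20, which is exactly why, in the design Niels describes, every packet between two end stations has to pass through the router and can be filtered there; with plain proxy-arp the two hosts resolve each other directly and the router never sees that traffic.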
