[j-nsp] Network configuration question / vlan and bridging related

Lennon - Orcon lennon at orcon.net.nz
Fri Jun 24 16:01:20 EDT 2005


Yes. The Ciscos can be set up to have "Protected" switch ports which cannot
talk to each other. They can only talk to non-protected ports.

See this example: http://www.ifm.net.nz/cookbooks/2950_virus.html

Thanks
Craig

----- Original Message ----- 
From: "zeng watchthinker" <watchthinker at hotmail.com>
To: <steinar at fasthost.no>; <juniper-nsp at puck.nether.net>
Sent: Saturday, June 25, 2005 5:54 AM
Subject: RE: [j-nsp] Network configuration question / vlan and bridging related


> As I recall, there is something like an L3 switch that can support this
> feature as you request.
>
> It can set up a VLAN group with one gateway, and the individual VLANs in the
> same subnet cannot communicate with each other.
>
> In this way, you can save your IP addresses by using a /24 mask or so instead
> of a /30 mask.
>
>>From: Steinar Torsvik <steinar at fasthost.no>
>>To: juniper-nsp at puck.nether.net
>>Subject: [j-nsp] Network configuration question / vlan and bridging related
>>Date: Thu, 23 Jun 2005 18:31:15 +0200
>>
>>Hi,
>>
>>First post to this list, well here is the case:
>>
>>We have a customer who owns 1 Juniper M7i connected to a 700-port
>>D-Link switched network. The topology is the following:
>>
>>   gigabit uplink
>>         |
>>         |
>>|-------------|
>>|    m7i      |
>>|-------------|
>>         |
>>         |
>>|-------------|
>>| d-link core |
>>|    switch   |
>>|-------------|
>>     |  |  |  |
>>|-------------|
>>|  cheap vlan |
>>| capable edge|
>>|    d-link   |
>>|-------------|
>>        |
>>      client
>>
>>
>>There are 700 edge ports, each in its own separate VLAN. This keeps
>>the traffic separated until it reaches the Juniper. The goal here is to
>>get all client traffic separated so nobody can mess up / hijack IP
>>addresses and so on.
>>
>>My question is basically, what is the best way to administrate /
>>distribute the IP addresses in a simple and easy-to-maintain way.
>>
>>I have come up with two solutions, there may be many more or better ways
>>to do this so please correct me :)
>>
>>1) Give a /30 network to each client and configure up all 700 interfaces
>>this way. This may be a nightmare to maintain and configure, even though
>>most of the configuration process can be automated.
>>
>>2) Find a cool way to bridge all interfaces together and filter out
>>unwanted traffic, a kind of Cisco private VLAN but not on the edge. The
>>edge switches are not capable of this L3 filtering, so it must be solved
>>in the router.
>>
>>Is there a way to do this on Juniper? Make a "virtual" interface and
>>bridge all 700 interfaces up against this one, filter the traffic
>>forcing all clients to only reach the default gw and nothing else - and
>>then distribute /32 networks to each client.
>>
>>If the second solution is possible - I am hoping to be able to
>>distribute all ip addresses with one single DHCP pool, giving also each
>>client port the possibility to connect several clients at each port
>>without forcing the client to do NAT (which he must do in the first
>>solution since he only gets one IP address).
>>
>>Does anyone have any experience / ideas / pointers here? The hardware is
>>pretty much set, and replacing the edge switches with something that has
>>better L3 capability is not an option.
>>
>>--
>>Regards,
>>
>>Steinar Torsvik
>>Fasthost AS
>>Tlf: +47 22 00 88 50
>>Mob: +47 99 02 99 88
>>_______________________________________________
>>juniper-nsp mailing list juniper-nsp at puck.nether.net
>>http://puck.nether.net/mailman/listinfo/juniper-nsp
>
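As an added illustration of Steinar's option 1 (not code from anyone in this thread): a small generator that carves one aggregate into per-VLAN /30 subnets and emits the matching Junos logical units for the M7i, so the 700-interface configuration he calls a nightmare to maintain becomes a repeatable script. The interface name, VLAN id range and address aggregate are assumptions chosen for the example; the isolation property rests on each client sitting in its own VLAN and its own IP subnet, so one client's ARP or address games never reach another client's gateway unit.

```python
import ipaddress

# Constructed parameters (assumptions, not taken from the thread): one VLAN per
# edge port with ids 101..800, all trunked into one gigabit interface on the M7i,
# and one aggregate carved into point-to-point /30 subnets.
AGGREGATE = ipaddress.ip_network("10.100.0.0/20")  # 4096 addresses, room for 700 x /30
TRUNK_IF = "ge-0/0/0"                               # hypothetical M7i interface name
FIRST_VLAN = 101
CLIENT_COUNT = 700


def allocate_client_subnets(aggregate, count, first_vlan):
    """Map VLAN id -> /30 subnet, taking consecutive /30s from the aggregate.

    Raises ValueError when the aggregate is too small, so the shortfall is
    caught before any configuration is pushed to the router.
    """
    subnets = list(aggregate.subnets(new_prefix=30))
    if len(subnets) < count:
        raise ValueError(f"{aggregate} holds only {len(subnets)} /30s, need {count}")
    return {first_vlan + i: subnets[i] for i in range(count)}


def render_junos_units(trunk_if, allocation):
    """Emit one VLAN-tagged logical unit per client with the router-side address.

    The router takes the first host address of each /30; the client gets the
    second. Each unit is its own broadcast domain and its own subnet, which is
    what keeps clients from spoofing or hijacking each other's addresses.
    """
    lines = ["interfaces {", f"    {trunk_if} {{", "        vlan-tagging;"]
    for vlan_id, net in sorted(allocation.items()):
        gateway = net.network_address + 1
        lines += [
            f"        unit {vlan_id} {{",
            f"            vlan-id {vlan_id};",
            f"            family inet {{ address {gateway}/{net.prefixlen}; }}",
            "        }",
        ]
    lines += ["    }", "}"]
    return "\n".join(lines)


def client_host_address(allocation, vlan_id):
    """The single usable client address in a VLAN's /30 (what gets handed out)."""
    return allocation[vlan_id].network_address + 2


if __name__ == "__main__":
    alloc = allocate_client_subnets(AGGREGATE, CLIENT_COUNT, FIRST_VLAN)
    print(render_junos_units(TRUNK_IF, alloc))
```

The address cost is the point Steinar raises against this option: 700 clients consume 2800 addresses at /30, which is why his second option aims at /32 per client behind one shared gateway.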


