[j-nsp] different default for different vlans

Sergio D. sdanelli at gmail.com
Fri Mar 20 23:31:31 EDT 2009 

Or this can be a good opportunity for the EX or proxy to send back an
icmp redirect (sometimes they are useful)
 back to the hosts in order to find the correct gateway for a given
destination. my suggestion is having the proxy
be the gateway and provide the proxy with a next hop of the EX for
inter-vlan traffic.
 if your proxy is a *nix variant you can check if redirects are
enabled with "sysctl -a | grep -i redirect"
I think most are by default.


> I wish it were.  This is all traffic except for local traffic.  Any
> explanation for why the ex4200 doesn't have the except keyword?
>
> On Mar 20, 2009, at 6:55 PM, Nilesh Khambal wrote:
>
>* Are using proxy just for http and https? Is so, then can you be
*>* specific in the filters with protocol and ports. You can add a
*>* default accept at the end of the filter to accept all other traffic
*>* that does not match http or https. Traffic accepted by default
*>* accept will get routed using inet.0 routing table.
*>*
*>* This way you don't have to use "except" in filter terms.
*>*
*>* Thanks,
*>* Nilesh
*>*
*>* Cord MacLeod wrote:
*>>* That would be great, and I thought of it just after I sent the
*>>* email.   There's one big thing I'm missing though... except.
*>>* From an m7:
*>>* Possible completions:
*>>*   <[Enter]>            Execute this command
*>>*   except               Match address not in this prefix
*>>* From an ex4200:
*>>*   <[Enter]>            Execute this command
*>>* In other words, all of my traffic would hit this proxy and it
*>>* would  break routing between the vlans if I use policy based
*>>* routing and  can't use except.
*>>* On Mar 20, 2009, at 6:37 PM, Nilesh Khambal wrote:
*>>>* Can you try policy based routing using input firewall filter on
*>>>* EX?  This was you can redirect the traffic to another forwarding-
*>>>* instance  where your proxy resides. You will also have to take
*>>>* care of reverse  routing from the proxy forwarding instance back
*>>>* to inet.0 on EX so  that return traffic can go back to client VLANs.
*>>>*
*>>>* Thanks,
*>>>* Nilesh.
*>>>*
*>>>* Cord MacLeod wrote:
*>>>>* I feel silly for asking this, but apparently my brain isn't
*>>>>* working  today.
*>>>>* I've got some machines in a public vlan, 100 and some RFC 1918
*>>>>* machines on another vlan, 120.  I redistribute 0.0.0.0 in ospf
*>>>>* through  my network down to these EX4200's that the machines are
*>>>>* hanging off  of.  Is there a way for my RFC 1918 machines to
*>>>>* default to different  next hop (proxy machine) when not
*>>>>* attempting  to route between vlans so  they can hit outside.  The
*>>>>* way we do it  now is changing the default  gateway on the
*>>>>* machines.  I'd like to  perform this automatically on  the
*>>>>* ex4200s if possible.
*>>>>* Any ideas?
*>>>>* _______________________________________________
*>>>>* juniper-nsp mailing list juniper-nsp at puck.nether.net
<https://puck.nether.net/mailman/listinfo/juniper-nsp>
*>>>>* https://puck.nether.net/mailman/listinfo/juniper-nsp
*>>* .
*



-- 
Sergio Danelli

More information about the juniper-nsp mailing list