VLAN Routing Between Layer 3 and Layer 2 Switch

PGlover

Active Member
Nov 8, 2014
465
52
28
53
I still have a few things to work out... One of the RVI interfaces on the Juniper switch is not working. Vlan 10 and 20 cannot access the internet. I am wondering if there is a problem with default Vlans on the Quanta and Juniper. On the Quanta the default vlan number is 1. On the Juniper the default vlan number is 0.

I appreciate any help whatsoever...
 

PGlover

Still having some problems with routing between vlans on my Juniper switch. For some reason, the default vlan (0) is not routable. I can route between the other vlans with no problems.

Below is some troubleshooting information. The IP address 10.x.x.2 is the IP address assigned to my SAN server. The IP address 192.x.x.207 is assigned to one of my personal PCs. For some reason, I am unable to ping this IP address using the RVI gateway of 192.x.x.10.1 and 10.x.x.1 on the Juniper switch.

root> show interfaces vlan terse
Interface Admin Link Proto Local Remote
vlan up up
vlan.0 up up inet 192.x.x.254/24
vlan.10 up up inet 192.x.x.1/24
vlan.20 up up inet 10.x.x.1/24

root> ping 192.x.x.207 source 192.x.x.254 count 3
PING 192.x.x.207 (192.x.x.207): 56 data bytes
64 bytes from 192.x.x.207: icmp_seq=0 ttl=128 time=2.324 ms
64 bytes from 192.x.x.207: icmp_seq=1 ttl=128 time=1.165 ms
64 bytes from 192.x.x.207: icmp_seq=2 ttl=128 time=1.257 ms

root> ping 192.x.x.207 source 192.x.x.1 count 3
PING 192.x.x.207 (192.x.x.207): 56 data bytes

--- 192.x.x.207 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

root> ping 192.x.x.207 source 10.x.x.1 count 3
PING 192.x.x.207 (192.x.x.207): 56 data bytes

--- 192.x.x.207 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Making some progress. The out-of-band management interface (me0) was in the same vlan (default) and same subnet as the RVI for the default vlan. Looking at the route table, it looks like this was a problem. I deleted the management interface and am now using in-band remote management based on the RVI for the default vlan. Clearing up some issues...
 

PGlover

Inter-vlan routing with Juniper switches is driving me crazy. For some reason, the RVI gateways of 192.168.10.1 and 10.0.0.1 are not able to reach any devices on the 192.168.1.0 subnet. All of the other RVIs are able to route between the subnets... I have a feeling that the issue is around routing and the fact that my internet gateway (Pfsense box) IP address is 192.168.1.1.

The RVIs are:

vlan.0 = 192.168.1.2
vlan.10 = 192.168.10.1
vlan.20 = 10.0.0.1

Please help in troubleshooting this issue. What else do I need to post to help in the troubleshooting?

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 07:49:43
> to 192.168.1.1 via vlan.0
10.0.0.0/24 *[Direct/0] 07:49:38
> via vlan.20
10.0.0.1/32 *[Local/0] 07:49:53
Local via vlan.20
192.168.1.0/24 *[Direct/0] 07:49:43
> via vlan.0
192.168.1.2/32 *[Local/0] 07:49:53
Local via vlan.0
192.168.10.0/24 *[Direct/0] 07:49:38
> via vlan.10
192.168.10.1/32 *[Local/0] 07:49:53
Local via vlan.10


root> ping 192.168.1.5 source 192.168.1.2 count 3
PING 192.168.1.5 (192.168.1.5): 56 data bytes
64 bytes from 192.168.1.5: icmp_seq=0 ttl=64 time=1.850 ms
64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=2.220 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=64 time=1.811 ms

--- 192.168.1.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.811/1.960/2.220/0.184 ms


root> ping 192.168.1.5 source 192.168.10.1 count 3
PING 192.168.1.5 (192.168.1.5): 56 data bytes

--- 192.168.1.5 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss


root> ping 192.168.1.5 source 10.0.0.1 count 3
PING 192.168.1.5 (192.168.1.5): 56 data bytes

--- 192.168.1.5 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
 

aero

Active Member
Apr 27, 2016
312
54
28
50
I would suggest not to use the default vlan for anything; it should be treated as an administrative network. This is common practice for a number of reasons.

Regarding your ping testing, what is 192.168.1.5? Is it a host connected to the juniper or the lb6m?

Are you able to ping the pfsense IP from each of those source vlans?

edit: also, what is the default gateway set to on your test host (192.168.1.5)?
 

PGlover

> I would suggest not to use the default vlan for anything; it should be treated as an administrative network. This is common practice for a number of reasons.
>
> Regarding your ping testing, what is 192.168.1.5? Is it a host connected to the juniper or the lb6m?
>
> Are you able to ping the pfsense IP from each of those source vlans?
>
> edit: also, what is the default gateway set to on your test host (192.168.1.5)?

192.168.1.5 is the IP address of the LB6M. This is probably not a good example...

So let's use 192.168.1.207 as the example. This is a PC connected to the Juniper switch. The gateway is 192.168.1.2, which is the IP address of the RVI on vlan 0.

This PC can access the Internet. It can ping the RVIs IP address. It can connect to the SAN server at 10.0.0.2.
 

aero

In other words then, all routing for PC 192.168.1.207 is working fine?

What exactly is not working?

I suspect your ping issues to 192.168.1.5 have to do with the default gateway set on the LB6m. It should be set to 192.168.1.2.
 

PGlover

> In other words then, all routing for PC 192.168.1.207 is working fine?
>
> What exactly is not working?
>
> I suspect your ping issues to 192.168.1.5 have to do with the default gateway set on the LB6m. It should be set to 192.168.1.2.

Good point... I will change tonight and post results.
 

PGlover

> In other words then, all routing for PC 192.168.1.207 is working fine?
>
> What exactly is not working?
>
> I suspect your ping issues to 192.168.1.5 have to do with the default gateway set on the LB6m. It should be set to 192.168.1.2.

Making some progress, but still have some problems. I was able to successfully ping the IP address of the LB6M from all RVIs on the Juniper switch (see below) by changing the gateway to 192.168.1.2. For the PC with IP address 192.168.1.207, the gateway is set to the RVI 192.168.1.2. I am only able to ping successfully from the RVI gateway 192.168.1.2 but not others (see below). I tried connecting the PC directly to the LB6M and Juniper switch and got the same results.

What in the world is going on?


root> ping 192.168.1.5 source 10.0.0.1 count 3
PING 192.168.1.5 (192.168.1.5): 56 data bytes
64 bytes from 192.168.1.5: icmp_seq=0 ttl=64 time=6.377 ms

root> ping 192.168.1.5 source 192.168.1.2 count 3
PING 192.168.1.5 (192.168.1.5): 56 data bytes
64 bytes from 192.168.1.5: icmp_seq=0 ttl=64 time=3.515 ms

root> ping 192.168.1.5 source 192.168.10.1 count 3
PING 192.168.1.5 (192.168.1.5): 56 data bytes
64 bytes from 192.168.1.5: icmp_seq=0 ttl=64 time=22.090 ms

------------------------------------------------------------------------

root> ping 192.168.1.207 source 192.168.1.2 count 3
PING 192.168.1.207 (192.168.1.207): 56 data bytes
64 bytes from 192.168.1.207: icmp_seq=0 ttl=128 time=1.787 ms

root> ping 192.168.1.207 source 10.0.0.1 count 3
PING 192.168.1.207 (192.168.1.207): 56 data bytes

--- 192.168.1.207 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

root> ping 192.168.1.207 source 192.168.10.1 count 3
PING 192.168.1.207 (192.168.1.207): 56 data bytes

--- 192.168.1.207 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
 

PGlover

> I would suggest not to use the default vlan for anything; it should be treated as an administrative network. This is common practice for a number of reasons.
>
> Regarding your ping testing, what is 192.168.1.5? Is it a host connected to the juniper or the lb6m?
>
> Are you able to ping the pfsense IP from each of those source vlans?
>
> edit: also, what is the default gateway set to on your test host (192.168.1.5)?

Below are the ping results from trying to ping the pfsense IP of 192.168.1.1. Only successful from the RVI with IP address 192.168.1.2.

root> ping 192.168.1.1 source 192.168.1.2 count 3
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=1.499 ms

root> ping 192.168.1.1 source 10.0.0.1 count 3
PING 192.168.1.1 (192.168.1.1): 56 data bytes

--- 192.168.1.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

root> ping 192.168.1.1 source 192.168.10.1 count 3
PING 192.168.1.1 (192.168.1.1): 56 data bytes

--- 192.168.1.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
 

PGlover

Just wondering about the default vlan on the LB6M and the Juniper switch.

The LB6M uses VLAN ID 1 for the default VLAN and will carry tagged and untagged traffic over the trunk port to the Juniper switch. Here is the configuration of the trunk port:

interface 0/23
no auto-negotiate
addport 1/2
exit
interface 0/24
no auto-negotiate
addport 1/2
exit
interface 0/23
description 'Juniper EX3300 Switch Ethernet nic0'
snmp-server enable traps violation
exit
interface 0/24
description 'Juniper EX3300 Switch Ethernet nic1'
snmp-server enable traps violation
exit
interface 1/2
description 'A LAG interface to Juniper EX3300 Switch w/802.1q vlan trunking'
no port-channel static
vlan participation include 10,20
vlan tagging 10,20
snmp-server enable traps violation

Juniper uses VLAN ID 0 for the default VLAN. Here is the configuration of the trunk port:

xe-0/1/0 {
    ether-options {
        802.3ad ae0;
    }
}
xe-0/1/1 {
    ether-options {
        802.3ad ae0;
    }
}

ae0 {
    description "A LAG interface to Quanta LB6M switch w/802.1q vlan trunking";
    aggregated-ether-options {
        lacp {
            active;
        }
    }
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ Hypervisors_Servers NAS_SAN_Storage ];
            }
            native-vlan-id default;
        }
    }
}

vlan {
    unit 0 {
        family inet {
            address 192.168.1.2/24;
        }
    }
    unit 10 {
        family inet {
            address 192.168.10.1/24;
        }
    }
    unit 20 {
        family inet {
            address 10.0.0.1/24;
        }
    }
}

vlans {
    Hypervisors_Servers {
        vlan-id 10;
        l3-interface vlan.10;
    }
    NAS_SAN_Storage {
        vlan-id 20;
        l3-interface vlan.20;
    }
    default {
        l3-interface vlan.0;
    }
}

See anything wrong with the trunk port configuration?
 

aero

The default vlan carries untagged traffic only. You have tagged traffic defined for vlans 10 and 20 on your trunk right now.

Since the default vlans mismatch, untagged traffic (vlan 0) on the juniper will be vlan 1 on the LB6m. Shouldn't be an issue, but remember that vlan 0 on juniper = vlan 1 on lb6m.
 

aero

> Below are the ping results from trying to ping the pfsense IP of 192.168.1.1. Only successful from the RVI with IP address 192.168.1.2.
>
> root> ping 192.168.1.1 source 192.168.1.2 count 3
> PING 192.168.1.1 (192.168.1.1): 56 data bytes
> 64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=1.499 ms
>
> root> ping 192.168.1.1 source 10.0.0.1 count 3
> PING 192.168.1.1 (192.168.1.1): 56 data bytes
>
> --- 192.168.1.1 ping statistics ---
> 3 packets transmitted, 0 packets received, 100% packet loss
>
> root> ping 192.168.1.1 source 192.168.10.1 count 3
> PING 192.168.1.1 (192.168.1.1): 56 data bytes
>
> --- 192.168.1.1 ping statistics ---
> 3 packets transmitted, 0 packets received, 100% packet loss

Does your pfsense have routes added? It needs to know that to reach 10.0.0/24 and 192.168.10.0/24 it has to go through 192.168.1.2.

I'm not really a fan of the way you are using the vlan 0 subnet though. My preference would be to create a /30 transit network between the juniper and the pfsense box, like 10.1.1.0/30, rather than use 192.168.1.0/24.

What you have though, should still work. Check the static routes on pfsense.
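
The return-path point made in the post above, as an added example that is not part of the original thread: a longest-prefix-match lookup over constructed pfSense routing tables, built from the thread's addresses, shows why echo replies to the 10.0.0.1 and 192.168.10.1 sources never come back until the two static routes exist. The `wan-gw` next hop is a placeholder for the upstream gateway, which the thread does not give.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

# Constructed tables (assumption): pfSense LAN is 192.168.1.1/24 as in the thread,
# "wan-gw" stands in for whatever sits upstream on the 192.168.50.x side.
PFSENSE_BEFORE = [
    ("0.0.0.0/0", "wan-gw"),
    ("192.168.1.0/24", "connected"),
]
# Same table after adding the static routes via the Juniper RVI 192.168.1.2.
PFSENSE_AFTER = PFSENSE_BEFORE + [
    ("10.0.0.0/24", "192.168.1.2"),
    ("192.168.10.0/24", "192.168.1.2"),
]

# Source addresses used in the thread's ping tests from the Juniper switch.
RVI_SOURCES = ["192.168.1.2", "192.168.10.1", "10.0.0.1"]
LAN_SIDE = ("connected", "192.168.1.2")

def reply_paths(routes):
    """Next hop pfSense would pick for an echo reply to each RVI source."""
    return {src: next_hop(routes, src) for src in RVI_SOURCES}

def lost_replies(routes):
    """RVI sources whose replies leave toward the WAN instead of the LAN."""
    return [src for src, hop in reply_paths(routes).items() if hop not in LAN_SIDE]

if __name__ == "__main__":
    for label, table in (("before", PFSENSE_BEFORE), ("after", PFSENSE_AFTER)):
        print(label, reply_paths(table), "lost:", lost_replies(table))
```
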
 

PGlover

> the default vlan carries untagged traffic only. You have tagged traffic defined for vlans 10 and 20 on your trunk right now.
>
> Since the default vlans mismatch, untagged traffic (vlan 0) on the juniper will be vlan 1 on the LB6m. Shouldn't be an issue, but remember that vlan 0 on juniper = vlan 1 on lb6m.

ok.. thanks....
 

PGlover

> Does your pfsense have routes added? It needs to know that to reach 10.0.0/24 and 192.168.10.0/24 it has to go through 192.168.1.2.
>
> I'm not really a fan of the way you are using the vlan 0 subnet though. My preference would be to create a /30 transit network between the juniper and the pfsense box, like 10.1.1.0/30, rather than use 192.168.1.0/24.
>
> What you have though, should still work. Check the static routes on pfsense.

I have not created static routes on the pfsense box for the routing of traffic from the 10.0.0.0/24 and 192.168.10.0/24 subnets. Not sure I know how to do this. Any good documentation on how to create static routes in pfsense?
 

PGlover

> Does your pfsense have routes added? It needs to know that to reach 10.0.0/24 and 192.168.10.0/24 it has to go through 192.168.1.2.
>
> I'm not really a fan of the way you are using the vlan 0 subnet though. My preference would be to create a /30 transit network between the juniper and the pfsense box, like 10.1.1.0/30, rather than use 192.168.1.0/24.
>
> What you have though, should still work. Check the static routes on pfsense.

Just for clarity.. Do you mean that 10.0.0/24 and 192.168.10.0/24 it has to go through 192.168.1.2 or 192.168.1.1?
 

PGlover

> Does your pfsense have routes added? It needs to know that to reach 10.0.0/24 and 192.168.10.0/24 it has to go through 192.168.1.2.
>
> I'm not really a fan of the way you are using the vlan 0 subnet though. My preference would be to create a /30 transit network between the juniper and the pfsense box, like 10.1.1.0/30, rather than use 192.168.1.0/24.
>
> What you have though, should still work. Check the static routes on pfsense.

Here is what I did to set up a static route in pfsense. I now have access to the internet from the subnets 10.0.0.0/24 and 192.168.10.0/24; however, my original issue has not been resolved. Any advice on the static route setup in pfsense?


1. Create Gateway

Capture1.PNG


2. Create Static Route

Untitled2.png



3. Create LAN Firewall Rule

Untitled3.png
 

PGlover

I worked with folks on the pfsense forum and they confirmed my static route setup is correct. I still feel that I have a gateway issue on the host PCs and core switch (LB6M). Can you please confirm that the gateway should be 192.168.1.2 and not 192.168.1.1?

Below is a simple diagram of my setup.


Internet
|
|
|
[pfsense]
WAN = 192.168.50.x
LAN = 192.168.1.1
|
|
|
[Core Switch - Quanta LB6M]
IP = 192.168.1.5
GW = 192.168.1.2 [Should the Gateway be 192.168.1.1?]
SubNetMask = 255.255.255.0
|
|
|
[Juniper Switch - EX3300]
Default vlan = 192.168.1.2, SubNetMask = 255.255.255.0, No GW
Vlan 10 = 192.168.10.1, SubNetMask = 255.255.255.0, No GW
Vlan 20 = 10.0.0.1, SubNetMask = 255.255.255.0, No GW
|
|
|
[Host PC A]
IP = 192.168.1.207
GW = 192.168.1.2 [Should the Gateway be 192.168.1.1?]
SubNetMask = 255.255.255.0

Also I feel I have not configured an overall IP address and gateway for the Juniper switch. I found the article below.

Example: Configuring the Name of the Switch, IP Address, and System ID - Technical Documentation - Support - Juniper Networks