VLAN Routing Between Layer 3 and Layer 2 Switch

Discussion in 'Networking' started by PGlover, Aug 16, 2016.

  1. PGlover

    One other thought: maybe the firewall on the host PC with IP address 192.168.1.207 is causing my issue.

    The reason for my thought is that I can ping the core switch (192.168.1.5) from the Juniper switch, sourced from each of the RVI IP addresses (192.168.1.2, 192.168.10.1, and 10.0.0.1), with no problem.

    I will find another host PC at home and turn off all firewalls and try it...
     
    #41
    Last edited: Aug 25, 2016
  2. aero

    Can you post your current Juniper config? Since you are able to reach the internet from all of your VLANs, I suspect that you do have a proper default route on the EX3300.

    Setting the gateway on the hosts (and the LB6M) to 192.168.1.2 is preferred, although .1 would work too. Not to confuse you, but for anyone else reading this thread: whether you set it to .1 or .2, you're going to rely on ICMP redirect behavior; or, if redirects are off, traffic through .1 to local subnets will also have to be processed by the firewall.
     
    #42
  3. PGlover

    This is the latest version of the config:


    ## Last changed: 2016-08-21 20:48:37 EDT
    version 12.3R12.4;
    /*
     * Junos configuration of the EX3300 acting as the Layer 3 switch in this thread:
     * three routed VLAN interfaces (vlan.0, vlan.10, vlan.20) and a single static
     * default route toward 192.168.1.1 (pfSense). Inter-VLAN traffic is routed on
     * this switch and never reaches pfSense; no firewall filter is applied to any
     * RVI, so there is no VLAN-to-VLAN policy here. Apply a firewall family inet
     * filter to the RVIs if such policy is required.
     */
    system {
    /* Gateway Junos uses before routing is up; same next hop as the static default route below. */
    backup-router 192.168.1.1;
    time-zone America/New_York;
    root-authentication {
    /*
     * NOTE(review): this MD5-crypt ($1$) hash was pasted into a public forum
     * thread. Treat the root password as disclosed, rotate it, and redact the
     * SECRET-DATA lines before posting the configuration again.
     */
    encrypted-password "$1$m4KyMRba$mLIqDdgMmjrDZFGomQ5dF/";
    }
    login {
    /* Single local administrator with full (super-user) rights; same disclosure note as for root. */
    user gLo {
    full-name "XXXXXXXXXX";
    uid 100;
    class super-user;
    authentication {
    encrypted-password "$1$ebVCQowU$/0iH1VJMpo6Tk8c59/YFl.";
    }
    }
    }
    services {
    ssh {
    /* SSHv1 is disabled. root-login is not set, so the platform default applies; root-login deny is available here. */
    protocol-version v2;
    }
    /* NETCONF is exposed over the same SSH service. */
    netconf {
    ssh;
    }
    /*
     * J-Web over plaintext HTTP only: the super-user credentials above cross the
     * LAN unencrypted on every login. The https option (with a
     * system-generated-certificate) exists in this hierarchy.
     */
    web-management {
    http;
    }
    /*
     * Full-verbosity DHCP tracing to file dhcp_logfile. This is debug-level
     * output; leave it on only while troubleshooting. No DHCP server or relay
     * stanza appears in this config, so it currently seems to have nothing to trace.
     */
    dhcp {
    traceoptions {
    file dhcp_logfile;
    level all;
    flag all;
    }
    }
    }
    /* Local logging only: no remote syslog host is configured, so logs survive only as long as the switch does. */
    syslog {
    user * {
    any emergency;
    }
    /* Notices from every facility plus authentication events at info level. */
    file messages {
    any notice;
    authorization info;
    }
    /* Every CLI command entered is logged - useful as a change-audit trail. */
    file interactive-commands {
    interactive-commands any;
    }
    }
    }
    chassis {
    /* One aggregated Ethernet interface allowed (ae0 below). */
    aggregated-devices {
    ethernet {
    device-count 1;
    }
    }
    /* NOTE(review): appears to be the factory-default zero-touch knob (image/config fetched via DHCP); confirm it is wanted on a production switch. */
    auto-image-upgrade;
    }
    interfaces {
    /*
     * ge-0/0/0 .. ge-0/0/23 and ge-0/1/0 .. ge-0/1/3 are plain ethernet-switching
     * ports with no VLAN membership listed, so they presumably land as access
     * ports in the default VLAN (vlan.0, 192.168.1.2/24). Only ge-0/0/6 spells
     * out port-mode access.
     */
    ge-0/0/0 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/1 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/2 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/3 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/4 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/5 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/6 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    }
    }
    }
    ge-0/0/7 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/8 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/9 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/10 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/11 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/12 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/13 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/14 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/15 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/16 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/17 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/18 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/19 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/20 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/21 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/22 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/23 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/1/0 {
    unit 0 {
    family ethernet-switching;
    }
    }
    /* xe-0/1/0 and xe-0/1/1 are the two physical members of the ae0 LAG. */
    xe-0/1/0 {
    ether-options {
    802.3ad ae0;
    }
    }
    ge-0/1/1 {
    unit 0 {
    family ethernet-switching;
    }
    }
    xe-0/1/1 {
    ether-options {
    802.3ad ae0;
    }
    }
    ge-0/1/2 {
    unit 0 {
    family ethernet-switching;
    }
    }
    xe-0/1/2 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/1/3 {
    unit 0 {
    family ethernet-switching;
    }
    }
    xe-0/1/3 {
    unit 0 {
    family ethernet-switching;
    }
    }
    /*
     * LACP-active LAG trunk to the Quanta LB6M. VLANs 10 and 20 are carried
     * tagged; untagged frames map to the default VLAN, which is also the VLAN
     * holding the management RVI (192.168.1.2), so the management subnet rides
     * untagged on this trunk. The transit VLAN discussed later in the thread
     * would have to be added to the members list here.
     */
    ae0 {
    description "A LAG interface to Quanta LB6M switch w/802.1q vlan trunking";
    aggregated-ether-options {
    lacp {
    active;
    }
    }
    unit 0 {
    family ethernet-switching {
    port-mode trunk;
    vlan {
    members [ Hypervisors_Servers NAS_SAN_Storage ];
    }
    native-vlan-id default;
    }
    }
    }
    /* Routed VLAN interfaces (the three addresses the ping tests in this thread are sourced from). */
    vlan {
    /* default VLAN / management. */
    unit 0 {
    family inet {
    address 192.168.1.2/24;
    }
    }
    /* Hypervisors_Servers (vlan-id 10). */
    unit 10 {
    family inet {
    address 192.168.10.1/24;
    }
    }
    /* NAS_SAN_Storage (vlan-id 20). */
    unit 20 {
    family inet {
    address 10.0.0.1/24;
    }
    }
    }
    }
    routing-options {
    static {
    /*
     * Only route configured: default toward pfSense (192.168.1.1) in the default
     * VLAN. The return routes for 192.168.10.0/24 and 10.0.0.0/24 via 192.168.1.2
     * live on pfSense and are not visible here.
     */
    route 0.0.0.0/0 next-hop 192.168.1.1;
    }
    }
    protocols {
    igmp-snooping {
    vlan all;
    }
    rstp;
    /* LLDP and LLDP-MED advertise this switch's identity and port details on every port, including the uplink LAG. */
    lldp {
    interface all;
    }
    lldp-med {
    interface all;
    }
    }
    ethernet-switching-options {
    voip;
    /* Storm control on all ports at the platform default thresholds. */
    storm-control {
    interface all;
    }
    }
    /* VLAN name -> 802.1Q id -> routed interface mapping. */
    vlans {
    Hypervisors_Servers {
    vlan-id 10;
    l3-interface vlan.10;
    }
    NAS_SAN_Storage {
    vlan-id 20;
    l3-interface vlan.20;
    }
    default {
    l3-interface vlan.0;
    }
    }
     
    #43
  4. aero

    Your default route is good:

    routing-options {
    static {
    /* Default route toward pfSense (192.168.1.1); the only static route on the EX3300. */
    route 0.0.0.0/0 next-hop 192.168.1.1;
    }
    }
     
    #44
  5. PGlover

    Do you think it would be a good idea to create a transit network? If yes, is this another VLAN on the Juniper or on the Quanta switch?
     
    #45
  6. aero

    Yes, on both: another RVI on the Juniper, add the VLAN to the trunk to the Quanta, and change the VLAN of the port pfSense is patched into. And of course re-IP pfSense and update the static routes to the new next-hop (the new RVI IP on the Juniper).
     
    #46
  7. PGlover

    I understand everything except the part about updating static routes. Are these the static routes I created in pfSense?
     
    #47
  8. PGlover

    I think I understand the proposed setup for the transit VLAN. Can you please verify?

    Here is the current setup.

    Drawing1.jpg


    Here is the proposed setup using a transit vlan.

    Drawing1_2.jpg
     
    #48
  9. aero

    Yes, that diagram is what I proposed.
     
    #49
  10. PGlover

    So all the IP addresses and gateways are correct?

    I'm not sure I am all clear on the Quanta LB6M changes. For the trunk LAGG/LACP port (ports 25 and 26 on the LB6M) connecting the core switch to the pfSense router, the two ports and port-channel 1/1 need to be assigned to VLAN 2000. Do the LB6M commands below look correct?

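    ! Quanta LB6M (FASTPATH-style CLI): move the pfSense-facing LAG (ports 0/25 and
    ! 0/26, port-channel 1/1) into the new transit VLAN 2000 and take it out of
    ! VLANs 1, 10 and 20.
    ! Mode changes are not shown in this listing: "vlan database" is its own mode
    ! (leave it before the interface commands) and the interface commands need
    ! global configuration mode - confirm the exact sequence on the CLI.
    vlan database
    vlan 2000
    ! NOTE(review): a VLAN name containing a space may need quoting or a single
    ! token on this firmware - verify.
    vlan name 2000 Transit Network

    ! Physical LAG members: leave the old VLANs, join 2000, and map untagged
    ! ingress to 2000.
    interface 0/25
    vlan participation exclude 1,10,20
    vlan participation include 2000
    vlan pvid 2000
    addport 1/1

    interface 0/26
    vlan participation exclude 1,10,20
    vlan participation include 2000
    vlan pvid 2000
    addport 1/1

    ! Port-channel: same membership as its members ("exlcude" typo in the original
    ! corrected to "exclude").
    interface 1/1
    vlan pvid 2000
    vlan participation exclude 1,10,20
    vlan participation include 2000
    ! NOTE(review): "vlan tagging 2000" makes VLAN 2000 leave this port tagged.
    ! Keep it only if the pfSense NIC has an 802.1Q sub-interface for VLAN 2000;
    ! otherwise drop this line so VLAN 2000 egresses untagged (the pvid above
    ! already maps untagged ingress to 2000).
    vlan tagging 2000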
     
    #50
    Last edited: Aug 25, 2016
  11. PGlover

    Another thing: should I be using a /30 or a /29 subnet mask? The /30 only gives me 2 usable IPs. The /29 gives me 8 usable IPs.

    On the Quanta LB6M switch, do I need to assign an IP address and gateway to VLAN 2000?
     
    #51
    Last edited: Aug 26, 2016
  12. PGlover

    The one thing I am afraid of is locking myself out of pfSense and not being able to use the Web interface to make changes.
     
    #52
  13. PGlover

    Here is a revised version of the proposed setup using transit vlan 2000.

    Drawing1_2.jpg
     
    #53
  14. aero

    Use a /30. The Quanta isn't doing any routing and doesn't need an IP address for VLAN 2000.
     
    #54
  15. aero

    For changes like this, you really should have local console access.
     
    #55
  16. PGlover

    I will confirm my console access to the pfSense box tonight; I haven't used it in a while.

    For the /30 subnet, I am afraid that if my network expands and I add more downstream routers, I will run out of IP addresses.
     
    #56
  17. aero

    The only scenario I can think of where you would need more is if you add a second core switch and run VRRP or something like that...

    Anyway, it's your own internal network, and you can be as wasteful as you want with RFC 1918 private IP space. Use a /24; it makes no difference.
     
    #57
  18. PGlover

    As I learn more about this networking stuff, I read an article about network hairpinning. It looks like I have one in my design, with the Quanta switch being the core switch connecting to the pfSense box and the routing happening downstream on the Juniper switch.

    If I promote the Juniper to core switch connected to the pfSense box, I think I will avoid the hairpin. Your opinions, please: do you think the Juniper switch is up to par for being the core switch?
     
    #58
  19. aero

    The Juniper is an excellent switch. You do not have a hairpin in your network. A hairpin is when hosts have to communicate post-NAT because they don't have internal routing to each other. You are doing inter-VLAN routing on the Juniper, so that isn't a concern.
     
    #59
  20. PGlover

    Maybe I don't understand hairpinning.

    Currently, when a host on the Quanta switch (layer 2 mode, not routing) wants to go to the internet, it has to traverse the uplink to the Juniper to be routed, then come back through the same uplink to the Quanta, and then on to pfSense to reach the internet.

    This could be avoided by making the Juniper the core switch, connected directly to the pfSense PC.

    Thoughts please.
     
    #60