VLAN Routing Between Layer 3 and Layer 2 Switch

PGlover

Active Member
Nov 8, 2014
465
52
28
53
One other thought.. Maybe the firewall on the host pc with IP address 192.168.1.207 is causing my issue..

The reason for my thought is because I can ping the core switch with IP address 192.168.1.5 from the Juniper switch, from all the RVI IP addresses (192.168.1.2, 192.168.10.1, and 10.0.0.1), with no problem.

I will find another host PC at home and turn off all firewalls and try it...

aero

Active Member
Apr 27, 2016
312
54
28
50
Can you post your current juniper config? Since you are able to reach the internet from all of your vlans I suspect that you do have a proper default route on the ex3300.

The gateways on hosts (and lb6m) you have set to 192.168.1.2 is preferred, although .1 would work too. Not to confuse you, but for anyone else reading this thread, no matter if you set it to .1 or .2, you're going to rely on ICMP redirect behavior, or if redirects are off then traffic through .1 to local subnets will also have to be processed by the firewall.
 

PGlover

This is the latest version:


## Last changed: 2016-08-21 20:48:37 EDT
version 12.3R12.4;
system {
    backup-router 192.168.1.1;
    time-zone America/New_York;
    root-authentication {
        encrypted-password "$1$m4KyMRba$mLIqDdgMmjrDZFGomQ5dF/";
    }
    login {
        user gLo {
            full-name "XXXXXXXXXX";
            uid 100;
            class super-user;
            authentication {
                encrypted-password "$1$ebVCQowU$/0iH1VJMpo6Tk8c59/YFl.";
            }
        }
    }
    services {
        ssh {
            protocol-version v2;
        }
        netconf {
            ssh;
        }
        web-management {
            http;
        }
        dhcp {
            traceoptions {
                file dhcp_logfile;
                level all;
                flag all;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 1;
        }
    }
    auto-image-upgrade;
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ae0 {
        description "A LAG interface to Quanta LB6M switch w/802.1q vlan trunking";
        aggregated-ether-options {
            lacp {
                active;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Hypervisors_Servers NAS_SAN_Storage ];
                }
                native-vlan-id default;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.2/24;
            }
        }
        unit 10 {
            family inet {
                address 192.168.10.1/24;
            }
        }
        unit 20 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.1;
    }
}
protocols {
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    voip;
    storm-control {
        interface all;
    }
}
vlans {
    Hypervisors_Servers {
        vlan-id 10;
        l3-interface vlan.10;
    }
    NAS_SAN_Storage {
        vlan-id 20;
        l3-interface vlan.20;
    }
    default {
        l3-interface vlan.0;
    }
}
 

aero

Your default route is good.

routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.1;
    }
}
 

PGlover

Do you think it would be a good idea to create a transit network? If yes, is this another vlan on the Juniper or Quanta switch?
 

aero

Do you think it would be a good idea to create a transit network? If yes, is this another vlan on the Juniper or Quanta switch?
Yes, on both. Another RVI on the Juniper, add the vlan to the trunk to the Quanta, and change the vlan of the port pfSense is patched into. And of course re-IP pfSense, and update static routes to the new next-hop (new RVI IP of the Juniper).
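The Juniper side of the transit-VLAN change above, written out as an added example (this is not aero's or PGlover's configuration, and none of it is from the thread's config dump). It assumes the VLAN is named Transit, that the transit subnet is 192.168.255.0/30 with pfSense re-IPed to 192.168.255.1 and the EX3300's new RVI at 192.168.255.2; VLAN id 2000 is the value PGlover chose in the thread. The commands are Junos "set" statements for configuration mode, and the commit uses `commit confirmed` so that a mistake that cuts off management access rolls itself back instead of requiring the console.

```junos
## Added example, not the thread's own config. Assumed values: VLAN name
## "Transit", transit subnet 192.168.255.0/30, pfSense at .1, EX3300 RVI at .2.

## 1. The transit VLAN and its routed interface (RVI) on the EX3300
set vlans Transit vlan-id 2000
set vlans Transit l3-interface vlan.2000
set interfaces vlan unit 2000 family inet address 192.168.255.2/30

## 2. Carry the new VLAN across the existing LACP trunk (ae0) to the Quanta LB6M
set interfaces ae0 unit 0 family ethernet-switching vlan members Transit

## 3. Point the default route, and the boot-time backup-router, at pfSense's new address
delete routing-options static route 0.0.0.0/0
set routing-options static route 0.0.0.0/0 next-hop 192.168.255.1
delete system backup-router
set system backup-router 192.168.255.1

## 4. Commit with a 5-minute automatic rollback; if the switch stays reachable,
##    a plain "commit" afterwards makes the change permanent
commit confirmed 5

## 5. Checks to run before the second commit
run show vlans Transit
run show interfaces vlan.2000 terse
run show route 0.0.0.0/0
run ping 192.168.255.1 source 192.168.255.2 count 3
commit
```

On the pfSense side this corresponds to re-addressing its inside interface to 192.168.255.1/30 (untagged, since the LB6M port it is patched into is moved to PVID 2000), defining a gateway of 192.168.255.2 on that interface, and adding static routes for 192.168.1.0/24, 192.168.10.0/24 and 10.0.0.0/24 through it. One caveat worth checking before the change: pfSense firewall rules that use the "LAN net" alias will afterwards match only the /30, so rules meant to cover the three internal subnets need to name those networks explicitly.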
 

PGlover

yes, on both. Another RVI on the juniper, add the vlan to the trunk to the quanta, and change the vlan of the port pfsense is patched into. And of course re-ip pfsense, and update static routes to the new next-hop (new RVI IP of the Juniper).
I understand everything except the part about update static routes. Are these the static routes I created in pfsense?
 

PGlover

I think I understand the proposed setup for the transit vlan. Can you please verify?

Here is the current setup.

Drawing1.jpg


Here is the proposed setup using a transit vlan.

Drawing1_2.jpg
 

PGlover

Yes, that diagram is what I proposed.
So all the IP addresses and gateways are correct?

Not sure I am all clear on the Quanta LB6M changes. For the trunk LAGG/LACP port (ports 25 & 26 on the LB6M) connecting the core switch to the pfSense router, the two ports and port channel 1/1 need to be assigned to vlan 2000. Do the LB6M commands below look correct?

vlan database
vlan 2000
vlan name 2000 Transit Network

interface 0/25
vlan participation exclude 1,10,20
vlan participation include 2000
vlan pvid 2000
addport 1/1

interface 0/26
vlan participation exclude 1,10,20
vlan participation include 2000
vlan pvid 2000
addport 1/1

interface 1/1
vlan pvid 2000
vlan participation exclude 1,10,20
vlan participation include 2000
vlan tagging 2000 [Not sure about this command]

PGlover

Another thing.. Should I be using the /30 or /29 subnet mask? The /30 only gives me 2 usable IPs. The /29 gives me 8 usable IPs.

On the Quanta LB6M switch, do I need to assign an IP address and gateway to Vlan 2000?

PGlover

The one thing I am afraid of is locking myself out of pfSense and not being able to use the Web interface to make changes.
 

aero

Another thing.. Should I be using the /30 or /29 subnet mask? The /30 only gives me 2 usable IPs. The /29 gives me 8 usable IPs.

On the Quanta LB6M switch, do I need to assign an IP address and gateway to Vlan 2000?
Use a /30. The Quanta isn't doing any routing, and doesn't need an IP for vlan 2000.
 

aero

The one thing I am afraid of is locking myself out of pfSense and not being able to use the Web interface to make changes.
For changes like this you really should have some local console access.
 

PGlover

I will confirm my console access to the pfSense tonight. Haven't used it in a while.

For the /30 subnet, I am afraid that if my network expands and I add more downstream routers, I will run out of IP addresses.
 

aero

The only scenario I can think of where you would need more is if you add a second core and run vrrp or something like that...

Anyway, it's your own internal network, and you can be as wasteful as you want with RFC 1918 private IP space. Use a /24, makes no difference.
 

PGlover

As I learn more about this network stuff, I read an article about network hairpinning. It looks like I have one in my design with the Quanta switch being the core switch connecting to the pfSense box and the routing being downstream on the Juniper switch.

If I promote the Juniper as the core switch connected to the pfSense box, I think I will avoid the hairpin. Your opinions please. Do you think the Juniper switch is up to par for being the core switch?
 

aero

The juniper is an excellent switch. You do not have a hairpin in your network. Hairpin is if hosts have to communicate post-NAT because they don't have internal routing to each other. You are doing inter-vlan routing on the Juniper, so that isn't a concern.
 

PGlover

The juniper is an excellent switch. You do not have a hairpin in your network. Hairpin is if hosts have to communicate post-NAT because they don't have internal routing to each other. You are doing inter-vlan routing on the Juniper, so that isn't a concern.
Maybe I don't understand hairpinning.

Currently, when a host on the Quanta switch (layer 2 mode, not routing) wants to go to the internet, it has to traverse the uplink to the Juniper for routing, get routed, and then come back through the same uplink to the Quanta again and then on to the pfSense to go to the internet.

This could be avoided by making the Juniper the core switch connected directly to the pfSense PC.

Thoughts please.