EX4300 / PulseSecure Gateway Internal Port Native VLAN

  • 1.  EX4300 / PulseSecure Gateway Internal Port Native VLAN

    Posted 04-23-2018 01:04

    Hi all,

    we are currently facing the following scenario.

    We are trying to implement two PulseSecure Gateways in a high-availability setup.
    (Maybe some of you already have some experience with these devices. Pulse was once owned by Juniper, and the PulseSecure Gateways were once known as Juniper MAGs.)

    So we have two datacenters. In each datacenter we run a Virtual Chassis of three EX4300.

    An aggregated interface configured as a trunk over a DWDM line connects both datacenters.
    One PulseSecure Gateway should be deployed per datacenter, and both PulseSecure Gateways should form a cluster and run HA.

     

    PulseSecureGateway = PSA

     

    PSANODE0---EX4300===DWDM===EX4300---PSANODE1

     

    The problem we are currently facing is:

    The PSAs have 3 ports: Internal / External / Mgmt

    The issue we now have is with the Internal port.

    The Internal port is used for device-related services, like establishing HA, sending AUTH requests, querying DNS, ...

    This traffic is configured within the "native" Internal port, and this traffic is always sent untagged.

    But you can also configure VLAN interfaces on top of the Internal interface, e.g. for customer traffic, and this traffic of course is tagged.

    So you have one physical cable, but you send and receive tagged and untagged traffic at the same time over it.

    So, in my understanding, we need to set the native-vlan statement.

    As I mentioned, some system services are sent untagged via the Internal port, for example auth requests or DNS queries.

    My DNS server is reachable via VLAN XY. The DNS server is a virtual machine, and the hypervisor is connected to the network via a trunk.

    So, let's assume the VLAN in which my DNS server is located is VLAN 25. VLAN 25 is of course a productive VLAN in which many servers and devices are located.

    So I end up with the question: can I now set the native VLAN to 25 on this specific port, which connects the EX4300 to the PSA Internal port?

    Could this lead to issues in my productive VLAN 25?

    For example:

    ge-0/0/31 {
        description "psanode0";
        native-vlan-id 25;
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ 5 10 15 25 ];
                }
            }
        }
    }

     

    As I mentioned, keep in mind: VLAN 25 already exists and is a productive VLAN, in which many devices are already located and running.

    So the important question for me: will there be issues / anomalies or something like this when I activate the native-vlan statement?

     

    Thanks to you all, Christoph.



  • 2.  RE: EX4300 / PulseSecure Gateway Internal Port Native VLAN

     
    Posted 04-23-2018 02:54

    It sounds like you don't need vlan 25 on the PSA at all.  The PSA DNS request will originate from the internal port ip address and this VLAN needs a gateway address that can then reach the rest of the required resources like VLAN 25 DNS server.

     

    Where is the layer 3 gateway address for the internal port VLAN?

    Is the gateway set up in the PSA?

    Is there a firewall where rules are needed to allow the communication to the DNS server?

     



  • 3.  RE: EX4300 / PulseSecure Gateway Internal Port Native VLAN

    Posted 04-23-2018 03:48

    Hi,

     

    the gateway for the internal port (which is needed to form a valid cluster) should also be a member of VLAN 25.

    I cannot configure VLAN parameters on the internal port. I can only configure VLAN parameters for the VLAN interfaces which are created "on top of" the internal port. So the internal port itself will always send untagged traffic, destined for VLAN 1. But we don't want to have VLAN 1 in use.

     

    Here are some links which may help you understand my situation:

     

    https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40271/?q=internal+port&l=en_US&fs=Search&pn=1&atype=

    https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40645/?q=internal+port&l=en_US&fs=Search&pn=2&atype=

    https://docs.pulsesecure.net/WebHelp/PCS/8.3R1/Home.htm#PCS/PCS_AdminGuide_8.3/Configuring_the_Internal_Port.htm

    https://docs.pulsesecure.net/WebHelp/PCS/8.3R1/Home.htm#PCS/PCS_AdminGuide_8.3/Configuring_VLAN_Ports.htm

     

    Thanks, Christoph

     



  • 4.  RE: EX4300 / PulseSecure Gateway Internal Port Native VLAN
    Best Answer

     
    Posted 04-24-2018 02:50

    Reviewing the documentation, your configuration is correct. The appliance will have an untagged address in VLAN 25, and that is what you will configure on the port on the EX as well.

     



  • 5.  RE: EX4300 / PulseSecure Gateway Internal Port Native VLAN

    Posted 04-24-2018 23:35

    Hi,

    thanks for your feedback.

    In the meantime, we were able to set up a lab and test this out.

    It works well. Just one modification was needed: the native VLAN was only in the native-vlan-id statement and not in the trunk members list itself.

    I guess this was needed because the PSA is sending and also receiving untagged frames over its internal port.

    So, in the end, the config looks like this:

     

    ge-0/0/31 {
        description "psanode0";
        native-vlan-id 25;
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ 5 10 15 ];
                }
            }
        }
    }

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB17419

     

    BR, Christoph.
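The two configurations in this thread differ in exactly one token (VLAN 25 inside or outside the `members` list), which is easy to miss in a review of a larger `show configuration interfaces` dump. The following is an added example, not code from the thread, from Pulse Secure or from Juniper: a small linter that parses Junos curly-brace interface stanzas and flags (a) a native VLAN that also appears in the trunk's `members` list, which is the shape the lab test above showed not to work, (b) `native-vlan-id` on a port that is not in trunk mode, and (c) a trunk with no `native-vlan-id` at all, where the appliance's untagged HA/DNS frames would simply be dropped by the switch. The sample configurations are the two stanzas posted above, embedded verbatim; the rule "native VLAN not in members" encodes this thread's finding and is labelled as such, since Junos behaviour here varies between releases.

```python
"""Lint Junos ELS trunk stanzas for the native-VLAN shape discussed in the thread.

Added example (not from the thread, Pulse Secure or Juniper). One statement per
line and `members [ ... ];` on a single line are assumed, as in the posted config.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Physical or aggregated Ethernet interface names: ge-0/0/31, xe-0/1/0, ae0 ...
IFACE_RE = re.compile(r"^(?:(?:ge|xe|et|mge)-\d+/\d+/\d+|ae\d+)$")


@dataclass
class Port:
    name: str
    mode: Optional[str] = None          # value of `interface-mode`, if any
    native_vlan: Optional[int] = None   # value of `native-vlan-id`, if any
    members: List[int] = field(default_factory=list)


def _vlan_ids(stmt: str) -> List[int]:
    """Numeric VLAN ids from `members [ 5 10 15 ]` or `members 25`.
    Named VLANs and ranges are ignored (assumption: numeric ids, as in the thread)."""
    body = stmt.split("members", 1)[1].strip().rstrip(";").strip("[] ")
    return [int(tok) for tok in body.split() if tok.isdigit()]


def parse_ports(config: str) -> Dict[str, Port]:
    """Walk the brace structure and collect the facts we need per interface."""
    ports: Dict[str, Port] = {}
    stack: List[str] = []       # names of the blocks we are currently inside
    port: Optional[Port] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):                  # block opens
            name = line[:-1].strip()
            stack.append(name)
            if IFACE_RE.match(name):
                port = Port(name)
                ports[name] = port
            continue
        if line == "}":                         # block closes
            if IFACE_RE.match(stack.pop()):
                port = None
            continue
        if port is None or not line.endswith(";"):
            continue
        stmt = line[:-1].strip()
        if stmt.startswith("native-vlan-id "):
            port.native_vlan = int(stmt.split()[1])
        elif stmt.startswith("interface-mode "):
            port.mode = stmt.split()[1]
        elif stmt.startswith("members"):
            port.members.extend(_vlan_ids(stmt))
    return ports


def check_port(port: Port) -> List[str]:
    """Return human-readable findings for one interface (empty list = clean)."""
    findings = []
    if port.native_vlan is not None and port.mode != "trunk":
        findings.append(f"{port.name}: native-vlan-id {port.native_vlan} set but "
                        f"interface-mode is {port.mode!r}; it only applies to trunks")
    if port.mode == "trunk" and port.native_vlan is None:
        findings.append(f"{port.name}: trunk without native-vlan-id; untagged frames "
                        f"from the attached device are dropped")
    if port.native_vlan is not None and port.native_vlan in port.members:
        findings.append(f"{port.name}: native VLAN {port.native_vlan} also listed in "
                        f"members; in the thread's lab only the native-vlan-id "
                        f"statement worked, so remove it from members")
    return findings


def lint(config: str) -> Dict[str, List[str]]:
    return {name: check_port(p) for name, p in parse_ports(config).items()}


# Sample input: the two stanzas posted in the thread (first attempt, then the lab fix).
QUESTION_CONFIG = """
ge-0/0/31 {
    description "psanode0";
    native-vlan-id 25;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ 5 10 15 25 ];
            }
        }
    }
}
"""
FINAL_CONFIG = QUESTION_CONFIG.replace("members [ 5 10 15 25 ];", "members [ 5 10 15 ];")
NO_NATIVE_CONFIG = FINAL_CONFIG.replace("    native-vlan-id 25;\n", "")

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("final", FINAL_CONFIG),
                       ("no-native", NO_NATIVE_CONFIG)):
        print(label, lint(cfg))
```

Run it against a full `show configuration interfaces | display set` export converted back to stanza form, or simply paste the stanza form; any interface not matching `IFACE_RE` (irb, lo0, vme) is skipped, and a trunk that merely carries tagged customer VLANs and has no appliance behind it will show the "trunk without native-vlan-id" note, which in that case is the expected and intended state.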