Filter-based VLAN assignment doesn't work

  • 1.  Filter-based VLAN assignment doesn't work

    Posted 06-02-2020 07:35

    Hello All,

     

    PC1 -->ge-0/0/2 Juniper Sw1O===LACP-trunk====OSw2 ---->PC2

     

    PC1

    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
    ether 98:5a:eb:e2:22:9e
    inet6 fe80::c2e:c452:ea33:f26f%en0 prefixlen 64 secured scopeid 0x7
    inet 10.10.11.1 netmask 0xffffff00 broadcast 10.10.11.255
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect (1000baseT <full-duplex,flow-control>)
    status: active



    PC2

    Ethernet adapter Ethernet:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) Ethernet Connection (4) I219-LM
    Physical Address. . . . . . . . . : E4-B9-7A-51-AA-29
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::f08d:f3ce:1267:161c%28(Preferred)
    IPv4 Address. . . . . . . . . . . : 10.10.11.2(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0

     

    On the Juniper switch, I have configured a VLAN named map with ID 3 and am using a filter to assign the VLAN.

     

    root@juniper-lab# show vlans map
    vlan-id 3;
    interface {
        ge-0/0/2.0 {
            mapping {
                policy;
            }
        }
    }

    {master:0}[edit interfaces ge-0/0/2]
    root@juniper-lab# show
    unit 0 {
        family ethernet-switching {
            filter {
                input vlan-assign;
            }
        }
    }

     

    {master:0}[edit firewall family ethernet-switching]
    root@juniper-lab# show
    filter vlan-assign {
        term 1 {
            from {
                source-address {
                    10.10.11.0/24;
                }
            }
            then {
                accept;
                vlan map;
            }
        }
    }



    {master:0}
    root@juniper-lab> show ethernet-switching interfaces ge-0/0/2
    Interface    State  VLAN members  Tag  Tagging   Blocking
    ge-0/0/2.0   up     map           3    untagged  unblocked




    root@juniper-lab> show ethernet-switching table
    Ethernet-switching table: 4 entries, 2 learned, 0 persistent entries
    VLAN   MAC address        Type   Age  Interfaces
    test   *                  Flood  -    All-members
    map    *                  Flood  -    All-members
    map    98:5a:eb:e2:22:9e  Learn  0    ge-0/0/2.0
    map    e4:b9:7a:51:aa:29  Learn  0    ae0.0

    {master:0}

    It knows to forward the traffic to the port channel connected to SW2.

     

    SW2


    (aruba-lab) (config) #show vlan

    VLAN CONFIGURATION
    ------------------
    VLAN  Description  Ports
    ----  -----------  -----
    1     VLAN0001     GE0/0/1 GE0/0/3-4 GE0/0/7-9 GE0/0/12-47
                       GE0/1/0-1 Pc0
    2     test         GE0/0/0 GE0/0/2 GE0/0/5 GE0/0/16
                       Pc0
    3     VLAN0003     GE0/0/6 GE0/0/16 Pc0

    (aruba-lab) (config) #show mac-address-table

    Total MAC address: 2
    Learnt: 2, Static: 0, Auth: 0, Phone: 0 Sticky: 0

    MAC Address Table
    -----------------
    MAC Address        Address Type  VLAN  Interface
    -----------        ------------  ----  ---------
    98:5a:eb:e2:22:9e  Learned       0003  Pc0
    e4:b9:7a:51:aa:29  Learned       0003  GE0/0/6

    I see the mac address too. 

     

    I had a defective Ethernet on the last test PC. I verified this PC: when I connect it to a normal access port on both switches, it works. From the packet captures, I don't see the ICMP entering the ingress interface ge0/0/2.

     

    On PC1, I see the ARP entry for

    MacBook-Pro:~ PC1$ arp -a
    ? (10.10.11.2) at e4:b9:7a:51:aa:29 on en0 ifscope [ethernet]

    or the ping from other PC2.

     

    On PC2, I don't see the ARP entry on the machine.

    I don't see an ARP entry for PC1.

    Interface: 10.10.11.2 --- 0x1c
    Internet Address  Physical Address   Type
    10.10.11.255      ff-ff-ff-ff-ff-ff  static
    224.0.0.22        01-00-5e-00-00-16  static

     

    What am I missing here? How do I troubleshoot this?

     



  • 2.  RE: Filter-based VLAN assignment doesn't work
    Best Answer

    Posted 06-04-2020 04:04

    I just thought you guys should know. I found that ARP is never passing through since the filter is based on IP. The ARP never gets placed on the right VLAN, thus the client PCs do not know where to send. Once I added the source MAC address as the filter instead of the IP, it works right away.
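
The behaviour described in this answer, as an added example that is not part of the original post and not Juniper code: a small Python model of first-match filter evaluation over two constructed frames from PC1. It assumes, as the poster observed, that an IP `source-address` term only matches frames that carry an IPv4 header; the function names and term dictionaries are hypothetical.

```python
import ipaddress
import struct

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PC1_MAC, PC2_MAC = "98:5a:eb:e2:22:9e", "e4:b9:7a:51:aa:29"  # MACs from the post

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def parse_frame(frame):
    """Return the fields a filter can see in an untagged Ethernet II frame."""
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fields = {"src_mac": src, "ethertype": ethertype, "src_ip": None}
    # An IPv4 source address exists only when the payload is an IPv4 header.
    if ethertype == ETH_IPV4 and len(frame) >= 34:
        fields["src_ip"] = ipaddress.ip_address(frame[26:30])
    return fields

def assign_vlan(frame, terms):
    """First matching term wins; None means no term matched the frame."""
    f = parse_frame(frame)
    for term in terms:
        net, mac = term.get("source_address"), term.get("source_mac")
        if net is not None and (f["src_ip"] is None
                                or f["src_ip"] not in ipaddress.ip_network(net)):
            continue  # no IPv4 source address inside the configured prefix
        if mac is not None and f["src_mac"] != mac_bytes(mac):
            continue
        return term["vlan"]
    return None

# Constructed sample frames (IPv4 header checksum left at 0, not computed).
PC1_IP, PC2_IP = (ipaddress.ip_address(a).packed for a in ("10.10.11.1", "10.10.11.2"))
ARP_REQUEST = (b"\xff" * 6 + mac_bytes(PC1_MAC) + struct.pack("!H", ETH_ARP)
               + struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1)
               + mac_bytes(PC1_MAC) + PC1_IP + b"\x00" * 6 + PC2_IP)
ICMP_ECHO = (mac_bytes(PC2_MAC) + mac_bytes(PC1_MAC) + struct.pack("!H", ETH_IPV4)
             + struct.pack("!BBHHHBBH", 0x45, 0, 28, 0, 0, 64, 1, 0) + PC1_IP + PC2_IP
             + b"\x08\x00\xf7\xff\x00\x00\x00\x00")

IP_FILTER = [{"source_address": "10.10.11.0/24", "vlan": "map"}]   # filter from post 1
MAC_FILTER = [{"source_mac": PC1_MAC, "vlan": "map"}]              # change from post 2

def compare():
    """Map frame name -> (VLAN under the IP filter, VLAN under the MAC filter)."""
    return {name: (assign_vlan(frame, IP_FILTER), assign_vlan(frame, MAC_FILTER))
            for name, frame in (("arp", ARP_REQUEST), ("icmp", ICMP_ECHO))}

if __name__ == "__main__":
    print(compare())
```

In this model the ARP request carries PC1's IP only inside the ARP payload, so the IP term leaves it unmatched, while the MAC term classifies both frames.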

     

     



  • 3.  RE: Filter-based VLAN assignment doesn't work

     
    Posted 06-04-2020 05:01

    I believe this behavior is by design.  If you create an IP filter with default action of drop, you need an ARP allow to have ARPs pass.

     

    Just FYI.



  • 4.  RE: Filter-based VLAN assignment doesn't work

    Posted 06-06-2020 22:43

    Could you provide an example filter with both?