I have a number of VLANs defined on our EX4200 stack (running 10.3R2.11). The network design is such that some of the VLANs are private (e.g. to control traffic between the switch stack, the routers and the "outside world" connections), one is for the DMZ and the remainder are to manage the internal network for different uses.
For the private VLANs, no l3-interface is defined because none is needed. The traffic management here is just layer 2.
For the DMZ and the internal VLANs, there is an l3-interface defined. The intention for the flow of traffic is that all systems on the DMZ will be configured to have the router as their default gateway, and all systems on the internal VLANs will have the switch stack as their default gateway. The switch stack has, as *its* default gateway, the internal interface on the router.
So the router is intended as the overall gateway control between the internal network, the DMZ network and the outside world. The switch stack is intended to manage all traffic flow between the internal VLANs.
The problem now is that when any system on an internal VLAN tries to reach a system in the DMZ, the traffic goes into the switch stack and then STRAIGHT into the system in the DMZ ... presumably because the switch stack "knows" where the system is.
I then tried removing the l3-interface definition on the DMZ VLAN, and that corrected the flow of traffic between the internal network and the DMZ VLAN ... but then it stopped the DHCP service from working for DMZ clients.
I need to find a way to stop traffic going directly from the internal LAN into the switch stack and then into the DMZ. I need traffic from the internal LAN to go via the router.
Can someone please point me in the direction of how to do this?
Thanks.
Philip