PVLANs and Filter Based Forwarding

  • 1.  PVLANs and Filter Based Forwarding

    Posted 6 days ago

    Hi all,

    I have an EX3400 and I just set up an isolated private VLAN for my endpoint devices. I have the promiscuous port going to my firewall/gateway and everything else in the isolated VLAN.

    The isolation works great, but I want to allow some communication between devices in the LAN while blocking the rest. If possible I'd prefer to force the traffic through my firewall since it has more capabilities than the switch's ACLs.

    I created an IRB on the primary VLAN, gave it an IP in the subnet, and enabled unrestricted proxy ARP on the EX3400 (and added no-gratuitous-arp-request). As expected, intra-VLAN traffic now flows through the IRB and gets routed. To force this traffic through my firewall, I created a forwarding routing instance that imports routes pointing at the firewall (which sits on a different subnet) and set up an input filter on the IRB that hands matching traffic to this routing instance. From my understanding this should work, and it does for some devices, but not for others. After some testing I realized that traffic that enters the isolated VLAN from a trunk port (for example a wireless client behind an AP) ignores the filter and gets routed through the default routing table, never hitting the firewall. For devices wired directly into an access port the redirect works as expected.

    Is what I'm trying to do even possible? I don't see any documented limitation that would rule it out. This feels a lot like a bug, but I can't find it reported anywhere and I've tried different Junos versions (currently on 23.4R2-S6.6). I've tried countless different configs; here are the relevant blocks that showcase the behavior I'm describing.

    Access Port on Isolated VLAN

        /* Wired endpoint: access port in the isolated secondary VLAN (31).
           Per PVLAN semantics its only L2 peers are promiscuous ports (ae0 to
           the firewall) and the primary VLAN's IRB. This is the path on which
           the FBF redirect on irb.30 is reported to work. */
        ge-0/0/4 {
            description wrk-nr1;
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members Access-Isolated;
                    }
                    storm-control default;
                }
            }
        }

    Trunk Port on Isolated VLAN

        /* Trunk to an access point. Wireless clients arrive here tagged with the
           isolated VLAN (31); per the post this is the path on which the irb.30
           input filter is NOT honoured. NOTE(review): PVLAN isolation is per
           switch port, and every wireless client shares this one port, so the
           switch cannot isolate those clients from each other -- that has to be
           done by client isolation on the AP itself. */
        ge-0/0/6 {
            description ap-kn1;
            vlan-tagging;
            /* Untagged frames on this port land in Management (vlan-id 10).
               NOTE(review): anything plugged in here untagged -- a replaced AP
               or a rogue device -- gets management-VLAN access; consider an
               unused native VLAN if the AP can be managed on a tagged VLAN. */
            native-vlan-id 10;
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        /* Full member list elided in the post. */
                        members [ Access-Isolated ... Management ];
                    }
                    storm-control default;
                }
            }
        }
    

    LAGG to Firewall and IRB

        /* LAG to the firewall/gateway: the PVLAN promiscuous side. It carries
           the PRIMARY VLAN (Access, 30), so isolated-VLAN traffic reaches the
           firewall on tag 30, and 10.0.4.1 lives behind it (see the published
           static ARP entry on irb.30). */
        ae0 {
            description rtr-gr1;
            vlan-tagging;
            aggregated-ether-options {
                /* Active LACP: the switch initiates negotiation with the
                   firewall. */
                lacp {
                    active;
                }
            }
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;   
                    vlan {
                        /* Full member list elided. Management (10) is also
                           carried here, which is presumably how 10.0.0.1 (the
                           next-hop of the static routes) is reached. */
                        members [ Management ... Access ];
                    }
                }
            }
        }
        /* IRB units are the L3 hand-off for each VLAN. The FBF redirect lives
           on unit 30 (primary VLAN of the PVLAN); units 0 and 10 are not part
           of the redirect, but their direct routes feed the import policy and
           so matter for next-hop resolution. */
        irb {
            /* Do not send gratuitous ARP requests from any IRB; per the post
               this was added together with proxy-arp. */
            no-gratuitous-arp-request;
            /* irb.0 sits on the default VLAN (vlan-id 1) as a DHCP / DHCPv6
               client; details elided in the post. NOTE(review): an L3
               interface on VLAN 1 is reachable from whatever still lands in
               the default VLAN -- confirm nothing untrusted is left there. */
            unit 0 {
                family inet {
                    dhcp {
    ...
                    }
                }
                family inet6 {
                    dhcpv6-client {
    ...
                    }
                }
            }
            /* Management VLAN. 10.0.0.1 (the firewall, next-hop of both
               static routes) is on this subnet, which is why the import
               policy has to copy this subnet's direct route into
               proxy.inet.0. */
            unit 10 {
                family inet {
                    address 10.0.0.17/23;
                }
            }
            /* Primary VLAN of the PVLAN (vlan-id 30). Traffic between isolated
               hosts is hairpinned through this unit. */
            unit 30 {
                /* "unrestricted": answer ARP for ANY target, including
                   addresses inside 10.0.4.0/23. Isolated hosts therefore
                   resolve every peer to irb.30's MAC and their intra-subnet
                   traffic enters this unit, where the input filter can redirect
                   it. By design the switch sits in the middle of all
                   intra-VLAN traffic; do not reuse this on a VLAN whose hosts
                   are meant to talk directly. */
                proxy-arp unrestricted;
                family inet {
                    /* Ingress FBF filter (defined under "firewall"). The post
                       reports it is honoured for frames from access ports but
                       not for frames arriving tagged via trunk ports. */
                    filter {
                        input proxy;
                    }
                    /* NOTE(review): 10.0.4.100 itself falls inside the
                       filter's 10.0.4.0/23 match, so packets addressed to this
                       IRB are presumably also looked up in proxy.inet.0 and
                       sent to the firewall; confirm that is intended (e.g. for
                       pinging the switch from the endpoint VLAN). */
                    address 10.0.4.100/23 {
                        /* Static, published ARP entry for the firewall's
                           gateway address: the switch answers ARP for 10.0.4.1
                           and pins its MAC to the promiscuous LAG, so the
                           switch's own entry for the gateway cannot be
                           poisoned from the VLAN. MAC redacted in the post. */
                        arp 10.0.4.1 l2-interface ae0.0 mac 0c:c4:7a:... publish;
                    }
                }
            }
        }
    

    FBF and VLAN Config

    /* Import policy used in two places: by rib-group FBF-rib and by the proxy
       instance's instance-import. Terms are evaluated in the order written
       (term 2 first, then term 1), so the numbering is misleading. */
    policy-options {
        policy-statement proxy-import {
            /* Copy only the management subnet's direct/local routes into
               proxy.inet.0: that is what lets next-hop 10.0.0.1 resolve there.
               The route-filter deliberately excludes irb.30's own 10.0.4.0/23
               direct route -- direct routes have a lower (better) preference
               than statics, so importing it would beat the static route in the
               proxy instance and send intra-VLAN traffic straight back out
               irb.30 instead of to the firewall. */
            term 2 {
                from {
                    protocol [ direct local ];
                    route-filter 10.0.0.0/23 orlonger;
                }
                to rib proxy.inet.0;
                then accept;
            }                               
            /* Copy every static route (currently only the default) as well. */
            term 1 {
                from protocol static;
                to rib proxy.inet.0;
                then accept;
            }
            /* Nothing else is leaked into proxy.inet.0. */
            then reject;
        }
    }
    /* Ingress filter on irb.30 that implements the FBF redirect. */
    firewall {
        family inet {
            filter proxy {
                /* Everything destined to the endpoint subnet is looked up in
                   proxy.inet.0 instead of inet.0. NOTE(review): there is no
                   "count" action and no explicit final term, so (a) there is
                   no quick way to see whether trunk-sourced packets ever reach
                   this term -- adding "count proxy-hits;" next to the
                   routing-instance action would show that in "show firewall"
                   -- and (b) the implicit discard at the end of a Junos filter
                   drops any other traffic that enters irb.30; that is harmless
                   only while the hosts' default gateway is the firewall rather
                   than this IRB. */
                term 1 {
                    from {
                        destination-address {
                            10.0.4.0/23;
                        }
                    }
                    then {
                        routing-instance proxy;
                    }
                }
            }
        }
      }
    /* Forwarding-type instance used only as an alternate lookup table. It owns
       no interfaces, so every route in it is either the static below or one
       leaked in from inet.0. */
    routing-instances {
        proxy {
            instance-type forwarding;
            routing-options {
                /* Overrides the connected route: anything for the endpoint
                   subnet goes to the firewall (10.0.0.1, via the management
                   subnet) rather than being switched back out irb.30. This
                   only works because the 10.0.4.0/23 direct route is NOT
                   imported into this instance. */
                static {
                    route 10.0.4.0/23 next-hop 10.0.0.1;
                }
                /* Pulls direct/static routes from inet.0 per the policy. This
                   duplicates what rib-group FBF-rib is meant to do, so one of
                   the two mechanisms is redundant; check which one actually
                   populates the table with "show route table proxy.inet.0". */
                instance-import proxy-import;
            }
        }
    }
    
    /* Global routing options. The rib-group is meant to leak interface
       (direct) routes into proxy.inet.0 so the static next-hop there can
       resolve. */
    routing-options {
        interface-routes {
            /* NOTE(review): Junos treats the FIRST rib listed in import-rib as
               the primary (source) table; for interface-routes that is inet.0,
               so the conventional form is "import-rib [ inet.0 proxy.inet.0 ]".
               As written, verify with "show route table proxy.inet.0" that this
               rib-group contributes anything -- the instance-import in the
               proxy instance would mask it if it does not. */
            rib-group inet FBF-rib;         
        }
        /* Default route via the firewall on the management subnet; policy
           term 1 copies it into proxy.inet.0. */
        static {
            route 0.0.0.0/0 next-hop 10.0.0.1;
        }
        rib-groups {
            FBF-rib {
                import-rib [ proxy.inet.0 inet.0 ];
                import-policy proxy-import;
            }
        }
    }
    
    /* VLAN definitions. Access (30) is the PVLAN primary and carries the L3
       interface; Access-Isolated (31) is its isolated secondary. */
    vlans {
        Access {
            vlan-id 30;
            /* The IRB carrying the FBF filter hangs off the PRIMARY VLAN;
               secondary-VLAN traffic reaches it through the PVLAN association
               below. */
            l3-interface irb.30;
            isolated-vlan Access-Isolated;
        }
        Access-Isolated {
            vlan-id 31;
            switch-options {
                /* ge-0/0/2.31 is a unit not shown in the post; it is bound to
                   the isolated VLAN explicitly here rather than via
                   "vlan members". */
                interface ge-0/0/2.31;
            }
            private-vlan isolated;
        }
    ...
        Management {
            vlan-id 10;
            l3-interface irb.10;
        }
        /* The default VLAN (1) keeps an L3 interface (irb.0, DHCP client). */
        default {
            vlan-id 1;
            l3-interface irb.0;
        }
    
    }
    

