Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Isolated VLAN not working as intended on EX3400?

    Posted 02-14-2022 09:48
    Hi there!

    I'm trying to secure the out-of-band management network here.
    So I'm trying to set up some isolated/private VLAN configuration.  
    But somehow, it doesn't work as intended. Probably a simple configuration thing; Juniper is somewhat new for me (coming from Cisco).

    Situation:
    Out-of-Band network switch: EX3400.
    Switches to be managed: QFX5120. 

    Simple network drawing:

    Configuration on the EX3400:
    VLANS:
    VL_OOB_1 {
        vlan-id 80;
        l3-interface irb.80;
        isolated-vlan VL_OOB_ISOLATED;
    }
    VL_OOB_ISOLATED {
        vlan-id 100;
        private-vlan isolated;
    }
    default {
        vlan-id 1;
        l3-interface irb.0;
    }

    Interfaces:

    show configuration interfaces ge-0/0/1    
    description "[ Link to QFX5120]";
    unit 0 {
        family ethernet-switching {
            interface-mode access;
            vlan {
                members VL_OOB_ISOLATED;
            }
        }
    }
    
    show configuration interfaces ge-0/0/0   
    description "[ Link to QFX5120]";
    unit 0 {
        family ethernet-switching {
            interface-mode access;
            vlan {
                members VL_OOB_ISOLATED;
            }
        }
    }
    show configuration interfaces irb.80   
    family inet {
        address 10.10.0.1/24;
    }
    

    Configuration on the QFX5120's
    QFX1:

    show configuration interfaces em0.0 
    family inet {
        address 10.10.0.2/24;
    }
    

    QFX2:

    show configuration interfaces em0.0 
    family inet {
        address 10.10.0.3/24;
    }
    


    But the QFX switches still can communicate with each other:
    From QFX1:

    ping 10.10.0.3 interface em0.0     
    PING 10.10.0.3 (10.10.0.3): 56 data bytes
    64 bytes 10.10.0.3: icmp_seq=0 ttl=64 time=0.618 ms
    

    Am I missing something that simple over here? 

    Thanks for help!


    ------------------------------
    Bart van Kampen
    ------------------------------


  • 2.  RE: Isolated VLAN not working as intended on EX3400?

    Posted 02-15-2022 10:00
    Hi Bart,
    have you tried the no-local-switching knob?
    It is here stated as a must for isolated VLANs:
    https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/topic-map/private-vlans.html#d35e185

    Configuring a primary VLAN consists of these steps:

    1. Configure the primary VLAN name and 802.1Q tag.

    2. Set no-local-switching on the primary VLAN.

    3. Configure the promiscuous trunk port and access ports.

    4. Make the promiscuous trunk and access ports members of the primary VLAN.

    Within a primary VLAN, you can configure secondary community VLANs or secondary isolated VLANs or both. Configuring a secondary community VLAN consists of these steps:

    1. Configure a VLAN using the usual process.

    2. Configure access interfaces for the VLAN.

    3. Assign a primary VLAN to the community VLAN.

    Isolated VLANs are created internally when the isolated VLAN has access interfaces as members and the option no-local-switching is enabled on the primary VLAN.

    Regards,
    Mohummad



    ------------------------------
    MOHUMMAD MAHDY ABBASS
    ------------------------------



  • 3.  RE: Isolated VLAN not working as intended on EX3400?

    Posted 02-15-2022 10:36
    Hi,

    no-local-switching isn't available in ELS.

    But found the problem:
    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1626710

    Removed the VLAN configuration from both the interfaces (0/0/0 and 0/0/1). Commit, and reapply.

    ------------------------------
    Bart van Kampen
    ------------------------------
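
A consistency check for the ELS-style private VLAN configuration posted in this thread, as an added example that is not code from any of the posters or from Juniper. The function names `parse_vlans` and `lint_pvlan` are hypothetical, and the sample is the primary and isolated VLAN stanzas from the first post.

```python
import re

# Constructed sample: primary and isolated VLANs as posted in the thread (ELS syntax).
POSTED = """
VL_OOB_1 {
    vlan-id 80;
    l3-interface irb.80;
    isolated-vlan VL_OOB_ISOLATED;
}
VL_OOB_ISOLATED {
    vlan-id 100;
    private-vlan isolated;
}
"""

def parse_vlans(text):
    """Parse a flat Junos 'vlans' stanza into {vlan_name: {statement: value}}."""
    vlans, current = {}, None
    for raw in text.splitlines():
        line = raw.replace("\u200b", "").strip()  # drop zero-width spaces from web copy/paste
        opened = re.fullmatch(r"(\S+)\s*\{", line)
        if opened:
            current = vlans.setdefault(opened.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            current[key] = value.strip()
    return vlans

def lint_pvlan(vlans):
    """Return a list of consistency findings for primary/isolated VLAN pairs."""
    findings, referenced, ids = [], set(), {}
    for name, stmts in vlans.items():
        ids.setdefault(stmts.get("vlan-id"), []).append(name)
        target = stmts.get("isolated-vlan")
        if target is None:
            continue
        referenced.add(target)
        if vlans.get(target, {}).get("private-vlan") != "isolated":
            findings.append(f"{name}: isolated-vlan {target} is missing or not 'private-vlan isolated'")
    for name, stmts in vlans.items():
        if stmts.get("private-vlan") == "isolated" and name not in referenced:
            findings.append(f"{name}: isolated VLAN is not attached to any primary VLAN")
    findings += [f"vlan-id {v} reused by {', '.join(n)}" for v, n in ids.items() if v and len(n) > 1]
    return findings
```

`lint_pvlan(parse_vlans(POSTED))` returns an empty list for the configuration as posted. The check covers configuration consistency only, so a reachability test between isolated ports, like the ping in the first post, is still needed to confirm the switch actually enforces isolation.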