Inter-vlan Routing

[masterbuilder]

Hi,
I have a Juniper EX4200 series switch that I'm planning to use as the core switch for my home network. Directly connected to it I have:

* Vodafone Connect gateway switch (DHCP disabled)
* ASUS RT-AC 66U running DD-WRT (DHCP disabled, WAN interface disabled)
* 2 x Desktop PCs and some raspberry pis
* NAS
* A few devices like TVs, XBOX, Apple TV etc

My intention is to partition the switch ports into VLANs for different traffic types. To explore the concept I've created a VLAN for my NAS and other servers I'll put in my rack.

Right now my vlans look like this:

root@core-sw# show vlan
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
unit 100 {
family inet {
primary;
address 169.254.100.1/16;
}
}​

And since setting up the storage-net vlan and RVIs to support routing I've had problems. Basically, hosts in each vlan are unable to ping hosts in the other. I'm not sure what I'm doing wrong and hope someone with Juniper knowledge night be able to help me out. To aid that here is more info on my setup:

root@core-sw> run show interfaces vlan

Physical interface: vlan, Enabled, Physical link is Up
Interface index: 128, SNMP ifIndex: 547
Type: VLAN, Link-level type: VLAN, MTU: 1518, Speed: 1000mbps
Device flags : Present Running
Link type : Full-Duplex
Link flags : None
Current address: 00:21:59:c0:55:c1, Hardware address: 00:21:59:c0:55:c1
Last flapped : Never
Input packets : 2296238
Output packets: 2325876

Logical interface vlan.0 (Index 65) (SNMP ifIndex 545)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 492403883
Output packets: 2279586
Protocol inet
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 192.168.1/24, Local: 192.168.1.1, Broadcast: 192.168.1.255

Logical interface vlan.100 (Index 66) (SNMP ifIndex 590)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 113889
Output packets: 46401
Protocol inet
Flags: Primary, Is-Primary
Addresses, Flags: Is-Default Is-Preferred Is-Primary
Destination: 169.254/16, Local: 169.254.100.1,
Broadcast: 169.254.255.255​

root@core-sw# show vlans
default {
l3-interface vlan.0;
}
storage-net {
description "Storage Network";
vlan-id 100;
interface {
ge-0/0/45.0;
ge-0/0/46.0;
ge-0/0/44.0;
}
l3-interface vlan.100;
}​

root@core-sw# run show interfaces vlan.0 detail
Logical interface vlan.0 (Index 65) (SNMP ifIndex 545) (HW Token 1)
(Generation 130)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Traffic statistics:
Input bytes : 407834580117
Output bytes : 142346783
Input packets: 492470596
Output packets: 2280668
Local statistics:
Input bytes : 151307153
Output bytes : 142346783
Input packets: 2293730
Output packets: 2280668
Transit statistics:
Input bytes : 407683272964 0 bps
Output bytes : 0 0 bps
Input packets: 490176866 0 pps
Output packets: 0 0 pps
Protocol inet, Generation: 149, Route table: 0
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 192.168.1/24, Local: 192.168.1.1, Broadcast: 192.168.1.255,
Generation: 133​

root@core-sw# run show interfaces vlan.100 detail
Logical interface vlan.100 (Index 66) (SNMP ifIndex 590) (HW Token 2)
(Generation 131)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Traffic statistics:
Input bytes : 15533969
Output bytes : 3633270
Input packets: 114240
Output packets: 46452
Local statistics:
Input bytes : 294978
Output bytes : 3633270
Input packets: 4250
Output packets: 46452
Transit statistics:
Input bytes : 15238991 0 bps
Output bytes : 0 0 bps
Input packets: 109990 0 pps
Output packets: 0 0 pps
Protocol inet, Generation: 150, Route table: 0
Flags: Primary, Is-Primary
Addresses, Flags: Is-Default Is-Preferred Is-Primary
Destination: 169.254/16, Local: 169.254.100.1,
Broadcast: 169.254.255.255, Generation: 135​

DHCP pools for the two vlans:

root@core-sw# show system services dhcp
name-server {
8.8.8.8;
8.8.4.4;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.60;
router {
192.168.1.1;
}
}
pool 169.254.100.0/16 {
address-range low 169.254.100.2 high 169.254.100.100;
router {
169.254.100.1;
}
}​

A quick check from my laptop shows dhcp network config looks ok:

PS C:\> ipconfig
Windows IP Configuration

Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::609c:cd3:5c0a:3740%5
IPv4 Address. . . . . . . . . . . : 192.168.1.16
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1​

A similar check from the NAS on the storage vlan shows the same though its connection isn't routable so I can't show it here.

Routing table on the switch:

root@core-sw> show route detail
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
0.0.0.0/0 (1 entry, 1 announced)
*Static Preference: 5
Next hop type: Router, Next hop index: 1314
Address: 0x2ba0270
Next-hop reference count: 3
Next hop: 192.168.1.254 via vlan.0, selected
State: <Active Int Ext>
Age: 6w1d 4:07:15
Task: RT
Announcement bits (1): 0-KRT
AS path: I
169.254.0.0/16 (1 entry, 0 announced)
*Direct Preference: 0
Next hop type: Interface
Address: 0x2ba0308
Next-hop reference count: 1
Next hop: via vlan.100, selected
State: <Active Int>
Age: 33:51
Task: IF
AS path: I
169.254.100.1/32 (1 entry, 0 announced)
*Local Preference: 0
Next hop type: Local
Address: 0x2734530
Next-hop reference count: 5
Next hop:
Interface: vlan.100
State: <Active NoReadvrt Int>
Age: 6w1d 4:07:21
Task: IF
AS path: I
192.168.1.0/24 (1 entry, 0 announced)
*Direct Preference: 0
Next hop type: Interface
Address: 0x2ba01d8
Next-hop reference count: 1
Next hop: via vlan.0, selected
State: <Active Int>
Age: 6w1d 4:07:15
Task: IF
AS path: I
192.168.1.1/32 (1 entry, 0 announced)
*Local Preference: 0
Next hop type: Local
Address: 0x2734530
Next-hop reference count: 5
Next hop:
Interface: vlan.0
State: <Active NoReadvrt Int>
Age: 6w1d 4:07:21
Task: IF
AS path: I
224.0.0.5/32 (1 entry, 1 announced)
*OSPF Preference: 10
Next hop type: MultiRecv
Address: 0x2735568
Next-hop reference count: 2
State: <Active NoReadvrt Int>
Age: 6w1d 4:07:28 Metric: 1
Task: OSPF I/O./var/run/ppmd_control
Announcement bits (1): 0-KRT
AS path: I​

So, in so far as I can tell, this should be working but no traffic is able to pass between vlans. If someone can help me out with where I'm going wrong I'll really appreciate it as this is blocking me reworking and extending my setup

Regards
D

 

[MichaelCG]

First...Why are you "assigning" and using 169.254.x.x IP space? That is generally not a range you actually assign and use in this manner.

Second...On your clients, do you see ARP entries for their default gateways? This will establish if you have a Layer3 connection to your router.
YES - This is a routing or firewall issue
NO - This is a Layer2/Layer3 switch configuration issue

Third...What is 192.168.1.254? That looks like the default route of the switch. Is there a simpler route command you can use? It has been 10+ years since I have worked on anything Juniper...but in the Cisco world it would have been as simple as "show ip route" to get the basic routing tables. Don't need the details.

 

[masterbuilder]

First...Why are you "assigning" and using 169.254.x.x IP space? That is generally not a range you actually assign and use in this manner.

Yes, I used it simply to test to concept but don't intend to use it in the future. But seeing as I hit this issue I didn't want to start changing stuff willy nilly that wasn't tackling the core issue.

Second...On your clients, do you see ARP entries for their default gateways? This will establish if you have a Layer3 connection to your router.
YES - This is a routing or firewall issue
NO - This is a Layer2/Layer3 switch configuration issue

The default gateway for the clients is the RVI L3 address for the vlan they're on and they can ping it. It's routing to anything on the other vlan which fails, from either vlan. Most clients are on the 192.168.1.0 network which keeps the network useable and the internet reachable via 192.168.1.254 (vodafone connect). I realised after posting that I should have pointed that out...sorry

Here's another view of the routing table:

root@core-sw> show route

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 6w2d 01:44:28
> to 192.168.1.254 via vlan.0
169.254.0.0/16 *[Direct/0] 22:11:04
> via vlan.100
169.254.100.1/32 *[Local/0] 6w2d 01:44:34
Local via vlan.100
192.168.1.0/24 *[Direct/0] 6w2d 01:44:28
> via vlan.0
192.168.1.1/32 *[Local/0] 6w2d 01:44:34
Local via vlan.0
224.0.0.5/32 *[OSPF/10] 6w2d 01:44:41, metric 1
MultiRecv​

Thanks for taking a look at this


Regards,
D

 

[MichaelCG]

Disclaimer...I am not a network guy these days and haven't touched network gear in years.....

I don't know the features of that switch, but is there a command related to actually enabling Routing/L3Forwarding? Or what about a FW or ACL feature set? The fact that you have ARP on both sides means your L2 paths are good all around.

 

[MichaelCG]

No idea what version of the chassis and OS you are using.

https://www.juniper.net/documentation/en_US/junos/topics/example/RVIs-qfx-series-example1.html

Looking at this, did you create the IRB to actually enable routing?

 

[masterbuilder]

No idea what version of the chassis and OS you are using.

https://www.juniper.net/documentation/en_US/junos/topics/example/RVIs-qfx-series-example1.html

Looking at this, did you create the IRB to actually enable routing?

Switch is an EX-4200 and loaded software is:

root@core-sw> show version
fpc0:
--------------------------------------------------------------------------
Hostname: core-sw
Model: ex4200-48p
JUNOS Base OS boot [11.4R1.6]
JUNOS Base OS Software Suite [11.4R1.6]
JUNOS Kernel Software Suite [11.4R1.6]
JUNOS Crypto Software Suite [11.4R1.6]
JUNOS Online Documentation [11.4R1.6]
JUNOS Enterprise Software Suite [11.4R1.6]
JUNOS Packet Forwarding Engine Enterprise Software Suite [11.4R1.6]
JUNOS Routing Software Suite [11.4R1.6]
JUNOS Web Management [11.4R1.6]​

Regarding logical interface I created an RVI layer 3 interface for each vlan:

root@core-sw> show interfaces vlan.0
Logical interface vlan.0 (Index 65) (SNMP ifIndex 545)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 502958725
Output packets: 2346356
Protocol inet
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 192.168.1/24, Local: 192.168.1.1, Broadcast: 192.168.1.255

root@core-sw> show interfaces vlan.100
Logical interface vlan.100 (Index 66) (SNMP ifIndex 590)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 208344
Output packets: 60261
Protocol inet
Flags: Primary, Is-Primary
Addresses, Flags: Is-Default Is-Preferred Is-Primary
Destination: 169.254/16, Local: 169.254.100.1,
Broadcast: 169.254.255.255​

I do see that the "Is-Default" flag is set for vlan.100 but not for vlan.0. I'll check that out the implications of that...

Regards,
D

 

[Samir]

I'm not familiar with the Juniper products, but is there a way to enable/disable vlan inter-routing? This is what I have to enable on other routers in order for vlans to talk to each other. Otherwise, they will only see their gateway and other traffic in their vlan.

 

[coxhaus]

I have not worked with Juniper layer 3 switches but you need to isolate your testing to within your switch. If you have VLANs defined and gateways setup correctly you should be able to ping other clients in other VLANs.