IGB Ports - LAN configs for VLANS
-
Hi All,
I am unsure as to how to config the IP address for the OPT 2, 3, 4 ports for use connecting to layer 2 Juniper switches.
It was advised to me by a JunOS expert to use my Netgate as a core for the VLANs and routing between the switches so I do not have to config any layer 3 at the switch level. I have 4 of them. One is already connected to the predefined LAN port on my SG firewall gateway appliance.
This LAN interface has a static IP of 10.235.17.1. So, for the other 3 igb interfaces should I assign the same static IP and the same subnet notation /24 so that they can communicate VLAN info? Will this cause a conflict once I physically connect each one to its respective Netgate port? And the pfSense machine is also functioning as my network DHCP server, so that service must apply to all interface ports now.
If not, can someone refer me to the proper setup for this type of deployment? Also, I do not know how to set up VLANs in pfSense, so I must refer to the pfSense online book I suppose.
I have never done this before, so I am just trying to procure any helpful insight. Please excuse any ignorant questions as just that, absence of knowledge, not the lack of trying or stupidity.
Thanks in advance.
-
You can't have more than one interface in the same subnet, layer 3, including VLAN interfaces.
How many subnets do you have now? One on each switch?
If so you would just connect each switch to an interface and give that interface an IP on that subnet. VLANs would usually be a separate subnet, so maybe you have numerous VLANs that exist across all 4 switches?
If that's the case then you would pass all the VLANs to pfSense and route between them there. How you do that though could vary. Perhaps the physical location of the switches would determine the wiring scheme.
Typically though you might set up a LAGG to the switch(es) and pass all the VLANs over it.
If they are stacked switches you might use MC-LAG to get true redundancy.
Steve
-
Hi Steve,
So to elaborate:
Netgate default gateway LAN interface static IP: 10.235.17.1/24
(Connected to LAN network port igb0 on the pfSense device, at switch port ge-0/0/0)
Juniper SW1: vlan { unit 0 { family inet { address 10.235.17.6/24; } } }
(Connected to SW1 via port ge-0/0/23)
Juniper SW2: vlan { unit 0 { family inet { address 10.235.17.5/24; } } }
(Connected to SW2 via port ge-0/0/23)
Juniper SW3: vlan { unit 0 { family inet { address 10.235.17.4/24; } } }
(Connected to SW3 via port ge-0/0/23)
Juniper SW4: vlan { unit 0 { family inet { address 10.235.17.3/24; } } }
(Connected to SW4 via port ge-0/0/23)
Juniper SW5: vlan { unit 0 { family inet { address 10.235.17.2/24; } } }
All switches' routing-options are set to: static route 0.0.0.0/0 next-hop 10.235.17.1 (default gateway).
All switches have a vlan config of default l3-interface vlan.0.
Netgate igb 3, 4, 5 network ports are unassigned and available for use.
I was initially working on doing all the layer 3 setup via routed VLAN interfaces (RVI) on the switches themselves, as they are interconnected by diagonal cascading patch cables so the segmented VLAN members could reside on disparate switches/broadcast domains yet still communicate.
Then I went to Junos forums to try to get some insight on best practice, and one of the experts informed me to core it either on a consolidated switch or using the available OPT ports on my firewall as 3 more LAN/VLAN interfaces and then plug each switch singularly into the ports. The remaining SW5 would just get plugged into SW4. So this is where I am currently. Even if this VLAN thing is too much for me to do solo (for clarity, I went to school for CS, not CCNA, so I am learning by real-time practice basically), I want to at least get the switches detached from each other physically and instead attach them directly to the firewall with their respective igb port, in order to increase fault tolerance/decrease points of failure.
To answer your questions as best I can: each switch has its own subnet (I think), yet all are on default vlan.0.
Much appreciated.
Alexi
-
Hmm, OK. So currently you have 5 switches daisy-chained together and all in the same subnet?
Is that just the management subnet?
So currently you don't have any VLANs configured? What VLANs do you actually need?
Steve
-
Why do you have all the switches daisy chained? Normally you'd fan out from one.
-
I think that is so.
This is how I inherited the network infrastructure when I was hired on.
I am not sure if it is the management subnet or not. I have not made any discrete subnets for data, control, or management.
The config with subnets is how it was set when I was hired on. The contractor IT company did all this for them. As for the VLANs, correct, there are none configured, only the default one. The ones that I want to set up are for the VoIP department (sales), one for the IT department, and one for the management department.
Also, what IP numberings do I use for the (3) OPT ports when I enable the interfaces as LAN?
Can I just use any of the IP addresses that are reserved for private networks per RFC 1918 (10/8, 172.16/12, 192.168/16), or is this something that has to be similar to my main LAN interface, 10.235.17.1? I am just unsure as to how the IP address is determined, like is it arbitrary or no? For example, the 10.xxx.xx.x, how did they decide on the second, third and fourth octets, and why did they choose the 10/8 notation? Can I just decide on whatever for the OPT 2, 3, and 4 interface assignments for the private IP address range, and they each get their own DHCP server?
-
This is how I inherited the network infrastructure when I was hired on.
The config with subnets is how it was set when I was hired on. The contractor IT company did all this for them. Just patch cables cascading from the firewall all the way down to the last switch.
This is why I am seeking insight, because I am no expert, but there is a best practice of device arrangement and deployment at layer 2 and layer 3 that is not what this SMB is utilizing, so I want to improve it for them. Okay, so I undid all the daisy-chained connections and instead consolidated the connections to the first switch. Could you tell me why this is preferred?
-
@VirtuousVigor said in IGB Ports - LAN configs for VLANS:
I want to improve it for them
Well, you can start by configuring the switches by fanning out from a common one. The only reason I can think of for daisy chaining them is to cover a significant distance. Each hop can cover 100 m. Otherwise, what happens when a switch or daisy chain cable fails? Also, with fan out, you can easily add a redundant common switch.
As for VLANs, they're easy enough to configure. Just add them and give them a number as desired. Then configure DHCP on each VLAN, with its own subnet. Then you'll have to determine where you need trunk and access ports. As discussed above, you might have a management VLAN. Hopefully that IT contractor documented the network somewhere. Otherwise, it can be real "fun" trying to figure out where what is.
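The two addressing rules raised in this thread (one subnet per pfSense interface, and one private RFC 1918 subnet with its own DHCP pool per VLAN) can be checked before anything is plugged in. The script below is an added example, not code from the thread or from pfSense; it tests the original idea of reusing 10.235.17.1/24 on every OPT port against a corrected plan. The VLAN IDs, the 10.235.18-20 subnets and the "upper half of the subnet" DHCP pool convention are assumptions.

```python
from ipaddress import IPv4Address, IPv4Network, ip_interface

# RFC 1918 private ranges, as listed in the thread
RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]

def dhcp_pool(iface):
    """Assumed convention: DHCP hands out the upper half of the subnet, leaving
    the low addresses for the gateway and the switches' static management IPs."""
    net = iface.network
    return net.network_address + net.num_addresses // 2, net.broadcast_address - 1

def check_plan(plan, static_hosts=()):
    """plan: {interface_name: 'gateway_ip/prefix'} for each pfSense interface.
    static_hosts: addresses (e.g. switch management IPs) that must sit in exactly
    one planned subnet and outside that subnet's DHCP pool. Returns problems."""
    ifaces = {name: ip_interface(cidr) for name, cidr in plan.items()}
    problems = []
    for name, iface in ifaces.items():
        if not any(iface.network.subnet_of(r) for r in RFC1918):
            problems.append(f"{name}: {iface.network} is not an RFC 1918 range")
    names = list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} and {b} share {ifaces[a].network}: "
                                "pfSense allows only one interface per subnet")
    for host in map(IPv4Address, static_hosts):
        homes = [n for n, i in ifaces.items() if host in i.network]
        if len(homes) != 1:
            problems.append(f"{host} is in {len(homes)} planned subnets, expected 1")
        else:
            lo, hi = dhcp_pool(ifaces[homes[0]])
            if lo <= host <= hi:
                problems.append(f"{host} falls inside the {homes[0]} DHCP pool")
    return problems

# Constructed from the thread: the switches' existing vlan.0 addresses, the
# original "same IP on every OPT port" idea, and a corrected one-subnet-per-VLAN plan.
SWITCH_MGMT = ["10.235.17.2", "10.235.17.3", "10.235.17.4", "10.235.17.5", "10.235.17.6"]
PROPOSED = {"LAN": "10.235.17.1/24", "OPT2": "10.235.17.1/24",
            "OPT3": "10.235.17.1/24", "OPT4": "10.235.17.1/24"}
CORRECTED = {"LAN": "10.235.17.1/24", "VOIP_vlan10": "10.235.18.1/24",
             "IT_vlan20": "10.235.19.1/24", "MGMT_vlan30": "10.235.20.1/24"}

if __name__ == "__main__":
    for label, plan in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(label, check_plan(plan, SWITCH_MGMT) or ["ok"])
```

The proposed plan fails on every interface pair and on every switch address, while the corrected plan passes with the switches' existing 10.235.17.x addresses staying outside the LAN DHCP pool.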
-
What are the switches you have there exactly? Are they stacking? Are they already stacked?
Physically I assume they are in the same rack?
Steve
-
They are Juniper ex2200 24 port GbE switches. They are all rack mounted within the same network closet.
They are not stacked as of yet. Juniper uses Virtual Chassis to stack switches, but that has not been configured yet. I am also working on that in tandem with this.