I will be assisting a client with a VLAN configuration. Outside of creating the VLAN ports and assigning them to the roles, is there anything else I need to consider? The trunk connects to an EX-3200 switch and the VLANs are already built out. Since my customer already has his internal port configured with an IP from one of the VLANs, should we move it to the Management VLAN, or does the internal IP need to be in the native VLAN? I went through the documentation and posts from the forum but it's still a little unclear. Any feedback is welcome.
Sounds pretty good...
The only thing to keep in mind is that services like SNMP, Time, Syslog, SFTP (Archiving) use the internal untagged port by default. You cannot select a VLAN interface for this traffic. This is by default. I already tried once by requesting a "feature request" @ Juniper to change this, but my request didn't stand a chance. Buy a bigger box with a management interface... (SA6500 series)
All other services like authentication / authorisation servers can use a destination in another VLAN by creating a route in the internal routing table and using the gateway in the appropriate VLAN (select VLAN interface).
The project went smoothly and the VLAN tagging was applied without issue. However, the client threw me a curveball when he requested we set up two AD authentication servers. Typically this wouldn't be a problem, but the DC sits in its own domain and VLAN. DC1 (Internal Port - Native VLAN) works without a problem. However, DC2 authentication packets are sent untagged via the internal interface. I was hoping that since there was a VLAN interface configured with a connected route it would tag the auth frames. So I guess the SA can only tag using Roles?
Do I have any options?
No, not just with roles.
It should work with just a route in the routing table of the internal interface towards the VLAN in which the DC2 server is. Auth servers are addressed from within the internal (untagged) VLAN. So add a route in the internal interface routing table:
<destination net DC2> <mask> <gateway in VLAN for DC2> <Interface VLAN DC2>
We use this for example with our shared MSP RSA/ACE server in our shared services network while the customer uses their own AD for authorisation. We create a route in the internal interface's routing table towards the gateway of our MSP network using the VLAN interface that is routed on the MSP network.
The background on this behaviour is that Juniper added some of their already existing Instant Virtual Systems (IVS) license features to the IVE OS.
In IVS there is a so-called root IVS. This root IVS is associated with the internal (untagged) interface. All customers are put in their own IVS (and thus VLAN).
So, when adding authentication servers that have IP addresses in a different VLAN than the internal interface, you have to specify a route that can actually leave the root IVS (where you have defined the auth servers) to another IVS. That's what you're doing when adding a route in the internal routing table towards a VLAN.
We have some IVS boxes, so when Juniper added the VLAN tagging option, I noticed that they actually implemented a sort of stripped IVS feature...
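The answer above hinges on a detail that is easy to miss: the auth request is looked up in the internal (root IVS) interface's own routing table, and the VLAN interface's connected route lives in a different table that is never consulted for it. The following is an added example, not Juniper code and not from any poster in this thread, that models those per-interface tables with a plain longest-prefix lookup and shows the egress interface and 802.1Q tag for DC1 and DC2 before and after the suggested route is added. All addresses, interface names ("internal", "vlan20") and the VLAN ID 20 are constructed assumptions for the example.

```python
"""Added example (not Juniper code): toy model of the per-interface routing
tables described in the thread, showing why an auth request to a server in a
tagged VLAN leaves the internal port untagged until a route is added to the
internal interface's own table.

Everything below is an assumption constructed for the example:
  internal interface  10.0.0.10/24   untagged (native VLAN), gateway 10.0.0.1
  VLAN 20 interface   10.0.20.10/24  tagged 802.1Q VID 20,   gateway 10.0.20.1
  DC1 = 10.0.0.50 (native VLAN), DC2 = 10.0.20.50 (VLAN 20)
"""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected
    interface: str
    vlan_tag: Optional[int]                   # None = untagged / native VLAN


def route(prefix: str, gateway: Optional[str], interface: str,
          vlan_tag: Optional[int]) -> Route:
    return Route(
        ipaddress.ip_network(prefix),
        ipaddress.ip_address(gateway) if gateway else None,
        interface,
        vlan_tag,
    )


# Routing table of the internal (untagged) interface, i.e. the root IVS table.
# Auth servers are always addressed from here, whatever VLAN they sit in.
INTERNAL_TABLE_BEFORE = [
    route("10.0.0.0/24", None, "internal", None),
    route("0.0.0.0/0", "10.0.0.1", "internal", None),
]

# The VLAN 20 interface has its own connected route, but that table is never
# consulted for auth traffic, which is why it did not help in the thread.
VLAN20_TABLE = [
    route("10.0.20.0/24", None, "vlan20", 20),
]

# The route the answer tells you to add to the internal interface's table:
#   <destination net DC2> <mask> <gateway in VLAN for DC2> <Interface VLAN DC2>
DC2_ROUTE = route("10.0.20.0/24", "10.0.20.1", "vlan20", 20)
INTERNAL_TABLE_AFTER = INTERNAL_TABLE_BEFORE + [DC2_ROUTE]


def lookup(table: list[Route], dst: str) -> Route:
    """Longest-prefix match within ONE table; tables never fall through to
    each other (each IVS / VLAN keeps its own)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def egress(table: list[Route], dst: str) -> tuple[str, Optional[int]]:
    """Egress interface and the 802.1Q VID the frame carries (None = untagged)."""
    r = lookup(table, dst)
    return r.interface, r.vlan_tag


def dot1q_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """The 4-byte 802.1Q header tcpdump -e shows as 'vlan <vid>':
    TPID 0x8100 followed by the TCI (PCP 3 bits, DEI 1 bit, VID 12 bits)."""
    if not 0 <= vid <= 4094:
        raise ValueError("VID must be 0..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return struct.pack("!HH", 0x8100, tci)


if __name__ == "__main__":
    for name, table in (("before", INTERNAL_TABLE_BEFORE),
                        ("after", INTERNAL_TABLE_AFTER)):
        for dc in ("10.0.0.50", "10.0.20.50"):
            iface, vid = egress(table, dc)
            tag = dot1q_tag(vid).hex() if vid is not None else "untagged"
            print(f"{name:6} {dc:12} -> {iface:8} {tag}")
```

Before the route is added, DC2 (10.0.20.50) only matches the default route in the internal table and leaves untagged on the internal port, exactly the symptom reported; after it, the same lookup returns the vlan20 interface and the frame carries the tag 81 00 00 14. To confirm on the real trunk, a capture on a SPAN/mirror of the trunk port with `tcpdump -e -nn vlan and host <DC2 address>` prints `vlan 20` in the link-level header of tagged frames, and shows nothing if they are still leaving untagged.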
Excellent, thank you for the explanation. I will be giving this a shot tonight. Once I see the proper tagging, I will need to help my client with AD as well! We tried adding a second domain controller via inter VLAN routing and it still failed. I'm no AD expert so wish me luck )