Vlan in Vlan

We have an EX4500 switch that we are using for routing, and there are 10 EX4200 switches connected to the EX4500.
We have a VLAN topology like this:
Switch 1, port 1: VLAN is 1101
Switch 5, port 12: VLAN is 1512
But we have one main problem at the moment. Some customers have requested to use the same IP subnet on multiple servers; for example, 192.168.1.33/27 should be usable on both 1101 and 1512.

We tried Q-in-Q VLAN, but our trunks have been created as:

    }
    xe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ SPD-R-201 SPD-R-212 SPD-R-211 SPD-R-228 KURUMSAL SPD-R-206 SPD-R-205 SPD-R-230 SPD-R-226 SPD-R-209 SPD-R-test SPD-R-test2 ];
                }
                native-vlan-id default;
            }
        }
    }


And it does not allow me to add a VLAN that has dot1q-tunneling enabled; I cannot add the merkez VLAN to the interface trunk. Is there any way to resolve this issue?

vlans {
    KURUMSAL {
        vlan-id 100;
        l3-interface vlan.100;
    }
    ISP {
        vlan-id 51;
        interface {
            ae0.0;
        }
        l3-interface vlan.0;
    }
    SPD-R-101 {
        vlan-id 101;
        l3-interface vlan.101;
    }
    SPD-R-103 {
        vlan-id 103;
        l3-interface vlan.103;
    }
    SPD-R-104 {
        vlan-id 104;
        l3-interface vlan.104;
    }
    SPD-R-108 {
        vlan-id 108;
        l3-interface vlan.108;
    }
    SPD-R-109 {
        vlan-id 109;
        l3-interface vlan.109;
    }
    SPD-R-113 {
        vlan-id 113;
        l3-interface vlan.113;
    }
    SPD-R-114 {
        vlan-id 114;
        l3-interface vlan.114;
    }
    SPD-R-115 {
        vlan-id 115;
        l3-interface vlan.115;
    }
    SPD-R-117 {
        vlan-id 117;
        l3-interface vlan.117;
    }
    SPD-R-118 {
        vlan-id 118;
        l3-interface vlan.118;
    }
    SPD-R-123 {
        vlan-id 123;
        l3-interface vlan.123;
    }
    SPD-R-124 {
        vlan-id 124;
        l3-interface vlan.124;
    }
    SPD-R-125 {
        vlan-id 125;
        l3-interface vlan.125;
    }
    SPD-R-126 {
        vlan-id 126;
        l3-interface vlan.126;
    }
    SPD-R-129 {
        vlan-id 129;
        l3-interface vlan.129;
    }
    SPD-R-130 {
        vlan-id 130;
        l3-interface vlan.130;
    }
    SPD-R-131 {
        vlan-id 131;
        l3-interface vlan.131;
    }
    SPD-R-132 {
        vlan-id 132;
        l3-interface vlan.132;
    }
    SPD-R-133 {
        vlan-id 133;
        l3-interface vlan.133;
    }
    SPD-R-139 {
        vlan-id 139;
        l3-interface vlan.139;
    }
    SPD-R-201 {
        vlan-id 201;
        l3-interface vlan.201;
    }
    SPD-R-205 {
        vlan-id 205;
        l3-interface vlan.205;
    }
    SPD-R-206 {
        vlan-id 206;
        l3-interface vlan.206;
    }
    SPD-R-209 {
        vlan-id 209;
        l3-interface vlan.209;
    }
    SPD-R-211 {
        vlan-id 211;
        l3-interface vlan.211;
    }
    SPD-R-212 {
        vlan-id 212;
        l3-interface vlan.212;
    }
    SPD-R-226 {
        vlan-id 226;
        l3-interface vlan.226;
    }
    SPD-R-228 {
        vlan-id 228;
        l3-interface vlan.228;
    }
    SPD-R-230 {
        vlan-id 230;
        l3-interface vlan.230;
    }
    SPD-R-test {
        vlan-id 500;
        l3-interface vlan.500;
    }
    SPD-R-test2 {
        vlan-id 501;
        l3-interface vlan.501;
    }
    SPD-T-005 {
        vlan-id 305;
        l3-interface vlan.305;
    }
    SPD-T-006 {
        vlan-id 306;
        l3-interface vlan.306;
    }
    SPD-T-015 {
        vlan-id 315;
        l3-interface vlan.315;
    }
    SPD-T-030 {
        vlan-id 330;
        l3-interface vlan.330;
    }
    SPD-T-034 {
        vlan-id 334;
        l3-interface vlan.334;
    }
    SPD-T-046 {
        vlan-id 346;
        l3-interface vlan.346;
    }
    SPD-T-047 {
        vlan-id 347;
        l3-interface vlan.347;
    }
    SPD-T-048 {
        vlan-id 348;
        l3-interface vlan.348;
    }
    SPD-T-049 {
        vlan-id 349;
        l3-interface vlan.349;
    }
    SPD-T-054 {
        vlan-id 354;
        l3-interface vlan.354;
    }
    SPD-T-056 {
        vlan-id 356;
        l3-interface vlan.356;
    }
    SPD-T-058 {
        vlan-id 358;
        l3-interface vlan.358;
    }
    SPD-T-059 {
        vlan-id 359;
        l3-interface vlan.359;
    }
    SPD-T-060 {
        vlan-id 360;
        l3-interface vlan.360;
    }
    SPD-T-061 {
        vlan-id 361;
        l3-interface vlan.361;
    }
    SPD-T-062 {
        vlan-id 362;
        l3-interface vlan.362;
    }
    SPD-T-063 {
        vlan-id 363;
        l3-interface vlan.363;
    }
    SPD-T-064 {
        vlan-id 364;
        l3-interface vlan.364;
    }
    SPD-T-065 {
        vlan-id 365;
        l3-interface vlan.365;
    }
    SPD-T-068 {
        vlan-id 368;
        l3-interface vlan.368;
    }
    SPD-T-070 {
        vlan-id 370;
        l3-interface vlan.370;
    }
    SPD-T-317 {
        vlan-id 317;
        l3-interface vlan.317;
    }
    SPD-T-331 {
        vlan-id 331;
        l3-interface vlan.331;
    }
    SPD-T-333 {
        vlan-id 333;
        l3-interface vlan.333;
    }
    SPD-T-344 {
        vlan-id 344;
        l3-interface vlan.344;
    }
    SPD-T073 {
        vlan-id 373;
        l3-interface vlan.373;
    }
    T045 {
        vlan-id 345;
        l3-interface vlan.345;
    }
    default {
        l3-interface vlan.1;
    }
    merkez{
        vlan-id 502;
        l3-interface vlan.502;
        dot1q-tunneling {
            customer-vlans 500-501;
        }
    }
}

FireBallITAsked:
StolsieCommented:
Are you trying to describe inter-VLAN routing?
Are you saying that if people are on VLAN 1512, they want to access servers on VLAN 1101?
FireBallITAuthor Commented:
No, I want to allow people from 1512 to use the subnet IP addresses on VLAN 1001.
StolsieCommented:
So you want them to have two IP addresses?
FireBallITAuthor Commented:
For example, the 192.168.1.1/27 subnet has been added to VLAN 1512, but I want to allow VLAN 1001 to use the same subnet as added to 1001.
giltjrCommented:
Are you using VLANs over another network that you do NOT control that is also using VLAN tagging?

If all VLANs are within your network and your control, you don't have to do Q-in-Q tunneling.

The only time you should need to do Q-in-Q tunneling is when your VLAN traffic is flowing over somebody else's network that is also doing VLAN tagging.
FireBallITAuthor Commented:
All VLANs are in our network, but we do not want to change configs on the edge switches.
giltjrCommented:
??? That makes no sense to me.  If all VLANs are within your network, then your edge switches need to know about them.  If they need to know about them, then their configuration needs to change.
giltjrCommented:
Do you get an error when you try and add merkez? If so what message do you get?
FireBallITAuthor Commented:
vlan
This is our network topology for the decided config.
Port 27 has access to VLAN 1027, and port 25 has access to VLAN 1025.

For efficient use of IPv4 resources, we do not want to give too many resources to customers, so we want to add

address 192.168.1.1/27 ;

to both VLANs.

I think Q-in-Q is not a logical way to do this, because all VLANs have been built on the EX4500. What should we do to allow both ports to use the same address subnet on the EX4500?
giltjrCommented:
How do the customers access these hosts?  A VPN tunnel from their location using the 192.168.1.1/27 addresses, or a NAT from the Internet?
FireBallITAuthor Commented:
We are a member of RIPE (ICANN), so these IP addresses are assigned to servers directly.
http://bgp.he.net/AS57844#_asinfo
FireBallITAuthor Commented:
We ordered an MX480 router, but for now we are handling BGP on the EX4500.
giltjrCommented:
--> we are a member of ripe (icann) so these ip addresses assigned to servers directly

The 192.168.0.0/16 network is a private IP address range and can't be routed to over the Internet.  IP addresses within that range can only be used on a private network.  If they need to be accessed over the Internet, then you either have to set up a VPN connection or do NAT.

So, when the customers need to access the hosts using the 192.168.1.1/27 addresses, are they accessing a public IP address that NATs to these, or do they have a VPN tunnel to you?
FireBallITAuthor Commented:
I gave it as an example, giltjr. We are working on

185.9.158.1/27

Both of these VLANs need to assign IP addresses from the same subnet to servers.
giltjrCommented:
All I needed to know was that you NAT.

So you want to NAT:

PUBAddress#1 to 192.168.1.1 on VLAN 500

PUBAddress#2 to 192.168.1.1 on VLAN 501

Is that right?
FireBallITAuthor Commented:
No, actually there is no NAT.
185.9.158.0/24 is routed to our ISP on the EX4500, and we have split it into subnets on the EX4500 again.

VLAN 500 and VLAN 501 are where the same customer's servers are connected, and they want to use the same subnet on both servers.
We do not want to change the config on the edge switches, so how should I allow usage of 185.9.157.1/27 on both VLANs?
giltjrCommented:
Ah, the 192.168.1.1/27 was just an example.  However, I'm still a bit confused.

A VLAN is not a server.  If "customer#1" needs servers to be on the same subnet, they SHOULD be on the same VLAN.  If there are two hosts that are on the same subnet and they need to talk to each other, then they MUST be on the same VLAN.

A single VLAN can have multiple subnets, but normally a subnet is only on a single VLAN.

My question is: why are these hosts on different VLANs?

I'm trying to understand the customer's requirements to see if there is some flaw in what they are asking.
FireBallITAuthor Commented:
Different VLANs have to be on the same subnet.
giltjrCommented:
Why?

One problem you will have is that the hosts on VLAN 500 will NOT be able to talk to the hosts on VLAN 501.

I also think there will be a problem with hosts on other VLANs attempting to communicate with hosts on these two VLANs.

You will especially run into a problem if you have hosts with the same IP address on both VLANs.
FireBallITAuthor Commented:
Because IPv4 resources have been running out, and we have 10k public IP addresses and 1k+ servers, so we need to use IPv4 efficiently.
We have assigned a /27 to a single customer who has 5 servers, and we want to let them use this /27 on their VLANs, and we do not want to change the edge switches' configs.

It is easy to allow their servers to access the same VLAN, but this is not what we are looking for.
giltjrCommented:
Is there a valid reason for them having multiple VLANs?  For what you are attempting to do, there is no way to have the same subnet on multiple VLANs without causing possible problems.

If they really, really need VLANs, there are only two ways to do this.

The right way.  Take their current /27 and make it a /28.

The wrong way, but it may work.
Configure their switch ports as trunks and put 500 and 501 on them.  Then they would need to configure their servers to support tagged frames.  They just need to remember to keep track of what IP addresses they use on which VLAN, and they need to know that a host on VLAN 500 will NEVER, EVER be able to communicate with a host on VLAN 501.
FireBallITAuthor Commented:
185.9.157.2 is the db server
185.9.157.3 is the web server
....
etc. Cisco has exvlan, Brocade has ipaccess rules, but Juniper has no solution for this, and if we create different subnets we lose too many IP addresses for gw / subnet / broadcasts, etc.
FireBallITAuthor Commented:
Let's say we have split 10k IP addresses into /27s: that loses 120 global IP addresses. If I create a /28 for each VLAN, that loses 240 global IP addresses.
giltjrCommented:
I understand that you will lose IP addresses.

Again, why does the customer want/require two unique VLANs?
FireBallITAuthor Commented:
Actually, that is our system, not the customer's request. VLAN numbers are written as some combination of port / switch / router port, so we do not want to change the edge configuration.
pergrCommented:
I am really confused about the discussion you are having above, but I will add my 2c to the original question.

First of all, I see no reason to use q-in-q tunneling.

Secondly, the easy solution is just to configure the link between EX4500 and EX4200 as a trunk, and include the VLANs you need. In this case 500 and 501, and then you make the server port an access port in 501, where you have its IP subnet and default gateway on the core switch.

Another option, which means you do not make any changes to trunks and VLANs, and still put the server and its IP "in the wrong VLAN" is to use Proxy ARP on the EX4500.

With proxy ARP, when the server is looking for its default gateway "in the wrong VLAN" the EX4500 will still respond, and give the server connectivity.

http://www.juniper.net/techpubs/en_US/junos13.2/topics/concept/port-security-ex-series-proxy-arp-understanding.html
askincakirCommented:
Hi Cahit,

On Juniper you need to create a policy for this. You apply this policy to the port that needs to talk to both VLANs.
In the policy, catch the packets with "match destination" and, for the relevant VLAN 1101, do "then set vlan 1101".
Apart from this, it looks like you have no other option. Q-in-Q is not suitable for this job.
There was an example on Juniper's site, but I couldn't look it up right now. This topic also came up somewhere related to policy statements.

Good luck,
FireBallITAuthor Commented:
1. Yes, Q-in-Q is the wrong selection.
2. There is no problem with giving the 500 port access to VLAN 501, but this is not what we asked.
3. Proxy ARP is a solution which is for static usage. It should be a way, but it is still not a perfect solution.
pergrCommented:
Proxy ARP is not "static", it is fully dynamic.
No need to configure specific MAC or IP, etc. Just put it on all IRB interfaces that will have "wrong IP hosts".

http://www.juniper.net/techpubs/en_US/junos13.2/topics/example/port-security-proxy-arp-ex-series.html
FireBallITAuthor Commented:
Aşkın, I don't know of a method exactly like the one you describe, but
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16755
there is something like this, and it doesn't do the job either :(

Dear pergr, could you send a sample config, please? I could not find a sample to apply on VLANs.
pergrCommented:
It should be something like:

set interfaces vlan unit 500 proxy-arp restricted

And you might as well do that for all your vlan L3 interfaces on the EX4500.

http://www.juniper.net/documentation/en_US/junos13.2/topics/task/configuration/port-security-proxy-arp-cli-qfx-series.html
FireBallITAuthor Commented:
res
It did not work, and also this is not secure.
pergrCommented:
Why do you not have any IP address configured in vlan.501?

Also, it would make sense to check mac table (and ARP table) for VLAN  501, to make sure the server is actually learned in it between EX4500 and EX4200.

Obviously there is a security issue with using IP addresses in the wrong VLAN - but that is what you want to achieve...
FireBallITAuthor Commented:
We just want to allow these 2 VLANs to use the same subnet, no more and no less :)
pergrCommented:
Also, looking at your picture, it appears you have VLAN 500 on the switch with the server - and the IP address comes from the subnet that is normally in VLAN 501. That would mean you configure proxy arp in vlan.500.
FireBallITAuthor Commented:
still the same
pergrCommented:
Actually, you should probably change "restricted" to "unrestricted".
I do not have the full insight in your actual VLAN and IP addressing.
FireBallITAuthor Commented:
Actually, I have tried 4 possible combinations and it did not work :)
pergrCommented:
> show ethernet-switching table vlan 500
> show ethernet-switching table vlan 501

To make sure you are learning the MAC on the EX4500.
pergrCommented:
And why not:

> show arp interface vlan.500
> show arp interface vlan.501
askincakirCommented:
Hi Cihat,

I'm very sorry. I remembered it wrong. It's not a policy statement; you do this in the firewall.
You would customize the port and IP details for yourself. Let's assume there is a host with IP address 192.168.1.1 on ge-0/0/0. From that port, we make it communicate with 192.168.1.2, which is in VLAN 200. And let's say we are trying to make it communicate with 192.168.1.3, which is in VLAN 300.


set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-1 from destination-address 192.168.1.2/32
set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-1 then vlan VLAN200
set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-2 from destination-address 192.168.1.3/32
set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-2 then vlan VLAN300
set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-LAST then accept


set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input VLAN-ASSIGN

In the end, when you run "run show ethernet-switching table", you should see the MAC address of your 192.168.1.1 device in both VLAN 200 and VLAN 300.
FireBallITAuthor Commented:
root@gate.spdnet.net> show arp interface vlan.500
MAC Address       Address         Name                      Interface           Flags
00:26:b9:75:ac:cf 37.123.100.236  37.123.100.236            vlan.500            none

{master:0}
root@gate.spdnet.net> show arp interface vlan.501

{master:0}
root@gate.spdnet.net> show ethernet-switching table vlan 500
Ethernet-switching table: 1 unicast entries
  VLAN              MAC address       Type         Age Interfaces
  SPD-R-test        *                 Flood          - All-members
  SPD-R-test        00:26:b9:75:ac:cf Learn          0 xe-0/0/4.0
  SPD-R-test        78:19:f7:99:95:c1 Static         - Router

{master:0}
root@gate.spdnet.net> show ethernet-switching table vlan 501
Ethernet-switching table: 1 unicast entries
  VLAN              MAC address       Type         Age Interfaces
  SPD-R-test2       *                 Flood          - All-members
  SPD-R-test2       78:19:f7:99:95:c1 Static         - Router
  SPD-R-test2       b8:ac:6f:8c:0c:3f Learn          0 xe-0/0/4.0

{master:0}
root@gate.spdnet.net>


Aşkın, this time we would have to create a firewall filter for every IP address in use, one by one, like static routes. We run a public datacenter, and inside it is like a playground / battlefield :) For that reason we are afraid of stepping outside automation as far as possible; in fact, all the effort above is for that. Before Law 5651, we used to just add static routes one by one and move on, and we used /20 subnets; now the place is full of /28s and /29s, solely for the purpose of centralized tracking.
askincakirCommented:
Yes, you are right, unfortunately.
pergrCommented:
I am really confused about what VLAN goes where...

From your picture, it appears that 500 is the only VLAN to the EX4200.
It would mean the IP in question goes normally in 501, but it is now connected to 500.
That would mean the default gateway is configured in vlan.501, but according to your output vlan.501 has no IP configured on it.

Could you clarify the IP/VLAN/SERVER/GW/SUBNET... how it is connected and configured?
pergrCommented:
(Just to point it out, my design advice would, of course, be to configure the VLAN across switches, to the right port. But I understand you do not want to do that.)
FireBallITAuthor Commented:
Dear pergr ;

------ ISP  ------- EX4500 ------- TRUNK for vlan 500 - 501 ---------  EX4200   ----- Access for vlan 500 on one port and access for vlan 501 on one other port.

root@gate.spdnet.net# show interfaces vlan unit 500
proxy-arp restricted;
family inet {
    address 37.123.100.225/27;
}

{master:0}[edit]
root@gate.spdnet.net# show interfaces vlan unit 501
proxy-arp restricted;
family inet;

{master:0}[edit]
root@gate.spdnet.net# show vlans SPD-R-test
vlan-id 500;
l3-interface vlan.500;

{master:0}[edit]
root@gate.spdnet.net# show vlans SPD-R-test2
vlan-id 501;
l3-interface vlan.501;

{master:0}[edit]
root@gate.spdnet.net# show interfaces xe-0/0/4
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members [ SPD-R-201 SPD-R-212 SPD-R-211 SPD-R-228 KURUMSAL SPD-R-206 SPD-R-205 SPD-R-230 SPD-R-226 SPD-R-209 SPD-R-test SPD-R-test2 ];
        }
        native-vlan-id default;
    }
}


I do not understand why it is about my configs. We just need to use the same subnet on 2 different VLANs. It is an easy question, but I do not know if there is an answer; that is all.
pergrCommented:
(Or even better, set up the 10xEX4200 switches in a Virtual Chassis, so that you will have all VLANs available in all EX4200s. Then you create a LAG/LACP/trunk with 8 or 10 XE ports to the EX4500, with all VLANs on it.)
pergrCommented:
What is the IP address of the server?
What default gateway is it configured with?
What VLAN is it connected to?
What is its MAC address?

Can you see the server's MAC address in the MAC table of the EX4200?
Can you see the server's MAC address in the MAC table of the EX4500?
FireBallITAuthor Commented:
s
Before applying this to the real system, we created this lab for tests.

EX4200 side:
root@3B1.spdnet.net> show ethernet-switching table interface ge-0/0/25
Ethernet-switching table: 1 unicast entries
  VLAN              MAC address       Type         Age Interfaces
  SPD-R-test        *                 Flood          - All-members
  SPD-R-test        00:26:b9:75:ac:cf Learn          0 ge-0/0/25.0

{master:0}
root@3B1.spdnet.net> show ethernet-switching table interface ge-0/0/27
Ethernet-switching table: 1 unicast entries
  VLAN              MAC address       Type         Age Interfaces
  SPD-R-test2       *                 Flood          - All-members
  SPD-R-test2       b8:ac:6f:8c:0c:3f Learn          0 ge-0/0/27.0

{master:0}
root@3B1.spdnet.net> configure
Entering configuration mode

{master:0}[edit]
root@3B1.spdnet.net# show interfaces ge-0/0/25
unit 0 {
    family ethernet-switching {
        port-mode access;
        vlan {
            members SPD-R-test;
        }
    }
}

{master:0}[edit]
root@3B1.spdnet.net# show interfaces ge-0/0/27
unit 0 {
    family ethernet-switching {
        port-mode access;
        vlan {
            members SPD-R-test2;
        }
    }
}

{master:0}[edit]
root@3B1.spdnet.net# show interfaces xe-0/1/0
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members [ KriwebBGP SPD-R-201 SPD-R-212 SPD-R-211 SPD-R-228 KURUMSAL SPD-R-206 SPD-R-205 SPD-R-342 SPD-R-230 SPD-R-226 SPD-R-209 SPD-R-test SPD-R-test2 ];
        }
        native-vlan-id default;
    }
}

{master:0}[edit]

askincakirCommented:
Hi,

If we also add a source address, could we solve your static issue?


set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-1 from destination-address 192.168.1.2/32
set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-1 from source-address 192.168.1.1/32
set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-1 then vlan VLAN200
set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-2 from destination-address 192.168.1.3/32
set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-2 from source-address 192.168.1.1/32
set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-2 then vlan VLAN300
set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-LAST then accept


set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input VLAN-ASSIGN
FireBallITAuthor Commented:
It seems to me we could solve it if we route it as a /27 from the interface to the other VLAN,

adding the IP subnet to VLAN 500 and without adding an address on VLAN 501.

set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-1 from source-address 185.9.157.1/27
set firewall family ethernet-switching filter VLAN-ASSIGN term RULE-1 then vlan VLAN501

I'm looking at whether something like this would work, but it feels like there is a nagging missing piece :)
pergrCommented:
OK, to summarize:

VLAN 500 "test"
0/25
MAC ac:cf
IP 100.236
vlan.500 with 100.225/27

VLAN 501 "test2"
0/27
MAC 0c:3f
IP 100.235
vlan.501 without IP

So, the only place you would need to configure proxy arp is on vlan.501, and it should be "unrestricted".

Next, the server would, of course, need to make an ARP request in order for it to work...

If it does not work, it is not a configuration issue, but a bug... so open a case.
pergrCommented:
Possibly try to configure any other IP/subnet on vlan.501 (could even be a private range), just in case it needs some IP to do ARP at all.
FireBallITAuthor Commented:
pergrCommented:
You are trying to ping from your PC to 100.235.
When the packet reaches the EX4500 it will make an ARP request for 100.235 out of vlan.500, since that is where the network 100.224/27 is connected.
Obviously the server in VLAN 501 will not respond to that ARP request.

Instead the ARP request will have to come from the server (for its gateway 100.225), and with that the EX4500 should proxy arp and answer the request.

Can you try to ping from the server instead? Or do you not have access to it?
Once the EX4500 has done proxy arp, it should work also the other way.
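
The condition pergr describes above (a host whose IP belongs to a subnet connected on a different VLAN's L3 interface, so the gateway ARPs for it in the wrong VLAN) and giltjr's earlier warning about the same IP appearing in two VLANs can both be checked mechanically. This is an added example, not code from any participant in the thread; the inventory layout and function names are assumptions, and the sample values are constructed from the lab addresses quoted in the thread (with 100.235 expanded to 37.123.100.235).

```python
import ipaddress
from collections import defaultdict

# L3 interfaces on the core switch: VLAN id -> configured addresses.
# Constructed from the thread's lab: vlan.500 has 37.123.100.225/27, vlan.501 has none.
L3_INTERFACES = {
    500: ["37.123.100.225/27"],
    501: [],
}

# Hosts as (vlan_id, mac, ip), constructed from the summary in the thread.
HOSTS = [
    (500, "00:26:b9:75:ac:cf", "37.123.100.236"),
    (501, "b8:ac:6f:8c:0c:3f", "37.123.100.235"),
]


def connected_networks(l3_interfaces):
    """Map each VLAN id to the IP networks directly connected on its L3 interface."""
    return {
        vlan: [ipaddress.ip_interface(addr).network for addr in addrs]
        for vlan, addrs in l3_interfaces.items()
    }


def audit(l3_interfaces, hosts):
    """Return a sorted list of (kind, ip, detail) findings.

    off-subnet   : the host's IP belongs to a subnet connected on a different
                   VLAN, so the router ARPs for it there and cannot reach it
                   unless the host ARPs first and proxy ARP answers.
    unrouted     : no L3 interface has a subnet covering the host's IP.
    duplicate-ip : the same IP is in use in more than one VLAN.
    """
    nets = connected_networks(l3_interfaces)
    findings = []
    seen = defaultdict(set)  # ip -> set of VLANs where it was observed

    for vlan, mac, ip_text in hosts:
        ip = ipaddress.ip_address(ip_text)
        seen[ip].add(vlan)
        if any(ip in net for net in nets.get(vlan, [])):
            continue  # IP matches the subnet of the VLAN the host sits in
        owners = sorted(v for v, ns in nets.items() if any(ip in n for n in ns))
        if owners:
            findings.append((
                "off-subnet", str(ip),
                f"{mac} is in VLAN {vlan} but the subnet is on VLAN {owners[0]}",
            ))
        else:
            findings.append((
                "unrouted", str(ip),
                f"{mac} in VLAN {vlan} has no gateway subnet",
            ))

    for ip, vlans in seen.items():
        if len(vlans) > 1:
            findings.append((
                "duplicate-ip", str(ip),
                "seen in VLANs " + ", ".join(str(v) for v in sorted(vlans)),
            ))
    return sorted(findings)


if __name__ == "__main__":
    for kind, ip, detail in audit(L3_INTERFACES, HOSTS):
        print(f"{kind:12} {ip:16} {detail}")
```
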
giltjrCommented:
--> "Actually that is our system not customer's request."

You are causing your own pain.  If the customer does not require two VLANs, then the simplest and best (possibly ONLY) solution is to put both servers on the same VLAN.  You appear to be using VLANs for a purpose that they are NOT supposed to be used for.

It does not matter which VLAN you use; pick ONE, either 500 or 501, and put all ports that the customer's servers are on in that VLAN.

Networking is complex as it is; why are you trying to make it more complex by doing something for NO valid reason?

FireBallITAuthor Commented:
Thank you for all your effort.