The packets that are forwarded within a bridge domain are determined
by the VLAN ID of the packets and the VLAN ID of the bridge domain.
Only the packets with VLAN IDs that match the VLAN ID configured for
a bridge domain are forwarded within the bridge domain.
When configuring bridge domains, you can specify either a single
VLAN ID or a list of specific VLAN IDs. If you specify a list of VLAN
IDs, a bridge domain is created for each VLAN ID in the list. Certain
bridge domain properties, such as the integrated routing and bridging
interface (IRB), are not configurable if bridge domains are created
in this manner (see Understanding Integrated Routing and Bridging Interfaces).
Each Layer 2 logical interface configured on the device is implicitly
assigned to a bridge domain based on the VLAN ID of the packets accepted
by the interface (see Understanding Layer 2 Interfaces). You do not need to explicitly define the logical interfaces when
configuring a bridge domain.
You can configure one or more static MAC addresses for a logical
interface in a bridge domain; this is only applicable if you specified
a single VLAN ID when creating the bridge domain.
Note:
If a static MAC address you configure for a logical interface
appears on a different logical interface, packets sent to that interface
are dropped.
You can configure the following properties that apply to all
bridge domains on the SRX services gateway:

- Disable or enable Layer 2 address learning. Layer 2 address
  learning is enabled by default. A bridge domain learns unicast media
  access control (MAC) addresses to avoid flooding packets to all interfaces
  in the bridge domain. Each bridge domain creates a source MAC entry
  in its forwarding tables for each source MAC address learned from
  packets received on interfaces that belong to the bridge domain. When
  you disable MAC learning, source MAC addresses are not dynamically
  learned, and any packets sent to these source addresses are flooded
  into a bridge domain.

- Maximum number of MAC addresses learned from all logical
  interfaces on the SRX services gateway. After the MAC address limit
  is reached, the default is for any incoming packets with a new source
  MAC address to be forwarded. You can specify that the packets be dropped
  instead. The default limit is 131,071 MAC addresses. The range that
  you can configure is 16 through 131,071.

- Timeout interval for MAC table entries. By default, the
  timeout interval for MAC table entries is 300 seconds. The minimum
  you can configure is 10 seconds and the maximum is 64,000 seconds.
  The timeout interval applies only to dynamically learned MAC addresses.
  This value does not apply to configured static MAC addresses, which
  never time out.
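The following Python model is an added illustration and is not Juniper code or Junos configuration. It encodes the forwarding rules this section and the static MAC note above describe: frames are forwarded only when their VLAN ID matches the bridge domain, learning is keyed on VLAN ID plus MAC address (qualified learning), learning can be disabled, the learned-address limit applies a forward (default) or drop action, dynamic entries age out after the timeout while static entries never do, and a frame whose source MAC is statically bound to a different logical interface is dropped. The class and method names, the interface names and the MAC addresses (RFC 7042 documentation range) are my own constructed values; treating the static MAC note as "drop frames whose source MAC is statically bound elsewhere" and leaving static entries out of the learned-address count are assumptions of the model.

```python
"""Behavioural model of one SRX-style bridge domain and its MAC table.

Added example, not Juniper code. Interface names and MAC addresses are
constructed sample values; the class and method names are assumptions.
"""
from dataclasses import dataclass, field

FLOOD = "FLOOD"
DROP = "DROP"


@dataclass
class Entry:
    interface: str
    learned_at: float          # seconds; ignored for static entries
    static: bool = False


@dataclass
class BridgeDomain:
    vlan_id: int
    mac_learning: bool = True              # Layer 2 address learning, on by default
    mac_limit: int = 131071                # page default; configurable 16..131071
    drop_when_limit_reached: bool = False  # page default is to forward
    aging_time: int = 300                  # seconds; page default, range 10..64000
    table: dict = field(default_factory=dict)  # (vlan_id, mac) -> Entry

    def add_static_mac(self, interface: str, mac: str) -> None:
        """Static MACs apply only to a bridge domain created with a single VLAN ID."""
        self.table[(self.vlan_id, mac)] = Entry(interface, 0.0, static=True)

    def expire(self, now: float) -> None:
        """Age out dynamic entries; static entries are never removed here."""
        for key, entry in list(self.table.items()):
            if not entry.static and now - entry.learned_at >= self.aging_time:
                del self.table[key]

    def dynamic_count(self) -> int:
        # Assumption: static entries do not count toward the learned-address limit.
        return sum(1 for e in self.table.values() if not e.static)

    def forward(self, vlan: int, src: str, dst: str, in_if: str, now: float) -> str:
        """Return the egress interface for one frame, or FLOOD / DROP."""
        self.expire(now)
        if vlan != self.vlan_id:
            return DROP                       # VLAN mismatch: not in this domain
        key = (vlan, src)                     # qualified learning key (VLAN, MAC)
        known = self.table.get(key)
        if known is not None and known.static and known.interface != in_if:
            return DROP                       # static MAC appearing on another interface
        if known is None:
            if self.mac_learning and self.dynamic_count() < self.mac_limit:
                self.table[key] = Entry(in_if, now)
            elif self.mac_learning and self.drop_when_limit_reached:
                return DROP                   # limit reached and drop action configured
            # otherwise the address is not learned but the frame is still forwarded
        elif not known.static:
            known.learned_at = now            # refresh the aging timer
            known.interface = in_if           # follow a MAC move
        out = self.table.get((vlan, dst))
        return FLOOD if out is None else out.interface


def demo() -> dict:
    """Walk a small bridge domain through the cases the text describes."""
    bd = BridgeDomain(vlan_id=100, mac_limit=2, drop_when_limit_reached=True)
    static_mac = "00:00:5e:00:53:aa"
    bd.add_static_mac("ge-0/0/3.0", static_mac)
    h1, h2, h3 = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    r = {}
    r["wrong_vlan"] = bd.forward(200, h1, h2, "ge-0/0/0.0", 0)         # DROP
    r["first_unknown"] = bd.forward(100, h1, h2, "ge-0/0/0.0", 1)      # FLOOD, learns h1
    r["reply"] = bd.forward(100, h2, h1, "ge-0/0/1.0", 2)              # ge-0/0/0.0
    r["limit_hit"] = bd.forward(100, h3, h1, "ge-0/0/2.0", 3)          # DROP (2 learned)
    r["to_static"] = bd.forward(100, h1, static_mac, "ge-0/0/0.0", 4)  # ge-0/0/3.0
    r["static_moved"] = bd.forward(100, static_mac, h1, "ge-0/0/1.0", 5)   # DROP
    r["after_aging"] = bd.forward(100, static_mac, h1, "ge-0/0/3.0", 400)  # FLOOD
    r["static_survives"] = (100, static_mac) in bd.table               # True
    no_learn = BridgeDomain(vlan_id=10, mac_learning=False)
    no_learn.forward(10, h1, h2, "ge-0/0/0.0", 0)
    r["no_learning"] = no_learn.forward(10, h2, h1, "ge-0/0/1.0", 1)   # FLOOD
    return r


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```

The `after_aging` case is the one worth studying: at t=400 both dynamically learned hosts have passed the 300-second timeout and are removed, so the frame floods, while the static entry is still present.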
Layer 2 Bridging Exceptions on SRX Services Gateways
The bridging functions on the SRX 3400, 3600, 5600, and 5800
services gateways are similar to the bridging features on Juniper
Networks MX-series routers. However, the following Layer 2 networking
features on MX-series routers are not supported on the SRX services
gateways:
- Layer 2 control protocols—These protocols are used
  on MX-series routers for Rapid Spanning Tree Protocol (RSTP) or Multiple
  Spanning Tree Protocol (MSTP) in customer edge interfaces of a VPLS
  routing instance.

- Virtual switch routing instance—The virtual switching
  routing instance is used on MX-series routers to group one or more
  bridge domains.

- Virtual private LAN services (VPLS) routing instance—The
  VPLS routing instance is used on MX-series routers for point-to-multipoint
  LAN implementations between a set of sites in a VPN.
In addition, the SRX services gateways do not support the following
Layer 2 features:
- Spanning Tree Protocol (STP), RSTP, or MSTP. It is the
  user’s responsibility to ensure that no flooding loops exist
  in the network topology.

- Internet Group Management Protocol (IGMP) snooping.

- Double-tagged VLANs, or IEEE 802.1Q VLAN identifiers encapsulated
  within 802.1Q packets (also called “Q in Q” VLAN tagging).
  Only untagged or single-tagged VLAN identifiers are supported on SRX
  services gateways.

- VLAN translation or VLAN mapping (for example, when VLAN
  identifiers used in private networks are translated into those used
  in a carrier network) is not supported in this release.

- Nonqualified VLAN learning, where only the MAC address
  is used for learning within the bridge domain. VLAN learning on SRX
  services gateways is qualified; that is, both the VLAN identifier
  and MAC address are used.
Layer 2 Bridging Terms
Before configuring Layer 2 bridge domains, become familiar with
the terms defined in Table 152.
Table 152: Layer 2 Bridging Terms

Access interface
    Logical Layer 2 interface configured to accept untagged packets
    and to assign a specified VLAN ID to the packets.

Bridge
    A network component defined by the IEEE that forwards frames
    from one LAN segment or VLAN to another. This bridging function can
    be contained in a router, LAN switch, or other specialized device.

Bridge domain
    A set of logical interfaces that share the same flooding or
    broadcast characteristics. As in a VLAN, a bridge domain spans one
    or more ports of multiple devices. By default, each bridge domain
    maintains its own forwarding database of MAC addresses learned from
    packets received on interfaces that belong to that bridge domain.

Forwarding Information Base (FIB)
    JUNOS software forwarding information base (also called the
    forwarding table). The JUNOS routing protocol process installs active
    routes from its routing tables into the Routing Engine forwarding
    table. The kernel copies this forwarding table into the Packet Forwarding
    Engine, which determines the interface that transmits the packets.

Integrated routing and bridging (IRB) interface
    Pseudo physical interface that contains both routing domain
    and bridge domain and facilitates simultaneous Layer 2 bridging and
    Layer 3 routing within the same bridge domain. Packets arriving on
    an interface of the bridge domain are switched or routed based on
    the destination MAC address. Packets addressed to the router’s
    MAC address are routed to other Layer 3 interfaces.

Learning domain
    A MAC address database in the bridge domain where the MAC addresses
    are added based on VLAN tags.

Trunk interface
    Logical Layer 2 interface that accepts any packets tagged with
    a VLAN ID that matches a specified list of VLAN IDs.

VLAN
    Defines a broadcast domain, a set of logical ports that share
    flooding or broadcast characteristics. VLANs span one or more ports
    on multiple devices. By default, each VLAN maintains its own Layer
    2 forwarding database containing MAC addresses learned from packets
    received on ports belonging to the VLAN.