
Bridging and VLANs

Understanding Bridging and VLANs on Switches

Network switches use Layer 2 bridging protocols to discover the topology of their LAN and to forward traffic toward destinations on the LAN. This topic explains the following concepts regarding bridging and VLANs:

Note:

For Ethernet, Fast Ethernet, Tri-Rate Ethernet copper, Gigabit Ethernet, 10-Gigabit Ethernet, and aggregated Ethernet interfaces supporting VPLS, the Junos OS supports a subset of the IEEE 802.1Q standard for channelizing an Ethernet interface into multiple logical interfaces, allowing many hosts to be connected to the same Gigabit Ethernet switch, but preventing them from being in the same routing or bridging domain.

Benefits of Using VLANs

In addition to reducing traffic and thereby speeding up the network, VLANs have the following advantages:

  • VLANs provide segmentation services traditionally provided by routers in LAN configurations, thereby reducing hardware equipment costs.

  • Packets coupled to a VLAN can be reliably identified and sorted into different domains. You can contain broadcasts within parts of the network, thereby freeing up network resources. For example, when a DHCP server is plugged into a switch and starts broadcasting its presence, you can prevent some hosts from accessing it by using VLANs to split up the network.

  • For security issues, VLANs provide granular control of the network because each VLAN is identified by a single IP subnetwork. All packets passing in and out of a VLAN are consistently tagged with the VLAN ID of that VLAN, thereby providing easy identification, because a VLAN ID on a packet cannot be altered. (For a switch that runs Junos OS that does not support ELS, we recommend that you avoid using 1 as a VLAN ID, because that ID is a default value.)

  • VLANs react quickly to host relocation—this is also due to the persistent VLAN tag on packets.

  • On an Ethernet LAN, all network nodes must be physically connected to the same network. In VLANs, the physical location of nodes is not important—you can group network devices in any way that makes sense for your organization, such as by department or business function, types of network nodes, or physical location.

History of VLANs

Ethernet LANs were originally designed for small, simple networks that primarily carried text. However, over time, the type of data carried by LANs grew to include voice, graphics, and video. This more complex data, when combined with the ever-increasing speed of transmission, eventually became too much of a load for the original Ethernet LAN design. Multiple packet collisions were significantly slowing down the larger LANs.

The IEEE 802.1D-2004 standard helped evolve Ethernet LANs to cope with the higher data and transmission requirements by defining the concept of transparent bridging (generally called simply bridging). Bridging divides a single physical LAN (now called a single broadcast domain) into two or more virtual LANs, or VLANs. Each VLAN is a collection of some of the LAN nodes grouped together to form individual broadcast domains.

When VLANs are grouped logically by function or organization, a significant percentage of data traffic stays within the VLAN. This relieves the load on the LAN because all traffic no longer has to be forwarded to all nodes on the LAN. A VLAN first transmits packets within the VLAN, thereby reducing the number of packets transmitted on the entire LAN. Because packets whose origin and destination are in the same VLAN are forwarded only within the local VLAN, packets that are not destined for the local VLAN are the only ones forwarded to other broadcast domains. This way, bridging and VLANs limit the amount of traffic flowing across the entire LAN by reducing the possible number of collisions and packet retransmissions within VLANs and on the LAN as a whole.

How Bridging of VLAN Traffic Works

Because the objective of the IEEE 802.1D-2004 standard was to reduce traffic and therefore reduce potential transmission collisions for Ethernet, a system was implemented to reuse information. Instead of having a switch go through a location process every time a frame is sent to a node, the transparent bridging protocol allows a switch to record the location of known nodes. When packets are sent to nodes, those destination node locations are stored in address-lookup tables called Ethernet switching tables. Before sending a packet, a switch using bridging first consults the switching tables to see if that node has already been located. If the location of a node is known, the frame is sent directly to that node.

Transparent bridging uses five mechanisms to create and maintain Ethernet switching tables on the switch:

  • Learning

  • Forwarding

  • Flooding

  • Filtering

  • Aging

The key bridging mechanism used by LANs and VLANs is learning. When a switch is first connected to an Ethernet LAN or VLAN, it has no information about other nodes on the network. As packets are sent, the switch learns the embedded MAC addresses of the sending nodes and stores them in the Ethernet switching table, along with two other pieces of information—the interface (or port) on which the traffic was received on the destination node and the time the address was learned.

Learning allows switches to then do forwarding. By consulting the Ethernet switching table to see whether the table already contains the frame’s destination MAC address, switches save time and resources when forwarding packets to the known MAC addresses. If the Ethernet switching table does not contain an entry for an address, the switch uses flooding to learn that address.

Flooding finds a particular destination MAC address without using the Ethernet switching table. When traffic originates on the switch and the Ethernet switching table does not yet contain the destination MAC address, the switch first floods the traffic to all other interfaces within the VLAN. When the destination node receives the flooded traffic, it can send an acknowledgment packet back to the switch, allowing it to learn the MAC address of the node and add the address to its Ethernet switching table.

Filtering, the fourth bridging mechanism, is how broadcast traffic is limited to the local VLAN whenever possible. As the number of entries in the Ethernet switching table grows, the switch pieces together an increasingly complete picture of the VLAN and the larger LAN—it learns which nodes are in the local VLAN and which are on other network segments. The switch uses this information to filter traffic. Specifically, for traffic whose source and destination MAC addresses are in the local VLAN, filtering prevents the switch from forwarding this traffic to other network segments.

To keep entries in the Ethernet switching table current, the switch uses a fifth bridging mechanism, aging. Aging is the reason that the Ethernet switching table entries include timestamps. Each time the switch detects traffic from a MAC address, it updates the timestamp. A timer on the switch periodically checks the timestamp, and if it is older than a user-configured value, the switch removes the node's MAC address from the Ethernet switching table. This aging process eventually flushes unavailable network nodes out of the Ethernet switching table.
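The five mechanisms above, modelled as an added example in Python (not Juniper code and not part of the original page). The class and method names, the 300-second aging value, the interface names, and the MAC addresses are assumptions made for illustration; filtering is modelled in the classic transparent-bridging sense, where a frame whose destination sits on the ingress segment is not sent anywhere else.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Entry:
    port: str          # interface on which the source MAC was last seen
    last_seen: float   # timestamp consulted by the aging timer


class LearningBridge:
    """Toy per-VLAN Ethernet switching table (hypothetical model)."""

    def __init__(self, vlan_ports, max_age=300.0):
        # vlan_ports: {vlan_id: iterable of member interfaces}
        self.vlan_ports = {vid: set(ports) for vid, ports in vlan_ports.items()}
        self.max_age = max_age      # assumed user-configured aging value (seconds)
        self.table = {}             # (vlan_id, mac) -> Entry

    def age_out(self, now):
        """Aging: remove entries whose timestamp is older than max_age."""
        stale = [k for k, e in self.table.items() if now - e.last_seen > self.max_age]
        for key in stale:
            del self.table[key]
        return stale

    def receive(self, vlan, in_port, src, dst, now):
        """Process one frame and return (action, sorted egress interfaces)."""
        # A frame for a VLAN the ingress interface does not belong to is dropped.
        if in_port not in self.vlan_ports.get(vlan, set()):
            return ("drop", [])
        self.age_out(now)
        # Learning: record (or refresh) where the source MAC lives in this VLAN.
        self.table[(vlan, src)] = Entry(in_port, now)
        entry = self.table.get((vlan, dst))
        # Flooding: unknown destination goes to every other port of the same VLAN.
        if dst == BROADCAST or entry is None:
            return ("flood", sorted(self.vlan_ports[vlan] - {in_port}))
        # Filtering: destination is on the ingress segment, nothing leaves it.
        if entry.port == in_port:
            return ("filter", [])
        # Forwarding: known destination, send out exactly one interface.
        return ("forward", [entry.port])


def run_demo():
    """Replay a constructed sequence of frames and return the decisions."""
    sw = LearningBridge({
        10: ["ge-0/0/1", "ge-0/0/2", "ge-0/0/3"],
        20: ["ge-0/0/4", "ge-0/0/5"],
    })
    a, b, c, d, e = (f"02:00:00:00:00:0{i}" for i in range(1, 6))  # constructed MACs
    frames = [
        (10, "ge-0/0/1", a, b, 0),    # b unknown: flood inside VLAN 10 only
        (10, "ge-0/0/2", b, a, 1),    # a was learned: forward
        (10, "ge-0/0/1", a, b, 2),    # b was learned: forward
        (10, "ge-0/0/3", c, d, 3),    # d unknown: flood
        (10, "ge-0/0/3", d, c, 4),    # c and d share a segment: filter
        (10, "ge-0/0/4", a, b, 5),    # interface is not a VLAN 10 member: drop
        (20, "ge-0/0/4", e, b, 6),    # b is known in VLAN 10 only: flood in VLAN 20
        (10, "ge-0/0/1", a, b, 400),  # every entry has aged out: flood again
    ]
    return [sw.receive(*frame) for frame in frames]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Note that the table is keyed on the VLAN as well as the MAC address, which is why the flood in the seventh frame never reaches a VLAN 10 interface.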

Packets Are Either Tagged or Untagged

When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique 802.1Q ID. The number of available VLANs and VLAN IDs are listed below:

  • On a switch running ELS software, you can configure 4093 VLANs using VLAN IDs 1 through 4094, while VLAN IDs 0 and 4095 are reserved by Junos OS and cannot be assigned.

  • On a switch running non-ELS software, you can configure 4091 VLANs using VLAN IDs 1-4094.

Ethernet packets include a tag protocol identifier (TPID) EtherType field, which identifies the protocol being transported. When a device within a VLAN generates a packet, this field includes a value of 0x8100, which indicates that the packet is a VLAN-tagged packet. The packet also has a VLAN ID field that includes the unique 802.1Q ID, which identifies the VLAN to which the packet belongs.

Junos OS switches support the TPID value 0x9100 for Q-in-Q. In addition to the TPID EtherType value of 0x8100, EX Series switches that do not support the Enhanced Layer 2 Software (ELS) configuration style also support values of 0x88a8 (Provider Bridging and Shortest Path Bridging) and 0x9100 (Q-in-Q).

For a simple network that has only a single VLAN, all packets include a default 802.1Q tag, which is the only VLAN membership that does not mark the packet as tagged. These packets are untagged packets.

Note:

Q-in-Q tunnelling is not supported on NFX150 devices.
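To make the tag layout concrete, here is an added Python example (not Juniper code and not part of the original page) that walks the TPID and VLAN ID fields of a captured Ethernet frame, using the three TPID values named above. The function names, the constructed sample frames, and the MAC addresses are assumptions; the 3-bit priority, 1-bit DEI, and 12-bit VLAN ID split of the tag control field follows IEEE 802.1Q.

```python
import struct

# TPID values named in this topic.
TPIDS = {0x8100: "802.1Q", 0x88A8: "Provider Bridging", 0x9100: "Q-in-Q"}
# VLAN IDs 0 and 4095 are reserved and cannot be assigned.
RESERVED_VIDS = {0, 4095}


def build_frame(tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Construct a sample frame; tags is a list of (tpid, priority, vlan_id)."""
    dst = bytes.fromhex("020000000002")   # constructed destination MAC
    src = bytes.fromhex("020000000001")   # constructed source MAC
    out = dst + src
    for tpid, pcp, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame):
    """Return the VLAN tags (outermost first) and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags, offset = [], 12                 # the first TPID/EtherType follows the MACs
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated before EtherType")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in TPIDS:
            break                         # a real EtherType: no more tags
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "tpid": etype,
            "pcp": tci >> 13,             # 3-bit priority
            "dei": (tci >> 12) & 1,       # drop eligible indicator
            "vid": tci & 0x0FFF,          # 12-bit VLAN ID
        })
        offset += 4
    return {"tags": tags, "ethertype": etype, "payload_offset": offset + 2}


def classify(frame):
    """Return (kind, [vlan ids], findings) for one frame."""
    tags = parse_vlan_tags(frame)["tags"]
    kind = "untagged" if not tags else "tagged" if len(tags) == 1 else "stacked"
    findings = [f"reserved VLAN ID {t['vid']}" for t in tags
                if t["vid"] in RESERVED_VIDS]
    return kind, [t["vid"] for t in tags], findings


def access_port_accepts(frame):
    """Access interfaces accept only untagged packets."""
    return classify(frame)[0] == "untagged"


if __name__ == "__main__":
    samples = {
        "untagged": build_frame([]),
        "single tag": build_frame([(0x8100, 5, 10)]),
        "Q-in-Q": build_frame([(0x9100, 0, 100), (0x8100, 0, 20)]),
        "reserved ID": build_frame([(0x8100, 0, 4095)]),
    }
    for name, frame in samples.items():
        print(name, classify(frame), "access ok:", access_port_accepts(frame))
```

Run over a capture from an access-facing interface, any frame that is not classified as untagged, and any stacked or reserved-ID frame on a port where Q-in-Q is not configured, is worth a closer look.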

Switch Interface Modes—Access, Trunk, or Tagged Access

Ports, or interfaces, on a switch operate in one of three modes:

  • Access mode

  • Trunk mode

  • Tagged-access mode

Access Mode

An interface in access mode connects a switch to a single network device, such as a desktop computer, an IP telephone, a printer, a file server, or a security camera. Access interfaces accept only untagged packets.

By default, when you boot a switch that runs Junos OS that does not support ELS and use the factory default configuration, or when you boot such a switch and do not explicitly configure a port mode, all interfaces on the switch are in access mode and accept only untagged packets from the VLAN named default. You can optionally configure another VLAN and use that VLAN instead of default.

On a switch that supports ELS, the VLAN named default is not supported. Therefore, on such switches, you must explicitly configure at least one VLAN, even if your network is simple and you want only one broadcast domain to exist. After you assign an interface to a VLAN, the interface functions in access mode.

For switches that run either type of software, you can also configure a trunk port or interface to accept untagged packets from a user-configured VLAN. For details about this concept (native VLAN), see Trunk Mode and Native VLAN.

Trunk Mode

Trunk mode interfaces are generally used to connect switches to one another. Traffic sent between switches can then consist of packets from multiple VLANs, with those packets multiplexed so that they can be sent over the same physical connection. Trunk interfaces usually accept only tagged packets and use the VLAN ID tag to determine both the packets’ VLAN origin and VLAN destination.

On a switch that runs software that does not support ELS, an untagged packet is not recognized on a trunk port unless you configure additional settings on that port.

On a switch that runs Junos OS that supports ELS, a trunk port recognizes untagged control packets for protocols such as the Link Aggregation Control Protocol (LACP) and the Link Layer Discovery Protocol (LLDP). However, the trunk port does not recognize untagged data packets unless you configure additional settings on that port.

Note:

LACP is not supported on NFX150 devices.

In the rare case where you want untagged packets to be recognized by a trunk port on switches that run either type of software, you must configure the single VLAN on a trunk port as a native VLAN. For more information about native VLANs, see Trunk Mode and Native VLAN.

Trunk Mode and Native VLAN

On a switch that runs Junos OS that does not support ELS, a trunk port does not recognize packets that do not include VLAN tags, which are also known as untagged packets. On a switch that runs Junos OS that supports ELS, a trunk port recognizes untagged control packets, but it does not recognize untagged data packets. With native VLAN configured, untagged packets that a trunk port normally does not recognize are sent over the trunk interface. In a situation where packets pass from a device, such as an IP phone or printer, to a switch in access mode, and you want those packets sent from the switch over a trunk port, use native VLAN mode. Create a native VLAN by configuring a VLAN ID for it, and specify that the trunk port is a member of the native VLAN.

The switch’s trunk port will then treat those packets differently than the other tagged packets. For example, if a trunk port has three VLANs, 10, 20, and 30, assigned to it with VLAN 10 being the native VLAN, packets on VLAN 10 that leave the trunk port on the other end have no 802.1Q header (tag).

There is another native VLAN option for switches that do not support ELS. You can have the switch add and remove tags for untagged packets. To do this, you first configure the single VLAN as a native VLAN on a port attached to a device on the edge. Then, assign a VLAN ID tag to the single native VLAN on the port connected to a device. Last, add the VLAN ID to the trunk port. Now, when the switch receives the untagged packet, it adds the ID you specified and sends and receives the tagged packets on the trunk port configured to accept that VLAN.

Tagged-Access Mode

Only switches that run Junos OS not using the ELS configuration style support tagged-access mode. Tagged-access mode accommodates cloud computing, specifically scenarios including virtual machines or virtual computers. Because several virtual computers can be included on one physical server, the packets generated by one server can contain an aggregation of VLAN packets from different virtual machines on that server. To accommodate this situation, tagged-access mode reflects packets back to the physical server on the same downstream port when the destination address of the packet was learned on that downstream port. Packets are also reflected back to the physical server on the downstream port when the destination has not yet been learned. Therefore, the third interface mode, tagged access, has some characteristics of access mode and some characteristics of trunk mode:

  • Like access mode, tagged-access mode connects the switch to an access layer device. Unlike access mode, tagged-access mode is capable of accepting VLAN tagged packets.

  • Like trunk mode, tagged-access mode accepts VLAN tagged packets from multiple VLANs. Unlike trunk port interfaces, which are connected at the core/distribution layer, tagged-access port interfaces connect devices at the access layer.

    Like trunk mode, tagged-access mode also supports native VLAN.

    Note:

    Control packets are never reflected back on the downstream port.

Maximum VLANs and VLAN Members Per Switch

Starting in Junos OS Release 17.3 on QFX10000 switches, the number of vmembers has increased to 256k for integrated routing and bridging interfaces and aggregated Ethernet interfaces.

The number of VLANs supported per switch varies for each switch. Use the configuration-mode command set vlans vlan-name vlan-id ? to determine the maximum number of VLANs allowed on a switch. You cannot exceed this VLAN limit because you have to assign a specific ID number when you create a VLAN—you could overwrite one of the numbers, but you cannot exceed the limit.

You can, however, exceed the recommended VLAN member maximum for a switch.

On a switch that runs Junos OS that does not support the ELS configuration style, the maximum number of VLAN members allowed on the switch is eight times the maximum number of VLANs that the switch supports (vmember limit = vlan max * 8). If the configuration of the switch exceeds the recommended VLAN member maximum, a warning message appears when you commit the configuration. If you commit the configuration despite the warning, the commit succeeds, but there is a risk of the Ethernet switching process (eswd) failing as a result of memory allocation failure.

On most switches running Junos OS that supports ELS, the maximum number of VLAN members allowed on the switch is 24 times the maximum number of VLANs that the switch supports (vmember limit = vlan max * 24). If the configuration of the switch exceeds the recommended VLAN member maximum, a warning message appears in the system log (syslog).

On an EX Series switch that runs Junos OS that supports ELS, the maximum number of VLAN members allowed on the switch is as follows:

  • EX4300—24 times the maximum number of VLANs that the switch supports (vmember limit = vlan max * 24)

  • EX3400—16 times the maximum number of VLANs that the switch supports (vmember limit = vlan max * 16)

  • EX2300—8 times the maximum number of VLANs that the switch supports (vmember limit = vlan max * 8)

A QFabric system supports up to 131,008 VLAN members (vmembers) on a single network node group, server node group, or redundant server node group. The number of vmembers is calculated by multiplying the maximum number of VLANs by 32.

For example, to calculate how many interfaces are required to support 4,000 VLANs, divide the maximum number of vmembers (128,000) by the number of configured VLANs (4,000). In this case, 32 interfaces are required.

On network Node groups and server Node groups, you can configure link aggregation groups (LAGs) across multiple interfaces. Each LAG and VLAN combination is considered a vmember.

Note:

LAG is not supported on NFX150 devices.

A Virtual Chassis Fabric supports up to 512,000 vmembers. The number of vmembers is based on the number of VLANs, and the number of interfaces configured in each VLAN.

A Default VLAN Is Configured on Most Switches

Some switches running Junos OS that do not support the ELS configuration style are preconfigured with a VLAN named default that does not tag packets and operates only with untagged packets. On these switches, each interface already belongs to the VLAN named default and all traffic uses this VLAN until you configure more VLANs and assign traffic to those VLANs.

EX Series switches that run Junos OS with the ELS configuration style do not support a default VLAN. The following EX Series switches running Junos OS not supporting the ELS configuration style are not preconfigured to belong to default or any other VLAN:

  • Modular switches, such as the EX8200 switches and EX6200 switches

  • Switches that are part of a Virtual Chassis

The reason that these switches are not preconfigured is that the physical configuration in both situations is flexible. There is no way of knowing which line cards have been inserted in either the EX8200 switch or EX6200 switch. There is also no way of knowing which switches are included in the Virtual Chassis. Switch interfaces in these two cases must first be defined as Ethernet switching interfaces. After an interface is defined as an Ethernet switching interface, the default VLAN appears in the output from the ? help and other commands.

Note:

When a Juniper Networks EX4500 Ethernet Switch, EX4200 Ethernet Switch, EX3300 Ethernet Switch, QFX3500 or QFX3600 switch is interconnected with other switches in a Virtual Chassis configuration, each individual switch that is included as a member of the configuration is identified with a member ID. The member ID functions as an FPC slot number. When you are configuring interfaces for a Virtual Chassis configuration, you specify the appropriate member ID (0 through 9) as the slot element of the interface name. The default factory settings for a Virtual Chassis configuration include FPC 0 as a member of the default VLAN because FPC 0 is configured as part of the ethernet-switching family. In order to include FPC 1 through FPC 9 in the default VLAN, add the ethernet-switching family to the configurations for those interfaces.

Note:

You cannot configure a default VLAN on NFX150 devices.

Assigning Traffic to VLANs

You can assign traffic on any switch to a particular VLAN by referencing either the interface port of the traffic or the MAC addresses of devices sending traffic.

Note:

Two logical interfaces that are configured on the same physical interface cannot be mapped to the same VLAN.

Assign VLAN Traffic According to the Interface Port Source

This method is most commonly used to assign traffic to VLANs. In this case, you specify that all traffic received on a particular switch interface is assigned to a specific VLAN. You configure this VLAN assignment when you configure the switch, by using either the VLAN number (called a VLAN ID) or by using the VLAN name, which the switch then translates into a numeric VLAN ID. This method is referred to simply as creating a VLAN because it is the most commonly used method.

Assign VLAN Traffic According to the Source MAC Address

In this case, all traffic received from a specific MAC address is forwarded to a specific egress interface (next hop) on the switch. MAC-based VLANs are either static (named MAC addresses configured one at a time) or dynamic (configured using a RADIUS server).

To configure a static MAC-based VLAN on a switch that supports ELS, see Adding a Static MAC Address Entry to the Ethernet Switching Table. To configure a static MAC-based VLAN on a switch that does not support ELS, see Adding a Static MAC Address Entry to the Ethernet Switching Table.

For information about using 802.1X authentication to authenticate end devices and allow access to dynamic VLANs configured on a RADIUS server, see Understanding Dynamic VLAN Assignment Using RADIUS Attributes. You can optionally implement this feature to offload the manual assignment of VLAN traffic to automated RADIUS server databases.

Forwarding VLAN Traffic

To pass traffic within a VLAN, the switch uses Layer 2 forwarding protocols, including IEEE 802.1Q spanning-tree protocols.

To pass traffic between two VLANs, the switch uses standard Layer 3 routing protocols, such as static routing, OSPF, and RIP. The same interfaces that support Layer 2 bridging protocols also support Layer 3 routing protocols, providing multilayer switching.

To pass traffic from a single device on an access port to a switch and then pass those packets on a trunk port, use the native mode configuration previously discussed under Trunk Mode.

VLANs Communicate with Integrated Routing and Bridging Interfaces or Routed VLAN Interfaces

Traditionally, switches sent traffic to hosts that were part of the same broadcast domain (VLAN) but routers were needed to route traffic from one broadcast domain to another. Also, only routers performed other Layer 3 functions such as traffic engineering.

Switches that run Junos OS that supports the ELS configuration style perform inter-VLAN routing functions using an integrated routing and bridging (IRB) interface named irb, while switches that run Junos OS that does not support ELS perform these functions using a routed VLAN interface (RVI) named vlan. These interfaces detect both MAC addresses and IP addresses and route data to Layer 3 interfaces, thereby frequently eliminating the need to have both a switch and a router.

VPLS Ports

You can configure VPLS ports in a virtual switch instead of a dedicated routing instance of type vpls so that the logical interfaces of the Layer 2 VLANs in the virtual switch can handle VPLS routing instance traffic. Packets received on a Layer 2 trunk interface are forwarded within a VLAN that has the same VLAN identifier.

Configuring VLANs on Switches with Enhanced Layer 2 Support

Switches use VLANs to make logical groupings of network nodes with their own broadcast domains. You can use VLANs to limit the traffic flowing across the entire LAN and reduce collisions and packet retransmissions.

Note:

This task supports the Enhanced Layer 2 Software (ELS) configuration style. For ELS details, see Using the Enhanced Layer 2 Software CLI. If your switch runs software that does not support ELS, see Configuring VLANs on Switches.

Note:

Starting with Junos OS Release 17.1R3, on QFX10000 switches, you cannot configure an interface with both family ethernet-switching and flexible-vlan-tagging. This configuration is not supported, and a warning will be issued if you try to commit this configuration.

Note:

Two logical interfaces that are configured on the same physical interface cannot be mapped to the same VLAN.

For each endpoint on the VLAN, configure the following VLAN parameters on the corresponding interface:

  1. Specify the description of the VLAN:
  2. Specify the unique name of the VLAN:
    Note:

    Switches that run Junos OS with the ELS configuration style do not support a default VLAN. Therefore, on such switches, you must explicitly configure at least one VLAN, even if your network is simple and you want only one broadcast domain to exist.

    Note:

    On QFX5100 switches running Junos OS Release 14.1X53-D46 or earlier, when you configure an interface under a VLAN but do not specify the name of the VLAN, the system will not issue a commit error.

  3. Create the subnet for the VLAN:
    Note:

    The family inet option is not supported on NFX150 devices.

  4. Configure the VLAN tag ID or VLAN ID list for the VLAN:

    or

  5. Specify a VLAN firewall filter to be applied to incoming or outgoing packets:

Configuring a VLAN

A VLAN must include a set of logical interfaces that participate in Layer 2 learning and forwarding. You can optionally configure a VLAN identifier and a Layer 3 interface for the VLAN to also support Layer 3 IP routing.

To enable a VLAN, include the following statements:

You cannot use the slash (/) character in VLAN names. If you do, the configuration does not commit and an error is generated.

For the vlan-id statement, you can specify either a valid VLAN identifier or the none or all options.

To include one or more logical interfaces in the VLAN, specify an interface-name for an Ethernet interface you configured at the [edit interfaces] hierarchy level.

Note:

A maximum of 4096 active logical interfaces are supported for a VLAN or on each mesh group in a virtual private LAN service (VPLS) instance configured for Layer 2 bridging.

By default, each VLAN maintains a Layer 2 forwarding database that contains media access control (MAC) addresses learned from packets received on the ports that belong to the VLAN. You can modify Layer 2 forwarding properties, for example, disabling MAC learning for the entire system or a VLAN, adding static MAC addresses for specific logical interfaces, and limiting the number of MAC addresses learned by the entire system, the VLAN, or a logical interface.

You can also configure spanning tree protocols to prevent forwarding loops.

Configuring VLANs on Switches

Switches use VLANs to make logical groupings of network nodes with their own broadcast domains. You can use VLANs to limit the traffic flowing across the entire LAN and reduce collisions and packet retransmissions.

Note:

This task uses Junos OS for the QFX Series that does not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Configuring VLANs on Switches with Enhanced Layer 2 Support.

For each endpoint on the VLAN, configure the following VLAN parameters on the corresponding interface:

  1. Specify the description of the VLAN:
  2. Specify the unique name of the VLAN:
    Note:

    In a QFabric system, do not configure “default” as the name of a VLAN. Though the QFabric system will allow you to configure and commit a VLAN with the name “default” in the current software with no commit errors, it will not work. Junos OS 12.2 and onwards will not allow you to commit a VLAN with the name “default.”

  3. Create the subnet for the VLAN:
  4. Configure the VLAN tag ID or VLAN ID range for the VLAN:

    or

  5. Specify a VLAN firewall filter to be applied to incoming or outgoing packets:

Configuring VLANs for EX Series Switches

Note:

This task uses Junos OS for EX Series switches that do not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Configuring VLANs for EX Series Switches with ELS Support (CLI Procedure). For ELS details, see Using the Enhanced Layer 2 Software CLI.

EX Series switches use VLANs to make logical groupings of network nodes with their own broadcast domains. VLANs limit the traffic flowing across the entire LAN and reduce collisions and packet retransmissions.

Why Create a VLAN?

Some reasons to create VLANs are:

  • A LAN has more than 200 devices.

  • A LAN has a large amount of broadcast traffic.

  • A group of clients requires that a higher-than-average level of security be applied to traffic entering or exiting the group's devices.

  • A group of clients requires that the group's devices receive less broadcast traffic than they are currently receiving, so that data speed across the group is increased.

Create a VLAN Using the Minimum Procedure

Two steps are required to create a VLAN:

  • Uniquely identify the VLAN. You do this by assigning either a name or an ID (or both) to the VLAN. When you assign just a VLAN name, an ID is generated by Junos OS.

  • Assign at least one switch port interface to the VLAN for communication. All interfaces in a single VLAN are in a single broadcast domain, even if the interfaces are on different switches. You can assign traffic on any switch to a particular VLAN by referencing either the interface sending traffic or the MAC addresses of devices sending traffic.

The following example creates a VLAN using only the two required steps. The VLAN is created with the name employee-vlan. Then, three interfaces are assigned to that VLAN so that the traffic is transmitted among these interfaces.

Note:

In this example, you could alternatively assign an ID number to the VLAN. The requirement is that the VLAN have a unique ID.

In the example, all users connected to the interfaces ge-0/0/1, ge-0/0/2, and ge-0/0/3 can communicate with each other, but not with users on other interfaces in this network. To configure communication between VLANs, you must configure a routed VLAN interface (RVI). See Configuring Routed VLAN Interfaces on Switches (CLI Procedure).

Create a VLAN Using All of the Options

To configure a VLAN, follow these steps:

  1. In configuration mode, create the VLAN by setting the unique VLAN name:
  2. Configure the VLAN tag ID or VLAN ID range for the VLAN. (If you assigned a VLAN name, you do not have to do this, because a VLAN ID is assigned automatically, thereby associating the name of the VLAN to an ID number. However, if you want to control the ID numbers, you can assign both a name and an ID.)

    or

  3. Assign at least one interface to the VLAN:
    Note:

    You can also specify that a trunk interface is a member of all the VLANs that are configured on this switch. When a new VLAN is configured on the switch, this trunk interface automatically becomes a member of the VLAN.

  4. (Optional) Create a subnet for the VLAN because all computers that belong to a subnet are addressed with a common, identical, most-significant-bit group in their IP address. This makes it easy to identify VLAN members by their IP addresses. To create the subnet for the VLAN:
  5. (Optional) Specify the description of the VLAN:
  6. (Optional) To avoid exceeding the maximum number of members allowed in a VLAN, specify the maximum time that an entry can remain in the forwarding table before it ages out:
  7. (Optional) For security purposes, specify a VLAN firewall filter to be applied to incoming or outgoing packets:
  8. (Optional) For accounting purposes, enable a counter to track the number of times this VLAN is accessed:
  9. (Optional) For Virtual Chassis bandwidth management purposes, enable VLAN Pruning to ensure all broadcast, multicast, and unknown unicast traffic entering the Virtual Chassis on the VLAN uses the shortest possible path through the Virtual Chassis:

Configuration Guidelines for VLANs

Two steps are required to create a VLAN. You must uniquely identify the VLAN and you must assign at least one switch port interface to the VLAN for communication.

After creating a VLAN, all users all users connected to the interfaces assigned to the VLAN can communicate with each other but not with users on other interfaces in the network. To configure communication between VLANs, you must configure a routed VLAN interface (RVI). See Configuring Routed VLAN Interfaces on Switches (CLI Procedure) to create an RVI.

The number of VLANs supported per switch varies for each switch type. Use the command set vlans id vlan-id ? to discover the maximum number of VLANs allowed on a switch. You cannot exceed this VLAN limit because each VLAN is assigned an ID number when it is created. You can, however, exceed the recommended VLAN member maximum. To determine the maximum number of VLAN members allowed on a switch, multiply the VLAN maximum obtained using set vlans id vlan-id ? by 8.

If a switch configuration exceeds the recommended VLAN member maximum, you see a warning message when you commit the configuration. If you ignore the warning and commit such a configuration, the configuration succeeds but you run the risk of crashing the Ethernet switching process (eswd) due to memory allocation failure.
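The member-maximum rule above can be checked before commit by counting VLAN members in a set-style configuration. This is an added example, not Juniper's code: it assumes that one VLAN member is one logical-interface-to-VLAN association, and the function names, the voice and guest VLANs, and the max_vlans values are constructed for illustration (read the real VLAN maximum from your own switch).

```python
import re

MEMBERS_PER_VLAN = 8  # multiplier stated on this page

VLAN_DEF = re.compile(r"^set vlans (\S+) vlan-id (\d+)$")
NON_ELS_MEMBER = re.compile(r"^set vlans (\S+) interface (\S+)$")
IF_MEMBER = re.compile(
    r"^set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (.+)$"
)


def vlan_members(config_text):
    """Return the set of (logical interface, VLAN name) associations."""
    vlan_ids = {}          # VLAN name -> tag (None if the VLAN is only referenced)
    explicit = set()       # (logical interface, VLAN name or numeric tag)
    member_of_all = set()  # logical interfaces configured with "vlan members all"

    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if m := VLAN_DEF.match(line):
            vlan_ids[m.group(1)] = int(m.group(2))
        elif m := NON_ELS_MEMBER.match(line):
            ifl = m.group(2) if "." in m.group(2) else m.group(2) + ".0"
            vlan_ids.setdefault(m.group(1), None)
            explicit.add((ifl, m.group(1)))
        elif m := IF_MEMBER.match(line):
            ifl = f"{m.group(1)}.{m.group(2)}"
            # Accept a single name, a numeric tag, "all", or a [ bracketed list ].
            for token in m.group(3).strip("[] ").split():
                if token == "all":
                    member_of_all.add(ifl)
                else:
                    explicit.add((ifl, token))

    name_by_tag = {tag: name for name, tag in vlan_ids.items() if tag is not None}
    members = set()
    for ifl, ref in explicit:
        if ref.isdigit() and int(ref) in name_by_tag:
            ref = name_by_tag[int(ref)]  # membership given by tag, resolve to name
        members.add((ifl, ref))
    # A trunk that is a member of all VLANs joins every configured VLAN.
    for ifl in member_of_all:
        members.update((ifl, name) for name in vlan_ids)
    return members


def check_member_limit(config_text, max_vlans):
    """Compare the member count with max_vlans * 8, the recommended maximum."""
    members = vlan_members(config_text)
    per_vlan = {}
    for _, name in members:
        per_vlan[name] = per_vlan.get(name, 0) + 1
    limit = max_vlans * MEMBERS_PER_VLAN
    return {
        "members": len(members),
        "limit": limit,
        "exceeded": len(members) > limit,
        "per_vlan": per_vlan,
    }


def build_sample_config():
    """Constructed sample: 3 VLANs, 10 access ports, 8 trunks in all VLANs."""
    lines = [
        "set vlans employee-vlan vlan-id 10",
        "set vlans voice vlan-id 20",
        "set vlans guest vlan-id 30",
    ]
    prefix = "set interfaces ge-0/0/{} unit 0 family ethernet-switching "
    for port in range(10):
        lines.append(prefix.format(port) + "vlan members employee-vlan")
    for port in range(10, 18):
        lines.append(prefix.format(port) + "interface-mode trunk")
        lines.append(prefix.format(port) + "vlan members all")
    return "\n".join(lines)


if __name__ == "__main__":
    # max_vlans=4 is a constructed value chosen so the sample trips the check.
    report = check_member_limit(build_sample_config(), max_vlans=4)
    print(report)
    if report["exceeded"]:
        print("WARNING: member count exceeds the recommended maximum")
```

Trunks configured as members of all VLANs dominate the count, because each one adds a member to every VLAN on the switch.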

Note:

When EX2300 and EX3400 ERPS switches have a VLAN-ID configured with a name under an interface hierarchy, a commit error occurs. Avoid this by configuring VLAN-IDs using numbers when they are under an interface hierarchy with ERPS configured in the switch.

Example: Configuring VLANs on Security Devices

This example shows you how to configure a VLAN.

Requirements

Before you begin:

Overview

In this example, you create a new VLAN and then configure its attributes. You can configure one or more VLANs to perform Layer 2 switching. The Layer 2 switching functions include integrated routing and bridging (IRB), which supports Layer 2 switching and Layer 3 IP routing on the same interface. SRX Series Firewalls can function as Layer 2 switches, each with multiple switching or broadcast domains that participate in the same Layer 2 network.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a VLAN:

  1. Configure a Gigabit Ethernet interface or a 10-Gigabit Ethernet interface as an access interface:

  2. Assign an interface to the VLAN by specifying the logical interface (with the unit statement) and specifying the VLAN name as the member.

  3. Create the VLAN by setting the unique VLAN name and configuring the VLAN ID.

  4. Bind a Layer 3 interface with the VLAN.

  5. Create the subnet for the VLAN’s broadcast domain.

Results

From configuration mode, confirm your configuration by entering the show vlans command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying VLANs

Purpose

Verify that VLANs are configured and assigned to the interfaces.

Action

From operational mode, enter the show vlans command.

Meaning

The output shows the VLAN is configured and assigned to the interface.

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch with ELS Support

Note:

This example uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs Junos OS that does not support ELS, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch. For ELS details, see Using the Enhanced Layer 2 Software CLI.

EX Series switches use bridging and virtual LANs (VLANs) to connect network devices in a LAN—desktop computers or laptops, IP telephones, printers, file servers, wireless access points, and others—and to segment the LAN into smaller broadcast domains.

This example describes how to configure basic bridging and a VLAN on an EX Series switch:

Requirements

This example uses the following hardware and software components:

  • One EX Series switch

  • Junos OS Release 13.2X50-D10 or later for EX Series switches

Before you set up bridging and a VLAN, be sure you have:

Overview and Topology

EX Series switches connect network devices in an office LAN or a data center LAN to provide sharing of common resources such as printers and file servers and to enable wireless devices to connect to the LAN through wireless access points. Without bridging and VLANs, all devices on the Ethernet LAN are in a single broadcast domain, and all the devices detect all the packets on the LAN. Bridging creates separate broadcast domains on the LAN, creating VLANs, which are independent logical networks that group together related devices into separate network segments. The grouping of devices on a VLAN is independent of where the devices are physically located in the LAN.

To use an EX Series switch to connect network devices on a LAN, you must, at a minimum, explicitly configure at least one VLAN, even if your network is simple and you want only one broadcast domain to exist, as is the case with this example. You must also assign all needed interfaces to the VLAN, after which the interfaces function in access mode. After the VLAN is configured, you can plug access devices—such as desktop or laptop computers, IP telephones, file servers, printers, and wireless access points—into the switch, and they are joined immediately into the VLAN, and the LAN is up and running.

The topology used in this example consists of one EX4300-24P switch, which has a total of 24 ports. All ports support Power over Ethernet (PoE), which means they provide both network connectivity and electric power for the device connecting to the port. To these ports, you can plug in devices requiring PoE, such as Avaya VoIP telephones, wireless access points, and some IP cameras. (Avaya phones have a built-in hub that allows you to connect a desktop PC to the phone, so the desktop and phone in a single office require only one port on the switch.) Table 1 details the topology used in this configuration example.

Table 1: Components of the Basic Bridging Configuration Topology
Property Settings

Switch hardware

EX4300-24P switch, with 24 Gigabit Ethernet ports: in this example, 8 ports are used as PoE ports (ge-0/0/0 through ge-0/0/7) and 16 ports are used as non-PoE ports (ge-0/0/8 through ge-0/0/23)

VLAN name

employee-vlan

VLAN ID

10

Connection to wireless access point (requires PoE)

ge-0/0/0

Connections to Avaya IP telephone—with integrated hub, to connect phone and desktop PC to a single port (requires PoE)

ge-0/0/1 through ge-0/0/7

Direct connections to desktop PCs and laptops (no PoE required)

ge-0/0/8 through ge-0/0/12

Connections to file servers (no PoE required)

ge-0/0/17 and ge-0/0/18

Connections to integrated printer/fax/copier machines (no PoE required)

ge-0/0/19 through ge-0/0/20

Unused ports (for future expansion)

ge-0/0/13 through ge-0/0/16, and ge-0/0/21 through ge-0/0/23

Topology

Configuration

To set up basic bridging and a VLAN:

Procedure

CLI Quick Configuration

To quickly configure a VLAN, copy the following commands and paste them into the switch terminal window:

You must then plug the wireless access point into PoE-enabled port ge-0/0/0 and the Avaya IP phones into the PoE-enabled ports ge-0/0/1 through ge-0/0/7. Also, plug the PCs, file servers, and printers into ports ge-0/0/8 through ge-0/0/12 and ge-0/0/17 through ge-0/0/20.

Step-by-Step Procedure

To set up basic bridging and a VLAN:

  1. Create a VLAN named employee-vlan and specify the VLAN ID of 10 for it:

  2. Assign interfaces ge-0/0/0 through ge-0/0/12, and ge-0/0/17 through ge-0/0/20 to the employee-vlan VLAN:

  3. Connect the wireless access point to switch port ge-0/0/0.

  4. Connect the seven Avaya phones to switch ports ge-0/0/1 through ge-0/0/7.

  5. Connect the five PCs to ports ge-0/0/8 through ge-0/0/12.

  6. Connect the two file servers to ports ge-0/0/17 and ge-0/0/18.

  7. Connect the two printers to ports ge-0/0/19 and ge-0/0/20.

Results

Check the results of the configuration:

Verification

To verify that switching is operational and that employee-vlan has been created, perform these tasks:

Verifying That the VLAN Has Been Created

Purpose

Verify that the VLAN named employee-vlan has been created on the switch.

Action

List all VLANs configured on the switch:

Meaning

The show vlans command lists the VLANs configured on the switch. This output shows that the VLAN employee-vlan has been created.

Verifying That Interfaces Are Associated with the Proper VLANs

Purpose

Verify that Ethernet switching is enabled on switch interfaces and that all interfaces are included in the VLAN.

Action

List all interfaces on which switching is enabled:

Meaning

The show ethernet-switching interfaces command lists all interfaces on which switching is enabled (in the Logical interface column), along with the VLANs that are active on the interfaces (in the VLAN members column). The output in this example shows that all the connected interfaces, ge-0/0/0 through ge-0/0/12 and ge-0/0/17 through ge-0/0/20, are part of VLAN employee-vlan. Notice that the interfaces listed are the logical interfaces, not the physical interfaces. For example, the output shows ge-0/0/0.0 instead of ge-0/0/0. This is because Junos OS creates VLANs on logical interfaces, not directly on physical interfaces.

Example: Setting Up Basic Bridging and a VLAN on Switches

The QFX Series products use bridging and virtual LANs (VLANs) to connect network devices—storage devices, file servers, and other LAN components—in a LAN and to segment the LAN into smaller bridging domains.

To segment traffic on a LAN into separate broadcast domains, you create separate virtual LANs (VLANs) on a switch. Each VLAN is a collection of network nodes. When you use VLANs, frames whose origin and destination are in the same VLAN are forwarded only within the local VLAN, and only frames not destined for the local VLAN are forwarded to other broadcast domains. VLANs thus limit the amount of traffic flowing across the entire LAN, reducing the possible number of collisions and packet retransmissions within the LAN.

Note:

You cannot configure more than one logical interface that belongs to the same physical interface in the same bridge domain.

This example describes how to configure basic bridging and VLANs for the QFX Series:

Requirements

This example uses the following software and hardware components:

  • Junos OS Release 11.1 or later for the QFX Series

  • A configured and provisioned QFX Series product

Overview and Topology

To use a switch to connect network devices on a LAN, you must at a minimum configure bridging and VLANs. By default, bridging is enabled on all switch interfaces, all interfaces are in access mode, and all interfaces belong to a VLAN called employee-vlan, which is automatically configured. When you plug in access devices—such as desktop computers, file servers, and printers—they are joined immediately into the employee-vlan VLAN, and the LAN is up and running.

The topology used in this example consists of a single QFX3500 switch, with a total of 48 10-Gbps Ethernet ports. (For the purposes of this example, the QSFP+ ports Q0-Q3, which are ports xe-0/1/0 through xe-0/1/15, are excluded.) You use the ports to connect devices that have their own power sources. Table 2 details the topology used in this configuration example.

Table 2: Components of the Basic Bridging Configuration Topology

Property

Settings

Switch hardware

QFX3500 switch, with 48 10-Gbps Ethernet ports

VLAN name

employee-vlan

VLAN ID

10

Connections to file servers

xe-0/0/17 and xe-0/0/18

Direct connections to desktop PCs and laptops

xe-0/0/0 through xe-0/0/16

Connections to integrated printer/fax/copier machines

xe-0/0/19 through xe-0/0/40

Unused ports

xe-0/0/41 through xe-0/0/47

Topology

Configuration

Procedure

CLI Quick Configuration

To quickly configure a VLAN, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To set up basic bridging and a VLAN:

  1. Create a VLAN named employee-vlan and specify the VLAN ID of 10 for it:

  2. Assign interfaces xe-0/0/0 through xe-0/0/40 to the employee-vlan VLAN:

  3. Connect the two file servers to ports xe-0/0/17 and xe-0/0/18.

  4. Connect the desktop PCs and laptops to ports xe-0/0/0 through xe-0/0/16.

  5. Connect the integrated printer/fax/copier machines to ports xe-0/0/19 through xe-0/0/40.

Results

Check the results of the configuration:

Verification

To verify that switching is operational and that employee-vlan has been created, perform these tasks:

Verifying That the VLAN Has Been Created

Purpose

Verify that the VLAN named employee-vlan has been created on the switch.

Action

List all VLANs configured on the switch:

Meaning

The show vlans command lists the VLANs configured on the switch. This output shows that the VLAN employee-vlan has been created.

Verifying That Interfaces Are Associated with the Proper VLANs

Purpose

Verify that Ethernet switching is enabled on switch interfaces and that all interfaces are included in the VLAN.

Action

List all interfaces on which switching is enabled:

Meaning

The show ethernet-switching interfaces command lists all interfaces on which switching is enabled (in the Logical interface column), along with the VLANs that are active on the interfaces (in the VLAN members column). The output in this example shows that all the connected interfaces, xe-0/0/0 through xe-0/0/40, are part of VLAN employee-vlan. Notice that the interfaces listed are the logical interfaces, not the physical interfaces. For example, the output shows xe-0/0/0.0 instead of xe-0/0/0. This is because Junos OS creates VLANs on logical interfaces, not directly on physical interfaces.

Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch

Note:

This example uses Junos OS for EX Series switches that does not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch with ELS Support. For ELS details, see Using the Enhanced Layer 2 Software CLI.

EX Series switches use bridging and virtual LANs (VLANs) to connect network devices in a LAN—desktop computers, IP telephones, printers, file servers, wireless access points, and others—and to segment the LAN into smaller bridging domains. The switch's default configuration provides a quick setup of bridging and a single VLAN.

This example describes how to configure basic bridging and VLANs for an EX Series switch:

Requirements

This example uses the following software and hardware components:

  • Junos OS Release 9.0 or later for EX Series switches

  • One EX4200 Virtual Chassis switch

Before you set up bridging and a VLAN, be sure you have:

Overview and Topology

EX Series switches connect network devices in an office LAN or a data center LAN to provide sharing of common resources such as printers and file servers and to enable wireless devices to connect to the LAN through wireless access points. Without bridging and VLANs, all devices on the Ethernet LAN are in a single broadcast domain, and all the devices detect all the packets on the LAN. Bridging creates separate broadcast domains on the LAN, creating VLANs, which are independent logical networks that group together related devices into separate network segments. The grouping of devices on a VLAN is independent of where the devices are physically located in the LAN.

To use an EX Series switch to connect network devices on a LAN, you must, at a minimum, configure bridging and VLANs. If you simply power on the switch and perform the initial switch configuration using the factory-default settings, bridging is enabled on all the switch's interfaces, all interfaces are in access mode, and all interfaces belong to a VLAN called default, which is automatically configured. When you plug access devices—such as desktop computers, Avaya IP telephones, file servers, printers, and wireless access points—into the switch, they are joined immediately into the default VLAN and the LAN is up and running.

The topology used in this example consists of one EX4200-24T switch, which has a total of 24 ports. Eight of the ports support Power over Ethernet (PoE), which means they provide both network connectivity and electric power for the device connecting to the port. To these ports, you can plug in devices requiring PoE, such as Avaya VoIP telephones, wireless access points, and some IP cameras. (Avaya phones have a built-in hub that allows you to connect a desktop PC to the phone, so the desktop and phone in a single office require only one port on the switch.) The remaining 16 ports provide only network connectivity. You use them to connect devices that have their own power sources, such as desktop and laptop computers, printers, and servers. Table 3 details the topology used in this configuration example.

Table 3: Components of the Basic Bridging Configuration Topology
Property Settings

Switch hardware

EX4200-24T switch, with 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)

VLAN name

default

Connection to wireless access point (requires PoE)

ge-0/0/0

Connections to Avaya IP telephone—with integrated hub, to connect phone and desktop PC to a single port (requires PoE)

ge-0/0/1 through ge-0/0/7

Direct connections to desktop PCs (no PoE required)

ge-0/0/8 through ge-0/0/12

Connections to file servers (no PoE required)

ge-0/0/17 and ge-0/0/18

Connections to integrated printer/fax/copier machines (no PoE required)

ge-0/0/19 through ge-0/0/20

Unused ports (for future expansion)

ge-0/0/13 through ge-0/0/16, and ge-0/0/21 through ge-0/0/23

Topology

Configuration

Procedure

CLI Quick Configuration

By default, after you perform the initial configuration on the EX4200 switch, switching is enabled on all interfaces, a VLAN named default is created, and all interfaces are placed into this VLAN. You do not need to perform any other configuration on the switch to set up bridging and VLANs. To use the switch, simply plug the Avaya IP phones into the PoE-enabled ports ge-0/0/1 through ge-0/0/7, and plug in the PCs, file servers, and printers to the non-PoE ports, ge-0/0/8 through ge-0/0/12 and ge-0/0/17 through ge-0/0/20.

Step-by-Step Procedure

To configure bridging and VLANs:

  1. Make sure the switch is powered on.

  2. Connect the wireless access point to switch port ge-0/0/0.

  3. Connect the seven Avaya phones to switch ports ge-0/0/1 through ge-0/0/7.

  4. Connect the five PCs to ports ge-0/0/8 through ge-0/0/12.

  5. Connect the two file servers to ports ge-0/0/17 and ge-0/0/18.

  6. Connect the two printers to ports ge-0/0/19 and ge-0/0/20.

Results

Check the results of the configuration:

Verification

To verify that switching is operational and that a VLAN has been created, perform these tasks:

Verifying That the VLAN Has Been Created

Purpose

Verify that the VLAN named default has been created on the switch.

Action

List all VLANs configured on the switch:

Meaning

The show vlans command lists the VLANs configured on the switch. This output shows that the VLAN default has been created.

Verifying That Interfaces Are Associated with the Proper VLANs

Purpose

Verify that Ethernet switching is enabled on switch interfaces and that all interfaces are included in the VLAN.

Action

List all interfaces on which switching is enabled:

Meaning

The show ethernet-switching interfaces command lists all interfaces on which switching is enabled (in the Interfaces column), along with the VLANs that are active on the interfaces (in the VLAN members column). The output in this example shows that all the connected interfaces, ge-0/0/0 through ge-0/0/12 and ge-0/0/17 through ge-0/0/20, are part of VLAN default. Notice that the interfaces listed are the logical interfaces, not the physical interfaces. For example, the output shows ge-0/0/0.0 instead of ge-0/0/0. This is because Junos OS creates VLANs on logical interfaces, not directly on physical interfaces.

Example: Setting Up Bridging with Multiple VLANs

The QFX Series products use bridging and virtual LANs (VLANs) to connect network devices in a LAN—storage devices, file servers, and other network components—and to segment the LAN into smaller bridging domains.

To segment traffic on a LAN into separate broadcast domains, you create separate virtual LANs (VLANs) on a switch. Each VLAN is a collection of network nodes. When you use VLANs, frames whose origin and destination are in the same VLAN are forwarded only within the local VLAN, and only frames not destined for the local VLAN are forwarded to other broadcast domains. VLANs thus limit the amount of traffic flowing across the entire LAN, reducing the possible number of collisions and packet retransmissions within the LAN.

Note:

This task uses Junos OS for QFX3500 and QFX3600 switches that does not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Example: Setting Up Bridging with Multiple VLANs on Switches.

This example describes how to configure bridging for the QFX Series and how to create two VLANs to segment the LAN:

Requirements

This example uses the following hardware and software components:

  • A configured and provisioned QFX3500 switch

  • Junos OS Release 11.1 or later for the QFX Series

Overview and Topology

Switches connect all devices in an office or data center into a single LAN to provide sharing of common resources such as file servers. The default configuration creates a single VLAN, and all traffic on the switch is part of that broadcast domain. Creating separate network segments reduces the span of the broadcast domain and enables you to group related users and network resources without being limited by physical cabling or by the location of a network device in the building or on the LAN.

This example shows a simple configuration to illustrate the basic steps for creating two VLANs on a single switch. One VLAN, called sales, is for the sales and marketing group, and a second, called support, is for the customer support team. The sales and support groups each have their own dedicated file servers and other resources. For the switch ports to be segmented across the two VLANs, each VLAN must have its own broadcast domain, identified by a unique name and tag (VLAN ID). In addition, each VLAN must be on its own distinct IP subnet.

Topology

The topology used in this example consists of a single QFX3500 switch, with a total of 48 10-Gbps Ethernet ports. (For the purposes of this example, the QSFP+ ports Q0-Q3, which are ports xe-0/1/0 through xe-0/1/15, are excluded.)

Table 4: Components of the Multiple VLAN Topology

Property

Settings

Switch hardware

QFX3500 switch configured with 48 10-Gbps Ethernet ports (xe-0/0/0 through xe-0/0/47)

VLAN names and tag IDs

sales, tag 100; support, tag 200

VLAN subnets

sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126); support: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)

Interfaces in VLAN sales

File servers: xe-0/0/20 and xe-0/0/21

Interfaces in VLAN support

File servers: xe-0/0/46 and xe-0/0/47

Unused interfaces

xe-0/0/2 and xe-0/0/25

This configuration example creates two IP subnets, one for the sales VLAN and the second for the support VLAN. The switch bridges traffic within a VLAN. For traffic passing between two VLANs, the switch routes the traffic using a Layer 3 routing interface on which you have configured the address of the IP subnet.

To keep the example simple, the configuration steps show only a few devices in each of the VLANs. Use the same configuration procedure to add more LAN devices.

Configuration

Procedure

CLI Quick Configuration

To quickly configure Layer 2 switching for the two VLANs (sales and support) and to quickly configure Layer 3 routing of traffic between the two VLANs, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

Configure the switch interfaces and the VLANs to which they belong. By default, all interfaces are in access mode, so you do not have to configure the port mode.

  1. Configure the interface for the file server in the sales VLAN:

  2. Configure the interface for the file server in the support VLAN:

  3. Create the subnet for the sales broadcast domain:

  4. Create the subnet for the support broadcast domain:

  5. Configure the VLAN tag IDs for the sales and support VLANs:

  6. To route traffic between the sales and support VLANs, define the interfaces that are members of each VLAN and associate a Layer 3 interface:

Results

Display the results of the configuration:

Tip:

To quickly configure the sales and support VLAN interfaces, issue the load merge terminal command. Then copy the hierarchy and paste it into the switch terminal window.

Verification

To verify that the sales and support VLANs have been created and are operating properly, perform these tasks:

Verifying That the VLANs Have Been Created and Associated with the Correct Interfaces

Purpose

Verify that the sales and support VLANs have been created on the switch and that all connected interfaces on the switch are members of the correct VLAN.

Action

To list all VLANs configured on the switch, use the show vlans command:

Meaning

The show vlans command lists all VLANs configured on the switch and which interfaces are members of each VLAN. This command output shows that the sales and support VLANs have been created. The sales VLAN has a tag ID of 100 and is associated with interfaces xe-0/0/0.0, xe-0/0/3.0, xe-0/0/20.0, and xe-0/0/22.0. VLAN support has a tag ID of 200 and is associated with interfaces xe-0/0/24.0, xe-0/0/26.0, xe-0/0/44.0, and xe-0/0/46.0.

Verifying That Traffic Is Being Routed Between the Two VLANs

Purpose

Verify routing between the two VLANs.

Action

List the Layer 3 routes in the switch Address Resolution Protocol (ARP) table:

Meaning

Sending IP packets on a multiaccess network requires mapping from an IP address to a MAC address (the physical or hardware address). The ARP table displays the mapping between the IP address and MAC address for both vlan.0 (associated with sales) and vlan.1 (associated with support). These VLANs can route traffic to each other.

Verifying That Traffic Is Being Switched Between the Two VLANs

Purpose

Verify that learned entries are being added to the Ethernet switching table.

Action

List the contents of the Ethernet switching table:

Meaning

The output shows that learned entries for the sales and support VLANs have been added to the Ethernet switching table, and are associated with interfaces xe-0/0/0.0 and xe-0/0/46.0. Even though the VLANs were associated with more than one interface in the configuration, these interfaces are the only ones that are currently operating.

Example: Setting Up Bridging with Multiple VLANs on Switches

The QFX Series products use bridging and virtual LANs (VLANs) to connect network devices in a LAN—storage devices, file servers, and other network components—and to segment the LAN into smaller bridging domains.

To segment traffic on a LAN into separate broadcast domains, you create separate virtual LANs (VLANs) on a switch. Each VLAN is a collection of network nodes. When you use VLANs, frames whose origin and destination are in the same VLAN are forwarded only within the local VLAN, and only frames not destined for the local VLAN are forwarded to other broadcast domains. VLANs thus limit the amount of traffic flowing across the entire LAN, reducing the possible number of collisions and packet retransmissions within the LAN.

This example describes how to configure bridging for the QFX Series and how to create two VLANs to segment the LAN:

Note:

This task supports the Enhanced Layer 2 Software (ELS) configuration style. For ELS details, see Using the Enhanced Layer 2 Software CLI. If your switch runs software that does not support ELS, see Example: Setting Up Bridging with Multiple VLANs.

Requirements

This example uses the following hardware and software components:

  • A configured and provisioned QFX3500 switch

  • Junos OS Release 13.2X50-D15 or later for the QFX Series

Overview and Topology

Switches connect all devices in an office or data center into a single LAN to provide sharing of common resources such as file servers. The default configuration creates a single VLAN, and all traffic on the switch is part of that broadcast domain. Creating separate network segments reduces the span of the broadcast domain and enables you to group related users and network resources without being limited by physical cabling or by the location of a network device in the building or on the LAN.

This example shows a simple configuration to illustrate the basic steps for creating two VLANs on a single switch. One VLAN, called sales, is for the sales and marketing group, and a second, called support, is for the customer support team. The sales and support groups each have their own dedicated file servers and other resources. For the switch ports to be segmented across the two VLANs, each VLAN must have its own broadcast domain, identified by a unique name and tag (VLAN ID). In addition, each VLAN must be on its own distinct IP subnet.

Topology

The topology used in this example consists of a single QFX3500 switch, with a total of 48 10-Gbps Ethernet ports. (For the purposes of this example, the QSFP+ ports Q0-Q3, which are ports xe-0/1/0 through xe-0/1/15, are excluded.)

Table 5: Components of the Multiple VLAN Topology

Property

Settings

Switch hardware

QFX3500 switch configured with 48 10-Gbps Ethernet ports (xe-0/0/0 through xe-0/0/47)

VLAN names and tag IDs

sales, tag 100; support, tag 200

VLAN subnets

sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126); support: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)

Interfaces in VLAN sales

File servers: xe-0/0/20 and xe-0/0/21

Interfaces in VLAN support

File servers: xe-0/0/46 and xe-0/0/47

Unused interfaces

xe-0/0/2 and xe-0/0/25

This configuration example creates two IP subnets, one for the sales VLAN and the second for the support VLAN. The switch bridges traffic within a VLAN. For traffic passing between two VLANs, the switch routes the traffic using a Layer 3 routing interface on which you have configured the address of the IP subnet.

To keep the example simple, the configuration steps show only a few devices in each of the VLANs. Use the same configuration procedure to add more LAN devices.
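Both multiple-VLAN examples on this page require a unique tag per VLAN and a distinct IP subnet per VLAN, and a segmentation plan that breaks either rule can be caught before commit. The following is an added example, not Juniper's code: the tags and subnets come from the table above, while the gateway addresses, the Layer 3 unit numbers, and the function name audit_vlan_plan are assumptions.

```python
import ipaddress
import re
from itertools import combinations

VLAN_ID = re.compile(r"^set vlans (\S+) vlan-id (\d+)$")
VLAN_L3 = re.compile(r"^set vlans (\S+) l3-interface (\S+)$")
L3_ADDR = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")

# Constructed sample using the table's tags and subnets (ELS style, irb units).
GOOD_CONFIG = """
set vlans sales vlan-id 100
set vlans sales l3-interface irb.0
set vlans support vlan-id 200
set vlans support l3-interface irb.1
set interfaces irb unit 0 family inet address 192.0.2.1/25
set interfaces irb unit 1 family inet address 192.0.2.129/25
"""

# Constructed faulty variant: the tag is reused and the support mask is widened
# to /24, so the support subnet now contains the sales subnet.
BAD_CONFIG = """
set vlans sales vlan-id 100
set vlans sales l3-interface irb.0
set vlans support vlan-id 100
set vlans support l3-interface irb.1
set interfaces irb unit 0 family inet address 192.0.2.1/25
set interfaces irb unit 1 family inet address 192.0.2.129/24
"""


def audit_vlan_plan(config_text):
    """Return a list of findings; an empty list means the plan is consistent."""
    tags, l3_of, nets = {}, {}, {}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if m := VLAN_ID.match(line):
            tags[m.group(1)] = int(m.group(2))
        elif m := VLAN_L3.match(line):
            l3_of[m.group(1)] = m.group(2)
        elif m := L3_ADDR.match(line):
            ifl = f"{m.group(1)}.{m.group(2)}"
            network = ipaddress.ip_interface(m.group(3)).network
            nets.setdefault(ifl, []).append(network)

    findings = []
    for name in sorted(set(tags) | set(l3_of)):
        tag = tags.get(name)
        if tag is not None and not 1 <= tag <= 4094:
            findings.append(f"{name}: tag {tag} is outside 1-4094")
        if name in l3_of and not nets.get(l3_of[name]):
            findings.append(f"{name}: {l3_of[name]} has no inet address")

    # Each VLAN needs its own tag.
    for a, b in combinations(sorted(tags), 2):
        if tags[a] == tags[b]:
            findings.append(f"{a} and {b} share tag {tags[a]}")

    # Each VLAN needs its own Layer 3 interface and a non-overlapping subnet.
    for a, b in combinations(sorted(l3_of), 2):
        if l3_of[a] == l3_of[b]:
            findings.append(f"{a} and {b} are bound to the same L3 interface {l3_of[a]}")
            continue
        for net_a in nets.get(l3_of[a], []):
            for net_b in nets.get(l3_of[b], []):
                if net_a.overlaps(net_b):
                    findings.append(f"{a} ({net_a}) overlaps {b} ({net_b})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_vlan_plan(cfg) or "no findings")
```

The same checks apply to the non-ELS style, where the Layer 3 interface is named vlan.0 and vlan.1 instead of irb.0 and irb.1.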

Configuration

Procedure

CLI Quick Configuration

To quickly configure Layer 2 switching for the two VLANs (sales and support) and to quickly configure Layer 3 routing of traffic between the two VLANs, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

Configure the switch interfaces and the VLANs to which they belong. By default, all interfaces are in access mode, so you do not have to configure the port mode.

  1. Configure the interface for the file server in the sales VLAN:

  2. Configure the interface for the file server in the support VLAN:

  3. Create the subnet for the sales broadcast domain:

  4. Create the subnet for the support broadcast domain:

  5. Configure the VLAN tag IDs for the sales and support VLANs:

  6. To route traffic between the sales and support VLANs, define the interfaces that are members of each VLAN and associate a Layer 3 interface:

Configuration Results

Display the results of the configuration:

Tip:

To quickly configure the sales and support VLAN interfaces, issue the load merge terminal command. Then copy the hierarchy and paste it into the switch terminal window.

Verification

To verify that the sales and support VLANs have been created and are operating properly, perform these tasks:

Verifying That the VLANs Have Been Created and Associated with the Correct Interfaces

Purpose

Verify that the sales and support VLANs have been created on the switch and that all connected interfaces on the switch are members of the correct VLAN.

Action

To list all VLANs configured on the switch, use the show vlans command:

Meaning

The show vlans command lists all VLANs configured on the switch and which interfaces are members of each VLAN. This command output shows that the sales and support VLANs have been created. The sales VLAN has a tag ID of 100 and is associated with interfaces xe-0/0/0.0, xe-0/0/3.0, xe-0/0/20.0, and xe-0/0/22.0. VLAN support has a tag ID of 200 and is associated with interfaces xe-0/0/24.0, xe-0/0/26.0, xe-0/0/44.0, and xe-0/0/46.0.

Verifying That Traffic Is Being Routed Between the Two VLANs

Purpose

Verify routing between the two VLANs.

Action

List the Layer 3 routes in the switch Address Resolution Protocol (ARP) table:

Meaning

Sending IP packets on a multiaccess network requires mapping from an IP address to a MAC address (the physical or hardware address). The ARP table displays the mapping between the IP address and MAC address for both vlan.0 (associated with sales) and vlan.1 (associated with support). These VLANs can route traffic to each other.

Verifying That Traffic Is Being Switched Between the Two VLANs

Purpose

Verify that learned entries are being added to the Ethernet switching table.

Action

List the contents of the Ethernet switching table:

Meaning

The output shows that learned entries for the sales and support VLANs have been added to the Ethernet switching table, and are associated with interfaces xe-0/0/0.0 and xe-0/0/46.0. Even though the VLANs were associated with more than one interface in the configuration, these interfaces are the only ones that are currently operating.

Example: Connecting Access Switches with ELS Support to a Distribution Switch with ELS Support

Note:

This example uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. For ELS details, see Using the Enhanced Layer 2 Software CLI.

In large local area networks (LANs), you commonly need to aggregate traffic from a number of access switches into a distribution switch.

This example describes how to connect access switches to a distribution switch:

Requirements

This example uses the following hardware and software components:

  • Three EX Series access switches.

  • One EX Series distribution switch.

    Note:

    In an access switch-distribution switch topology, you can connect EX Series switches that run a version of Junos OS that supports ELS with EX Series switches that do not run a version of Junos OS that supports ELS. However, this example uses switches running ELS only to show how to configure this topology using the ELS CLI.

  • Junos OS Release 12.3R2 or later that supports ELS for EX Series switches.

Before you connect an access switch to a distribution switch, be sure you have:

Overview and Topology

In a large office that is spread across several floors or buildings, or in a data center, you commonly aggregate traffic from a number of access switches into a distribution switch. This configuration example shows a simple topology to illustrate how to connect three access switches to a distribution switch.

In the topology, the LAN is segmented into two VLANs, one for the sales department and the second for the support team. One 1-Gigabit Ethernet port on one of the access switch's uplink modules connects to one 1-Gigabit Ethernet port on the distribution switch.

Figure 1 shows an EX9200 distribution switch that is connected to three EX4300 access switches.

Figure 1: Sample Access Switch-Distribution Switch Topology

Topology

Table 6 describes the components of the example topology. The example shows how to configure one of the three access switches. The other access switches could be configured in the same manner.

Table 6: Components of the Topology for Connecting an Access Switch to a Distribution Switch
Property Settings

Access switch hardware

Three EX4300 switches, each with an uplink module with 1-Gigabit Ethernet ports.

Distribution switch hardware

One EX9208 with up to three EX9200-40T line cards installed, which, at full duplex, can provide up to 240 1-Gigabit ports.

VLAN names and tag IDs

sales, tag 100
support, tag 200

VLAN subnets

sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126)
support: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)

Trunk port interfaces

On the access switch: ge-0/2/0
On the distribution switch: ge-0/0/0

Access port interfaces in VLAN sales (on access switch)

Avaya IP telephones: ge-0/0/3 through ge-0/0/19
Wireless access points: ge-0/0/0 and ge-0/0/1
Printers: ge-0/0/22 and ge-0/0/23
File servers: ge-0/0/20 and ge-0/0/21

Access port interfaces in VLAN support (on access switch)

Avaya IP telephones: ge-0/0/25 through ge-0/0/43
Wireless access points: ge-0/0/24
Printers: ge-0/0/44 and ge-0/0/45
File servers: ge-0/0/46 and ge-0/0/47

Configuring the Access Switch

To configure the access switch:

Procedure

CLI Quick Configuration

To quickly configure the access switch, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To configure the access switch:

  1. Configure the 1-Gigabit Ethernet interface on the uplink module to be the trunk port that connects to the distribution switch:

  2. Specify the VLANs to be aggregated on the trunk port:

  3. To handle untagged packets that are received on the trunk port, create a native VLAN by configuring a VLAN ID and specifying that the trunk port is a member of the native VLAN:

  4. Configure the sales VLAN:

  5. Configure the support VLAN:

  6. Create the subnet for the sales VLAN:

  7. Create the subnet for the support VLAN:

  8. Configure the interfaces in the sales VLAN:

  9. Configure the interfaces in the support VLAN:

Results

Display the results of the configuration:

Tip:

To quickly configure the access switch, issue the load merge terminal command, then copy the hierarchy and paste it into the switch terminal window.

Configuring the Distribution Switch

To configure the distribution switch:

Procedure

CLI Quick Configuration

To quickly configure the distribution switch, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To configure the distribution switch:

  1. Configure the interface on the switch to be the trunk port that connects to the access switch:

  2. Specify the VLANs to be aggregated on the trunk port:

  3. To handle untagged packets that are received on the trunk port, create a native VLAN by configuring a VLAN ID and specifying that the trunk port is a member of the native VLAN:

  4. Configure the sales VLAN:

    The VLAN configuration for the distribution switch includes the set l3-interface irb.0 command to route traffic between the sales and support VLANs. The VLAN configuration for the access switch does not include this statement because the access switch is not monitoring IP addresses. Instead, the access switch is passing the IP addresses to the distribution switch for interpretation.

  5. Configure the support VLAN:

    The VLAN configuration for the distribution switch includes the set l3-interface irb.1 command to route traffic between the sales and support VLANs. The VLAN configuration for the access switch does not include this statement because the access switch is not monitoring IP addresses. Instead, the access switch is passing the IP addresses to the distribution switch for interpretation.

  6. Create the subnet for the sales VLAN:

  7. Create the subnet for the support VLAN:

Results

Display the results of the configuration:

Tip:

To quickly configure the distribution switch, issue the load merge terminal command, then copy the hierarchy and paste it into the switch terminal window.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the VLAN Members and Interfaces on the Access Switch

Purpose

Verify that the sales and support VLANs have been created on the switch.

Action

List all VLANs configured on the switch:

Meaning

The output shows the sales and support VLANs and the interfaces that are configured as members of the respective VLANs.

Verifying the VLAN Members and Interfaces on the Distribution Switch

Purpose

Verify that the sales and support VLANs have been created on the switch.

Action

List all VLANs configured on the switch:

Meaning

The output shows the sales and support VLANs and the interface (ge-0/0/0.0) that is configured as a member of both VLANs. Interface ge-0/0/0.0 is also the trunk interface connected to the access switch.

Example: Setting Up Bridging with Multiple VLANs for EX Series Switches

To segment traffic on a LAN into separate broadcast domains, you create separate virtual LANs (VLANs) on an EX Series switch. Each VLAN is a collection of network nodes. When you use VLANs, frames whose origin and destination are in the same VLAN are forwarded only within the local VLAN, and only frames not destined for the local VLAN are forwarded to other broadcast domains. VLANs thus limit the amount of traffic flowing across the entire LAN, reducing the possible number of collisions and packet retransmissions within the LAN.

This example describes how to configure bridging for an EX Series switch and how to create two VLANs to segment the LAN:

Requirements

This example uses the following hardware and software components:

  • One EX4200-48P Virtual Chassis switch

  • Junos OS Release 9.0 or later for EX Series switches

Before you set up bridging and VLANs, be sure you have:

Overview and Topology

EX Series switches connect all devices in an office or data center into a single LAN to provide sharing of common resources such as printers and file servers and to enable wireless devices to connect to the LAN through wireless access points. The default configuration creates a single VLAN, and all traffic on the switch is part of that broadcast domain. Creating separate network segments reduces the span of the broadcast domain and allows you to group related users and network resources without being limited by physical cabling or by the location of a network device in the building or on the LAN.

This example shows a simple configuration to illustrate the basic steps for creating two VLANs on a single switch. One VLAN, called sales, is for the sales and marketing group, and a second, called support, is for the customer support team. The sales and support groups each have their own dedicated file servers, printers, and wireless access points. For the switch ports to be segmented across the two VLANs, each VLAN must have its own broadcast domain, identified by a unique name and tag (VLAN ID). In addition, each VLAN must be on its own distinct IP subnet.

Topology

The topology for this example consists of one EX4200-48P switch, which has a total of 48 Gigabit Ethernet ports, all of which support Power over Ethernet (PoE). Most of the switch ports connect to Avaya IP telephones. The remainder of the ports connect to wireless access points, file servers, and printers. Table 7 explains the components of the example topology.

Table 7: Components of the Multiple VLAN Topology
Property Settings

Switch hardware

EX4200-48P, 48 Gigabit Ethernet ports, all PoE-enabled (ge-0/0/0 through ge-0/0/47)

VLAN names and tag IDs

sales, tag 100
support, tag 200

VLAN subnets

sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126)
support: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)

Interfaces in VLAN sales

Avaya IP telephones: ge-0/0/3 through ge-0/0/19
Wireless access points: ge-0/0/0 and ge-0/0/1
Printers: ge-0/0/22 and ge-0/0/23
File servers: ge-0/0/20 and ge-0/0/21

Interfaces in VLAN support

Avaya IP telephones: ge-0/0/25 through ge-0/0/43
Wireless access points: ge-0/0/24
Printers: ge-0/0/44 and ge-0/0/45
File servers: ge-0/0/46 and ge-0/0/47

Unused interfaces

ge-0/0/2 and ge-0/0/25

This configuration example creates two IP subnets, one for the sales VLAN and the second for the support VLAN. The switch bridges traffic within a VLAN. For traffic passing between two VLANs, the switch routes the traffic using a Layer 3 routing interface on which you have configured the address of the IP subnet.

To keep the example simple, the configuration steps show only a few devices in each of the VLANs. Use the same configuration procedure to add more LAN devices.
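Before any port is configured, the plan in Table 7 can be checked for conflicts. The following Python sketch is an added example, not part of the Juniper documentation: it transcribes Table 7 as data (the dict layout and function names are this example's own), checks that every port is claimed exactly once, that tags are unique and subnets do not overlap, and tells whether a packet between two addresses is bridged or routed.

```python
import ipaddress

# Table 7 transcribed as data. The values are the page's; the dict layout is this example's.
PLAN = {
    "sales": {
        "tag": 100, "subnet": "192.0.2.0/25",
        "ports": ["ge-0/0/3 through ge-0/0/19", "ge-0/0/0", "ge-0/0/1",
                  "ge-0/0/22", "ge-0/0/23", "ge-0/0/20", "ge-0/0/21"],
    },
    "support": {
        "tag": 200, "subnet": "192.0.2.128/25",
        "ports": ["ge-0/0/25 through ge-0/0/43", "ge-0/0/24",
                  "ge-0/0/44", "ge-0/0/45", "ge-0/0/46", "ge-0/0/47"],
    },
}
UNUSED = ["ge-0/0/2", "ge-0/0/25"]
ALL_PORTS = "ge-0/0/0 through ge-0/0/47"


def expand(spec):
    """Expand 'ge-0/0/3 through ge-0/0/19' (or a single port name) into port names."""
    first, _, last = spec.partition(" through ")
    prefix, start = first.rsplit("/", 1)
    end = last.rsplit("/", 1)[1] if last else start
    return [f"{prefix}/{n}" for n in range(int(start), int(end) + 1)]


def validate(plan, unused, all_ports):
    """Return findings for port, tag and subnet conflicts in a VLAN plan."""
    findings, claims, tags = [], {}, {}
    groups = [(name, vlan["ports"]) for name, vlan in plan.items()] + [("unused", unused)]
    for group, specs in groups:
        for spec in specs:
            for port in expand(spec):
                claims.setdefault(port, []).append(group)
    for port in expand(all_ports):
        owners = claims.get(port, [])
        if len(owners) > 1:
            findings.append(f"{port}: listed under {' and '.join(owners)}")
        elif not owners:
            findings.append(f"{port}: not assigned to a VLAN or to the unused list")
    for name, vlan in plan.items():
        if vlan["tag"] in tags:
            findings.append(f"{name}: tag {vlan['tag']} already used by {tags[vlan['tag']]}")
        tags.setdefault(vlan["tag"], name)
    names = sorted(plan)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            net_a = ipaddress.ip_network(plan[a]["subnet"])
            net_b = ipaddress.ip_network(plan[b]["subnet"])
            if net_a.overlaps(net_b):
                findings.append(f"{a} and {b}: subnets {net_a} and {net_b} overlap")
    return findings


def host_range(plan, name):
    """First and last usable host address of a VLAN's subnet, as strings."""
    net = ipaddress.ip_network(plan[name]["subnet"])
    return str(net[1]), str(net[-2])


def forwarding_path(plan, src, dst):
    """Say whether the switch bridges or routes a packet from src to dst."""
    def vlan_of(address):
        ip = ipaddress.ip_address(address)
        return next((n for n, v in plan.items()
                     if ip in ipaddress.ip_network(v["subnet"])), None)
    a, b = vlan_of(src), vlan_of(dst)
    if a is None or b is None:
        return "outside the plan"
    return f"bridged within {a}" if a == b else f"routed from {a} to {b}"


if __name__ == "__main__":
    for finding in validate(PLAN, UNUSED, ALL_PORTS):
        print(finding)
    print(forwarding_path(PLAN, "192.0.2.10", "192.0.2.200"))
```

Run on Table 7 as printed, the check reports one conflict: ge-0/0/25 falls inside the support telephone range and is also listed as unused.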

Configuration

Configure Layer 2 switching for two VLANs:

Procedure

CLI Quick Configuration

To quickly configure Layer 2 switching for the two VLANs (sales and support) and to quickly configure Layer 3 routing of traffic between the two VLANs, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

Configure the switch interfaces and the VLANs to which they belong. By default, all interfaces are in access mode, so you do not have to configure the port mode.

  1. Configure the interface for the wireless access point in the sales VLAN:

  2. Configure the interface for the Avaya IP phone in the sales VLAN:

  3. Configure the interface for the printer in the sales VLAN:

  4. Configure the interface for the file server in the sales VLAN:

  5. Configure the interface for the wireless access point in the support VLAN:

  6. Configure the interface for the Avaya IP phone in the support VLAN:

  7. Configure the interface for the printer in the support VLAN:

  8. Configure the interface for the file server in the support VLAN:

  9. Create the subnet for the sales broadcast domain:

  10. Create the subnet for the support broadcast domain:

  11. Configure the VLAN tag IDs for the sales and support VLANs:

  12. To route traffic between the sales and support VLANs, define the interfaces that are members of each VLAN and associate a Layer 3 interface:

Results

Display the results of the configuration:

Tip:

To quickly configure the sales and support VLAN interfaces, issue the load merge terminal command, then copy the hierarchy and paste it into the switch terminal window.

Verification

To verify that the “sales” and “support” VLANs have been created and are operating properly, perform these tasks:

Verifying That the VLANs Have Been Created and Associated with the Correct Interfaces

Purpose

Verify that the VLANs sales and support have been created on the switch and that all connected interfaces on the switch are members of the correct VLAN.

Action

List all VLANs configured on the switch:

Use the operational mode commands:

Meaning

The show vlans command lists all VLANs configured on the switch and which interfaces are members of each VLAN. This command output shows that the sales and support VLANs have been created. The sales VLAN has a tag ID of 100 and is associated with interfaces ge-0/0/0.0, ge-0/0/3.0, ge-0/0/20.0, and ge-0/0/22.0. VLAN support has a tag ID of 200 and is associated with interfaces ge-0/0/24.0, ge-0/0/26.0, ge-0/0/44.0, and ge-0/0/46.0.

Verifying That Traffic Is Being Routed Between the Two VLANs

Purpose

Verify routing between the two VLANs.

Action

List the Layer 3 routes in the switch's Address Resolution Protocol (ARP) table:

Meaning

Sending IP packets on a multiaccess network requires mapping from an IP address to a MAC address (the physical or hardware address). The ARP table displays the mapping between the IP address and MAC address for both vlan.0 (associated with sales) and vlan.1 (associated with support). These VLANs can route traffic to each other.

Verifying That Traffic Is Being Switched Between the Two VLANs

Purpose

Verify that learned entries are being added to the Ethernet switching table.

Action

List the contents of the Ethernet switching table:

Meaning

The output shows that learned entries for the sales and support VLANs have been added to the Ethernet switching table, and are associated with interfaces ge-0/0/0.0 and ge-0/0/46.0. Even though the VLANs were associated with more than one interface in the configuration, these interfaces are the only ones that are currently operating.

Example: Connecting an Access Switch to a Distribution Switch

In large local area networks (LANs), you commonly need to aggregate traffic from a number of access switches into a distribution switch.

This example describes how to connect an access switch to a distribution switch:

Requirements

This example uses the following hardware and software components:

  • For the distribution switch, one EX 4200-24F switch. This model is designed to be used as a distribution switch for aggregation or collapsed core network topologies and in space-constrained data centers. It has twenty-four 1-Gigabit Ethernet fiber SFP ports and an EX-UM-2XFP uplink module with two 10-Gigabit Ethernet XFP ports.

  • For the access switch, one EX 3200-24P, which has twenty-four 1-Gigabit Ethernet ports, all of which support Power over Ethernet (PoE), and an uplink module with four 1-Gigabit Ethernet ports.

  • Junos OS Release 11.1 or later for the QFX Series

Overview and Topology

In a large office that is spread across several floors or buildings, or in a data center, you commonly aggregate traffic from a number of access switches into a distribution switch. This configuration example shows a simple topology to illustrate how to connect a single access switch to a distribution switch.

In the topology, the LAN is segmented into two VLANs, one for the sales department and the second for the support team. One 1-Gigabit Ethernet port on the access switch's uplink module connects to one 1-Gigabit Ethernet port on the distribution switch.

Topology

Table 8 explains the components of the example topology. The example shows how to configure one of the three access switches. The other access switches could be configured in the same manner.

Table 8: Components of the Topology for Connecting an Access Switch to a Distribution Switch
Property Settings

Access switch hardware

EX 3200-24P, 24 1-Gigabit Ethernet ports, all PoE-enabled (ge-0/0/0 through ge-0/0/23); one 4-port 1-Gigabit Ethernet uplink module (EX-UM-4SFP)

Distribution switch hardware

EX 4200-24F, 24 1-Gigabit Ethernet fiber SFP ports (ge-0/0/0 through ge-0/0/23); one 2-port 10-Gigabit Ethernet XFP uplink module (EX-UM-4SFP)

VLAN names and tag IDs

sales, tag 100
support, tag 200

VLAN subnets

sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126)
support: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)

Trunk port interfaces

On the access switch: ge-0/1/0
On the distribution switch: ge-0/0/0

Access port interfaces in VLAN sales (on access switch)

Avaya IP telephones: ge-0/0/3 through ge-0/0/19
Wireless access points: ge-0/0/0 and ge-0/0/1
Printers: ge-0/0/22 and ge-0/0/23
File servers: ge-0/0/20 and ge-0/0/21

Access port interfaces in VLAN support (on access switch)

Avaya IP telephones: ge-0/0/25 through ge-0/0/43
Wireless access points: ge-0/0/24
Printers: ge-0/0/44 and ge-0/0/45
File servers: ge-0/0/46 and ge-0/0/47

Unused interfaces on access switch

ge-0/0/2 and ge-0/0/25

Configuring the Access Switch

To configure the access switch:

Procedure

CLI Quick Configuration

To quickly configure the access switch, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To configure the access switch:

  1. Configure the 1-Gigabit Ethernet interface on the uplink module to be the trunk port that connects to the distribution switch:

  2. Specify the VLANs to be aggregated on the trunk port:

  3. Configure the VLAN ID to use for packets that are received with no dot1q tag (untagged packets):

  4. Configure the sales VLAN:

  5. Configure the support VLAN:

  6. Create the subnet for the sales broadcast domain:

  7. Create the subnet for the support broadcast domain:

  8. Configure the interfaces in the sales VLAN:

  9. Configure the interfaces in the support VLAN:

  10. Configure descriptions and VLAN tag IDs for the sales and support VLANs:

  11. To route traffic between the sales and support VLANs, associate a Layer 3 interface with each VLAN:

Results

Display the results of the configuration:

Tip:

To quickly configure the distribution switch, issue the load merge terminal command, then copy the hierarchy and paste it into the switch terminal window.

Configuring the Distribution Switch

To configure the distribution switch:

Procedure

CLI Quick Configuration

To quickly configure the distribution switch, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To configure the distribution switch:

  1. Configure the interface on the switch to be the trunk port that connects to the access switch:

  2. Specify the VLANs to be aggregated on the trunk port:

  3. Configure the VLAN ID to use for packets that are received with no dot1q tag (untagged packets):

  4. Configure the sales VLAN:

  5. Configure the support VLAN:

  6. Create the subnet for the sales broadcast domain:

  7. Create the subnet for the support broadcast domain:

Results

Display the results of the configuration:

Tip:

To quickly configure the distribution switch, issue the load merge terminal command, then copy the hierarchy and paste it into the switch terminal window.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the VLAN Members and Interfaces on the Access Switch

Purpose

Verify that the sales and support VLANs have been created on the switch.

Action

List all VLANs configured on the switch:

Meaning

The output shows the sales and support VLANs and the interfaces associated with them.

Verifying the VLAN Members and Interfaces on the Distribution Switch

Purpose

Verify that the sales and support VLANs have been created on the switch.

Action

List all VLANs configured on the switch:

Meaning

The output shows the sales and support VLANs associated with interface ge-0/0/0.0. Interface ge-0/0/0.0 is the trunk interface connected to the access switch.

Configuring a Logical Interface for Access Mode

Enterprise network administrators can configure a single logical interface to accept untagged packets and forward the packets within a specified VLAN. A logical interface configured to accept untagged packets is called an access interface or access port.

You can include this statement at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number family ethernet-switching]

  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family ethernet-switching]

When an untagged or tagged packet is received on an access interface, the packet is accepted, the VLAN ID is added to the packet, and the packet is forwarded within the VLAN that is configured with the matching VLAN ID.

The following example configures a logical interface as an access port with a VLAN ID of 20 on routers and switches that support the enhanced Layer 2 software:

Configuring the Native VLAN Identifier

Note:

This task uses Junos OS for EX Series switches and Junos OS for QFX3500 and QFX3600 switches that does not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Configuring the Native VLAN Identifier on Switches With ELS Support. For ELS details, see Using the Enhanced Layer 2 Software CLI.

EX Series switches support receiving and forwarding routed or bridged Ethernet frames with 802.1Q VLAN tags. The logical interface on which untagged packets are to be received must be configured with the same native VLAN ID as that configured on the physical interface.

To configure the native VLAN ID using the CLI:

  1. Configure the port mode so that the interface is in multiple VLANs and can multiplex traffic between different VLANs. Trunk interfaces typically connect to other switches and to routers on the LAN. Configure the port mode as trunk:
  2. Configure the native VLAN ID:

Configuring the Native VLAN Identifier on Switches With ELS Support

Note:

This task uses Junos OS for EX Series switches and Junos OS for QFX3500 and QFX3600 switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Configuring the Native VLAN Identifier. For ELS details, see Using the Enhanced Layer 2 Software CLI.

Switches can receive and forward routed or bridged Ethernet frames with 802.1Q VLAN tags. Typically, trunk ports, which connect switches to each other, accept untagged control packets but do not accept untagged data packets. You can enable a trunk port to accept untagged data packets by configuring a native VLAN ID on the interface on which you want the untagged data packets to be received. The logical interface on which untagged packets are to be received must be configured with the same VLAN ID as the native VLAN ID configured on the physical interface.

To configure the native VLAN ID by using the command-line interface (CLI):

  1. On the interface on which you want untagged data packets to be received, set the interface mode to trunk, which specifies that the interface is in multiple VLANs and can multiplex traffic between different VLANs:
  2. Configure the native VLAN ID:
  3. Specify that the logical interface that will receive the untagged data packets is a member of the native VLAN:
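The three steps above, and the trunk between an access switch and a distribution switch in the earlier ELS example, can be checked from saved configuration. The following Python sketch is an added example, not Juniper's code: it parses ELS statements in set format and reports a trunk port whose native VLAN ID is not among the VLAN members of its logical interface, and any difference between the two ends of the link. The two configurations are constructed samples; native VLAN ID 10 and the VLAN name native are assumptions, and only the statements shown are parsed.

```python
import re
from collections import defaultdict

# Constructed ELS "set" statements for the two ends of one trunk (not from the page).
# Native VLAN ID 10 and the VLAN name "native" are assumptions for this example.
ACCESS_CFG = """\
set interfaces ge-0/2/0 native-vlan-id 10
set interfaces ge-0/2/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/2/0 unit 0 family ethernet-switching vlan members [ sales support ]
set interfaces ge-0/2/0 unit 0 family ethernet-switching vlan members native
set vlans sales vlan-id 100
set vlans support vlan-id 200
set vlans native vlan-id 10
"""
# The distribution end omits the native VLAN membership (step 3 above).
DISTRIBUTION_CFG = """\
set interfaces ge-0/0/0 native-vlan-id 10
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members support
set vlans sales vlan-id 100
set vlans support vlan-id 200
"""

IFACE = r"set interfaces (\S+) "
ESW = IFACE + r"unit 0 family ethernet-switching "  # only unit 0 is handled


def parse(cfg):
    """Return (VLAN name -> ID, interface -> mode / native ID / member tokens)."""
    vlan_ids = {}
    ports = defaultdict(lambda: {"mode": None, "native": None, "members": set()})
    for line in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"set vlans (\S+) vlan-id (\d+)", line):
            vlan_ids[m[1]] = int(m[2])
        elif m := re.fullmatch(IFACE + r"native-vlan-id (\d+)", line):
            ports[m[1]]["native"] = int(m[2])
        elif m := re.fullmatch(ESW + r"interface-mode (\S+)", line):
            ports[m[1]]["mode"] = m[2]
        elif m := re.fullmatch(ESW + r"vlan members (.+)", line):
            ports[m[1]]["members"].update(m[2].strip("[] ").split())
    return vlan_ids, dict(ports)


def audit_end(switch, cfg, ifname):
    """Check one trunk end; return (findings, native ID, member VLAN IDs)."""
    vlan_ids, ports = parse(cfg)
    port = ports.get(ifname)
    where = f"{switch} {ifname}"
    if port is None or port["mode"] != "trunk":
        return [f"{where}: interface-mode is not trunk"], None, None
    findings, ids = [], set()
    for member in sorted(port["members"]):  # members may be names or numeric IDs
        if member.isdigit():
            ids.add(int(member))
        elif member in vlan_ids:
            ids.add(vlan_ids[member])
        else:
            findings.append(f"{where}: VLAN member '{member}' has no vlan-id defined")
    native = port["native"]
    if native is not None and native not in ids:
        findings.append(f"{where}: native-vlan-id {native} is not a VLAN member of unit 0")
    return findings, native, ids


def audit_link(end_a, end_b):
    """Audit both ends of a trunk; each end is (switch, config text, interface)."""
    f_a, native_a, ids_a = audit_end(*end_a)
    f_b, native_b, ids_b = audit_end(*end_b)
    findings = f_a + f_b
    if ids_a is not None and ids_b is not None:
        if native_a != native_b:
            findings.append(f"native VLAN mismatch across the link: {native_a} vs {native_b}")
        if ids_a != ids_b:
            diff = sorted(ids_a ^ ids_b)
            findings.append(f"VLAN IDs carried on only one end of the link: {diff}")
    return findings


if __name__ == "__main__":
    for finding in audit_link(("access", ACCESS_CFG, "ge-0/2/0"),
                              ("distribution", DISTRIBUTION_CFG, "ge-0/0/0")):
        print(finding)
```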

Configuring VLAN Encapsulation

To configure encapsulation on an interface, enter the encapsulation statement at the [edit interfaces interface-name] hierarchy level:

The following list contains important notes regarding encapsulation:

  • Ethernet interfaces in VLAN mode can have multiple logical interfaces. In CCC and VPLS modes, VLAN IDs from 1 through 511 are reserved for normal VLANs, and VLAN IDs 512 through 4094 are reserved for CCC or VPLS VLANs. For 4-port Fast Ethernet interfaces, you can use VLAN IDs 512 through 1024 for CCC or VPLS VLANs.

  • For encapsulation type flexible-ethernet-services, all VLAN IDs are valid.

  • For some encapsulation types, including flexible Ethernet services, Ethernet VLAN CCC, and VLAN VPLS, you can also configure the encapsulation type that is used inside the VLAN circuit itself. To do this, include the encapsulation statement:

    You can include this statement at the following hierarchy levels:

    • [edit interfaces interface-name unit logical-unit-number]

    • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

  • You cannot configure a logical interface with VLAN CCC or VLAN VPLS encapsulation unless you also configure the physical device with the same encapsulation or with flexible Ethernet services encapsulation. In general, the logical interface must have a VLAN ID of 512 or higher; if the VLAN ID is 511 or lower, it will be subject to the normal destination filter lookups in addition to source address filtering. However, if you configure flexible Ethernet services encapsulation, this VLAN ID restriction is removed.

In general, you configure an interface’s encapsulation at the [edit interfaces interface-name] hierarchy level.
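The VLAN ID and encapsulation rules in the list above, written as a configuration check. This Python sketch is an added example, not Juniper's code: it reads statements in set format and reports logical interfaces that break those rules. The sample statements and interface names are constructed, the four_port_fe parameter is this example's way of naming 4-port Fast Ethernet interfaces, and only the vlan-ccc, vlan-vpls and flexible-ethernet-services encapsulation types are modelled.

```python
import re

# Constructed "set" statements (not from the page); interface names are placeholders.
SAMPLE = """\
set interfaces ge-2/0/0 vlan-tagging
set interfaces ge-2/0/0 encapsulation vlan-ccc
set interfaces ge-2/0/0 unit 0 encapsulation vlan-ccc
set interfaces ge-2/0/0 unit 0 vlan-id 600
set interfaces ge-2/0/0 unit 1 vlan-id 100
set interfaces ge-2/0/0 unit 2 encapsulation vlan-ccc
set interfaces ge-2/0/0 unit 2 vlan-id 300
set interfaces ge-2/0/1 encapsulation flexible-ethernet-services
set interfaces ge-2/0/1 unit 0 encapsulation vlan-vpls
set interfaces ge-2/0/1 unit 0 vlan-id 300
set interfaces ge-2/0/2 vlan-tagging
set interfaces ge-2/0/2 unit 0 encapsulation vlan-vpls
set interfaces ge-2/0/2 unit 0 vlan-id 700
"""

STMT = re.compile(r"set interfaces (\S+)(?: unit (\d+))? (encapsulation|vlan-id) (\S+)")
CIRCUIT = {"vlan-ccc", "vlan-vpls"}
FLEX = "flexible-ethernet-services"


def parse_encapsulation(config):
    """Return {interface: {"encap": physical encapsulation, "units": {n: {...}}}}."""
    ifaces = {}
    for line in config.splitlines():
        m = STMT.fullmatch(line.strip())
        if not m:
            continue  # statements this example does not model, such as vlan-tagging
        name, unit, key, value = m.groups()
        iface = ifaces.setdefault(name, {"encap": None, "units": {}})
        if unit is None:
            if key == "encapsulation":
                iface["encap"] = value
            continue
        entry = iface["units"].setdefault(int(unit), {"encap": None, "vlan-id": None})
        if key == "encapsulation":
            entry["encap"] = value
        else:
            entry["vlan-id"] = int(value)
    return ifaces


def check_encapsulation(config, four_port_fe=frozenset()):
    """Return findings for logical interfaces that break the rules listed above."""
    findings = []
    for name, iface in sorted(parse_encapsulation(config).items()):
        phys = iface["encap"]
        top = 1024 if name in four_port_fe else 4094  # 4-port Fast Ethernet limit
        for unit, entry in sorted(iface["units"].items()):
            where, encap, vid = f"{name}.{unit}", entry["encap"], entry["vlan-id"]
            if encap in CIRCUIT and phys not in (encap, FLEX):
                findings.append(
                    f"{where}: {encap} requires the physical interface to use {encap} or {FLEX}")
                continue
            if phys == FLEX or phys not in CIRCUIT or vid is None:
                continue  # flexible Ethernet services: all VLAN IDs are valid
            if encap in CIRCUIT and not 512 <= vid <= top:
                findings.append(f"{where}: VLAN ID {vid} is outside 512-{top} for {encap}")
            elif encap not in CIRCUIT and vid > 511:
                findings.append(f"{where}: VLAN ID {vid} is reserved for CCC or VPLS VLANs")
    return findings


if __name__ == "__main__":
    for finding in check_encapsulation(SAMPLE):
        print(finding)
```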

Example: Configuring VLAN Encapsulation on a Gigabit Ethernet Interface

Configure VLAN CCC encapsulation on a Gigabit Ethernet interface:

Example: Configuring VLAN Encapsulation on an Aggregated Ethernet Interface

Configure VLAN CCC encapsulation on an aggregated Gigabit Ethernet interface:

Release History Table
Release
Description
17.3R1
Starting in Junos OS Release 17.3 on QFX10000 switches, the number of vmembers has increased to 256k for integrated routing and bridging interfaces and aggregated Ethernet interfaces.
17.1R3
Starting with Junos OS Release 17.1R3, on QFX10000 switches, you cannot configure an interface with both family ethernet-switching and flexible-vlan-tagging.