Ethernet Port VLANs in Switching Mode on Security Devices
Understanding VLAN Retagging on Security Devices
VLAN retagging is not supported from Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D60.
Starting in Junos OS Release 15.1X49-D70, VLAN retagging in switching mode is supported on SRX300, SRX320, SRX340, SRX345, and SRX550M devices.
Starting in Junos OS Release 15.1X49-D80, VLAN retagging in switching mode is supported on SRX1500 devices.
To support VLAN retagging on SRX Series devices, configure vlan-rewrite in transparent mode and configure swap in switching mode.
The VLAN identifier in packets arriving on a Layer 2 trunk port can be rewritten or retagged with a different internal VLAN identifier. VLAN retagging is a symmetric operation; upon exiting the same trunk port, the retagged VLAN identifier is replaced with the original VLAN identifier. VLAN retagging provides a way to selectively screen incoming packets and redirect them to a firewall or other security device without affecting other VLAN traffic.
VLAN retagging can be applied only to interfaces configured as Layer 2 trunk interfaces. These interfaces can include redundant Ethernet interfaces in a Layer 2 transparent mode within a chassis cluster configuration.
If a trunk port is configured for VLAN retagging, untagged packets received on the port are not assigned a VLAN identifier with the VLAN retagging configuration. To configure a VLAN identifier for untagged packets received on the physical interface, use the native-vlan-id statement.
To configure VLAN retagging for a Layer 2 trunk interface, specify a one-to-one mapping of the following:
Incoming VLAN identifier—VLAN identifier of the incoming packet that is to be retagged. This VLAN identifier must not be the same VLAN identifier configured with the native-vlan-id statement for the trunk port.
Internal VLAN identifier—VLAN identifier for the retagged packet. This VLAN identifier must be in the VLAN identifier list for the trunk port and must not be the same VLAN identifier configured with the native-vlan-id statement for the trunk port.
Configuring VLAN Retagging on a Layer 2 Trunk Interface of a Security Device
VLAN retagging operates on IEEE 802.1Q virtual LAN tagging (VLAN tagging). On SRX1500 devices, VLAN retagging uses the enterprise style of configuration, in which a single statement on top of the normal trunk configuration is sufficient.
- Create a Layer 2 trunk interface.
user@host# set interfaces ge-3/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members 1-10
- Configure VLAN retagging.
user@host# set interfaces ge-3/0/0 unit 0 family ethernet-switching vlan-rewrite translate 11 2
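The rules above (retagging only on trunk interfaces, the incoming and internal VLAN identifiers must differ from the native VLAN, the internal identifier must be in the trunk's member list, and the mapping must be one-to-one) are easy to break when several trunks are edited at once. The following is an added example, not Juniper code: a small lint that reads set-style configuration and reports each rule violation per interface. It assumes the set-statement paths shown on this page for interface-mode, vlan members and vlan-rewrite translate, and assumes that native-vlan-id is configured directly under the physical interface; the sample configuration it runs over is constructed for the example.

```python
"""Lint Junos set-style VLAN retagging configuration against the retagging
rules described on this page. Added example, not Juniper code."""
import re
from typing import Dict, List, Set

# Constructed sample (not from the page): ge-3/0/0 is the page's trunk plus a
# native VLAN; ge-3/0/1 breaks several rules; ge-3/0/2 maps two incoming
# VLANs onto the same internal VLAN, which is not one-to-one.
SAMPLE_CONFIG = """\
set interfaces ge-3/0/0 native-vlan-id 5
set interfaces ge-3/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members 1-10
set interfaces ge-3/0/0 unit 0 family ethernet-switching vlan-rewrite translate 11 2
set interfaces ge-3/0/1 native-vlan-id 20
set interfaces ge-3/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members 20
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan-rewrite translate 20 30
set interfaces ge-3/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-3/0/2 unit 0 family ethernet-switching vlan members 1-10
set interfaces ge-3/0/2 unit 0 family ethernet-switching vlan-rewrite translate 11 2
set interfaces ge-3/0/2 unit 0 family ethernet-switching vlan-rewrite translate 12 2
"""

_PREFIX = r"^set interfaces (\S+) unit \d+ family ethernet-switching "
# interface-mode may carry the vlan members list on the same statement, as on this page.
MODE_RE = re.compile(_PREFIX + r"interface-mode (\S+)(?: vlan members (\S+))?$")
MEMBERS_RE = re.compile(_PREFIX + r"vlan members (\S+)$")
REWRITE_RE = re.compile(_PREFIX + r"vlan-rewrite translate (\d+) (\d+)$")
# Assumed path: native-vlan-id under the physical interface.
NATIVE_RE = re.compile(r"^set interfaces (\S+) native-vlan-id (\d+)$")


def expand_members(spec: str) -> Set[int]:
    """Expand a vlan members token such as '1-10' or '300' into a set of VLAN IDs."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return set(range(lo, hi + 1))
    return {int(spec)}


def parse(config: str) -> Dict[str, dict]:
    """Group the retagging-relevant statements by physical interface name."""
    ifaces: Dict[str, dict] = {}

    def entry(name: str) -> dict:
        return ifaces.setdefault(
            name, {"mode": None, "members": set(), "native": None, "rewrites": []})

    for line in config.splitlines():
        line = line.strip()
        if m := MODE_RE.match(line):
            entry(m.group(1))["mode"] = m.group(2)
            if m.group(3):
                entry(m.group(1))["members"] |= expand_members(m.group(3))
        elif m := MEMBERS_RE.match(line):
            entry(m.group(1))["members"] |= expand_members(m.group(2))
        elif m := REWRITE_RE.match(line):
            entry(m.group(1))["rewrites"].append((int(m.group(2)), int(m.group(3))))
        elif m := NATIVE_RE.match(line):
            entry(m.group(1))["native"] = int(m.group(2))
    return ifaces


def check(config: str) -> Dict[str, List[str]]:
    """Return {interface: [violations]} for every interface that has a vlan-rewrite."""
    findings: Dict[str, List[str]] = {}
    for name, cfg in parse(config).items():
        if not cfg["rewrites"]:
            continue
        problems: List[str] = []
        if cfg["mode"] != "trunk":
            problems.append("vlan-rewrite is only valid on a Layer 2 trunk interface")
        seen_incoming: Set[int] = set()
        seen_internal: Set[int] = set()
        for incoming, internal in cfg["rewrites"]:
            # Untagged frames are never retagged; the native VLAN must stay out of the map.
            if incoming == cfg["native"]:
                problems.append(f"incoming VLAN {incoming} equals native-vlan-id")
            if internal == cfg["native"]:
                problems.append(f"internal VLAN {internal} equals native-vlan-id")
            if internal not in cfg["members"]:
                problems.append(f"internal VLAN {internal} is not in the trunk's vlan members")
            if incoming in seen_incoming or internal in seen_internal:
                problems.append(f"mapping {incoming}->{internal} is not one-to-one")
            seen_incoming.add(incoming)
            seen_internal.add(internal)
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for iface, problems in check(SAMPLE_CONFIG).items():
        for p in problems:
            print(f"{iface}: {p}")
```

Run against the sample, ge-3/0/0 passes cleanly, ge-3/0/1 is reported three times (access mode, incoming VLAN equal to the native VLAN, internal VLAN missing from the member list) and ge-3/0/2 once for the duplicated internal VLAN. Feeding it `show configuration | display set` output from a lab device before commit is the intended use.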
Example: Configuring a Guest VLAN on a Security Device
This example shows how to configure a guest VLAN for limited network access or for Internet-only access to avoid compromising a company’s security.
Guest VLANs are not supported from Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D60.
Before you begin, verify that the interfaces that will be used are in switching mode. See Example: Configuring Switching Modes on Security Devices and Understanding Switching Modes on Security Devices.
In this example, you configure a VLAN called visitor-vlan with a VLAN ID of 300. Then you set protocols and configure visitor-vlan as the guest VLAN.
To configure a guest VLAN:
- Configure a VLAN.
user@host# set vlans visitor-vlan vlan-id 300
- Specify the guest VLAN.
user@host# set protocols dot1x authenticator interface all guest-vlan visitor-vlan
- If you are done configuring the device, commit the configuration.
user@host# commit
To verify that the configuration is working properly, enter the show vlans and show protocols dot1x commands.