Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Ethernet Port VLANs in Switching Mode on Security Devices

 

Understanding VLAN Retagging on Security Devices

VLAN retagging is not supported from Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D60.

Starting in Junos OS Release 15.1X49-D70, VLAN retagging in switching mode is supported on SRX300, SRX320, SRX340, SRX345, and SRX550M devices.

Starting in Junos OS Release 15.1X49-D80, VLAN retagging in switching mode is supported on SRX1500 devices.

To support VLAN retagging on SRX Series devices, configure vlan-rewrite in transparent mode and configure swap in switching mode.

The VLAN identifier in packets arriving on a Layer 2 trunk port can be rewritten or retagged with a different internal VLAN identifier. VLAN retagging is a symmetric operation; upon exiting the same trunk port, the retagged VLAN identifier is replaced with the original VLAN identifier. VLAN retagging provides a way to selectively screen incoming packets and redirect them to a firewall or other security device without affecting other VLAN traffic.

VLAN retagging can be applied only to interfaces configured as Layer 2 trunk interfaces. These interfaces can include redundant Ethernet interfaces in a Layer 2 transparent mode within a chassis cluster configuration.

Note

If a trunk port is configured for VLAN retagging, untagged packets received on the port are not assigned a VLAN identifier with the VLAN retagging configuration. To configure a VLAN identifier for untagged packets received on the physical interface, use the native-vlan-id statement.

To configure VLAN retagging for a Layer 2 trunk interface, specify a one-to-one mapping of the following:

  • Incoming VLAN identifier—VLAN identifier of the incoming packet that is to be retagged. This VLAN identifier must not be the same VLAN identifier configured with the native-vlan-id statement for the trunk port.

  • Internal VLAN identifier—VLAN identifier for the retagged packet. This VLAN identifier must be in the VLAN identifier list for the trunk port and must not be the same VLAN identifier configured with the native-vlan-id statement for the trunk port.

Configuring VLAN Retagging on a Layer 2 Trunk Interface of a Security Device

VLAN retagging is a feature that works on IEEE standard 802.1Q virtual LAN tagging (VLAN tagging. VLAN retagging for SRX1500 devices is an enterprise style of VLAN retagging, in which a single command is sufficient on top of normal trunk configuration.

  1. Create a Layer 2 trunk interface.
    [edit]
    user@host# set interfaces ge-3/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members 1–10
  2. Configure VLAN retagging.
    [edit]
    user@host# set interfaces ge-3/0/0 unit 0 family ethernet-switching vlan-rewrite translate 11 2

Example: Configuring a Guest VLAN on a Security Device

This example shows how to configure a guest VLAN for limited network access or for Internet-only access to avoid compromising a company’s security.

Guest VLANs are not supported from Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D60.

Requirements

Before you begin, verify that the interfaces that will be used are in switch mode. See Example: Configuring Switching Modes on Security Devices and Understanding Switching Modes on Security Devices.

Overview

In this example, you configure a VLAN called visitor-vlan with a VLAN ID of 300. Then you set protocols and configure visitor-vlan as the guest VLAN.

Configuration

Step-by-Step Procedure

To configure a guest VLAN:

  1. Configure a VLAN.
  2. Specify the guest VLAN.
  3. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show vlans and show protocols dot1x commands.