Integrated Routing and Bridging

 

Understanding Integrated Routing and Bridging

To segment traffic on a LAN into separate broadcast domains, you create separate virtual LANs (VLANs). VLANs limit the amount of traffic flowing across the entire LAN, reducing the possible number of collisions and packet retransmissions within the LAN. For example, you might want to create a VLAN that includes the employees in a department and the resources that they use often, such as printers, servers, and so on.

Figure 1 illustrates a switch routing VLAN traffic between two access layer switches using one of these interfaces.

Figure 1: An IRB Interface or RVI on a Switch Providing Routing Between Two Access Switches

Of course, you also want to allow these employees to communicate with people and resources in other VLANs. To forward packets between VLANs, you normally need a router that connects the VLANs. However, you can accomplish this forwarding on a switch without using a router by configuring an integrated routing and bridging (IRB) interface. (These interfaces are also called routed VLAN interfaces, or RVIs). Using this approach reduces complexity and avoids the costs associated with purchasing, installing, managing, powering, and cooling another device.

An IRB is a special type of Layer 3 virtual interface named vlan. Like normal Layer 3 interfaces, the vlan interface needs a logical unit number with an IP address. In fact, to be useful an IRB needs at least two logical units and two IP addresses—you must create units with addresses in each of the subnets associated with the VLANs between which you want traffic to be routed. That is, if you have two VLANs (for example, VLAN red and VLAN blue) with corresponding subnets, your IRB must have a logical unit with an address in the subnet for red and a logical unit with an address in the subnet for blue. The switch automatically creates direct routes to these subnets and uses these routes to forward traffic between VLANs. Packets arriving on a Layer 2 interface that are destined for the device’s MAC address are classified as Layer 3 traffic while packets that are not destined for the device’s MAC address are classified as Layer 2 traffic. Packets destined for the device’s MAC address are sent to the IRB interface. Packets from the device’s routing engine are sent out the IRB interface.

Note

If you specify a VLAN identifier list in the VLAN configuration, you cannot configure an IRB interface for the VLAN.

Note

If you are using a version of Junos OS that supports Enhanced Layer 2 Software (ELS), you can also create a Layer 3 virtual interface named irb instead of vlan—that is, both statements are supported by ELS.

IRB interfaces supporting the Enhanced Layer 2 Software (ELS) configuration style and RVIs that support non-ELS switches provide the same functionality. Where the functionality for both features is the same, this topic uses the term these interfaces to refer collectively to both IRB interfaces and RVIs. Where differences exist between the two features, this topic calls out the IRB interfaces and RVIs separately.

Table 1 shows values you might use when configuring an IRB:

Table 1: Sample IRB Values

| Property | Settings |
|---|---|
| VLAN names and tags (IDs) | blue, ID 100 |
| | red, ID 200 |
| Subnets associated with VLANs | blue: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126) |
| | red: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254) |
| IRB name | interface irb |
| IRB units and addresses | logical unit 100: 192.0.2.1/25 |
| | logical unit 200: 192.0.2.129/25 |

For the sake of consistency and to avoid confusion, Table 1 shows IRB logical unit numbers that match the IDs of the corresponding VLANs. However, you do not have to assign logical unit numbers that match the VLAN IDs—you can use any values for the units. To bind the logical units of the IRB to the appropriate VLANs, you use the l3-interface statement.

Because IRBs operate at Layer 3, you can use Layer 3 services such as firewall filters or CoS rewriting with them.

Table 2 shows the number of IRBs/RVIs that each QFX platform supports.

Table 2: Number of Supported IRBs/RVIs by Platform

| Platform | Number of Supported IRBs/RVIs |
|---|---|
| QFX3500 | 1200 |
| QFX3000-G | 1024 |
| QFX3000-M | 1024 |

IRB Interfaces on SRX Series Devices

On SRX1400, SRX1500, SRX3400, SRX3600, SRX4100, SRX4200, SRX4600, SRX5600, and SRX5800 devices, Juniper supports an IRB interface that allows you to terminate management connections in transparent mode. However, you cannot route traffic on that interface or terminate IPsec VPNs. (Platform support depends on the Junos OS release in your installation.)

Note

You can configure only one IRB logical interface for each VLAN.

On SRX300, SRX320, SRX340, SRX345 devices, and SRX550M on the IRB interface, the following features are not supported:

  • IS-IS (family ISO)

  • Encapsulations (Ether CCC, VLAN CCC, VPLS, PPPoE, and so on) on VLAN interfaces

  • CLNS

  • DVMRP

  • VLAN interface MAC change

  • G-ARP

  • Change VLAN-Id for VLAN interface

Note

Starting with Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, interface statistics are supported on the IRB logical interface for SRX300, SRX320, SRX340, SRX345, and SRX550M devices.

To verify the IRB logical interface statistics, enter the show interfaces irb.<index> extensive and show interfaces irb.<index> statistics commands.

When Should I Use an IRB Interface or RVI?

Configure an IRB interface or an RVI for a VLAN if you need to:

  • Allow traffic to be routed between VLANs.

  • Provide Layer 3 IP connectivity to the switch.

  • Monitor individual VLANs for billing purposes. Service providers often need to monitor traffic for this purpose, but this capability can be useful for enterprises where various groups share the cost of the network.

How Does an IRB Interface or RVI Work?

For an IRB interface, the switch provides the name irb, and for an RVI, the switch provides the name vlan. Like all Layer 3 interfaces, these interfaces require a logical unit number with an IP address assigned to it. In fact, to be useful, the implementation of these interfaces in an enterprise with multiple VLANs requires at least two logical units and two IP addresses—you must create units with addresses in each of the subnets associated with the VLANs between which you want traffic to be routed. That is, if you have two VLANs (for example, VLAN red and VLAN blue) with corresponding subnets, your interfaces must have a logical unit with an address in the subnet for red and a logical unit with an address in the subnet for blue. The switch automatically creates direct routes to these subnets and uses these routes to forward traffic between VLANs.

The interface on the switch detects both MAC addresses and IP addresses, then routes data to other Layer 3 interfaces on routers or other switches. These interfaces detect both IPv4 and IPv6 unicast and multicast virtual routing and forwarding (VRF) traffic. Each logical interface can belong to only one routing instance and is further subdivided into logical interfaces, each with a logical interface number appended as a suffix to the names irb and vlan—for example, irb.10 and vlan.10.

Creating an IRB Interface or RVI

You create an IRB logical interface in a similar manner as a Layer 3 interface, but the IRB interface does not support traffic forwarding or routing. The IRB interface cannot be assigned to a security zone; however, you can configure certain services on a per-zone basis to allow host-inbound traffic for management of the device. This allows you to control the type of traffic that can reach the device from interfaces bound to a specific zone.

There are four basic steps in creating an IRB interface or RVI as shown in Figure 2.

Figure 2: Creating an IRB Interface or RVI

The following explanations correspond to the four steps for creating a VLAN, as depicted in Figure 2.

  • Configure VLANs—Virtual LANs are groups of hosts that communicate as if they were attached to the same broadcast stream. VLANs are created with software and do not require a physical router to forward traffic. VLANs are Layer 2 constructs.

  • Create IRB interfaces or RVIs for the VLANs—The switch’s IRB interfaces and RVIs use Layer 3 logical interfaces (unlike routers, which can use either physical or logical interfaces).

  • Assign an IP address to each VLAN—An IRB interface or RVI cannot be activated unless it is associated with a physical interface.

  • Bind the VLANs to the logical interfaces—There is a one-to-one mapping between a VLAN and an IRB interface or RVI, which means that only one of these interfaces can be mapped to a VLAN.

For specific instructions for creating an IRB interface, see Configuring Integrated Routing and Bridging Interfaces on Switches (CLI Procedure), and for an RVI, see Configuring Routed VLAN Interfaces on Switches (CLI Procedure).

Viewing IRB Interface and RVI Statistics

Some switches automatically track IRB interface and RVI traffic statistics. Other switches allow you to configure tracking. Table 3 illustrates the IRB interface- and RVI-tracking capability on various switches.

Table 3: Tracking IRB Interface and RVI Usage

Switch

Input (ingress)

Output (Egress)

EX4300

Automatic

Automatic

EX3200, EX4200

Automatic

EX8200

Configurable

Automatic

EX2200, EX3300, EX4500, EX6200

You can view input (ingress) and output (egress) totals with the following commands:

  • For IRB interfaces, use the show interfaces irb extensive command. Look at the input and output values in the Transit Statistics field for IRB interface activity values.

  • For RVI, use the show interfaces vlan extensive command. Look at the input and output values in the Logical Interface Transit Statistics field for RVI activity values.

IRB Interfaces and RVI Functions and Other Technologies

IRB interfaces and RVIs are similar to switch virtual interfaces (SVIs) and bridge-group virtual interfaces (BVIs), which are supported on other vendors’ devices. They can also be combined with other functions:

  • VRF is often used in conjunction with Layer 3 subinterfaces, allowing traffic on a single physical interface to be differentiated and associated with multiple virtual routers. For more information about VRF, see Understanding Virtual Routing Instances on EX Series Switches.

  • For redundancy, you can combine an IRB interface or RVI with implementations of the Virtual Router Redundancy Protocol (VRRP) in both bridging and virtual private LAN service (VPLS) environments. For more information about VRRP, see Understanding VRRP.

Configuring IRB Interfaces on Switches

Integrated routing and bridging (IRB) interfaces enable a switch to recognize which packets are being sent to local addresses so that they are bridged whenever possible and are routed only when needed. Whenever packets can be switched instead of routed, several layers of processing are eliminated. Switching also reduces the number of address look-ups.

Note

In versions of Junos OS that do not support Enhanced Layer 2 Software (ELS), this type of interface is called a routed VLAN interface (RVI).

Note

When you upgrade from Junos OS Release 15.1X53 to Junos OS Release 17.3R1, you must define an IRB interface at both the [edit vlans l3-interface] and [edit interfaces irb] hierarchies, otherwise there will be a commit error.

To configure the routed VLAN interface:

  1. Create the VLAN by assigning it a name and a VLAN ID:
    [edit]

    user@switch# set vlans support vlan-id 111
  2. Assign an interface to the VLAN by specifying the logical interface (with the unit statement) and specifying the VLAN name as the member:
    [edit]

    user@switch# set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members support
  3. Create the subnet for the VLAN’s broadcast domain:
    [edit]

    user@switch# set interfaces irb unit 111 family inet address 10.0.0.X/8

    Here X can be any number from 1 through 254.

  4. Bind a Layer 3 interface with the VLAN:
    [edit]

    user@switch# set vlans support l3-interface irb.111
    Note

    If you are using a version of Junos OS that does not support ELS, you create a Layer 3 virtual interface named vlan.

Note

Layer 3 interfaces on trunk ports allow the interface to transfer traffic between multiple VLANs. Within a VLAN, traffic is bridged, while across VLANs, traffic is routed.

You can display the configuration settings:

user@switch> show interfaces irb terse
user@switch> show vlans

Configuring Integrated Routing and Bridging for VLANs

Integrated routing and bridging (IRB) provides simultaneous support for Layer 2 bridging and Layer 3 routing on the same interface. IRB enables you to route packets to another routed interface or to another VLAN that has an IRB interface configured. You configure a logical routing interface by specifying irb as an interface name at the [edit interfaces] hierarchy level and including that interface in the VLAN.

Note

You can include only one Layer 3 interface in a VLAN.

To configure a VLAN with IRB support, include the following statements:

For each VLAN that you configure, specify a vlan-name. You must also specify the value bridge for the domain-type statement.

For the vlan-id statement, you can specify either a valid VLAN identifier or the none option.

Note

If you configure a Layer 3 interface to support IRB in a VLAN, you cannot use the all option for the vlan-id statement.

The vlan-tags statement enables you to specify a pair of VLAN identifiers; an outer tag and an inner tag.

Note

For a single VLAN, you can include either the vlan-id statement or the vlan-tags statement, but not both.

To include one or more logical interfaces in the VLAN, specify the interface-name for each Ethernet interface to include that you configured at the [edit interfaces] hierarchy level.

Note

A maximum of 4096 active logical interfaces are supported for a VLAN or on each mesh group in a VPLS routing instance configured for Layer 2 bridging.

To associate a Layer 3 interface with a VLAN, include the l3-interface interface-name statement and specify an interface-name you configured at the [edit interfaces irb] hierarchy level. You can configure only one Layer 3 interface for each VLAN.

IRB interfaces are supported for multicast snooping.

In multihomed VPLS configurations, you can configure VPLS to keep a VPLS connection up if only an IRB interface is available by configuring the irb option for the connectivity-type statement at the [edit routing-instances routing-instance-name protocols vpls] hierarchy level. The connectivity-type statement has the ce and irb options. The ce option is the default and specifies that a CE interface is required to maintain the VPLS connection. By default, if only an IRB interface is available, the VPLS connection is brought down.

Note

When you configure IRB interfaces in more than one logical system on a device, all of the IRB logical interfaces share the same MAC address.

Configuring Integrated Routing and Bridging Interfaces on Switches (CLI Procedure)

Integrated routing and bridging (IRB) interfaces allow a switch to recognize packets that are being sent to local addresses so that they are bridged (switched) whenever possible and are routed only when necessary. Whenever packets can be switched instead of routed, several layers of processing are eliminated.

An interface named irb functions as a logical router on which you can configure a Layer 3 logical interface for each virtual LAN (VLAN). For redundancy, you can combine an IRB interface with implementations of the Virtual Router Redundancy Protocol (VRRP) in both bridging and virtual private LAN service (VPLS) environments.

Jumbo frames of up to 9216 bytes are supported on an IRB interface. To route jumbo data packets on the IRB interface, you must configure the jumbo MTU size on the member physical interfaces of the VLAN that you have associated with the IRB interface, as well as on the IRB interface itself (the interface named irb).

Caution

Setting or deleting the jumbo MTU size on the IRB interface (the interface named irb) while the switch is transmitting packets might result in dropped packets.

To configure the IRB interface:

  1. Create a Layer 2 VLAN by assigning it a name and a VLAN ID:
    [edit]

    user@switch# set vlans vlan-name vlan-id vlan-id
  2. Assign an interface to the VLAN by naming the VLAN as a trunk member on the logical interface, thereby making the interface part of the VLAN’s broadcast domain:
    [edit]

    user@switch# set interfaces interface-name unit logical-unit-number family ethernet-switching vlan members vlan-name
  3. Create a logical Layer 3 IRB interface (its name will be irb.logical-interface-number, where the value for logical-interface-number is the value you supplied for vlan-id in Step 1; in the following command, it is the logical-unit-number) on a subnet for the VLAN’s broadcast domain:
    [edit]

    user@switch# set interfaces irb unit logical-unit-number family inet address inet-address
  4. Link the Layer 2 VLAN to the logical Layer 3 IRB interface:
    [edit]

    user@switch# set vlans vlan-name l3-interface irb.logical-interface-number
    Note

    Layer 3 interfaces on trunk ports allow the interface to transfer traffic between multiple Layer 2 VLANs. Within a VLAN, traffic is switched, while across VLANs, traffic is routed.

Using an IRB Interface in a Private VLAN on a Switch

VLANs limit broadcasts to specified users. Private VLANs (PVLANs) take this concept a step further by splitting the broadcast domain into multiple isolated broadcast subdomains and essentially putting secondary VLANs inside a primary VLAN. PVLANs restrict traffic flows through their member switch ports (called “private ports”) so that these ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN. PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the communication between known hosts. Service providers use PVLANs to keep their customers isolated from one another.

Just like regular VLANs, PVLANs are isolated at Layer 2 and normally require that a Layer 3 device be used if you want to route traffic. Starting with Junos OS 14.1X53-D30, you can use an integrated routing and bridging (IRB) interface to route Layer 3 traffic between devices connected to a PVLAN. Using an IRB interface in this way can also allow the devices in the PVLAN to communicate at Layer 3 with devices outside the PVLAN.

Configuring an IRB Interface in a Private VLAN

Use the following guidelines when configuring an IRB interface in a PVLAN:

  • You can create only one IRB interface in a PVLAN, regardless of how many switches participate in the PVLAN.

  • The IRB interface must be a member of the primary VLAN in the PVLAN.

  • Each host device that you want to connect at Layer 3 must use the IP address of the IRB as its default gateway address.

  • Because the host devices are isolated at Layer 2, you must configure the following statement for the IRB interface to allow ARP resolution to occur:

    set interfaces irb unit unit-number proxy-arp unrestricted

IRB Interface Limitation in a PVLAN

If your PVLAN includes multiple switches, an issue can occur if the Ethernet switching table is cleared on a switch that does not have an IRB interface. If a Layer 3 packet transits the switch before its destination MAC address is learned again, it is broadcast to all the Layer 3 hosts connected to the PVLAN.

Example: Configuring Routing Between VLANs on One Switch Using an IRB Interface

To segment traffic on a LAN into separate broadcast domains, you create separate virtual LANs (VLANs). For example, you might want to create a VLAN that includes the employees in a department and the resources that they use often, such as printers, servers, and so on.

Of course, you also want to allow these employees to communicate with people and resources in other VLANs. To forward packets between VLANs, you normally need a router that connects the VLANs. However, you can accomplish this on a Juniper Networks switch without using a router by configuring an integrated routing and bridging (IRB) interface (also known as a routed VLAN interface—or RVI—in versions of Junos OS that do not support Enhanced Layer 2 Software). Using this approach reduces complexity and avoids the costs associated with purchasing, installing, managing, powering, and cooling another device.

Requirements

This example uses the following hardware and software components:

  • One switch

  • Junos OS Release 11.1 or later

Overview and Topology

This example uses an IRB to route traffic between two VLANs on the same switch. The topology is shown in Figure 3.

Figure 3: IRB with One Switch

This example shows a simple configuration to illustrate the basic steps for creating two VLANs on a single switch and configuring an IRB to enable routing between the VLANs. One VLAN, called blue, is for the sales and marketing group, and a second, called red, is for the customer support team. The sales and support groups each have their own file servers and wireless access points. Each VLAN must have a unique name, tag (VLAN ID), and distinct IP subnet. Table 4 lists the components of the sample topology.

Table 4: Components of the Multiple VLAN Topology

| Property | Settings |
|---|---|
| VLAN names and tag IDs | blue, ID 100 |
| | red, ID 200 |
| Subnets associated with VLANs | blue: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126) |
| | red: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254) |
| Interfaces in VLAN blue | Sales server port: xe-0/0/4 |
| | Sales wireless access points: xe-0/0/6 |
| Interfaces in VLAN red | Support server port: xe-0/0/0 |
| | Support wireless access points: xe-0/0/2 |
| IRB name | interface irb |
| IRB units and addresses | logical unit 100: 192.0.2.1/25 |
| | logical unit 200: 192.0.2.129/25 |

This configuration example creates two IP subnets, one for the blue VLAN and the second for the red VLAN. The switch bridges traffic within the VLANs. For traffic passing between two VLANs, the switch routes the traffic using an IRB on which you have configured addresses in each IP subnet.

To keep the example simple, the configuration steps show only a few interfaces and VLANs. Use the same configuration procedure to add more interfaces and VLANs. By default, all interfaces are in access mode, so you do not have to configure the port mode.

Configure Layer 2 switching for two VLANs

CLI Quick Configuration

To quickly configure Layer 2 switching for the two VLANs (blue and red) and to quickly configure Layer 3 routing of traffic between the two VLANs, copy the following commands and paste them into the switch terminal window:

Note

The following example uses a version of Junos OS that supports Enhanced Layer 2 Software (ELS). When you use ELS, you create a Layer 3 virtual interface named irb. If you are using a version of Junos OS that does not support ELS, you create a Layer 3 virtual interface named vlan.

[edit]
set interfaces xe-0/0/4 unit 0 description "Sales server port"
set interfaces xe-0/0/4 unit 0 family ethernet-switching vlan members blue
set interfaces xe-0/0/6 unit 0 description "Sales wireless access point port"
set interfaces xe-0/0/6 unit 0 family ethernet-switching vlan members blue
set interfaces xe-0/0/0 unit 0 description "Support servers"
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members red
set interfaces xe-0/0/2 unit 0 description "Support wireless access point port"
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members red
set interfaces irb unit 100 family inet address 192.0.2.1/25
set interfaces irb unit 200 family inet address 192.0.2.129/25
set vlans blue l3-interface irb.100
set vlans blue vlan-id 100
set vlans red vlan-id 200
set vlans red l3-interface irb.200

Step-by-Step Procedure

To configure the switch interfaces and the VLANs to which they belong:

  1. Configure the interface for the sales server in the blue VLAN:
    [edit interfaces xe-0/0/4 unit 0]

    user@switch# set description "Sales server port"

    user@switch# set family ethernet-switching vlan members blue
  2. Configure the interface for the wireless access point in the blue VLAN:
    [edit interfaces xe-0/0/6 unit 0]

    user@switch# set description "Sales wireless access point port"

    user@switch# set family ethernet-switching vlan members blue
  3. Configure the interface for the support server in the red VLAN:
    [edit interfaces xe-0/0/0 unit 0]

    user@switch# set description "Support server port"

    user@switch# set family ethernet-switching vlan members red
  4. Configure the interface for the wireless access point in the red VLAN:
    [edit interfaces xe-0/0/2 unit 0]

    user@switch# set description "Support wireless access point port"

    user@switch# set family ethernet-switching vlan members red

Step-by-Step Procedure

Now create the VLANs and the IRB. The IRB will have logical units in the broadcast domains of both VLANs.

  1. Create the red and blue VLANs by configuring the VLAN IDs for them:
    [edit vlans]

    user@switch# set blue vlan-id 100

    user@switch# set red vlan-id 200
  2. Create the interface named irb with a logical unit in the sales broadcast domain (blue VLAN):
    [edit interfaces]

    user@switch# set irb unit 100 family inet address 192.0.2.1/25

    The unit number is arbitrary and does not have to match the VLAN tag ID. However, configuring the unit number to match the VLAN ID can help avoid confusion.

  3. Add a logical unit in the support broadcast domain (red VLAN) to the irb interface:
    [edit interfaces]

    user@switch# set irb unit 200 family inet address 192.0.2.129/25
  4. Complete the IRB configuration by binding the red and blue VLANs (Layer 2) with the appropriate logical units of the irb interface (Layer 3):
    [edit vlans]

    user@switch# set blue l3-interface irb.100

    user@switch# set red l3-interface irb.200
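
The binding rules stated on this page (one-to-one VLAN-to-IRB mapping, no IRB on a VLAN with a VLAN identifier list, an IRB unit defined under both hierarchies, distinct subnets per VLAN) can be checked offline before a commit. The following Python audit is an added example, not Juniper code; the finding codes, the use of vlan-id-list as the statement for a "VLAN identifier list", and the informational check for a missing input firewall filter on a bound unit are assumptions of this example.

```python
import ipaddress
from itertools import combinations

# Constructed input: the set commands from the CLI Quick Configuration above
# (description statements omitted).
SAMPLE_OK = """\
set interfaces xe-0/0/4 unit 0 family ethernet-switching vlan members blue
set interfaces xe-0/0/6 unit 0 family ethernet-switching vlan members blue
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members red
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members red
set interfaces irb unit 100 family inet address 192.0.2.1/25
set interfaces irb unit 200 family inet address 192.0.2.129/25
set vlans blue l3-interface irb.100
set vlans blue vlan-id 100
set vlans red vlan-id 200
set vlans red l3-interface irb.200
"""

# Constructed input that breaks the rules stated on this page.
SAMPLE_BAD = """\
set vlans blue vlan-id 100
set vlans blue l3-interface irb.100
set vlans red vlan-id 200
set vlans red l3-interface irb.100
set vlans green vlan-id-list 300-310
set vlans green l3-interface irb.300
set interfaces irb unit 100 family inet address 192.0.2.1/25
set interfaces irb unit 400 family inet address 192.0.2.200/24
"""

L3_NAMES = ("irb", "vlan")  # irb on ELS releases, vlan (RVI) on non-ELS


def parse(config):
    """Extract VLAN statements and IRB/RVI units from Junos 'set' commands."""
    vlans, units = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["set", "vlans"] and len(tok) >= 5:
            if tok[3] in ("vlan-id", "vlan-id-list", "l3-interface"):
                vlans.setdefault(tok[2], {})[tok[3]] = tok[4]
        elif (tok[:2] == ["set", "interfaces"] and len(tok) >= 5
              and tok[2] in L3_NAMES and tok[3] == "unit"):
            unit = units.setdefault(f"{tok[2]}.{tok[4]}",
                                    {"nets": [], "filter": False})
            rest = tok[5:]
            if len(rest) >= 4 and rest[0] == "family" and rest[1] in ("inet", "inet6"):
                if rest[2] == "address":
                    unit["nets"].append(ipaddress.ip_interface(rest[3]).network)
                elif rest[2:4] == ["filter", "input"]:
                    unit["filter"] = True
    return vlans, units


def audit(config):
    """Return a list of (severity, code, subject, message) findings."""
    vlans, units = parse(config)
    out, bound = [], {}
    for name, v in sorted(vlans.items()):
        l3 = v.get("l3-interface")
        if l3 is None:
            continue
        bound.setdefault(l3, []).append(name)
        if "vlan-id-list" in v:
            out.append(("ERROR", "id-list", name,
                        "l3-interface on a VLAN that uses a VLAN identifier list"))
        if l3 not in units:
            out.append(("ERROR", "undefined", name,
                        f"{l3} is bound here but not defined under [edit interfaces]"))
        elif not units[l3]["nets"]:
            out.append(("ERROR", "no-address", name, f"{l3} has no IP address"))
        if "vlan-id" in v and l3.rpartition(".")[2] != v["vlan-id"]:
            out.append(("INFO", "unit-mismatch", name,
                        f"unit of {l3} differs from vlan-id {v['vlan-id']}"))
    for l3, names in sorted(bound.items()):
        if len(names) > 1:  # the mapping must be one-to-one
            out.append(("ERROR", "shared-unit", l3,
                        "bound to several VLANs: " + ", ".join(names)))
    for l3 in sorted(units):
        if l3 not in bound:
            out.append(("WARN", "unbound", l3,
                        "not referenced by any l3-interface statement"))
        elif not units[l3]["filter"]:
            out.append(("INFO", "no-filter", l3,
                        "no input firewall filter on this routed interface"))
    for a, b in combinations(sorted(units), 2):
        if any(x.version == y.version and x.overlaps(y)
               for x in units[a]["nets"] for y in units[b]["nets"]):
            out.append(("ERROR", "overlap", f"{a},{b}",
                        "subnets overlap, so the direct routes are ambiguous"))
    return out


if __name__ == "__main__":
    for label, cfg in (("quick configuration", SAMPLE_OK), ("broken", SAMPLE_BAD)):
        print(label)
        for sev, code, subject, msg in audit(cfg):
            print(f"  {sev:5} {code:13} {subject:16} {msg}")
```
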

Configuration Results

Display the results of the configuration:

Tip

To quickly configure the blue and red VLAN interfaces, issue the load merge terminal command, copy the hierarchy, and paste it into the switch terminal window.

Verification

To verify that the blue and red VLANs have been created and are operating properly, perform these tasks:

Verifying That the VLANs Have Been Created and Associated with the Correct Interfaces

Purpose

Verify that the VLANs blue and red have been created on the switch and that all connected interfaces on the switch are members of the correct VLAN.

Action

List all VLANs configured on the switch:

user@switch> show vlans

Meaning

The show vlans command lists all VLANs configured on the switch and which interfaces are members of each VLAN. This command output shows that the blue and red VLANs have been created. The blue VLAN has a tag ID of 100 and is associated with interfaces xe-0/0/4.0 and xe-0/0/6.0. VLAN red has a tag ID of 200 and is associated with interfaces xe-0/0/0.0 and xe-0/0/2.0.

Verifying That Traffic Can Be Routed Between the Two VLANs

Purpose

Verify routing between the two VLANs.

Action

Verify that the IRB logical units are up:

user@switch> show interfaces terse

Note

At least one port (access or trunk) with an appropriate VLAN assigned to it must be up for the irb interface to be up.

Verify that the switch has created routes that use the IRB logical units:

user@switch> show route

List the Layer 3 routes in the switch's Address Resolution Protocol (ARP) table:

user@switch> show arp

Meaning

The output of the show interfaces and show route commands shows that the Layer 3 IRB logical units are working and the switch has used them to create direct routes that it will use to forward traffic between the VLAN subnets. The show arp command displays the mappings between the IP addresses and MAC addresses for devices on both irb.100 (associated with VLAN blue) and irb.200 (associated with VLAN red). These two devices can communicate.

Example: Configuring an IRB Interface on a Security Device

This example shows how to configure an IRB interface so it can act as a Layer 3 routing interface for a VLAN.

Requirements

Before you begin, configure a VLAN with a single VLAN identifier. See Example: Configuring VLANs on Security Devices.

Overview

In this example, you configure the IRB logical interface unit 0 with the family type inet and IP address 10.1.1.1/24, and then reference the IRB interface irb.10 in the vlan10 configuration. Then you enable Web authentication on the IRB interface and activate the webserver on the device.

Note

To complete the Web authentication configuration, you must perform the following tasks:

  • Define the access profile and password for a Web authentication client.

  • Define the security policy that enables Web authentication for the client.

Either a local database or an external authentication server can be used as the Web authentication server.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure an IRB interface:

  1. Create a Layer 2 trunk interface.
  2. Create an IRB logical interface.
  3. Create a Layer 2 VLAN.
  4. Associate the IRB interface with the VLAN.
  5. Activate the webserver.
  6. If you are done configuring the device, commit the configuration.

Verification

To verify that the configuration is working properly, enter the show interface irb and show vlans commands.

Example: Configuring IRB and VLAN with Members Across Two Nodes on a Security Device

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

This example shows the configuration of integrated routing and bridging (IRB) and configuration of a VLAN with members across node 0 and node 1.

Configuration

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure IRB and a VLAN:

  1. Configure Ethernet switching on the node0 interface.
  2. Configure Ethernet switching on the node1 interface.
  3. Create VLAN vlan100 with vlan-id 100.
  4. Add interfaces from both nodes to the VLAN.
  5. Create an IRB logical interface.
  6. Associate an IRB interface with the VLAN.
  7. If you are done configuring the device, commit the configuration.

Results

From configuration mode, confirm your configuration by entering the show vlans and show interfaces commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct the configuration.

Verification

Verifying VLAN and IRB

Purpose

Verify that the configurations of VLAN and IRB are working properly.

Action

From operational mode, enter the show interfaces terse ge-0/0/3 command to view the node 0 interface.

From operational mode, enter the show interfaces terse ge-0/0/4 command to view the node 0 interface.

From operational mode, enter the show interfaces terse ge-7/0/5 command to view the node1 interface.

From operational mode, enter the show vlans command to view the VLAN interface.

From operational mode, enter the show ethernet-switching interface command to view the information about Ethernet switching interfaces.

Meaning

The output shows the VLAN and IRB are configured and working fine.

Example: Configuring IRB Interfaces on QFX5100 Switches over an MPLS Core Network

Starting with Junos OS Release 14.1X53-D40 and Junos OS Release 17.1R1, QFX5100 switches support integrated routing and bridging (IRB) interfaces over an MPLS core network. An IRB interface is a logical Layer 3 VLAN interface used to route traffic between VLANs.

By definition, VLANs divide a LAN’s broadcast environment into isolated virtual broadcast domains, thereby limiting the amount of traffic flowing across the entire LAN and reducing the possible number of collisions and packet retransmissions within the LAN. To forward packets between different VLANs, you traditionally needed a router that connects the VLANs. However, using the Junos OS you can accomplish this inter-VLAN forwarding without using a router by simply configuring an IRB interface on the switch.

The IRB interface functions as a logical switch on which you can configure a Layer 3 logical interface for each VLAN. The switch relies on its Layer 3 capabilities to provide this basic routing between VLANs. With an IRB interface, you can configure label-switched paths (LSPs) to enable the switch to recognize which packets are being sent to local addresses, so that they are bridged (switched) whenever possible and are routed only when necessary. Whenever packets can be switched instead of routed, several layers of processing are eliminated.

This example shows how to configure an IRB interface over an MPLS core network using QFX5100 switches.

Requirements

This example uses the following hardware and software components:

  • Three QFX5100 switches

  • Junos OS Release 14.1X53-D40 or later

Before you begin, be sure you have:

Overview and Topology

Figure 4 illustrates a sample topology for configuring IRB over an MPLS core network. In this example, an LSP is established between the ingress provider edge switch (PE1) and the provider edge egress switch (PE2). An IRB Layer 3 interface (irb.0) is configured on switches P and PE2, and associated to VLAN 100. In this configuration, the P switch replaces (swaps) the label at the top of the label stack with a new label, adds the VLAN identifier 100 to the MPLS packet, and then sends the packet out the IRB interface. PE2 receives this vlan-tagged MPLS packet, removes (pops) the label from the top of the label stack, performs a regular IP route lookup, and then forwards the packet with its IP header to the next-hop address.

Figure 4: IRB Topology over an MPLS Core Network

Configuration

To configure the topology in this example, perform these tasks:

Configuring the Local Ingress PE Switch

CLI Quick Configuration

To quickly configure the local ingress PE switch (PE1), copy and paste the following commands into the switch terminal window of switch PE1:

Step-by-Step Procedure

To configure the ingress PE switch (PE1):

  1. Configure the interfaces.
  2. Configure the router ID and autonomous system (AS) number.
    Note

    We recommend that you explicitly configure the router identifier under the [edit routing-options] hierarchy level to prevent unpredictable behavior if the interface address on a loopback interface changes.

  3. Configure and apply an export routing policy to the forwarding table for per-packet load balancing.
  4. Create an OSPF area and set the loopback address to be passive.
  5. Enable MPLS on all interfaces.
  6. Configure LDP on the provider-facing and loopback interfaces.

Results

Display the results of the PE1 switch configuration:

Configuring the Provider Switch

CLI Quick Configuration

To quickly configure the provider switch (P), copy and paste the following commands into the switch terminal window of the P switch:

Step-by-Step Procedure

To configure the provider switch (P):

  1. Configure the physical and loopback interfaces.
  2. Configure an IRB interface.
  3. Configure the router ID and AS number.
    Note

    We recommend that you explicitly configure the router identifier under the [edit routing-options] hierarchy level to avoid unpredictable behavior if the interface address on a loopback interface changes.

  4. Configure and apply an export routing policy to the forwarding table for per-packet load balancing.
  5. Enable OSPF and set the loopback address to passive.
  6. Enable MPLS on all interfaces.
  7. Configure LDP to include all interfaces.

  8. Create the VLAN and associate the IRB interface to it.
    Note

    Layer 3 interfaces on trunk ports allow the interface to transfer traffic between multiple VLANs. Within a VLAN, traffic is switched, while across VLANs, traffic is routed.
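
The eight steps above for the P switch, written out as set commands. This is an added example, not the commands from the original page: interface names, addresses, the AS number, the policy name pplb, and the VLAN name v100 are constructed placeholders, while irb.0 and VLAN ID 100 come from the topology description.

```junos
# Added example, not the original page's commands. Interface names, addresses,
# AS number, policy name (pplb) and VLAN name (v100) are constructed; irb.0 and
# VLAN ID 100 come from the topology description.

# 1. Physical and loopback interfaces: routed MPLS link toward PE1, trunk toward PE2.
set interfaces xe-0/0/10 unit 0 family inet address 198.51.100.2/30
set interfaces xe-0/0/10 unit 0 family mpls
set interfaces xe-0/0/12 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/12 unit 0 family ethernet-switching vlan members v100
set interfaces lo0 unit 0 family inet address 203.0.113.2/32

# 2. IRB interface: Layer 3 and MPLS on the VLAN 100 side.
set interfaces irb unit 0 family inet address 192.0.2.2/24
set interfaces irb unit 0 family mpls

# 3. Explicit router ID and AS number.
set routing-options router-id 203.0.113.2
set routing-options autonomous-system 64512

# 4. Per-packet load-balancing policy exported to the forwarding table.
set policy-options policy-statement pplb then load-balance per-packet
set routing-options forwarding-table export pplb

# 5. OSPF, with the loopback passive.
set protocols ospf area 0.0.0.0 interface all
set protocols ospf area 0.0.0.0 interface lo0.0 passive

# 6. MPLS on all interfaces.
set protocols mpls interface all

# 7. LDP on all interfaces.
set protocols ldp interface all

# 8. VLAN 100, bound to the IRB interface.
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.0
```

Because interface all also matches the management interface, add an explicit disable statement for that interface under each protocol if the management network should not run OSPF, MPLS, or LDP.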

Results

Display the results of the provider switch configuration:

Configuring the Remote Egress PE Switch

CLI Quick Configuration

To quickly configure the remote egress PE switch (PE2), copy and paste the following commands into the switch terminal window of PE2:

Step-by-Step Procedure

To configure the remote PE switch (PE2):

  1. Configure the physical and loopback interfaces.
  2. Configure an IRB interface.
  3. Configure the router ID and AS number.
  4. Configure and apply an export routing policy to the forwarding table for per-packet load balancing.
  5. Enable OSPF.
  6. Enable MPLS on all interfaces.
  7. Configure LDP to include all interfaces.
  8. Create the VLAN and associate the IRB interface to it.

Results

Display the results of the PE2 switch configuration:

Example: Configuring a Large Delay Buffer on a Security Device IRB Interface

This example shows how to configure a large delay buffer on an IRB interface to help slower interfaces avoid congestion and packet dropping when they receive large bursts of traffic.

Requirements

Before you begin, enable the large buffer feature on the IRB interface and then configure a buffer size for each queue in the CoS scheduler. See Scheduler Buffer Size Overview.

Overview

On devices, you can configure large delay buffers on IRB interfaces.

In this example, you configure a scheduler map, large-buf-sched-map, to associate schedulers with the defined forwarding classes be-class, ef-class, af-class, and nc-class. You then apply the scheduler map to the IRB interface and define a per-unit scheduler for the IRB interface.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a large delay buffer on a channelized T1 interface:

  1. Configure the scheduler map to associate schedulers with defined forwarding classes.
  2. Apply the scheduler map to the IRB interface.
  3. Define the per-unit scheduler for the irb interface.

Results

From configuration mode, confirm your configuration by entering the show class-of-service and show chassis commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Large Delay Buffers Configuration

Purpose

Verify that the large delay buffers are configured properly.

Action

From configuration mode, enter the show class-of-service interface irb command.

user@host> show class-of-service interface irb

Meaning

The large delay buffers are configured on the IRB interface as expected.

Configuring a Set of VLANs to Act as a Switch for a Layer 2 Trunk Port

You can configure a set of VLANs that are associated with a Layer 2 trunk port. The set of VLANs functions as a switch. Packets received on a trunk interface are forwarded within a VLAN that has the same VLAN identifier. A trunk interface also provides support for IRB, which provides support for Layer 2 bridging and Layer 3 IP routing on the same interface.

To configure a Layer 2 trunk port and set of VLANs, include the following statements:

You must configure a VLAN and VLAN identifier for each VLAN associated with the trunk interface. You can configure one or more trunk or access interfaces at the [edit interfaces] hierarchy level. An access interface enables you to accept packets with no VLAN identifier.

Excluding an IRB Interface from State Calculations on a QFX Series Switch

IRB interfaces are used to bind specific VLANs to Layer 3 interfaces, enabling a switch to forward packets between those VLANs without having to configure another device, such as a router, to connect VLANs. Because an IRB interface often has multiple ports in a single VLAN, the state calculation for a VLAN member might include a port that is down, possibly resulting in traffic loss.

Starting with Junos OS Release 14.1X53-D40 and Junos OS Release 17.3R1 on QFX5100 switches, this feature enables you to exclude a trunk or access interface from the state calculation, which means that as soon as the port assigned to a member VLAN goes down, the IRB interface for the VLAN is also marked as down. In a typical scenario, one port on the interface is assigned to a single VLAN, while a second port on that interface is assigned to a trunk interface that carries traffic between multiple VLANs. A third port is often also assigned to an access interface to connect the VLAN to network devices.

Before you begin:

To exclude an access or 802.1Q trunk interface from the state calculations for an IRB interface:

  1. Configure a trunk or access interface.

    For example, configure interface xe-0/1/0.0 as a trunk interface:

  2. Assign VLAN members to the access or trunk interface.

    For example, assign all VLAN members configured on the device to the trunk interface xe-0/1/0:

  3. Exclude an access or trunk interface from state calculations for the IRB interfaces for member VLANs.

    For example, exclude the trunk interface xe-0/1/0 from state calculations for the IRB interfaces for member VLANs:

  4. To confirm your configuration, from configuration mode, enter the show interfaces xe-0/1/0 command. If your output does not display the intended configuration, repeat steps 1 through 4 to correct the configuration.
  5. After you commit the configuration, issue the show ethernet-switching interface xe-0/1/0.0 command to verify that the logical interface is enabled with autostate-exclude.
    user@switch> show ethernet-switching interface xe-0/1/0.0

    The AS in the Logical interface flags field indicates that autostate-exclude is enabled and that this interface will be excluded from the state calculations for the IRB interfaces for the member VLANs.
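
Steps 1 through 3 of this procedure as set commands, with one VLAN added for context. This is an added example, not the original page's commands: xe-0/1/0 is the interface the steps name, while the VLAN name v100, the access port xe-0/1/1, the unit irb.100, and the address are constructed placeholders.

```junos
# Added example, not the original page's commands. xe-0/1/0 is from the steps
# above; v100, xe-0/1/1, irb.100 and the address are constructed for context.

# Context: one VLAN with an access port and an IRB interface.
set vlans v100 vlan-id 100
set vlans v100 l3-interface irb.100
set interfaces irb unit 100 family inet address 192.0.2.1/24
set interfaces xe-0/1/1 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/1/1 unit 0 family ethernet-switching vlan members v100

# Step 1: make xe-0/1/0.0 a trunk interface.
set interfaces xe-0/1/0 unit 0 family ethernet-switching interface-mode trunk

# Step 2: carry every VLAN configured on the device over the trunk.
set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members all

# Step 3: leave the trunk out of the IRB state calculation for its member VLANs.
# With this set, irb.100 is marked down as soon as xe-0/1/1 goes down, even
# while the trunk itself stays up.
set interfaces xe-0/1/0 ether-options autostate-exclude
```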

Verifying Integrated Routing and Bridging Interface Status and Statistics on EX Series Switches

Purpose

Determine status information and traffic statistics for integrated routing and bridging (IRB) interfaces.

Action

Display IRB interfaces and their current states:

user@switch> show interfaces irb terse

Display Layer 2 VLANs, including any tags assigned to the VLANs and the interfaces associated with the VLANs:

user@switch> show vlans

Display Ethernet switching table entries for the VLAN that is attached to the IRB interface:

Display the ingress-counting statistics of an IRB interface with either the show interfaces irb detail command or the show interfaces irb extensive command. Ingress counting is displayed as Input bytes and Input packets and egress counting is displayed as Output bytes and Output packets under Transit Statistics.

user@switch> show interfaces irb.111 detail

Meaning

  • show interfaces irb terse displays a list of interfaces, including IRB interfaces, and their current states (up, down).

  • show vlans displays a list of VLANs, including any tags assigned to the VLANs and the interfaces associated with the VLANs.

  • show ethernet-switching table displays the Ethernet switching table entries, including VLANs attached to the IRB interface.

  • show interfaces irb detail displays IRB interface ingress counting as Input Bytes and Input Packets under Transit Statistics.

Release History Table
Release
Description
Starting with Junos OS Release 14.1X53-D40 and Junos OS Release 17.1R1, QFX5100 switches support integrated routing and bridging (IRB) interfaces over an MPLS core network.
Starting with Junos OS Release 14.1X53-D40 and Junos OS Release 17.3R1 on QFX5100 switches, this feature enables you to exclude a trunk or access interface from the state calculation, which means that as soon as the port assigned to a member VLAN goes down, the IRB interface for the VLAN is also marked as down.