Configuring Tagged VLANs

Creating a Series of Tagged VLANs

When you divide an Ethernet LAN into multiple VLANs, each VLAN is assigned a unique IEEE 802.1Q tag. This tag is associated with each frame in the VLAN, and the network nodes receiving the traffic can use the tag to identify which VLAN a frame is associated with.

Instead of configuring VLANs and 802.1Q tags one at a time for a trunk interface, you can configure a VLAN range to create a series of tagged VLANs.

When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique 802.1Q tag. The tag is applied to all frames so that the network nodes receiving the frames can detect which VLAN the frames belong to. Trunk ports, which multiplex traffic among a number of VLANs, use the tag to determine the origin of frames and where to forward them.

For example, you could configure the VLAN employee and specify a tag range of 10 through 12. This creates the following VLANs and tags:

  • VLAN employee-10, tag 10

  • VLAN employee-11, tag 11

  • VLAN employee-12, tag 12

Creating tagged VLANs in a series has the following limitations:

  • Layer 3 interfaces do not support this feature.

  • Because an access interface can only support one VLAN member, access interfaces also do not support this feature.

Note

This task uses Junos OS for QFX3500 and QFX3600 switches that does not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does support ELS, see Creating a Series of Tagged VLANs on Switches with ELS Support.

To configure a series of tagged VLANs using the CLI (here, the VLAN is employee):

  1. Configure the series (here, a VLAN series from 120 through 130):

    [edit]
    user@switch# set vlans employee vlan-range 120-130

  2. Associate a series of tagged VLANs when you configure an interface in one of two ways:

  • Include the name of the series:

    [edit]
    user@switch# set interfaces xe-0/0/22.0 family ethernet-switching vlan members employee

  • Include the VLAN range:

    [edit]
    user@switch# set interfaces xe-0/0/22.0 family ethernet-switching vlan members 120-130

Associating a series of tagged VLANs to an interface by name or by VLAN range has the same result: VLANs __employee_120__ through __employee_130__ are created.

Note

When a series of VLANs is created using the vlan-range command, the VLAN names are preceded and followed by a double underscore.

Creating a Series of Tagged VLANs on EX Series Switches (CLI Procedure)

To identify which VLAN traffic belongs to, all frames on an Ethernet VLAN are identified by a tag, as defined in the IEEE 802.1Q standard. These frames are tagged and are encapsulated with 802.1Q tags. For a simple network that has only a single VLAN, all traffic has the same 802.1Q tag.

Instead of configuring VLANs and 802.1Q tags one at a time for a trunk interface, you can configure a VLAN range to create a series of tagged VLANs.

When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique 802.1Q tag. The tag is applied to all frames so that the network nodes receiving the frames know which VLAN the frames belong to. Trunk ports, which multiplex traffic among a number of VLANs, use the tag to determine the origin of frames and where to forward them.

For example, you could configure the VLAN employee and specify a tag range of 10-12. This creates the following VLANs and tags:

  • VLAN employee-10, tag 10

  • VLAN employee-11, tag 11

  • VLAN employee-12, tag 12

Creating tagged VLANs in a series has the following limitations:

  • Layer 3 interfaces do not support this feature.

  • Because an access interface can only support one VLAN member, access interfaces also do not support this feature.

  • Voice over IP (VoIP) configurations do not support a range of tagged VLANs.

To configure a series of tagged VLANs using the CLI (here, the VLAN is employee):

  1. Configure the series (here, a VLAN series from 120 through 130):

    [edit]
    user@switch# set vlans employee vlan-range 120-130

  2. Associate a series of tagged VLANs when you configure an interface in one of two ways:

  • Include the name of the series:

    [edit]
    user@switch# set interfaces ge-0/0/22.0 family ethernet-switching vlan members employee

  • Include the VLAN range:

    [edit]
    user@switch# set interfaces ge-0/0/22.0 family ethernet-switching vlan members 120-130

Associating a series of tagged VLANs to an interface by name or by VLAN range has the same result: VLANs __employee_120__ through __employee_130__ are created.

Note

When a series of VLANs is created using the vlan-range command, the VLAN names are prefixed and suffixed with a double underscore.

Creating a Series of Tagged VLANs on Switches with ELS Support

When you divide an Ethernet LAN into multiple VLANs, each VLAN is assigned a unique IEEE 802.1Q tag. This tag is associated with each frame in the VLAN, and the network nodes receiving the traffic can use the tag to identify which VLAN a frame is associated with.

Instead of configuring VLANs and 802.1Q tags one at a time for a trunk interface, you can configure a VLAN range to create a series of tagged VLANs.

When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique 802.1Q tag. The tag is applied to all frames so that the network nodes receiving the frames can detect which VLAN the frames belong to. Trunk ports, which multiplex traffic among a number of VLANs, use the tag to determine the origin of frames and where to forward them.

For example, you could configure the VLAN employee and specify a tag range of 10 through 12. This creates the following VLANs and tags:

  • VLAN employee-10, tag 10

  • VLAN employee-11, tag 11

  • VLAN employee-12, tag 12

Creating tagged VLANs in a series has the following limitations:

  • Layer 3 interfaces do not support this feature.

  • Because an access interface can only support one VLAN member, access interfaces also do not support this feature.

Note

This task uses Junos OS for QFX3500 and QFX3600 switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Creating a Series of Tagged VLANs. For ELS details, see Using the Enhanced Layer 2 Software CLI.

To configure a series of tagged VLANs using the CLI (here, the VLAN is employee):

  1. Configure the series (here, a VLAN series from 120 through 130):

    [edit]
    user@switch# set vlans employee vlan-id-list [ 120-130 ]

  2. Associate a series of tagged VLANs when you configure an interface in one of two ways:

  • Include the name of the series:

    [edit]
    user@switch# set interfaces xe-0/0/22.0 family ethernet-switching vlan members employee

  • Include the VLAN range:

    [edit]
    user@switch# set interfaces xe-0/0/22.0 family ethernet-switching vlan members 120-130

Associating a series of tagged VLANs to an interface by name or by VLAN range has the same result: VLANs __employee_120__ through __employee_130__ are created.

Note

When a series of VLANs is created using the vlan-id-list command, the VLAN names are preceded and followed by a double underscore.

Verifying That a Series of Tagged VLANs Has Been Created

Purpose

Verify that a series of tagged VLANs has been created on the switch.

Action

  1. Display the VLANs in the ascending order of their VLAN ID:
    user@switch> show vlans sort-by tag
  2. Display the VLANs by the alphabetical order of the VLAN name:
    user@switch> show vlans sort-by name
  3. Display the VLANs by specifying the VLAN range name (here, the VLAN range name is employee):
    user@switch> show vlans employee

Meaning

The sample output shows the VLANs configured on the switch. The series of tagged VLANs is displayed: __employee_120__ through __employee_130__. Each of the tagged VLANs is configured on the trunk interface xe-0/0/22.0. The asterisk (*) next to the interface name indicates that the interface is UP.

When a series of VLANs is created using the vlan-range statement, the VLAN names are preceded and followed by a double underscore.

Verifying That a Series of Tagged VLANs Has Been Created on an EX Series Switch

Purpose

Verify that a series of tagged VLANs is created on the switch.

Action

Display the VLANs in the ascending order of their VLAN ID:

user@switch> show vlans sort-by tag

Display the VLANs by the alphabetical order of the VLAN name:

user@switch> show vlans sort-by name

Display the VLANs by specifying the VLAN-range name (here, the VLAN-range name is employee):

user@switch> show vlans employee

Meaning

The sample output shows the VLANs configured on the switch. The series of tagged VLANs is displayed: __employee_120__ through __employee_130__. Each of the tagged VLANs is configured on the trunk interface ge-0/0/22.0. The asterisk (*) beside the interface name indicates that the interface is UP.

When a series of VLANs is created using the vlan-range statement, the VLAN names are prefixed and suffixed with a double underscore.

Configuring Double-Tagged VLANs on Layer 3 Logical Interfaces

Junos OS supports a subset of the IEEE 802.1Q standard for channelizing an Ethernet interface into multiple logical interfaces, allowing many hosts to be connected to the same switch but preventing them from being in the same routing or bridging domain. When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique 802.1Q tag. The tag is applied to all frames so that network nodes receiving the frames can detect which VLAN the frames belong to.

You can configure double VLAN tags (that is, an inner and an outer tag) on a Layer 3 logical interface (sometimes called a “Layer 3 subinterface”).

Support for double-tagging VLANs on Layer 3 logical interfaces includes:

  • Configuration of an IPv4, an IPv6, or an mpls family on the logical interface

  • Configuration over an aggregated Ethernet interface

  • Configuration of multiple logical interfaces on a single physical interface

Note

This feature does not include support for the following:

  • VLAN rewrite (input-vlan-map or output-vlan-map)

  • TPID configuration (on physical or logical interfaces)

  • native-inner-vlan-id; outer-vlan-id-list; inner-vlan-id-list; or vlan-id-range

To configure a double-tagged Layer 3 logical interface:

  1. Apply flexible VLAN tagging to the physical interface:
    [edit]
    user@switch# set interfaces interface-name flexible-vlan-tagging
  2. Configure inner and outer VLAN tags on the logical interface:
    [edit]
    user@switch# set interfaces interface-name unit logical-unit-number vlan-tags outer vlan-id
    user@switch# set interfaces interface-name unit logical-unit-number vlan-tags inner vlan-id
  3. Set the family type and, if needed, the address on the logical interface:
    [edit]
    user@switch# set interfaces interface-name unit logical-unit-number family family-type address address

Stacking a VLAN Tag

To stack a VLAN tag on all tagged frames entering or exiting the interface, include the push, vlan-id, and tag-protocol-id statements in the input VLAN map or the output VLAN map:

You can include these statements at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number]

  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

The VLAN IDs you define in the input VLAN maps are stacked on top of the VLAN ID bound to the logical interface.

All TPIDs you include in input and output VLAN maps must be among those you specify at the [edit interfaces interface-name ether-options ethernet-switch-profile tag-protocol-id [ tpids ]] hierarchy level.

Rewriting a VLAN Tag and Adding a New Tag

On Ethernet IQ, IQ2 and IQ2-E interfaces, on MX Series router Gigabit Ethernet, Tri-Rate Ethernet copper, and 10-Gigabit Ethernet interfaces, on aggregated Ethernet interfaces using Gigabit Ethernet IQ2 and IQ2-E or 10-Gigabit Ethernet PICs on MX Series routers, and on Gigabit Ethernet and 10-Gigabit Ethernet interfaces on EX Series switches, to replace the outer VLAN tag of the incoming frame with a user-specified VLAN tag value, include the swap-push statement in the input VLAN map or output VLAN map:

A user-specified outer VLAN tag is pushed in front. The outer tag becomes an inner tag in the final frame. Stacking and rewriting Gigabit Ethernet VLAN tags is also referred to as Q-in-Q tunneling.

You can include this statement at the following hierarchy levels:

See Rewrite Operations and Statement Usage for Input VLAN Maps and Rewrite Operations and Statement Usage for Output VLAN Maps for information about configuring inner and outer VLAN ID values and inner and outer TPID values required for VLAN maps.

Rewriting the Inner and Outer VLAN Tags

On Ethernet IQ, IQ2 and IQ2-E interfaces, on MX Series router Gigabit Ethernet, Tri-Rate Ethernet copper, and 10-Gigabit Ethernet interfaces, and on aggregated Ethernet interfaces using Gigabit Ethernet IQ2 and IQ2-E or 10-Gigabit Ethernet PICs on MX Series routers, to replace both the inner and the outer VLAN tags of the incoming frame with a user-specified VLAN tag value, include the swap-swap statement in the input VLAN map or output VLAN map:

Stacking and rewriting Gigabit Ethernet VLAN tags is also referred to as Q-in-Q tunneling.

You can include this statement at the following hierarchy levels:

See Rewrite Operations and Statement Usage for Input VLAN Maps and Rewrite Operations and Statement Usage for Output VLAN Maps for information about configuring inner and outer VLAN ID values and inner and outer TPID values required for VLAN maps.

Rewriting the VLAN Tag on Tagged Frames

To rewrite the VLAN tag on all tagged frames entering the interface to a specified VLAN ID and TPID, include the swap, tag-protocol-id, and vlan-id statements in the input VLAN map:

To rewrite the VLAN tag on all tagged frames exiting the interface to a specified VLAN ID and TPID, include the swap and tag-protocol-id statements in the output VLAN map:

You can include these statements at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number input-vlan-map]

  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number input-vlan-map]

You cannot include both the swap statement and the vlan-id statement in the output VLAN map configuration. If you include the swap statement in the configuration, the VLAN ID in outgoing frames is rewritten to the VLAN ID bound to the logical interface. For more information about binding a VLAN ID to the logical interface, see 802.1Q VLANs Overview.

The swap operation works on the outer tag only, whether or not you include the stacked-vlan-tagging statement in the configuration. For more information, see Examples: Stacking and Rewriting Gigabit Ethernet IQ VLAN Tags.
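
The effect of the push, swap, swap-push, and swap-swap operations described in the sections above can be seen directly on the frame's tag stack. The following Python model is an added example, not Juniper code: the function names and the sample frame are constructed for illustration, the vlan_id and inner_vlan_id parameters mirror the vlan-id and inner-vlan-id statements, and the model always takes the new IDs explicitly.

```python
import struct

TPID_8021Q = 0x8100                      # TPID used in the page's input-vlan-map example
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}    # assumption: TPIDs this parser treats as VLAN tags

# op -> (minimum tags on the frame, needs vlan_id, needs inner_vlan_id) in this model
REQUIREMENTS = {
    "push": (1, True, False), "pop": (1, False, False), "swap": (1, True, False),
    "swap-push": (1, True, True), "swap-swap": (2, True, True),
}


def parse_frame(frame):
    """Return (MAC header, tag stack, remainder); tags are (tpid, tci), outermost first."""
    tags, offset = [], 12
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in VLAN_TPIDS:
            break
        tags.append((tpid, tci))
        offset += 4
    return frame[:12], tags, frame[offset:]


def build_frame(macs, tags, rest):
    return macs + b"".join(struct.pack("!HH", tpid, tci) for tpid, tci in tags) + rest


def vids(tags):
    """VLAN IDs of the stack, outermost first (low 12 bits of each TCI)."""
    return [tci & 0x0FFF for _, tci in tags]


def _retag(tag, vid, tpid=None):
    """Replace the VLAN ID, keep the priority/DEI bits, optionally replace the TPID."""
    old_tpid, tci = tag
    return (tpid or old_tpid, (tci & 0xF000) | vid)


def rewrite(tags, op, vlan_id=None, inner_vlan_id=None, tpid=TPID_8021Q):
    """Apply one VLAN-map operation to a tag stack and return the new stack."""
    if op not in REQUIREMENTS:
        raise ValueError(f"unsupported operation: {op}")
    min_tags, need_outer, need_inner = REQUIREMENTS[op]
    # The page describes these operations on tagged frames, so untagged input is rejected.
    if len(tags) < min_tags:
        raise ValueError(f"{op} needs at least {min_tags} tag(s) on the frame")
    for name, value, needed in (("vlan_id", vlan_id, need_outer),
                                ("inner_vlan_id", inner_vlan_id, need_inner)):
        if needed and (value is None or not 1 <= value <= 4094):
            raise ValueError(f"{op} needs {name} in 1..4094")
    if op == "pop":
        return list(tags[1:])
    if op == "push":        # new outer tag stacked on top of the existing stack
        return [(tpid, vlan_id)] + list(tags)
    if op == "swap":        # outer tag only
        return [_retag(tags[0], vlan_id, tpid)] + list(tags[1:])
    if op == "swap-push":   # old outer tag is rewritten and becomes the inner tag
        return [(tpid, vlan_id), _retag(tags[0], inner_vlan_id)] + list(tags[1:])
    return [_retag(tags[0], vlan_id, tpid), _retag(tags[1], inner_vlan_id)] + list(tags[2:])


# Constructed sample frame: dst MAC, src MAC, one 802.1Q tag (priority 5, VLAN 200),
# IPv4 EtherType, zero-filled payload.
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "8100a0c8" "0800") + b"\x00" * 46

if __name__ == "__main__":
    macs, tags, rest = parse_frame(SAMPLE)
    for op, kw in (("swap", {"vlan_id": 500}), ("push", {"vlan_id": 1000}),
                   ("swap-push", {"vlan_id": 1000, "inner_vlan_id": 500})):
        out = rewrite(tags, op, **kw)
        print(f"{op:10} {vids(tags)} -> {vids(out)}  "
              f"(+{len(build_frame(macs, out, rest)) - len(SAMPLE)} bytes)")
```

Each stacked tag adds 4 bytes to the frame, which is worth keeping in mind when sizing the MTU on links that carry double-tagged traffic.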

Configuring VLAN Translation with a VLAN ID List

In many cases, the VLAN identifiers on the frames of an interface’s packets are not correct. VLAN translation, or VLAN rewrite, allows you to configure bidirectional VLAN identifier translation with a list on frames arriving on and leaving from a logical interface. This lets you use unique VLAN identifiers internally and maintain legacy VLAN identifiers on logical interfaces.

To perform VLAN translation on the packets on a trunk interface, insert the vlan-rewrite statement at the [edit interfaces interface-name unit unit-number] hierarchy level. You must also include the interface-mode trunk statement within the [edit interfaces interface-name unit unit-number family ethernet-switching] hierarchy because VLAN translation is only supported on trunk interfaces. The reverse translation takes place on traffic exiting the interface. In other words, if VLAN 200 is translated to 500 on traffic entering the interface, VLAN 500 is translated to VLAN 200 on traffic leaving the interface.

Note

You can configure either flexible VLAN tagging or trunk mode on interfaces. VLAN translation does not support both. Additionally, the inner-vlan-id-list statement is supported only on interfaces with VLAN tagging (VLAN IDs).

The following example translates incoming trunk packets from VLAN identifier 200 to 500 and 201 to 501 (other valid VLAN identifiers are not affected):

Note

This example also translates frame VLANs from 500 to 200 and 501 to 201 on egress.
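
Because the reverse translation is applied on egress and untranslated VLAN identifiers pass through unchanged, a translation list should be checked for identifiers that would not survive the round trip. The following Python check is an added example, not part of the original page: the function names and the set of VLAN IDs seen on the wire are hypothetical, and only the 200/500 and 201/501 pairs come from the text above.

```python
def build_translation(pairs):
    """Build ingress and egress maps from (wire_vlan, internal_vlan) pairs.

    Raises ValueError when the reverse (egress) translation would be ambiguous.
    """
    ingress, egress = {}, {}
    for wire, internal in pairs:
        for vid in (wire, internal):
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN ID out of range: {vid}")
        if wire in ingress:
            raise ValueError(f"VLAN {wire} is translated twice")
        if internal in egress:
            raise ValueError(
                f"VLANs {egress[internal]} and {wire} both translate to {internal}")
        ingress[wire], egress[internal] = internal, wire
    return ingress, egress


def translate(vid, table):
    """VLAN IDs without an entry pass through unchanged, as the page states."""
    return table.get(vid, vid)


def audit(pairs, wire_vlans):
    """Return (wire, internal, egress) for each wire VLAN that does not
    come back out with the identifier it arrived with."""
    ingress, egress = build_translation(pairs)
    findings = []
    for vid in sorted(wire_vlans):
        internal = translate(vid, ingress)
        back = translate(internal, egress)
        if back != vid:
            findings.append((vid, internal, back))
    return findings


PAIRS = [(200, 500), (201, 501)]        # the translation pairs from the page's example
WIRE_VLANS = {200, 201, 300, 500}       # constructed: VLAN IDs arriving on the trunk

if __name__ == "__main__":
    for wire, internal, back in audit(PAIRS, WIRE_VLANS):
        print(f"VLAN {wire} enters as internal VLAN {internal} but leaves as VLAN {back}: "
              f"it shares an internal VLAN with a translated VLAN")
```

Here VLAN 500 arriving on the wire lands in the same internal VLAN as translated VLAN 200 and leaves retagged as 200, so the two segments are merged.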

Configuring VLAN Translation on Security Devices

VLAN translation allows service providers to create a Layer 2 Ethernet connection between two customer sites. Providers can segregate different customers’ VLAN traffic on a link (for example, if the customers use overlapping VLAN IDs) or bundle different customer VLANs into a single service VLAN. Data centers can use Q-in-Q tunneling to isolate customer traffic within a single site or when customer traffic flows between cloud data centers in different geographic locations.

Before you begin configuring VLAN translation, make sure you have created and configured the necessary customer VLANs on the neighboring switches. See Configuring VLANs.

VLAN translation can be done in two ways:

  • VLAN retagging (an enterprise provider style of VLAN translation) can be achieved with the following CLI configuration:

    [edit]
    user@host# set interfaces intf-name unit 0 family ethernet-switching interface-mode trunk
    user@host# set interfaces intf-name unit 0 family ethernet-switching vlan members v1000
    user@host# set interfaces intf-name unit 0 family ethernet-switching vlan-rewrite translate 500 1000

  • Q-in-Q (a service provider style of VLAN translation) can be achieved with the following CLI configuration:

    [edit]
    user@host# set interfaces intf-name flexible-vlan-tagging
    user@host# set interfaces intf-name encapsulation extended-vlan-bridge
    user@host# set interfaces intf-name unit 100 vlan-id 500
    user@host# set interfaces intf-name unit 100 input-vlan-map swap
    user@host# set interfaces intf-name unit 100 input-vlan-map tag-protocol-id 0x8100
    user@host# set interfaces intf-name unit 100 output-vlan-map swap
    user@host# set interfaces intf-name unit 100 family ethernet-switching vlan members v1000

Example: Configuring VLAN Retagging for Layer 2 Transparent Mode on a Security Device

This example shows how to configure VLAN retagging on a Layer 2 trunk interface to selectively screen incoming packets and redirect them to a security device without affecting other VLAN traffic.

Requirements

Before you begin, determine the mapping you want to include for the VLAN retagging. See Understanding VLAN Retagging on Security Devices.

Overview

In this example, you create a Layer 2 trunk interface called ge-3/0/0 and configure it to receive packets with VLAN identifiers 1 through 10. Packets that arrive on the interface with VLAN identifier 11 are retagged with VLAN identifier 2. Before exiting the trunk interface, VLAN identifier 2 in the retagged packets is replaced with VLAN identifier 11. All VLAN identifiers in the retagged packets change back when the packets exit the trunk interface.

Configuration

Step-by-Step Procedure

To configure VLAN retagging on a Layer 2 trunk interface:

  1. Create a Layer 2 trunk interface.
  2. Configure VLAN retagging.
  3. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show interfaces ge-3/0/0 command.

Configuring Inner and Outer TPIDs and VLAN IDs

For some rewrite operations, you must configure the inner or outer TPID values and inner or outer VLAN ID values. These values can be applied to either the input VLAN map or the output VLAN map.

On Ethernet IQ, IQ2, and IQ2-E interfaces; on MX Series router Gigabit Ethernet, Tri-Rate Ethernet copper, and 10-Gigabit Ethernet interfaces; and on aggregated Ethernet interfaces using Gigabit Ethernet IQ2 and IQ2-E or 10-Gigabit Ethernet PICs on MX Series routers, to configure the inner TPID, include the inner-tag-protocol-id statement:

You can include this statement at the following hierarchy levels:

For the inner VLAN ID, include the inner-vlan-id statement. For the outer TPID, include the tag-protocol-id statement. For the outer VLAN ID, include the vlan-id statement:

For aggregated Ethernet interfaces using Gigabit Ethernet IQ interfaces, include the tag-protocol-id statement for the outer TPID. For the outer VLAN ID, include the vlan-id statement:

You can include these statements at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number]

  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

The VLAN IDs you define in the input VLAN maps are stacked on top of the VLAN ID bound to the logical interface. For more information about binding a VLAN ID to the logical interface, see 802.1Q VLANs Overview.

All TPIDs you include in input and output VLAN maps must be among those you specify at the [edit interfaces interface-name ether-options ethernet-switch-profile tag-protocol-id [ tpids ]] hierarchy level.

Table 1 and Table 2 specify when these statements are required. Table 1 indicates valid statement combinations for rewrite operations for the input VLAN map. “No” means the statement must not be included in the input VLAN map for the rewrite operation. “Optional” means the statement may be optionally specified for the rewrite operation in the input VLAN map. “Any” means that you must include the vlan-id statement, tag-protocol-id statement, inner-vlan-id statement, or inner-tag-protocol-id statement.

Table 1: Rewrite Operations and Statement Usage for Input VLAN Maps

                     Input VLAN Map Statements
Rewrite Operation    vlan-id     tag-protocol-id    inner-vlan-id    inner-tag-protocol-id
push                 Optional    Optional           No               No
pop                  No          No                 No               No
swap                 Any         Any                No               No
push-push            Optional    Optional           Optional         Optional
swap-push            Optional    Optional           Any              Any
swap-swap            Optional    Optional           Any              Any
pop-swap             No          No                 Any              Any
pop-pop              No          No                 No               No

Table 2 indicates valid statement combinations for rewrite operations for the output VLAN map. “No” means the statement must not be included in the output VLAN map for the rewrite operation. “Optional” means the statement may be optionally specified for the rewrite operation in the output VLAN map.

Table 2: Rewrite Operations and Statement Usage for Output VLAN Maps

                     Output VLAN Map Statements
Rewrite Operation    vlan-id     tag-protocol-id    inner-vlan-id    inner-tag-protocol-id
push                 No          Optional           No               No
pop                  No          No                 No               No
swap                 No          Optional           No               No
push-push            No          Optional           No               Optional
swap-push            No          Optional           No               Optional
swap-swap            No          Optional           No               Optional
pop-swap             No          No                 No               Optional
pop-pop              No          No                 No               No

The following examples use Table 1 and Table 2 and show how the pop-swap operation can be configured in an input VLAN map and an output VLAN map:

Input VLAN Map with inner-vlan-id Statement, Output VLAN Map with Optional inner-tag-protocol-id Statement

Input VLAN Map with inner-tag-protocol-id Statement, Output VLAN Map with Optional inner-tag-protocol-id Statement

Input VLAN Map with inner-tag-protocol-id and inner-vlan-id Statements