Example: Configuring Routing Between VLANs on One Switch
To segment traffic on a LAN into separate broadcast domains, you create separate virtual LANs (VLANs). For example, you might want to create a VLAN that includes the employees in a department and the resources that they use often, such as printers, servers, and so on.
Of course, you also want to allow these employees to communicate with people and resources in other VLANs. To forward packets between VLANs you normally you need a router that connects the VLANs. However, you can accomplish this on a Juniper Networks switch without using a router by configuring a routed VLAN interface (RVI). Using this approach reduces complexity and avoids the costs associated with purchasing, installing, managing, powering, and cooling another device.
Requirements
This example uses the following hardware and software components:
- One switch
- Junos OS Release 11.1 or later
Overview and Topology
This example uses an RVI to route traffic between two VLANs on the same switch. The topology is shown in Figure 1.
Figure 1: RVI with One Switch
This example shows a simple configuration to illustrate the basic steps for creating two VLANs on a single switch and configuring an RVI to enable routing between the VLANs. One VLAN, called blue, is for the sales and marketing group, and a second, called red, is for the customer support team. The sales and support groups each have their own file servers and wireless access points. Each VLAN must have a unique name, tag (VLAN ID), and distinct IP subnet. Table 1 lists the components of the sample topology.
Table 1: Components of the Multiple VLAN Topology
| Property | Settings |
|---|---|
VLAN names and tag IDs | blue, ID 100 |
Subnets associated with VLANs | blue: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126) |
Interfaces in VLAN blue | Sales server port: xe-0/0/4 |
Interfaces in VLAN red | Support server port: xe-0/0/0 |
RVI name | interface vlan |
RVI units and addresses | logical unit 100: 192.0.2.1/25 logical unit 200: 192.0.2.129/25 |
This configuration example creates two IP subnets, one for the blue VLAN and the second for the red VLAN. The switch bridges traffic within the VLANs. For traffic passing between two VLANs, the switch routes the traffic using an RVI on which you have configured addresses in each IP subnet.
To keep the example simple, the configuration steps show only a few interfaces and VLANs. Use the same configuration procedure to add more interfaces and VLANs. By default, all interfaces are in access mode, so you do not have to configure the port mode.
Configure Layer 2 switching for two VLANs
CLI Quick Configuration
To quickly configure Layer 2 switching for the two VLANs (blue and red) and to quickly configure Layer 3 routing of traffic between the two VLANs, copy the following commands and paste them into the switch terminal window:
[edit]set interfaces xe-0/0/4 unit 0 description
“Sales server port” set interfaces xe-0/0/4 unit 0 family ethernet-switching
vlan members blueset interfaces xe-0/0/6 unit 0 description “Sales
wireless access point port”set interfaces xe-0/0/6 unit 0 family ethernet-switching
vlan members blueset interfaces xe-0/0/0 unit 0 description
“Support servers”set interfaces xe-0/0/0 unit 0 family ethernet-switching
vlan members redset interfaces xe-0/0/2 unit 0 description “Support
wireless access point port”set interfaces xe-0/0/2 unit 0 family ethernet-switching
vlan members redset interfaces vlan unit 100 family inet address
192.0.2.1/25 set interfaces vlan unit 200 family inet address
192.0.2.129/25 set vlans blue l3-interface vlan.100set vlans blue vlan-id 100 set vlans red vlan-id 200 set vlans red l3-interface vlan.200Step-by-Step Procedure
To configure the switch interfaces and the VLANs to which they belong:
- Configure the interface for the sales server in the blue
VLAN:
[edit interfaces xe-0/0/4 unit 0]
user@switch# set description “Sales server port”
user@switch# set family ethernet-switching vlan members blue - Configure the interface for the wireless access point
in the blue VLAN:
[edit interfaces xe-0/0/6 unit 0]
user@switch# set description “Sales wireless access point port”
user@switch# set family ethernet-switching vlan members blue - Configure the interface for the support server in the
red VLAN:
[edit interfaces xe-0/0/0 unit 0]
user@switch# set description “Support server port”
user@switch# set family ethernet-switching vlan members red - Configure the interface for the wireless access point
in the red VLAN:
[edit interfaces xe-0/0/2 unit 0]
user@switch# set description “Support wireless access point port”
user@switch# set family ethernet-switching vlan members red
Step-by-Step Procedure
Now create the VLANs and the RVI. The RVI will have logical units in the broadcast domains of both VLANs.
- Create the red and blue VLANs by configuring the VLAN
IDs for them:
[edit vlans]
user@switch# set blue vlan-id 100
user@switch# set red vlan-id 200 - Create the interface named vlan with a logical
unit in the sales broadcast domain (blue VLAN):
[edit interfaces]
user@switch# set vlan unit 100 family inet address 192.0.2.1/25The unit number is arbitrary and does not have to match the VLAN tag ID. However, configuring the unit number to match the VLAN ID can help avoid confusion.
- Add a logical unit in the support broadcast domain (red
VLAN) to the vlan interface:
[edit interfaces]
user@switch# set vlan unit 200 family inet address 192.0.2.129/25 - Complete the RVI configuration by binding the red and
blue VLANs (Layer 2) with the appropriate logical units of the vlan interface (Layer 3):
[edit vlans]
user@switch# set blue l3-interface vlan.100
user@switch# set red l3-interface vlan.200
Display the results of the configuration:
 | Tip: To quickly configure the blue and red VLAN interfaces, issue the load merge terminal command, copy the hierarchy, and paste it into the switch terminal window. |
Verification
To verify that the blue and redVLANs have been created and are operating properly, perform these tasks:
- Verifying That the VLANs Have Been Created and Associated with the Correct Interfaces
- Verifying That Traffic Can Be Routed Between the Two VLANs
Verifying That the VLANs Have Been Created and Associated with the Correct Interfaces
Purpose
Verify that the VLANs blue and red have been created on the switch and that all connected interfaces on the switch are members of the correct VLAN.
Action
List all VLANs configured on the switch:
user@switch> show vlansName Tag Interfaces default xe-0/0/0.0, xe-0/0/2.0, xe-0/0/4.0, xe-0/0/6.0, blue 100 xe-0/0/4.0, xe-0/0/6, red 200 xe-0/0/0.0, xe-0/0/2.0, * mgmt me0.0*
Meaning
The show vlans command lists all VLANs configured on the switch and which interfaces are members of each VLAN. This command output shows that the blue and red VLANs have been created. The blue VLAN has a tag ID of 100 and is associated with interfaces xe-0/0/4.0 and xe-0/0/6.0. VLAN red has a tag ID of 200 and is associated with interfaces xe-0/0/0.0 and xe-0/0/2.0.
Verifying That Traffic Can Be Routed Between the Two VLANs
Purpose
Verify routing between the two VLANs.
Action
Verify that the RVI logical units are up:
user@switch> show interfaces tersevlan.100 up up inet 192.0.2.1/25
vlan.200 up up inet 192.0.2.129/25
 | Note: At least one port (access or trunk) with an appropriate VLAN assigned to it must be up for the vlan interface to be up. |
Verify that switch has created routes that use the RVI logical units:
user@switch> show route192.0.2.0/25 *[Direct/0] 1d 03:26:45
> via vlan.100
192.0.2.1/32 *[Local/0] 1d 03:26:45
Local via vlan.100
192.0.2.128/25 *[Direct/0] 1d 03:26:45
> via vlan.200
192.0.2.129/32 *[Local/0] 1d 03:26:45
Local via vlan.200List the Layer 3 routes in the switch's Address Resolution Protocol (ARP) table:
user@switch> show arp
MAC Address Address Name Flags 00:00:0c:06:2c:0d 192.0.2.7 vlan.100 None 00:13:e2:50:62:e0 192.0.2.132 vlan.200 None
Meaning
The output of the show interfaces and show route commands show that the Layer 3 RVI logical units are working and the switch has used them to create direct routes that it will use to forward traffic between the VLAN subnets. The show arp command displays the mappings between the IP addresses and MAC addresses for devices on both vlan.100 (associated with VLAN blue) and vlan.200 (associated with VLAN red).These two devices can communicate.
