Understanding Bridge Domains
Whether a packet is forwarded within a bridge domain is determined by the packet's VLAN ID and the VLAN ID of the bridge domain: only packets whose VLAN ID matches the VLAN ID configured for the bridge domain are forwarded within it.
When configuring bridge domains, you can specify either a single VLAN ID or a list of specific VLAN IDs. If you specify a list of VLAN IDs, a bridge domain is created for each VLAN ID in the list. Certain bridge domain properties, such as the integrated routing and bridging interface (IRB), are not configurable if bridge domains are created in this manner (see Understanding Integrated Routing and Bridging Interfaces).
Each Layer 2 logical interface configured on the device is implicitly assigned to a bridge domain based on the VLAN ID of the packets accepted by the interface (see Understanding Layer 2 Interfaces). You do not need to explicitly define the logical interfaces when configuring a bridge domain.
You can configure one or more static MAC addresses for a logical interface in a bridge domain; this is only applicable if you specified a single VLAN ID when creating the bridge domain.
Note: If a static MAC address you configure for a logical interface appears on a different logical interface, packets sent to that interface are dropped.
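The following configuration is an added example that is not part of the original Juniper page: it shows the single-VLAN-ID form of a bridge domain (which permits an IRB and static MAC addresses) beside the VLAN-list form (which does not), together with the access and trunk interfaces that are implicitly placed in those bridge domains. The interface names, bridge-domain names, VLAN IDs, IRB address and MAC address are assumed values; the `#` lines are explanatory comments for the reader.

```junos
# Added example, not from the Juniper page. Names, VLAN IDs, the IRB address
# and the MAC address are assumed values.

# Layer 2 logical interfaces. Each one lands in a bridge domain implicitly,
# by the VLAN ID of the packets it accepts; no interface list is needed
# under bridge-domains.
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access vlan-id 10
set interfaces ge-0/0/2 unit 0 family bridge interface-mode trunk vlan-id-list [ 10 20 30 ]

# Single-VLAN bridge domain: IRB and static MAC addresses are configurable.
set bridge-domains bd-10 domain-type bridge
set bridge-domains bd-10 vlan-id 10
set bridge-domains bd-10 routing-interface irb.10
set interfaces irb unit 10 family inet address 192.0.2.1/24

# Pin a server's MAC to ge-0/0/1.0. If that MAC shows up on another
# interface in bd-10, the frames are dropped, so a host elsewhere in the
# domain cannot take over the server's address.
set bridge-domains bd-10 bridge-options interface ge-0/0/1.0 static-mac 00:10:94:00:00:01

# VLAN-list form: one bridge domain is created per VLAN ID (here 20 and 30).
# Neither routing-interface nor static-mac can be configured on bridge
# domains created this way.
set bridge-domains bd-list domain-type bridge
set bridge-domains bd-list vlan-id-list [ 20 30 ]

# Operational mode, after commit: confirm the domains and inspect the
# forwarding table (static entries are flagged separately from learned ones).
show bridge domain
show bridge mac-table
```

Commit will reject `routing-interface` or `static-mac` under `bd-list`, which is the configuration-time check for the restriction described above.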
You can configure the following properties that apply to all bridge domains on the SRX Series device:
- Disable or enable Layer 2 address learning. Layer 2 address learning is enabled by default. A bridge domain learns unicast media access control (MAC) addresses to avoid flooding packets to all interfaces in the bridge domain. Each bridge domain creates a source MAC entry in its forwarding tables for each source MAC address learned from packets received on interfaces that belong to the bridge domain. When you disable MAC learning, source MAC addresses are not dynamically learned, and any packets sent to these source addresses are flooded into a bridge domain.
- Maximum number of MAC addresses learned from all logical interfaces on the SRX Series device. After the MAC address limit is reached, the default is for any incoming packets with a new source MAC address to be forwarded. You can specify that the packets be dropped instead. The default limit is 131,071 MAC addresses. The range that you can configure is 16 through 131,071.
- Timeout interval for MAC table entries. By default, the timeout interval for MAC table entries is 300 seconds. The minimum you can configure is 10 seconds and the maximum is 64,000 seconds. The timeout interval applies only to dynamically learned MAC addresses. This value does not apply to configured static MAC addresses, which never time out.
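The three device-wide learning properties above map onto the `protocols l2-learning` hierarchy. The fragment below is an added example, not from the Juniper page; the limit and aging values are assumed. The security-relevant choice is the limit action: with the default (forward), a host that exhausts the MAC table by sending frames from many source addresses causes subsequent unknown-destination traffic to be flooded to every interface in the bridge domain, so a practitioner normally sets a limit below the 131,071 default and drops frames that would exceed it.

```junos
# Added example, not from the Juniper page. The limit and aging values are
# assumed; pick them from the size of the real Layer 2 domain.

# Cap the global MAC table and drop, rather than forward, frames carrying a
# new source MAC once the cap is reached. The default action (forward)
# leaves the device open to table exhaustion followed by flooding.
set protocols l2-learning global-mac-limit 16384
set protocols l2-learning global-mac-limit packet-action drop

# Shorter aging (default 300 s; range 10 to 64,000 s) removes entries for
# moved or spoofed hosts sooner. Static MAC entries never age out.
set protocols l2-learning global-mac-table-aging-time 120

# Disabling learning entirely turns every bridge domain into a hub: all
# unicast frames are flooded. Left commented out here on purpose.
# set protocols l2-learning global-no-mac-learning

# Operational mode, after commit: watch the table size against the limit
# and check which entries are learned versus static.
show bridge mac-table
```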
Layer 2 Bridging Exceptions on SRX Series Devices
The bridging functions on the SRX3400, SRX3600, SRX5600, and SRX5800 devices are similar to the bridging features on Juniper Networks MX Series routers. However, the following Layer 2 networking features on MX Series routers are not supported on SRX Series devices:
- Layer 2 control protocols—These protocols are used on MX Series routers for Rapid Spanning Tree Protocol (RSTP) or Multiple Spanning Tree Protocol (MSTP) in customer edge interfaces of a VPLS routing instance.
- Virtual switch routing instance—The virtual switching routing instance is used on MX Series routers to group one or more bridge domains.
- Virtual private LAN services (VPLS) routing instance—The VPLS routing instance is used on MX Series routers for point-to-multipoint LAN implementations between a set of sites in a VPN.
In addition, the SRX Series devices do not support the following Layer 2 features:
- Spanning Tree Protocol (STP), RSTP, or MSTP—It is the user’s responsibility to ensure that no flooding loops exist in the network topology.
- Internet Group Management Protocol (IGMP) snooping
- Double-tagged VLANs, or IEEE 802.1Q VLAN identifiers encapsulated within 802.1Q packets (also called “Q in Q” VLAN tagging)—Only untagged or single-tagged VLAN identifiers are supported on SRX Series devices.
- Nonqualified VLAN learning, where only the MAC address is used for learning within the bridge domain—VLAN learning on SRX Series devices is qualified; that is, both the VLAN identifier and MAC address are used.
Layer 2 Bridging Terms
Before configuring Layer 2 bridge domains, become familiar with the terms defined in Table 18.
Table 18: Layer 2 Bridging Terms
| Term | Definition |
|---|---|
| Access interface | Logical Layer 2 interface configured to accept untagged packets and to assign a specified VLAN ID to the packets. |
| Bridge | A network component defined by the IEEE that forwards frames from one LAN segment or VLAN to another. This bridging function can be contained in a router, LAN switch, or other specialized device. |
| Bridge domain | A set of logical interfaces that share the same flooding or broadcast characteristics. As in a VLAN, a bridge domain spans one or more ports of multiple devices. By default, each bridge domain maintains its own forwarding database of MAC addresses learned from packets received on interfaces that belong to that bridge domain. |
| Forwarding Information Base (FIB) | Junos OS forwarding information base (also called the forwarding table). The Junos OS routing protocol process installs active routes from its routing tables into the Routing Engine forwarding table. The kernel copies this forwarding table into the Packet Forwarding Engine, which determines the interface that transmits the packets. |
| Integrated routing and bridging (IRB) interface | Pseudointerface that belongs to both a routing domain and a bridge domain and facilitates simultaneous Layer 2 bridging and Layer 3 routing within the same bridge domain. Packets arriving on an interface of the bridge domain are switched or routed based on the destination MAC address. Packets addressed to the router's MAC address are routed to other Layer 3 interfaces. |
| Learning domain | A MAC address database in the bridge domain where the MAC addresses are added based on VLAN tags. |
| Trunk interface | Logical Layer 2 interface that accepts any packets tagged with a VLAN ID that matches a specified list of VLAN IDs. |
| VLAN | Defines a broadcast domain, a set of logical ports that share flooding or broadcast characteristics. VLANs span one or more ports on multiple devices. By default, each VLAN maintains its own Layer 2 forwarding database containing MAC addresses learned from packets received on ports belonging to the VLAN. |