
Private VLANs

Understanding Private VLANs

VLANs limit broadcasts to specified users. Private VLANs (PVLANs) take this concept a step further by limiting communication within a VLAN. PVLANs accomplish this by restricting traffic flows through their member switch ports (which are called private ports) so that these ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN. The uplink trunk port or link aggregation group (LAG) is usually connected to a router, firewall, server, or provider network. Each PVLAN typically contains many private ports that communicate only with a single uplink port, thereby preventing the ports from communicating with each other.

PVLANs provide Layer 2 isolation between ports within a VLAN, splitting a broadcast domain into multiple discrete broadcast subdomains by creating secondary VLANs (community VLANs and an isolated VLAN) inside a primary VLAN. Ports within the same community VLAN can communicate with each other. Ports within an isolated VLAN can communicate only with a single uplink port.

Just like regular VLANs, PVLANs are isolated on Layer 2 and require one of the following options to route Layer 3 traffic among the secondary VLANs:

  • A promiscuous port connection with a router

  • A routed VLAN interface (RVI)

Note:

To route Layer 3 traffic among secondary VLANs, a PVLAN needs only one of the options mentioned above. If you use an RVI, you can still implement a promiscuous port connection to a router with the promiscuous port set up to handle only traffic that enters and exits the PVLAN.

PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the communication between known hosts. Service providers use PVLANs to keep their customers isolated from each other. Another typical use for a PVLAN is to provide per-room Internet access in a hotel.

Note:

You can configure a PVLAN to span switches that support PVLANs.


Benefits of PVLANs

The need to segregate a single VLAN is particularly useful in the following deployment scenarios:

  • Server farms—A typical Internet service provider uses a server farm to provide Web hosting for numerous customers. Locating the various servers within a single server farm provides ease of management. Security concerns arise if all servers are in the same VLAN because Layer 2 broadcasts go to all servers in the VLAN.

  • Metropolitan Ethernet networks—A metro service provider offers Layer 2 Ethernet access to assorted homes, rental communities, and businesses. The traditional solution of deploying one VLAN per customer is not scalable and is difficult to manage, leading to potential waste of IP addresses. PVLANs provide a more secure and more efficient solution.

Typical Structure and Primary Application of PVLANs

A PVLAN can be configured on a single switch or can be configured to span multiple switches. The types of domains and ports are:

  • Primary VLAN—The primary VLAN of the PVLAN is defined with an 802.1Q tag (VLAN ID) for the complete PVLAN. The primary PVLAN can contain multiple secondary VLANs (one isolated VLAN and multiple community VLANs).

  • Isolated VLAN/isolated port—A primary VLAN can contain only one isolated VLAN. An interface within an isolated VLAN can forward packets only to a promiscuous port or the Inter-Switch Link (ISL) port. An isolated interface cannot forward packets to another isolated interface; and an isolated interface cannot receive packets from another isolated interface. If a customer device needs to have access only to a gateway router, the device must be attached to an isolated trunk port.

  • Community VLAN/community port—You can configure multiple community VLANs within a single PVLAN. An interface within a specific community VLAN can establish Layer 2 communications with any other interface that belongs to the same community VLAN. An interface within a community VLAN can also communicate with a promiscuous port or the ISL port. If you have, for example, two customer devices that you need to isolate from other customer devices but that must be able to communicate with one another, use community ports.

  • Promiscuous port—A promiscuous port has Layer 2 communications with all interfaces in the PVLAN, regardless of whether an interface belongs to an isolated VLAN or a community VLAN. A promiscuous port is a member of the primary VLAN but is not included within any secondary subdomain. Layer 3 gateways, DHCP servers, and other trusted devices that need to communicate with endpoint devices are typically connected to a promiscuous port.

  • Inter-Switch Link (ISL)—An ISL is a trunk port that connects multiple switches in a PVLAN and contains two or more VLANs. It is required only when a PVLAN spans multiple switches.

The configured PVLAN is the primary domain (primary VLAN). Within the PVLAN, you configure secondary VLANs, which become subdomains nested within the primary domain. A PVLAN can be configured on a single switch or can be configured to span multiple switches. The PVLAN shown in Figure 1 includes two switches, with a primary PVLAN domain and various subdomains.

Figure 1: Subdomains in a PVLAN

As shown in Figure 3, a PVLAN has only one primary domain and multiple secondary domains. The types of domains are:

  • Primary VLAN—VLAN used to forward frames downstream to isolated and community VLANs. The primary VLAN of the PVLAN is defined with an 802.1Q tag (VLAN ID) for the complete PVLAN. The primary PVLAN can contain multiple secondary VLANs (one isolated VLAN and multiple community VLANs).

  • Secondary isolated VLAN—VLAN that receives packets only from the primary VLAN and forwards frames upstream to the primary VLAN. The isolated VLAN is a secondary VLAN nested within the primary VLAN. A primary VLAN can contain only one isolated VLAN. An interface within an isolated VLAN (isolated interface) can forward packets only to a promiscuous port or the PVLAN trunk port. An isolated interface cannot forward packets to another isolated interface; nor can an isolated interface receive packets from another isolated interface. If a customer device needs to have access only to a router, the device must be attached to an isolated trunk port.

  • Secondary interswitch isolated VLAN—VLAN used to forward isolated VLAN traffic from one switch to another through PVLAN trunk ports. 802.1Q tags are required for interswitch isolated VLANs because IEEE 802.1Q uses an internal tagging mechanism by which a trunking device inserts a 4-byte VLAN frame identification tag into the packet header. An interswitch isolated VLAN is a secondary VLAN nested within the primary VLAN.

  • Secondary community VLAN—VLAN used to transport frames among members of a community (a subset of users within the VLAN) and to forward frames upstream to the primary VLAN. A community VLAN is a secondary VLAN nested within the primary VLAN. You can configure multiple community VLANs within a single PVLAN. An interface within a specific community VLAN can establish Layer 2 communications with any other interface that belongs to the same community VLAN. An interface within a community VLAN can also communicate with a promiscuous port or the PVLAN trunk port.

Figure 2 shows a PVLAN spanning multiple switches, where the primary VLAN (100) contains two community domains (300 and 400) and one interswitch isolated domain.

Figure 2: PVLAN Spanning Multiple Switches
Note:

Primary and secondary VLANs count against the limit of 4089 VLANs supported on the QFX Series. For example, each VLAN in Figure 2 counts against this limit.

Typical Structure and Primary Application of PVLANs on MX Series Routers

The configured PVLAN becomes the primary domain, and secondary VLANs become subdomains that are nested inside the primary domain. A PVLAN can be created on a single router. The PVLAN shown in Figure 3 includes one router, with one primary PVLAN domain and multiple secondary subdomains.

Figure 3: Subdomains in a PVLAN With One Router

The types of domains are:

  • Primary VLAN—VLAN used to forward frames downstream to isolated and community VLANs.

  • Secondary isolated VLAN—VLAN that receives packets only from the primary VLAN and forwards frames upstream to the primary VLAN.

  • Secondary interswitch isolated VLAN—VLAN used to forward isolated VLAN traffic from one router to another through PVLAN trunk ports.

  • Secondary community VLAN—VLAN used to transport frames among members of a community, which is a subset of users within the VLAN, and to forward frames upstream to the primary VLAN.

Note:

PVLANs are supported on MX80 routers; on MX240, MX480, and MX960 routers with DPCs in enhanced LAN mode; and on MX Series routers with MPC1, MPC2, and Adaptive Services PICs.

Typical Structure and Primary Application of PVLANs on EX Series Switches

Note:

The primary VLAN of the PVLAN is defined with an 802.1Q tag (VLAN ID) for the complete PVLAN. On EX9200 switches, each secondary VLAN must also be defined with its own separate VLAN ID.

Figure 4 shows a PVLAN on a single switch, where the primary VLAN (VLAN 100) contains two community VLANs (VLAN 300 and VLAN 400) and one isolated VLAN (VLAN 50).

Figure 4: Private VLAN on a Single EX Switch

Figure 5 shows a PVLAN spanning multiple switches, where the primary VLAN (VLAN 100) contains two community VLANs (VLAN 300 and VLAN 400) and one isolated VLAN (VLAN 200). It also shows that Switches 1 and 2 are connected through an interswitch link (PVLAN trunk link).

Figure 5: PVLAN Spanning Multiple EX Series Switches

Also, the PVLANs shown in Figure 4 and Figure 5 use a promiscuous port connected to a router as the means to route Layer 3 traffic among the community and isolated VLANs. Instead of using the promiscuous port connected to a router, you can configure an RVI on the switch in Figure 4 or one of the switches shown in Figure 5 (on some EX switches).

To route Layer 3 traffic between isolated and community VLANs, you must either connect a router to a promiscuous port, as shown in Figure 4 and Figure 5, or configure an RVI.

If you choose the RVI option, you must configure one RVI for the primary VLAN in the PVLAN domain. This RVI serves the entire PVLAN domain regardless of whether the domain includes one or more switches. After you configure the RVI, Layer 3 packets received by the secondary VLAN interfaces are mapped to and routed by the RVI.

When setting up the RVI, you must also enable proxy Address Resolution Protocol (ARP) so that the RVI can handle ARP requests received by the secondary VLAN interfaces.

For information about configuring PVLANs on a single switch and on multiple switches, see Creating a Private VLAN on a Single EX Series Switch (CLI Procedure). For information about configuring an RVI, see Configuring a Routed VLAN Interface in a Private VLAN on an EX Series Switch.

Routing Between Isolated and Community VLANs

To route Layer 3 traffic between isolated and community VLANs, you must connect an external router or switch to a trunk port of the primary VLAN. The trunk port of the primary VLAN is a promiscuous port; therefore, it can communicate with all the ports in the PVLAN.

PVLANs Use 802.1Q Tags to Identify Packets

When packets are marked with a customer-specific 802.1Q tag, that tag identifies ownership of the packets for any switch or router in the network. Sometimes, 802.1Q tags are needed within PVLANs to keep track of packets from different subdomains. Table 1 indicates when a VLAN 802.1Q tag is needed on the primary VLAN or on secondary VLANs.

Table 1: When VLANs in a PVLAN Need 802.1Q Tags

  • Primary VLAN
    • On a single switch: Specify an 802.1Q tag by setting a VLAN ID.
    • On multiple switches: Specify an 802.1Q tag by setting a VLAN ID.

  • Secondary VLAN
    • On a single switch: No tag needed on VLANs.
    • On multiple switches: VLANs need 802.1Q tags. Specify an 802.1Q tag for each community VLAN by setting a VLAN ID, and specify the 802.1Q tag for the isolation VLAN by setting an isolation ID.

PVLANs Use IP Addresses Efficiently

PVLANs provide IP address conservation and efficient allocation of IP addresses. In a typical network, VLANs usually correspond to a single IP subnet. In PVLANs, the hosts in all secondary VLANs belong to the same IP subnet because the subnet is allocated to the primary VLAN. Hosts within the secondary VLAN are assigned IP addresses based on IP subnets associated with the primary VLAN, and their IP subnet masking information reflects that of the primary VLAN subnet. However, each secondary VLAN is a separate broadcast domain.

PVLAN Port Types and Forwarding Rules

PVLANs can use up to six different port types. The network depicted in Figure 2 uses a promiscuous port to transport information to the router, community ports to connect the finance and HR communities to their respective switches, isolated ports to connect the servers, and a PVLAN trunk port to connect the two switches. PVLAN ports have different restrictions:

  • Promiscuous trunk port—A promiscuous port has Layer 2 communications with all the interfaces that are in the PVLAN, regardless of whether the interface belongs to an isolated VLAN or a community VLAN. A promiscuous port is a member of the primary VLAN, but is not included within one of the secondary subdomains. Layer 3 gateways, DHCP servers, and other trusted devices that need to communicate with endpoint devices are typically connected to a promiscuous port.

  • PVLAN trunk link—The PVLAN trunk link, which is also known as the interswitch link, is required only when a PVLAN is configured to span multiple switches. The PVLAN trunk link connects the multiple switches that compose the PVLAN.

  • PVLAN trunk port—A PVLAN trunk port is required in multiswitch PVLAN configurations to span the switches. The PVLAN trunk port is a member of all VLANs within the PVLAN (that is, the primary VLAN, the community VLANs, and the interswitch isolated VLAN), and it carries traffic from the primary VLAN and all secondary VLANs. It can communicate with all ports other than the isolated ports.

    Communication between a PVLAN trunk port and an isolated port is usually unidirectional. A PVLAN trunk port’s membership in the interswitch isolated VLAN is egress-only, meaning that an isolated port can forward packets to a PVLAN trunk port, but a PVLAN trunk port does not forward packets to an isolated port (unless the packets ingressed on a promiscuous access port and are therefore being forwarded to all the secondary VLANs in the same primary VLAN as the promiscuous port).

  • Secondary VLAN trunk port (not shown)—Secondary trunk ports carry secondary VLAN traffic. For a given private VLAN, a secondary VLAN trunk port can carry traffic for only one secondary VLAN. However, a secondary VLAN trunk port can carry traffic for multiple secondary VLANs as long as each secondary VLAN is a member of a different primary VLAN. For example, a secondary VLAN trunk port can carry traffic for a community VLAN that is part of primary VLAN pvlan100 and also carry traffic for an isolated VLAN that is part of primary VLAN pvlan400.

  • Community port—Community ports communicate among themselves and with their promiscuous ports. Community ports serve only a select group of users. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

  • Isolated access port—Isolated ports have Layer 2 connectivity only with promiscuous ports and PVLAN trunk ports—an isolated port cannot communicate with another isolated port even if these two ports are members of the same isolated VLAN (or interswitch isolated VLAN) domain. Typically, a server, such as a mail server or a backup server, is connected on an isolated port. In a hotel, each room would typically be connected on an isolated port, meaning that room-to-room communication is not possible, but each room can access the Internet on the promiscuous port.

  • Promiscuous access port (not shown)—These ports carry untagged traffic. Traffic that ingresses on a promiscuous access port is forwarded to all secondary VLAN ports on the device. If traffic ingresses into the device on a VLAN-enabled port and egresses on a promiscuous access port, the traffic is untagged on egress. If tagged traffic ingresses on a promiscuous access port, the traffic is discarded.

  • Interswitch link port—An interswitch link (ISL) port is a trunk port that connects two routers when a PVLAN spans those routers. The ISL port is a member of all VLANs within the PVLAN (that is, the primary VLAN, the community VLANs, and the isolated VLAN).

    Communication between an ISL port and an isolated port is unidirectional. An ISL port’s membership in the interswitch isolated VLAN is egress-only, meaning that incoming traffic on the ISL port is never assigned to the isolated VLAN. An isolated port can forward packets to a PVLAN trunk port, but a PVLAN trunk port cannot forward packets to an isolated port. Table 3 summarizes whether Layer 2 connectivity exists between the different types of ports.

Table 2 summarizes Layer 2 connectivity between the different types of ports within a PVLAN on EX Series switches that support ELS.

Table 2: PVLAN Ports and Layer 2 Forwarding on EX Series switches that support ELS

From Port Type   To Isolated Ports?   To Promiscuous Ports?   To Community Ports?   To Inter-Switch Link Port?
Isolated         Deny                 Permit                  Deny                  Permit
Promiscuous      Permit               Permit                  Permit                Permit
Community 1      Deny                 Permit                  Permit                Permit

Table 3: PVLAN Ports and Layer 2 Connectivity

Port Type (From: down / To: across)   Promiscuous Trunk   PVLAN Trunk               Secondary Trunk   Community                 Isolated Access   Promiscuous Access
Promiscuous trunk                     Yes                 Yes                       Yes               Yes                       Yes               Yes
PVLAN trunk                           Yes                 Yes                       Yes               Yes—same community only   Yes               Yes
Secondary trunk                       Yes                 Yes                       No                Yes                       No                Yes
Community                             Yes                 Yes                       Yes               Yes—same community only   No                Yes
Isolated access                       Yes                 Yes—unidirectional only   No                No                        No                Yes
Promiscuous access                    Yes                 Yes                       Yes               Yes                       Yes               No

Table 4 summarizes whether or not Layer 2 connectivity exists between the different types of ports within a PVLAN.

Table 4: PVLAN Ports and Layer 2 Connectivity on EX Series Switches without ELS Support

Port Type (From: down / To: across)   Promiscuous   Community                 Isolated               PVLAN Trunk            RVI
Promiscuous                           Yes           Yes                       Yes                    Yes                    Yes
Community                             Yes           Yes—same community only   No                     Yes                    Yes
Isolated                              Yes           No                        No                     Yes (unidirectional)   Yes
PVLAN trunk                           Yes           Yes—same community only   Yes (unidirectional)   Yes                    Yes
RVI                                   Yes           Yes                       Yes                    Yes                    Yes

Note:

Entries marked (unidirectional) indicate that this communication is unidirectional.

As noted in Table 4, Layer 2 communication between an isolated port and a PVLAN trunk port is unidirectional. That is, an isolated port can only send packets to a PVLAN trunk port, and a PVLAN trunk port can only receive packets from an isolated port. Conversely, a PVLAN trunk port cannot send packets to an isolated port, and an isolated port cannot receive packets from a PVLAN trunk port.
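The connectivity rules in Table 3, together with the unidirectional isolated-to-PVLAN-trunk rule just described, can be written down as a small reference model and used to generate the reachability you expect from a PVLAN before you test it. The following Python module is an added example for this page, not Juniper code and not derived from any device output: it transcribes Table 3 as data and exposes a check function. For the isolated access / PVLAN trunk pair it follows the text (the isolated port may send to the PVLAN trunk; the PVLAN trunk never forwards back to an isolated port), which the table lists only from the isolated side; the exception for frames that entered on a promiscuous access port on another switch is not modelled. Interface and community names in the sample topology are constructed.

```python
"""Layer 2 connectivity model for PVLAN port types, transcribed from Table 3.
Added illustration for this page; not Junos code and not device output."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class PortType(Enum):
    PROMISCUOUS_TRUNK = "promiscuous trunk"
    PVLAN_TRUNK = "PVLAN trunk"
    SECONDARY_TRUNK = "secondary trunk"
    COMMUNITY = "community"
    ISOLATED_ACCESS = "isolated access"
    PROMISCUOUS_ACCESS = "promiscuous access"


P = PortType  # short alias used in the table below

YES, NO, SAME, UNI = "yes", "no", "same community only", "unidirectional"

# Column order of Table 3, then each row of the table in the same order.
COLS = [P.PROMISCUOUS_TRUNK, P.PVLAN_TRUNK, P.SECONDARY_TRUNK,
        P.COMMUNITY, P.ISOLATED_ACCESS, P.PROMISCUOUS_ACCESS]
ROWS = {
    P.PROMISCUOUS_TRUNK:  [YES, YES, YES, YES,  YES, YES],
    P.PVLAN_TRUNK:        [YES, YES, YES, SAME, YES, YES],
    P.SECONDARY_TRUNK:    [YES, YES, NO,  YES,  NO,  YES],
    P.COMMUNITY:          [YES, YES, YES, SAME, NO,  YES],
    P.ISOLATED_ACCESS:    [YES, UNI, NO,  NO,   NO,  YES],
    P.PROMISCUOUS_ACCESS: [YES, YES, YES, YES,  YES, NO],
}
TABLE3 = {src: dict(zip(COLS, cells)) for src, cells in ROWS.items()}


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    community: Optional[str] = None  # set on community ports; None elsewhere


def can_forward(src: Port, dst: Port, frame_community: Optional[str] = None) -> bool:
    """Return True if a frame received on src may be forwarded out dst.

    frame_community names the community VLAN the frame belongs to when it
    arrives on a trunk that carries several communities; for frames that
    enter on a community port it defaults to that port's community.
    """
    if src.name == dst.name:
        return False
    # Text rule: a PVLAN trunk port never sends packets to an isolated port;
    # only the isolated-to-trunk direction is permitted.
    if src.kind is P.PVLAN_TRUNK and dst.kind is P.ISOLATED_ACCESS:
        return False
    cell = TABLE3[src.kind][dst.kind]
    if cell == NO:
        return False
    if cell == SAME:
        community = frame_community if frame_community is not None else src.community
        return community is not None and community == dst.community
    return True  # YES, or UNI in the permitted direction


def reachable_from(src: Port, ports: List[Port],
                   frame_community: Optional[str] = None) -> List[str]:
    """Names of the ports a frame entering on src can reach, in list order."""
    return [p.name for p in ports if can_forward(src, p, frame_community)]


# Constructed sample topology; interface and community names are illustrative.
SAMPLE_PORTS = [
    Port("ge-0/0/0", P.PROMISCUOUS_TRUNK),
    Port("ge-0/0/23", P.PVLAN_TRUNK),
    Port("ge-0/0/9", P.COMMUNITY, community="finance"),
    Port("ge-0/0/10", P.COMMUNITY, community="finance"),
    Port("ge-0/0/16", P.COMMUNITY, community="hr"),
    Port("ge-1/0/0", P.ISOLATED_ACCESS),
    Port("ge-1/0/1", P.ISOLATED_ACCESS),
    Port("ge-1/0/5", P.PROMISCUOUS_ACCESS),
]

if __name__ == "__main__":
    for port in SAMPLE_PORTS:
        print(f"{port.name:10} ({port.kind.value:18}) -> {reachable_from(port, SAMPLE_PORTS)}")
```

A model like this earns its keep when you validate a PVLAN in a lab: generate the expected reachability from the model, run a connectivity sweep between the real ports, and treat every path the model denies but the network permits as an isolation failure to investigate before the design goes into production.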

Note:

If you enable no-mac-learning on a primary VLAN, all isolated VLANs (or the interswitch isolated VLAN) in the PVLAN inherit that setting. However, if you want to disable MAC address learning on any community VLANs, you must configure no-mac-learning on each of those VLANs.

Creating a PVLAN

The flowchart shown in Figure 6 gives you a general idea of the process for creating PVLANs. If you complete your configuration steps in the order shown, you will not violate these PVLAN rules. (In the PVLAN rules, configuring the PVLAN trunk port applies only to a PVLAN that spans multiple routers.)

  • The primary VLAN must be a tagged VLAN.

  • If you are going to configure a community VLAN ID, you must first configure the primary VLAN.

  • If you are going to configure an isolation VLAN ID, you must first configure the primary VLAN.

Note:

Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.

Configuring a VLAN on a single router is relatively simple, as shown in Figure 6.

Figure 6: Configuring a PVLAN on a Single Switch

Configuring a primary VLAN consists of these steps:

  1. Configure the primary VLAN name and 802.1Q tag.

  2. Set no-local-switching on the primary VLAN.

  3. Configure the promiscuous trunk port and access ports.

  4. Make the promiscuous trunk and access ports members of the primary VLAN.

Within a primary VLAN, you can configure secondary community VLANs or secondary isolated VLANs or both. Configuring a secondary community VLAN consists of these steps:

  1. Configure a VLAN using the usual process.

  2. Configure access interfaces for the VLAN.

  3. Assign a primary VLAN to the community VLAN.

Isolated VLANs are created internally when the isolated VLAN has access interfaces as members and the option no-local-switching is enabled on the primary VLAN.

802.1Q tags are required for interswitch isolated VLANs because IEEE 802.1Q uses an internal tagging mechanism by which a trunking device inserts a 4-byte VLAN frame identification tag into the packet header.

Trunk ports are only needed for multirouter PVLAN configurations—the trunk port carries traffic from the primary VLAN and all secondary VLANs.

Limitations of Private VLANs

The following constraints apply to private VLAN configurations:

  • An access interface can belong to only one PVLAN domain, that is, it cannot participate in two different primary VLANs.

  • A trunk interface can be a member of two secondary VLANs as long as the secondary VLANs are in two different primary VLANs. A trunk interface cannot be a member of two secondary VLANs that are in the same primary VLAN.

  • A single region of Multiple Spanning Tree Protocol (MSTP) must be configured on all VLANs that are included within the PVLAN.

  • VLAN Spanning Tree Protocol (VSTP) is not supported.

  • IGMP snooping is not supported with private VLANs.

  • Routed VLAN interfaces are not supported on private VLANs.

  • Routing between secondary VLANs in the same primary VLAN is not supported.

  • Some configuration statements cannot be specified on a secondary VLAN. You can configure the following statements at the [edit vlans vlan-name switch-options] hierarchy level only on the primary PVLAN.

  • If you want to change a primary VLAN to be a secondary VLAN, you must first change it to a normal VLAN and commit the change. For example, you would follow this procedure:

    1. Change the primary VLAN to be a normal VLAN.

    2. Commit the configuration.

    3. Change the normal VLAN to be a secondary VLAN.

    4. Commit the configuration.

    Follow the same sequence of commits if you want to change a secondary VLAN to be a primary VLAN. That is, make the secondary VLAN a normal VLAN and commit that change and then change the normal VLAN to be a primary VLAN.
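The PVLAN rules given under Creating a PVLAN (the primary VLAN must be tagged; only one isolated VLAN per primary VLAN), the two membership constraints at the top of this list, and the two-commit sequence for changing a VLAN's role are all mechanical enough to check before a commit. The following Python validator is an added example written for this page, not Juniper code: the dataclasses, the function names and the sample designs are constructed, and it covers only the rules stated on the page.

```python
"""Pre-commit checks for a PVLAN design, following the rules stated on this page.
Added illustration; not Junos code. Data model and sample designs are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SecondaryVlan:
    name: str
    kind: str                     # "community" or "isolated"
    access_ports: Set[str] = field(default_factory=set)
    trunk_ports: Set[str] = field(default_factory=set)


@dataclass
class PrimaryVlan:
    name: str
    vlan_id: Optional[int]        # 802.1Q tag; None means the VLAN is untagged
    secondaries: List[SecondaryVlan] = field(default_factory=list)


def validate(primaries: List[PrimaryVlan]) -> List[str]:
    """Return the list of rule violations (empty when the design is acceptable)."""
    errors: List[str] = []
    access_owner: Dict[str, str] = {}          # access interface -> primary VLAN name
    for p in primaries:
        if p.vlan_id is None:
            errors.append(f"{p.name}: the primary VLAN must be a tagged VLAN")
        isolated = [s.name for s in p.secondaries if s.kind == "isolated"]
        if len(isolated) > 1:
            errors.append(f"{p.name}: a primary VLAN can contain only one isolated VLAN, found {isolated}")
        trunk_secondary: Dict[str, str] = {}   # trunk interface -> secondary VLAN within this primary
        for s in p.secondaries:
            for port in s.access_ports:
                # An access interface can belong to only one PVLAN domain.
                owner = access_owner.setdefault(port, p.name)
                if owner != p.name:
                    errors.append(f"{port}: access interface is in PVLAN domains {owner} and {p.name}; only one is allowed")
            for port in s.trunk_ports:
                # A trunk interface may not carry two secondary VLANs of the same primary VLAN.
                other = trunk_secondary.setdefault(port, s.name)
                if other != s.name:
                    errors.append(f"{port}: trunk interface carries secondary VLANs {other} and {s.name} of the same primary VLAN {p.name}")
    return errors


def commit_sequence(current: str, target: str) -> List[str]:
    """Commit steps for changing a VLAN's role among 'primary', 'secondary' and 'normal'.

    A primary VLAN cannot become secondary (or vice versa) in one commit: it
    must first be made a normal VLAN, committed, then changed and committed again.
    """
    roles = ("primary", "secondary", "normal")
    if current not in roles or target not in roles:
        raise ValueError(f"roles must be one of {roles}")
    if current == target:
        return []
    if "normal" in (current, target):
        return [f"change {current} VLAN to {target} VLAN", "commit"]
    return [f"change {current} VLAN to normal VLAN", "commit",
            f"change normal VLAN to {target} VLAN", "commit"]


# Constructed sample designs: VLAN names and interfaces are illustrative.
GOOD_DESIGN = [
    PrimaryVlan("pvlan100", 100, [
        SecondaryVlan("community300", "community", {"ge-0/0/9", "ge-0/0/10"}, {"ge-0/0/20"}),
        SecondaryVlan("isolated50", "isolated", {"ge-1/0/0", "ge-1/0/1"}),
    ]),
    PrimaryVlan("pvlan400", 400, [
        # Same trunk interface, but a different primary VLAN: allowed.
        SecondaryVlan("isolated450", "isolated", {"ge-1/0/2"}, {"ge-0/0/20"}),
    ]),
]

BAD_DESIGN = [
    PrimaryVlan("pvlan100", None, [                                          # untagged primary
        SecondaryVlan("community300", "community", {"ge-0/0/9"}, {"ge-0/0/20"}),
        SecondaryVlan("community301", "community", set(), {"ge-0/0/20"}),    # second secondary of pvlan100 on the same trunk
        SecondaryVlan("isolated50", "isolated", {"ge-1/0/0"}),
        SecondaryVlan("isolated51", "isolated", set()),                      # second isolated VLAN in one primary
    ]),
    PrimaryVlan("pvlan400", 400, [
        SecondaryVlan("community500", "community", {"ge-0/0/9"}),            # ge-0/0/9 is already in pvlan100
    ]),
]

if __name__ == "__main__":
    print("good design:", validate(GOOD_DESIGN) or "no violations")
    for err in validate(BAD_DESIGN):
        print("bad design:", err)
    print(commit_sequence("primary", "secondary"))
```

Running the checks against an intended design catches the cases the page says the switch will reject, or worse, silently weaken: an access port that ends up in two PVLAN domains is exactly the kind of misconfiguration that lets a tenant see traffic it should never receive.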

The following features are not supported on PVLANs on Junos switches with support for the ELS configuration style:

  • Egress VLAN firewall filters

  • Ethernet ring protection (ERP)

  • Flexible VLAN tagging

  • global-mac-statistics

  • Integrated routing and bridging (IRB) interface

  • Multichassis link aggregation groups (MC-LAGs)

  • Port mirroring

  • Q-in-Q tunneling

  • VLAN Spanning Tree Protocol (VSTP)

  • Voice over IP (VoIP)

You can configure the following statements at the [edit vlans vlan-name switch-options] hierarchy level only on the primary PVLAN:

Understanding PVLAN Traffic Flows Across Multiple Switches

This topic illustrates and explains three different traffic flows on a sample multiswitch network configured with a private VLAN (PVLAN). PVLANs restrict traffic flows through their member switch ports (which are called “private ports”) so that they communicate only with a specific uplink trunk port or with specified ports within the same VLAN.


Community VLAN Sending Untagged Traffic

In this example a member of Community-1 on Switch 1 sends untagged traffic on interface ge-0/0/12. The arrows in Figure 7 represent the resulting traffic flow.

Note:

In this example the community-1 members are assigned C-VLAN ID 100 that is mapped to P-VLAN ID 10.

Figure 7: Community VLAN Sends Untagged Traffic

In this scenario, the following activity takes place on Switch 1:

  • Community-1 VLAN on interface ge-0/0/0 and ge-0/0/12: Learning

  • pvlan100 on interface ge-0/0/0 and ge-0/0/12: Replication

  • Community-1 VLAN on interface ge-0/0/12: Receives untagged traffic

  • Community-1 VLAN interface ge-0/0/0: Traffic exits untagged

  • PVLAN trunk port: Traffic exits from ge-1/0/2 and from ae0 with tag 10

  • Community-2: Interfaces receive no traffic

  • Isolated VLANs: Interfaces receive no traffic

In this scenario, this activity takes place on Switch 3:

  • Community-1 VLAN on interface ge-0/0/23 (PVLAN trunk): Learning

  • pvlan100 on interface ge-0/0/23: Replication

  • Community-1 VLAN on interfaces ge-0/0/9 and ge-0/0/16: Receive untagged traffic

  • Promiscuous trunk port: Traffic exits from ge-0/0/0 with tag 10

  • Community-2: Interfaces receive no traffic

  • Isolated VLANs: Interfaces receive no traffic

Isolated VLAN Sending Untagged Traffic

In this scenario, isolated VLAN1 on Switch 1 at interface ge-1/0/0 sends untagged traffic. The arrows in Figure 8 represent this traffic flow.

Figure 8: Isolated VLAN Sends Untagged Traffic

In this scenario, the following activity takes place on Switch 1:

  • Isolated VLAN1 on interface ge-1/0/0: Learning

  • pvlan100 on interface ge-1/0/0: Replication

  • Traffic exits from pvlan-trunk ge-1/0/2 and ae0 with tag 50

  • Community-1 and Community-2: Interfaces receive no traffic

  • Isolated VLANs: Interfaces receive no traffic

In this scenario, this activity takes place on Switch 3:

  • VLAN on interface ge-0/0/23 (PVLAN trunk port): Learning

  • pvlan100 on interface ge-0/0/23: Replication

  • Promiscuous trunk port: Traffic exits from ge-0/0/0 with tag 100

  • Community-1 and Community-2: Interfaces receive no traffic

  • Isolated VLANs: Receive no traffic

PVLAN Tagged Traffic Sent on a Promiscuous Port

In this scenario, PVLAN tagged traffic is sent on a promiscuous port. The arrows in Figure 9 represent this traffic flow.

Figure 9: PVLAN Tagged Traffic Sent on a Promiscuous Port

In this scenario, the following activity takes place on Switch 1:

  • pvlan100 VLAN on interface ae0 (PVLAN trunk): Learning

  • Community-1, Community-2, and all isolated VLANs on interface ae0: Replication

  • VLAN on interface ae0: Replication

  • Traffic exits from pvlan-trunk ge-1/0/2 with tag 100

  • Community-1 and Community-2: Interfaces receive traffic

  • Isolated VLANs: Receive traffic

In this scenario, this activity takes place on Switch 3:

  • pvlan100 on interface ge-0/0/0: Learning

  • Community-1, Community-2 and all isolated VLANs on interface ge-0/0/0: Replication

  • VLAN on interface ge-0/0/0: Replication

  • Community-1 and Community-2: Interfaces receive traffic

  • Isolated VLANs: Receive traffic

Understanding Secondary VLAN Trunk Ports and Promiscuous Access Ports on PVLANs

VLANs limit broadcasts to specified users. Private VLANs (PVLANs) take this concept a step further by splitting a VLAN into multiple broadcast subdomains and essentially putting secondary VLANs inside a primary VLAN. PVLANs restrict traffic flows through their member ports so that these ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN. The uplink trunk port is usually connected to a router, firewall, server, or provider network. A PVLAN typically contains many private ports that communicate only with a single uplink, thereby preventing the ports from communicating with each other.

Secondary trunk ports and promiscuous access ports extend the functionality of PVLANs for use in complex deployments, such as:

  • Enterprise VMware Infrastructure environments

  • Multitenant cloud services with VM management

  • Web hosting services for multiple customers

For example, you can use secondary VLAN trunk ports to connect QFX devices to VMware servers that are configured with private VLANs. You can use promiscuous access ports to connect QFX devices to systems that do not support trunk ports but do need to participate in private VLANs.


PVLAN Port Types

PVLANs can use the following different port types:

  • Promiscuous trunk port—A promiscuous port is an upstream trunk port connected to a router, firewall, server, or provider network. A promiscuous trunk port can communicate with all interfaces, including the isolated and community ports within a PVLAN.

  • PVLAN trunk port—A PVLAN trunk port is required in multiswitch PVLAN configurations to span the switches. The PVLAN trunk port is a member of all VLANs within the PVLAN (that is, the primary VLAN, the community VLANs, and the interswitch isolated VLAN), and it carries traffic from the primary VLAN and all secondary VLANs. It can communicate with all ports.

    Communication between a PVLAN trunk port and an isolated port is usually unidirectional. A PVLAN trunk port’s membership in the interswitch isolated VLAN is egress-only, meaning that an isolated port can forward packets to a PVLAN trunk port, but a PVLAN trunk port does not forward packets to an isolated port (unless the packets ingressed on a promiscuous access port and are therefore being forwarded to all the secondary VLANs in the same primary VLAN as the promiscuous port).

  • Secondary VLAN trunk port—Secondary VLAN trunk ports carry secondary VLAN traffic. For a given private (primary) VLAN, a secondary VLAN trunk port can carry traffic for only one secondary VLAN. However, a secondary VLAN trunk port can carry traffic for multiple secondary VLANs as long as each secondary VLAN is a member of a different primary VLAN. For example, a secondary VLAN trunk port can carry traffic for a community VLAN that is part of primary VLAN pvlan100 and also carry traffic for an isolated VLAN that is part of primary VLAN pvlan400.

    Note:

    When traffic egresses from a secondary VLAN trunk port, it normally carries the tag of the primary VLAN that the secondary port is a member of. If you want traffic that egresses from a secondary VLAN trunk port to retain its secondary VLAN tag, use the extend-secondary-vlan-id statement.

  • Community port—Community ports communicate among themselves and with their promiscuous ports. Community ports serve only a select group of users. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

  • Isolated access port—Isolated ports have Layer 2 connectivity only with promiscuous ports and PVLAN trunk ports. An isolated access port cannot communicate with another isolated port even if these two ports are members of the same isolated VLAN.

  • Promiscuous access port—These ports carry untagged traffic and can be a member of only one primary VLAN. Traffic that ingresses on a promiscuous access port is forwarded to the ports of the secondary VLANs that are members of the primary VLAN that the promiscuous access port is a member of. In this case, the traffic carries the appropriate secondary VLAN tag when it egresses from the secondary VLAN port if the secondary VLAN port is a trunk port. If traffic ingresses on a secondary VLAN port and egresses on a promiscuous access port, the traffic is untagged on egress. If tagged traffic ingresses on a promiscuous access port, the traffic is discarded.

Secondary VLAN Trunk Port Details

When using a secondary VLAN trunk port, be aware of the following:

  • You must configure an isolation VLAN ID for each primary VLAN that the secondary VLAN trunk port will participate in. This is true even if the secondary VLANs that the secondary VLAN trunk port will carry are confined to a single device.

  • If you configure a port to be a secondary VLAN trunk port for a given primary VLAN, you can also configure the same physical port to be any of the following:

    • Secondary VLAN trunk port for another primary VLAN

    • PVLAN trunk for another primary VLAN

    • Promiscuous trunk port

    • Access port for a non-private VLAN

  • Traffic that ingresses on a secondary VLAN trunk port (with a secondary VLAN tag) and egresses on a PVLAN trunk port retains the secondary VLAN tag on egress.

  • Traffic that ingresses on a secondary VLAN trunk port and egresses on a promiscuous trunk port has the appropriate primary VLAN tag on egress.

  • Traffic that ingresses on a secondary VLAN trunk port and egresses on a promiscuous access port is untagged on egress.

  • Traffic that ingresses on a promiscuous trunk port with a primary VLAN tag and egresses on a secondary VLAN trunk port carries the appropriate secondary VLAN tag on egress. For example, assume that you have configured the following on a switch:

    • Primary VLAN 100

    • Community VLAN 200 as part of the primary VLAN

    • Promiscuous trunk port

    • Secondary trunk port that carries community VLAN 200

    If a packet ingresses on the promiscuous trunk port with primary VLAN tag 100 and egresses on the secondary VLAN trunk port, it carries tag 200 on egress.

Use Cases

On the same physical interface, you can configure multiple secondary VLAN trunk ports (in different primary VLANs) or combine a secondary VLAN trunk port with other types of VLAN ports. The following use cases provide examples of doing this and show how traffic would flow in each case:

Secondary VLAN Trunks In Two Primary VLANs

For this use case, assume you have two switches with the following configuration:

  • Primary VLAN pvlan100 with tag 100.

    • Isolated VLAN isolated200 with tag 200 is a member of pvlan100.

    • Community VLAN comm300 with tag 300 is a member of pvlan100.

  • Primary VLAN pvlan400 with tag 400.

    • Isolated VLAN isolated500 with tag 500 is a member of pvlan400.

    • Community VLAN comm600 with tag 600 is a member of pvlan400.

  • Interface xe-0/0/0 on Switch 1 connects to a VMware server (not shown) that is configured with the private VLANs used in this example. This interface is configured with secondary VLAN trunk ports to carry traffic for secondary VLAN comm600 and the isolated VLAN (tag 200) that is a member of pvlan100.

  • Interface xe-0/0/0 on Switch 2 is shown configured as a promiscuous trunk port or promiscuous access port. In the latter case, you can assume that it connects to a system (not shown) that does not support trunk ports but is configured with the private VLANs used in this example.

  • On Switch 1, xe-0/0/6 is a member of comm600 and is configured as a trunk port.

  • On Switch 2, xe-0/0/6 is a member of comm600 and is configured as an access port.

Figure 10 shows this topology and how traffic for isolated200 and comm600 would flow after ingressing on xe-0/0/0 on Switch 1. Note that traffic would flow only where the arrows indicate. For example, there are no arrows for interfaces xe-0/0/2, xe-0/0/3, and xe-0/0/5 on Switch 1 because no packets would egress on those interfaces.

Figure 10: Two Secondary VLAN Trunk Ports on One Interface

Here is the traffic flow for VLAN isolated200:

  1. After traffic for isolated200 ingresses on the secondary VLAN trunk port on Switch 1, it egresses on the PVLAN trunk port because the PVLAN trunk port is a member of all the VLANs. The packets keep the secondary VLAN tag (200) when egressing.
  2. After traffic for isolated200 ingresses on the PVLAN trunk port on Switch 2, it egresses on xe-0/0/0, which is configured as a promiscuous trunk port or promiscuous access port.
    • If xe-0/0/0 on Switch 2 is configured as a promiscuous trunk port, the packets egress on this port with the primary VLAN tag (100).

    • If xe-0/0/0 on Switch 2 is configured as a promiscuous access port, the packets egress on this port untagged.

Note that traffic for VLAN isolated200 does not egress on isolated access port xe-0/0/2 on Switch 1 or secondary VLAN trunk port xe-0/0/2 on Switch 2 even though these two ports are members of the same isolated VLAN.

Here is the traffic flow for VLAN comm600:

  1. After traffic for comm600 ingresses on the secondary VLAN trunk port on Switch 1, it egresses on the PVLAN trunk port because the PVLAN trunk port is a member of all the VLANs. The packets keep the secondary VLAN tag (600) when egressing.

  2. Traffic for comm600 also egresses on community port xe-0/0/6 on Switch 1. The traffic is tagged because the port is configured as a trunk.

  3. After traffic for comm600 ingresses on the PVLAN trunk port on Switch 2, it egresses on xe-0/0/0, if this interface is configured as a promiscuous trunk port.

    Note:

    If xe-0/0/0 on Switch 2 is configured as a promiscuous access port, the port can participate in only one primary VLAN. In this case, the promiscuous access port is part of pvlan100, so traffic for comm600 does not egress from it.

  4. Traffic for comm600 also egresses on community port xe-0/0/6 on Switch 2. In this case, the traffic is untagged because the port mode is access.

Secondary VLAN Trunk and Promiscuous Trunk

For this use case, assume you have two switches configured with the same ports and VLANs as in the previous use case, with one exception: In this case, xe-0/0/0 on Switch 1 is configured as a secondary VLAN trunk port for VLAN pvlan100 and is also configured as a promiscuous trunk port for pvlan400.

Figure 11 shows this topology and how traffic for isolated200 (member of pvlan100) and comm600 (member of pvlan400) would flow after ingressing on Switch 1.

Figure 11: Secondary VLAN Trunk and Promiscuous Trunk on One Interface

The traffic flow for VLAN isolated200 is the same as in the previous use case, but the flow for comm600 is different. Here is the traffic flow for VLAN comm600:

  1. After traffic for comm600 ingresses on community VLAN port xe-0/0/6 on Switch 1, it egresses on promiscuous trunk port xe-0/0/0 on Switch 1. In this case it carries the primary VLAN tag (400).
  2. Traffic for comm600 also egresses on the PVLAN trunk port because the PVLAN trunk port is a member of all the VLANs. The packets keep the secondary VLAN tag (600) when egressing.
  3. After traffic for comm600 ingresses on the PVLAN trunk port on Switch 2, it egresses on xe-0/0/0, if this interface is configured as a promiscuous trunk port.

    It does not egress on xe-0/0/0 if this interface is configured as a promiscuous access port because the port can participate only in pvlan100.

  4. Traffic for comm600 also egresses on community port xe-0/0/6 on Switch 2.

Secondary VLAN Trunk and PVLAN Trunk

For this use case, assume you have two switches configured with the same ports and VLANs as in the previous use cases except that xe-0/0/0 on Switch 1 is configured as a secondary VLAN trunk port for VLAN pvlan100 and is also configured as a PVLAN trunk port for pvlan400.

Figure 12 shows this topology and how traffic for comm300 (member of pvlan100) and comm600 (member of pvlan400) would flow after ingressing on Switch 1.

Figure 12: Secondary VLAN Trunk and PVLAN Trunk on One Interface

Here is the traffic flow for VLAN comm300:

  1. After traffic for comm300 ingresses on community port xe-0/0/3 on Switch 1, it egresses on PVLAN trunk port xe-0/0/1 because that PVLAN trunk port is a member of all the VLANs. The packets keep the secondary VLAN tag (300) when egressing.
    Note:

    Traffic for comm300 does not egress on xe-0/0/0 because the secondary VLAN trunk port on this interface carries isolated200, not comm300.

  2. After traffic for comm300 ingresses on the PVLAN trunk port on Switch 2, it egresses on xe-0/0/0, which is configured as a promiscuous trunk port or promiscuous access port.
    • If xe-0/0/0 on Switch 2 is configured as a promiscuous trunk port, the packets egress on this port with the primary VLAN tag (100).

    • If xe-0/0/0 on Switch 2 is configured as a promiscuous access port, the packets egress on this port untagged.

  3. Traffic for comm300 also egresses on community port xe-0/0/3 on Switch 2.

Here is the traffic flow for VLAN comm600:

  1. After traffic for comm600 ingresses on the PVLAN trunk port xe-0/0/0 on Switch 1, it egresses on the community port xe-0/0/6 on Switch 1. The packets keep the secondary VLAN tag (600) when egressing because xe-0/0/6 is a trunk port.

  2. Traffic for comm600 also egresses on PVLAN trunk port xe-0/0/1 because that PVLAN trunk port is a member of all the VLANs. The packets keep the secondary VLAN tag (600) when egressing.

  3. After traffic for comm600 ingresses on the PVLAN trunk port on Switch 2, it egresses on xe-0/0/0, if this interface is configured as a promiscuous trunk port.

    It does not egress on xe-0/0/0 if this interface is configured as a promiscuous access port because the port can participate only in pvlan100.

  4. Traffic for comm600 also egresses on community port xe-0/0/6 on Switch 2. This traffic is untagged on egress because xe-0/0/6 is an access port.

Secondary VLAN Trunk and Non-Private VLAN Interface

For this use case, assume you have two switches configured with the same ports and VLANs as in the previous use cases except for these differences:

  • Configuration for xe-0/0/0 on Switch 1:

    • Secondary VLAN trunk port for VLAN pvlan100

    • Access port for vlan700

  • Port xe-0/0/6 on both switches is an access port for vlan700.

Figure 13 shows this topology and how traffic for isolated200 (member of pvlan100) and vlan700 would flow after ingressing on Switch 1.

Figure 13: Secondary VLAN Trunk and Non-Private VLAN Port on One Interface

Here is the traffic flow for VLAN isolated200:

  1. After traffic for isolated200 ingresses on the secondary VLAN trunk port on Switch 1, it egresses on the PVLAN trunk port. The packets keep the secondary VLAN tag (200) when egressing.
  2. After traffic for isolated200 ingresses on the PVLAN trunk port on Switch 2, it egresses on xe-0/0/0, which is configured as a promiscuous trunk port or promiscuous access port.
    • If xe-0/0/0 on Switch 2 is configured as a promiscuous trunk port, the packets egress on this port with the primary VLAN tag (100).

    • If xe-0/0/0 on Switch 2 is configured as a promiscuous access port, the packets egress on this port untagged.

Note that traffic for VLAN isolated200 does not egress on isolated access port xe-0/0/2 on Switch 1 or secondary VLAN trunk port xe-0/0/2 on Switch 2 even though these two ports are members of the same isolated VLAN.

After traffic for vlan700 ingresses on the access port configured on xe-0/0/0 on Switch 1, it egresses on access port xe-0/0/6 because that port is a member of the same VLAN. Traffic for vlan700 is not forwarded to Switch 2 (even though xe-0/0/6 on Switch 2 is a member of vlan700) because the PVLAN trunk on xe-0/0/1 does not carry this VLAN.

Traffic Ingressing on Promiscuous Access Port

For this use case, assume you have two switches configured with the same ports and VLANs as in the previous use case except that xe-0/0/0 on Switch 1 is configured as a promiscuous access port and is a member of pvlan100. Figure 14 shows this topology and how untagged traffic would flow after ingressing through this interface on Switch 1.

Figure 14: Traffic Ingressing on Promiscuous Access Port

As the figure shows, untagged traffic that ingresses on a promiscuous access port is forwarded to all the secondary VLAN ports that are members of the same primary VLAN that the promiscuous access port is a member of. The traffic is untagged when it egresses from access ports and tagged on egress from a trunk port (xe-0/0/2 on Switch 2).
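The following is an added example, not configuration from the original page, showing how Switch 1 of the Figure 10 topology can be expressed in ELS-style Junos set commands. It uses the VLAN names, tags and interface numbers of that use case; the comm300 member port on xe-0/0/3 is an assumption, and the extend-secondary-vlan-id statement mentioned earlier is not shown. Both primary VLANs declare an isolated VLAN before xe-0/0/0 is made a secondary VLAN trunk port, as the Secondary VLAN Trunk Port Details section requires.

```junos
# Added example for Switch 1 of Figure 10 (ELS syntax). Not taken from the page;
# the xe-0/0/3 community port is an assumption.

# Primary VLAN pvlan100 with its isolated and community VLANs
set vlans pvlan100 vlan-id 100
set vlans isolated200 vlan-id 200
set vlans isolated200 private-vlan isolated
set vlans comm300 vlan-id 300
set vlans comm300 private-vlan community
set vlans pvlan100 isolated-vlan isolated200
set vlans pvlan100 community-vlans comm300

# Primary VLAN pvlan400 with its isolated and community VLANs.
# The isolated VLAN is mandatory here even though xe-0/0/0 only carries comm600 for pvlan400.
set vlans pvlan400 vlan-id 400
set vlans isolated500 vlan-id 500
set vlans isolated500 private-vlan isolated
set vlans comm600 vlan-id 600
set vlans comm600 private-vlan community
set vlans pvlan400 isolated-vlan isolated500
set vlans pvlan400 community-vlans comm600

# xe-0/0/0: secondary VLAN trunk port toward the VMware host.
# One secondary VLAN per primary VLAN: isolated200 (from pvlan100) and comm600 (from pvlan400).
# Adding comm300 as well would be a second secondary VLAN of pvlan100 on the same port,
# which the one-secondary-per-primary rule forbids.
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members isolated200
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members comm600

# xe-0/0/1: PVLAN trunk (inter-switch link) carrying both primary VLANs to Switch 2
set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members pvlan100
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members pvlan400
set interfaces xe-0/0/1 unit 0 family ethernet-switching inter-switch-link

# xe-0/0/2: isolated access port in isolated200 (never receives isolated200 traffic from xe-0/0/0)
set interfaces xe-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members isolated200

# xe-0/0/3: community access port in comm300 (assumed; not reached by isolated200 or comm600)
set interfaces xe-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/3 unit 0 family ethernet-switching vlan members comm300

# xe-0/0/6: community port in comm600, configured as a trunk so comm600 egresses tagged 600
set interfaces xe-0/0/6 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/6 unit 0 family ethernet-switching vlan members comm600
```

After committing, use show vlans extensive and check that xe-0/0/0.0 is listed as a member of isolated200 and comm600 but not of comm300, and that xe-0/0/1.0 is listed under both primary VLANs. If the commit fails on xe-0/0/0, the usual cause is a primary VLAN without an isolated-vlan statement.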

Using 802.1X Authentication and Private VLANs Together on the Same Interface

Understanding Using 802.1X Authentication and PVLANs Together on the Same Interface

You can now configure both 802.1X authentication and private VLANs (PVLANs) on the same interface.

IEEE 802.1X authentication provides network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from a supplicant (client) at the interface until the supplicant's credentials are presented and matched on the authentication server (a RADIUS server).

Private VLANs (PVLANs) provide Layer 2 isolation between ports within a VLAN, splitting a broadcast domain into multiple discrete broadcast subdomains by creating secondary VLANs. PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the communication between known hosts.

On a switch that is configured with both 802.1X authentication and PVLANs, when a new device is attached to the PVLAN network, the device is authenticated and then is assigned to a secondary VLAN based on the PVLAN configuration or RADIUS profile. The device then obtains an IP address and is given access to the PVLAN network.

Note:

This document does not provide detailed information about 802.1X authentication or private VLANs. For those details, see the feature documentation that is specific to those individual features. For 802.1X, see User Access and Authentication User Guide. For PVLANs, see Ethernet Switching User Guide.

Configuration Guidelines for Combining 802.1X Authentication with PVLANs

Keep the following guidelines and limitations in mind for configuring these two features on the same interface:

  • You cannot configure an 802.1X-enabled interface as a promiscuous interface (an interface that is a member of the primary VLAN by configuration) or as an interswitch-link (ISL) interface.

  • Multiple users cannot be authenticated over different VLANs belonging to the same PVLAN domain on a logical interface—for example, if interface ge-0/0/0 is configured as supplicant multiple and clients C1 and C2 are authenticated and are added to dynamic VLANs V1 and V2, respectively, then V1 and V2 must belong to different PVLAN domains.

  • If the VoIP VLAN and the data VLAN are different, those two VLANs must be in different PVLAN domains.

  • When PVLAN membership is changed (that is, an interface is reconfigured in a different PVLAN), clients must be reauthenticated.

Example: Configuring 802.1X Authentication with Private VLANs in One Configuration

Requirements

  • Junos OS Release 18.2R1 or later

  • EX2300, EX3400, or EX4300 switch

Before you begin, specify the RADIUS server or servers to be used as the authentication server. See Specifying RADIUS Server Connections on Switches (CLI Procedure).

Overview

The following configuration section shows the access profile configuration, the 802.1X authentication configuration, and finally the VLANs (including PVLANs) configuration.

Configuring 802.1X Authentication with Private VLANs in One Configuration

Procedure
CLI Quick Configuration
Step-by-Step Procedure

To configure 802.1X authentication and PVLANs in one configuration:

  1. Configure the access profile:

    Note:

    The configured VoIP VLAN cannot be a PVLAN (primary, community, or isolated).

  2. Configure the 802.1X settings:

    Note:

    The configured data VLAN could also be a community VLAN or an isolated VLAN.

  3. Configure the VLANs (including the PVLANs):
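The three steps above, combined into one added example in ELS syntax for an EX2300/EX3400/EX4300. This is not the page's own configuration: the RADIUS server address and secret, the profile name pvlan-dot1x, the VLAN IDs and the interface numbers are assumptions. 802.1X is enabled only on community access ports; the promiscuous uplink is left without 802.1X, as the guidelines above require.

```junos
# Added example, not the page's own configuration (ELS syntax).
# Assumed: RADIUS server 10.1.1.10, secret "radius-secret", profile pvlan-dot1x,
# VLAN IDs 100/110/120, interfaces ge-0/0/0 (uplink), ge-0/0/11 and ge-0/0/12 (clients).

# 1. Access profile pointing at the RADIUS server
set access radius-server 10.1.1.10 secret "radius-secret"
set access profile pvlan-dot1x authentication-order radius
set access profile pvlan-dot1x radius authentication-server 10.1.1.10

# 2. 802.1X on the client-facing community ports only.
#    The promiscuous uplink ge-0/0/0 is NOT an authenticator interface
#    (an 802.1X-enabled interface cannot be promiscuous or an ISL).
set protocols dot1x authenticator authentication-profile-name pvlan-dot1x
set protocols dot1x authenticator interface ge-0/0/11.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/12.0 supplicant multiple

# 3. The PVLAN: primary vlan-pri, community vlan-hr, isolated vlan-iso
set vlans vlan-pri vlan-id 100
set vlans vlan-hr vlan-id 110
set vlans vlan-hr private-vlan community
set vlans vlan-iso vlan-id 120
set vlans vlan-iso private-vlan isolated
set vlans vlan-pri community-vlans vlan-hr
set vlans vlan-pri isolated-vlan vlan-iso

# Promiscuous trunk toward the router: a trunk that is a member of the primary VLAN
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-pri

# Authenticated client ports; their data VLAN is the community VLAN vlan-hr
set interfaces ge-0/0/11 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members vlan-hr
set interfaces ge-0/0/12 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members vlan-hr
```

If a RADIUS profile returns a dynamic VLAN for a client, keep the guideline above in mind: two clients on one supplicant-multiple interface may not be placed in different VLANs of the same PVLAN domain, so a returned VLAN should either be vlan-hr itself or a VLAN outside this PVLAN.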

Results

From configuration mode, confirm your configuration by entering the following show commands on the switch. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Verification

Verify That Client MAC Addresses Are Learned on the Primary VLAN
Purpose

Show that a client MAC address has been learned on the primary VLAN.

Action
Verify That the Primary VLAN Is an Authenticated VLAN
Purpose

Show that the primary VLAN is shown as an authenticated VLAN.

Action

Putting Access Port Security on Private VLANs

Understanding Access Port Security on PVLANs

You can now enable access port security features, such as DHCP snooping, on private VLANs (PVLANs).

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The PVLAN feature allows you to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN.

Ethernet LANs are vulnerable to attacks such as address spoofing (forging) and Layer 2 denial of service (DoS) on network devices. The following access port security features help protect your device against losses of information and productivity that such attacks can cause, and you can now configure these security features on a PVLAN:

  • DHCP snooping—Filters and blocks ingress DHCP server messages on untrusted ports. DHCP snooping builds and maintains a database of DHCP lease information, which is called the DHCP snooping database.

  • DHCPv6 snooping—DHCP snooping for IPv6.

  • DHCP option 82—Also known as the DHCP Relay Agent Information option. Helps protect the switch against attacks such as spoofing of IP addresses and MAC addresses and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client. The DHCP server uses this information to assign IP addresses or other parameters to the client.

  • DHCPv6 options:

    • Option 37—Remote ID option for DHCPv6; inserts information about the network location of the remote host into DHCPv6 packets.

    • Option 18—Circuit ID option for DHCPv6; inserts information about the client port into DHCPv6 packets.

    • Option 16—Vendor ID option for DHCPv6; inserts information about the vendor of the client hardware into DHCPv6 packets.

  • Dynamic ARP inspection (DAI)—Prevents Address Resolution Protocol (ARP) spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made on the basis of the results of those comparisons.

  • IP source guard—Mitigates the effects of IP address spoofing attacks on the Ethernet LAN; validates the source IP address in the packet sent from an untrusted access interface against the DHCP snooping database. If the packet cannot be validated, it is discarded.

  • IPv6 source guard—IP source guard for IPv6.

  • IPv6 neighbor discovery inspection—Prevents IPv6 address spoofing attacks; compares neighbor discovery requests and replies against entries in the DHCPv6 snooping database, and filtering decisions are made on the basis of the results of those comparisons.

Note:

This document does not provide detailed information about access port security features or PVLANs. For those details, see the feature documentation that is specific to those individual features. For access port security, see Security Services Administration Guide. For PVLANs, see Ethernet Switching User Guide.

Configuration Guidelines for Putting Access Port Security Features on PVLANs

Keep the following guidelines and limitations in mind for configuring access port security features on PVLANs:

  • You must apply the same access port security features on both the primary VLAN and all its secondary VLANs.

  • A PVLAN can have only one integrated routing and bridging (IRB) interface, and the IRB interface must be on the primary VLAN.

  • Limitations on access port security configurations on PVLANs are the same as those for access port security features configurations that are not in PVLANs. See the access port security documentation at Security Services Administration Guide.

Example: Configuring Access Port Security on a PVLAN

Requirements

  • Junos OS Release 18.2R1 or later

  • EX4300 switch

Overview

The following configuration section shows:

  • Configuration of a private VLAN, with the primary VLAN (vlan-pri) and its three secondary VLANs—community VLANs (vlan-hr and vlan-finance) and isolated VLAN (vlan-iso).

  • Configuration of the interfaces that are used to send communications between the interfaces on those VLANs.

  • Configuration of access security features on the primary and secondary VLANs that make up the PVLAN.

Figure 15: Topology

Table 5 lists the settings for the example topology.

Table 5: Components of the Topology for Configuring a PVLAN with Access Port Security Features

Interface     Description
ge-0/0/0.0    Primary VLAN (vlan-pri) trunk interface
ge-0/0/11.0   User 1, HR Community (vlan-hr)
ge-0/0/12.0   User 2, HR Community (vlan-hr)
ge-0/0/13.0   User 3, Finance Community (vlan-finance)
ge-0/0/14.0   User 4, Finance Community (vlan-finance)
ge-0/0/15.0   Mail server, Isolated (vlan-iso)
ge-0/0/16.0   Backup server, Isolated (vlan-iso)
ge-1/0/0.0    Primary VLAN (vlan-pri) trunk interface

Configuring Access Port Security on a PVLAN

Procedure
CLI Quick Configuration
Step-by-Step Procedure

To configure a private VLAN (PVLAN) and then configure access port security features on that PVLAN:

  1. Configure the PVLAN—Create the primary VLAN and its secondary VLANs and assign VLAN IDs to them. Associate interfaces with the VLANs. (For details on configuring VLANs, see Configuring VLANs for EX Series Switches with ELS Support (CLI Procedure).)

  2. Configure access port security features on the primary VLAN and all its secondary VLANs:

    Note:

    When you configure ARP inspection, IP source guard, IPv6 source guard, neighbor discovery inspection, DHCP option 82, or DHCPv6 options, then DHCP snooping and DHCPv6 snooping are automatically configured.
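Both steps above, carried through as one added example for the Table 5 topology in EX4300 ELS syntax. This is not the page's own configuration: the VLAN IDs, the trusted-group name uplinks, and the choice of features (ARP inspection, IP source guard, option 82) are assumptions. The same features are applied to the primary VLAN and to each of its three secondary VLANs, as the guidelines require; the trunk uplinks are marked trusted on the primary VLAN, which is where they are members.

```junos
# Added example, not the page's own configuration (EX4300, ELS syntax).
# Assumed: VLAN IDs 100/110/120/130, group name "uplinks".

# 1. The PVLAN: primary vlan-pri, community VLANs vlan-hr and vlan-finance, isolated vlan-iso
set vlans vlan-pri vlan-id 100
set vlans vlan-hr vlan-id 110
set vlans vlan-hr private-vlan community
set vlans vlan-finance vlan-id 120
set vlans vlan-finance private-vlan community
set vlans vlan-iso vlan-id 130
set vlans vlan-iso private-vlan isolated
set vlans vlan-pri community-vlans vlan-hr
set vlans vlan-pri community-vlans vlan-finance
set vlans vlan-pri isolated-vlan vlan-iso

# Primary VLAN trunk interfaces (Table 5)
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-pri
set interfaces ge-1/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-1/0/0 unit 0 family ethernet-switching vlan members vlan-pri

# Community and isolated access interfaces (Table 5)
set interfaces ge-0/0/11 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members vlan-hr
set interfaces ge-0/0/12 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members vlan-hr
set interfaces ge-0/0/13 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members vlan-finance
set interfaces ge-0/0/14 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members vlan-finance
set interfaces ge-0/0/15 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan-iso
set interfaces ge-0/0/16 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/16 unit 0 family ethernet-switching vlan members vlan-iso

# 2. Identical access port security on the primary VLAN and on every secondary VLAN.
#    arp-inspection and ip-source-guard switch on DHCP snooping implicitly (see the note above),
#    so no separate snooping statement is needed.
set vlans vlan-pri forwarding-options dhcp-security arp-inspection
set vlans vlan-pri forwarding-options dhcp-security ip-source-guard
set vlans vlan-pri forwarding-options dhcp-security option-82 circuit-id
set vlans vlan-hr forwarding-options dhcp-security arp-inspection
set vlans vlan-hr forwarding-options dhcp-security ip-source-guard
set vlans vlan-hr forwarding-options dhcp-security option-82 circuit-id
set vlans vlan-finance forwarding-options dhcp-security arp-inspection
set vlans vlan-finance forwarding-options dhcp-security ip-source-guard
set vlans vlan-finance forwarding-options dhcp-security option-82 circuit-id
set vlans vlan-iso forwarding-options dhcp-security arp-inspection
set vlans vlan-iso forwarding-options dhcp-security ip-source-guard
set vlans vlan-iso forwarding-options dhcp-security option-82 circuit-id

# Trust the uplinks toward the DHCP server so their DHCP server replies are not dropped.
# All member ports not in this group stay untrusted, which is what you want for user ports.
set vlans vlan-pri forwarding-options dhcp-security group uplinks overrides trusted
set vlans vlan-pri forwarding-options dhcp-security group uplinks interface ge-0/0/0.0
set vlans vlan-pri forwarding-options dhcp-security group uplinks interface ge-1/0/0.0
```

Without the trusted group, a DHCP OFFER arriving on ge-0/0/0.0 is treated as a server message on an untrusted port and dropped, so clients never obtain a lease and every ARP inspection check fails for lack of a binding. For IPv6 clients, the dhcpv6-options, neighbor-discovery-inspection and ipv6-source-guard statements under the same forwarding-options dhcp-security hierarchy are the counterparts of the three IPv4 features used here.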

Results

From configuration mode, confirm your configuration by entering the following show commands on the switch. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Verification

Verify That Access Security Features Are Working as Expected
Purpose

Verify that the access port security features that you configured on your PVLAN are working as expected.

Action

Use the show dhcp-security and the clear dhcp-security CLI commands to verify that the features are working as expected. See details about those commands in Security Services Administration Guide.

Creating a Private VLAN on a Single Switch with ELS Support (CLI Procedure)

Note:

This task uses Junos OS for switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your EX Series switch runs software that does not support ELS, see Creating a Private VLAN on a Single EX Series Switch (CLI Procedure). For ELS details, see Using the Enhanced Layer 2 Software CLI.

Note:

Private VLANs are not supported on QFX5100 switches and QFX10002 switches running Junos OS Release 15.1X53.

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic or limit the communication between known hosts. Private VLANs (PVLANs) enable you to split a broadcast domain (primary VLAN) into multiple isolated broadcast subdomains (secondary VLANs), essentially putting a VLAN inside a VLAN. This procedure describes how to create a PVLAN on a single switch.

Note:

You must specify a VLAN ID for each secondary VLAN even if the PVLAN is configured on a single switch.

You do not need to preconfigure the primary VLAN. This topic shows the primary VLAN being configured as part of this PVLAN configuration procedure.

For a list of guidelines on configuring PVLANs, see Understanding Private VLANs.

To configure a private VLAN on a single switch:

  1. Set the VLAN ID for the primary VLAN:
  2. Configure at least one interface within the primary VLAN so that it communicates with all the subdomains of the PVLAN. This interface functions as a promiscuous port. It can be either a trunk port or an access port.
  3. Configure another promiscuous interface of the primary VLAN as a trunk port to connect the PVLAN to the external router or switch:
  4. Create an isolated VLAN by selecting the isolated option for private-vlan, and setting a VLAN ID for the isolated VLAN:
    Note:

    You can create only one isolated VLAN within a private VLAN. Setting the VLAN name for the isolated VLAN is optional. Configuring the VLAN ID is required.

  5. Create a community VLAN by selecting the community option for private-vlan, and setting a VLAN ID for this community VLAN:
    Note:

    To create additional community VLANs, repeat this step and specify a different name for the community VLAN. Setting the VLAN name for the community VLAN is optional. Configuring the VLAN ID is required.

  6. Associate the isolated VLAN with the primary VLAN:
  7. Associate each community VLAN with the primary VLAN:
  8. If you have not already done so, configure at least one interface of the isolated VLAN.
  9. If you have not already done so, configure at least one interface of the community VLAN.
    Note:

    Repeat the same step on other community VLANs that you want to include in the PVLAN.

Creating a Private VLAN on a Single QFX Switch

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature allows you to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a secondary VLAN inside a primary VLAN. This topic describes how to configure a PVLAN on a single switch.

Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (You do not need to preconfigure the primary VLAN—it is configured as part of this procedure.) You do not need to create VLAN IDs (tags) for the secondary VLANs. It does not impair functioning if you tag the secondary VLANs, but tags are not used when secondary VLANs are configured on a single switch.

Keep these rules in mind when configuring a PVLAN:

  • The primary VLAN must be a tagged VLAN.

  • If you are going to configure a community VLAN, you must first configure the primary VLAN and the PVLAN trunk port. You must also configure the primary VLAN to be private using the pvlan statement.

  • If you are going to configure an isolated VLAN, you must first configure the primary VLAN and the PVLAN trunk port.

If you complete your configuration steps in the order shown, you will not violate these PVLAN rules. To configure a private VLAN on a single switch:

  1. Set the name and VLAN ID (802.1Q tag) for the primary VLAN:
  2. Configure the VLAN to be private:
  3. Configure the trunk interfaces for the primary VLAN:
  4. Add the trunk interfaces to the primary VLAN:
  5. Configure the access interfaces for the community (secondary) VLANs:
  6. Add the access interfaces to the community VLANs:
  7. For each community VLAN, set the primary VLAN:
  8. Configure isolated ports:

Creating a Private VLAN on a Single EX Series Switch (CLI Procedure)

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches enables you to split a broadcast domain, also known as a primary VLAN, into multiple isolated broadcast subdomains, also known as secondary VLANs. Splitting the primary VLAN into secondary VLANs essentially nests a VLAN inside another VLAN. This topic describes how to configure a PVLAN on a single switch.

Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (Unlike the secondary VLANs, you do not need to preconfigure the primary VLAN—this procedure provides the complete configuration of the primary VLAN.) Although tags are not needed when a secondary VLAN is configured on a single switch, configuring a secondary VLAN as tagged does not adversely affect its functionality. For instructions on configuring the secondary VLANs, see Configuring VLANs for EX Series Switches.

Keep these rules in mind when configuring a PVLAN on a single switch:

  • The primary VLAN must be a tagged VLAN.

  • Configuring a VoIP VLAN on PVLAN interfaces is not supported.

To configure a private VLAN on a single switch:

  1. Set the VLAN ID for the primary VLAN:
  2. Set the interfaces and port modes:
  3. Configure the access ports in the primary VLAN to not forward packets to one another:
  4. For each community VLAN, configure access interfaces:
  5. For each community VLAN, set the primary VLAN:

Isolated VLANs are not configured as part of this process. Instead, an isolated VLAN is created internally when no-local-switching is enabled on the primary VLAN: the access interfaces that are members of the primary VLAN itself (rather than of a community VLAN) become its isolated ports.
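The five steps above, carried through as one added example in the non-ELS EX Series syntax (port-mode and no-local-switching). This is not the page's own configuration: the VLAN name pvlan with tag 1000, the community name community1 and the interface numbers are assumptions, so verify the statements against your release before use.

```junos
# Added example, not the page's own configuration (non-ELS EX Series syntax).
# Assumed: primary VLAN "pvlan" tag 1000, community "community1",
# ge-0/0/0 uplink to the router, ge-0/0/1..ge-0/0/4 host ports.

# 1. Primary VLAN with its 802.1Q tag (the primary VLAN must be tagged)
set vlans pvlan vlan-id 1000

# 2. Port modes: the router-facing port is a trunk, host ports are access ports
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access

#    Membership in the primary VLAN: the trunk (promiscuous) and the two hosts
#    that must not see each other
set vlans pvlan interface ge-0/0/0.0
set vlans pvlan interface ge-0/0/1.0
set vlans pvlan interface ge-0/0/2.0

# 3. Access ports of the primary VLAN must not forward to one another.
#    This is what turns ge-0/0/1 and ge-0/0/2 into isolated ports; no isolated
#    VLAN is declared explicitly.
set vlans pvlan no-local-switching

# 4. Community VLAN access interfaces
set vlans community1 interface ge-0/0/3.0
set vlans community1 interface ge-0/0/4.0

# 5. Tie the community VLAN to its primary VLAN
set vlans community1 primary-vlan pvlan
```

A quick check after commit: a host on ge-0/0/1 should reach the router through ge-0/0/0 but get no ARP reply from a host on ge-0/0/2, while the two community1 hosts on ge-0/0/3 and ge-0/0/4 can reach each other and the router. If the isolated hosts can still see each other, no-local-switching is missing or the ports ended up in a community VLAN.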

To optionally enable routing between isolated and community VLANs by using a routed VLAN interface (RVI) instead of a promiscuous port connected to a router, see Configuring a Routed VLAN Interface in a Private VLAN on an EX Series Switch.

Note:

Only an EX8200 switch or EX8200 Virtual Chassis support the use of an RVI to route Layer 3 traffic between isolated and community VLANs in a PVLAN domain.

Creating a Private VLAN Spanning Multiple QFX Series Switches

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature allows you to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a secondary VLAN inside a primary VLAN. This topic describes how to configure a PVLAN to span multiple switches.

Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (You do not need to preconfigure the primary VLAN—it is configured as part of this procedure.) You do not need to create VLAN IDs (tags) for the secondary VLANs. It does not impair functioning if you tag the secondary VLANs, but tags are not used when secondary VLANs are configured on a single switch.

The following rules apply to creating PVLANs:

  • The primary VLAN must be a tagged VLAN.

  • If you are going to configure a community VLAN, you must first configure the primary VLAN and the PVLAN trunk port. You must also configure the primary VLAN to be private using the pvlan statement.

  • If you are going to configure an isolated VLAN, you must first configure the primary VLAN and the PVLAN trunk port.

If you complete your configuration steps in the order shown, you will not violate these PVLAN rules. To configure a private VLAN to span multiple switches:

  1. Set the name and VLAN ID (802.1Q tag) for the primary VLAN:
  2. Configure the VLAN to be private:
  3. Configure the trunk interfaces for the primary VLAN:
  4. Add the trunk interfaces to the primary VLAN:
  5. Configure the access interfaces for the community (secondary) VLANs:
  6. Add the access interfaces to the community VLANs:
  7. For each community VLAN, set the primary VLAN:
  8. Configure an isolated VLAN ID to create an interswitch isolated domain that spans the switches:
  9. Configure isolated ports:
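The steps above, and the single-switch QFX procedure earlier on this page, carried through as one added example in the non-ELS QFX syntax (port-mode, pvlan, pvlan-trunk, isolation-id). This is not the page's own configuration: the VLAN names primary-vlan and community1, tag 100, isolation ID 50 and the interface numbers are assumptions, so verify the statements against your release. The same set of commands is entered on every switch the PVLAN spans; on a single switch, leave out the isolation-id statement.

```junos
# Added example, not the page's own configuration (non-ELS QFX syntax).
# Enter on every switch the PVLAN spans. Assumed names, tags and interfaces.

# 1. Primary VLAN with its 802.1Q tag (the primary VLAN must be tagged)
set vlans primary-vlan vlan-id 100

# 2. Make the primary VLAN private (required before any community VLAN can be attached)
set vlans primary-vlan pvlan

# 3. Trunk interfaces: xe-0/0/0 toward the router, xe-0/0/1 toward the next switch
set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/1 unit 0 family ethernet-switching port-mode trunk

# 4. Add the trunks to the primary VLAN; xe-0/0/1 is the PVLAN trunk that carries the
#    secondary VLANs between switches (also required before community VLANs are configured)
set vlans primary-vlan interface xe-0/0/0.0
set vlans primary-vlan interface xe-0/0/1.0 pvlan-trunk

# 5. Access interfaces for the community VLAN
set interfaces xe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces xe-0/0/3 unit 0 family ethernet-switching port-mode access

# 6. Add them to the community VLAN
set vlans community1 interface xe-0/0/2.0
set vlans community1 interface xe-0/0/3.0

# 7. Set the community VLAN's primary VLAN
set vlans community1 primary-vlan primary-vlan

# 8. Multi-switch only: the isolated domain shared across the switches.
#    Omit this line when the PVLAN lives on a single switch.
set vlans primary-vlan isolation-id 50

# 9. Isolated ports
set interfaces xe-0/0/5 unit 0 family ethernet-switching port-mode access
set vlans primary-vlan interface xe-0/0/5.0 isolated
```

The ordering matters for the commit: primary-vlan, its pvlan statement and the pvlan-trunk are in place before community1 is attached, which is the rule the procedure states. The isolation-id must be the same value on every switch, otherwise isolated traffic is not recognised as such when it crosses the PVLAN trunk.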

Creating a Private VLAN Spanning Multiple EX Series Switches with ELS Support (CLI Procedure)

Note:

This task uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Creating a Private VLAN Spanning Multiple EX Series Switches (CLI Procedure). For ELS details, see Using the Enhanced Layer 2 Software CLI.

Note:

Private VLANs are not supported on QFX5100 switches and QFX10002 switches running Junos OS Release 15.1X53.

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic or limit the communication between known hosts. Private VLANs (PVLANs) enable you to split a broadcast domain (primary VLAN) into multiple isolated broadcast subdomains (secondary VLANs), essentially putting a VLAN inside a VLAN. This procedure describes how to configure a PVLAN to span multiple switches.

For a list of guidelines on configuring PVLANs, see Understanding Private VLANs.

To configure a PVLAN to span multiple switches, perform the following procedure on all the switches that will participate in the PVLAN:

  1. Create the primary VLAN by setting a unique VLAN name and specifying an 802.1Q tag for the VLAN:
  2. On the switch that will connect to a router, configure a promiscuous interface as a trunk port to connect the PVLAN to the router:
  3. On all the switches, configure a trunk interface as the Inter-Switch Link (ISL) that will be used to connect the switches to each other:
  4. Create an isolated VLAN within the primary VLAN by selecting the isolated option for private-vlan and setting a VLAN ID for the isolated VLAN:
    Note:

    You can create only one isolated VLAN within a private VLAN. The isolated VLAN can contain member interfaces from the multiple switches that compose the PVLAN. Setting the VLAN name for the isolated VLAN is optional. Configuring the VLAN ID is required.

  5. Create a community VLAN within the primary VLAN by selecting the community option for private-vlan and setting a VLAN ID for this community VLAN:
    Note:

    To create additional community VLANs, repeat this step and specify a different name for the community VLAN. Setting the VLAN name for the community VLAN is optional. Configuring the VLAN ID is required.

  6. Associate the isolated VLAN with the primary VLAN:
  7. Associate each community VLAN with the primary VLAN:
  8. If you have not already done so, configure at least one access interface to be a member of the isolated VLAN.
  9. If you have not already done so, configure at least one access interface to be a member of the community VLAN.
    Note:

    Repeat this step for the other community VLANs that you are including in the PVLAN.

Creating a Private VLAN Spanning Multiple EX Series Switches (CLI Procedure)

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and even to limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches enables an administrator to split a broadcast domain, also known as a primary VLAN, into multiple isolated broadcast subdomains, also known as secondary VLANs. Splitting the primary VLAN into secondary VLANs essentially nests a VLAN inside another VLAN. This topic describes how to configure a PVLAN to span multiple switches.

Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (Unlike the secondary VLANs, you do not need to preconfigure the primary VLAN—this procedure provides the complete configuration of the primary VLAN.) For instructions on configuring the secondary VLANs, see Configuring VLANs for EX Series Switches.

The following rules apply to creating PVLANs:

  • The primary VLAN must be a tagged VLAN.

  • You must configure the primary VLAN and the PVLAN trunk port before configuring the secondary VLANs.

  • Configuring a VoIP VLAN on PVLAN interfaces is not supported.

  • If the Multiple VLAN Registration Protocol (MVRP) is configured on the PVLAN trunk port, the configuration of secondary VLANs and the PVLAN trunk port must be committed with the same commit operation.

To configure a private VLAN to span multiple switches:

  1. Configure a name and an 802.1Q tag for the primary VLAN:
  2. Set the primary VLAN to have no local switching:
  3. Set the PVLAN trunk interface that will connect the primary VLAN to the neighboring switch:
  4. Configure a name and 802.1Q tag for a community VLAN that spans the switches:
  5. Add access interfaces to the community VLAN:
  6. Specify the primary VLAN of the specified community VLAN:
  7. Add the isolated interface to the specified primary VLAN:
    Note:

    To configure an isolated interface, include it as one of the members of the primary VLAN, but do not configure it as belonging to one of the community VLANs.

  8. Set the 802.1Q tag of the interswitch isolated VLAN:

    802.1Q tags are required for interswitch isolated VLANs because the only thing that identifies a frame's VLAN on a trunk is the 4-byte 802.1Q tag that the sending switch inserts into the Ethernet header. Frames from isolated ports cross the PVLAN trunk carrying the interswitch isolated VLAN tag, which is how the neighboring switch recognizes them as isolated traffic and keeps them away from its own isolated ports.

To optionally enable routing between isolated and community VLANs by using a routed VLAN interface (RVI) instead of a promiscuous port connected to a router, see Configuring a Routed VLAN Interface in a Private VLAN on an EX Series Switch.

Note:

Only an EX8200 switch or EX8200 Virtual Chassis support the use of an RVI to route Layer 3 traffic between isolated and community VLANs in a PVLAN domain.
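The rules above (tagged primary VLAN, isolated interface as a member of the primary VLAN only, tags on anything that spans switches) are easy to break by hand, and the failure is silent: a port that was meant to be isolated but also lands in a community VLAN simply becomes a community port with community-wide reach. The following is an added example, not Juniper code or part of this documentation: a small Python pre-commit check that expresses those rules over a plain description of the intended layout. The layout it checks is Switch 1 from the later example, Configuring a Private VLAN Spanning Multiple QFX Switches, built from that example's tables; the dataclasses and the second, deliberately broken layout are assumptions of this example, not a Junos data model.

```python
"""Pre-commit check for a private VLAN layout.

Added example, not Juniper code: it expresses the rules this topic lists
(the primary VLAN must be tagged and marked private, an isolated port is a
member of the primary VLAN and of no community VLAN, and secondary VLANs
that span switches need 802.1Q tags) as checks over a plain Python
description of the intended layout, so a misconfiguration that would
quietly widen a port's reach is caught before the commit. The dataclasses
are an assumption of this example, not a Junos data model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PrimaryVlan:
    name: str
    vlan_id: Optional[int]                 # 802.1Q tag; None means untagged
    private: bool                          # pvlan / no-local-switching configured
    pvlan_trunks: frozenset = frozenset()  # PVLAN trunk interfaces to neighbouring switches
    members: frozenset = frozenset()       # access interfaces placed directly in the primary VLAN
    isolation_id: Optional[int] = None     # tag of the interswitch isolated VLAN


@dataclass
class CommunityVlan:
    name: str
    primary: str                           # name of the primary VLAN it belongs to
    members: frozenset = frozenset()
    vlan_id: Optional[int] = None


def lint_pvlan(primaries: Dict[str, PrimaryVlan],
               communities: List[CommunityVlan],
               intended_isolated: Dict[str, frozenset]) -> List[str]:
    """Return the rule violations found (an empty list means the layout is consistent).

    intended_isolated maps a primary VLAN name to the interfaces the operator
    expects to be isolated ports; the check is that each of them really is
    isolated, not merely that something is isolated.
    """
    findings = []
    community_of = {}                      # interface -> community VLAN it was first seen in
    for p in primaries.values():
        if p.vlan_id is None:
            findings.append(f"{p.name}: primary VLAN must carry an 802.1Q tag")
        if not p.private:
            findings.append(f"{p.name}: primary VLAN is not configured as private")
        isolated = intended_isolated.get(p.name, frozenset())
        if p.pvlan_trunks and isolated and p.isolation_id is None:
            findings.append(f"{p.name}: isolated ports spanning switches need an isolation VLAN tag")
        for ifc in sorted(isolated - p.members):
            findings.append(f"{ifc}: intended isolated port is not a member of {p.name}")
    for c in communities:
        p = primaries.get(c.primary)
        if p is None:
            findings.append(f"{c.name}: primary VLAN {c.primary} does not exist")
            continue
        if p.pvlan_trunks and c.vlan_id is None:
            findings.append(f"{c.name}: community VLAN spanning switches needs an 802.1Q tag")
        for ifc in sorted(c.members):
            if ifc in intended_isolated.get(p.name, frozenset()):
                # The mistake the topic warns about: the port is now a community
                # port and can reach every other port in that community.
                findings.append(f"{ifc}: intended isolated port is also in community VLAN {c.name}")
            if ifc in p.pvlan_trunks:
                findings.append(f"{ifc}: PVLAN trunk cannot also be a community access port")
            if ifc in community_of:
                findings.append(f"{ifc}: access port listed in two community VLANs "
                                f"({community_of[ifc]}, {c.name})")
            community_of.setdefault(ifc, c.name)
    return sorted(findings)


def switch1_layout():
    """Switch 1 of the multi-switch QFX example, built from its tables."""
    primary = PrimaryVlan("primary-vlan", 100, True,
                          pvlan_trunks=frozenset({"ge-0/0/0.0", "ge-0/0/5.0"}),
                          members=frozenset({"ge-0/0/15.0", "ge-0/0/16.0"}),
                          isolation_id=50)
    communities = [
        CommunityVlan("finance-comm", "primary-vlan", frozenset({"ge-0/0/11.0", "ge-0/0/12.0"}), 300),
        CommunityVlan("hr-comm", "primary-vlan", frozenset({"ge-0/0/13.0", "ge-0/0/14.0"}), 400),
    ]
    isolated = {"primary-vlan": frozenset({"ge-0/0/15.0", "ge-0/0/16.0"})}
    return primary, communities, isolated


def lint_switch1() -> List[str]:
    primary, communities, isolated = switch1_layout()
    return lint_pvlan({primary.name: primary}, communities, isolated)


def lint_misconfigured_switch1() -> List[str]:
    """Same layout with two slips (constructed): the primary VLAN left untagged,
    and the mail server port also added to hr-comm."""
    primary, communities, isolated = switch1_layout()
    primary.vlan_id = None
    communities[1].members = communities[1].members | {"ge-0/0/15.0"}
    return lint_pvlan({primary.name: primary}, communities, isolated)


if __name__ == "__main__":
    print(lint_switch1())                  # []
    for finding in lint_misconfigured_switch1():
        print(finding)
```

The check takes the operator's intent (which ports are supposed to be isolated) as a separate input on purpose: the switch cannot tell an isolated port that was accidentally placed in a community VLAN from an ordinary community port, so only a description of what was intended can catch that slip.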

Example: Configuring a Private VLAN on a Single Switch with ELS Support

Note:

This example uses Junos OS for switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your EX switch runs software that does not support ELS, see Example: Configuring a Private VLAN on a Single EX Series Switch. For ELS details, see Using the Enhanced Layer 2 Software CLI.

Note:

Private VLANs are not supported on QFX5100 switches and QFX10002 switches running Junos OS Release 15.1X53.

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic or limit the communication between known hosts. Private VLANs (PVLANs) enable you to split a broadcast domain (primary VLAN) into multiple isolated broadcast subdomains (secondary VLANs), essentially putting a VLAN inside a VLAN.

This example describes how to create a PVLAN on a single switch:

Requirements

This example uses the following hardware and software components:

  • One Junos OS switch

  • Junos OS Release 14.1X53-D10 or later for EX Series switches

    Junos OS Release 14.1X53-D15 or later for QFX Series switches

Overview and Topology

You can isolate groups of subscribers for improved security and efficiency. This configuration example uses a simple topology to illustrate how to create a PVLAN with one primary VLAN and three secondary VLANs (one isolated VLAN, and two community VLANs).

Table 6 lists the interfaces of the topology used in the example.

Table 6: Interfaces of the Topology for Configuring a PVLAN

  Interface               Description
  ge-0/0/0, ge-1/0/0      Promiscuous member ports
  ge-0/0/11, ge-0/0/12    HR community VLAN member ports
  ge-0/0/13, ge-0/0/14    Finance community VLAN member ports
  ge-0/0/15, ge-0/0/16    Isolated member ports

Table 7 lists the VLAN IDs of the topology used in the example.

Table 7: VLAN IDs in the Topology for Configuring a PVLAN

  VLAN ID   Description
  100       Primary VLAN
  200       HR community VLAN
  300       Finance community VLAN
  400       Isolated VLAN

Figure 16 shows the topology for this example.

Figure 16: Topology of a Private VLAN on a Single EX Series Switch

Configuration

You can use an existing VLAN as the basis for your PVLAN and create subdomains within it. This example instead creates a new primary VLAN, named vlan-pri, as part of the procedure.

To configure a PVLAN, perform these tasks:

CLI Quick Configuration

To quickly create and configure a PVLAN, copy the following commands and paste them into the switch terminal window:

Procedure

Step-by-Step Procedure

To configure the PVLAN:

  1. Create the primary VLAN (in this example, the name is vlan-pri) of the private VLAN:

  2. Create an isolated VLAN and assign it a VLAN ID:

  3. Create the HR community VLAN and assign it a VLAN ID:

  4. Create the finance community VLAN and assign it a VLAN ID:

  5. Associate the secondary VLANs with the primary VLAN:

  6. Set the interfaces to the appropriate interface modes:

  7. Configure a promiscuous trunk interface of the primary VLAN. This interface is used by the primary VLAN to communicate with the secondary VLANs.

  8. Configure another trunk interface (it is also a promiscuous interface) of the primary VLAN, connecting the PVLAN to the router.

Example: Configuring a Private VLAN on a Single QFX Series Switch

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and even to limit the communication between known hosts. The private VLAN (PVLAN) feature allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN.

This example describes how to create a PVLAN on a single switch:

Requirements

This example uses the following hardware and software components:

  • One QFX3500 device

  • Junos OS Release 12.1 or later for the QFX Series

Before you begin configuring a PVLAN, make sure you have created and configured the necessary VLANs. See Configuring VLANs on Switches.

Overview and Topology

In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows a simple topology to illustrate how to create a PVLAN with one primary VLAN and two community VLANs, one for HR and one for finance, as well as two isolated ports—one for the mail server and the other for the backup server.

Table 8 lists the settings for the sample topology.

Table 8: Components of the Topology for Configuring a PVLAN

  Interface     Description
  ge-0/0/0.0    Primary VLAN (pvlan100) trunk interface
  ge-0/0/11.0   User 1, HR community (hr-comm)
  ge-0/0/12.0   User 2, HR community (hr-comm)
  ge-0/0/13.0   User 3, Finance community (finance-comm)
  ge-0/0/14.0   User 4, Finance community (finance-comm)
  ge-0/0/15.0   Mail server, isolated (isolated)
  ge-0/0/16.0   Backup server, isolated (isolated)
  ge-1/0/0.0    Primary VLAN (pvlan100) trunk interface

Configuration

CLI Quick Configuration

To quickly create and configure a PVLAN, copy the following commands and paste them into the switch terminal window:

Procedure

Step-by-Step Procedure

To configure the PVLAN:

  1. Set the VLAN ID for the primary VLAN:

  2. Set the interfaces and port modes:

  3. Set the primary VLAN to have no local switching:

    Note:

    The primary VLAN must be a tagged VLAN.

  4. Add the trunk interfaces to the primary VLAN:

  5. For each secondary VLAN, configure access interfaces:

    Note:

    We recommend that the secondary VLANs be untagged VLANs. It does not impair functioning if you tag the secondary VLANs. However, the tags are not used when a secondary VLAN is configured on a single switch.

  6. For each community VLAN, set the primary VLAN:

  7. Configure the isolated interfaces in the primary VLAN:

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Private VLAN and Secondary VLANs Were Created

Purpose

Verify that the primary VLAN and secondary VLANs were properly created on the switch.

Action

Use the show vlans command:

Meaning

The output shows that the primary VLAN was created and identifies the interfaces and secondary VLANs associated with it.

Example: Configuring a Private VLAN on a Single EX Series Switch

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and even to limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN.

This example describes how to create a PVLAN on a single EX Series switch:

Note:

Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.

Requirements

This example uses the following hardware and software components:

  • One EX Series switch

  • Junos OS Release 9.3 or later for EX Series switches

Before you begin configuring a PVLAN, make sure you have created and configured the necessary VLANs. See Configuring VLANs for EX Series Switches.

Overview and Topology

In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows a simple topology to illustrate how to create a PVLAN with one primary VLAN and two community VLANs, one for HR and one for finance, as well as two isolated ports—one for the mail server and the other for the backup server.

Table 9 lists the settings for the example topology.

Table 9: Components of the Topology for Configuring a PVLAN

  Interface     Description
  ge-0/0/0.0    Primary VLAN (vlan1) trunk interface
  ge-0/0/11.0   User 1, HR community (hr-comm)
  ge-0/0/12.0   User 2, HR community (hr-comm)
  ge-0/0/13.0   User 3, Finance community (finance-comm)
  ge-0/0/14.0   User 4, Finance community (finance-comm)
  ge-0/0/15.0   Mail server, isolated (isolated)
  ge-0/0/16.0   Backup server, isolated (isolated)
  ge-1/0/0.0    Primary VLAN (pvlan) trunk interface

Figure 17 shows the topology for this example.

Figure 17: Topology of a Private VLAN on a Single EX Series Switch

Configuration

To configure a PVLAN, perform these tasks:

CLI Quick Configuration

To quickly create and configure a PVLAN, copy the following commands and paste them into the switch terminal window:

Procedure

Step-by-Step Procedure

To configure the PVLAN:

  1. Set the VLAN ID for the primary VLAN:

  2. Set the interfaces and port modes:

  3. Set the primary VLAN to have no local switching:

    Note:

    The primary VLAN must be a tagged VLAN.

  4. Add the trunk interfaces to the primary VLAN:

  5. For each secondary VLAN, configure the VLAN IDs and the access interfaces:

    Note:

    We recommend that the secondary VLANs be untagged VLANs. It does not impair functioning if you tag the secondary VLANs. However, the tags are not used when a secondary VLAN is configured on a single switch.

  6. For each community VLAN, set the primary VLAN:

  7. Add each isolated interface to the primary VLAN:

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Private VLAN and Secondary VLANs Were Created

Purpose

Verify that the primary VLAN and secondary VLANs were properly created on the switch.

Action

Use the show vlans command:

Meaning

The output shows that the primary VLAN was created and identifies the interfaces and secondary VLANs associated with it.

Example: Configuring a Private VLAN Spanning Multiple QFX Switches

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and even to limit the communication between known hosts. The private VLAN (PVLAN) feature allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN. A PVLAN can span multiple switches.

This example describes how to create a PVLAN spanning multiple switches. The example creates one primary PVLAN containing multiple secondary VLANs:

Requirements

This example uses the following hardware and software components:

  • Three QFX3500 devices

  • Junos OS Release 12.1 or later for the QFX Series

Before you begin configuring a PVLAN, make sure you have created and configured the necessary VLANs. See Configuring VLANs on Switches.

Overview and Topology

In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows how to create a PVLAN spanning multiple QFX devices, with one primary VLAN containing two community VLANs (one for HR and one for Finance), and an interswitch isolated VLAN (for the mail server, the backup server, and the CVS server). The PVLAN comprises three switches, two access switches and one distribution switch. The PVLAN is connected to a router through a promiscuous port, which is configured on the distribution switch.

Note:

The isolated ports on Switch 1 and on Switch 2 do not have Layer 2 connectivity with one another even though they are included within the same domain. See Understanding Private VLANs.

Figure 18 shows the topology for this example—two access switches connecting to a distribution switch, which has a connection (through a promiscuous port) to the router.

Figure 18: PVLAN Topology Spanning Multiple Switches

Table 10, Table 11, and Table 12 list the settings for the example topology.

Table 10: Components of Switch 1 in the Topology for Configuring a PVLAN Spanning Multiple Devices

  Property                              Settings
  VLAN names and tag IDs                primary-vlan, tag 100
                                        isolation-vlan-id, tag 50
                                        finance-comm, tag 300
                                        hr-comm, tag 400
  PVLAN trunk interfaces                ge-0/0/0.0, connects Switch 1 to Switch 3
                                        ge-0/0/5.0, connects Switch 1 to Switch 2
  Isolated interfaces in primary VLAN   ge-0/0/15.0, mail server
                                        ge-0/0/16.0, backup server
  Interfaces in VLAN finance-comm       ge-0/0/11.0, ge-0/0/12.0
  Interfaces in VLAN hr-comm            ge-0/0/13.0, ge-0/0/14.0

Table 11: Components of Switch 2 in the Topology for Configuring a PVLAN Spanning Multiple Devices

  Property                              Settings
  VLAN names and tag IDs                primary-vlan, tag 100
                                        isolation-vlan-id, tag 50
                                        finance-comm, tag 300
                                        hr-comm, tag 400
  PVLAN trunk interfaces                ge-0/0/0.0, connects Switch 2 to Switch 3
                                        ge-0/0/5.0, connects Switch 2 to Switch 1
  Isolated interface in primary VLAN    ge-0/0/17.0, CVS server
  Interfaces in VLAN finance-comm       ge-0/0/11.0, ge-0/0/12.0
  Interfaces in VLAN hr-comm            ge-0/0/13.0, ge-0/0/14.0

Table 12: Components of Switch 3 in the Topology for Configuring a PVLAN Spanning Multiple Devices

  Property                              Settings
  VLAN names and tag IDs                primary-vlan, tag 100
                                        isolation-vlan-id, tag 50
                                        finance-comm, tag 300
                                        hr-comm, tag 400
  PVLAN trunk interfaces                ge-0/0/0.0, connects Switch 3 to Switch 1
                                        ge-0/0/1.0, connects Switch 3 to Switch 2
  Promiscuous port                      ge-0/0/2, connects the PVLAN to the router

Note:

You must configure the trunk port that connects the PVLAN to another switch or router outside the PVLAN as a member of the PVLAN, which implicitly configures it as a promiscuous port.

Topology

Configuring a PVLAN on Switch 1

When configuring a PVLAN on multiple switches, these rules apply:

  • The primary VLAN must be a tagged VLAN. We recommend that you configure the primary VLAN first.

  • If you are going to configure a community VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port. You must also configure the primary VLAN to be private using the pvlan statement.

  • If you are going to configure an isolation VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.

CLI Quick Configuration

To quickly create and configure a PVLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 1:

Procedure

Step-by-Step Procedure
  1. Set the VLAN ID for the primary VLAN:

  2. Set the PVLAN trunk interfaces to connect this VLAN across neighboring switches:

  3. Set the primary VLAN to be private and have no local switching:

  4. Set the VLAN ID for the finance-comm community VLAN that spans the switches:

  5. Configure access interfaces for the finance-comm VLAN:

  6. Set the primary VLAN of this secondary community VLAN, finance-comm:

  7. Set the VLAN ID for the HR community VLAN that spans the switches:

  8. Configure access interfaces for the hr-comm VLAN:

  9. Set the primary VLAN of this secondary community VLAN, hr-comm:

  10. Set the interswitch isolated ID to create an interswitch isolated domain that spans the switches:

  11. Configure the isolated interfaces in the primary VLAN:

    Note:

    When you configure an isolated port, include it as a member of the primary VLAN, but do not configure it as a member of any community VLAN.

Results

Check the results of the configuration:

Configuring a PVLAN on Switch 2

CLI Quick Configuration

To quickly create and configure a private VLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 2:

Note:

The configuration of Switch 2 is the same as the configuration of Switch 1 except for the interface in the interswitch isolated domain. For Switch 2, the interface is ge-0/0/17.0.

Procedure

Step-by-Step Procedure

To configure a PVLAN on Switch 2 that will span multiple switches (the steps are listed in a different order from those for Switch 1; the ordering rules given for Switch 1 apply to the committed configuration, so enter all the statements and commit them together):

  1. Set the VLAN ID for the finance-comm community VLAN that spans the switches:

  2. Configure access interfaces for the finance-comm VLAN:

  3. Set the primary VLAN of this secondary community VLAN, finance-comm:

  4. Set the VLAN ID for the HR community VLAN that spans the switches.

  5. Configure access interfaces for the hr-comm VLAN:

  6. Set the primary VLAN of this secondary community VLAN, hr-comm:

  7. Set the VLAN ID for the primary VLAN:

  8. Set the PVLAN trunk interfaces that will connect this VLAN across neighboring switches:

  9. Set the primary VLAN to be private and have no local switching:

  10. Set the interswitch isolated ID to create an interswitch isolated domain that spans the switches:

    Note:

    To configure an isolated port, include it as one of the members of the primary VLAN, but do not configure it as belonging to one of the community VLANs.

  11. Configure the isolated interface in the primary VLAN:

Results

Check the results of the configuration:

Configuring a PVLAN on Switch 3

CLI Quick Configuration

To quickly configure Switch 3 to function as the distribution switch of this PVLAN, copy the following commands and paste them into the terminal window of Switch 3:

Note:

Interface ge-0/0/2.0 is a trunk port connecting the PVLAN to a router.

Procedure

Step-by-Step Procedure

To configure Switch 3 to function as the distribution switch for this PVLAN, use the following procedure:

  1. Set the VLAN ID for the finance-comm community VLAN that spans the switches:

  2. Set the primary VLAN of this secondary community VLAN, finance-comm:

  3. Set the VLAN ID for the HR community VLAN that spans the switches:

  4. Set the primary VLAN of this secondary community VLAN, hr-comm:

  5. Set the VLAN ID for the primary VLAN:

  6. Set the PVLAN trunk interfaces that will connect this VLAN across neighboring switches:

  7. Set the primary VLAN to be private and have no local switching:

  8. Set the interswitch isolated ID to create an interswitch isolated domain that spans the switches:

    Note:

    To configure an isolated port, include it as one of the members of the primary VLAN, but do not configure it as belonging to one of the community VLANs.

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 1

Purpose

Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 1:

Action

Use the show vlans extensive command:

Meaning

The output shows that a PVLAN was created on Switch 1 and shows that it includes two isolated VLANs (one for each isolated interface, ge-0/0/15.0 and ge-0/0/16.0), two community VLANs, and an interswitch isolated VLAN. The presence of the pvlan-trunk and Inter-switch-isolated fields indicates that this PVLAN is spanning more than one switch.

Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 2

Purpose

Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 2:

Action

Use the show vlans extensive command:

Meaning

The output shows that a PVLAN was created on Switch 2 and shows that it includes one isolated VLAN, two community VLANs, and an interswitch isolated VLAN. The presence of the pvlan-trunk and Inter-switch-isolated fields indicates that this PVLAN is spanning more than one switch. When you compare this output to the output of Switch 1, you can see that both switches belong to the same PVLAN (pvlan100).

Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 3

Purpose

Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 3:

Action

Use the show vlans extensive command:

Meaning

The output shows that the PVLAN (pvlan100) is configured on Switch 3 and that it includes no isolated VLANs, two community VLANs, and an interswitch isolated VLAN. But Switch 3 is functioning as a distribution switch, so the output does not include access interfaces within the PVLAN. It shows only the pvlan-trunk interfaces that connect pvlan100 from Switch 3 to the other switches (Switch 1 and Switch 2) in the same PVLAN.

Example: Configuring a Private VLAN Spanning Multiple Switches With an IRB Interface

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and even to limit the communication between known hosts. The private VLAN (PVLAN) feature allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN. A PVLAN can span multiple switches. This example describes how to create a PVLAN spanning multiple switches. The example creates one primary PVLAN, containing multiple secondary VLANs.

Just like regular VLANs, PVLANs are isolated at Layer 2 and normally require a Layer 3 device if you want to route traffic. Starting with Junos OS 14.1X53-D30, you can use an integrated routing and bridging (IRB) interface to route Layer 3 traffic between devices connected to a PVLAN. Using an IRB interface in this way also lets the devices in the PVLAN communicate at Layer 3 with devices in other community or isolated VLANs and with devices outside the PVLAN. Keep in mind what that means for isolation: once the IRB routes between the secondary VLANs, the Layer 2 separation bounds only direct frames and broadcasts, and hosts in different secondary VLANs can reach each other through the IRB unless you filter that traffic at the IRB. This example also demonstrates how to include an IRB interface in a PVLAN configuration.

Requirements

This example uses the following hardware and software components:

  • Three QFX Series or EX4600 switches

  • Junos OS Release 14.1X53-D30 or later, the release that introduced IRB support in a PVLAN on the QFX Series and EX4600

Overview and Topology

In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows how to create a PVLAN spanning multiple switches, with one primary VLAN containing two community VLANs (one for HR and one for Finance), and an interswitch isolated VLAN (for the mail server, the backup server, and the CVS server). The PVLAN comprises three switches—two access switches and one distribution switch. The devices in the PVLAN are connected at Layer 3 to each other and to devices outside the PVLAN through an IRB interface configured on the distribution switch.

Note:

The isolated ports on Switch 1 and on Switch 2 do not have Layer 2 connectivity with one another even though they are included within the same domain. See Understanding Private VLANs.

Figure 19 shows the topology for this example.

Figure 19: PVLAN Topology Spanning Multiple Switches with an IRB Interface

Table 13, Table 14, and Table 15 list the settings for the example topology.

Table 13: Components of Switch 1 in the Topology for Configuring a PVLAN Spanning Multiple Devices

  Property                              Settings
  VLAN names and tag IDs                primary-vlan, tag 100
                                        isolated-vlan-id, tag 50
                                        finance-comm, tag 300
                                        hr-comm, tag 400
  Interswitch link interfaces           xe-0/0/0.0, connects Switch 1 to Switch 3
                                        xe-0/0/5.0, connects Switch 1 to Switch 2
  Isolated interfaces in primary VLAN   xe-0/0/15.0, mail server
                                        xe-0/0/16.0, backup server
  Interfaces in VLAN finance-comm       xe-0/0/11.0, xe-0/0/12.0
  Interfaces in VLAN hr-comm            xe-0/0/13.0, xe-0/0/14.0

Table 14: Components of Switch 2 in the Topology for Configuring a PVLAN Spanning Multiple Devices

  Property                              Settings
  VLAN names and tag IDs                primary-vlan, tag 100
                                        isolated-vlan-id, tag 50
                                        finance-comm, tag 300
                                        hr-comm, tag 400
  Interswitch link interfaces           xe-0/0/0.0, connects Switch 2 to Switch 3
                                        xe-0/0/5.0, connects Switch 2 to Switch 1
  Isolated interface in primary VLAN    xe-0/0/17.0, CVS server
  Interfaces in VLAN finance-comm       xe-0/0/11.0, xe-0/0/12.0
  Interfaces in VLAN hr-comm            xe-0/0/13.0, xe-0/0/14.0

Table 15: Components of Switch 3 in the Topology for Configuring a PVLAN Spanning Multiple Devices

  Property                              Settings
  VLAN names and tag IDs                primary-vlan, tag 100
                                        isolated-vlan-id, tag 50
                                        finance-comm, tag 300
                                        hr-comm, tag 400
  Interswitch link interfaces           xe-0/0/0.0, connects Switch 3 to Switch 1
                                        xe-0/0/1.0, connects Switch 3 to Switch 2
  Promiscuous port                      xe-0/0/2, connects the PVLAN to another network
  IRB interface                         xe-0/0/0
                                        xe-0/0/1

Note:

You must configure the trunk port that connects the PVLAN to another switch or router outside the PVLAN as a member of the PVLAN, which implicitly configures it as a promiscuous port.

Configure unrestricted proxy ARP on the IRB interface so that ARP resolution succeeds and IPv4 devices in different secondary VLANs can communicate at Layer 3: their ARP broadcasts do not cross the PVLAN isolation, so the IRB must answer on their behalf. For IPv6 traffic, which uses Neighbor Discovery rather than ARP, you must explicitly map an IRB address to the destination address to allow neighbor resolution.

Topology

Configuration Overview

When configuring a PVLAN on multiple switches, the following rules apply:

  • The primary VLAN must be a tagged VLAN.

  • The primary VLAN is the only VLAN that can be a member of an interswitch link interface.

When configuring an IRB interface in a PVLAN, these rules apply:

  • You can create only one IRB interface in a PVLAN, regardless of how many switches participate in the PVLAN.

  • The IRB interface must be a member of the primary VLAN in the PVLAN.

  • Each host device that you want to connect at Layer 3 must use an IP address of the IRB as its default gateway address.
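Both this example and the preceding one, Configuring a Private VLAN Spanning Multiple QFX Switches, rest on the same forwarding rule, and the notes about the isolated ports on Switch 1 and Switch 2 follow from it: which switch holds a port never matters, only the port's role. The following is an added example, not Juniper code or part of this documentation. It encodes that rule in Python, applies it to the endpoints from Tables 13 to 15, and then models why the IRB needs unrestricted proxy ARP: every host shares the primary VLAN's subnet, so it ARPs for a peer directly, the broadcast is confined by the PVLAN, and only the IRB (reachable from every port) is in a position to answer. The IRB unit name irb.0, the IP addresses, and the choice of endpoints are assumptions of this example.

```python
"""L2 reachability and proxy-ARP model for the three-switch PVLAN examples.

Added example, not Juniper code. It encodes the forwarding rule this topic
describes (isolated ports reach only promiscuous ports, community ports
reach their own community plus promiscuous ports, promiscuous ports reach
everything), applies it to the ports in Tables 13 to 15, and models why
the IRB interface needs unrestricted proxy ARP. The IRB unit name "irb.0"
and the IP addresses are assumptions of this example.
"""
from dataclasses import dataclass

PROMISCUOUS = "promiscuous"
ISOLATED = "isolated"


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    role: str          # PROMISCUOUS, ISOLATED, or the name of a community VLAN
    ip: str = ""       # address of the attached device (constructed)


def l2_reachable(src: Port, dst: Port) -> bool:
    """Can a frame sent on src be delivered to dst? The switch a port sits on
    does not matter: the interswitch links carry the secondary VLAN tags, so
    the far switch enforces the same rule."""
    if src == dst:
        return False
    if PROMISCUOUS in (src.role, dst.role):
        return True
    if ISOLATED in (src.role, dst.role):
        return False
    return src.role == dst.role


# Endpoints constructed from the example's tables; the interswitch links are
# not listed because they are not endpoints. The IRB is a member of the
# primary VLAN, so at Layer 2 it behaves like a promiscuous port.
PORTS = {
    "mail":   Port("switch1", "xe-0/0/15.0", ISOLATED, "10.0.100.15"),
    "backup": Port("switch1", "xe-0/0/16.0", ISOLATED, "10.0.100.16"),
    "fin1":   Port("switch1", "xe-0/0/11.0", "finance-comm", "10.0.100.11"),
    "hr1":    Port("switch1", "xe-0/0/13.0", "hr-comm", "10.0.100.13"),
    "cvs":    Port("switch2", "xe-0/0/17.0", ISOLATED, "10.0.100.17"),
    "fin2":   Port("switch2", "xe-0/0/11.0", "finance-comm", "10.0.100.21"),
    "uplink": Port("switch3", "xe-0/0/2.0", PROMISCUOUS),
    "irb":    Port("switch3", "irb.0", PROMISCUOUS, "10.0.100.1"),
}


def l2_peers(key: str) -> list:
    """Sorted keys of every port that `key` can exchange frames with."""
    src = PORTS[key]
    return sorted(k for k, p in PORTS.items() if l2_reachable(src, p))


def arp_responder(requester: str, target: str, proxy_arp: bool):
    """Which device answers requester's ARP request for target's IP, or None.

    The request is a broadcast, so it reaches only ports that are
    l2_reachable from the requester. All hosts sit on the primary VLAN's
    subnet, so a host ARPs for the peer itself, not for a gateway."""
    src = PORTS[requester]
    if l2_reachable(src, PORTS[target]):
        return target                     # the owner of the address answers
    if proxy_arp and l2_reachable(src, PORTS["irb"]):
        return "irb"                      # unrestricted proxy ARP: the IRB answers with its own MAC
    return None


def l3_path(requester: str, target: str, proxy_arp: bool):
    """Hops a packet takes from requester to target, or None if it cannot be sent."""
    answer = arp_responder(requester, target, proxy_arp)
    if answer is None:
        return None
    if answer == target:
        return [requester, target]
    # The IRB received the packet and routes it back into the PVLAN, which it
    # can do because a promiscuous member reaches every port.
    return [requester, "irb", target]


if __name__ == "__main__":
    for key in PORTS:
        print(f"{key:>6} ({PORTS[key].switch}, {PORTS[key].role}) reaches {l2_peers(key)}")
    print("mail -> cvs without proxy ARP:", l3_path("mail", "cvs", proxy_arp=False))
    print("mail -> cvs with proxy ARP:   ", l3_path("mail", "cvs", proxy_arp=True))
```

The finance ports on Switch 1 and Switch 2 reach each other while the isolated mail, backup, and CVS ports reach only the promiscuous uplink and the IRB, which is exactly what the notes in both examples state. The second half shows the trade-off from the section introduction: with unrestricted proxy ARP the IRB answers for any host, so two isolated servers that cannot exchange a single frame at Layer 2 get a two-hop Layer 3 path through it; if that path is not wanted, it has to be closed by a filter on the IRB, not by the PVLAN.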

Configuring a PVLAN on Switch 1

CLI Quick Configuration

To quickly create and configure a PVLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 1:

Procedure

Step-by-Step Procedure
  1. Configure interface xe-0/0/0 to be a trunk:

  2. Configure interface xe-0/0/0 to be an interswitch link that carries all the VLANs:

  3. Configure pvlan100 (the primary VLAN) to be a member of interface xe-0/0/0:

  4. Configure interface xe-0/0/5 to be a trunk:

  5. Configure interface xe-0/0/5 to be an interswitch link that carries all the VLANs:

  6. Configure pvlan100 to be a member of interface xe-0/0/5:

  7. Create the community VLAN for the finance organization:

  8. Create the community VLAN for the HR organization:

  9. Create the isolated VLAN for the mail and backup servers:

  10. Create the primary VLAN and make the community and isolated VLANs members of it:

  11. Configure VLAN 300 (a community VLAN) to be a member of interface xe-0/0/11:

  12. Configure VLAN 300 (a community VLAN) to be a member of interface xe-0/0/12:

  13. Configure VLAN 400 (a community VLAN) to be a member of interface xe-0/0/13:

  14. Configure VLAN 400 (a community VLAN) to be a member of interface xe-0/0/14:

  15. Configure VLAN 50 (the isolated VLAN) to be a member of interface xe-0/0/15:

  16. Configure VLAN 50 (the isolated VLAN) to be a member of interface xe-0/0/16:

Results

Check the results of the configuration:

Configuring a PVLAN on Switch 2

CLI Quick Configuration

To quickly create and configure a private VLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 2:

Note:

The configuration of Switch 2 is the same as the configuration of Switch 1 except for the isolated VLAN. For Switch 2, the isolated VLAN interface is xe-0/0/17.0.

Procedure

Step-by-Step Procedure
  1. Configure interface xe-0/0/0 to be a trunk:

  2. Configure interface xe-0/0/0 to be an interswitch link that carries all the VLANs:

  3. Configure pvlan100 (the primary VLAN) to be a member of interface xe-0/0/0:

  4. Configure interface xe-0/0/5 to be a trunk:

  5. Configure interface xe-0/0/5 to be an interswitch link that carries all the VLANs:

  6. Configure pvlan100 to be a member of interface xe-0/0/5:

  7. Create the community VLAN for the finance organization:

  8. Create the community VLAN for the HR organization:

  9. Create the isolated VLAN for the mail and backup servers:

  10. Create the primary VLAN and make the community and isolated VLANs members of it:

  11. Configure VLAN 300 (a community VLAN) to be a member of interface xe-0/0/11:

  12. Configure VLAN 300 (a community VLAN) to be a member of interface xe-0/0/12:

  13. Configure VLAN 400 (a community VLAN) to be a member of interface xe-0/0/13:

  14. Configure VLAN 400 (a community VLAN) to be a member of interface xe-0/0/14:

  15. Configure VLAN 50 (the isolated VLAN) to be a member of interface xe-0/0/17:

Results

Check the results of the configuration:

Configuring a PVLAN on Switch 3

CLI Quick Configuration

To quickly configure Switch 3 to function as the distribution switch of this PVLAN, copy the following commands and paste them into the terminal window of Switch 3:

Note:

Interface xe-0/0/2.0 is a trunk port connecting the PVLAN to another network.

Procedure

Step-by-Step Procedure

To configure Switch 3 to function as the distribution switch for this PVLAN, use the following procedure:

  1. Configure interface xe-0/0/0 to be a trunk:

  2. Configure interface xe-0/0/0 to be an interswitch link that carries all the VLANs:

  3. Configure pvlan100 (the primary VLAN) to be a member of interface xe-0/0/0:

  4. Configure interface xe-0/0/5 to be a trunk:

  5. Configure interface xe-0/0/5 to be an interswitch link that carries all the VLANs:

  6. Configure pvlan100 to be a member of interface xe-0/0/5:

  7. Configure interface xe-0/0/2 (the promiscuous interface) to be a trunk:

  8. Configure pvlan100 to be a member of interface xe-0/0/2:

  9. Create the primary VLAN:

  10. Create the IRB interface irb and assign it an address in the subnet used by the devices attached to Switches 1 and 2:

    Note:

    Each host device that you want to connect at Layer 3 must be in the same subnet as the IRB interface and use the IP address of the IRB interface as its default gateway address.

  11. Complete the IRB interface configuration by binding the interface to the primary VLAN pvlan100:

  12. Configure unrestricted proxy ARP for each unit of the IRB interface so that ARP resolution works for IPv4 traffic:

    Note:

    Because the devices in the community and isolated VLANs are isolated at Layer 2, this step is required to allow ARP resolution to occur between the VLANs so that devices using IPv4 can communicate at Layer 3. (For IPv6 traffic, you must explicitly map an IRB address to the destination address to allow address resolution.) Be aware that unrestricted proxy ARP lets any host in the PVLAN reach any other host in the PVLAN at Layer 3 through the IRB, which bypasses the Layer 2 isolation; if that is not intended, apply a firewall filter to the IRB interface to restrict the traffic it routes.

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 1

Purpose

Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 1:

Action

Use the show vlans extensive command:

Meaning

The output shows that a PVLAN was created on Switch 1 and shows that it includes two isolated VLANs, two community VLANs, and an interswitch isolated VLAN. The presence of the trunk and Inter-switch-isolated fields indicates that this PVLAN is spanning more than one switch.

Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 2

Purpose

Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 2:

Action

Use the show vlans extensive command:

Meaning

The output shows that a PVLAN was created on Switch 2 and shows that it includes one isolated VLAN, two community VLANs, and an interswitch isolated VLAN. The presence of the trunk and Inter-switch-isolated fields indicates that this PVLAN is spanning more than one switch. When you compare this output to the output of Switch 1, you can see that both switches belong to the same PVLAN (pvlan100).

Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 3

Purpose

Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 3:

Action

Use the show vlans extensive command:

Meaning

The output shows that the PVLAN (pvlan100) is configured on Switch 3 and that it includes no isolated VLANs, two community VLANs, and an interswitch isolated VLAN. But Switch 3 is functioning as a distribution switch, so the output does not include access interfaces within the PVLAN. It shows only the trunk interfaces that connect pvlan100 from Switch 3 to the other switches (Switch 1 and Switch 2) in the same PVLAN.

Example: Configuring a Private VLAN Spanning Multiple EX Series Switches

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN. A PVLAN can span multiple switches.

This example describes how to create a PVLAN spanning multiple EX Series switches. The example creates one primary PVLAN, containing multiple secondary VLANs:

Note:

Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.

Requirements

This example uses the following hardware and software components:

  • Three EX Series switches

  • Junos OS Release 10.4 or later for EX Series switches

Before you begin configuring a PVLAN, make sure you have created and configured the necessary VLANs. See Configuring VLANs for EX Series Switches.

Overview and Topology

In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows how to create a PVLAN spanning multiple EX Series switches, with one primary VLAN containing two community VLANs (one for HR and one for Finance), and an Interswitch isolated VLAN (for the mail server, the backup server, and the CVS server). The PVLAN comprises three switches, two access switches and one distribution switch. The PVLAN is connected to a router through a promiscuous port, which is configured on the distribution switch.

Note:

The isolated ports on Switch 1 and on Switch 2 do not have Layer 2 connectivity with each other even though they are included within the same domain. See Understanding Private VLANs.

Figure 20 shows the topology for this example—two access switches connecting to a distribution switch, which has a connection (through a promiscuous port) to the router.

Figure 20: PVLAN Topology Spanning Multiple Switches

Table 16, Table 17, and Table 18 list the settings for the example topology.

Table 16: Components of Switch 1 in the Topology for Configuring a PVLAN Spanning Multiple EX Series Switches
Property Settings

VLAN names and tag IDs

primary-vlan, tag 100

isolation-id, tag 50

finance-comm, tag 300

hr-comm, tag 400

PVLAN trunk interfaces

ge-0/0/0.0, Connects Switch 1 to Switch 3

ge-0/0/5.0, Connects Switch 1 to Switch 2

Interfaces in VLAN isolation

ge-0/0/15.0, Mail server

ge-0/0/16.0, Backup server

Interfaces in VLAN finance-comm

ge-0/0/11.0

ge-0/0/12.0

Interfaces in VLAN hr-comm

ge-0/0/13.0

ge-0/0/14.0

Table 17: Components of Switch 2 in the Topology for Configuring a PVLAN Spanning Multiple EX Series Switches
Property Settings

VLAN names and tag IDs

primary-vlan, tag 100

isolation-id, tag 50

finance-comm, tag 300

hr-comm, tag 400

PVLAN trunk interfaces

ge-0/0/0.0, Connects Switch 2 to Switch 3

ge-0/0/5.0, Connects Switch 2 to Switch 1

Interfaces in VLAN isolation

ge-0/0/17.0, CVS server

Interfaces in VLAN finance-comm

ge-0/0/11.0

ge-0/0/12.0

Interfaces in VLAN hr-comm

ge-0/0/13.0

ge-0/0/14.0

Table 18: Components of Switch 3 in the Topology for Configuring a PVLAN Spanning Multiple EX Series Switches
Property Settings

VLAN names and tag IDs

primary-vlan, tag 100

isolation-id, tag 50

finance-comm, tag 300

hr-comm, tag 400

PVLAN trunk interfaces

ge-0/0/0.0, Connects Switch 3 to Switch 1

ge-0/0/1.0, Connects Switch 3 to Switch 2

Promiscuous port

ge-0/0/2, Connects the PVLAN to the router

Note:

You must configure the trunk port that connects the PVLAN to another switch or router outside the PVLAN as a member of the PVLAN, which implicitly configures it as a promiscuous port.


Configuring a PVLAN on Switch 1

CLI Quick Configuration

When configuring a PVLAN on multiple switches, these rules apply:

  • The primary VLAN must be a tagged VLAN. We recommend that you configure the primary VLAN first.

  • Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.

  • If you are going to configure a community VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.

  • If you are going to configure an isolation VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.

  • Secondary VLANs and the PVLAN trunk port must be committed on a single commit if MVRP is configured on the PVLAN trunk port.

To quickly create and configure a PVLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 1:

Procedure

Step-by-Step Procedure

Complete the configuration steps below in the order shown—also, complete all steps before committing the configuration in a single commit. This is the easiest way to avoid error messages triggered by violating any of these three rules:

  • If you are going to configure a community VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.

  • If you are going to configure an isolation VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.

  • Secondary VLANs and a PVLAN trunk port must be committed in a single commit.

To configure a PVLAN on Switch 1 that will span multiple switches:

  1. Set the VLAN ID for the primary VLAN:

  2. Set the PVLAN trunk interfaces that will connect this VLAN across neighboring switches:

  3. Set the primary VLAN to have no local switching:

  4. Set the VLAN ID for the finance-comm community VLAN that spans the switches:

  5. Configure access interfaces for the finance-comm VLAN:

  6. Set the primary VLAN of this secondary community VLAN, finance-comm:

  7. Set the VLAN ID for the HR community VLAN that spans the switches:

  8. Configure access interfaces for the hr-comm VLAN:

  9. Set the primary VLAN of this secondary community VLAN, hr-comm:

  10. Set the inter-switch isolated ID to create an inter-switch isolated domain that spans the switches:

    Note:

    To configure an isolated port, include it as one of the members of the primary VLAN but do not configure it as belonging to one of the community VLANs.
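The ordering and membership rules above can be checked mechanically before the single commit. The following script is an added example, not part of the Juniper documentation or of Junos: it parses a set-style PVLAN configuration for one switch and reports a primary VLAN with no tag, a secondary VLAN whose primary VLAN does not exist, a community VLAN ID or isolation ID configured without a PVLAN trunk port, a primary VLAN that still allows local switching, and an interface that is both an isolated member of the primary VLAN and a member of a community VLAN. The sample configuration is constructed from Table 16 for Switch 1; the pvlan-trunk, isolation-id, no-local-switching and primary-vlan statements are the assumed non-ELS syntax behind the steps above. The same checks apply unchanged to Switch 2 and Switch 3 and to the earlier procedure on this page.

```python
from collections import defaultdict

# Constructed sample (Switch 1, Table 16); statement syntax is the assumed non-ELS form.
SWITCH1_CONFIG = """
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode trunk
set vlans primary-vlan vlan-id 100
set vlans primary-vlan interface ge-0/0/0.0 pvlan-trunk
set vlans primary-vlan interface ge-0/0/5.0 pvlan-trunk
set vlans primary-vlan no-local-switching
set vlans primary-vlan isolation-id 50
set vlans primary-vlan interface ge-0/0/15.0
set vlans primary-vlan interface ge-0/0/16.0
set vlans finance-comm vlan-id 300
set vlans finance-comm interface ge-0/0/11.0
set vlans finance-comm interface ge-0/0/12.0
set vlans finance-comm primary-vlan primary-vlan
set vlans hr-comm vlan-id 400
set vlans hr-comm interface ge-0/0/13.0
set vlans hr-comm interface ge-0/0/14.0
set vlans hr-comm primary-vlan primary-vlan
"""

def new_vlan():
    return {"vlan_id": None, "interfaces": set(), "pvlan_trunks": set(),
            "no_local_switching": False, "isolation_id": None, "primary_vlan": None}

def parse_vlans(config):
    """Collect the 'set vlans <name> ...' statements into a dict keyed by VLAN name."""
    vlans = defaultdict(new_vlan)
    for line in config.strip().splitlines():
        words = line.split()
        if words[:2] != ["set", "vlans"]:
            continue                      # interface stanzas are not needed for these checks
        v, stmt, args = vlans[words[2]], words[3], words[4:]
        if stmt == "vlan-id":
            v["vlan_id"] = int(args[0])
        elif stmt == "isolation-id":
            v["isolation_id"] = int(args[0])
        elif stmt == "primary-vlan":
            v["primary_vlan"] = args[0]
        elif stmt == "no-local-switching":
            v["no_local_switching"] = True
        elif stmt == "interface":
            (v["pvlan_trunks"] if "pvlan-trunk" in args[1:] else v["interfaces"]).add(args[0])
    return dict(vlans)

def check_pvlan(vlans):
    """Return (code, detail) findings; an empty list means the page's rules hold."""
    findings = []
    secondaries = {n: v for n, v in vlans.items() if v["primary_vlan"]}
    primaries = ({v["primary_vlan"] for v in secondaries.values()}
                 | {n for n, v in vlans.items() if v["isolation_id"] is not None})
    for pname in sorted(primaries):
        p = vlans.get(pname)
        if p is None or p["primary_vlan"]:          # missing, or itself a secondary VLAN
            findings.append(("PRIMARY_MISSING", pname))
            continue
        if p["vlan_id"] is None:                    # the primary VLAN must be a tagged VLAN
            findings.append(("PRIMARY_UNTAGGED", pname))
        if not p["no_local_switching"]:
            findings.append(("LOCAL_SWITCHING", pname))
        # A community VLAN ID or an isolation ID is only meaningful with a PVLAN trunk port.
        spans = p["isolation_id"] is not None or any(
            s["vlan_id"] for s in secondaries.values() if s["primary_vlan"] == pname)
        if spans and not p["pvlan_trunks"]:
            findings.append(("NO_PVLAN_TRUNK", pname))
        members = defaultdict(list)                 # interface -> community VLANs claiming it
        for sname, s in secondaries.items():
            if s["primary_vlan"] == pname:
                for ifname in s["interfaces"]:
                    members[ifname].append(sname)
        for ifname, owners in sorted(members.items()):
            if len(owners) > 1:
                findings.append(("PORT_IN_TWO_COMMUNITIES", ifname))
            if ifname in p["interfaces"]:           # isolated ports are in the primary VLAN only
                findings.append(("PORT_ISOLATED_AND_COMMUNITY", ifname))
    return findings

def isolated_ports(vlans, pname):
    """Isolated ports: members of the primary VLAN that belong to no community VLAN."""
    in_comm = {i for v in vlans.values() if v["primary_vlan"] == pname for i in v["interfaces"]}
    return sorted(vlans[pname]["interfaces"] - in_comm)

if __name__ == "__main__":
    cfg = parse_vlans(SWITCH1_CONFIG)
    print(check_pvlan(cfg), isolated_ports(cfg, "primary-vlan"))
```

Run it against each switch's candidate configuration; a clean result is an empty findings list, and isolated_ports shows which interfaces will end up isolated, which is the quickest way to catch a server port accidentally placed in a community.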

Results

Check the results of the configuration:

Configuring a PVLAN on Switch 2

CLI Quick Configuration

To quickly create and configure a private VLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 2:

Note:

The configuration of Switch 2 is the same as the configuration of Switch 1 except for the interface in the inter-switch isolated domain. For Switch 2, the interface is ge-0/0/17.0.

Procedure

Step-by-Step Procedure

To configure a PVLAN on Switch 2 that will span multiple switches:

  1. Set the VLAN ID for the finance-comm community VLAN that spans the switches:

  2. Configure access interfaces for the finance-comm VLAN:

  3. Set the primary VLAN of this secondary community VLAN, finance-comm:

  4. Set the VLAN ID for the HR community VLAN that spans the switches:

  5. Configure access interfaces for the hr-comm VLAN:

  6. Set the primary VLAN of this secondary community VLAN, hr-comm:

  7. Set the VLAN ID for the primary VLAN:

  8. Set the PVLAN trunk interfaces that will connect this VLAN across neighboring switches:

  9. Set the primary VLAN to have no local switching:

  10. Set the inter-switch isolated ID to create an inter-switch isolated domain that spans the switches:

    Note:

    To configure an isolated port, include it as one of the members of the primary VLAN but do not configure it as belonging to one of the community VLANs.

Results

Check the results of the configuration:

Configuring a PVLAN on Switch 3

CLI Quick Configuration

To quickly configure Switch 3 to function as the distribution switch of this PVLAN, copy the following commands and paste them into the terminal window of Switch 3:

Note:

Interface ge-0/0/2.0 is a trunk port connecting the PVLAN to a router.

Procedure

Step-by-Step Procedure

To configure Switch 3 to function as the distribution switch for this PVLAN, use the following procedure:

  1. Set the VLAN ID for the finance-comm community VLAN that spans the switches:

  2. Set the primary VLAN of this secondary community VLAN, finance-comm:

  3. Set the VLAN ID for the HR community VLAN that spans the switches:

  4. Set the primary VLAN of this secondary community VLAN, hr-comm:

  5. Set the VLAN ID for the primary VLAN:

  6. Set the PVLAN trunk interfaces that will connect this VLAN across neighboring switches:

  7. Set the primary VLAN to have no local switching:

  8. Set the inter-switch isolated ID to create an inter-switch isolated domain that spans the switches:

    Note:

    To configure an isolated port, include it as one of the members of the primary VLAN but do not configure it as belonging to one of the community VLANs.

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 1

Purpose

Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 1:

Action

Use the show vlans extensive command:

Meaning

The output shows that a PVLAN was created on Switch 1 and shows that it includes two isolated VLANs, two community VLANs, and an interswitch isolated VLAN. The presence of the pvlan-trunk and Inter-switch-isolated fields indicates that this PVLAN is spanning more than one switch.

Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 2

Purpose

Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 2:

Action

Use the show vlans extensive command:

Meaning

The output shows that a PVLAN was created on Switch 2 and shows that it includes two isolated VLANs, two community VLANs, and an interswitch isolated VLAN. The presence of the pvlan-trunk and Inter-switch-isolated fields indicates that this PVLAN is spanning more than one switch. When you compare this output to the output of Switch 1, you can see that both switches belong to the same PVLAN (pvlan100).

Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 3

Purpose

Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 3:

Action

Use the show vlans extensive command:

Meaning

The output shows that the PVLAN (pvlan100) is configured on Switch 3 and that it includes two isolated VLANs, two community VLANs, and an interswitch isolated VLAN. But Switch 3 is functioning as a distribution switch, so the output does not include access interfaces within the PVLAN. It shows only the pvlan-trunk interfaces that connect pvlan100 from Switch 3 to the other switches (Switch 1 and Switch 2) in the same PVLAN.

Example: Configuring PVLANs with Secondary VLAN Trunk Ports and Promiscuous Access Ports on a QFX Series Switch

This example shows how to configure secondary VLAN trunk ports and promiscuous access ports as part of a private VLAN configuration. Secondary VLAN trunk ports carry secondary VLAN traffic.

Note:

This example uses Junos OS for switches that do not support the Enhanced Layer 2 Software (ELS) configuration style. For more about ELS, see Using the Enhanced Layer 2 Software CLI.

For a given private VLAN, a secondary VLAN trunk port can carry traffic for only one secondary VLAN. However, a secondary VLAN trunk port can carry traffic for multiple secondary VLANs as long as each secondary VLAN is a member of a different private (primary) VLAN. For example, a secondary VLAN trunk port can carry traffic for a community VLAN that is part of primary VLAN pvlan100 and also carry traffic for an isolated VLAN that is part of primary VLAN pvlan400.

To configure a trunk port to carry secondary VLAN traffic, use the isolated and interface statements, as shown in steps 12 and 13 of the example configuration for Switch 1.

Note:

When traffic egresses from a secondary VLAN trunk port, it normally carries the tag of the primary VLAN that the secondary port is a member of. If you want traffic that egresses from a secondary VLAN trunk port to retain its secondary VLAN tag, use the extend-secondary-vlan-id statement.

A promiscuous access port carries untagged traffic and can be a member of only one primary VLAN. Traffic that ingresses on a promiscuous access port is forwarded to the ports of the secondary VLANs that are members of the primary VLAN that the promiscuous access port is a member of. This traffic carries the appropriate secondary VLAN tags when it egresses from the secondary VLAN ports if the secondary VLAN port is a trunk port.

To configure an access port to be promiscuous, use the promiscuous statement, as shown in step 12 of the example configuration for Switch 2.

If traffic ingresses on a secondary VLAN port and egresses on a promiscuous access port, the traffic is untagged on egress. If tagged traffic ingresses on a promiscuous access port, the traffic is discarded.

Requirements

This example uses the following hardware and software components:

  • Two QFX devices

  • Junos OS Release 12.2 or later for the QFX Series

Overview and Topology

Figure 21 shows the topology used in this example. Switch 1 includes several primary and secondary private VLANs and also includes two secondary VLAN trunk ports configured to carry secondary VLANs that are members of primary VLANs pvlan100 and pvlan400.

Switch 2 includes the same private VLANs. The figure shows xe-0/0/0 on Switch 2 as either a promiscuous access port or a promiscuous trunk port. The example configuration included here configures this port as a promiscuous access port.

The figure also shows how traffic would flow after ingressing on the secondary VLAN trunk ports on Switch 1.

Figure 21: PVLAN Topology with Secondary VLAN Trunk Ports and Promiscuous Access Port

Table 19 and Table 20 list the settings for the example topology on both switches.

Table 19: Components of the Topology for Configuring a Secondary VLAN Trunk on Switch 1
Component Description

pvlan100, ID 100

Primary VLAN

pvlan400, ID 400

Primary VLAN

comm300, ID 300

Community VLAN, member of pvlan100

comm600, ID 600

Community VLAN, member of pvlan400

isolation-vlan-id 200

VLAN ID for isolated VLAN, member of pvlan100

isolation-vlan-id 500

VLAN ID for isolated VLAN, member of pvlan400

xe-0/0/0.0

Secondary VLAN trunk port for primary VLANs pvlan100 and pvlan400

xe-0/0/1.0

PVLAN trunk port for primary VLANs pvlan100 and pvlan400

xe-0/0/2.0

Isolated access port for pvlan100

xe-0/0/3.0

Community access port for comm300

xe-0/0/5.0

Isolated access port for pvlan400

xe-0/0/6.0

Community trunk port for comm600

Table 20: Components of the Topology for Configuring a Secondary VLAN Trunk on Switch 2
Component Description

pvlan100, ID 100

Primary VLAN

pvlan400, ID 400

Primary VLAN

comm300, ID 300

Community VLAN, member of pvlan100

comm600, ID 600

Community VLAN, member of pvlan400

isolation-vlan-id 200

VLAN ID for isolated VLAN, member of pvlan100

isolation-vlan-id 500

VLAN ID for isolated VLAN, member of pvlan400

xe-0/0/0.0

Promiscuous access port for primary VLAN pvlan100

xe-0/0/1.0

PVLAN trunk port for primary VLANs pvlan100 and pvlan400

xe-0/0/2.0

Secondary trunk port for isolated VLAN, member of pvlan100

xe-0/0/3.0

Community access port for comm300

xe-0/0/5.0

Isolated access port for pvlan400

xe-0/0/6.0

Community access port for comm600

Configuring the PVLANs on Switch 1

CLI Quick Configuration

To quickly create and configure the PVLANs on Switch 1, copy the following commands and paste them into a switch terminal window:

Procedure

Step-by-Step Procedure

To configure the private VLANs and secondary VLAN trunk ports:

  1. Configure the interfaces and port modes:

  2. Create the primary VLANs:

    Note:

    Primary VLANs must always be tagged VLANs, even if they exist on only one device.

  3. Configure the primary VLANs to be private:

  4. Configure the PVLAN trunk port to carry the private VLAN traffic between the switches:

  5. Create secondary VLAN comm300 with VLAN ID 300:

  6. Configure the primary VLAN for comm300:

  7. Configure the interface for comm300:

  8. Create secondary VLAN comm600 with VLAN ID 600:

  9. Configure the primary VLAN for comm600:

  10. Configure the interface for comm600:

  11. Configure the interswitch isolated VLANs:

    Note:

    When you configure a secondary VLAN trunk port to carry an isolated VLAN, you must also configure an isolation-vlan-id. This is true even if the isolated VLAN exists only on one switch.

  12. Enable trunk port xe-0/0/0 to carry secondary VLANs for the primary VLANs:

  13. Configure trunk port xe-0/0/0 to carry comm600 (member of pvlan400):

    Note:

    You do not need to explicitly configure xe-0/0/0 to carry the isolated VLAN traffic (tags 200 and 500), because all the isolated ports in pvlan100 and pvlan400 (including xe-0/0/0.0) are automatically included in the isolated VLANs created when you configured isolation-vlan-id 200 and isolation-vlan-id 500.

  14. Configure xe-0/0/2 and xe-0/0/6 to be isolated:

Results

Check the results of the configuration on Switch 1:

Configuring the PVLANs on Switch 2

The configuration for Switch 2 is almost identical to the configuration for Switch 1. The most significant difference is that xe-0/0/0 on Switch 2 is configured as a promiscuous trunk port or a promiscuous access port, as Figure 21 shows. In the following configuration, xe-0/0/0 is configured as a promiscuous access port for primary VLAN pvlan100.

If traffic ingresses on a tagged port and egresses on a promiscuous access port, the VLAN tags are dropped on egress and the traffic is untagged at that point. For example, traffic for comm600 ingresses on the secondary VLAN trunk port configured on xe-0/0/0.0 on Switch 1 and carries tag 600 as it is forwarded through the secondary VLAN. When it egresses from xe-0/0/0.0 on Switch 2, it is untagged if you configure xe-0/0/0.0 as a promiscuous access port, as shown in this example. If you instead configure xe-0/0/0.0 as a promiscuous trunk port (port-mode trunk), the traffic for comm600 carries its primary VLAN tag (400) when it egresses.

CLI Quick Configuration

To quickly create and configure the PVLANs on Switch 2, copy the following commands and paste them into a switch terminal window:

Procedure

Step-by-Step Procedure

To configure the private VLANs and secondary VLAN trunk ports:

  1. Configure the interfaces and port modes:

  2. Create the primary VLANs:

  3. Configure the primary VLANs to be private:

  4. Configure the PVLAN trunk port to carry the private VLAN traffic between the switches:

  5. Create secondary VLAN comm300 with VLAN ID 300:

  6. Configure the primary VLAN for comm300:

  7. Configure the interface for comm300:

  8. Create secondary VLAN comm600 with VLAN ID 600:

  9. Configure the primary VLAN for comm600:

  10. Configure the interface for comm600:

  11. Configure the interswitch isolated VLANs:

  12. Configure access port xe-0/0/0 to be promiscuous for pvlan100:

    Note:

    A promiscuous access port can be a member of only one primary VLAN.

  13. Configure xe-0/0/2 and xe-0/0/6 to be isolated:

Results

Check the results of the configuration on Switch 2:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Private VLAN and Secondary VLANs Were Created

Purpose

Verify that the primary VLAN and secondary VLANs were properly created on Switch 1.

Action

Use the show vlans command:

Meaning

The output shows that the private VLANs were created and identifies the interfaces and secondary VLANs associated with them.

Verifying The Ethernet Switching Table Entries

Purpose

Verify that the Ethernet switching table entries were created for primary VLAN pvlan100.

Action

Show the Ethernet switching table entries for pvlan100.

Verifying That a Private VLAN Is Working on a Switch

Purpose

After creating and configuring private VLANs (PVLANs), verify that they are set up properly.

Action

  1. To determine whether you successfully created the primary and secondary VLAN configurations:

    • For a PVLAN on a single switch, use the show configuration vlans command:

    • For a PVLAN spanning multiple switches, use the show vlans extensive command:

  2. Use the show vlans extensive command to view VLAN information and link status for a PVLAN on a single switch or for a PVLAN spanning multiple switches.

    • For a PVLAN on a single switch:

    • For a PVLAN spanning multiple switches:

  3. Use the show ethernet-switching table command to view logs for MAC learning on the VLANs:

Note:

If you have configured a PVLAN spanning multiple switches, you can use the same command on all the switches to check the logs for MAC learning on those switches.

Meaning

In the output for a PVLAN on a single switch, you can see that the primary VLAN contains two community domains (community1 and community2), two isolated ports, and two trunk ports. The PVLAN on a single switch has only one tag (1000), which is for the primary VLAN.

The PVLAN that spans multiple switches contains multiple tags:

  • The community domain COM1 is identified with tag 100.

  • The community domain community2 is identified with tag 20.

  • The interswitch isolated domain is identified with tag 50.

  • The primary VLAN primary is identified with tag 10.

Also, for the PVLAN that spans multiple switches, the trunk interfaces are identified as pvlan-trunk.

Troubleshooting Private VLANs on QFX Switches

Use the following information to troubleshoot a private VLAN configuration.

Limitations of Private VLANs

The following constraints apply to private VLAN configurations:

  • IGMP snooping is not supported with private VLANs.

  • Routed VLAN interfaces are not supported on private VLANs.

  • Routing between secondary VLANs in the same primary VLAN is not supported.

  • If you want to change a primary VLAN to be a secondary VLAN, you must first change it to a normal VLAN and commit the change. For example, you would follow this procedure:

    1. Change the primary VLAN to be a normal VLAN.

    2. Commit the configuration.

    3. Change the normal VLAN to be a secondary VLAN.

    4. Commit the configuration.

    Follow the same sequence of commits if you want to change a secondary VLAN to be a primary VLAN. That is, make the secondary VLAN a normal VLAN and commit that change and then change the normal VLAN to be a primary VLAN.

Forwarding with Private VLANs

Problem

Description
  • When isolated VLAN or community VLAN tagged traffic is received on a PVLAN trunk port, MAC addresses are learned from the primary VLAN. This means that output from the show ethernet-switching table command shows that MAC addresses are learned from the primary VLAN and replicated to secondary VLANs. This behavior has no effect on forwarding decisions.

  • If a packet with a secondary VLAN tag is received on a promiscuous port, it is accepted and forwarded.

  • If a packet is received on a PVLAN trunk port and meets both of the conditions listed below, it is dropped.

    • The packet has a community VLAN tag.

    • The packet is destined to a unicast MAC address or multicast group MAC address that was learned on an isolated VLAN.

  • If a packet is received on a PVLAN trunk port and meets both of the conditions listed below, it is dropped.

    • The packet has an isolated VLAN tag.

    • The packet is destined to a unicast MAC address or multicast group MAC address that was learned on a community VLAN.

  • If a packet with a primary VLAN tag is received by a secondary (isolated or community) VLAN port, the secondary port forwards the packet.

  • If you configure a community VLAN on one device and configure another community VLAN on a second device and both community VLANs use the same VLAN ID, traffic for one of the VLANs can be forwarded to the other VLAN. For example, assume the following configuration:

    • Community VLAN comm1 on switch 1 has VLAN ID 50 and is a member of primary VLAN pvlan100.

    • Community VLAN comm2 on switch 2 also has VLAN ID 50 and is a member of primary VLAN pvlan200.

    • Primary VLAN pvlan100 exists on both switches.

    If traffic for comm1 is sent from switch 1 to switch 2, it will be sent to the ports participating in comm2. (The traffic will also be forwarded to the ports in comm1, as you would expect.)

Solution

These are expected behaviors.

Egress Firewall Filters with Private VLANs

Problem

Description

If you apply a firewall filter in the output direction to a primary VLAN, the filter also applies to the secondary VLANs that are members of the primary VLAN when the traffic egresses with the primary VLAN tag or isolated VLAN tag, as listed below:

  • Traffic forwarded from a secondary VLAN trunk port to a promiscuous port (trunk or access)

  • Traffic forwarded from a secondary VLAN trunk port that carries an isolated VLAN to a PVLAN trunk port

  • Traffic forwarded from a promiscuous port (trunk or access) to a secondary VLAN trunk port

  • Traffic forwarded from a PVLAN trunk port to a secondary VLAN trunk port

  • Traffic forwarded from a community port to a promiscuous port (trunk or access)

If you apply a firewall filter in the output direction to a primary VLAN, the filter does not apply to traffic that egresses with a community VLAN tag, as listed below:

  • Traffic forwarded from a community trunk port to a PVLAN trunk port

  • Traffic forwarded from a secondary VLAN trunk port that carries a community VLAN to a PVLAN trunk port

  • Traffic forwarded from a promiscuous port (trunk or access) to a community trunk port

  • Traffic forwarded from a PVLAN trunk port to a community trunk port

If you apply a firewall filter in the output direction to a community VLAN, the following behaviors apply:

  • The filter is applied to traffic forwarded from a promiscuous port (trunk or access) to a community trunk port (because the traffic egresses with the community VLAN tag).

  • The filter is applied to traffic forwarded from a community port to a PVLAN trunk port (because the traffic egresses with the community VLAN tag).

  • The filter is not applied to traffic forwarded from a community port to a promiscuous port (because the traffic egresses with the primary VLAN tag or untagged).

Solution

These are expected behaviors. They occur only if you apply a firewall filter to a private VLAN in the output direction and do not occur if you apply a firewall filter to a private VLAN in the input direction.
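The forwarding rules in the "Forwarding with Private VLANs" entry, the tag each port type puts on egress, and the resulting choice of which VLAN's output filter sees the traffic are easier to reason about as one small model. The following Python is an added example, not code from the Juniper page or from Junos: it models a single switch's PVLAN as data, decides for one frame (ingress port, VLAN tag, optional destination MAC) which ports it floods to and with which tag, applies the page's drop rules (tagged frames on a promiscuous access port; community-tagged or isolated-tagged unicast on a PVLAN trunk port destined to a MAC learned in the other kind of secondary VLAN), reports the VLAN whose output filter applies per the egress tag, and flags the community VLAN ID reuse described above. The switch contents, interface names, isolation ID 60 and MAC address are constructed for the example; the conflict case follows the comm1/comm2 description above.

```python
from dataclasses import dataclass, field
from typing import Optional

PROM_ACCESS, PROM_TRUNK, PVLAN_TRUNK = "promiscuous-access", "promiscuous-trunk", "pvlan-trunk"
COMM_ACCESS, COMM_TRUNK, ISOLATED = "community-access", "community-trunk", "isolated-access"

@dataclass
class Port:
    role: str
    primary: Optional[str] = None     # primary VLAN of the port; None for a trunk carrying all primaries
    community: Optional[str] = None   # community VLAN name, set on community ports only

@dataclass
class Primary:
    vlan_id: int
    isolation_id: Optional[int] = None               # isolation-id / isolation-vlan-id
    communities: dict = field(default_factory=dict)  # community name -> VLAN ID

@dataclass
class Switch:
    primaries: dict                                  # primary name -> Primary
    ports: dict                                      # interface name -> Port
    learned: dict = field(default_factory=dict)      # MAC -> "isolated" or a community name

def lookup_tag(sw, tag):
    """Resolve a tag received on a trunk to (primary name, domain, community name), or None."""
    for pname, p in sw.primaries.items():
        if tag == p.vlan_id:
            return pname, "promiscuous", None
        if p.isolation_id is not None and tag == p.isolation_id:
            return pname, "isolated", None
        for cname, cid in p.communities.items():
            if tag == cid:
                return pname, "community", cname
    return None

def forward(sw, ingress, tag=None, dst_mac=None):
    """Flooding decision for one frame: ({egress interface: tag, None = untagged}, reason); {} = dropped."""
    port = sw.ports[ingress]
    if port.role == PROM_ACCESS:
        if tag is not None:
            return {}, "tagged frame on a promiscuous access port is discarded"
        src = (port.primary, "promiscuous", None)
    elif port.role in (PROM_TRUNK, PVLAN_TRUNK):
        src = lookup_tag(sw, tag)
        if src is None:
            return {}, f"tag {tag} does not belong to a private VLAN on this switch"
        if port.role == PROM_TRUNK:   # a secondary tag on a promiscuous port is accepted and forwarded
            src = (src[0], "promiscuous", None)
    elif port.role in (COMM_ACCESS, COMM_TRUNK):
        prim = sw.primaries[port.primary]
        if port.role == COMM_TRUNK and tag not in (prim.communities[port.community], prim.vlan_id):
            return {}, "a community trunk accepts only its community tag or the primary tag"
        src = (port.primary, "community", port.community)
    else:
        src = (port.primary, "isolated", None)
    pname, domain, cname = src
    # On a PVLAN trunk, unicast that would cross between a community and the isolated VLAN is dropped.
    learned = sw.learned.get(dst_mac)
    if port.role == PVLAN_TRUNK and learned and domain != "promiscuous" and (learned == "isolated") != (domain == "isolated"):
        return {}, f"{domain}-tagged frame to a MAC learned in the other kind of secondary VLAN"
    prim, egress = sw.primaries[pname], {}
    for name, p in sw.ports.items():
        if name == ingress or p.primary not in (pname, None):
            continue
        if p.role == PVLAN_TRUNK:     # secondary tag travels to the next switch; isolated needs an isolation ID
            out = {"promiscuous": prim.vlan_id, "isolated": prim.isolation_id,
                   "community": prim.communities.get(cname)}[domain]
            if out is not None:
                egress[name] = out
        elif p.role in (PROM_ACCESS, PROM_TRUNK):
            egress[name] = None if p.role == PROM_ACCESS else prim.vlan_id
        elif domain == "promiscuous" or (domain == "community" and p.community == cname):
            egress[name] = prim.communities[p.community] if p.role == COMM_TRUNK else None
    return egress, f"{domain} traffic in {pname}"

def output_filter_owner(sw, egress_port, tag):
    """VLAN whose output filter applies: primary for primary/isolated tags and untagged promiscuous access egress, the community for a community tag, None where the page is silent."""
    if tag is None:
        return sw.ports[egress_port].primary if sw.ports[egress_port].role == PROM_ACCESS else None
    pname, domain, cname = lookup_tag(sw, tag)
    return cname if domain == "community" else pname

def community_id_conflicts(switches):
    """Community VLAN IDs used under different primary VLANs across switches (the leak case above)."""
    owners = {}
    for sw in switches:
        for pname, p in sw.primaries.items():
            for cid in p.communities.values():
                owners.setdefault(cid, set()).add(pname)
    return {cid: o for cid, o in owners.items() if len(o) > 1}

# Constructed sample: comm1 (ID 50) is in pvlan100 on Switch 1; Switch 2 reuses ID 50 for comm2 in pvlan200.
SWITCH1 = Switch(primaries={"pvlan100": Primary(100, 60, {"comm1": 50})}, ports={})
SWITCH2 = Switch(
    primaries={"pvlan100": Primary(100, 60), "pvlan200": Primary(200, communities={"comm2": 50})},
    ports={"xe-0/0/0": Port(PROM_TRUNK), "xe-0/0/1": Port(PVLAN_TRUNK),
           "xe-0/0/2": Port(ISOLATED, "pvlan100"), "xe-0/0/5": Port(PROM_ACCESS, "pvlan100"),
           "xe-0/0/3": Port(COMM_ACCESS, "pvlan200", "comm2"), "xe-0/0/4": Port(COMM_TRUNK, "pvlan200", "comm2")},
    learned={"00:00:5e:00:53:01": "isolated"},   # a MAC first seen on an isolated port
)
```

With this data, forward(SWITCH2, "xe-0/0/1", 50) shows the leak: a frame that left Switch 1 as comm1 traffic in pvlan100 is delivered to comm2's ports and toward pvlan200's uplink, because Switch 2 resolves tag 50 to comm2. forward(SWITCH2, "xe-0/0/1", 60) shows that isolated traffic arriving over the PVLAN trunk reaches only promiscuous ports, never the local isolated port, and community_id_conflicts flags the ID reuse before it is deployed.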

Egress Port Mirroring with Private VLANs

Problem

Description

If you create a port-mirroring configuration that mirrors private VLAN (PVLAN) traffic on egress, the mirrored traffic (the traffic that is sent to the analyzer system) has the VLAN tag of the ingress VLAN instead of the egress VLAN. For example, assume the following PVLAN configuration:

  • Promiscuous trunk port that carries primary VLANs pvlan100 and pvlan400.

  • Isolated access port that carries secondary VLAN isolated200. This VLAN is a member of primary VLAN pvlan100.

  • Community port that carries secondary VLAN comm300. This VLAN is also a member of primary VLAN pvlan100.

  • Output interface (monitor interface) that connects to the analyzer system. This interface forwards the mirrored traffic to the analyzer.

If a packet for pvlan100 enters on the promiscuous trunk port and exits on the isolated access port, the original packet is untagged on egress because it is exiting on an access port. However, the mirror copy retains the tag for pvlan100 when it is sent to the analyzer.

Here is another example: If a packet for comm300 ingresses on the community port and egresses on the promiscuous trunk port, the original packet carries the tag for pvlan100 on egress, as expected. However, the mirrored copy retains the tag for comm300 when it is sent to the analyzer.

Solution

This is expected behavior.