Configure Layer 2 Virtual Switches
SUMMARY
Understanding Layer 2 Virtual Switches
On MX Series routers only, you can group one or more bridge domains to form a virtual switch to isolate a LAN segment with its spanning-tree protocol instance and separate its VLAN ID space. A bridge domain consists of a set of logical ports that share the same flooding or broadcast characteristics. Like a virtual LAN, a bridge domain spans one or more ports of multiple devices. You can configure multiple virtual switches, each of which operates independently of the other virtual switches on the routing platform. Thus, each virtual switch can participate in a different Layer 2 network.
You can configure a virtual switch to participate only in Layer 2 bridging and optionally to perform Layer 3 routing. In addition, you can configure one of three Layer 2 control protocols—Spanning-Tree Protocol, Rapid Spanning-Tree Protocol (RSTP), or Multiple Spanning-Tree Protocol (MSTP)—to prevent forwarding loops. For more information about how to configure Layer 2 logical ports on an interface, see the Junos OS Network Interfaces Library for Routing Devices.
In Junos OS Release 9.2 and later, you can associate one or more logical interfaces configured as trunk interfaces with a virtual switch. A trunk interface, or Layer 2 trunk port, enables you to configure a logical interface to represent multiple VLANs on the physical interface. Packets received on a trunk interface are forwarded within a bridge domain that has same VLAN identifier. For more information about how to configure trunk interfaces, see the Junos OS Network Interfaces Library for Routing Devices.
You can also configure Layer 2 forwarding and learning properties for the virtual switch as well as any bridge domains that belong to a virtual switch. .
For more information about configuring a routing instance for Layer 2 VPN, see the Junos OS VPNs Library for Routing Devices. .
Configuring a Layer 2 Virtual Switch
A Layer 2 virtual switch, which isolates a LAN segment with its spanning-tree protocol instance and separates its VLAN ID space, filters and forwards traffic only at the data link layer. Layer 3 routing is not performed. Each bridge domain consists of a set of logical ports that participate in Layer 2 learning and forwarding. A virtual switch represents a Layer 2 network.
Two main types of interfaces are used in virtual switch hierarchies:
Layer 2 logical interface—This type of interface uses the VLAN-ID as a virtual circuit identifier and the scope of the VLAN-ID is local to the interface port. This type of interface is often used in service-provider-centric applications.
Access or trunk interface—This type of interface uses a VLAN-ID with global significance. The access or trunk interface is implicitly associated with bridge domains based on VLAN membership. Access or trunk interfaces are typically used in enterprise-centric applications.
Note:The difference between access interfaces and trunk interfaces is that access interfaces can be part of one VLAN only and the interface is normally attached to an end-user device (packets are implicitly associated with the configured VLAN). In contrast, trunk interfaces multiplex traffic from multiple VLANs and usually interconnect switches.
To configure a Layer 2 virtual switch, include the following statements:
[edit]
routing-instances {
routing-instance-name (
instance-type virtual-switch;
bridge-domains {
bridge-domain-name {
domain-type bridge;
interface interface-name;
vlan-id (all | none | number); # Cannot be used with ’vlan-tags’ statement
vlan-id-list [ vlan-id-numbers ];
vlan-tags outer number inner number; # Cannot be used with ’vlan-id’ statement
}
}
protocols {
mstp {
...mstp-configuration ...
}
}
}
}
To enable a virtual switch, you must specify virtual-switch as the instance-type.
For each bridge domain that you configure for the virtual switch,
specify a bridge-domain-name. You must
also specify the value bridge for the domain-type statement.
For the vlan-id statement, you can specify either
a valid VLAN identifier or the none or all options.
The all option is not supported with IRB.
You do not have to specify a VLAN identifier for a bridge domain. However, you cannot specify the same VLAN identifier for more than one bridge domain within a virtual switch. Each bridge domain within a virtual switch must have a unique VLAN identifier.
For a single bridge domain, you can include either the vlan-id statement or the vlan-tags statement, but
not both. The vlan-id statement, vlan-id-list statement, and vlan-tags statement are mutually exclusive.
The vlan-id-list statement allows you to automatically
create multiple bridge-domains for each vlan-id in the list.
To specify one or more logical interfaces to include in the
bridge domain, specify an interface-name for an Ethernet interface you configured at the [edit interfaces] hierarchy level. For more information, see the Junos OS Network Interfaces Library for Routing Devices.
Configuring a Virtual Switch Routing Instance on MX Series Routers
On MX Series routers only, use the virtual-switch routing instance type to isolate a LAN segment with its spanning-tree
instance and to separate its VLAN ID space. A bridge domain consists
of a set of ports that share the same flooding or broadcast characteristics.
Each virtual switch represents a Layer 2 network. You can optionally
configure a virtual switch to support Integrated Routing and Bridging
(IRB), which facilitates simultaneous Layer 2 bridging and Layer 3
IP routing on the same interface. You can also configure Layer 2
control protocols to provide loop resolution. Protocols supported
include the Spanning-Tree Protocol (STP), Rapid Spanning-Tree Protocols
(RSTP), Multiple Spanning-Tree Protocol (MSTP), and VLAN Spanning-Tree
Protocol (VSTP).
To create a routing instance for a virtual switch, include at least the following statements in the configuration:
[edit]
routing-instances {
routing-instance-name
instance-type virtual-switch;
bridge-domains {
bridge-domain-name {
domain-type bridge;
interface interface-name;
vlan-id (all | none | number);
vlan-tags outer number inner number;
}
}
protocols {
(rstp | mstp | vstp) {
...stp-configuration ...
}
}
}
}
For more information about configuring virtual switches, see Configuring a Layer 2 Virtual Switch .
Configuring VPLS Ports in a Virtual Switch
In Junos OS Release 9.3 and later, you can configure VPLS ports in a virtual switch so that the logical interfaces of the Layer 2 bridge domains in the virtual switch can handle VPLS routing instance traffic. VPLS configuration no longer requires a dedicated routing instance of type vpls. Packets received on a Layer 2 trunk interface are forwarded within a bridge domain that has the same VLAN identifier.
A trunk interface is implicitly associated with bridge domains based on VLAN membership. Whereas access interfaces can be part of one VLAN only, trunk interfaces multiplex traffic from multiple VLANs and usually interconnect switches. A Layer 2 trunk port also supports IRB.
To configure VPLS ports in a virtual switch, perform the following tasks:
To configure the Layer 2 trunk ports that you will associate with the bridge domains in the virtual switch, include the following statements in the configuration:
[edit] interfaces { interface-name { unit logical-unit-number { # Call this ’L2-trunk-port-A’ family bridge { interface-mode trunk; vlan-id-list [ vlan-id-numbers ] ; # Trunk mode VLAN membership for this interface } } } . . . interface-name { unit logical-unit-number { # Call this ’L2-trunk-port-B’ family bridge { interface-mode trunk; vlan-id-list [ vlan-id-numbers ] ; # Trunk mode VLAN membership for this interface } } } }To configure a logical interface as a trunk port, include the
interface-modestatement and the trunk option at the[edit interfaces interface-name unit logical-unit-number family bridge]hierarchy level.To configure all the VLAN identifiers to associate with a Layer 2 trunk port, include the
vlan-id-list [ vlan-id-numbers ]statement at the[edit interfaces interface-name unit logical-unit-number family bridge]hierarchy level.Each of the logical interfaces “L2-trunk-port-A” and “L2-trunk-port-B” accepts packets tagged with any VLAN ID specified in the respective
vlan-id-liststatements.To configure a virtual switch consisting of a set of bridge domains that are associated with one or more logical interfaces configured as a trunk ports, include the following statements in the configuration:
[edit] routing-instance { routing-instance-name instance-type virtual-switch; interface L2-trunk-port-A; # Include one trunk port interface L2-trunk-port-B; # Include the other trunk port bridge-domains { bridge-domain-name-0 { domain-type bridge; vlan-id number; } bridge-domain-name-1 { domain-type bridge; vlan-id number; } } protocols { vpls { vpls-id number; ... vpls-configuration ... } } } }To begin configuring a virtual switch, include the
instance-typestatement and the virtual-switch option at the[edit routing-instances routing-instance-name]hierarchy level.To configure a virtual switch consisting of a set of bridge domains that are associated with one or more logical interfaces configured as a trunk ports, you must identify each logical interface by including the
interface interface-namestatement at the[edit routing-instances routing-instance-name]hierarchy level.For each VLAN configured for a trunk port, you must configure a bridge-domain that includes the trunk port logical interface and uses a VLAN identifier within the range carried by that trunk interface. To configure, include the domain-type bridge, vlan-id number, and statements at the
[edit routing-instances routing-instance-name bridge-domain bridge-domain-name]hierarchy level.
Configuring a Layer 2 Virtual Switch with a Layer 2 Trunk Port
You can associate one or more Layer 2 trunk interfaces with a virtual switch. A Layer 2 trunk interface enables you to configure a logical interface to represent multiple VLANs on the physical interface. Within the virtual switch, you configure a bridge domain and VLAN identifier for each VLAN identifier configured on the trunk interfaces. Packets received on a trunk interface are forwarded within a bridge domain that has the same VLAN identifier. Each virtual switch you configure operates independently and can participate in a different Layer 2 network.
A virtual switch configured with a Layer 2 trunk port also
supports IRB within a bridge domain. IRB provides simultaneous support
for Layer 2 bridging and Layer 3 IP routing on the same
interface. Only an interface configured with the interface-mode
(access | trunk) statement can be associated with a virtual
switch. An access interface enables you to accept packets with no
VLAN identifier. For more information about configuring trunk and
access interfaces, see the Junos OS Network Interfaces Library for Routing Devices.
In addition, you can configure Layer 2 learning and forwarding properties for the virtual switch.
To configure a virtual switch with a Layer 2 trunk interface, include the following statements:
[edit]
routing-instances {
routing-instance-name {
instance-type virtual-switch;
interface interface-name;
bridge-domains {
bridge-domain-name {
vlan-id number;
}
}
}
}
You must configure a bridge domain and VLAN identifier for each VLAN identifier configured for the trunk interface.
Layer 2 trunk ports are used in two distinct types of virtual switch configuration. One method is called service provider style and the other is called enterprise style. The two methods can be confusing because both methods involve configuring interfaces known as trunk interfaces. However, both types of configuration are distinct.
Service provider style and enterprise style each have benefits and drawbacks.
Service provider style—Offers more control, but requires more care in configuration. Service providers can use all bridging features in any shape or size, but for large bridged designs, customization requirements quickly grow.
Enterprise style—Offers a single Layer 2 network connected by simple bridges. Easier to use, but more limited in function. Configuration is simple and straightforward and condensed.
The terms “service provider style” and “enterprise style” do not imply any limitations based on organization type or size. Any large enterprise may use service-provider-style configurations and a small regional service provider is free to use enterprise style. The differences apply only to the configuration styles.
The easiest way to understand the differences in configuration of the two styles is to compare them using the same interfaces and VLAN IDs.
You can configure multiple bridge domains between the same pair
of Ethernet interfaces, for example, xe-0/0/1 and xe-0/0/2. If there are two bridge domains needed, you can configure
one bridge domain as VLAN-100 and the other as VLAN-200. However, the configuration requirements are different when implementing
service provider style or enterprise style. Here is a look at both
styles using the same interfaces and VLANs.
Service provider style involves configuring the values for three main parameters, plus the bridge domains to connect them:
VLAN tagging—Configure the bridged physical interfaces with
vlan-taggingto allow them to operate in IEEE 802.1Q mode, also known as a trunk interface.Extended VLAN Bridge—Configure the physical interface with the encapsulation statement type
extended-vlan-bridgeto allow bridging on each logical interface.Logical unit—Configure a logical unit for each bridged VLAN ID. In most cases, you configure the unit number to be the same as the VLAN ID (that is, unit 100 = VLAN ID 100).
Bridge domains—Configure the VLAN bridge domains to associate the logical interfaces with the correct VLAN IDs.
Here is the service provider style configuration showing two interfaces used for bridging across two bridge domains, VLAN ID 100 and 200.
[edit]
interfaces {
xe-0/0/1 {
vlan-tagging;
encapsulation extended-vlan-bridge;
unit 100 {
vlan-id 100;
}
unit 200 {
vlan-id 200;
}
}
xe-0/0/2 {
vlan-tagging;
encapsulation extended-vlan-bridge;
unit 100 {
vlan-id 100;
}
unit 200 {
vlan-id 200;
}
}
}
bridge-domains {
VLAN-100 {
vlan-id 100;
interface xe-0/0/1.100;
interface xe-0/0/2.100;
}
VLAN-200 {
vlan-id 200;
interface xe-0/0/1.200;
interface xe-0/0/2.200;
}
}
Note that each physical interface has VLAN tagging enabled as well as extended VLAN bridge encapsulation. There are many more parameters that can be configured in service provider style.
In contrast, enterprise style involves configuring the values for three different parameters, plus the bridge domains to connect them:
Family— Configure each bridged physical interface with the family type
bridge.Interface mode—Configure logical interface so that the physical interface operates as either an untagged access port (not shown in this topic) or as an IEEE 801Q
trunk.VLAN ID—Configure each logical interface with a VLAN ID to determine with which bridge the interface belongs.
Bridge domain—Configure the VLAN bridge domains to associate with the correct VLAN IDs.
Enterprise style is simpler than the service provider style. Enterprise style automatically places interfaces in bridge domains when the configuration is committed.
Here is the enterprise style configuration showing the same two interfaces used for bridging across the same two bridge domains, VLAN ID 100 and 200.
[edit]
interfaces {
xe-0/0/1 {
unit 0 {
family bridge {
interface-mode trunk;
vlan-id-list [ 100 200 ];
}
}
}
xe-0/0/2 {
unit 0 {
family bridge {
interface-mode trunk;
vlan-id-list [ 100 200 ];
}
}
}
}
bridge-domains {
VLAN-100 {
vlan-id 100;
}
VLAN-200 {
vlan-id 200;
}
}
In exchange for simplicity, enterprise style does not allow you to configure VLAN tagging options or encapsulation type. You do not create a separate logical interface for each VLAN ID.
You can configure more parameters in each style. These further parameters are beyond the scope of this basic configuration topic.
Configuring Integrated Routing and Bridging for a Bridge Domain in a Layer 2 Virtual Switch
Integrated routing and bridging (IRB) provides simultaneous
support for Layer 2 bridging and Layer 3 IP routing on the
same interface. IRB enables you to route local packets to another
routed interface or to another bridge domain that has a Layer 3
protocol configured. You configure a logical routing interface by
including the irb statement at [edit interfaces] hierarchy level and include that interface in the bridge domain.
For more information about how to configure a routing interface, see
the Junos OS Network Interfaces Library for Routing Devices.
You can include only one routing interface in a bridge domain.
To configure a virtual switch with IRB support, include the following statements:
[edit]
routing-instances {
routing-instance-name {
instance-type virtual-switch;
bridge-domains {
bridge-domain-name {
domain-type bridge;
interface interface-name;
routing-interface routing-interface-name;
vlan-id (none | number);
vlan-tags outer number inner number;
}
}
}
}
To enable a virtual switch, you must specify virtual-switch as the instance-type. The instance-type virtual-switch statement is not supported at the [edit logical-systems logical-system-name] hierarchy level.
For each bridge domain that you configure for the virtual switch,
specify a bridge-domain-name. You must
also specify the value bridge for the domain-type statement.
For the vlan-id statement, you can specify either
a valid VLAN identifier or the none option.
For a single bridge domain, you can include either the vlan-id statement or the vlan-tags statement, but
not both.
To include one or more logical interfaces in the bridge domain,
specify the interface-name for each
Ethernet interface to include that you configured at the [edit
interfaces irb] hierarchy level.
To associate a routing interface with a bridge domain, include
the routing-interface routing-interface-name statement and specify a routing-interface-name you configured at the [edit interfaces irb] hierarchy
level. You can configure only one routing interface for each bridge
domain. For more information about how to configure logical and routing
interfaces, see the Junos OS Network Interfaces Library for Routing Devices.
If you configure a routing interface to support IRB in
a bridge domain, you cannot use the all option for the vlan-id statement.
Configuring Integrated Routing and Bridging in ACX Series
Integrated routing and bridging (IRB) provides simultaneous
support for Layer 2 bridging and Layer 3 routing on the
same interface. IRB enables you to route packets to another routed
interface or to another bridge domain that has an IRB interface configured.
You configure a logical routing interface by including the irb statement at the [edit interfaces] hierarchy level and
include that interface in the bridge domain. For more information
about how to configure a routing interface, see the Junos OS Network Interfaces Library for Routing Devices.
You can include only one routing interface in a bridge domain.
The following are the list of features supported for IRB:
Family
inet,inet6, andisoare supported on an IRB interface.Routing protocols supported on an IRB interface are BGP, ISIS, OSPF, RIP, IGMP, and PIM.
DHCP Relay with option 82 is supported on an IRB interface.
IRB can be added in a VRF routing instance.
VRRP is supported on an IRB inteface.
Bidirectional Forwarding Detection (BFD) protocol is supported on an IRB interface.
The following Class-of-Service configurations are supported on an IRB interface:
-
Fixed classifier can be applied on an IRB logical interface.
-
Firewall filters (multifield filter) can be used to assign forwarding class and loss priority. You should define a family inet or inet6 filter and apply it as the input filter on an IRB logical interface under family inet.
Note:physical-interface-filteris not supported for family inet6 filter on IRB logical interface. -
dscp, inet-precedence, ieee-802.1, and ieee-802.1ad values can be rewritten.
-
ACX routers do not support MPLS families on IRB.
IRB can be configured under the following hierarchies:
[
edit intefaces irb interface_type] hierarchy leveldisable—Disables the interface
gratuitous-arp-reply—Enables gratuitous ARP reply
hold-time—Hold time for link up and link down
mtu—Maximum transmit packet size (256..9192)
no-gratuitous-arp-reply—Does not enable gratuitous ARP reply
no-gratuitous-arp-request—Ignores gratuitous ARP request
[
edit interfaces irb.unit family (inet | inet6 | iso)] hierarchy level[
edit bridge-domains routing-interface interface irb.unit] hierarchy level[
edit routing-instances instance-type vrf] hierarchy level[
edit protocols (bgp | isis | ospf | rip | igmp | pim) interface irb.unit] hierarchy level[
edit class-of-service interfaces irb]] hierarchy level
In ACX5048 and ACX5096 routers, you can configure IRB at the [edit vlans vlan-name] l3-interface irb.unit; level.
The Layer 2 CLI configurations and show commands for ACX5048 and ACX5096 routers differ compared to other ACX Series routers. For more information, see Layer 2 Next Generation Mode for ACX Series.
To configure a bridge domain with IRB support, include the following statements:
[edit] bridge-domains { bridge-domain-name { domain-type bridge; interface interface-name; routing-interface routing-interface-name; vlan-id (none | number); vlan-tags outer number inner number; } }
For each bridge domain that you configure, specify a bridge-domain-name. You must also specify the value bridge for the domain-type statement.
For the vlan-id statement, you can specify either
a valid VLAN identifier or the none option.
The vlan-tags statement enables you to specify a
pair of VLAN identifiers; an outer tag and an inner tag.
For a single bridge domain, you can include either the vlan-id statement or the vlan-tags statement, but
not both.
To include one or more logical interfaces in the bridge domain,
specify the interface-name for each
Ethernet interface to include that you configured at the [edit
interfaces] hierarchy level.
A maximum of 4000 active logical interfaces are supported on a bridge domain configured for Layer 2 bridging.
To associate a routing interface with a bridge domain, include
the routing-interface routing-interface-name statement and specify a routing-interface-name you configured at the [edit interfaces irb] hierarchy
level. You can configure only one routing interface for each bridge
domain. For more information about how to configure logical and routing
interfaces, see the Junos OS Network Interfaces Library for Routing Devices.
In Junos OS Release 9.0 and later, IRB interfaces are supported for multicast snooping. For more information about multicast snooping, see the Junos OS Multicast Protocols User Guide.
When you configure multiple IRB logical interfaces, all the IRB logical interfaces share the same MAC address.
The following is a sample configuration for IRB over bridge domain:
[edit]
interfaces {
ge-1/0/0 {
encapsulation flexible-ethernet-services;
flexible-vlan-tagging;
unit 0 {
encapsulation vlan-bridge;
vlan-id 100;
}
}
}
ge-1/0/1 {
encapsulation flexible-ethernet-services;
flexible-vlan-tagging;
unit 0 {
encapsulation vlan-bridge;
vlan-id 100;
}
}
}
irb {
unit 0 {
family inet {
address 10.0.1.2/24 {
}
}
}
}
bridge-domains {
bd {
domain-type bridge;
vlan-id none;
interface ge-1/0/0.0;
interface ge-1/0/1.0;
routing-interface irb.0;
}
}