Configuring VLAN Tagging

Virtual LANs (VLANs) allow network architects to segment LANs into different broadcast domains based on logical groupings. The topic below describes the configuration of these tagged VLANs, VLAN IDs, and supported Ethernet interface types on SRX Series Firewalls.

Understanding Virtual LANs

A LAN is a single broadcast domain. When traffic is broadcast, all hosts within the LAN receive the broadcast traffic. A LAN is determined by the physical connectivity of devices within the domain.

Within a traditional LAN, hosts are connected by a hub or repeater that propagates any incoming traffic throughout the network. Each host and its connecting hubs or repeaters make up a LAN segment. LAN segments are connected through switches and bridges to form the broadcast domain of the LAN. Figure 1 shows a typical LAN topology.

Figure 1: Typical LAN

Virtual LANs (VLANs) allow network architects to segment LANs into different broadcast domains based on logical groupings. Because the groupings are logical, the broadcast domains are not determined by the physical connectivity of the devices in the network. Hosts can be grouped according to a logical function, to limit the traffic broadcast within the VLAN to only the devices for which the traffic is intended.

Suppose a corporate network has three major organizations: engineering, sales, and support. Using VLAN tagging, hosts within each organization can be tagged with a different VLAN identifier. Traffic sent to the broadcast domain is then checked against the VLAN identifier and broadcast to only the devices in the appropriate VLAN. Figure 2 shows a typical VLAN topology.

Figure 2: Typical VLAN

VLAN IDs and Ethernet Interface Types Supported on the SRX Series Devices

Table 1 lists the VLAN ID range by interface type supported on SRX Series Firewalls:

Table 1: VLAN ID Range by Interface Type Supported on the SRX Series Devices

Interface Type                                VLAN ID Range
2-Port 10-Gigabit Ethernet                    1 through 4094
10-Gigabit Ethernet                           1 through 4094
16-Port Gigabit Ethernet                      1 through 4094
24-Port Gigabit Ethernet                      1 through 4094
Aggregated Ethernet for Fast Ethernet         1 through 1023
Aggregated Ethernet for Gigabit Ethernet      1 through 4094
Gigabit Ethernet                              1 through 4094
Management and internal Ethernet interfaces   1 through 1023

Note:

On SRX210, SRX220, SRX240, SRX320, and SRX340 devices, on the 1-GE SFP Mini-PIM, VLAN ID 4093 falls within the reserved VLAN ID range. (Platform support depends on the Junos OS release in your installation.) Because of this, you cannot configure a VLAN ID from this range.

Configuring VLAN Tagging

You can configure SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM devices to receive and forward single-tag frames, dual-tag frames, or a mixture of single-tag and dual-tag frames.

See Table 2 for flexible VLANs.

Table 2: Flexible VLANs

Number of Tags       VLAN ID
0 (Untagged)         Native
1 (Tagged)           Single
2 (Dual tagged)      Dual

This topic includes the following sections:

Configuring Single-Tag Framing
Configuring Dual Tagging
Configuring Mixed Tagging
Configuring Mixed Tagging Support for Untagged Packets

Configuring Single-Tag Framing

To configure a device to receive and forward single-tag frames with 802.1Q VLAN tags, include the vlan-tagging statement at the [edit interfaces interface-name] hierarchy level:

Note:

SRX5400, SRX5600, and SRX5800 only support single-tag framing.

Configuring Dual Tagging

To configure the device to receive and forward dual-tag frames with 802.1Q VLAN tags, include the flexible-vlan-tagging statement at the [edit interfaces interface-name] hierarchy level:

Configuring Mixed Tagging

Mixed tagging is supported on Ethernet interfaces of SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM devices. Mixed tagging lets you configure two logical interfaces on the same Ethernet port, one with single-tag framing and one with dual-tag framing.

To configure mixed tagging, include the flexible-vlan-tagging statement at the [edit interfaces ge-fpc/pic/port] hierarchy level. You must also include either the vlan-tags statement with the inner and outer options or the vlan-id statement at the [edit interfaces ge-fpc/pic/port unit logical-unit-number] hierarchy level:

Note:

When you configure the physical interface MTU for mixed tagging, you must set the MTU 4 bytes higher than the value you would configure for a standard VLAN-tagged interface.

For example, if the MTU is configured as 1018 on a VLAN-tagged interface, then the MTU on a flexible VLAN-tagged interface must be 1022, that is, 4 bytes more. The additional 4 bytes accommodate the second (stacked) VLAN tag that a dual-tag logical interface on the same physical interface carries.

The following example configures mixed tagging. Dual-tag and single-tag logical interfaces are under the same physical interface:
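As an added example (not configuration from the original page), the following stanza implements mixed tagging on one physical interface; the interface name ge-0/0/1, the unit numbers, the VLAN IDs and the addresses are assumed, and the MTU follows the page's 1018/1022 illustration.

```junos
/* Added example, not from the page: interface, units, VLAN IDs
   and addresses are assumed values. */
interfaces {
    ge-0/0/1 {
        /* flexible-vlan-tagging permits single- and dual-tag units on one port */
        flexible-vlan-tagging;
        /* page's illustration: 1018 for a vlan-tagging interface, so 1022 here (+4 bytes) */
        mtu 1022;
        unit 100 {
            /* single-tag logical interface: one 802.1Q tag, VLAN 100 */
            vlan-id 100;
            family inet {
                address 192.0.2.1/24;
            }
        }
        unit 200 {
            /* dual-tag logical interface: outer tag 200, inner tag 300 */
            vlan-tags outer 200 inner 300;
            family inet {
                address 198.51.100.1/24;
            }
        }
    }
}
```

On an SRX each logical unit must additionally be assigned to a security zone before it forwards traffic; that part of the configuration is outside the scope of this topic and is not shown.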

Configuring Mixed Tagging Support for Untagged Packets

You can configure mixed tagging support for untagged packets on a port. Untagged packets are accepted on the same mixed VLAN-tagged port. To accept untagged packets, include the native-vlan-id statement and the flexible-vlan-tagging statement at the [edit interfaces interface-name] hierarchy level:

Note:

The flexible-vlan-tagging statement is supported only with no encapsulation or with VPLS VLAN encapsulation.

The logical interface on which untagged packets are to be received must be configured with the same native VLAN ID as that configured on the physical interface. To configure the logical interface, include the vlan-id statement (matching the native-vlan-id statement on the physical interface) at the [edit interfaces interface-name unit logical-unit-number] hierarchy level.

The following example configures untagged packets to be mapped to logical unit number 0:
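An added example (not the page's own configuration) of mixed tagging with untagged packets mapped to logical unit 0; the interface ge-0/0/2, native VLAN 10, the tagged VLAN 20 and the addresses are assumed values.

```junos
/* Added example, not from the page: interface, VLAN IDs and
   addresses are assumed values. */
interfaces {
    ge-0/0/2 {
        flexible-vlan-tagging;
        /* untagged frames arriving on the port are treated as VLAN 10 */
        native-vlan-id 10;
        unit 0 {
            /* must equal native-vlan-id on the physical interface,
               otherwise untagged frames are not delivered to this unit */
            vlan-id 10;
            family inet {
                address 203.0.113.1/24;
            }
        }
        unit 20 {
            /* ordinary single-tag unit sharing the same port */
            vlan-id 20;
            family inet {
                address 203.0.113.129/25;
            }
        }
    }
}
```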