Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Bridge Domains Setup in PVLANs on MX Series Routers

Bridge domain capabilities are used to support PVLANs on MX Series routers. Although this functionality is similar to the PVLAN mechanism on EX Series switches, the difference is that only one isolation VLAN can be configured for all isolated ports on MX routers instead of one isolation VLAN permissible per isolated port on EX Series switches.

Assume a sample deployment in which a primary VLAN named VP contains ports p1, p2, t1, t2, i1, i2, cx1, and cx2. The port types of these configured ports are as follows:

  • Promiscuous ports = p1, p2

  • ISL ports = t1, t2

  • Isolated ports = i1, i2

  • Community VLAN = Cx

  • Community ports = cx1, cx2

Bridge domains are provisioned for each of the VLANs, namely, Vp, Vi, and Vcx. Assume the bridge domains to be configured as follows:

Vp—BD_primary_Vp (ports contained are p1, t1, i1, i2, cx1, cx2)

Vi—BD_isolate_Vi (ports contained are p1, t1, *i1, *i2)

Vcx—BD_community_Vcx (ports contained are p1, t1, cx1, cx2)

The bridge domains for community, primary, and isolated VLANs are automatically created by the system internally when you configure a bridge domain with a trunk interface, access interface, or interswitch link. The bridge domains contain the same VLAN ID corresponding to the VLANs. To use bridge domains for PVLANs, you must configure the following additional attributes:

  • community-vlans option—This option is specified on all community vlans and for community BDs created internally.

  • isolated-vlan option—This option denotes the vlan tag to be used for isolation BD created internally for each PVLAN/BD. This setting is required.

  • inter-switch-link option with the interface-mode trunk statement at the [edit interfaces interface-name family bridge] or the [edit interfaces interface-name unit logical-unit-number family bridge] hierarchy level—This configuration specifies whether the particular interface assumes the role of interswitch link for the PVLAN domains of which it is a member.

You can use the vlan-id configuration statement for PVLAN ports to identify the port role. All the logical interfaces involved in PVLANs must be configured with a VLAN ID and the Layer 2 process uses this VLAN tag to classify a port role as promiscuous, isolated, or community port by comparing this value with the VLANs configured in the PVLAN bridge domain (using the bridge-domains statement at the [edit] hierarchy level). The ISL port role is identified by the inter-switch-link option. The VLAN ID for ISL port is required and must be set to to the primary VLAN ID. The ISL must be a trunk interface. A list of VLAN IDs is not needed because the Layer 2 process creates such a list internally based on PVLAN bridge domain configuration. For untagged promiscuous, isolated or community, logical interfaces or ports, access mode must be used as the interface mode. For tagged promiscuous, isolated, or community interfaces, trunk mode must be specified as the interface mode.

The bridge domain interface families are enhanced to include ingress-only and egress-only association. The association for the interface family bridge domain (IFBD) is created in the following manner:

  • For BD_primary_Vp, IFBD for i1, i2, cx1 and cx2 are egress only.

  • BD_isolate_Vi, IFBD for p1 will be egress only and for i1 and i2 are ingress only.

  • BD_community_Vcx , IFBD for p1 are egress only. VLAN translation rules ensure the following VLAN mappings to work properly:

    • VLAN mapping on promiscuous ports: On promiscuous ports, the Vlan Vi is mapped to Vlan Vp on egress interfaces. Similarly on promiscuous ports, Vcx is also be mapped to Vp.

    • VLAN mapping on isolation ports: On tagged isolated ports, the VLAN tag, Vp, is mapped to Vi on egress.

    • VLAN mapping on community ports: On tagged community ports, the VLAN tag, Vp, is mapped to Vcx on egress.

A management bridge domain for PVLAN that exists only in the Layer 2 address learning process called PBD to denote bridge domain for VLAN is used by the system. This bridge domain has the same name as the user-configured name. Under this bridge domain, one primary PVLAN bridge domain for the primary vlan, one isolation bridge domain for the isolation vlan, and one community bridge domain for each community vlan are programmed internally. You might find separate bridge domains for the PVLAN ports to be useful if you want to configure a policy for a specific community VLAN or isolation VLAN.

The management bridge domain maintains a list to include all internal bridge domains that belong to this PVLAN bridge domain. Isolation and community bridge domains contain a pointer or a flag to indicate that this bridge domain is for PVLANs and maintain the information about the primary bridge domain index and primary VLAN. All this information is available across the bridge domain interfaces that are mapped to this bridge domain. MAC learning occurs only in the primary bridge domain and the MAC forwarding entry is programmed into the primary bridge domain only. As a result, the isolation bridge domain and all community bridge domains share the same forwarding table as the primary bridge domain.

For the isolation bridge domain, BD_isolate_Vi, isolation port i1 and i2 function as a non-local-switch access port and the flood group for this bridge domain contains only the promiscuous port, p1, and ISL ports, t1 and t2.