You can configure integrated routing and bridging (IRB)
interfaces in a private VLAN (PVLAN) on a single MX router to span
multiple MX routers. PVLANs limit the communication within a VLAN
by restricting traffic flows through their member switch ports (which
are called “private ports”) so that these ports communicate
only with a specified uplink trunk port or with specified ports within
the same VLAN. IRB provides simultaneous support for Layer 2 bridging
and Layer 3 routing on the same interface. IRB enables you to route
packets to another routed interface or to another bridge domain that
has an IRB interface configured. You configure a logical routing interface
and include that interface in the virtual switch instance that contains
the bridge domain. You can specify the secondary VLANs as isolated
or community VLANs in the bridge domain.
Before you begin configuring a PVLAN, make sure you have:
- Created and configured the necessary VLANs. See Configuring VLAN and Extended VLAN Encapsulation and Enabling VLAN Tagging.
- Configured MX240, MX480, and MX960 routers to function in enhanced LAN mode by entering the network-services lan statement at the [edit chassis] hierarchy level.
You must reboot the router when you configure or delete the
enhanced LAN mode on the router. Configuring the network-services
lan option implies that the system is running in the enhanced
IP mode. When you configure a device to function in MX-LAN mode, only
the supported configuration statements and operational show commands
that are available for enabling or viewing in this mode are displayed
in the CLI interface.
If your system contains parameters that are not supported in
MX-LAN mode in a configuration file, you cannot commit those unsupported
attributes. You must remove the settings that are not supported and
then commit the configuration. After the successful CLI commit, a
system reboot is required for the attributes to become effective.
Similarly, if you remove the network-services lan statement,
the system does not run in MX-LAN mode. Therefore, all of the settings
that are supported outside of the MX-LAN mode are displayed and are
available for definition in the CLI interface. If your configuration
file contains settings that are supported only in MX-LAN mode, you
must remove those attributes before you commit the configuration.
After the successful CLI commit, a system reboot is required for the
CLI parameters to take effect. The Layer 2 Next-Generation CLI configuration
settings are supported in MX-LAN mode. As a result, the typical format
of CLI configurations might differ in MX-LAN mode.
To configure an IRB interface in a PVLAN bridge domain
associated with a virtual switch instance:
- Create a promiscuous port for the PVLAN.
[edit interfaces]
user@host# set interface-name unit logical-unit-number family bridge interface-mode trunk
user@host# set interface-name unit logical-unit-number family bridge vlan-id vlan-id
- Create the interswitch link (ISL) trunk port for the PVLAN.
[edit interfaces]
user@host# set interface-name unit logical-unit-number family bridge interface-mode trunk inter-switch-link
user@host# set interface-name unit logical-unit-number family bridge vlan-id vlan-id
- Create the isolated port for the PVLAN. The port is identified
as an isolated port or a community port, based on the VLAN ID or the
list of VLAN IDs to which the interface corresponds. For example,
if you configure a port with a VLAN ID of 50, and if you specify a
VLAN ID of 50 as the isolated VLAN or tag in the bridge domain, the
port is considered an isolated port.
[edit interfaces]
user@host# set interface-name unit logical-unit-number family bridge interface-mode access
user@host# set interface-name unit logical-unit-number family bridge vlan-id vlan-id
- Create the community port for the PVLAN. The port is
identified as an isolated port or a community port, based on the VLAN
ID or the list of VLAN IDs to which the interface corresponds. For
example, if you configure a port with a VLAN ID of 50, and if you
specify a VLAN ID of 50 as the community VLAN or tag in the bridge
domain, the port is considered as a community port.
[edit interfaces]
user@host# set interface-name unit logical-unit-number family bridge interface-mode access
user@host# set interface-name unit logical-unit-number family bridge vlan-id vlan-id
- Create a virtual switch instance with a bridge domain
and associate the logical interfaces.
[edit routing-instances]
user@host# set routing-instance-name instance-type virtual-switch
user@host# set routing-instance-name interface interface-name unit logical-unit-number
user@host# set routing-instance-name bridge-domains bridge-domain-name
- Create an IRB interface and specify the IRB interface
in the bridge domain associated with the virtual switch instance.
IRB provides simultaneous support for Layer 2 bridging and Layer 3
IP routing on the same interface. IRB enables you to route local packets
to another routed interface or to another bridge domain that has a
Layer 3 protocol configured.
[edit]
user@host# set interfaces irb unit logical-unit-number family family-name address ip-address
[edit routing-instances instance-name bridge-domains bridge-domain-name]
user@host# set routing-interface irb unit logical-unit-number
- Specify the primary, isolated, and community VLAN IDs,
and associate the VLANs with the bridge domain.
[edit routing-instances instance-name bridge-domains bridge-domain-name]
user@host# set vlan-id vlan-id
user@host# set isolated-vlan vlan-id
user@host# set community-vlans [ number number-number ]
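
The following Python check is an added example, not part of the original page or of any Juniper tooling. It reads set commands for the steps above and derives each port's PVLAN role: trunk roles from the interface mode, access-port roles from the VLAN-matching rule in the isolated and community port steps. The interface names, VLAN IDs, and the vs1 and bd1 names in the sample are constructed; a port reported as unassigned is an access port whose VLAN ID appears in neither secondary VLAN list.

```python
import re

# Constructed sample: interface names and VLAN IDs are illustrative, not from the page.
SAMPLE = """\
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 100
set interfaces ge-0/0/2 unit 0 family bridge interface-mode trunk inter-switch-link
set interfaces ge-0/0/2 unit 0 family bridge vlan-id 100
set interfaces ge-0/0/3 unit 0 family bridge interface-mode access
set interfaces ge-0/0/3 unit 0 family bridge vlan-id 50
set interfaces ge-0/0/4 unit 0 family bridge interface-mode access
set interfaces ge-0/0/4 unit 0 family bridge vlan-id 61
set interfaces ge-0/0/5 unit 0 family bridge interface-mode access
set interfaces ge-0/0/5 unit 0 family bridge vlan-id 70
set routing-instances vs1 instance-type virtual-switch
set routing-instances vs1 bridge-domains bd1 vlan-id 100
set routing-instances vs1 bridge-domains bd1 isolated-vlan 50
set routing-instances vs1 bridge-domains bd1 community-vlans [ 60 61-62 ]
"""

PORT_RE = re.compile(r"set interfaces (\S+) unit (\d+) family bridge (interface-mode|vlan-id) (.+)")
VLAN_RE = re.compile(r"bridge-domains \S+ (isolated-vlan|community-vlans) (.+)")
TRUNK_ROLES = {"trunk": "promiscuous", "trunk inter-switch-link": "isl"}

def expand(text):
    """Expand '50' or '[ 60 61-62 ]' into a set of VLAN IDs."""
    vlans = set()
    for tok in text.strip("[] ").split():
        lo, _, hi = tok.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def classify_ports(config):
    """Map each bridge logical interface to its PVLAN role."""
    ports, secondary = {}, {"isolated": set(), "community": set()}
    for line in config.splitlines():
        if m := PORT_RE.match(line):
            ports.setdefault(f"{m[1]}.{m[2]}", {})[m[3]] = m[4].strip()
        elif m := VLAN_RE.search(line):
            secondary[m[1].split("-")[0]] |= expand(m[2])
    roles = {}
    for name, p in ports.items():
        mode, vlan = p.get("interface-mode"), int(p.get("vlan-id", 0))
        # Access ports take the role of the secondary VLAN list holding their VLAN ID.
        roles[name] = TRUNK_ROLES.get(mode) or next(
            (r for r, ids in secondary.items() if mode == "access" and vlan in ids),
            "unassigned")
    return roles
```

Running classify_ports against a candidate configuration before commit shows which access ports the bridge domain's isolated-vlan and community-vlans statements actually cover.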