ON THIS PAGE
Understanding Secondary VLAN Trunk Ports and Promiscuous Access Ports on PVLANs
Using 802.1X Authentication and Private VLANs Together on the Same Interface
Creating a Private VLAN on a Single Switch with ELS Support (CLI Procedure)
Creating a Private VLAN on a Single EX Series Switch (CLI Procedure)
Creating a Private VLAN Spanning Multiple QFX Series Switches
Creating a Private VLAN Spanning Multiple EX Series Switches with ELS Support (CLI Procedure)
Creating a Private VLAN Spanning Multiple EX Series Switches (CLI Procedure)
Example: Configuring a Private VLAN on a Single Switch with ELS Support
Example: Configuring a Private VLAN on a Single QFX Series Switch
Example: Configuring a Private VLAN on a Single EX Series Switch
Example: Configuring a Private VLAN Spanning Multiple QFX Switches
Example: Configuring a Private VLAN Spanning Multiple Switches With an IRB Interface
Example: Configuring a Private VLAN Spanning Multiple EX Series Switches
Private VLANs
Understanding Private VLANs
VLANs limit broadcasts to specified users. Private VLANs (PVLANs) take this concept a step further by limiting communication within a VLAN. PVLANs accomplish this by restricting traffic flows through their member switch ports (which are called private ports) so that these ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN. The uplink trunk port or link aggregation group (LAG) is usually connected to a router, firewall, server, or provider network. Each PVLAN typically contains many private ports that communicate only with a single uplink port, thereby preventing the ports from communicating with each other.
PVLANs provide Layer 2 isolation between ports within a VLAN, splitting a broadcast domain into multiple discrete broadcast subdomains by creating secondary VLANs (community VLANs and an isolated VLAN) inside a primary VLAN. Ports within the same community VLAN can communicate with each other. Ports within an isolated VLAN can communicate only with a single uplink port.
Just like regular VLANs, PVLANs are isolated on Layer 2 and require one of the following options to route Layer 3 traffic among the secondary VLANs:
A promiscuous port connection with a router
A routed VLAN interface (RVI)
To route Layer 3 traffic among secondary VLANs, a PVLAN needs only one of the options mentioned above. If you use an RVI, you can still implement a promiscuous port connection to a router with the promiscuous port set up to handle only traffic that enters and exits the PVLAN.
PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the communication between known hosts. Service providers use PVLANs to keep their customers isolated from each other. Another typical use for a PVLAN is to provide per-room Internet access in a hotel.
You can configure a PVLAN to span switches that support PVLANs.
This topic explains the following concepts regarding PVLANs on EX Series switches:
- Benefits of PVLANs
- Typical Structure and Primary Application of PVLANs
- Typical Structure and Primary Application of PVLANs on MX Series Routers
- Typical Structure and Primary Application of PVLANs on EX Series Switches
- Routing Between Isolated and Community VLANs
- PVLANs Use 802.1Q Tags to Identify Packets
- PVLANs Use IP Addresses Efficiently
- PVLAN Port Types and Forwarding Rules
- Creating a PVLAN
- Limitations of Private VLANs
Benefits of PVLANs
The need to segregate a single VLAN is particularly useful in the following deployment scenarios:
Server farms—A typical Internet service provider uses a server farm to provide Web hosting for numerous customers. Locating the various servers within a single server farm provides ease of management. Security concerns arise if all servers are in the same VLAN because Layer 2 broadcasts go to all servers in the VLAN.
Metropolitan Ethernet networks—A metro service provider offers Layer 2 Ethernet access to assorted homes, rental communities, and businesses. The traditional solution of deploying one VLAN per customer is not scalable and is difficult to manage, leading to potential waste of IP addresses. PVLANs provide a more secure and more efficient solution.
Typical Structure and Primary Application of PVLANs
A PVLAN can be configured on a single switch or can be configured to span multiple switches. The types of domains and ports are:
Primary VLAN—The primary VLAN of the PVLAN is defined with an 802.1Q tag (VLAN ID) for the complete PVLAN. The primary PVLAN can contain multiple secondary VLANs (one isolated VLAN and multiple community VLANs).
Isolated VLAN/isolated port—A primary VLAN can contain only one isolated VLAN. An interface within an isolated VLAN can forward packets only to a promiscuous port or the Inter-Switch Link (ISL) port. An isolated interface cannot forward packets to another isolated interface; and an isolated interface cannot receive packets from another isolated interface. If a customer device needs to have access only to a gateway router, the device must be attached to an isolated trunk port.
Community VLAN/community port—You can configure multiple community VLANs within a single PVLAN. An interface within a specific community VLAN can establish Layer 2 communications with any other interface that belongs to the same community VLAN. An interface within a community VLAN can also communicate with a promiscuous port or the ISL port. If you have, for example, two customer devices that you need to isolate from other customer devices but that must be able to communicate with one another, use community ports.
Promiscuous port—A promiscuous port has Layer 2 communications with all interfaces in the PVLAN, regardless of whether an interface belongs to an isolated VLAN or a community VLAN. A promiscuous port is a member of the primary VLAN but is not included within any secondary subdomain. Layer 3 gateways, DHCP servers, and other trusted devices that need to communicate with endpoint devices are typically connected to a promiscuous port.
Inter-Switch Link (ISL)—An ISL is a trunk port that connects multiple switches in a PVLAN and contains two or more VLANs. It is required only when a PVLAN spans multiple switches.
The configured PVLAN is the primary domain (primary VLAN). Within the PVLAN, you configure secondary VLANs, which become subdomains nested within the primary domain. A PVLAN can be configured on a single switch or can be configured to span multiple switches. The PVLAN shown in Figure 1 includes two switches, with a primary PVLAN domain and various subdomains.
As shown in Figure 3, a PVLAN has only one primary domain and multiple secondary domains. The types of domains are:
Primary VLAN—VLAN used to forward frames downstream to isolated and community VLANs. The primary VLAN of the PVLAN is defined with an 802.1Q tag (VLAN ID) for the complete PVLAN. The primary PVLAN can contain multiple secondary VLANs (one isolated VLAN and multiple community VLANs).
Secondary isolated VLAN—VLAN that receives packets only from the primary VLAN and forwards frames upstream to the primary VLAN. The isolated VLAN is a secondary VLAN nested within the primary VLAN. A primary VLAN can contain only one isolated VLAN. An interface within an isolated VLAN (isolated interface) can forward packets only to a promiscuous port or the PVLAN trunk port. An isolated interface cannot forward packets to another isolated interface; nor can an isolated interface receive packets from another isolated interface. If a customer device needs to have access only to a router, the device must be attached to an isolated trunk port.
Secondary interswitch isolated VLAN—VLAN used to forward isolated VLAN traffic from one switch to another through PVLAN trunk ports. 802.1Q tags are required for interswitch isolated VLANs because IEEE 802.1Q uses an internal tagging mechanism by which a trunking device inserts a 4-byte VLAN frame identification tab into the packet header. An interswitch isolated VLAN is a secondary VLAN nested within the primary VLAN.
Secondary community VLAN—VLAN used to transport frames among members of a community (a subset of users within the VLAN) and to forward frames upstream to the primary VLAN. A community VLAN is a secondary VLAN nested within the primary VLAN. You can configure multiple community VLANs within a single PVLAN. An interface within a specific community VLAN can establish Layer 2 communications with any other interface that belongs to the same community VLAN. An interface within a community VLAN can also communicate with a promiscuous port or the PVLAN trunk port.
Figure 2 shows a PVLAN
spanning multiple switches, where the primary VLAN (100
) contains two community domains (300
and 400
) and one interswitch isolated domain.
Primary and secondary VLANs count against the limit of 4089 VLANs supported on the QFX Series. For example, each VLAN in Figure 2 counts against this limit.
Typical Structure and Primary Application of PVLANs on MX Series Routers
The configured PVLAN becomes the primary domain, and secondary VLANs become subdomains that are nested inside the primary domain. A PVLAN can be created on a single router. The PVLAN shown in Figure 3 includes one router, with one primary PVLAN domain and multiple secondary subdomains.
The types of domains are:
Primary VLAN—VLAN used to forward frames downstream to isolated and community VLANs.
Secondary isolated VLAN—VLAN that receives packets only from the primary VLAN and forwards frames upstream to the primary VLAN.
Secondary interswitch isolated VLAN—VLAN used to forward isolated VLAN traffic from one router to another through PVLAN trunk ports.
Secondary community VLAN—VLAN used to transport frames among members of a community, which is a subset of users within the VLAN, and to forward frames upstream to the primary VLAN.
PVLANs are supported on MX80 routers, on MX240, MX480, and MX960 routers with DPCs in enhanced LAN mode, on MX Series routers with MPC1, MPC2, and Adaptive Services PICs.
Typical Structure and Primary Application of PVLANs on EX Series Switches
The primary VLAN of the PVLAN is defined with an 802.1Q tag (VLAN ID) for the complete PVLAN. On EX9200 switches, each secondary VLAN must also be defined with its own separate VLAN ID.
Figure 4 shows a
PVLAN on a single switch, where the primary VLAN (VLAN 100
) contains two community VLANs (VLAN 300
and VLAN 400
) and one isolated VLAN (VLAN 50
).
Figure 5 shows a PVLAN
spanning multiple switches, where the primary VLAN (VLAN 100
) contains two community VLANs (VLAN 300
and VLAN 400
) and one isolated VLAN (VLAN 200). It also shows that Switches
1 and 2 are connected through an interswitch link (PVLAN trunk link).
Also, the PVLANs shown in Figure 4 and Figure 5 use a promiscuous port connected to a router as the means to route Layer 3 traffic among the community and isolated VLANs. Instead of using the promiscuous port connected to a router, you can configure an RVI on the switch in Figure 4 or one of the switches shown in Figure 5 (on some EX switches).
To route Layer 3 traffic between isolated and community VLANs, you must either connect a router to a promiscuous port, as shown in Figure 4 and Figure 5, or configure an RVI.
If you choose the RVI option, you must configure one RVI for the primary VLAN in the PVLAN domain. This RVI serves the entire PVLAN domain regardless of whether the domain includes one or more switches. After you configure the RVI, Layer 3 packets received by the secondary VLAN interfaces are mapped to and routed by the RVI.
When setting up the RVI, you must also enable proxy Address Resolution Protocol (ARP) so that the RVI can handle ARP requests received by the secondary VLAN interfaces.
For information about configuring PVLANs on a single switch and on multiple switches, see Creating a Private VLAN on a Single EX Series Switch (CLI Procedure). For information about configuring an RVI, see Configuring a Routed VLAN Interface in a Private VLAN on an EX Series Switch.
Routing Between Isolated and Community VLANs
To route Layer 3 traffic between isolated and community VLANs, you must connect an external router or switch to a trunk port of the primary VLAN. The trunk port of the primary VLAN is a promiscuous port; therefore, it can communicate with all the ports in the PVLAN.
PVLANs Use 802.1Q Tags to Identify Packets
When packets are marked with a customer-specific 802.1Q tag, that tag identifies ownership of the packets for any switch or router in the network. Sometimes, 802.1Q tags are needed within PVLANs to keep track of packets from different subdomains. Table 1 indicates when a VLAN 802.1Q tag is needed on the primary VLAN or on secondary VLANs.
On a Single Switch | On Multiple Switches | |
---|---|---|
Primary VLAN | Specify an 802.1Q tag by setting a VLAN ID. |
Specify an 802.1Q tag by setting a VLAN ID. |
Secondary VLAN | No tag needed on VLANs. |
VLANs need 802.1Q tags:
|
PVLANs Use IP Addresses Efficiently
PVLANs provide IP address conservation and efficient allocation of IP addresses. In a typical network, VLANs usually correspond to a single IP subnet. In PVLANs, the hosts in all secondary VLANs belong to the same IP subnet because the subnet is allocated to the primary VLAN. Hosts within the secondary VLAN are assigned IP addresses based on IP subnets associated with the primary VLAN, and their IP subnet masking information reflects that of the primary VLAN subnet. However, each secondary VLAN is a separate broadcast domain.
PVLAN Port Types and Forwarding Rules
PVLANs can use up to six different port types. The network depicted inFigure 2 uses a promiscuous port to transport information to the router, community ports to connect the finance and HR communities to their respective switches, isolated ports to connect the servers, and a PVLAN trunk port to connect the two switches. PVLAN ports have different restrictions:
Promiscuous trunk port—A promiscuous port has Layer 2 communications with all the interfaces that are in the PVLAN, regardless of whether the interface belongs to an isolated VLAN or a community VLAN. A promiscuous port is a member of the primary VLAN, but is not included within one of the secondary subdomains. Layer 3 gateways, DHCP servers, and other trusted devices that need to communicate with endpoint devices are typically connected to a promiscuous port.
PVLAN trunk link—The PVLAN trunk link, which is also known as the interswitch link, is required only when a PVLAN is configured to span multiple switches. The PVLAN trunk link connects the multiple switches that compose the PVLAN.
PVLAN trunk port—A PVLAN trunk port is required in multiswitch PVLAN configurations to span the switches. The PVLAN trunk port is a member of all VLANs within the PVLAN (that is, the primary VLAN, the community VLANs, and the interswitch isolated VLAN), and it carries traffic from the primary VLAN and all secondary VLANs. It can communicate with all ports other than the isolated ports.
Communication between a PVLAN trunk port and an isolated port is usually unidirectional. A PVLAN trunk port’s membership in the interswitch isolated VLAN is egress-only, meaning that an isolated port can forward packets to a PVLAN trunk port, but a PVLAN trunk port does not forward packets to an isolated port (unless the packets ingressed on a promiscuous access port and are therefore being forwarded to all the secondary VLANs in the same primary VLAN as the promiscuous port).
Secondary VLAN trunk port (not shown)—Secondary trunk ports carry secondary VLAN traffic. For a given private VLAN, a secondary VLAN trunk port can carry traffic for only one secondary VLAN. However, a secondary VLAN trunk port can carry traffic for multiple secondary VLANs as long as each secondary VLAN is a member of a different primary VLAN. For example, a secondary VLAN trunk port can carry traffic for a community VLAN that is part of primary VLAN pvlan100 and also carry traffic for an isolated VLAN that is part of primary VLAN pvlan400.
Community port—Community ports communicate among themselves and with their promiscuous ports. Community ports serve only a select group of users. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
Isolated access port—Isolated ports have Layer 2 connectivity only with promiscuous ports and PVLAN trunk ports—an isolated port cannot communicate with another isolated port even if these two ports are members of the same isolated VLAN (or interswitch isolated VLAN) domain. Typically, a server, such as a mail server or a backup server, is connected on an isolated port. In a hotel, each room would typically be connected on an isolated port, meaning that room-to-room communication is not possible, but each room can access the Internet on the promiscuous port.
Promiscuous access port (not shown)—These ports carry untagged traffic. Traffic that ingresses on a promiscuous access port is forwarded to all secondary VLAN ports on the device. If traffic ingresses into the device on a VLAN-enabled port and egresses on a promiscuous access port, the traffic is untagged on egress. If tagged traffic ingresses on a promiscuous access port, the traffic is discarded.
Interswitch link port—An interswitch link (ISL) port is a trunk port that connects two routers when a PVLAN spans those routers. The ISL port is a member of all VLANs within the PVLAN (that is, the primary VLAN, the community VLANs, and the isolated VLAN).
Communication between an ISL port and an isolated port is unidirectional. An ISL port’s membership in the interswitch isolated VLAN is egress-only, meaning that incoming traffic on the ISL port is never assigned to the isolated VLAN. An isolated port can forward packets to a PVLAN trunk port, but a PVLAN trunk port cannot forward packets to an isolated port. Table 3 summarizes whether Layer 2 connectivity exists between the different types of ports.
Table 2 summarizes Layer 2 connectivity between the different types of ports within a PVLAN on EX Series switches that support ELS.
From Port Type |
To Isolated Ports? |
To Promiscuous Ports? |
To Community Ports? |
To Inter-Switch Link Port? |
---|---|---|---|---|
Isolated |
Deny |
Permit |
Deny |
Permit |
Promiscuous |
Permit |
Permit |
Permit |
Permit |
Community 1 |
Deny |
Permit |
Permit |
Permit |
Port Type |
Promiscuous Trunk |
PVLAN Trunk |
Secondary Trunk |
Community |
Isolated Access |
Promiscuous access |
---|---|---|---|---|---|---|
Promiscuous trunk |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
PVLAN trunk |
Yes |
Yes |
Yes |
Yes—same community only |
Yes |
Yes |
Secondary Trunk |
Yes |
Yes |
No |
Yes |
No |
Yes |
Community |
Yes |
Yes |
Yes |
Yes—same community only |
No |
Yes |
Isolated access |
Yes |
Yes—unidirectional only |
No |
No |
No |
Yes |
Promiscuous access |
Yes |
Yes |
Yes |
Yes |
Yes |
No |
Table 4 summarizes whether or not Layer 2 connectivity exists between the different types of ports within a PVLAN.
Port Type To: → From:↓ |
Promiscuous |
Community |
Isolated |
PVLAN Trunk |
RVI |
---|---|---|---|---|---|
Promiscuous |
Yes |
Yes |
Yes |
Yes |
Yes |
Community |
Yes |
Yes—same community only |
No |
Yes |
Yes |
Isolated |
Yes |
No |
No |
Yes Note:
This communication is unidirectional. |
Yes |
PVLAN trunk |
Yes |
Yes—same community only |
Yes Note:
This communication is unidirectional. |
Yes |
Yes |
RVI |
Yes |
Yes |
Yes |
Yes |
Yes |
As noted in Table 4, Layer 2 communication between an isolated port and a PVLAN trunk port is unidirectional. That is, an isolated port can only send packets to a PVLAN trunk port, and a PVLAN trunk port can only receive packets from an isolated port. Conversely, a PVLAN trunk port cannot send packets to an isolated port, and an isolated port cannot receive packets from a PVLAN trunk port.
If you enable no-mac-learning
on a primary
VLAN, all isolated VLANs (or the interswitch isolated VLAN) in the
PVLAN inherit that setting. However, if you want to disable MAC address
learning on any community VLANs, you must configure no-mac-learning
on each of those VLANs.
Creating a PVLAN
The flowchart shown in Figure 6 gives you a general idea of the process for creating PVLANs. If you complete your configuration steps in the order shown, you will not violate these PVLAN rules. (In the PVLAN rules, configuring the PVLAN trunk port applies only to a PVLAN that spans multiple routers.)
The primary VLAN must be a tagged VLAN.
If you are going to configure a community VLAN ID, you must first configure the primary VLAN.
If you are going to configure an isolation VLAN ID, you must first configure the primary VLAN.
Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.
Configuring a VLAN on a single router is relatively simple, as shown in Figure 6.
Configuring a primary VLAN consists of these steps:
Configure the primary VLAN name and 802.1Q tag.
Set no-local-switching on the primary VLAN.
Configure the promiscuous trunk port and access ports.
Make the promiscuous trunk and access ports members of the primary VLAN.
Within a primary VLAN, you can configure secondary community VLANs or secondary isolated VLANs or both. Configuring a secondary community VLAN consists of these steps:
Configure a VLAN using the usual process.
Configure access interfaces for the VLAN.
Assign a primary VLAN to the community VLAN,
Isolated VLANs are created internally when the isolated VLAN has access interfaces as members and the option no-local-switching is enabled on the primary VLAN.
802.1Q tags are required for interswitch isolated VLANs because IEEE 802.1Q uses an internal tagging mechanism by which a trunking device inserts a 4-byte VLAN frame identification tab into the packet header.
Trunk ports are only needed for multirouter PVLAN configurations—the trunk port carries traffic from the primary VLAN and all secondary VLANs.
Limitations of Private VLANs
The following constraints apply to private VLAN configurations:
An access interface can belong to only one PVLAN domain, that is, it cannot participate in two different primary VLANs.
A trunk interface can be a member of two secondary VLANs as long as the secondary VLANs are in two different primary VLANs. A trunk interface cannot be a member of two secondary VLANs that are in the same primary VLAN.
A single region of Multiple Spanning Tree Protocol (MSTP) must be configured on all VLANs that are included within the PVLAN.
VLAN Spanning Tree Protocol (VSTP) is not supported.
IGMP snooping is not supported with private VLANs.
Routed VLAN interfaces are not supported on private VLANs
Routing between secondary VLANs in the same primary VLAN is not supported.
Some configuration statements cannot be specified on a secondary VLAN. You can configure the following statements at the
[edit vlans vlan-name switch-options]
hierarchy level only on the primary PVLAN.If you want to change a primary VLAN to be a secondary VLAN, you must first change it to a normal VLAN and commit the change. For example, you would follow this procedure:
Change the primary VLAN to be a normal VLAN.
Commit the configuration.
Change the normal VLAN to be a secondary VLAN.
Commit the configuration.
Follow the same sequence of commits if you want to change a secondary VLAN to be a primary VLAN. That is, make the secondary VLAN a normal VLAN and commit that change and then change the normal VLAN to be a primary VLAN.
The following features are not supported on PVLANs on Junos switches with support for the ELS configuration style:
Egress VLAN firewall filters
Ethernet ring protection (ERP)
Flexible VLAN tagging
Integrated routing and bridging (IRB) interface
Multichassis link aggregation groups (MC-LAGs)
Port mirroring
Q-in-Q tunneling
VLAN Spanning Tree Protocol (VSTP)
Voice over IP (VoIP)
You can configure the following statements at the [edit
vlans vlan-name switch-options]
hierarchy
level only on the primary PVLAN:
Understanding PVLAN Traffic Flows Across Multiple Switches
This topic illustrates and explains three different traffic flows on a sample multiswitch network configured with a private VLAN (PVLAN). PVLANs restrict traffic flows through their member switch ports (which are called “private ports”) so that they communicate only with a specific uplink trunk port or with specified ports within the same VLAN.
This topic describes:
- Community VLAN Sending Untagged Traffic
- Isolated VLAN Sending Untagged Traffic
- PVLAN Tagged Traffic Sent on a Promiscuous Port
Community VLAN Sending Untagged Traffic
In this example a member of Community-1 on Switch 1 sends untagged traffic on interface ge-0/0/12. The arrows in Figure 7 represent the resulting traffic flow.
In this example the community-1 members are assigned C-VLAN ID 100 that is mapped to P-VLAN ID 10.
In this scenario, the following activity takes place on Switch 1:
-
Community-1 VLAN on interface ge-0/0/0 and ge-0/0/12: Learning
-
pvlan100 on interface ge-0/0/0 and ge-0/0/12: Replication
-
Community-1 VLAN on interface ge-0/0/12: Receives untagged traffic
-
Community-1 VLAN interface ge-0/0/0: Traffic exits untagged
-
PVLAN trunk port: Traffic exits from ge-1/0/2 and from ae0 with tag 10
-
Community-2: Interfaces receive no traffic
-
Isolated VLANs: Interfaces receive no traffic
In this scenario, this activity takes place on Switch 3:
-
Community-1 VLAN on interface ge-0/0/23 (PVLAN trunk): Learning
-
pvlan100 on interface ge-0/0/23: Replication
-
Community-1 VLAN on interfaces ge-0/0/9 and ge-0/0/16: Receive untagged traffic
-
Promiscuous trunk port: Traffic exits from ge-0/0/0 with tag 10
-
Community-2: Interfaces receive no traffic
-
Isolated VLANs: Interfaces receive no traffic
Isolated VLAN Sending Untagged Traffic
In this scenario, isolated VLAN1 on Switch 1 at interface ge-1/0/0 sends untagged traffic. The arrows in Figure 8 represent this traffic flow.
In this scenario, the following activity takes place on Switch 1:
Isolated VLAN1 on interface ge-1/0/0: Learning
pvlan100 on interface ge-1/0/0: Replication
Traffic exits from pvlan-trunk ge-1/0/2 and ae0 with tag 50
Community-1 and Community-2: Interfaces receive no traffic
Isolated VLANs: Interfaces receive no traffic
In this scenario, this activity takes place on Switch 3:
VLAN on interface ge-0/0/23 (PVLAN trunk port): Learning
pvlan100 on interface ge0/0/23: Replication
Promiscuous trunk port: Traffic exits from ge-0/0/0 with tag 100
Community-1 and Community-2: Interfaces receive no traffic
Isolated VLANs: Receive no traffic
PVLAN Tagged Traffic Sent on a Promiscuous Port
In this scenario, PVLAN tagged traffic is sent on a promiscuous port. The arrows in Figure 9 represent this traffic flow.
In this scenario, the following activity takes place on Switch 1:
pvlan100 VLAN on interface ae0 (PVLAN trunk): Learning
Community-1, Community-2, and all isolated VLANs on interface ae0: Replication
VLAN on interface ae0: Replication
Traffic exits from pvlan-trunk ge-1/0/2 with tag 100
Community-1 and Community-2: Interfaces receive traffic
Isolated VLANs: Receive traffic
In this scenario, this activity takes place on Switch 3:
pvlan100 on interface ge-0/0/0: Learning
Community-1, Community-2 and all isolated VLANs on interface ge-0/0/0: Replication
VLAN on interface ge-0/0/0: Replication
Community-1 and Community-2: Interfaces receive traffic
Isolated VLANs: Receive traffic
Understanding Secondary VLAN Trunk Ports and Promiscuous Access Ports on PVLANs
VLANs limit broadcasts to specified users. Private VLANs (PVLANs) take this concept a step further by splitting a VLAN into multiple broadcast subdomains and essentially putting secondary VLANs inside a primary VLAN. PVLANs restrict traffic flows through their member ports so that these ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN. The uplink trunk port is usually connected to a router, firewall, server, or provider network. A PVLAN typically contains many private ports that communicate only with a single uplink, thereby preventing the ports from communicating with each other.
Secondary trunk ports and promiscuous access ports extend the functionality of PVLANs for use in complex deployments, such as:
Enterprise VMWare Infrastructure environments
Multitenant cloud services with VM management
Web hosting services for multiple customers
For example, you can use secondary VLAN trunk ports to connect QFX devices to VMware servers that are configured with private VLANs. You can use promiscuous access ports to connect QFX devices to systems that do not support trunk ports but do need to participate in private VLANs.
This topic explains the following concepts regarding PVLANs on the QFX Series:
PVLAN Port Types
PVLANs can use the following different port types:
Promiscuous trunk port—A promiscuous port is an upstream trunk port connected to a router, firewall, server, or provider network. A promiscuous trunk port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
PVLAN trunk port—A PVLAN trunk port is required in multiswitch PVLAN configurations to span the switches. The PVLAN trunk port is a member of all VLANs within the PVLAN (that is, the primary VLAN, the community VLANs, and the interswitch isolated VLAN), and it carries traffic from the primary VLAN and all secondary VLANs. It can communicate with all ports.
Communication between a PVLAN trunk port and an isolated port is usually unidirectional. A PVLAN trunk port’s membership in the interswitch isolated VLAN is egress-only, meaning that an isolated port can forward packets to a PVLAN trunk port, but a PVLAN trunk port does not forward packets to an isolated port (unless the packets ingressed on a promiscuous access port and are therefore being forwarded to all the secondary VLANs in the same primary VLAN as the promiscuous port).
Secondary VLAN trunk port—Secondary VLAN trunk ports carry secondary VLAN traffic. For a given private (primary) VLAN, a secondary VLAN trunk port can carry traffic for only one secondary VLAN. However, a secondary VLAN trunk port can carry traffic for multiple secondary VLANs as long as each secondary VLAN is a member of a different primary VLAN. For example, a secondary VLAN trunk port can carry traffic for a community VLAN that is part of primary VLAN pvlan100 and also carry traffic for an isolated VLAN that is part of primary VLAN pvlan400.
Note:When traffic egresses from a secondary VLAN trunk port, it normally carries the tag of the primary VLAN that the secondary port is a member of. If you want traffic that egresses from a secondary VLAN trunk port to retain its secondary VLAN tag, use the extend-secondary-vlan-id statement.
Community port—Community ports communicate among themselves and with their promiscuous ports. Community ports serve only a select group of users. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
Isolated access port—Isolated ports have Layer 2 connectivity only with promiscuous ports and PVLAN trunk ports. An isolated access port cannot communicate with another isolated port even if these two ports are members of the same isolated VLAN.
Promiscuous access port—These ports carry untagged traffic and can be a member of only one primary VLAN. Traffic that ingresses on a promiscuous access port is forwarded to the ports of the secondary VLANs that are members of the primary VLAN that the promiscuous access port is a member of. In this case, the traffic carries the appropriate secondary VLAN tag when it egresses from the secondary VLAN port if the secondary VLAN port is a trunk port. If traffic ingresses on a secondary VLAN port and egresses on a promiscuous access port, the traffic is untagged on egress. If tagged traffic ingresses on a promiscuous access port, the traffic is discarded.
Secondary VLAN Trunk Port Details
When using a secondary VLAN trunk port, be aware of the following:
You must configure an isolation VLAN ID for each primary VLAN that the secondary VLAN trunk port will participate in. This is true even if the secondary VLANs that the secondary VLAN trunk port will carry are confined to a single device.
If you configure a port to be a secondary VLAN trunk port for a given primary VLAN, you can also configure the same physical port to be any of the following:
Secondary VLAN trunk port for another primary VLAN
PVLAN trunk for another primary VLAN
Promiscuous trunk port
Access port for a non-private VLAN
Traffic that ingresses on a secondary VLAN trunk port (with a secondary VLAN tag) and egresses on a PVLAN trunk port retains the secondary VLAN tag on egress.
Traffic that ingresses on a secondary VLAN trunk port and egresses on a promiscuous trunk port has the appropriate primary VLAN tag on egress.
Traffic that ingresses on a secondary VLAN trunk port and egresses on a promiscuous access port is untagged on egress.
Traffic that ingresses on a promiscuous trunk port with a primary VLAN tag and egresses on a secondary VLAN trunk port carries the appropriate secondary VLAN tag on egress. For example, assume that you have configured the following on a switch:
Primary VLAN 100
Community VLAN 200 as part of the primary VLAN
Promiscuous trunk port
Secondary trunk port that carries community VLAN 200
If a packet ingresses on the promiscuous trunk port with primary VLAN tag 100 and egresses on the secondary VLAN trunk port, it carries tag 200 on egress.
Use Cases
On the same physical interface, you can configure multiple secondary VLAN trunk ports (in different primary VLANs) or combine a secondary VLAN trunk port with other types of VLAN ports. The following use cases provide examples of doing this and show how traffic would flow in each case:
- Secondary VLAN Trunks In Two Primary VLANS
- Secondary VLAN Trunk and Promiscuous Trunk
- Secondary VLAN Trunk and PVLAN Trunk
- Secondary VLAN Trunk and Non-Private VLAN Interface
- Traffic Ingressing on Promiscuous Access Port
Secondary VLAN Trunks In Two Primary VLANS
For this use case, assume you have two switches with the following configuration:
Primary VLAN pvlan100 with tag 100.
Isolated VLAN isolated200 with tag 200 is a member of pvlan100.
Community VLAN comm300 with tag 300 is a member of pvlan100.
Primary VLAN pvlan400 with tag 400.
Isolated VLAN isolated500 with tag 500 is a member of pvlan400.
Community VLAN comm600 with tag 600 is a member of pvlan400.
Interface xe-0/0/0 on Switch 1 connects to a VMware server (not shown) that is configured with the private VLANs used in this example. This interface is configured with secondary VLAN trunk ports to carry traffic for secondary VLAN comm600 and the isolated VLAN (tag 200) that is a member of pvlan100.
Interface xe-0/0/0 on Switch 2 is shown configured as a promiscuous trunk port or promiscuous access port. In the latter case, you can assume that it connects to a system (not shown) that does not support trunk ports but is configured with the private VLANs used in this example.
On Switch 1, xe-0/0/6 is a member of comm600 and is configured as a trunk port.
On Switch 2, xe-0/0/6 is a member of comm600 and is configured as an access port.
Figure 10 shows this topology and how traffic for isolated200 and comm600 would flow after ingressing on xe-0/0/0 on Switch 1. Note that traffic would flow only where the arrows indicate. For example, there are no arrows for interfaces xe-0/0/2, xe-0/0/3, and xe-0/0/5 on Switch 1 because no packets would egress on those interfaces.
Here is the traffic flow for VLAN isolated200:
Note that traffic for VLAN isolated200 does not egress on isolated access port xe-0/0/2 on Switch 1 or secondary VLAN trunk port xe-0/0/2 on Switch 2 even though these two ports are members of the same isolated VLAN.
Here is the traffic flow for VLAN comm600:
After traffic for comm600 ingresses on the secondary VLAN trunk port on Switch 1, it egresses on the PVLAN trunk port because the PVLAN trunk port is a member of all the VLANs. The packets keep the secondary VLAN tag (600) when egressing.
Traffic for comm600 also egresses on community port xe-0/0/6 on Switch 1. The traffic is tagged because the port is configured as a trunk.
After traffic for comm600 ingresses on the PVLAN trunk port on Switch 2, it egresses on xe-0/0/0, if this interface is configured as a promiscuous trunk port.
Note:If xe-0/0/0 on Switch 2 is configured as a promiscuous access port, the port can participate in only one primary VLAN. In this case, the promiscuous access port is part of pvlan100, so traffic for comm600 does not egress from it
Traffic for comm600 also egresses on community port xe-0/0/6 on Switch 2. In this case, the traffic is untagged because the port mode is access.
Secondary VLAN Trunk and Promiscuous Trunk
For this use case, assume you have two switches configured with the same ports and VLANs as in the previous use case, with one exception: In this case, xe-0/0/0 on Switch 1 is configured as a secondary VLAN trunk port for VLAN pvlan100 and is also configured as a promiscuous trunk port for pvlan400.
Figure 11 shows this topology and how traffic for isolated200 (member of pvlan100) and comm600 (member of pvlan400) would flow after ingressing on Switch 1.
The traffic flow for VLAN isolated200 is the same as in the previous use case, but the flow for comm600 is different. Here is the traffic flow for VLAN comm600:
Secondary VLAN Trunk and PVLAN Trunk
For this use case, assume you have two switches configured with the same ports and VLANs as in the previous use cases except that xe-0/0/0 on Switch 1 is configured as a secondary VLAN trunk port for VLAN pvlan100 and is also configured as a PVLAN trunk port for pvlan400.
Figure 12 shows this topology and how traffic for comm300 (member of pvlan100) and comm600 (member of pvlan400) would flow after ingressing on Switch 1.
Here is the traffic flow for VLAN comm300:
Here is the traffic flow for VLAN comm600:
After traffic for comm600 ingresses on the PVLAN port xe-0/0/0 on Switch 1, it egresses on the community port xe-0/0/6 on Switch 1. The packets keep the secondary VLAN tag (600) when egressing because xe-0/0/6 is a trunk port.
Traffic for comm600 also egresses on PVLAN trunk port xe-0/0/1 because that PVLAN trunk port is a member of all the VLANs. The packets keep the secondary VLAN tag (600) when egressing.
After traffic for comm600 ingresses on the PVLAN trunk port on Switch 2, it egresses on xe-0/0/0, if this interface is configured as a promiscuous trunk port.
It does not egress on xe-0/0/0 if this interface is configured as a promiscuous access port because the port can participate only in pvlan100.
Traffic for comm600 also egresses on community port xe-0/0/6 on Switch 2. This traffic is untagged on egress because xe-0/0/6 is an access port.
Secondary VLAN Trunk and Non-Private VLAN Interface
For this use case, assume you have two switches configured with the same ports and VLANs as in the previous use cases except for these differences:
Configuration for xe-0/0/0 on Switch 1:
Secondary VLAN trunk port for VLAN pvlan100
Access port for vlan700
Port xe-0/0/6 on both switches is an access port for vlan700.
Figure 13 shows this topology and how traffic for isolated200 (member of pvlan100) and vlan700 would flow after ingressing on Switch 1.
Here is the traffic flow for VLAN isolated200:
Note that traffic for VLAN isolated200 does not egress on isolated access port xe-0/0/2 on Switch 1 or secondary VLAN trunk port xe-0/0/2 on Switch 2 even though these two ports are members of the same isolated VLAN.
After traffic for vlan700 ingresses on the access port configured on xe-0/0/0 on Switch 1, it egresses on access port xe-0/0/6 because that port is a member of the same VLAN. Traffic for vlan700 is not forwarded to Switch 2 (even though xe-0/0/6 on Switch 2 is a member of vlan700) because the PVLAN trunk on xe-0/0/1 does not carry this VLAN.
Traffic Ingressing on Promiscuous Access Port
For this use case, assume you have two switches configured with the same ports and VLANs as in the previous use case except that xe-0/0/0 on Switch 1 is configured as a promiscuous access port and is a member of pvlan100. Figure 14 shows this topology and how untagged traffic would flow after ingressing through this interface on Switch 1.
As the figure shows, untagged traffic that ingresses on a promiscuous access port is forwarded to all the secondary VLAN ports that are members of the same primary VLAN that the promiscuous access port is a member of. The traffic is untagged when it egresses from access ports and tagged on egress from a trunk port (xe-0/0/2 on Switch 2).
Using 802.1X Authentication and Private VLANs Together on the Same Interface
- Understanding Using 802.1X Authentication and PVLANs Together on the Same Interface
- Configuration Guidelines for Combining 802.1X Authentication with PVLANs
- Example: Configuring 802.1X Authentication with Private VLANs in One Configuration
Understanding Using 802.1X Authentication and PVLANs Together on the Same Interface
You can now configure both 802.1X authentication and private VLANs (PVLANs) on the same interface.
IEEE 802.1X authentication provides network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from a supplicant (client) at the interface until the supplicant's credentials are presented and matched on the authentication server (a RADIUS server).
Private VLANs (PVLANs) provide Layer 2 isolation between ports within a VLAN, splitting a broadcast domain into multiple discrete broadcast subdomains by creating secondary VLANs. PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the communication between known hosts.
On a switch that is configured with both 802.1X authentication and PVLANs, when a new device is attached to the PVLAN network, the device is authenticated and then is assigned to a secondary VLAN based on the PVLAN configuration or RADIUS profile. The device then obtains an IP address and is given access to the PVLAN network.
This document does not provide detailed information about 802.1X authentication or private VLANs. For those details, see the feature documentation that is specific to those individual features. For 802.1X, see User Access and Authentication User Guide. For PVLANs, see Ethernet Switching User Guide.
Configuration Guidelines for Combining 802.1X Authentication with PVLANs
Keep the following guidelines and limitations in mind for configuring these two features on the same interface:
You cannot configure an 802.1X-enabled interface as a promiscuous interface (an interface that is a member of the primary VLAN by configuration) or as an interswitch-link (ISL) interface.
Multiple users cannot be authenticated over different VLANs belonging to the same PVLAN domain on a logical interface—for example, if interface ge-0/0/0 is configured as
supplicant multiple
and clients C1 and C2 are authenticated and are added to dynamic VLANs V1 and V2, respectively, then V1 and V2 must belong to different PVLAN domains.If the VoIP VLAN and the data VLAN are different, those two VLANs must be in different PVLAN domains.
When PVLAN membership is changed (that is, an interface is reconfigured in a different PVLAN), clients must be reauthenticated.
Example: Configuring 802.1X Authentication with Private VLANs in One Configuration
- Requirements
- Overview
- Configuring 802.1X Authentication with Private VLANs in One Configuration
- Verification
Requirements
Junos OS Release 18.2R1 or later
EX2300, EX3400, or EX4300 switch
Before you begin, specify the RADIUS server or servers to be used as the authentication server. See Specifying RADIUS Server Connections on Switches (CLI Procedure).
Overview
The following configuration section shows the access profile configuration, the 802.1X authentication configuration, and finally the VLANs (including PVLANs) configuration.
Configuring 802.1X Authentication with Private VLANs in One Configuration
Procedure
CLI Quick Configuration
[edit] set access radius-server 10.20.9.199 port 1812 set access radius-server 10.20.9.199 secret "$9$Lqa7dsaZjP5F245Fn/0OX7-V24JGDkmf" set access profile dot1x-auth authentication-order radius set access profile authp authentication-order radius set access profile authp radius authentication-server 10.204.96.165 set switch-options voip interface ge-0/0/8.0 vlan voip set interfaces ge-0/0/8 unit 0 family ethernet-switching interface-mode access set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members data set protocols dot1x authenticator authentication-profile-name authp set protocols dot1x authenticator interface ge-0/0/8.0 supplicant multiple set protocols dot1x authenticator interface ge-0/0/8.0 mac-radius set vlans community vlan-id 20 set vlans community private-vlan community set vlans community-one vlan-id 30 set vlans community-one private-vlan community set vlans isolated vlan-id 200 set vlans isolated private-vlan isolated set vlans pvlan vlan-id 2000 set vlans pvlan isolated-vlan isolated set vlans pvlan community-vlans [community community-one] set vlans data vlan-id 43 set vlans voip vlan-id 33
Step-by-Step Procedure
To configure 802.1X authentication and PVLANs in one configuration:
Configure the access profile:
[edit access] set radius-server 10.20.9.199 port 1812 set radius-server 10.20.9.199 secret "$9$Lqa7dsaZjP5F245Fn/0OX7-V24JGDkmf" set profile dot1x-auth authentication-order radius set profile authp authentication-order radius set profile authp radius authentication-server 10.204.96.165 [edit switch-options] set voip interface ge-0/0/8.0 vlan voip
Note:The configured VoIP VLAN cannot be a PVLAN (primary, community, or isolated).
Configure the 802.1X settings:
[edit interfaces] set ge-0/0/8 unit 0 family ethernet-switching interface-mode access set ge-0/0/8 unit 0 family ethernet-switching vlan members data [edit protocols] set dot1x authenticator authentication-profile-name authp set dot1x authenticator interface ge-0/0/8.0 supplicant multiple set dot1x authenticator interface ge-0/0/8.0 mac-radius
Note:The configured data VLAN could also be a community VLAN or an isolated VLAN.
Configure the VLANs (including the PVLANs):
[edit vlans] set community vlan-id 20 set community private-vlan community set community-one vlan-id 30 set community-one private-vlan community set isolated vlan-id 200 set isolated private-vlan isolated set pvlan vlan-id 2000 set pvlan isolated-vlan isolated set pvlan community-vlans [community community-one] set data vlan-id 43 set voip vlan-id 33
Results
From configuration mode, confirm your configuration by entering
the following show
commands on the switch. If the output
does not display the intended configuration, repeat the instructions
in this example to correct the configuration.
user@switch# show access radius-server { 10.20.9.199 { port 1812; secret "$9$Lqa7dsaZjP5F245Fn/0OX7-V24JGDkmf"; ## SECRET-DATA } } profile dot1x-auth { authentication-order radius; } profile authp { authentication-order radius; radius { authentication-server 10.204.96.165; } } user@switch# show interfaces ge-0/0/8 { unit 0 { family ethernet-switching { interface-mode access; vlan { members data; } } } } user@switch# show protocols dot1x { authenticator { authentication-profile-name authp; interface { ge-0/0/8.0 { supplicant multiple; mac-radius; } } } } user@switch# show switch-options voip { interface ge-0/0/8.0 { vlan voip; } } user@switch# show vlans community { vlan-id 20; private-vlan community; } community-one { vlan-id 30; private-vlan community; } data { vlan-id 43; } isolated { vlan-id 200; private-vlan isolated; } pvlan { vlan-id 2000; isolated-vlan isolated; community-vlans [community community-one]; } voip { vlan-id 33; }
Verification
- Verify That Client MAC Addresses Are Learned on the Primary VLAN
- Verify That the Primary VLAN Is an Authenticated VLAN
Verify That Client MAC Addresses Are Learned on the Primary VLAN
Purpose
Show that a client MAC address has been learned on the primary VLAN.
Action
user@switch> show ethernet-switching table MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC, SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC) Ethernet switching table : 1 entries, 1 learned Routing instance : default-switch Vlan MAC MAC Age Logical NH RTR name address flags interface Index ID pvlan 00:30:48:8C:66:BD D - ge-0/0/8.0 0 0
Verify That the Primary VLAN Is an Authenticated VLAN
Purpose
Show that the primary VLAN is shown as an authenticated VLAN.
Action
user@switch> show dot1x interface ge-0/0/8.0 detail ge-0/0/8.0 Role: Authenticator Administrative state: Auto Supplicant mode: Multiple Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Enabled Mac Radius Strict: Disabled Reauthentication: Enabled Reauthentication interval: 40 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 1 Guest VLAN member: <not configured> Number of connected supplicants: 1 Supplicant: user5, 00:30:48:8C:66:BD Operational state: Authenticated Authentication method: Radius Authenticated VLAN: pvlan Reauthentication due in 17 seconds
Putting Access Port Security on Private VLANs
- Understanding Access Port Security on PVLANs
- Configuration Guidelines for Putting Access Port Security Features on PVLANs
- Example: Configuring Access Port Security on a PVLAN
Understanding Access Port Security on PVLANs
You can now enable access port security features, such as DHCP snooping, on private VLANs (PVLANs).
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The PVLAN feature allows you to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN.
Ethernet LANs are vulnerable to attacks such as address spoofing (forging) and Layer 2 denial of service (DoS) on network devices. The following access port security features help protect your device against losses of information and productivity that such attacks can cause, and you can now configure these security features on a PVLAN:
DHCP snooping—Filters and blocks ingress DHCP server messages on untrusted ports. DHCP snooping builds and maintains a database of DHCP lease information, which is called the DHCP snooping database.
DHCPv6 snooping—DHCP snooping for IPv6.
DHCP option 82—Also known as the DHCP Relay Agent Information option. Helps protect the switch against attacks such as spoofing of IP addresses and MAC addresses and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client. The DHCP server uses this information to implement IP addresses or other parameters for the client.
DHCPv6 options:
Option 37—Remote ID option for DHCPv6; inserts information about the network location of the remote host into DHCPv6 packets.
Option 18—Circuit ID option for DHCPv6; inserts information about the client port into DHCPv6 packets.
Option 16—Vendor ID option for DHCPv6; inserts information about the vendor of the client hardware into DHCPv6 packets.
Dynamic ARP inspection (DAI)—Prevents Address Resolution Protocol (ARP) spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made on the basis of the results of those comparisons.
IP source guard—Mitigates the effects of IP address spoofing attacks on the Ethernet LAN; validates the source IP address in the packet sent from an untrusted access interface against the DHCP snooping database. If the packet cannot be validated, it is discarded.
IPv6 source guard—IP source guard for IPv6.
IPv6 neighbor discovery inspection—Prevents IPv6 address spoofing attacks; compares neighbor discovery requests and replies against entries in the DHCPv6 snooping database, and filtering decisions are made on the basis of the results of those comparisons.
This document does not provide detailed information about access port security features or PVLANs. For those details, see the feature documentation that is specific to those individual features. For access port security, see Security Services Administration Guide. For PVLANs, see Ethernet Switching User Guide.
Configuration Guidelines for Putting Access Port Security Features on PVLANs
Keep the following guidelines and limitations in mind for configuring access port security features on PVLANs:
You must apply the same access port security features on both the primary vlan and all its secondary VLANs.
A PVLAN can have only one integrated routing and bridging (IRB) interface, and the IRB interface must be on the primary VLAN.
Limitations on access port security configurations on PVLANs are the same as those for access port security features configurations that are not in PVLANs. See the access port security documentation at Security Services Administration Guide.
Example: Configuring Access Port Security on a PVLAN
Requirements
Junos OS Release 18.2R1 or later
EX4300 switch
Overview
The following configuration section shows:
Configuration of a private VLAN, with the primary VLAN (
vlan-pri
) and its three secondary VLANs—community VLANs (vlan-hr
andvlan-finance
) and isolated VLAN (vlan-iso
).Configuration of the interfaces that are used to send communications between the interfaces on those VLANs.
Configuration of access security features on the primary and secondary VLANs that make up the PVLAN.
Table 5 lists the settings for the example topology.
Interface | Description |
---|---|
ge-0/0/0.0 |
Primary VLAN (vlan1-pri) trunk interface |
ge-0/0/11.0 |
User 1, HR Community (vlan-hr) |
ge-0/0/12.0 |
User 2, HR Community (vlan-hr) |
ge-0/0/13.0 |
User 3, Finance Community (vlan-finance) |
ge-0/0/14.0 |
User 4, Finance Community (vlan-finance) |
ge-0/0/15.0 |
Mail server, Isolated (vlan-iso) |
ge-0/0/16.0 |
Backup server, Isolated (vlan-iso) |
ge-1/0/0.0 |
Primary VLAN (vlan-pri) trunk interface |
Configuring Access Port Security on a PVLAN
Procedure
CLI Quick Configuration
set vlans vlan-pri vlan-id 100 set vlans vlan-hr private-vlan community vlan-id 200 set vlans vlan-finance private-vlan community vlan-id 300 set vlans vlan-iso private-vlan isolated vlan-id 400 set vlans vlan-pri community-vlan vlan-hr set vlans vlan-pri community-vlan vlan-finance set vlans vlan-pri isolated-vlan vlan-iso set interfaces ge-0/0/11 unit 0 family ethernet-switching interface-mode access vlan members vlan-hr set interfaces ge-0/0/12 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-hr set interfaces ge-0/0/13 unit 0 family ethernet-switching interface-mode access vlan members vlan-finance set interfaces ge-0/0/14 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-finance set interfaces ge-0/0/15 unit 0 family ethernet-switching interface-mode access vlan members vlan-iso set interfaces ge-0/0/16 unit 0 family ethernet-switching interface-mode access vlan members vlan-iso set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-pri set interfaces ge-1/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-pri set vlans vlan-pri forwarding-options dhcp-security arp-inspection set vlans vlan-pri forwarding-options dhcp-security ip-source-guard set vlans vlan-pri forwarding-options dhcp-security ipv6-source-guard set vlans vlan-pri forwarding-options dhcp-security neighbor-discovery-inspection set vlans vlan-pri forwarding-options dhcp-security option-82 set vlans vlan-pri forwarding-options dhcp-security dhcpv6-options option-16 set vlans vlan-pri forwarding-options dhcp-security dhcpv6-options light-weight-dhcpv6-relay set vlans vlan-hr forwarding-options dhcp-security arp-inspection set vlans vlan-hr forwarding-options dhcp-security ip-source-guard set vlans vlan-hr forwarding-options dhcp-security ipv6-source-guard set vlans vlan-hr forwarding-options dhcp-security neighbor-discovery-inspection set vlans vlan-hr forwarding-options dhcp-security option-82 set vlans vlan-hr forwarding-options dhcp-security dhcpv6-options option-16 set vlans vlan-hr forwarding-options dhcp-security dhcpv6-options light-weight-dhcpv6-relay set vlans vlan-finance forwarding-options dhcp-security arp-inspection set vlans vlan-finance forwarding-options dhcp-security ip-source-guard set vlans vlan-finance forwarding-options dhcp-security ipv6-source-guard set vlans vlan-finance forwarding-options dhcp-security neighbor-discovery-inspection set vlans vlan-finance forwarding-options dhcp-security option-82 set vlans vlan-finance forwarding-options dhcp-security dhcpv6-options option-16 set vlans vlan-finance forwarding-options dhcp-security dhcpv6-options light-weight-dhcpv6-relay set vlans vlan-iso forwarding-options dhcp-security arp-inspection set vlans vlan-iso forwarding-options dhcp-security ip-source-guard set vlans vlan-iso forwarding-options dhcp-security ipv6-source-guard set vlans vlan-iso forwarding-options dhcp-security neighbor-discovery-inspection set vlans vlan-iso forwarding-options dhcp-security option-82 set vlans vlan-iso forwarding-options dhcp-security dhcpv6-options option-16 set vlans vlan-iso forwarding-options dhcp-security dhcpv6-options light-weight-dhcpv6-relay
Step-by-Step Procedure
To configure a private VLAN (PVLAN) and then configure access port security features on that PVLAN:
Configure the PVLAN—Create the primary VLAN and its secondary VLANs and assign VLAN IDs to them. Associate interfaces with the VLANs. (For details on configuring VLANs, see Configuring VLANs for EX Series Switches with ELS Support (CLI Procedure).)
[edit vlans] user@switch# set vlan-pri vlan-id 100 user@switch# set vlan-hr private-vlan community vlan-id 200 user@switch# set vlan-finance private-vlan community vlan-id 300 user@switch# set vlan-iso private-vlan isolated vlan-id 400 user@switch# set vlan-pri community-vlan vlan-hr user@switch# set vlan-pri community-vlan vlan-finance user@switch# set vlan-pri isolated-vlan vlan-iso
[edit interfaces] user@switch# set ge-0/0/11 unit 0 family ethernet-switching interface-mode access vlan members vlan-hr user@switch# set ge-0/0/12 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-hr user@switch# set ge-0/0/13 unit 0 family ethernet-switching interface-mode access vlan members vlan-finance user@switch# set ge-0/0/14 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-finance user@switch# set ge-0/0/15 unit 0 family ethernet-switching interface-mode access vlan members vlan-iso user@switch# set ge-0/0/16 unit 0 family ethernet-switching interface-mode access vlan members vlan-iso user@switch# set ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-pri user@switch# set ge-1/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-pri
Configure access port security features on the primary VLAN and all its secondary VLANs:
Note:When you configure ARP inspection, IP source guard, IPv6 source guard, neighbor discovery inspection, DHCP option 82, or DHCPv6 options, then DHCP snooping and DHCPv6 snooping are automatically configured.
[edit vlans] user@switch# set vlan-pri forwarding-options dhcp-security arp-inspection user@switch# set vlan-pri forwarding-options dhcp-security ip-source-guard user@switch# set vlan-pri forwarding-options dhcp-security ipv6-source-guard user@switch# set vlan-pri forwarding-options dhcp-security neighbor-discovery-inspection user@switch# set vlan-pri forwarding-options dhcp-security option-82 user@switch# set vlan-pri forwarding-options dhcp-security dhcpv6-options option-16 user@switch# set vlan-pri forwarding-options dhcp-security dhcpv6-options light-weight-dhcpv6-relay user@switch# set vlan-hr forwarding-options dhcp-security arp-inspection user@switch# set vlan-hr forwarding-options dhcp-security ip-source-guard user@switch# set vlan-hr forwarding-options dhcp-security ipv6-source-guard user@switch# set vlan-hr forwarding-options dhcp-security neighbor-discovery-inspection user@switch# set vlan-hr forwarding-options dhcp-security option-82 user@switch# set vlan-hr forwarding-options dhcp-security dhcpv6-options option-16 user@switch# set vlan-hr forwarding-options dhcp-security dhcpv6-options light-weight-dhcpv6-relay user@switch# set vlan-finance forwarding-options dhcp-security arp-inspection user@switch# set vlan-finance forwarding-options dhcp-security ip-source-guard user@switch# set vlan-finance forwarding-options dhcp-security ipv6-source-guard user@switch# set vlan-finance forwarding-options dhcp-security neighbor-discovery-inspection user@switch# set vlan-finance forwarding-options dhcp-security option-82 user@switch# set vlan-finance forwarding-options dhcp-security dhcpv6-options option-16 user@switch# set vlan-finance forwarding-options dhcp-security dhcpv6-options light-weight-dhcpv6-relay user@switch# set vlan-iso forwarding-options dhcp-security arp-inspection user@switch# set vlan-iso forwarding-options dhcp-security ip-source-guard user@switch# set vlan-iso forwarding-options dhcp-security ipv6-source-guard user@switch# set vlan-iso forwarding-options dhcp-security neighbor-discovery-inspection user@switch# set vlan-iso forwarding-options dhcp-security option-82 user@switch# set vlan-iso forwarding-options dhcp-security dhcpv6-options option-16 user@switch# set vlan-iso forwarding-options dhcp-security dhcpv6-options light-weight-dhcpv6-relay
Results
From configuration mode, confirm your configuration
by entering the following show
commands on the switch.
If the output does not display the intended configuration, repeat
the instructions in this example to correct the configuration.
[edit] user@switch# show interfaces ge-0/0/0 { unit 0 { family ethernet-switching { interface-mode trunk; vlan { members vlan-pri; } } } } ge-1/0/0 { unit 0 { family ethernet-switching { interface-mode trunk; vlan { members vlan-pri; } } } } ge-0/0/11 { unit 0 { family ethernet-switching { interface-mode access; vlan { members vlan-hr; } } } } ge-0/0/12 { unit 0 { family ethernet-switching { interface-mode access; vlan { members vlan-hr; } } } } ge-0/0/13 { unit 0 { family ethernet-switching { interface-mode access; vlan { members vlan-hr; } } } } ge-0/0/14 { unit 0 { family ethernet-switching { interface-mode access; vlan { members vlan-hr; } } } } ge-0/0/15 { unit 0 { family ethernet-switching { interface-mode access; vlan { members vlan-iso; } } } } ge-0/0/16 { unit 0 { family ethernet-switching { interface-mode access; vlan { members vlan-iso; } } } } user@switch# show vlans vlan-finance { vlan-id 300; private-vlan community; interface { ge-0/0/13.0; ge-0/0/14.0; } forwarding-options { dhcp-security { arp-inspection; ip-source-guard; neighbor-discovery-inspection; ipv6-source-guard; option-82; dhcpv6-options light-weight-dhcpv6-relay; dhcpv6-options option-16; } } } vlan-hr { vlan-id 200; private-vlan community; interface { ge-0/0/11.0; ge-0/0/12.0; } forwarding-options { dhcp-security { arp-inspection; ip-source-guard; neighbor-discovery-inspection; ipv6-source-guard; option-82; dhcpv6-options light-weight-dhcpv6-relay; dhcpv6-options option-16; } } } vlan-iso { vlan-id 400; private-vlan isolated; interface { ge-0/0/15.0; ge-0/0/16.0; } forwarding-options { dhcp-security { arp-inspection; ip-source-guard; neighbor-discovery-inspection; ipv6-source-guard; option-82; dhcpv6-options light-weight-dhcpv6-relay; dhcpv6-options option-16; } } } vlan-pri { vlan-id 100; community-vlan vlan-finance; community-vlan vlan-hr; isolated-vlan vlan-iso; interface { ge-0/0/0.0; ge-1/0/0.0; } forwarding-options { dhcp-security { arp-inspection; ip-source-guard; neighbor-discovery-inspection; ipv6-source-guard; option-82; dhcpv6-options light-weight-dhcpv6-relay; dhcpv6-options option-16; } } }
Verification
Verify That Access Security Features Are Working as Expected
Purpose
Verify that the access port security features that you configured on your PVLAN are working as expected.
Action
Use the show dhcp-security
and the clear
dhcp-security
CLI commands to verify that the features are working
as expected. See details about those commands in Security Services Administration Guide.
Creating a Private VLAN on a Single Switch with ELS Support (CLI Procedure)
This task uses Junos OS for switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your EX Series switch runs software that does not support ELS, see Creating a Private VLAN on a Single EX Series Switch (CLI Procedure). For ELS details, see Using the Enhanced Layer 2 Software CLI.
Private VLANs are not supported on QFX5100 switches and QFX10002 switches running Junos OS Release 15.1X53.
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic or limit the communication between known hosts. Private VLANs (PVLANs) enable you to split a broadcast domain (primary VLAN) into multiple isolated broadcast subdomains (secondary VLANs), essentially putting a VLAN inside a VLAN. This procedure describes how to create a PVLAN on a single switch.
You must specify a VLAN ID for each secondary VLAN even if the PVLAN is configured on a single switch.
You do not need to preconfigure the primary VLAN. This topic shows the primary VLAN being configured as part of this PVLAN configuration procedure.
For a list of guidelines on configuring PVLANs, see Understanding Private VLANs.
To configure a private VLAN on a single switch:
Creating a Private VLAN on a Single QFX Switch
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature allows you to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a secondary VLAN inside a primary VLAN. This topic describes how to configure a PVLAN on a single switch.
Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (You do not need to preconfigure the primary VLAN—it is configured as part of this procedure.) You do not need to create VLAN IDs (tags) for the secondary VLANs. It does not impair functioning if you tag the secondary VLANS, but tags are not used when secondary VLANs are configured on a single switch.
Keep these rules in mind when configuring a PVLAN:
The primary VLAN must be a tagged VLAN.
If you are going to configure a community VLAN, you must first configure the primary VLAN and the PVLAN trunk port. You must also configure the primary VLAN to be private using the pvlan statement.
If you are going to configure an isolated VLAN, you must first configure the primary VLAN and the PVLAN trunk port.
If you complete your configuration steps in the order shown, you will not violate these PVLAN rules. To configure a private VLAN on a single switch:
Creating a Private VLAN on a Single EX Series Switch (CLI Procedure)
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches enables you to split a broadcast domain, also known as a primary VLAN, into multiple isolated broadcast subdomains, also known as secondary VLANs. Splitting the primary VLAN into secondary VLANs essentially nests a VLAN inside another VLAN. This topic describes how to configure a PVLAN on a single switch.
Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (Unlike the secondary VLANs, you do not need to preconfigure the primary VLAN—this procedure provides the complete configuration of the primary VLAN.) Although tags are not needed when a secondary VLAN is configured on a single switch, configuring a secondary VLAN as tagged does not adversely affect its functionality. For instructions on configuring the secondary VLANs, see Configuring VLANs for EX Series Switches.
Keep these rules in mind when configuring a PVLAN on a single switch:
The primary VLAN must be a tagged VLAN.
Configuring a VoIP VLAN on PVLAN interfaces is not supported.
To configure a private VLAN on a single switch:
Isolated VLANs are not configured as part of this process. Instead, they are created internally if no-local-switching is enabled on the primary VLAN and the isolated VLAN has access interfaces as members.
To optionally enable routing between isolated and community VLANs by using a routed VLAN interface (RVI) instead of a promiscuous port connected to a router, see Configuring a Routed VLAN Interface in a Private VLAN on an EX Series Switch.
Only an EX8200 switch or EX8200 Virtual Chassis support the use of an RVI to route Layer 3 traffic between isolated and community VLANs in a PVLAN domain.
Creating a Private VLAN Spanning Multiple QFX Series Switches
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature allows you to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a secondary VLAN inside a primary VLAN. This topic describes how to configure a PVLAN to span multiple switches.
Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (You do not need to preconfigure the primary VLAN—it is configured as part of this procedure.) You do not need to create VLAN IDs (tags) for the secondary VLANs. It does not impair functioning if you tag the secondary VLANS, but tags are not used when secondary VLANs are configured on a single switch.
The following rules apply to creating PVLANs:
The primary VLAN must be a tagged VLAN.
If you are going to configure a community VLAN, you must first configure the primary VLAN and the PVLAN trunk port. You must also configure the primary VLAN to be private using the pvlan statement.
If you are going to configure an isolated VLAN, you must first configure the primary VLAN and the PVLAN trunk port.
If you complete your configuration steps in the order shown, you will not violate these PVLAN rules. To configure a private VLAN to span multiple switches:
Creating a Private VLAN Spanning Multiple EX Series Switches with ELS Support (CLI Procedure)
This task uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style If your switch runs software that does not support ELS, see Creating a Private VLAN Spanning Multiple EX Series Switches (CLI Procedure). For ELS details, see Using the Enhanced Layer 2 Software CLI.
Private VLANs are not supported on QFX5100 switches and QFX10002 switches running Junos OS Release 15.1X53.
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic or limit the communication between known hosts. Private VLANs (PVLANs) enable you to split a broadcast domain (primary VLAN) into multiple isolated broadcast subdomains (secondary VLANs), essentially putting a VLAN inside a VLAN. This procedure describes how to configure a PVLAN to span multiple switches.
For a list of guidelines on configuring PVLANs, see Understanding Private VLANs.
To configure a PVLAN to span multiple switches, perform the following procedure on all the switches that will participate in the PVLAN::
Creating a Private VLAN Spanning Multiple EX Series Switches (CLI Procedure)
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches enables an administrator to split a broadcast domain, also known as a primary VLAN, into multiple isolated broadcast subdomains, also known as secondary VLANs. Splitting the primary VLAN into secondary VLANs essentially nests a VLAN inside another VLAN. This topic describes how to configure a PVLAN to span multiple switches.
Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (Unlike the secondary VLANs, you do not need to preconfigure the primary VLAN—this procedure provides the complete configuration of the primary VLAN.) For instructions on configuring the secondary VLANs, see Configuring VLANs for EX Series Switches.
The following rules apply to creating PVLANs:
The primary VLAN must be a tagged VLAN.
You must configure the primary VLAN and the PVLAN trunk port before configuring the secondary VLANs.
Configuring a VoIP VLAN on PVLAN interfaces is not supported.
If the Multiple VLAN Registration Protocol (MVRP) is configured on the PVLAN trunk port, the configuration of secondary VLANs and the PVLAN trunk port must be committed with the same commit operation.
To configure a private VLAN to span multiple switches:
To optionally enable routing between isolated and community VLANs by using a routed VLAN interface (RVI) instead of a promiscuous port connected to a router, see Configuring a Routed VLAN Interface in a Private VLAN on an EX Series Switch.
Only an EX8200 switch or EX8200 Virtual Chassis support the use of an RVI to route Layer 3 traffic between isolated and community VLANs in a PVLAN domain.
Example: Configuring a Private VLAN on a Single Switch with ELS Support
This example uses Junos OS for switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your EX switch runs software that does not support ELS, see Example: Configuring a Private VLAN on a Single EX Series Switch. For ELS details, see Using the Enhanced Layer 2 Software CLI.
Private VLANs are not supported on QFX5100 switches and QFX10002 switches running Junos OS Release 15.1X53.
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic or limit the communication between known hosts. Private VLANs (PVLANs) enable you to split a broadcast domain (primary VLAN) into multiple isolated broadcast subdomains (secondary VLANs), essentially putting a VLAN inside a VLAN.
This example describes how to create a PVLAN on a single switch:
Requirements
This example uses the following hardware and software components:
One Junos OS switch
Junos OS Release 14.1X53-D10 or later for EX Series switches
Junos OS Release 14.1X53-D15 or later for QFX Series switches
Overview and Topology
You can isolate groups of subscribers for improved security and efficiency. This configuration example uses a simple topology to illustrate how to create a PVLAN with one primary VLAN and three secondary VLANs (one isolated VLAN, and two community VLANs).
Table 6 lists the interfaces of the topology used in the example.
Interface | Description |
---|---|
|
Promiscuous member ports |
|
HR community VLAN member ports |
|
Finance community VLAN member ports |
|
Isolated member ports |
Table 7 lists the VLAN IDs of the topology used in the example.
VLAN ID | Description |
---|---|
|
Primary VLAN |
|
HR community VLAN |
|
Finance community VLAN |
|
Isolated VLAN |
Figure 16 shows the topology for this example.
Configuration
You can use an existing VLAN as the basis for your private PVLAN and create subdomains within it. This example creates a primary VLAN—using the VLAN name vlan-pri—as part of the procedure.
To configure a PVLAN, perform these tasks:
CLI Quick Configuration
To quickly create and configure a PVLAN, copy the following commands and paste them into the switch terminal window:
[edit] set vlans vlan-pri vlan-id 100 set vlans vlan-iso private-vlan isolated vlan-id 400 set vlans vlan-hr private-vlan community vlan-id 200 set vlans vlan-finance private-vlan community vlan-id 300 set vlans vlan-pri vlan-id 100 isolated-vlan vlan-iso community-vlan vlan-hr community-vlan vlan-finance set interface ge-0/0/11 unit 0 family ethernet-switching interface-mode access vlan members vlan-hr set interface ge-0/0/12 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-hr set interface ge-0/0/13 unit 0 family ethernet-switching interface-mode access vlan members vlan-finance set interface ge-0/0/14 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-finance set interface ge-0/0/15 unit 0 family ethernet-switching interface-mode access vlan members vlan-iso set interface ge-0/0/16 unit 0 family ethernet-switching interface-mode access vlan members vlan-iso set interface ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-pri set interface ge-1/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-pri
Procedure
Step-by-Step Procedure
To configure the PVLAN:
Create the primary VLAN (in this example, the name is vlan-pri) of the private VLAN:
[edit vlans] user@switch# set vlan-pri vlan-id 100
Create an isolated VLAN and assign it a VLAN ID:
[edit vlans] user@switch# set vlan-iso private-vlan isolated vlan-id 400
Create the HR community VLAN and assign it a VLAN ID:
[edit vlans] user@switch# set vlan-hr private-vlan community vlan-id 200
Create the finance community VLAN and assign it a VLAN ID:
[edit vlans] user@switch# set vlan-finance private-vlan community vlan-id 300
Associate the secondary VLANs with the primary VLAN:
[edit vlans] user@switch# set vlan-pri vlan-id 100 isolated-vlan vlan-iso community-vlan vlan-hr community-vlan vlan-finance
Set the interfaces to the appropriate interface modes:
[edit interfaces] user@switch# set ge-0/0/11 unit 0 family ethernet-switching interface-mode access vlan members vlan-hr user@switch# set ge-0/0/12 unit 0 family ethernet-switching interface-mode access vlan members vlan-hr user@switch# set ge-0/0/13 unit 0 family ethernet-switching interface-mode access vlan members vlan-finance user@switch# set ge-0/0/14 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-finance user@switch# set ge-0/0/15 unit 0 family ethernet-switching interface-mode access vlan members vlan-iso user@switch# set ge-0/0/16 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-iso
Configure a promiscuous trunk interface of the primary VLAN. This interface is used by the primary VLAN to communicate with the secondary VLANs.
user@switch# set ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-pri
Configure another trunk interface (it is also a promiscuous interface) of the primary VLAN, connecting the PVLAN to the router.
user@switch# set ge-1/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members vlan-pri
Example: Configuring a Private VLAN on a Single QFX Series Switch
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and even to limit the communication between known hosts. The private VLAN (PVLAN) feature allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN.
This example describes how to create a PVLAN on a single switch:
Requirements
This example uses the following hardware and software components:
One QFX3500 device
Junos OS Release 12.1 or later for the QFX Series
Before you begin configuring a PVLAN, make sure you have created and configured the necessary VLANs. See Configuring VLANs on Switches.
Overview and Topology
In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows a simple topology to illustrate how to create a PVLAN with one primary VLAN and two community VLANs, one for HR and one for finance, as well as two isolated ports—one for the mail server and the other for the backup server.
Table 8 lists the settings for the sample topology.
Interface | Description |
---|---|
|
Primary VLAN ( |
|
User 1, HR Community ( |
|
User 2, HR Community ( |
|
User 3, Finance Community ( |
|
User 4, Finance Community ( |
|
Mail server, Isolated ( |
|
Backup server, Isolated ( |
|
Primary VLAN ( |
Configuration
CLI Quick Configuration
To quickly create and configure a PVLAN, copy the following commands and paste them into the switch terminal window:
[edit] set vlans pvlan100 vlan-id 100 set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members pvlan set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode trunk set interfaces ge-1/0/0 unit 0 family ethernet-switching vlan members pvlan set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/15 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/16 unit 0 family ethernet-switching port-mode access set vlans pvlan100 pvlan set vlans pvlan100 interface ge-0/0/0.0 set vlans pvlan100 interface ge-1/0/0.0 set vlans hr-comm interface ge-0/0/11.0 set vlans hr-comm interface ge-0/0/12.0 set vlans finance-comm interface ge-0/0/13.0 set vlans finance-comm interface ge-0/0/14.0 set vlans hr-comm primary-vlan pvlan100 set vlans finance-comm primary-vlan pvlan100 set pvlan100 interface ge-0/0/15.0 isolated set pvlan100 interface ge-0/0/16.0 isolated
Procedure
Step-by-Step Procedure
To configure the PVLAN:
Set the VLAN ID for the primary VLAN:
[edit vlans] user@switch# set pvlan vlan-id 100
Set the interfaces and port modes:
[edit interfaces] user@switch# set ge-0/0/0 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-0/0/0 unit 0 family ethernet-switching vlan members pvlan user@switch# set ge-1/0/0 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-1/0/0 unit 0 family ethernet-switching vlan members pvlan user@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/12 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/13 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/14 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/15 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/16 unit 0 family ethernet-switching port-mode access
Set the primary VLAN to have no local switching:
Note:The primary VLAN must be a tagged VLAN.
[edit vlans] user@switch# set pvlan100 pvlan
Add the trunk interfaces to the primary VLAN:
[edit vlans] user@switch# set pvlan100 interface ge-0/0/0.0 user@switch# set pvlan100 interface ge-1/0/0.0
For each secondary VLAN, configure access interfaces:
Note:We recommend that the secondary VLANs be untagged VLANs. It does not impair functioning if you tag the secondary VLANS. However, the tags are not used when a secondary VLAN is configured on a single switch.
[edit vlans] user@switch# set hr-comm interface ge-0/0/11.0 user@switch# set hr-comm interface ge-0/0/12.0 user@switch# set finance-comm interface ge-0/0/13.0 user@switch# set finance-comm interface ge-0/0/14.0
For each community VLAN, set the primary VLAN:
[edit vlans] user@switch# set hr-comm primary-vlan pvlan100 user@switch# set finance-comm primary-vlan pvlan100
Configure the isolated interfaces in the primary VLAN:
[edit vlans] user@switch# set pvlan100 interface ge-0/0/15.0 isolated user@switch# set pvlan100 interface ge-0/0/16.0 isolated
Results
Check the results of the configuration:
[edit] user@switch# show interfaces { ge-0/0/0 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members pvlan100; } } } } ge-1/0/0 { unit 0 { family ethernet-switching; } } ge-0/0/11 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/12 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/13 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/14 { unit 0 { family ethernet-switching { port-mode access; } } } vlans { finance-comm { interface { ge-0/0/13.0; ge-0/0/14.0; } primary-vlan pvlan100; } hr-comm { interface { ge-0/0/11.0; ge-0/0/12.0; } primary-vlan pvlan100; } pvlan100 { vlan-id 100; interface { ge-0/0/15.0; ge-0/0/16.0; ge-0/0/0.0; ge-1/0/0.0; } pvlan; } }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That the Private VLAN and Secondary VLANs Were Created
Purpose
Verify that the primary VLAN and secondary VLANs were properly created on the switch.
Action
Use the show vlans
command:
user@switch> show vlans pvlan100 extensive VLAN: pvlan100, Created at: Tue Sep 16 17:59:47 2008 802.1Q Tag: 100, Internal index: 18, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 6 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/11.0, untagged, access ge-0/0/12.0, untagged, access ge-0/0/13.0, untagged, access ge-0/0/14.0, untagged, access ge-0/0/15.0, untagged, access ge-0/0/16.0, untagged, access ge-1/0/0.0, tagged, trunk Secondary VLANs: Isolated 2, Community 2 Isolated VLANs : __pvlan_pvlan_ge-0/0/15.0__ __pvlan_pvlan_ge-0/0/16.0__ Community VLANs : finance-comm hr-comm user@switch> show vlans hr-comm extensive VLAN: hr-comm, Created at: Tue Sep 16 17:59:47 2008 Internal index: 22, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 2 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/11.0, untagged, access ge-0/0/12.0, untagged, access ge-1/0/0.0, tagged, trunk user@switch> show vlans finance-comm extensive VLAN: finance-comm, Created at: Tue Sep 16 17:59:47 2008 Internal index: 21, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 2 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/13.0, untagged, access ge-0/0/14.0, untagged, access ge-1/0/0.0, tagged, trunk user@switch> show vlans __pvlan_pvlan_ge-0/0/15.0__ extensive VLAN: __pvlan_pvlan_ge-0/0/15.0__, Created at: Tue Sep 16 17:59:47 2008 Internal index: 19, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 1 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/15.0, untagged, access ge-1/0/0.0, tagged, trunk user@switch> show vlans __pvlan_pvlan_ge-0/0/16.0__ extensive VLAN: __pvlan_pvlan_ge-0/0/16.0__, Created at: Tue Sep 16 17:59:47 2008 Internal index: 20, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 1 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/16.0, untagged, access ge-1/0/0.0, tagged, trunk
Meaning
The output shows that the primary VLAN was created and identifies the interfaces and secondary VLANs associated with it.
Example: Configuring a Private VLAN on a Single EX Series Switch
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN.
This example describes how to create a PVLAN on a single EX Series switch:
Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.
Requirements
This example uses the following hardware and software components:
One EX Series switch
Junos OS Release 9.3 or later for EX Series switches
Before you begin configuring a PVLAN, make sure you have created and configured the necessary VLANs. See Configuring VLANs for EX Series Switches.
Overview and Topology
In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows a simple topology to illustrate how to create a PVLAN with one primary VLAN and two community VLANs, one for HR and one for finance, as well as two isolated ports—one for the mail server and the other for the backup server.
Table 9 lists the settings for the example topology.
Interface | Description |
---|---|
ge-0/0/0.0 |
Primary VLAN (vlan1) trunk interface |
ge-0/0/11.0 |
User 1, HR Community (hr-comm) |
ge-0/0/12.0 |
User 2, HR Community (hr-comm) |
ge-0/0/13.0 |
User 3, Finance Community (finance-comm) |
ge-0/0/14.0 |
User 4, Finance Community (finance-comm) |
ge-0/0/15.0 |
Mail server, Isolated (isolated) |
ge-0/0/16.0 |
Backup server, Isolated (isolated) |
ge-1/0/0.0 |
Primary VLAN ( pvlan) trunk interface |
Figure 17 shows the topology for this example.
Configuration
To configure a PVLAN, perform these tasks:
CLI Quick Configuration
To quickly create and configure a PVLAN, copy the following commands and paste them into the switch terminal window:
[edit] set vlans vlan1 vlan-id 1000 set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan1 set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode trunk set interfaces ge-1/0/0 unit 0 family ethernet-switching vlan members vlan1 set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/15 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/16 unit 0 family ethernet-switching port-mode access set vlans vlan1 no-local-switching set vlans vlan1 interface ge-0/0/0.0 set vlans vlan1 interface ge-1/0/0.0 set vlans hr-comm vlan-id 400 set vlans hr-comm interface ge-0/0/11.0 set vlans hr-comm interface ge-0/0/12.0 set vlans finance-comm vlan-id 300 set vlans finance-comm interface ge-0/0/13.0 set vlans finance-comm interface ge-0/0/14.0 set vlans hr-comm primary-vlan vlan1 set vlans finance-comm primary-vlan vlan1 set vlans vlan1 interface ge-0/0/15.0 set vlans vlan1 interface ge-0/0/16.0
Procedure
Step-by-Step Procedure
To configure the PVLAN:
Set the VLAN ID for the primary VLAN:
[edit vlans] user@switch# set vlan1 vlan-id 1000
Set the interfaces and port modes:
[edit interfaces] user@switch# set ge-0/0/0 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-0/0/0 unit 0 family ethernet-switching vlan members pvlan user@switch# set ge-1/0/0 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-1/0/0 unit 0 family ethernet-switching vlan members vlan1 user@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/12 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/13 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/14 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/15 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/16 unit 0 family ethernet-switching port-mode access
Set the primary VLAN to have no local switching:
Note:The primary VLAN must be a tagged VLAN.
[edit vlans] user@switch# set vlan1 no-local-switching
Add the trunk interfaces to the primary VLAN:
[edit vlans] user@switch# set vlan1 interface ge-0/0/0.0 user@switch# set vlan1 interface ge-1/0/0.0
For each secondary VLAN, configure the VLAN IDs and the access interfaces:
Note:We recommend that the secondary VLANs be untagged VLANs. It does not impair functioning if you tag the secondary VLANS. However, the tags are not used when a secondary VLAN is configured on a single switch.
[edit vlans] user@switch# set hr-comm vlan-id 400 user@switch# set hr-comm interface ge-0/0/11.0 user@switch# set hr-comm interface ge-0/0/12.0 user@switch# set finance-comm vlan-id 300 user@switch# set finance-comm interface ge-0/0/13.0 user@switch# set finance-comm interface ge-0/0/14.0
For each community VLAN, set the primary VLAN:
[edit vlans] user@switch# set hr-comm primary-vlan vlan1 user@switch# set finance-comm primary-vlan vlan1
Add each isolated interface to the primary VLAN:
[edit vlans] user@switch# set vlan1 interface ge-0/0/15.0 user@switch# set vlan1 interface ge-0/0/16.0
Results
Check the results of the configuration:
[edit] user@switch# show interfaces { ge-0/0/0 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members vlan1; } } } } ge-1/0/0 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members vlan1; } } } } ge-0/0/11 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/12 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/13 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/14 { unit 0 { family ethernet-switching { port-mode access; } } } vlans { finance-comm { vlan-id 300; interface { ge-0/0/13.0; ge-0/0/14.0; } primary-vlan vlan1; } hr-comm { vlan-id 400; interface { ge-0/0/11.0; ge-0/0/12.0; } primary-vlan vlan1; } vlan1 { vlan-id 1000; interface { ge-0/0/15.0; ge-0/0/16.0; ge-0/0/0.0; ge-1/0/0.0; } no-local-switching; } }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That the Private VLAN and Secondary VLANs Were Created
Purpose
Verify that the primary VLAN and secondary VLANs were properly created on the switch.
Action
Use the show vlans
command:
user@switch> show vlans vlan1 extensive VLAN: vlan1, Created at: Tue Sep 16 17:59:47 2008 802.1Q Tag: 1000, Internal index: 18, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 6 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/11.0, untagged, access ge-0/0/12.0, untagged, access ge-0/0/13.0, untagged, access ge-0/0/14.0, untagged, access ge-0/0/15.0, untagged, access ge-0/0/16.0, untagged, access ge-1/0/0.0, tagged, trunk Secondary VLANs: Isolated 2, Community 2 Isolated VLANs : __vlan1_vlan1_ge-0/0/15.0__ __vlan1_vlan1_ge-0/0/16.0__ Community VLANs : finance-comm hr-comm user@switch> show vlans hr-comm extensive VLAN: hr-comm, Created at: Tue Sep 16 17:59:47 2008 802.1Q Tag: 400,Internal index: 22, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: vlan1 Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 2 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/11.0, untagged, access ge-0/0/12.0, untagged, access ge-1/0/0.0, tagged, trunk user@switch> show vlans finance-comm extensive VLAN: finance-comm, Created at: Tue Sep 16 17:59:47 2008 802.1Q Tag: 300,Internal index: 21, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: vlan1 Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 2 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/13.0, untagged, access ge-0/0/14.0, untagged, access ge-1/0/0.0, tagged, trunk user@switch> show vlans __vlan1_vlan1_ge-0/0/15.0__ extensive VLAN: __vlan1_vlan1_ge-0/0/15.0__, Created at: Tue Sep 16 17:59:47 2008 Internal index: 19, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: vlan1 Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 1 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/15.0, untagged, access ge-1/0/0.0, tagged, trunk user@switch> show vlans __vlan1_vlan1_ge-0/0/16.0__ extensive VLAN: __vlan1_vlan1_ge-0/0/16.0__, Created at: Tue Sep 16 17:59:47 2008 Internal index: 20, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: vlan1 Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 1 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/16.0, untagged, access ge-1/0/0.0, tagged, trunk
Meaning
The output shows that the primary VLAN was created and identifies the interfaces and secondary VLANs associated with it.
Example: Configuring a Private VLAN Spanning Multiple QFX Switches
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and even to limit the communication between known hosts. The private VLAN (PVLAN) feature allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN. A PVLAN can span multiple switches.
This example describes how to create a PVLAN spanning multiple switches. The example creates one primary PVLAN containing multiple secondary VLANs:
- Requirements
- Overview and Topology
- Configuring a PVLAN on Switch 1
- Configuring a PVLAN on Switch 2
- Configuring a PVLAN on Switch 3
- Verification
Requirements
This example uses the following hardware and software components:
Three QFX3500 devices
Junos OS Release 12.1 or later for the QFX Series
Before you begin configuring a PVLAN, make sure you have created and configured the necessary VLANs. See Configuring VLANs on Switches.
Overview and Topology
In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows how to create a PVLAN spanning multiple QFX devices, with one primary VLAN containing two community VLANs (one for HR and one for Finance), and an interswitch isolated VLAN (for the mail server, the backup server, and the CVS server). The PVLAN comprises three switches, two access switches and one distribution switch. The PVLAN is connected to a router through a promiscuous port, which is configured on the distribution switch.
The isolated ports on Switch 1 and on Switch 2 do not have Layer 2 connectivity with one another even though they are included within the same domain. See Understanding Private VLANs.
Figure 18 shows the topology for this example—two access switches connecting to a distribution switch, which has a connection (through a promiscuous port) to the router.
Table 10, Table 11, and Table 12 list the settings for the example topology.
Property | Settings |
---|---|
VLAN names and tag IDs |
primary-vlan, tag 100 isolation-vlan-id, tag 50finance-comm, tag 300hr-comm, tag 400 |
PVLAN trunk interfaces |
ge-0/0/0.0, connects Switch 1 to Switch 3 ge-0/0/5.0, connects Switch 1 to Switch 2 |
Isolated Interfaces in primary VLAN |
ge-0/0/15.0, mail server ge-0/0/16.0, backup server |
Interfaces in VLAN finance-com |
ge-0/0/11.0 ge-0/0/12.0 |
Interfaces in VLAN hr-comm |
ge-0/0/13.0 ge-0/0/14.0 |
Property | Settings |
---|---|
VLAN names and tag IDs |
primary-vlan, tag 100 isolation-vlan-id, tag 50finance-comm, tag 300hr-comm, tag 400 |
PVLAN trunk interfaces |
ge-0/0/0.0, connects Switch 2 to Switch 3 ge-0/0/5.0, connects Switch 2 to Switch 1 |
Isolated Interface in primary VLAN |
ge-0/0/17.0, CVS server |
Interfaces in VLAN finance-com |
ge-0/0/11.0 ge-0/0/12.0 |
Interfaces in VLAN hr-comm |
ge-0/0/13.0 ge-0/0/14.0 |
Property | Settings |
---|---|
VLAN names and tag IDs |
primary-vlan, tag 100 isolation-vlan-id, tag 50finance-comm, tag 300hr-comm, tag 400 |
PVLAN trunk interfaces |
ge-0/0/0.0, connects Switch 3 to Switch 1 ge-0/0/1.0, connects Switch 3 to Switch 2 |
Promiscuous port |
ge-0/0/2, connects the PVLAN to the router Note:
You must configure the trunk port that connects the PVLAN to another switch or router outside the PVLAN as a member of the PVLAN, which implicitly configures it as a promiscuous port. |
Topology
Configuring a PVLAN on Switch 1
When configuring a PVLAN on multiple switches, these rules apply:
The primary VLAN must be a tagged VLAN. We recommend that you configure the primary VLAN first.
If you are going to configure a community VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port. You must also configure the primary VLAN to be private using the pvlan statement.
If you are going to configure an isolation VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.
CLI Quick Configuration
To quickly create and configure a PVLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 1:
[edit] set vlans finance-comm vlan-id 300 set vlans finance-comm interface ge-0/0/11.0 set vlans finance-comm interface ge-0/0/12.0 set vlans finance-comm primary-vlan pvlan100 set vlans hr-comm vlan-id 400 set vlans hr-comm interface ge-0/0/13.0 set vlans hr-comm interface ge-0/0/14.0 set vlans hr-comm primary-vlan pvlan100 set vlans pvlan100 vlan-id 100 set vlans pvlan100 interface ge-0/0/15.0 set vlans pvlan100 interface ge-0/0/16.0 set vlans pvlan100 interface ge-0/0/0.0 pvlan-trunk set vlans pvlan100 interface ge-0/0/5.0 pvlan-trunk set vlans pvlan100 pvlan set vlans pvlan100 pvlan isolation-vlan-id 50 set pvlan100 interface ge-0/0/15.0 isolated set pvlan100 interface ge-0/0/16.0 isolated
Procedure
Step-by-Step Procedure
Set the VLAN ID for the primary VLAN:
[edit vlans] user@switch# set pvlan100 vlan-id 100
Set the PVLAN trunk interfaces to connect this VLAN across neighboring switches:
[edit vlans] user@switch# set pvlan100 interface ge-0/0/0.0 pvlan-trunk user@switch# set pvlan100 interface ge-0/0/5.0 pvlan-trunk
Set the primary VLAN to be private and have no local switching:
[edit vlans] user@switch# set pvlan100 pvlan
Set the VLAN ID for the finance-comm community VLAN that spans the switches:
[edit vlans] user@switch# set finance-comm vlan-id 300
Configure access interfaces for the finance-comm VLAN:
[edit vlans] user@switch# set finance-comm interface ge-0/0/11.0
user@switch# set finance-comm interface ge-0/0/12.0
Set the primary VLAN of this secondary community VLAN, finance-comm :
[edit vlans] user@switch# set vlans finance-comm primary-vlan pvlan100
Set the VLAN ID for the HR community VLAN that spans the switches.
[edit vlans] user@switch# set hr-comm vlan-id 400
Configure access interfaces for the hr-comm VLAN:
[edit vlans] user@switch# set hr-comm interface ge-0/0/13.0 user@switch# set hr-comm interface ge-0/0/14.0
Set the primary VLAN of this secondary community VLAN, hr-comm:
[edit vlans] user@switch# set vlans hr-comm primary-vlan pvlan100
Set the interswitch isolated ID to create an interswitch isolated domain that spans the switches:
[edit vlans] user@switch# set pvlan100 pvlan isolation-vlan-id 50
Configure the isolated interfaces in the primary VLAN:
[edit vlans] user@switch# set pvlan100 interface ge-0/0/15.0 isolated user@switch# set pvlan100 interface ge-0/0/16.0 isolated
Note:When you configure an isolated port, include it as a member of the primary VLAN, but do not configure it as a member of any community VLAN.
Results
Check the results of the configuration:
[edit] user@switch# show vlans { finance-comm { vlan-id 300; interface { ge-0/0/11.0; ge-0/0/12.0; } primary-vlan pvlan100; } hr-comm { vlan-id 400; interface { ge-0/0/13.0; ge-0/0/14.0; } primary-vlan pvlan100; } pvlan100 { vlan-id 100; interface { ge-0/0/15.0; ge-0/0/16.0; ge-0/0/0.0 { pvlan-trunk; } ge-0/0/5.0 { pvlan-trunk; } } pvlan; isolation-vlan-id 50; } }
Configuring a PVLAN on Switch 2
CLI Quick Configuration
To quickly create and configure a private VLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 2:
The configuration of Switch 2 is the same as the configuration of Switch 1 except for the interface in the interswitch isolated domain. For Switch 2, the interface is ge-0/0/17.0.
[edit] set vlans finance-comm vlan-id 300 set vlans finance-comm interface ge-0/0/11.0 set vlans finance-comm interface ge-0/0/12.0 set vlans finance-comm primary-vlan pvlan100 set vlans hr-comm vlan-id 400 set vlans hr-comm interface ge-0/0/13.0 set vlans hr-comm interface ge-0/0/14.0 set vlans hr-comm primary-vlan pvlan100 set vlans pvlan100 vlan-id 100 set vlans pvlan100 interface ge-0/0/17.0 set vlans pvlan100 interface ge-0/0/0.0 pvlan-trunk set vlans pvlan100 interface ge-0/0/5.0 pvlan-trunk set vlans pvlan100 pvlan set vlans pvlan100 pvlan isolation-vlan-id 50 set pvlan100 interface ge-0/0/17.0 isolated
Procedure
Step-by-Step Procedure
To configure a PVLAN on Switch 2 that will span multiple switches:
Set the VLAN ID for the finance-comm community VLAN that spans the switches:
[edit vlans] user@switch# set finance-comm vlan-id 300
Configure access interfaces for the finance-comm VLAN:
[edit vlans] user@switch# set finance-comm interface ge-0/0/11.0
user@switch# set finance-comm interface ge-0/0/12.0
Set the primary VLAN of this secondary community VLAN, finance-comm:
[edit vlans] user@switch# set vlans finance-comm primary-vlan pvlan100
Set the VLAN ID for the HR community VLAN that spans the switches.
[edit vlans] user@switch# set hr-comm vlan-id 400
Configure access interfaces for the hr-comm VLAN:
[edit vlans] user@switch# set hr-comm interface ge-0/0/13.0 user@switch# set hr-comm interface ge-0/0/14.0
Set the primary VLAN of this secondary community VLAN, hr-comm:
[edit vlans] user@switch# set vlans hr-comm primary-vlan pvlan100
Set the VLAN ID for the primary VLAN:
[edit vlans] user@switch# set pvlan100 vlan-id 100
Set the PVLAN trunk interfaces that will connect this VLAN across neighboring switches:
[edit vlans] user@switch# set pvlan100 interface ge-0/0/0.0 pvlan-trunk user@switch# set pvlan100 interface ge-0/0/5.0 pvlan-trunk
Set the primary VLAN to be private and have no local switching:
[edit vlans] user@switch# set pvlan100 pvlan
Set the interswitch isolated ID to create an interswitch isolated domain that spans the switches:
[edit vlans] user@switch# set pvlan100 pvlan isolation-vlan-id 50
Note:To configure an isolated port, include it as one of the members of the primary VLAN, but do not configure it as belonging to one of the community VLANs.
Configure the isolated interface in the primary VLAN:
[edit vlans] user@switch# set pvlan100 interface ge-0/0/17.0 isolated
Results
Check the results of the configuration:
[edit] user@switch# show vlans { finance-comm { vlan-id 300; interface { ge-0/0/11.0; ge-0/0/12.0; } primary-vlan pvlan100; } hr-comm { vlan-id 400; interface { ge-0/0/13.0; ge-0/0/14.0; } primary-vlan pvlan100; } pvlan100 { vlan-id 100; interface { ge-0/0/15.0; ge-0/0/16.0; ge-0/0/0.0 { pvlan-trunk; } ge-0/0/5.0 { pvlan-trunk; } ge-0/0/17.0; } pvlan; isolation-vlan-id 50; } }
Configuring a PVLAN on Switch 3
CLI Quick Configuration
To quickly configure Switch 3 to function as the distribution switch of this PVLAN, copy the following commands and paste them into the terminal window of Switch 3:
Interface ge-0/0/2.0 is a trunk port connecting the PVLAN to a router.
[edit] set vlans finance-comm vlan-id 300 set vlans finance-comm primary-vlan pvlan100 set vlans hr-comm vlan-id 400 set vlans hr-comm primary-vlan pvlan100 set vlans pvlan100 vlan-id 100 set vlans pvlan100 interface ge-0/0/0.0 pvlan-trunk set vlans pvlan100 interface ge-0/0/1.0 pvlan-trunk set vlans pvlan100 pvlan set vlans pvlan100 pvlan isolation-vlan-id 50
Procedure
Step-by-Step Procedure
To configure Switch 3 to function as the distribution switch for this PVLAN, use the following procedure:
Set the VLAN ID for the finance-comm community VLAN that spans the switches:
[edit vlans] user@switch# finance-comm vlan-id 300
Set the primary VLAN of this secondary community VLAN, finance-comm:
[edit vlans] user@switch# set vlans finance-comm primary-vlan pvlan100
Set the VLAN ID for the HR community VLAN that spans the switches:
[edit vlans] user@switch# set hr-comm vlan-id 400
Set the primary VLAN of this secondary community VLAN, hr-comm:
[edit vlans] user@switch# set vlans hr-comm primary-vlan pvlan100
Set the VLAN ID for the primary VLAN:
[edit vlans] user@switch# set pvlan100 vlan-id 100
Set the PVLAN trunk interfaces that will connect this VLAN across neighboring switches:
[edit vlans] user@switch# set pvlan100 interface ge-0/0/0.0 pvlan-trunk user@switch# set pvlan100 interface ge-0/0/5.0 pvlan-trunk
Set the primary VLAN to be private and have no local switching:
[edit vlans] user@switch# set pvlan100 pvlan
Set the interswitch isolated ID to create an interswitch isolated domain that spans the switches:
[edit vlans] user@switch# set pvlan100 pvlan isolation-vlan-id 50
Note:To configure an isolated port, include it as one of the members of the primary VLAN, but do not configure it as belonging to one of the community VLANs.
Results
Check the results of the configuration:
[edit] user@switch# show vlans { finance-comm { vlan-id 300; primary-vlan pvlan100; } hr-comm { vlan-id 400; primary-vlan pvlan100; } pvlan100 { vlan-id 100; interface { ge-0/0/0.0 { pvlan-trunk; } ge-0/0/1.0 { pvlan-trunk; } ge-0/0/2.0; } pvlan; isolation-vlan-id 50; } }
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 1
- Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 2
- Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 3
Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 1
Purpose
Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 1:
Action
Use the show vlans
extensive
command:
user@switch> show vlans extensive VLAN: __pvlan_pvlan100_ge-0/0/15.0__, Created at: Thu Sep 16 23:15:27 2010 Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 1 (Active = 1) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/15.0*, untagged, access VLAN: __pvlan_pvlan100_ge-0/0/16.0__, Created at: Thu Sep 16 23:15:27 2010 Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 1 (Active = 1) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/16.0*, untagged, access VLAN: __pvlan_pvlan100_isiv__, Created at: Thu Sep 16 23:15:27 2010 802.1Q Tag: 50, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk VLAN: default, Created at: Thu Sep 16 03:03:18 2010 Internal index: 2, Admin State: Enabled, Origin: Static Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) VLAN: finance-comm, Created at: Thu Sep 16 23:15:27 2010 802.1Q Tag: 300, Internal index: 8, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/11.0*, untagged, access ge-0/0/12.0*, untagged, access VLAN: hr-comm, Created at: Thu Sep 16 23:15:27 2010 802.1Q Tag: 400, Internal index: 9, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/13.0*, untagged, access ge-0/0/14.0*, untagged, access VLAN: pvlan100, Created at: Thu Sep 16 23:15:27 2010 802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 6 (Active = 6) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/11.0*, untagged, access ge-0/0/12.0*, untagged, access ge-0/0/13.0*, untagged, access ge-0/0/14.0*, untagged, access ge-0/0/15.0*, untagged, access ge-0/0/16.0*, untagged, access Secondary VLANs: Isolated 2, Community 2, Inter-switch-isolated 1 Isolated VLANs : __pvlan_pvlan100_ge-0/0/15.0__ __pvlan_pvlan100_ge-0/0/16.0__ Community VLANs : finance-comm hr-comm Inter-switch-isolated VLAN : __pvlan_pvlan100_isiv__
Meaning
The output shows that a PVLAN was created on Switch 1 and shows that it includes two isolated VLANs, two community VLANs, and an interswitch isolated VLAN. The presence of the pvlan-trunk and Inter-switch-isolated fields indicates that this PVLAN is spanning more than one switch.
Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 2
Purpose
Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 2:
Action
Use the show vlans
extensive
command:
user@switch> show vlans extensive VLAN: __pvlan_pvlan100_ge-0/0/17.0__, Created at: Thu Sep 16 23:19:22 2010 Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 1 (Active = 1) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/17.0*, untagged, access VLAN: __pvlan_pvlan100_isiv__, Created at: Thu Sep 16 23:19:22 2010 802.1Q Tag: 50, Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk VLAN: default, Created at: Thu Sep 16 03:03:18 2010 Internal index: 2, Admin State: Enabled, Origin: Static Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) VLAN: finance-comm, Created at: Thu Sep 16 23:19:22 2010 802.1Q Tag: 300, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/11.0*, untagged, access ge-0/0/12.0*, untagged, access VLAN: hr-comm, Created at: Thu Sep 16 23:19:22 2010 802.1Q Tag: 400, Internal index: 8, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/13.0*, untagged, access ge-0/0/14.0*, untagged, access VLAN: pvlan100, Created at: Thu Sep 16 23:19:22 2010 802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 5 (Active = 5) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/11.0*, untagged, access ge-0/0/12.0*, untagged, access ge-0/0/13.0*, untagged, access ge-0/0/14.0*, untagged, access ge-0/0/17.0*, untagged, access Secondary VLANs: Isolated 1, Community 2, Inter-switch-isolated 1 Isolated VLANs : __pvlan_pvlan100_ge-0/0/17.0__ Community VLANs : finance-comm hr-comm Inter-switch-isolated VLAN : __pvlan_pvlan100_isiv__
Meaning
The output shows that a PVLAN was created on Switch 2 and shows that it includes one isolated VLAN, two community VLANs, and an interswitch isolated VLAN. The presence of the pvlan-trunk and Inter-switch-isolated fields indicates that this PVLAN is spanning more than one switch. When you compare this output to the output of Switch 1, you can see that both switches belong to the same PVLAN (pvlan100).
Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 3
Purpose
Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 3:
Action
Use the show vlans
extensive
command:
user@switch> show vlans extensive VLAN: __pvlan_pvlan100_isiv__, Created at: Thu Sep 16 23:22:40 2010 802.1Q Tag: 50, Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, tagged, trunk, pvlan-trunk VLAN: default, Created at: Thu Sep 16 03:03:18 2010 Internal index: 2, Admin State: Enabled, Origin: Static Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) VLAN: finance-comm, Created at: Thu Sep 16 23:22:40 2010 802.1Q Tag: 300, Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, tagged, trunk, pvlan-trunk VLAN: hr-comm, Created at: Thu Sep 16 23:22:40 2010 802.1Q Tag: 400, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, tagged, trunk, pvlan-trunk VLAN: pvlan100, Created at: Thu Sep 16 23:22:40 2010 802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, tagged, trunk, pvlan-trunk Secondary VLANs: Isolated 0, Community 2, Inter-switch-isolated 1 Community VLANs : finance-comm hr-comm Inter-switch-isolated VLAN : __pvlan_pvlan100_isiv__
Meaning
The output shows that the PVLAN (pvlan100) is configured on Switch 3 and that it includes no isolated VLANs, two community VLANs, and an interswitch isolated VLAN. But Switch 3 is functioning as a distribution switch, so the output does not include access interfaces within the PVLAN. It shows only the pvlan-trunk interfaces that connect pvlan100 from Switch 3 to the other switches (Switch 1 and Switch 2) in the same PVLAN.
Example: Configuring a Private VLAN Spanning Multiple Switches With an IRB Interface
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and even to limit the communication between known hosts. The private VLAN (PVLAN) feature allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN. A PVLAN can span multiple switches. This example describes how to create a PVLAN spanning multiple switches. The example creates one primary PVLAN, containing multiple secondary VLANs.
Just like regular VLANs, PVLANs are isolated at Layer 2 and normally require that a Layer 3 device be used if you want to route traffic. Starting with Junos OS 14.1X53-D30, you can use an integrated routing and bridging (IRB) interface to route Layer 3 traffic between devices connected to a PVLAN. Using an IRB interface in this way can also allow the devices in the PVLAN to communicate at Layer 3 with devices in other community or isolated VLANs or with devices outside the PVLAN. This example also demonstrates how to include an IRB interface in a PVLAN configuration.
- Requirements
- Overview and Topology
- Configuration Overview
- Configuring a PVLAN on Switch 1
- Configuring a PVLAN on Switch 2
- Configuring a PVLAN on Switch 3
- Verification
Requirements
This example uses the following hardware and software components:
Three QFX Series or EX4600 switches
Junos OS release with PVLAN for QFX Series or EX4600
Overview and Topology
In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows how to create a PVLAN spanning multiple switches, with one primary VLAN containing two community VLANs (one for HR and one for Finance), and an interswitch isolated VLAN (for the mail server, the backup server, and the CVS server). The PVLAN comprises three switches—two access switches and one distribution switch. The devices in the PVLAN are connected at Layer 3 to each other and to devices outside the PVLAN through an IRB interface configured on the distribution switch.
The isolated ports on Switch 1 and on Switch 2 do not have Layer 2 connectivity with one another even though they are included within the same domain. See Understanding Private VLANs.
Figure 19 shows the topology for this example.
Table 13, Table 14, and Table 15 list the settings for the example topology.
Property | Settings |
---|---|
VLAN names and tag IDs |
|
Interswitch link interfaces |
|
Isolated Interfaces in primary VLAN |
|
Interfaces in VLAN |
|
Interfaces in VLAN |
|
Property | Settings |
---|---|
VLAN names and tag IDs |
|
Interswitch link interfaces |
|
Isolated Interface in primary VLAN |
|
Interfaces in VLAN |
|
Interfaces in VLAN |
|
Property | Settings |
---|---|
VLAN names and tag IDs |
|
Interswitch link interfaces |
|
Promiscuous port |
Note:
You must configure the trunk port that connects the PVLAN to another switch or router outside the PVLAN as a member of the PVLAN, which implicitly configures it as a promiscuous port. |
IRB interface |
Configure unrestricted proxy ARP on the IRB interface to allow ARP resolution to occur so that devices that use IPv4 can communicate at Layer 3. For IPv6 traffic, you must explicitly map an IRB address to the destination address to allow ARP resolution. |
Topology
Configuration Overview
When configuring a PVLAN on multiple switches, the following rules apply:
The primary VLAN must be a tagged VLAN.
The primary VLAN is the only VLAN that can be a member of an interswitch link interface.
When configuring an IRB interface in a PVLAN, these rules apply:
You can create only one IRB interface in a PVLAN, regardless of how many switches participate in the PVLAN.
The IRB interface must be a member of the primary VLAN in the PVLAN.
Each host device that you want to connect at Layer 3 must use an IP address of the IRB as its default gateway address.
Configuring a PVLAN on Switch 1
CLI Quick Configuration
To quickly create and configure a PVLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 1:
[edit] set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk set interfaces xe-0/0/0 unit 0 family ethernet-switching inter-switch-link set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members 100 set interfaces xe-0/0/5 unit 0 family ethernet-switching interface-mode trunk set interfaces xe-0/0/5 unit 0 family ethernet-switching inter-switch-link set interfaces xe-0/0/5 unit 0 family ethernet-switching vlan members 100 set vlans finance-comm vlan-id 300 private-vlan community set vlans hr-comm vlan-id 400 private-vlan community set vlans isolated-vlan vlan-id 50 private-vlan isolated set vlans pvlan100 vlan-id 100 community-vlans [300 400] isolated-vlan 50 set interfaces xe-0/0/11 unit 0 family ethernet-switching vlan members 300 set interfaces xe-0/0/12 unit 0 family ethernet-switching vlan members 300 set interfaces xe-0/0/13 unit 0 family ethernet-switching vlan members 400 set interfaces xe-0/0/14 unit 0 family ethernet-switching vlan members 400 set interfaces xe-0/0/15 unit 0 family ethernet-switching vlan members 50 set interfaces xe-0/0/16 unit 0 family ethernet-switching vlan members 50
Procedure
Step-by-Step Procedure
Configure interface xe-0/0/0 to be a trunk:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
Configure interface xe-0/0/0 to be an interswitch link that carries all the VLANs:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching inter-switch-link
Configure pvlan100 (the primary VLAN) to be a member of interface xe-0/0/0:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching vlan members 100
Configure interface xe-0/0/5 to be a trunk:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
Configure interface xe-0/0/5 to be an interswitch link that carries all the VLANs:
[edit interfaces] user@switch# set xe-0/0/5 unit 0 family ethernet-switching inter-switch-link
Configure pvlan100 to be a member of interface xe-0/0/5:
[edit interfaces] user@switch# set xe-0/0/5 unit 0 family ethernet-switching vlan members 100
Create the community VLAN for the finance organization:
[edit vlans] set finance-comm vlan-id 300 private-vlan community
Create the community VLAN for the HR organization:
[edit vlans] set hr-comm vlan-id 400 private-vlan community
Create the isolated VLAN for the mail and backup servers:
[edit vlans] set isolated-vlan vlan-id 50 private-vlan isolated
Create the primary VLAN and make the community and isolated VLANs members of it:
[edit vlans] set pvlan100 vlan-id 100 community-vlans [300 400] isolated-vlan 50
Configure VLAN 300 (the a community VLAN) to be a member of interface xe-0/0/11:
[edit interfaces] user@switch# set xe-0/0/11 unit 0 family ethernet-switching vlan members 300
Configure VLAN 300 (a community VLAN) to be a member of interface xe-0/0/12:
[edit interfaces] user@switch# set xe-0/0/12 unit 0 family ethernet-switching vlan members 300
Configure VLAN 400 (a community VLAN) to be a member of interface xe-0/0/13:
[edit interfaces] user@switch# set xe-0/0/13 unit 0 family ethernet-switching vlan members 400
Configure VLAN 400 (a community VLAN) to be a member of interface xe-0/0/14:
[edit interfaces] user@switch# set xe-0/0/14 unit 0 family ethernet-switching vlan members 400
Configure VLAN 50 (the isolated VLAN) to be a member of interface xe-0/0/15:
[edit interfaces] user@switch# set xe-0/0/15 unit 0 family ethernet-switching vlan members 50
Configure VLAN 50 (the isolated VLAN) to be a member of interface xe-0/0/16:
[edit interfaces] user@switch# set xe-0/0/16 unit 0 family ethernet-switching vlan members 50
Results
Check the results of the configuration:
[edit] user@switch# show vlans { finance-comm { vlan-id 300; private-vlan community; } hr-comm { vlan-id 400; private-vlan community; } isolated-vlan{ vlan-id 50; private-vlan isolated; } pvlan100 { vlan-id 100; isolated-vlan 50; community-vlans [300 400] } }
Configuring a PVLAN on Switch 2
CLI Quick Configuration
To quickly create and configure a private VLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 2:
The configuration of Switch 2 is the same as the configuration
of Switch 1 except for the isolated VLAN. For Switch 2, the isolated
VLAN interface is xe-0/0/17.0
.
[edit] set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk set interfaces xe-0/0/0 unit 0 family ethernet-switching inter-switch-link set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members 100 set interfaces xe-0/0/5 unit 0 family ethernet-switching interface-mode trunk set interfaces xe-0/0/5 unit 0 family ethernet-switching inter-switch-link set interfaces xe-0/0/5 unit 0 family ethernet-switching vlan members 100 set vlans finance-comm vlan-id 300 private-vlan community set vlans hr-comm vlan-id 400 private-vlan community set vlans isolated-vlan vlan-id 50 private-vlan isolated set vlans pvlan100 vlan-id 100 community-vlans [300 400] isolated-vlan 50 set interfaces xe-0/0/11 unit 0 family ethernet-switching vlan members 300 set interfaces xe-0/0/12 unit 0 family ethernet-switching vlan members 300 set interfaces xe-0/0/13 unit 0 family ethernet-switching vlan members 400 set interfaces xe-0/0/14 unit 0 family ethernet-switching vlan members 400 set interfaces xe-0/0/17 unit 0 family ethernet-switching vlan members 50
Procedure
Step-by-Step Procedure
Configure interface xe-0/0/0 to be a trunk:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
Configure interface xe-0/0/0 to be an interswitch link that carries all the VLANs:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching inter-switch-link
Configure pvlan100 (the primary VLAN) to be a member of interface xe-0/0/0:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching vlan members 100
Configure interface xe-0/0/5 to be a trunk:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
Configure interface xe-0/0/5 to be an interswitch link that carries all the VLANs:
[edit interfaces] user@switch# set xe-0/0/5 unit 0 family ethernet-switching inter-switch-link
Configure pvlan100 to be a member of interface xe-0/0/5:
[edit interfaces] user@switch# set xe-0/0/5 unit 0 family ethernet-switching vlan members 100
Create the community VLAN for the finance organization:
[edit vlans] set finance-comm vlan-id 300 private-vlan community
Create the community VLAN for the HR organization:
[edit vlans] set hr-comm vlan-id 400 private-vlan community
Create the isolated VLAN for the mail and backup servers:
[edit vlans] set isolated-vlan vlan-id 50 private-vlan isolated
Create the primary VLAN and make the community and isolated VLANs members of it:
[edit vlans] set pvlan100 vlan-id 100 community-vlans [300 400] isolated-vlan 50
Configure VLAN 300 (the a community VLAN) to be a member of interface xe-0/0/11:
[edit interfaces] user@switch# set xe-0/0/11 unit 0 family ethernet-switching vlan members 300
Configure VLAN 300 (a community VLAN) to be a member of interface xe-0/0/12:
[edit interfaces] user@switch# set xe-0/0/12 unit 0 family ethernet-switching vlan members 300
Configure VLAN 400 (a community VLAN) to be a member of interface xe-0/0/13:
[edit interfaces] user@switch# set xe-0/0/13 unit 0 family ethernet-switching vlan members 400
Configure VLAN 400 (a community VLAN) to be a member of interface xe-0/0/14:
[edit interfaces] user@switch# set xe-0/0/14 unit 0 family ethernet-switching vlan members 400
Configure VLAN 50 (the isolated VLAN) to be a member of interface xe-0/0/17:
[edit interfaces] user@switch# set xe-0/0/17 unit 0 family ethernet-switching vlan members 50
Results
Check the results of the configuration:
[edit] user@switch# show vlans { finance-comm { vlan-id 300; private-vlan community; } hr-comm { vlan-id 400; private-vlan community; } isolated-vlan{ vlan-id 50; private-vlan isolated; } pvlan100 { vlan-id 100; isolated-vlan 50; community-vlans [300 400] } }
Configuring a PVLAN on Switch 3
CLI Quick Configuration
To quickly configure Switch 3 to function as the distribution switch of this PVLAN, copy the following commands and paste them into the terminal window of Switch 3:
Interface xe-0/0/2.0 is a trunk port connecting the PVLAN to another network.
[edit] [edit] set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk set interfaces xe-0/0/0 unit 0 family ethernet-switching inter-switch-link set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members 100 set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode trunk set interfaces xe-0/0/1 unit 0 family ethernet-switching inter-switch-link set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 100 set interfaces xe-0/0/2 unit 0 family ethernet-switching interface-mode trunk set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members 100 set vlans pvlan100 vlan-id 100 set interfaces irb unit 100 family inet address 192.168.1.1/24 set vlans pvlan100 l3-interface irb.100 set interfaces irb unit 100 proxy-arp unrestricted
Procedure
Step-by-Step Procedure
To configure Switch 3 to function as the distribution switch for this PVLAN, use the following procedure:
Configure interface xe-0/0/0 to be a trunk:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
Configure interface xe-0/0/0 to be an interswitch link that carries all the VLANs:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching inter-switch-link
Configure pvlan100 (the primary VLAN) to be a member of interface xe-0/0/0:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching vlan members 100
Configure interface xe-0/0/5 to be a trunk:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
Configure interface xe-0/0/5 to be an interswitch link that carries all the VLANs:
[edit interfaces] user@switch# set xe-0/0/5 unit 0 family ethernet-switching inter-switch-link
Configure pvlan100 to be a member of interface xe-0/0/5:
[edit interfaces] user@switch# set xe-0/0/5 unit 0 family ethernet-switching vlan members 100
Configure interface xe-0/0/2 (the promiscuous interface) to be a trunk:
[edit interfaces] user@switch# set xe-0/0/2 unit 0 family ethernet-switching interface-mode trunk
Configure pvlan100 to be a member of interface xe-0/0/2:
[edit interfaces] user@switch# set xe-0/0/2 unit 0 family ethernet-switching vlan members 100
Create the primary VLAN:
[edit vlans] set vlans pvlan100 vlan-id 100
Create the IRB interface
irb
and assign it an address in the subnet used by the devices attached to Switches 1 and 2:[edit interfaces] set irb unit 100 family inet address 192.168.1.1/24
Note:Each host device that you want to connect at Layer 3 must be in the same subnet as the IRB interface and use the IP address of the IRB interface as its default gateway address.
Complete the IRB interface configuration by binding the interface to the primary VLAN
pvlan100
:[edit vlans] set pvlan100 l3-interface irb.100
Configure unrestricted proxy ARP for each unit of the IRB interface so that ARP resolution works for IPv4 traffic:
[edit interfaces] set irb unit 100 proxy-arp unrestricted
Note:Because the devices in the community and isolated VLANs are isolated at Layer 2, this step is required to allow ARP resolution to occur between the VLANs so that devices using IPv4 can communicate at Layer 3. (For IPv6 traffic, you must explicitly map an IRB address to the destination address to allow ARP resolution.)
Results
Check the results of the configuration:
[edit] user@switch# show vlans { pvlan100{ vlan-id 100; } }
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 1
- Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 2
- Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 3
Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 1
Purpose
Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 1:
Action
Use the show vlans
extensive
command:
user@switch> show vlans extensive VLAN: __pvlan_pvlan100_xe-0/0/15.0__, Created at: Wed Sep 16 23:15:27 2015 Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 1 (Active = 1) xe-0/0/0.0*, tagged, trunk xe-0/0/5.0*, tagged, trunk xe-0/0/15.0*, untagged, access VLAN: __pvlan_pvlan100_xe-0/0/16.0__, Created at: Wed Sep 16 23:15:27 2015 Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 1 (Active = 1) xe-0/0/0.0*, tagged, trunk xe-0/0/5.0*, tagged, trunk xe-0/0/16.0*, untagged, access VLAN: __pvlan_pvlan100_isiv__, Created at: Wed Sep 16 23:15:27 2015 802.1Q Tag: 50, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) xe-0/0/0.0*, tagged, trunk xe-0/0/5.0*, tagged, trunk VLAN: default, Created at: Wed Sep 16 03:03:18 2015 Internal index: 2, Admin State: Enabled, Origin: Static Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) VLAN: finance-comm, Created at: Wed Sep 16 23:15:27 2015 802.1Q Tag: 300, Internal index: 8, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) xe-0/0/0.0*, tagged, trunk xe-0/0/5.0*, tagged, trunk xe-0/0/11.0*, untagged, access xe-0/0/12.0*, untagged, access VLAN: hr-comm, Created at: Wed Sep 16 23:15:27 2015 802.1Q Tag: 400, Internal index: 9, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) xe-0/0/0.0*, tagged, trunk xe-0/0/5.0*, tagged, trunk xe-0/0/13.0*, untagged, access xe-0/0/14.0*, untagged, access VLAN: pvlan100, Created at: Wed Sep 16 23:15:27 2015 802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 6 (Active = 6) xe-0/0/0.0*, tagged, trunk xe-0/0/5.0*, tagged, trunk xe-0/0/11.0*, untagged, access xe-0/0/12.0*, untagged, access xe-0/0/13.0*, untagged, access xe-0/0/14.0*, untagged, access xe-0/0/15.0*, untagged, access xe-0/0/16.0*, untagged, access Secondary VLANs: Isolated 2, Community 2, Inter-switch-isolated 1 Isolated VLANs : __pvlan_pvlan100_xe-0/0/15.0__ __pvlan_pvlan100_xe-0/0/16.0__ Community VLANs : finance-comm hr-comm Inter-switch-isolated VLAN : __pvlan_pvlan100_isiv__
Meaning
The output shows that a PVLAN was created on Switch 1 and shows that it includes two isolated VLANs, two community VLANs, and an interswitch isolated VLAN. The presence of the trunk and Inter-switch-isolated fields indicates that this PVLAN is spanning more than one switch.
Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 2
Purpose
Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 2:
Action
Use the show vlans
extensive
command:
user@switch> show vlans extensive VLAN: __pvlan_pvlan100_xe-0/0/17.0__, Created at: Wed Sep 16 23:19:22 2015 Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 1 (Active = 1) xe-0/0/0.0*, tagged, trunk xe-0/0/5.0*, tagged, trunk xe-0/0/17.0*, untagged, access VLAN: __pvlan_pvlan100_isiv__, Created at: Wed Sep 16 23:19:22 2015 802.1Q Tag: 50, Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) xe-0/0/0.0*, tagged, trunk xe-0/0/5.0*, tagged, trunk VLAN: default, Created at: Wed Sep 16 03:03:18 2015 Internal index: 2, Admin State: Enabled, Origin: Static Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) VLAN: finance-comm, Created at: Wed Sep 16 23:19:22 2015 802.1Q Tag: 300, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) xe-0/0/0.0*, tagged, trunk xe-0/0/5.0*, tagged, trunk xe-0/0/11.0*, untagged, access xe-0/0/12.0*, untagged, access VLAN: hr-comm, Created at: Wed Sep 16 23:19:22 2015 802.1Q Tag: 400, Internal index: 8, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) xe-0/0/0.0*, tagged, trunk xe-0/0/5.0*, tagged, trunk xe-0/0/13.0*, untagged, access xe-0/0/14.0*, untagged, access VLAN: pvlan100, Created at: Wed Sep 16 23:19:22 2015 802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 5 (Active = 5) xe-0/0/0.0*, tagged, trunk xe-0/0/5.0*, tagged, trunk xe-0/0/11.0*, untagged, access xe-0/0/12.0*, untagged, access xe-0/0/13.0*, untagged, access xe-0/0/14.0*, untagged, access xe-0/0/17.0*, untagged, access Secondary VLANs: Isolated 1, Community 2, Inter-switch-isolated 1 Isolated VLANs : __pvlan_pvlan100_xe-0/0/17.0__ Community VLANs : finance-comm hr-comm Inter-switch-isolated VLAN : __pvlan_pvlan100_isiv__
Meaning
The output shows that a PVLAN was created on Switch
2 and shows that it includes one isolated VLAN, two community VLANs,
and an interswitch isolated VLAN. The presence of the trunk and Inter-switch-isolated
fields indicates that this PVLAN is spanning more than one switch.
When you compare this output to the output of Switch 1, you can see
that both switches belong to the same PVLAN (pvlan100
).
Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 3
Purpose
Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 3:
Action
Use the show vlans
extensive
command:
user@switch> show vlans extensive VLAN: __pvlan_pvlan100_isiv__, Created at: Wed Sep 16 23:22:40 2015 802.1Q Tag: 50, Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) xe-0/0/0.0*, tagged, trunk xe-0/0/1.0*, tagged, trunk VLAN: default, Created at: Wed Sep 16 03:03:18 2015 Internal index: 2, Admin State: Enabled, Origin: Static Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) VLAN: finance-comm, Created at: Wed Sep 16 23:22:40 2015 802.1Q Tag: 300, Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) xe-0/0/0.0*, tagged, trunk xe-0/0/1.0*, tagged, trunk VLAN: hr-comm, Created at: Wed Sep 16 23:22:40 2015 802.1Q Tag: 400, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) xe-0/0/0.0*, tagged, trunk xe-0/0/1.0*, tagged, trunk VLAN: pvlan100, Created at: Wed Sep 16 23:22:40 2015 802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) xe-0/0/0.0*, tagged, trunk xe-0/0/1.0*, tagged, trunk Secondary VLANs: Isolated 0, Community 2, Inter-switch-isolated 1 Community VLANs : finance-comm hr-comm Inter-switch-isolated VLAN : __pvlan_pvlan100_isiv__
Meaning
The output shows that the PVLAN (pvlan100
) is configured on Switch 3 and that it includes no isolated VLANs,
two community VLANs, and an interswitch isolated VLAN. But Switch
3 is functioning as a distribution switch, so the output does not
include access interfaces within the PVLAN. It shows only the trunk
interfaces that connect pvlan100
from Switch 3 to the other
switches (Switch 1 and Switch 2) in the same PVLAN.
Example: Configuring a Private VLAN Spanning Multiple EX Series Switches
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN. A PVLAN can span multiple switches.
This example describes how to create a PVLAN spanning multiple EX Series switches. The example creates one primary PVLAN, containing multiple secondary VLANs:
Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.
- Requirements
- Overview and Topology
- Configuring a PVLAN on Switch 1
- Configuring a PVLAN on Switch 2
- Configuring a PVLAN on Switch 3
- Verification
Requirements
This example uses the following hardware and software components:
Three EX Series switches
Junos OS Release 10.4 or later for EX Series switches
Before you begin configuring a PVLAN, make sure you have created and configured the necessary VLANs. See Configuring VLANs for EX Series Switches.
Overview and Topology
In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows how to create a PVLAN spanning multiple EX Series switches, with one primary VLAN containing two community VLANs (one for HR and one for Finance), and an Interswitch isolated VLAN (for the mail server, the backup server, and the CVS server). The PVLAN comprises three switches, two access switches and one distribution switch. The PVLAN is connected to a router through a promiscuous port, which is configured on the distribution switch.
The isolated ports on Switch 1 and on Switch 2 do not have Layer 2 connectivity with each other even though they are included within the same domain. See Understanding Private VLANs.
Figure 20 shows the topology for this example—two access switches connecting to a distribution switch, which has a connection (through a promiscuous port) to the router.
Table 16, Table 17, and Table 18 list the settings for the example topology.
Property | Settings |
---|---|
VLAN names and tag IDs |
primary-vlan, tag 100 isolation-id, tag 50finance-comm, tag 300hr-comm, tag 400 |
PVLAN trunk interfaces |
ge-0/0/0.0, Connects Switch 1 to Switch 3 ge-0/0/5.0, Connects Switch 1 to Switch 2 |
Interfaces in VLAN isolation |
ge-0/0/15.0, Mail server ge-0/0/16.0, Backup server |
Interfaces in VLAN finance-com |
ge-0/0/11.0 ge-0/0/12.0 |
Interfaces in VLAN hr-comm |
ge-0/0/13.0 ge-0/0/14.0 |
Property | Settings |
---|---|
VLAN names and tag IDs |
primary-vlan, tag 100 isolation-id, tag 50finance-comm, tag 300hr-comm, tag 400 |
PVLAN trunk interfaces |
ge-0/0/0.0, Connects Switch 2 to Switch 3 ge-0/0/5.0, Connects Switch 2 to Switch 1 |
Interfaces in VLAN isolation |
ge-0/0/17.0,CVS server |
Interfaces in VLAN finance-com |
ge-0/0/11.0 ge-0/0/12.0 |
Interfaces in VLAN hr-comm |
ge-0/0/13.0 ge-0/0/14.0 |
Property | Settings |
---|---|
VLAN names and tag IDs |
primary-vlan, tag 100 isolation-id, tag 50finance-comm, tag 300hr-comm, tag 400 |
PVLAN trunk interfaces |
ge-0/0/0.0, Connects Switch 3 to Switch 1 ge-0/0/1.0, Connects Switch 3 to Switch 2 |
Promiscuous port |
ge-0/0/2, Connects the PVLAN to the router Note:
You must configure the trunk port that connects the PVLAN to another switch or router outside the PVLAN as a member of the PVLAN, which implicitly configures it as a promiscuous port. |
Topology
Configuring a PVLAN on Switch 1
CLI Quick Configuration
When configuring a PVLAN on multiple switches, these rules apply:
The primary VLAN must be a tagged VLAN. We recommend that you configure the primary VLAN first.
Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.
If you are going to configure a community VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.
If you are going to configure an isolation VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.
Secondary VLANs and the PVLAN trunk port must be committed on a single commit if MVRP is configured on the PVLAN trunk port.
To quickly create and configure a PVLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 1:
[edit] set vlans finance-comm vlan-id 300 set vlans finance-comm interface ge-0/0/11.0 set vlans finance-comm interface ge-0/0/12.0 set vlans finance-comm primary-vlan pvlan100 set vlans hr-comm vlan-id 400 set vlans hr-comm interface ge-0/0/13.0 set vlans hr-comm interface ge-0/0/14.0 set vlans hr-comm primary-vlan pvlan100 set vlans pvlan100 vlan-id 100 set vlans pvlan100 interface ge-0/0/15.0 set vlans pvlan100 interface ge-0/0/16.0 set vlans pvlan100 interface ge-0/0/0.0 pvlan-trunk set vlans pvlan100 interface ge-0/0/5.0 pvlan-trunk set vlans pvlan100 no-local-switching set vlans pvlan100 isolation-id 50
Procedure
Step-by-Step Procedure
Complete the configuration steps below in the order shown—also, complete all steps before committing the configuration in a single commit. This is the easiest way to avoid error messages triggered by violating any of these three rules:
If you are going to configure a community VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.
If you are going to configure an isolation VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.
Secondary vlans and a PVLAN trunk must be committed on a single commit.
To configure a PVLAN on Switch 1 that will span multiple switches:
Set the VLAN ID for the primary VLAN:
[edit vlans] user@switch# set pvlan100 vlan–id 100
Set the PVLAN trunk interfaces that will connect this VLAN across neighboring switches:
[edit vlans] user@switch# set pvlan100 interface ge-0/0/0.0 pvlan-trunk user@switch# set pvlan100 interface ge-0/0/5.0 pvlan-trunk
Set the primary VLAN to have no local switching:
[edit vlans] user@switch# set pvlan100 no-local-switching
Set the VLAN ID for the finance-comm community VLAN that spans the switches:
[edit vlans] user@switch# finance-comm vlan-id 300
user@switch# set pvlan100 vlan–id 100
Configure access interfaces for the finance-comm VLAN:
[edit vlans] user@switch# set finance-comm interface interfacege-0/0/11.0
user@switch# set finance-comm interface ge-0/0/12.0
Set the primary VLAN of this secondary community VLAN, finance-comm :
[edit vlans] user@switch# set vlans finance-comm primary-vlan pvlan100
Set the VLAN ID for the HR community VLAN that spans the switches.
[edit vlans] user@switch# hr-comm vlan-id 400
Configure access interfaces for the hr-comm VLAN:
[edit vlans] user@switch# set hr-comm interface ge-0/0/13.0 user@switch# set hr-comm interface ge-0/0/14.0
Set the primary VLAN of this secondary community VLAN, hr-comm :
[edit vlans] user@switch# set vlans hr-comm primary-vlan pvlan100
Set the inter-switch isolated ID to create an inter-switch isolated domain that spans the switches:
[edit vlans] user@switch# set pvlan100 isolation-id 50
Note:To configure an isolated port, include it as one of the members of the primary VLAN but do not configure it as belonging to one of the community VLANs.
Results
Check the results of the configuration:
[edit] user@switch# show vlans { finance-comm { vlan-id 300; interface { ge-0/0/11.0; ge-0/0/12.0; } primary-vlan pvlan100; } hr-comm { vlan-id 400; interface { ge-0/0/13.0; ge-0/0/14.0; } primary-vlan pvlan100; } pvlan100 { vlan-id 100; interface { ge-0/0/15.0; ge-0/0/16.0; ge-0/0/0.0 { pvlan-trunk; } ge-0/0/5.0 { pvlan-trunk; } } no-local-switching; isolation-id 50; } }
Configuring a PVLAN on Switch 2
CLI Quick Configuration
To quickly create and configure a private VLAN spanning multiple switches, copy the following commands and paste them into the terminal window of Switch 2:
The configuration of Switch 2 is the same as the configuration of Switch 1 except for the interface in the inter-switch isolated domain. For Switch 2, the interface is ge-0/0/17.0.
[edit] set vlans finance-comm vlan-id 300 set vlans finance-comm interface ge-0/0/11.0 set vlans finance-comm interface ge-0/0/12.0 set vlans finance-comm primary-vlan pvlan100 set vlans hr-comm vlan-id 400 set vlans hr-comm interface ge-0/0/13.0 set vlans hr-comm interface ge-0/0/14.0 set vlans hr-comm primary-vlan pvlan100 set vlans pvlan100 vlan-id 100 set vlans pvlan100 interface ge-0/0/17.0 set vlans pvlan100 interface ge-0/0/0.0 pvlan-trunk set vlans pvlan100 interface ge-0/0/5.0 pvlan-trunk set vlans pvlan100 no-local-switching set vlans pvlan100 isolation-id 50
Procedure
Step-by-Step Procedure
To configure a PVLAN on Switch 2 that will span multiple switches:
Set the VLAN ID for the finance-comm community VLAN that spans the switches:
[edit vlans] user@switch# finance-comm vlan-id 300
user@switch# set pvlan100 vlan–id 100
Configure access interfaces for the finance-comm VLAN:
[edit vlans] user@switch# set finance-comm interface ge-0/0/11.0
user@switch# set finance-comm interface ge-0/0/12.0
Set the primary VLAN of this secondary community VLAN, finance-comm :
[edit vlans] user@switch# set vlans finance-comm primary-vlan pvlan100
Set the VLAN ID for the HR community VLAN that spans the switches.
[edit vlans] user@switch# hr-comm vlan-id 400
Configure access interfaces for the hr-comm VLAN:
[edit vlans] user@switch# set hr-comm interface ge-0/0/13.0 user@switch# set hr-comm interface ge-0/0/14.0
Set the primary VLAN of this secondary community VLAN, hr-comm :
[edit vlans] user@switch# set vlans hr-comm primary-vlan pvlan100
Set the VLAN ID for the primary VLAN:
[edit vlans] user@switch# set pvlan100 vlan–id 100
Set the PVLAN trunk interfaces that will connect this VLAN across neighboring switches:
[edit vlans] user@switch# set pvlan100 interface ge-0/0/0.0 pvlan-trunk user@switch# set pvlan100 interface ge-0/0/5.0 pvlan-trunk
Set the primary VLAN to have no local switching:
[edit vlans] user@switch# set pvlan100 no-local-switching
Set the inter-switch isolated ID to create an inter-switch isolated domain that spans the switches:
[edit vlans] user@switch# set pvlan100 isolation-id 50
Note:To configure an isolated port, include it as one of the members of the primary VLAN but do not configure it as belonging to one of the community VLANs.
Results
Check the results of the configuration:
[edit] user@switch# show vlans { finance-comm { vlan-id 300; interface { ge-0/0/11.0; ge-0/0/12.0; } primary-vlan pvlan100; } hr-comm { vlan-id 400; interface { ge-0/0/13.0; ge-0/0/14.0; } primary-vlan pvlan100; } pvlan100 { vlan-id 100; interface { ge-0/0/15.0; ge-0/0/16.0; ge-0/0/0.0 { pvlan-trunk; } ge-0/0/5.0 { pvlan-trunk; } ge-0/0/17.0; } no-local-switching; isolation-id 50; } }
Configuring a PVLAN on Switch 3
CLI Quick Configuration
To quickly configure Switch 3 to function as the distribution switch of this PVLAN, copy the following commands and paste them into the terminal window of Switch 3:
Interface ge-0/0/2.0 is a trunk port connecting the PVLAN to a router.
[edit] set vlans finance-comm vlan-id 300 set vlans finance-comm primary-vlan pvlan100 set vlans hr-comm vlan-id 400 set vlans hr-comm primary-vlan pvlan100 set vlans pvlan100 vlan-id 100 set vlans pvlan100 interface ge-0/0/0.0 pvlan-trunk set vlans pvlan100 interface ge-0/0/1.0 pvlan-trunk set vlans pvlan100 no-local-switching set vlans pvlan100 isolation-id 50
Procedure
Step-by-Step Procedure
To configure Switch 3 to function as the distribution switch for this PVLAN, use the following procedure:
Set the VLAN ID for the finance-comm community VLAN that spans the switches:
[edit vlans] user@switch# finance-comm vlan-id 300
[edit vlans] user@switch# set pvlan100 vlan–id 100
Set the primary VLAN of this secondary community VLAN, finance-comm:
[edit vlans] user@switch# set vlans finance-comm primary-vlan pvlan100
Set the VLAN ID for the HR community VLAN that spans the switches:
[edit vlans] user@switch# hr-comm vlan-id 400
Set the primary VLAN of this secondary community VLAN, hr-comm:
[edit vlans] user@switch# set vlans hr-comm primary-vlan pvlan100
Set the VLAN ID for the primary VLAN:
[edit vlans] user@switch# set pvlan100 vlan–id 100
Set the PVLAN trunk interfaces that will connect this VLAN across neighboring switches:
[edit vlans] user@switch# set pvlan100 interface ge-0/0/0.0 pvlan-trunk user@switch# set pvlan100 interface ge-0/0/5.0 pvlan-trunk
Set the primary VLAN to have no local switching:
[edit vlans] user@switch# set pvlan100 no-local-switching
Set the inter-switch isolated ID to create an inter-switch isolated domain that spans the switches:
[edit vlans] user@switch# set pvlan100 isolation-id 50
Note:To configure an isolated port, include it as one of the members of the primary VLAN but do not configure it as belonging to one of the community VLANs.
Results
Check the results of the configuration:
[edit] user@switch# show vlans { finance-comm { vlan-id 300; primary-vlan pvlan100; } hr-comm { vlan-id 400; primary-vlan pvlan100; } pvlan100 { vlan-id 100; interface { ge-0/0/0.0 { pvlan-trunk; } ge-0/0/1.0 { pvlan-trunk; } ge-0/0/2.0; } no-local-switching; isolation-id 50; } }
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 1
- Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 2
- Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 3
Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 1
Purpose
Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 1:
Action
Use the show vlans
extensive
command:
user@switch> show vlans extensive VLAN: __pvlan_pvlan100_ge-0/0/15.0__, Created at: Thu Sep 16 23:15:27 2010 Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 1 (Active = 1) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/15.0*, untagged, access VLAN: __pvlan_pvlan100_ge-0/0/16.0__, Created at: Thu Sep 16 23:15:27 2010 Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 1 (Active = 1) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/16.0*, untagged, access VLAN: __pvlan_pvlan100_isiv__, Created at: Thu Sep 16 23:15:27 2010 802.1Q Tag: 50, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk VLAN: default, Created at: Thu Sep 16 03:03:18 2010 Internal index: 2, Admin State: Enabled, Origin: Static Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) VLAN: finance-comm, Created at: Thu Sep 16 23:15:27 2010 802.1Q Tag: 300, Internal index: 8, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/11.0*, untagged, access ge-0/0/12.0*, untagged, access VLAN: hr-comm, Created at: Thu Sep 16 23:15:27 2010 802.1Q Tag: 400, Internal index: 9, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/13.0*, untagged, access ge-0/0/14.0*, untagged, access VLAN: pvlan100, Created at: Thu Sep 16 23:15:27 2010 802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 6 (Active = 6) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/11.0*, untagged, access ge-0/0/12.0*, untagged, access ge-0/0/13.0*, untagged, access ge-0/0/14.0*, untagged, access ge-0/0/15.0*, untagged, access ge-0/0/16.0*, untagged, access Secondary VLANs: Isolated 2, Community 2, Inter-switch-isolated 1 Isolated VLANs : __pvlan_pvlan100_ge-0/0/15.0__ __pvlan_pvlan100_ge-0/0/16.0__ Community VLANs : finance-comm hr-comm Inter-switch-isolated VLAN : __pvlan_pvlan100_isiv__
Meaning
The output shows that a PVLAN was created on Switch 1 and shows that it includes two isolated VLANs, two community VLANs, and an interswitch isolated VLAN. The presence of the pvlan-trunk and Inter-switch-isolated fields indicates that this PVLAN is spanning more than one switch.
Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 2
Purpose
Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 2:
Action
Use the show vlans
extensive
command:
user@switch> show vlans extensive VLAN: __pvlan_pvlan100_ge-0/0/17.0__, Created at: Thu Sep 16 23:19:22 2010 Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 1 (Active = 1) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/17.0*, untagged, access VLAN: __pvlan_pvlan100_isiv__, Created at: Thu Sep 16 23:19:22 2010 802.1Q Tag: 50, Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk VLAN: default, Created at: Thu Sep 16 03:03:18 2010 Internal index: 2, Admin State: Enabled, Origin: Static Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) VLAN: finance-comm, Created at: Thu Sep 16 23:19:22 2010 802.1Q Tag: 300, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/11.0*, untagged, access ge-0/0/12.0*, untagged, access VLAN: hr-comm, Created at: Thu Sep 16 23:19:22 2010 802.1Q Tag: 400, Internal index: 8, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 2 (Active = 2) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/13.0*, untagged, access ge-0/0/14.0*, untagged, access VLAN: pvlan100, Created at: Thu Sep 16 23:19:22 2010 802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 5 (Active = 5) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/5.0*, tagged, trunk, pvlan-trunk ge-0/0/11.0*, untagged, access ge-0/0/12.0*, untagged, access ge-0/0/13.0*, untagged, access ge-0/0/14.0*, untagged, access ge-0/0/17.0*, untagged, access Secondary VLANs: Isolated 1, Community 2, Inter-switch-isolated 1 Isolated VLANs : __pvlan_pvlan100_ge-0/0/17.0__ Community VLANs : finance-comm hr-comm Inter-switch-isolated VLAN : __pvlan_pvlan100_isiv__
Meaning
The output shows that a PVLAN was created on Switch 1 and shows that it includes two isolated VLANs, two community VLANs, and an interswitch isolated VLAN. The presence of the pvlan-trunk and Inter-switch-isolated fields indicates that this is PVLAN spanning more than one switch. When you compare this output to the output of Switch 1, you can see that both switches belong to the same PVLAN (pvlan100).
Verifying That the Primary VLAN and Secondary VLANs Were Created on Switch 3
Purpose
Verify that the PVLAN configuration spanning multiple switches is working properly on Switch 3:
Action
Use the show vlans
extensive
command:
user@switch> show vlans extensive VLAN: __pvlan_pvlan100_isiv__, Created at: Thu Sep 16 23:22:40 2010 802.1Q Tag: 50, Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, tagged, trunk, pvlan-trunk VLAN: default, Created at: Thu Sep 16 03:03:18 2010 Internal index: 2, Admin State: Enabled, Origin: Static Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) VLAN: finance-comm, Created at: Thu Sep 16 23:22:40 2010 802.1Q Tag: 300, Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, tagged, trunk, pvlan-trunk VLAN: hr-comm, Created at: Thu Sep 16 23:22:40 2010 802.1Q Tag: 400, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan100 Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, tagged, trunk, pvlan-trunk VLAN: pvlan100, Created at: Thu Sep 16 23:22:40 2010 802.1Q Tag: 100, Internal index: 4, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 2 (Active = 2), Untagged 0 (Active = 0) ge-0/0/0.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, tagged, trunk, pvlan-trunk Secondary VLANs: Isolated 0, Community 2, Inter-switch-isolated 1 Community VLANs : finance-comm hr-comm Inter-switch-isolated VLAN : __pvlan_pvlan100_isiv__
Meaning
The output shows that the PVLAN (pvlan100) is configured on Switch 3 and that it includes two isolated VLANs, two community VLANs, and an interswitch isolated VLAN. But Switch 3 is functioning as a distribution switch, so the output does not include access interfaces within the PVLAN. It shows only the pvlan-trunk interfaces that connect pvlan100 from Switch 3 to the other switches (Switch 1 and Switch 2) in the same PVLAN.
Example: Configuring PVLANs with Secondary VLAN Trunk Ports and Promiscuous Access Ports on a QFX Series Switch
This example shows how to configure secondary VLAN trunk ports and promiscuous access ports as part of a private VLAN configuration. Secondary VLAN trunk ports carry secondary VLAN traffic.
This example uses Junos OS for switches that do not support the Enhanced Layer 2 Software (ELS) configuration style. For more about ELS, see Using the Enhanced Layer 2 Software CLI.
For a given private VLAN, a secondary VLAN trunk port can carry traffic for only one secondary VLAN. However, a secondary VLAN trunk port can carry traffic for multiple secondary VLANs as long as each secondary VLAN is a member of a different private (primary) VLAN. For example, a secondary VLAN trunk port can carry traffic for a community VLAN that is part of primary VLAN pvlan100 and also carry traffic for an isolated VLAN that is part of primary VLAN pvlan400.
To configure a trunk port to carry secondary VLAN traffic, use
the isolated and interface
statements, as shown in steps 12 and 13 of the example configuration
for Switch 1.
When traffic egresses from a secondary VLAN trunk port, it normally carries the tag of the primary VLAN that the secondary port is a member of. If you want traffic that egresses from a secondary VLAN trunk port to retain its secondary VLAN tag, use the extend-secondary-vlan-id statement.
A promiscuous access port carries untagged traffic and can be a member of only one primary VLAN. Traffic that ingresses on a promiscuous access port is forwarded to the ports of the secondary VLANs that are members of the primary VLAN that the promiscuous access port is a member of. This traffic carries the appropriate secondary VLAN tags when it egresses from the secondary VLAN ports if the secondary VLAN port is a trunk port.
To configure an access port to be promiscuous, use the promiscuous statement, as shown in step 12 of the example configuration for Switch 2.
If traffic ingresses on a secondary VLAN port and egresses on a promiscuous access port, the traffic is untagged on egress. If tagged traffic ingresses on a promiscuous access port, the traffic is discarded.
- Requirements
- Overview and Topology
- Configuring the PVLANs on Switch 1
- Configuring the PVLANs on Switch 2
- Verification
Requirements
This example uses the following hardware and software components:
Two QFX devices
Junos OS Release 12.2 or later for the QFX Series
Overview and Topology
Figure 21 shows the topology used in this example. Switch 1 includes several primary and secondary private VLANs and also includes two secondary VLAN trunk ports configured to carry secondary VLANs that are members of primary VLANs pvlan100 and pvlan400.
Switch 2 includes the same private VLANs. The figure shows xe-0/0/0 on Switch 2 as configured with promiscuous access ports or promiscuous trunk ports. The example configuration included here configures this port as a promiscuous access port.
The figure also shows how traffic would flow after ingressing on the secondary VLAN trunk ports on Switch 1.
Table 19 and Table 20 list the settings for the example topology on both switches.
Component | Description |
---|---|
pvlan100, ID 100 |
Primary VLAN |
pvlan400, ID 400 |
Primary VLAN |
comm300, ID 300 |
Community VLAN, member of pvlan100 |
comm600, ID 600 |
Community VLAN, member of pvlan400 |
isolation-vlan-id 200 |
VLAN ID for isolated VLAN, member of pvlan100 |
isolation–vlan-id 500 |
VLAN ID for isolated VLAN, member of pvlan400 |
xe-0/0/0.0 |
Secondary VLAN trunk port for primary VLANs pvlan100 and pvlan400 |
xe-0/0/1.0 |
PVLAN trunk port for primary VLANs pvlan100 and pvlan400 |
xe-0/0/2.0 |
Isolated access port for pvlan100 |
xe-0/0/3.0 |
Community access port for comm300 |
xe-0/0/5.0 |
Isolated access port for pvlan400 |
xe-0/0/6.0 |
Community trunk port for comm600 |
Component | Description |
---|---|
pvlan100, ID 100 |
Primary VLAN |
pvlan400, ID 400 |
Primary VLAN |
comm300, ID 300 |
Community VLAN, member of pvlan100 |
comm600, ID 600 |
Community VLAN, member of pvlan400 |
isolation-vlan-id 200 |
VLAN ID for isolated VLAN, member of pvlan100 |
isolation–vlan-id 500 |
VLAN ID for isolated VLAN, member of pvlan400 |
xe-0/0/0.0 |
Promiscuous access port for primary VLANs pvlan100 |
xe-0/0/1.0 |
PVLAN trunk port for primary VLANs pvlan100 and pvlan400 |
xe-0/0/2.0 |
Secondary trunk port for isolated VLAN, member of pvlan100 |
xe-0/0/3.0 |
Community access port for comm300 |
xe-0/0/5.0 |
Isolated access port for pvlan400 |
xe-0/0/6.0 |
Community access port for comm600 |
Configuring the PVLANs on Switch 1
CLI Quick Configuration
To quickly create and configure the PVLANs on Switch 1, copy the following commands and paste them into a switch terminal window:
[edit] set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode trunk set interfaces xe-0/0/1 unit 0 family ethernet-switching port-mode trunk set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members pvlan100 set interfacesxe-0/0/1 unit 0 family ethernet-switching vlan members pvlan400 set interfaces xe-0/0/2 unit 0 family ethernet-switching port-mode access set interfaces xe-0/0/3 unit 0 family ethernet-switching port-mode access set interfaces xe-0/0/5 unit 0 family ethernet-switching port-mode access set interfaces xe-0/0/6 unit 0 family ethernet-switching port-mode trunk set vlans pvlan100 vlan-id 100 set vlans pvlan400 vlan-id 400 set vlans pvlan100 pvlan set vlans pvlan400 pvlan set vlans pvlan100 interface xe-0/0/1.0 pvlan-trunk set vlans pvlan400 interface xe-0/0/1.0 pvlan-trunk set vlans comm300 vlan-id 300 set vlans comm300 primary-vlan pvlan100 set vlans comm300 interface xe-0/0/3.0 set vlans comm600 vlan-id 600 set vlans comm600 primary-vlan pvlan400 set vlans comm600 interface xe-0/0/6.0 set vlans pvlan100 pvlan isolation-vlan-id 200 set vlans pvlan400 pvlan isolation-vlan-id 500 set vlans pvlan100 interface xe-0/0/0.0 isolated set vlans pvlan400 interface xe-0/0/0.0 isolated set vlans comm600 interface xe-0/0/0.0 set vlans pvlan100 interface xe-0/0/2.0 isolated set vlans pvlan400 interface xe-0/0/5.0 isolated
Procedure
Step-by-Step Procedure
To configure the private VLANs and secondary VLAN trunk ports:
Configure the interfaces and port modes:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching port-mode trunk user@switch# set xe-0/0/1 unit 0 family ethernet-switching port-mode trunk user@switch# set xe-0/0/1 unit 0 family ethernet-switching vlan members pvlan100 user@switch# set xe-0/0/1 unit 0 family ethernet-switching vlan members pvlan400 user@switch# set xe-0/0/2 unit 0 family ethernet-switching port-mode access user@switch# set xe-0/0/3 unit 0 family ethernet-switching port-mode access user@switch# set xe-0/0/5 unit 0 family ethernet-switching port-mode access user@switch# set xe-0/0/6 unit 0 family ethernet-switching port-mode access
Create the primary VLANs:
[edit vlans] user@switch# set pvlan100 vlan-id 100 user@switch# set pvlan400 vlan-id 400
Note:Primary VLANs must always be tagged VLANs, even if they exist on only one device.
Configure the primary VLANs to be private:
[edit vlans] user@switch# set pvlan100 pvlan user@switch# set pvlan400 pvlan
Configure the PVLAN trunk port to carry the private VLAN traffic between the switches:
[edit vlans] user@switch# set pvlan100 interface xe-0/0/1.0 pvlan-trunk user@switch# set pvlan400 interface xe-0/0/1.0 pvlan-trunk
Create secondary VLAN comm300 with VLAN ID 300:
[edit vlans] user@switch# set comm300 vlan-id 300
Configure the primary VLAN for comm300:
[edit vlans] user@switch# set comm300 primary-vlan pvlan100
Configure the interface for comm300:
[edit vlans] user@switch# set comm300 interface xe-0/0/3.0
Create secondary VLAN comm600 with VLAN ID 600:
[edit vlans] user@switch# set comm600 vlan-id 600
Configure the primary VLAN for comm600:
[edit vlans] user@switch# set comm600 primary-vlan pvlan400
Configure the interface for comm600:
[edit vlans] user@switch# set comm600 interface xe-0/0/6.0
Configure the interswitch isolated VLANs:
[edit vlans] user@switch# set pvlan100 pvlan isolation-vlan-id 200 user@switch# set pvlan400 pvlan isolation-vlan-id 500
Note:When you configure a secondary VLAN trunk port to carry an isolated VLAN, you must also configure an isolation-vlan-id. This is true even if the isolated VLAN exists only on one switch.
Enable trunk port xe-0/0/0 to carry secondary VLANs for the primary VLANs:
[edit vlans] user@switch# set pvlan100 interface xe-0/0/0.0 isolated user@switch# set pvlan400 interface xe-0/0/0.0 isolated
Configure trunk port xe-0/0/0 to carry comm600 (member of pvlan400):
[edit vlans] user@switch# set comm600 interface xe-0/0/0.0
Note:You do not need to explicitly configure xe-0/0/0 to carry the isolated VLAN traffic (tags 200 and 500) because all the isolated ports in pvlan100 and pvlan400–including xe-0/0/0.0–are automatically included in the isolated VLANs created when you configured
isolation-vlan-id 200
andisolation-vlan-id 500
.Configure xe-0/0/2 and xe-0/0/6 to be isolated:
[edit vlans] user@switch# set pvlan100 interface xe-0/0/2.0 isolated user@switch# set pvlan400 interface xe-0/0/5.0 isolated
Results
Check the results of the configuration on Switch 1:
[edit] user@switch# show interfaces { xe-0/0/0 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members pvlan100; members pvlan400; } } } } xe-0/0/1 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members pvlan100; members pvlan400; } } } } xe-0/0/2 { unit 0 { family ethernet-switching { port-mode access; } } } xe-0/0/3 { unit 0 { family ethernet-switching { port-mode access; } } } xe-0/0/5 { unit 0 { family ethernet-switching { port-mode access; } } } xe-0/0/6 { unit 0 { family ethernet-switching { port-mode trunk; } } } } vlans { comm300 { vlan-id 300; interface { xe-0/0/3.0; } primary-vlan pvlan100; } comm600 { vlan-id 600; interface { xe-0/0/6.0; } primary-vlan pvlan400; } pvlan100 { vlan-id 100; interface { xe-0/0/0.0; xe-0/0/2.0; xe-0/0/3.0; xe-0/0/1.0 { pvlan-trunk; } } no-local-switching; isolation-id 200; } pvlan400 { vlan-id 400; interface { xe-0/0/0.0; xe-0/0/5.0; xe-0/0/6.0; xe-0/0/1.0 { pvlan-trunk; } } no-local-switching; isolation-id 500; } }
Configuring the PVLANs on Switch 2
The configuration for Switch 2 is almost identical to the configuration for Switch 1. The most significant difference is that xe-0/0/0 on Switch 2 is configured as a promiscuous trunk port or a promiscuous access port, as Figure 21 shows. In the following configuration, xe-0/0/0 is configured as a promiscuous access port for primary VLAN pvlan100.
If traffic ingresses on VLAN-enabled port and egresses on a promiscuous access port, the VLAN tags are dropped on egress and the traffic is untagged at that point. For example, traffic for comm600 ingresses on the secondary VLAN trunk port configured on xe-0/0/0.0 on Switch 1 and carries tag 600 as it is forwarded through the secondary VLAN. When it egresses from xe-0/0/0.0 on Switch 2, it will be untagged if you configure xe-0/0/0.0 as a promiscuous access port as shown in this example. If you instead configure xe-0/0/0.0 as a promiscuous trunk port (port-mode trunk), the traffic for comm600 carries its primary VLAN tag (400) when it egresses.
CLI Quick Configuration
To quickly create and configure the PVLANs on Switch 2, copy the following commands and paste them into a switch terminal window:
[edit] set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode access set interfaces xe-0/0/1 unit 0 family ethernet-switching port-mode trunk set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members pvlan100 set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members pvlan400 set interfaces xe-0/0/2 unit 0 family ethernet-switching port-mode trunk set interfaces xe-0/0/3 unit 0 family ethernet-switching port-mode access set interfaces xe-0/0/5 unit 0 family ethernet-switching port-mode access set interfaces xe-0/0/6 unit 0 family ethernet-switching port-mode access set vlans pvlan100 vlan-id 100 set vlans pvlan400 vlan-id 400 set vlans pvlan100 pvlan set vlans pvlan400 pvlan set vlans pvlan100 interface xe-0/0/1.0 pvlan-trunk set vlans pvlan400 interface xe-0/0/1.0 pvlan-trunk set vlans comm300 vlan-id 300 set vlans comm300 primary-vlan pvlan100 set vlans comm300 interface xe-0/0/3.0 set vlans comm600 vlan-id 600 set vlans comm600 primary-vlan pvlan400 set vlans comm600 interface xe-0/0/6.0 set vlans pvlan100 pvlan isolation-vlan-id 200 set vlans pvlan400 pvlan isolation-vlan-id 500 set vlans pvlan100 interface xe-0/0/0.0 promiscuous set vlans pvlan100 interface xe-0/0/2.0 isolated set vlans pvlan400 interface xe-0/0/5.0 isolated
Procedure
Step-by-Step Procedure
To configure the private VLANs and secondary VLAN trunk ports:
Configure the interfaces and port modes:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family ethernet-switching port-mode access
user@switch# set xe-0/0/1 unit 0 family ethernet-switching port-mode trunk user@switch# set xe-0/0/1 unit 0 family ethernet-switching vlan members pvlan100 user@switch# set xe-0/0/1 unit 0 family ethernet-switching vlan members pvlan400 user@switch# set xe-0/0/2 unit 0 family ethernet-switching port-mode trunk user@switch# set xe-0/0/3 unit 0 family ethernet-switching port-mode access user@switch# set xe-0/0/5 unit 0 family ethernet-switching port-mode access user@switch# set xe-0/0/6 unit 0 family ethernet-switching port-mode access
Create the primary VLANs:
[edit vlans] user@switch# set pvlan100 vlan-id 100 user@switch# set pvlan400 vlan-id 400
Configure the primary VLANs to be private:
[edit vlans] user@switch# set pvlan100 pvlan user@switch# set pvlan400 pvlan
Configure the PVLAN trunk port to carry the private VLAN traffic between the switches:
[edit vlans] user@switch# set pvlan100 interface xe-0/0/1.0 pvlan-trunk user@switch# set pvlan400 interface xe-0/0/1.0 pvlan-trunk
Create secondary VLAN comm300 with VLAN ID 300:
[edit vlans] user@switch# set comm300 vlan-id 300
Configure the primary VLAN for comm300:
[edit vlans] user@switch# set comm300 primary-vlan pvlan100
Configure the interface for comm300:
[edit vlans] user@switch# set comm300 interface xe-0/0/3.0
Create secondary VLAN comm600 with VLAN ID 600:
[edit vlans] user@switch# set comm600 vlan-id 600
Configure the primary VLAN for comm600:
[edit vlans] user@switch# set comm600 primary-vlan pvlan400
Configure the interface for comm600:
[edit vlans] user@switch# set comm600 interface xe-0/0/6.0
- Configuring the PVLANs on Switch 1
Configure the interswitch isolated VLANs:
[edit vlans] user@switch# set pvlan100 pvlan isolation-vlan-id 200 user@switch# set pvlan400 pvlan isolation-vlan-id 500
Configure access port xe-0/0/0 to be promiscuous for pvlan100:
[edit vlans] user@switch# set pvlan100 interface xe-0/0/0.0 promiscuous
Note:A promiscuous access port can be a member of only one primary VLAN.
Configure xe-0/0/2 and xe-0/0/6 to be isolated:
[edit vlans] user@switch# set pvlan100 interface xe-0/0/2.0 isolated user@switch# set pvlan400 interface xe-0/0/5.0 isolated
Results
Check the results of the configuration on Switch 2:
[edit] user@switch# show interfaces { xe-0/0/0 { unit 0 { family ethernet-switching { port-mode access; vlan { members pvlan100; } } } } xe-0/0/1 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members pvlan100; members pvlan400; } } } } xe-0/0/2 { unit 0 { family ethernet-switching { port-mode trunk; } } } xe-0/0/3 { unit 0 { family ethernet-switching { port-mode access; } } } xe-0/0/5 { unit 0 { family ethernet-switching { port-mode access; } } } xe-0/0/6 { unit 0 { family ethernet-switching { port-mode access; } } } vlans { comm300 { vlan-id 300; interface { xe-0/0/3.0; } primary-vlan pvlan100; } comm600 { vlan-id 600; interface { xe-0/0/6.0; } primary-vlan pvlan400; } pvlan100 { vlan-id 100; interface { xe-0/0/0.0; xe-0/0/2.0; xe-0/0/3.0; xe-0/0/1.0 { pvlan-trunk; } } no-local-switching; isolation-id 200; } pvlan400 { vlan-id 400; interface { xe-0/0/5.0; xe-0/0/6.0; xe-0/0/1.0 { pvlan-trunk; } } no-local-switching; isolation-id 500; } }
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying That the Private VLAN and Secondary VLANs Were Created
- Verifying The Ethernet Switching Table Entries
Verifying That the Private VLAN and Secondary VLANs Were Created
Purpose
Verify that the primary VLAN and secondary VLANs were properly created on Switch 1.
Action
Use the show vlans
command:
user@switch> show vlans private-vlan Name Role Tag Interfaces pvlan100 Primary 100 xe-0/0/0.0, xe-0/0/1.0, xe-0/0/2.0, xe-0/0/3.0 __iso_pvlan100__ Isolated 200 xe-0/0/2.0 comm300 Community 300 xe-0/0/3.0 pvlan400 Primary 400 xe-0/0/0.0, xe-0/0/1.0, xe-0/0/5.0, xe-0/0/6.0 __iso_pvlan400__ Isolated 500 xe-0/0/5.0 comm600 Community 600 xe-0/0/6.0
Meaning
The output shows that the private VLANs were created and identifies the interfaces and secondary VLANs associated with them.
Verifying The Ethernet Switching Table Entries
Purpose
Verify that the Ethernet switching table entries were created for primary VLAN pvlan100.
Action
Show the Ethernet switching table entries for pvlan100.
user@switch> show ethernet-switching table vlan pvlan100 private-vlan Ethernet-switching table: 0 unicast entries pvlan100 * Flood - All-members pvlan100 00:10:94:00:00:02 Learn xe-0/0/2.0 __iso_pvlan100__ * Flood - All-members __iso_pvlan100__ 00:10:94:00:00:02 Replicated - xe-0/0/2.0
Verifying That a Private VLAN Is Working on a Switch
Purpose
After creating and configuring private VLANs (PVLANs), verify that they are set up properly.
Action
To determine whether you successfully created the primary and secondary VLAN configurations:
For a PVLAN on a single switch, use the
show configuration vlans
command:user@switch> show configuration vlans community1 { interface { interface a; interface b; } primary-vlan pvlan; } community2 { interface { interface d; interface e; } primary-vlan pvlan; } pvlan { vlan-id 1000; interface { isolated1; isolated2; trunk1; trunk2; } no-local-switching; }
For a PVLAN spanning multiple switches, use the show vlans
extensive
command:user@switch> show vlans extensive VLAN: COM1, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 100, Internal index: 3, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 1) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/7.0*, untagged, access VLAN: __pvlan_primary_ge-0/0/0.0__, Created at: Tue May 11 18:16:05 2010 Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 1) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/0.0*, untagged, access VLAN: __pvlan_primary_ge-0/0/2.0__, Created at: Tue May 11 18:16:05 2010 Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 0) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/2.0, untagged, access VLAN: __pvlan_primary_isiv__, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 50, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 0 (Active = 0) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk VLAN: community2, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 20, Internal index: 8, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 2 (Active = 2) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, untagged, access ge-1/0/6.0*, untagged, access VLAN: primary, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 10, Internal index: 2, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 5 (Active = 4) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/0.0*, untagged, access ge-0/0/1.0*, untagged, access ge-0/0/2.0, untagged, access ge-0/0/7.0*, untagged, access ge-1/0/6.0*, untagged, access Secondary VLANs: Isolated 2, Community 2, Inter-switch-isolated 1 Isolated VLANs : __pvlan_primary_ge-0/0/0.0__ __pvlan_primary_ge-0/0/2.0__ Community VLANs : COM1 community2 Inter-switch-isolated VLAN : __pvlan_primary_isiv__
Use the
show vlans
extensive
command to view VLAN information and link status for a PVLAN on a single switch or for a PVLAN spanning multiple switches.For a PVLAN on a single switch:
user@switch> show vlans pvlan extensive VLAN: pvlan, Created at: time 802.1Q Tag: vlan-id, Internal index: index-number, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 6 (Active = 0) trunk1, tagged, trunk interface a, untagged, access interface b, untagged, access interface c, untagged, access interface d, untagged, access interface e, untagged, access interface f, untagged, access trunk2, tagged, trunk Secondary VLANs: Isolated 2, Community 2 Isolated VLANs : __pvlan_pvlan_isolated1__ __pvlan_pvlan_isolated2__ Community VLANs : community1 community2
For a PVLAN spanning multiple switches:
user@switch> show vlans extensive VLAN: COM1, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 100, Internal index: 3, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 1) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/7.0*, untagged, access VLAN: __pvlan_primary_ge-0/0/0.0__, Created at: Tue May 11 18:16:05 2010 Internal index: 5, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 1) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/0.0*, untagged, access VLAN: __pvlan_primary_ge-0/0/2.0__, Created at: Tue May 11 18:16:05 2010 Internal index: 6, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 1 (Active = 0) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/2.0, untagged, access VLAN: __pvlan_primary_isiv__, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 50, Internal index: 7, Admin State: Enabled, Origin: Static Private VLAN Mode: Inter-switch-isolated, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 0 (Active = 0) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk VLAN: community2, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 20, Internal index: 8, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 2 (Active = 2) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/1.0*, untagged, access ge-1/0/6.0*, untagged, access VLAN: primary, Created at: Tue May 11 18:16:05 2010 802.1Q Tag: 10, Internal index: 2, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode, Mac aging time: 300 seconds Number of interfaces: Tagged 3 (Active = 3), Untagged 5 (Active = 4) ge-0/0/20.0*, tagged, trunk ge-0/0/22.0*, tagged, trunk, pvlan-trunk ge-0/0/23.0*, tagged, trunk, pvlan-trunk ge-0/0/0.0*, untagged, access ge-0/0/1.0*, untagged, access ge-0/0/2.0, untagged, access ge-0/0/7.0*, untagged, access ge-1/0/6.0*, untagged, access Secondary VLANs: Isolated 2, Community 2, Inter-switch-isolated 1 Isolated VLANs : __pvlan_primary_ge-0/0/0.0__ __pvlan_primary_ge-0/0/2.0__ Community VLANs : COM1 community2 Inter-switch-isolated VLAN : __pvlan_primary_isiv__
Use the
show ethernet-switching table
command to view logs for MAC learning on the VLANs:user@switch> show ethernet-switching table Ethernet-switching table: 8 entries, 1 learned VLAN MAC address Type Age Interfaces default * Flood - All-members pvlan * Flood - All-members pvlan MAC1 Replicated - interface a pvlan MAC2 Replicated - interface c pvlan MAC3 Replicated - isolated2 pvlan MAC4 Learn 0 trunk1 __pvlan_pvlan_isolated1__ * Flood - All-members __pvlan_pvlan_isolated1__ MAC4 Replicated - trunk1 __pvlan_pvlan_isolated2__ * Flood - All-members __pvlan_pvlan_isolated2__ MAC3 Learn 0 isolated2 __pvlan_pvlan_isolated2__ MAC4 Replicated - trunk1 community1 * Flood - All-members community1 MAC1 Learn 0 interface a community1 MAC4 Replicated - trunk1 community2 * Flood - All-members community2 MAC2 Learn 0 interface c community2 MAC4 Replicated - trunk1
If you have configured a PVLAN spanning multiple switches, you can use the same command on all the switches to check the logs for MAC learning on those switches.
Meaning
In the output displays for a PVLAN on a single switch, you can see that the primary VLAN contains two community domains (community1 and community2), two isolated ports, and two trunk ports. The PVLAN on a single switch has only one tag (1000), which is for the primary VLAN.
The PVLAN that spans multiple switches contains multiple tags:
The community domain COM1 is identified with tag 100.
The community domain community2 is identified with tag 20.
The interswitch isolated domain is identified with tag 50.
The primary VLAN primary is identified with tag 10.
Also, for the PVLAN that spans multiple switches, the trunk interfaces are identified as pvlan-trunk.
Troubleshooting Private VLANs on QFX Switches
Use the following information to troubleshoot a private VLAN configuration.
- Limitations of Private VLANs
- Forwarding with Private VLANs
- Egress Firewall Filters with Private VLANs
- Egress Port Mirroring with Private VLANs
Limitations of Private VLANs
The following constraints apply to private VLAN configurations:
IGMP snooping is not supported with private VLANs.
Routed VLAN interfaces are not supported on private VLANs
Routing between secondary VLANs in the same primary VLAN is not supported.
If you want to change a primary VLAN to be a secondary VLAN, you must first change it to a normal VLAN and commit the change. For example, you would follow this procedure:
Change the primary VLAN to be a normal VLAN.
Commit the configuration.
Change the normal VLAN to be a secondary VLAN.
Commit the configuration.
Follow the same sequence of commits if you want to change a secondary VLAN to be a primary VLAN. That is, make the secondary VLAN a normal VLAN and commit that change and then change the normal VLAN to be a primary VLAN.
Forwarding with Private VLANs
Problem
Description
When isolated VLAN or community VLAN tagged traffic is received on a PVLAN trunk port, MAC addresses are learned from the primary VLAN. This means that output from the show ethernet-switching table command shows that MAC addresses are learned from the primary VLAN and replicated to secondary VLANs. This behavior has no effect on forwarding decisions.
If a packet with a secondary VLAN tag is received on a promiscuous port, it is accepted and forwarded.
If a packet is received on a PVLAN trunk port and meets both of the conditions listed below, it is dropped.
The packet has a community VLAN tag.
The packet is destined to a unicast MAC address or multicast group MAC address that was learned on an isolated VLAN.
If a packet is received on a PVLAN trunk port and meets both of the conditions listed below, it is dropped.
The packet has an isolated VLAN tag.
The packet is destined to a unicast MAC address or multicast group MAC address that was learned on a community VLAN.
If a packet with a primary VLAN tag is received by a secondary (isolated or community) VLAN port, the secondary port forwards the packet.
If you configure a community VLAN on one device and configure another community VLAN on a second device and both community VLANs use the same VLAN ID, traffic for one of the VLANs can be forwarded to the other VLAN. For example, assume the following configuration:
Community VLAN comm1 on switch 1 has VLAN ID 50 and is a member of primary VLAN pvlan100.
Community VLAN comm2 on switch 2 also has VLAN ID 50 and is a member of primary VLAN pvlan200.
Primary VLAN pvlan100 exists on both switches.
If traffic for comm1 is sent from switch 1 to switch 2, it will be sent to the ports participating in comm2. (The traffic will also be forwarded to the ports in comm1, as you would expect.)
Solution
These are expected behaviors.
Egress Firewall Filters with Private VLANs
Problem
Description
If you apply a firewall filter in the output direction to a primary VLAN, the filter also applies to the secondary VLANs that are members of the primary VLAN when the traffic egresses with the primary VLAN tag or isolated VLAN tag, as listed below:
Traffic forwarded from a secondary VLAN trunk port to a promiscuous port (trunk or access)
Traffic forwarded from a secondary VLAN trunk port that carries an isolated VLAN to a PVLAN trunk port.
Traffic forwarded from a promiscuous port (trunk or access) to a secondary VLAN trunk port
Traffic forwarded from a PVLAN trunk port. to a secondary VLAN trunk port
Traffic forwarded from a community port to a promiscuous port (trunk or access)
If you apply a firewall filter in the output direction to a primary VLAN, the filter does not apply to traffic that egresses with a community VLAN tag, as listed below:
Traffic forwarded from a community trunk port to a PVLAN trunk port
Traffic forwarded from a secondary VLAN trunk port that carries a community VLAN to a PVLAN trunk port
Traffic forwarded from a promiscuous port (trunk or access) to a community trunk port
Traffic forwarded from a PVLAN trunk port. to a community trunk port
If you apply a firewall filter in the output direction to a community VLAN, the following behaviors apply:
The filter is applied to traffic forwarded from a promiscuous port (trunk or access) to a community trunk port (because the traffic egresses with the community VLAN tag).
The filter is applied to traffic forwarded from a community port to a PVLAN trunk port (because the traffic egresses with the community VLAN tag).
The filter is not applied to traffic forwarded from a community port to a promiscuous port (because the traffic egresses with the primary VLAN tag or untagged).
Solution
These are expected behaviors. They occur only if you apply a firewall filter to a private VLAN in the output direction and do not occur if you apply a firewall filter to a private VLAN in the input direction.
Egress Port Mirroring with Private VLANs
Problem
Description
If you create a port-mirroring configuration that mirrors private VLAN (PVLAN) traffic on egress, the mirrored traffic (the traffic that is sent to the analyzer system) has the VLAN tag of the ingress VLAN instead of the egress VLAN. For example, assume the following PVLAN configuration:
Promiscuous trunk port that carries primary VLANs pvlan100 and pvlan400.
Isolated access port that carries secondary VLAN isolated200. This VLAN is a member of primary VLAN pvlan100.
Community port that carries secondary VLAN comm300. This VLAN is also a member of primary VLAN pvlan100.
Output interface (monitor interface) that connects to the analyzer system. This interface forwards the mirrored traffic to the analyzer.
If a packet for pvlan100 enters on the promiscuous trunk port and exits on the isolated access port, the original packet is untagged on egress because it is exiting on an access port. However, the mirror copy retains the tag for pvlan100 when it is sent to the analyzer.
Here is another example: If a packet for comm300 ingresses on the community port and egresses on the promiscuous trunk port, the original packet carries the tag for pvlan100 on egress, as expected. However, the mirrored copy retains the tag for comm300 when it is sent to the analyzer.
Solution
This is expected behavior.