Ethernet Switching
Visitor
ravnjak

PVLAN on trunk isolated port?

I would like to isolate ports from each other on an EX4200 aggregation switch. I checked Junos 11.1 and did not find support for isolated trunk ports or for assigning multiple PVLANs to a promiscuous port.
For example, the Cisco 4500 also supports isolated trunk ports.
I need that functionality because I have several 802.1Q VLANs on each port and need to isolate traffic between the DSLAM ports on the switch. The simplest solution would be something like Cisco's "switchport protected", but PVLANs would also be OK if I can assign several tagged isolated VLANs to an isolated port.

Thanks for answers, Aleksander.

Trusted Expert
dpapana

Re: PVLAN on trunk isolated port?

Visitor
ravnjak

Re: PVLAN on trunk isolated port?

I know those examples, but my problem is how to assign several isolated VLANs to one port, because the port must be in trunk mode. In all the examples, the ports are defined as access ports for the secondary isolated VLANs.

Is the mapping between the PVLAN and the secondary VLAN defined anywhere else? Where are the isolated and promiscuous ports defined?



    pvlan {
        vlan-id 1000;
        interface {
            ge-0/0/15.0;
            ge-0/0/16.0;
            ge-0/0/0.0;
            ge-1/0/0.0;
        }
        no-local-switching;
    }

Thanks & regards, Aleksander

Trusted Expert
dpapana

Re: PVLAN on trunk isolated port?


Try something like this:

    vlans {
        P1 {
            vlan-id 10;
            interface {
                ge-0/0/1.0;
            }
            primary-vlan pvlan100;
        }
        P2 {
            vlan-id 20;
            interface {
                ge-0/0/1.0;
            }
            primary-vlan pvlan100;
        }
        pvlan100 {
            vlan-id 100;
            interface {
                ge-0/0/0.0 {
                    pvlan-trunk;
                }
            }
            no-local-switching;
        }
    }

 

In this configuration, ge-0/0/1.0 is a trunk port that passes 2 VLANs (community VLANs) that can communicate only with the gateway connected to ge-0/0/0.0.

Regards,
Dumitru Papana
Visitor
ravnjak

Re: PVLAN on trunk isolated port?

We use the EX4200 as a triple-play aggregation switch, so we must have the same vlan-id on all aggregation ports, but communication between ports must be disabled, to block any direct communication between hosts and to prevent broadcast storms from CPE devices. So the VLANs must be isolated and have the same vlan-id on all ports.

We tried to test something like this, but it is not working:

    INET {
        vlan-id 3500;
        interface {
            ge-0/1/1.0;
            ge-0/1/3.0;
            ge-0/1/2.0;
        }
        no-local-switching;
        isolation-id 3501;
    }
    NA {
        vlan-id 4000;
        interface {
            ge-0/1/1.0;
            ge-0/1/3.0;
            ge-0/1/2.0;
        }
        no-local-switching;
        isolation-id 4001;
    }
    TV {
        vlan-id 3900;
        interface {
            ge-0/1/1.0;
            ge-0/1/3.0;
            ge-0/1/2.0;
        }
        no-local-switching;
        isolation-id 3901;
    }
    VoIP {
        vlan-id 3960;
        interface {
            ge-0/1/1.0;
            ge-0/1/3.0;
            ge-0/1/2.0;
        }
        no-local-switching;
        isolation-id 3961;
    }

 

Thanks & regards, Aleksander.

Trusted Expert
dpapana

Re: PVLAN on trunk isolated port?


Try this:

 

    INET {
        vlan-id 3500;
        interface {
            ge-0/1/1.0;
            ge-0/1/3.0;
            ge-0/1/2.0;
        }
        primary-vlan uplink;
    }
    NA {
        vlan-id 4000;
        interface {
            ge-0/1/1.0;
            ge-0/1/3.0;
            ge-0/1/2.0;
        }
        primary-vlan uplink;
    }
    TV {
        vlan-id 3900;
        interface {
            ge-0/1/1.0;
            ge-0/1/3.0;
            ge-0/1/2.0;
        }
        primary-vlan uplink;
    }
    VoIP {
        vlan-id 3960;
        interface {
            ge-0/1/1.0;
            ge-0/1/3.0;
            ge-0/1/2.0;
        }
        primary-vlan uplink;
    }
    uplink {
        vlan-id 100;
        interface {
            ge-0/1/5.0;
        }
        no-local-switching;
    }

 

 Interface ge-0/1/5.0 is the uplink to the router.

 

Regards,
Dumitru Papana
Visitor
ravnjak

Re: PVLAN on trunk isolated port?

I need isolated VLANs; the command "primary-vlan uplink" is for assigning a community VLAN to a primary. I need the following:

- at least 4 tagged VLANs on each aggregation port where we have DSLAMs connected (no communication allowed between those ports). On each aggregation port we have identical tagged VLANs.

- on the uplink, we need several (at least 4) PVLANs (limitation of one isolated VLAN per PVLAN). Where in Junos is the mapping between the isolated vlan_id and the primary vlan_id defined?

 

In Cisco config it is like:

    vlan 3500
     private-vlan primary
     private-vlan association 3501
    !
    vlan 3900
     private-vlan primary
     private-vlan association 3901
    !
    vlan 3901
     private-vlan isolated
    !
    vlan 3501
     private-vlan isolated
    !
    interface Gi0/1
     switchport mode private-vlan trunk promiscuous
     switchport private-vlan mapping trunk 3500 3501
     switchport private-vlan association trunk 3900 3901
    !
    interface Gi0/2
     switchport mode private-vlan trunk secondary
     switchport private-vlan association trunk 3500 3501
     switchport private-vlan association trunk 3900 3901

 

Thanks & regards, Aleksander.
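
An added example, not part of any post in this thread and not Juniper or Cisco code: a small Python model of the generic PVLAN forwarding rules (promiscuous, isolated, community) applied to the port and VLAN numbers quoted above. It shows why placing all DSLAM ports in the same community VLAN still lets them switch locally, while isolated VLANs do not. The function names and the role encoding are assumptions made for illustration.

```python
# Added illustration: generic PVLAN forwarding rules, not Junos or Cisco code.
# Port names and VLAN IDs are taken from the thread; everything else is assumed.
from itertools import combinations

DSLAM_PORTS = ["ge-0/1/1", "ge-0/1/2", "ge-0/1/3"]
UPLINK = "ge-0/1/5"
SERVICE_VLANS = {"INET": 3500, "TV": 3900, "VoIP": 3960, "NA": 4000}

def may_forward(src_role, dst_role):
    """PVLAN rule for two ports inside the same primary VLAN domain.

    A role is "promiscuous", "isolated" or ("community", secondary_vlan_id).
    """
    if "promiscuous" in (src_role, dst_role):
        return True                      # promiscuous talks to every role
    if src_role == "isolated" or dst_role == "isolated":
        return False                     # isolated reaches promiscuous only
    return src_role == dst_role          # same community VLAN only

def build_design(kind):
    """Per-service port roles; kind is "community" or "isolated"."""
    design = {}
    for name, vid in SERVICE_VLANS.items():
        role = ("community", vid) if kind == "community" else "isolated"
        roles = {port: role for port in DSLAM_PORTS}
        roles[UPLINK] = "promiscuous"
        design[name] = roles
    return design

def dslam_leaks(design):
    """(service, port_a, port_b) for DSLAM pairs that can switch locally."""
    leaks = []
    for name, roles in design.items():
        for a, b in combinations(DSLAM_PORTS, 2):
            if may_forward(roles[a], roles[b]):
                leaks.append((name, a, b))
    return leaks

def uplink_reachable(design):
    """True if every DSLAM port reaches the uplink in every service VLAN."""
    return all(may_forward(roles[p], roles[UPLINK])
               for roles in design.values() for p in DSLAM_PORTS)

if __name__ == "__main__":
    for kind in ("community", "isolated"):
        d = build_design(kind)
        print(kind, "leaks:", len(dslam_leaks(d)),
              "uplink ok:", uplink_reachable(d))
```
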


