Ethernet Switching
Trusted Contributor
jozef.klacko
Posts: 142
Registered: ‎07-19-2010
0

mac-based vlans

Hi

 

How can I set mac-based vlans on ex-2200 or ex-4200?

It should be supported:

EX Series Switch Software Features Overview

but I didn't find any guide. Does it have something to do with Ethernet firewall filters?

 

Waiting for reply.

Recognized Expert
NateK
Posts: 234
Registered: ‎02-03-2009
0

Re: mac-based vlans

By 'mac-based vlans' do you mean layer 2 VLANs?

 

Here is some information, hope it is useful.

 

JUNOS EX has two types of ports when it comes to VLANs:

 

  • Access ports - ports that are members of 1 (and only 1) VLAN, these ports do not carry 802.1q tagged VLAN traffic
  • Trunk ports - carry multiple VLANs via 802.1q tagging

Ports are access ports by default in JUNOS, and they are initially part of the default VLAN on the switch (more on that in a minute).

 

Creating a VLAN is pretty easy:

 

[edit]

 edit vlans

 

[edit vlans]

set <vlan name> vlan-id <ID>

 

For example:

 

[edit]

root@burro# edit vlans

 

[edit vlans]

root@burro# set blue vlan-id 10

root@burro# set orange vlan-id 20

root@burro# commit

 

Now you can assign ports to your VLANs via set <interface> unit <unit number> family ethernet-switching vlan members <VLAN>

 

[edit vlans]

root@burro# up

 

[edit]

root@burro# edit interfaces

 

[edit interfaces]

root@burro# set ge-0/0/0 unit 0 family ethernet-switching vlan members blue

root@burro# set ge-0/0/1 unit 0 family ethernet-switching vlan members orange

 

Now we need a trunk port to allow our VLANs to travel to another switch:

 

[edit interfaces]

root@burro# set ge-0/0/23 unit 0 family ethernet-switching port-mode trunk

 

And then we make this port a member of the VLANs that we want the port to handle:

 

[edit interfaces]

root@burro# set ge-0/0/23 unit 0 family ethernet-switching vlan members blue

root@burro# set ge-0/0/23 unit 0 family ethernet-switching vlan members orange

root@burro# commit

 

 

The following is true of the default VLAN:

 

  • By default each switch has a common default VLAN named 'default'
  • This default VLAN is untagged and has no VLAN ID
  • JUNOS EX trunk ports do not accept untagged traffic

If you wanted to pass traffic from the default VLAN over a trunk port you would do the following:

 

set <trunk interface> unit 0 family ethernet-switching native-vlan-id default

 

[edit interfaces]

root@burro# set ge-0/0/23 unit 0 family ethernet-switching native-vlan-id default

 

You can also add a VLAN ID to the default VLAN:

 

[edit]

root@burro# set vlans default vlan-id 1

root@burro# commit

 

Running 'show vlans detail' in operational mode on your switch will now show the native/default VLAN with an ID of 1.

 

You can create a layer 3 VLAN by adding what Juniper calls a 'routed VLAN interface' or 'RVI'. The only real difference between a layer 2 VLAN and a layer 3 VLAN, in terms of configuration, is that you are adding an IP address to your VLAN.

 

set interfaces vlan unit <VLAN ID> family inet address <VLAN IP/mask>

 

[edit interfaces]

root@burro# set vlan unit 10 family inet address 192.168.1.1/24

root@burro# set vlan unit 20 family inet address 192.168.2.1/24

 

Now we associate the layer 3 interface with the VLAN:

 

[edit]

root@burro# set vlans blue l3-interface vlan.10

root@burro# set vlans orange l3-interface vlan.20

root@burro# commit

 

Now our end node devices such as a PC can use the VLAN interface IP as the default gateway and the switch will route traffic between the VLANs.

Trusted Contributor
jozef.klacko
Posts: 142
Registered: ‎07-19-2010
0

Re: mac-based vlans

Yes I mean L2 lans

 

http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/ex-series-software-features-overview....

- Table 11: Layer 2 Network Protocols Features by Junos OS Release

-- MAC-based VLANs

 

Nice guide :smileyhappy:

I only want to have something that other vendors have. For example, you have a VoIP phone with MAC 00:11:22:aa:bb:cc that does not support VLAN tagging, and you want to tag traffic on interfaces with that MAC and untag it in the other direction on the access port. Or to another VLAN if the MAC is a different one... Maybe I saw a solution through family ethernet firewall filters ... then vlan statement. I didn't check it.

Recognized Expert
NateK
Posts: 234
Registered: ‎02-03-2009
0

Re: mac-based vlans

I can't find anything on how to set up a JUNOS MAC-based VLAN.

 

The table you listed shows this but I can't find information anywhere on how to do it exactly.

Trusted Contributor
jozef.klacko
Posts: 142
Registered: ‎07-19-2010
0

Re: mac-based vlans

Thanks for your attention :-)
Recognized Expert
JNPRdhanks
Posts: 305
Registered: ‎11-01-2010

Re: mac-based vlans

Yes, the EX family supports filter-based VLAN assignments. In this example I show you how to match on a list of source-mac-addresses, accept the packet and move it into the VLAN called "test".

 

 

root@EX4200# show firewall 
family ethernet-switching {
    filter mac-based {
        term 1 {
            from {
                source-mac-address {
                    00:00:00:00:00:11;
                    00:00:00:00:00:12;
                    00:00:00:00:00:13;
                    00:00:00:00:00:14;
                    00:00:00:00:00:15;
                }
            }
            then {
                accept;
                vlan test;
            }
        }
    }
}

 

Then just apply this firewall filter where you need to dynamically assign VLANs.

 

Doug Hanks
JNCIE-ENT #213, JNCIE-SP #875

Follow me on Twitter @douglashanksjr
Trusted Contributor
jozef.klacko
Posts: 142
Registered: ‎07-19-2010
0

Re: mac-based vlans

 

[edit firewall]
root@ex2200# show
family ethernet-switching {
    filter mac-based {
        term 1 {
            from {
                source-mac-address {
                    00:00:00:00:00:11/48;
                    00:00:00:00:00:12/48;
                    00:00:00:00:00:13/48;
                    00:00:00:00:00:14/48;
                    00:00:00:00:00:15/48;
                }
            }
            then {
                accept;
                ##
                ## Warning: statement ignored: unsupported platform (ex2200-48t-4g)
                ##
                vlan vlan1337;
            }
        }
    }
}

Unfortunately not on ex2200 :smileysad: JUNOS Base OS Software Suite [10.4R1.9]

But the table said

MAC-based VLANs ex2200 - 10.1R1

or could I ignore that Warning?

 

Visitor
romanmt
Posts: 1
Registered: ‎02-17-2011
0

Re: mac-based vlans

Can someone paste a working configuration with the interface config? Is it trunk or access? Because this doesn't work on ex-4200. If I'm right, this should make all traffic from MAC address 000000000011 tagged with vlan test?

 

root@EX4200# show firewall
family ethernet-switching {
    filter mac-based {
        term 1 {
            from {
                source-mac-address {
                    00:00:00:00:00:11;
                }
            }
            then {
                accept;
                vlan test;
            }
        }
    }
}
Distinguished Expert
mikep
Posts: 483
Registered: ‎06-30-2009
0

Re: mac-based vlans

Hi,

 

Did you apply your FF on the ingress interfaces? Like this:

lab@ex8208-1-re0# set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input mac-based

 

Kind Regards

Michael Pergament

Trusted Contributor
jozef.klacko
Posts: 142
Registered: ‎07-19-2010
0

Re: mac-based vlans

I found that it is possible via dot1x configuration:

 

root@test> show configuration protocols dot1x
authenticator {
    static {
        00:d0:e9:00:00:00/24 {
            vlan-assignment voice;
        }
    }
}
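
An added example, not part of the thread or of any Juniper tooling: a small Python audit helper that reads brace-style configuration like the firewall filter and the dot1x static entry posted above, and reports which VLAN a given MAC address would be steered into, honouring the `/48` and `/24` prefix lengths. The sample text is constructed from the values quoted in the thread; the function names are hypothetical.

```python
import re

MAC = re.compile(r"^((?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:/(\d+))?$", re.I)

# Constructed sample built from the values quoted in the thread.
SAMPLE = """
firewall { family ethernet-switching { filter mac-based { term 1 {
    from { source-mac-address { 00:00:00:00:00:11/48; 00:00:00:00:00:12; } }
    then { accept; vlan test; } } } } }
protocols { dot1x { authenticator { static {
    00:d0:e9:00:00:00/24 { vlan-assignment voice; } } } } }
"""

def statements(text):
    """Yield (path, words) for each ';'-terminated statement; '#' comments are dropped."""
    path, words = [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text)):
        if tok not in {"{", "}", ";"}:
            words.append(tok)
            continue
        if tok == "{":
            path.append(" ".join(words))
        elif tok == "}":
            path.pop()
        elif path and words:  # ';' ends a statement; top-level ones are not needed here
            yield tuple(path), words
        words = []

def parse(entry):
    mac, plen = MAC.match(entry).groups()  # prefix length defaults to 48 when omitted
    return int(mac.replace(":", ""), 16), int(plen or 48)

def mac_rules(text):
    """Return [(mac_int, prefix_len, vlan, source)] for filter terms and dot1x static entries."""
    macs, vlans, rules = {}, {}, []
    for path, words in statements(text):
        if path[-1] == "source-mac-address" and MAC.match(words[0]):
            macs.setdefault(path[:-2], []).append(words[0])  # key: path of the term
        elif path[-1] == "then" and words[0] == "vlan" and len(words) == 2:
            vlans[path[:-1]] = words[1]
        elif words[0] == "vlan-assignment" and MAC.match(path[-1]):
            rules.append(parse(path[-1]) + (words[1], "dot1x static"))
    for term, entries in macs.items():
        rules += [parse(m) + (vlans[term], " ".join(term[-2:])) for m in entries if term in vlans]
    return rules

def matches(rules, mac):
    """All (vlan, source) rules whose leading prefix_len bits equal those of mac."""
    value, _ = parse(mac)
    return [(v, s) for base, plen, v, s in rules if (value ^ base) >> (48 - plen) == 0]
```

A MAC that returns more than one entry from `matches` is covered by several assignments and is worth reviewing; the helper does not model which one the switch applies.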

 
