Switching

Hi All

 

I hope someone can enlighten me on this subject: what is "no-local-switching" option supposed to do in private vlan configuration? In my lab I see no difference in private vlan working with or without this option. For example in such a config

 

lab@exA-2# show vlans 
execs {
    vlan-id 41;
    interface {
        ge-0/0/7.0;
        ge-0/0/8.0;
    }
    primary-vlan pvlan;
}
pvlan {
    vlan-id 50;
    interface {
        ge-0/0/12.0 {
            pvlan-trunk;
        }
        ge-0/0/9.0;
    }
    no-local-switching;
    isolation-id 222;
}

{master:0}[edit]
lab@exA-2# show interfaces 
ge-0/0/7 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/8 {
    unit 0 {
        family ethernet-switching;
    }
}
ge-0/0/9 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
        }
    }
}
ge-0/0/12 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
        }
    }
}  

 

community ports ge-0/0/7 and ge-0/0/8 anyway can communicate with each other but can't communicate with other communities or isolated ports. And all ports can communicate to promiscuos port ge-0/0/9, as it should be. So, what does this option do? Should it be enabled or not in this case? Junos 11.4R7.5, EX4200.

 

Hi,

 

I checked it here:

 

http://www.juniper.net/techpubs/en_US/junos9.3/topics/reference/configuration-statement/no-local-switching-edit-vlans-private-vlans-ex-series.html

 

 

Hi

 

Thanks for your reply, but I wasn't able to see the difference in Junos working with and without this option. That is, regardless of this option, community ports from different private vlans don't communicate with each other and do communicate within a vlan; isolated ports are isolated and talk to promiscuos ports only. The explanation "You use this statement with ... isolated secondary VLANs" is obscure, as no isolated vlan is really created in configuration, you just set isolation-id for it. It would make sense to configure no-local-switching inside the secondary (community) vlan, but commit fails in this case, you can set this option under primary vlan only.

The no-local-switching enables the VLAN for private vlan functionality
And you do not have to set an isolation-id either, if the pvlans are only on one switch. In fact if the pvlans do not span multiple swtches, then the community vlans do not require vlan ID's either. The ports configured under the primary vlans are isolated ports.

Look at the VLAN tags in the traffic on your promiscuous ports with or without the option configured.

Hi Lyndidon,

 

Thanks for your reply. Are you sure that no-local-switching is needed
to enable private vlan functionality? From what I've seen, you
just need "primary-vlan" option on secondary vlan for basic pvlan
functionality.

 

Agree about isolation id and vlan ids for secondary vlans.
"The ports configured under the primary vlans are isolated ports" ->
correct, if they are access ports. If they are trunk ports,
they become promiscuos! (It is not easy do figure it out from the
doc directly, by the way). And I don't believe sniffering on
promiscuos port will give any result: this port is likely
to have only primary vlan's tag anyway - the upsteam router (switch)
is unaware of secondary or isolated vlans.

 

So my question remains... Any more ideas?

"Are you sure that no-local-switching is needed to enable private vlan functionality?" Yes- That is what we learn in the AJEX Course. I will not be able to set up and test what you are alluding to, until next week. So if no one else has any input, I will set up lab environment and test it next week.

Isolated VLANs are created internally when the isolated VLAN has access interfaces as members and theoption no-local-switching is enabledon theprimary VLAN.

In your case I do not see any access interfaces in the PVLAN. If you had the access interfaces in the PVLAN then they would not be able to communicate with each other at L2.

Isolated VLANs are created internally when two criteria have been met: the VLAN has access interfaces as members and the primary VLAN has the option no-local-switching enabled.

 page 14-26 or so gives very good explanation. Docs ae available but you have to use the content explorer.

http://www.juniper.net/techpubs/en_US/junos12.3/information-products/pathway-pages/ex-series/ethernet-switching-vlans.pdf#search=%22VSTP%20for%20EX-series%22

 

Hi Lyndidon

 

Thanks for your help. You assisted me to solve my problem so I will accept
your post as a solution, but here are some comments

 

1) Private vlan feature (primary + secondary/community ones) work fine without no-local-switching
option. AJEX instructor guide has no place where no-local-switching is mentioned;
AJEX lab guide just says to configure no-local-switching without telling what it does;
it is actually not needed in that lab setup. But this option is indeed required for
isolated vlans to work properly.

 

2) Access ports in the primary vlan (if you have more than one) are not
"isolated" from each other before you configure no-local-switching.

 

Before:

 

{master:0}[edit]
lab@exA-1# show vlans 
v12-13 {
    vlan-id 300;
    interface {
        ge-0/0/12.0;
        ge-0/0/13.0;
    }
    isolation-id 600;
}

{master:0}[edit]
lab@exA-1# run show vlans 
Name           Tag     Interfaces
__pvlan_v12-13_isiv__ 600    
                       None
default       
                       None
v12-13         300    
                       ge-0/0/12.0*, ge-0/0/13.0*

 

(and I can ping between ports);

 

After:

 

{master:0}[edit]
lab@exA-1# set vlans v12-13 no-local-switching 

{master:0}[edit]
lab@exA-1# commit 
warning: Isolation-id configured with no pvlan_trunk associated with primary vlan v12-13.
configuration check succeeds
commit complete

{master:0}[edit]
lab@exA-1# run show vlans 
Name           Tag     Interfaces
__pvlan_v12-13_ge-0/0/12.0__
                       ge-0/0/12.0*
__pvlan_v12-13_ge-0/0/13.0__
                       ge-0/0/13.0*
__pvlan_v12-13_isiv__ 600    
                       None
default       
                       None
v12-13         300    
                       ge-0/0/12.0*, ge-0/0/13.0*

 

and ping does not go between ports - they are indeed isolated (and have separate
internal vlan assigned).

 

Any other comments welcome.

 

 

 

 

Thanks for the kudos! Thank you for the post. This saves me a lot and I am copying your output here to use as reference, with your permission of course:) Just an FYI, you have to use the available documents in addition to practical testing to find out the accuracy of "certain material" and to get better explanation provided by "certain documents":). FYI, here it is: see attachment!

Thanks so much for your reply, I've made a lab, and the no-local-switching function is correct as you say.