Ethernet Switching
Contributor
Posts: 77
Registered: ‎12-08-2010
0 Kudos

"filter-based VLANs"?

I'm looking through the JNCIP-ENT exam blueprint and they mention "filter-based VLANs".  Does anyone know what that means?  Is it simply applying a firewall filter to a VLAN?  That's easy enough, but I'm not sure that's what they're talking about.

 

JNCIP-ENT Blueprint

 

Ethernet Switching and Spanning Tree
 Describe, configure and monitor advanced switching features 
 Explain and implement filter-based VLANs <--- this!
 Describe and configure private VLANs
 Explain and implement dynamic VLAN registration using MVRP
 Tunnel Layer 2 traffic through Ethernet networks
 Implement Layer 2 tunneling using Q-in-Q and L2PT

 

Distinguished Expert
Posts: 5,028
Registered: ‎03-30-2009
0 Kudos

Re: "filter-based VLANs"?

I believe this is talking about the Q-in-Q feature to assign VLANs based on firewall filters.

EX Feature list:
http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/ex-series-software-fe...

Q-in-Q VLAN extended support for multiple S-VLANs per access interface, firewall-filter-based VLAN assignment, and routed VLAN interfaces (RVIs)

Understanding Q-in-Q Tunneling

http://www.juniper.net/techpubs/en_US/junos10.3/topics/concept/qinq-tunneling-ex-series.html

Firewall filters allow you to map an interface to a VLAN based on a policy. Using firewall filters to map an interface to a VLAN is useful when you want a subset of traffic from a port to be mapped to a selected VLAN instead of the designated VLAN. To configure a firewall filter to map an interface to a VLAN, the vlan option has to be configured as part of the firewall filter and the mapping policy option must be specified in the interface configuration for each logical interface using the filter.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor
Posts: 77
Registered: ‎12-08-2010
0 Kudos

Re: "filter-based VLANs"?

Thanks for the response. 

 

Has anybody implemented this?  Anybody have a real-world use-case for this?

 

root@ex3200-1# set firewall family ethernet-switching filter FWF1 term T10 from ? 
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Match IP destination address
> destination-mac-address  Match MAC destination address
+ destination-port     Match TCP/UDP destination port
> destination-prefix-list  Match IP destination prefixes in named list
+ dot1q-tag            Match Dot1Q Tag Value
+ dot1q-user-priority  Match Dot1Q user priority
+ dscp                 Match Differentiated Services (DiffServ) code point
+ ether-type           Match Ethernet Type
  fragment-flags       Match fragment flags (in symbolic or hex formats) - (Ingress only)
+ icmp-code            Match ICMP message code
+ icmp-type            Match ICMP message type
> interface            Match interface name
> ip-version           Define IP version
  is-fragment          Match if packet is a fragment
+ l2-encap-type        Match Ethernet Encapsulation Type
+ precedence           Match IP precedence value
+ protocol             Match IP protocol type
> source-address       Match IP source address
> source-mac-address   Match MAC source address
+ source-port          Match TCP/UDP source port
> source-prefix-list   Match IP source prefixes in named list
  tcp-established      Match packet of an established TCP connection
  tcp-flags            Match TCP flags (in symbolic or hex formats)
  tcp-initial          Match initial packet of a TCP connection
+ vlan                 Match Vlan Id or Name
[edit]

root@ex3200-1# set firewall family ethernet-switching filter FWF1 term T10 then ?
Possible completions:
  accept               Accept the packet
  analyzer             Name of analyzer - (Ingress only)
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  count                Count the packet in the named counter
  discard              Discard the packet
  forwarding-class     Classify packet to forwarding class
  interface            Switch traffic to the specified interface by-passing switching lookup - (Ingress only)
  log                  Log the packet
  loss-priority        Packet's loss priority
  policer              Name of policer to use to rate-limit traffic
  syslog               System log (syslog) information about the packet
> three-color-policer  Police the packet using a three-color-policer
  vlan                 Name of VLAN - (Ingress only)

 

Juniper Employee
Posts: 20
Registered: ‎04-04-2011
0 Kudos

Re: "filter-based VLANs"?

This is for a firewall filter which needs to be applied on a VLAN instead of on a port or routed interface.

 

We have multiple types of Firewall Filter including PACL, RACL and VACL which are as follows:

PACL: Port ACL

RACL: Routed ACL

VACL: VLAN ACL

Regards,
Rahul
Trusted Expert
Posts: 279
Registered: ‎02-13-2012
0 Kudos

Re: "filter-based VLANs"?

Hi,

 

Filter-based VLAN assignment is very flexible compared to port-based (static) VLAN assignment.
This feature can be used in scenarios that include multiple devices attached to a single switch port through an attached hub or passive switch.

 

Let's say that two PCs are attached to a hub and then to the switch port ge-0/0/0, and from there to the upstream cloud. If we go by the port-based VLAN assignment method, both PCs will be part of the same VLAN (11 in the example below). If our requirement is to separate them into two VLANs (11 and 22), we can use filter-based VLANs.

 

Step 1:

set vlans v11 vlan-id 11
set vlans v11 interface ge-0/0/0.0
set vlans v22 vlan-id 22
set vlans v22 interface ge-0/0/0.0 mapping policy

Step 2:

set firewall family ethernet-switching filter separate-vlans term 1 from source-address <PC2 IP>
set firewall family ethernet-switching filter separate-vlans term 1 then vlan v22
set firewall family ethernet-switching filter separate-vlans term 2 then accept

Step 3:

set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input separate-vlans

Because of term 1, PC2 will now be part of v22, and because of term 2, PC1 will be part of v11.

 

Hope this helps :)

 

Regards,
Pradeep JNCIE-SEC
Contributor
Posts: 85
Registered: ‎06-24-2011
0 Kudos

Re: "filter-based VLANs"?

Hello!

Found this thread while searching about filtered VLANs.

I have another problem:

 

EX2200 with a trunked port and an unmanaged switch connected to this port. There are some well-known MAC addresses on the unmanaged switch which have to be assigned to some VLAN on the EX2200, and all other MAC addresses have to be in the default (untagged) VLAN.

I'm using this config:

 

interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                filter {
                    input MAC_assig;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    me0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 172.16.5.81/16;
            }
        }
    }
}
protocols {
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
firewall {
    family ethernet-switching {
        filter MAC_assig {
            term 1 {
                from {
                    source-mac-address {
                        58:6d:8f:57:e9:b0/48;
                    }
                }
                then vlan VOIP;
            }
            term 2 {
                then accept;
            }
        }
    }
}
ethernet-switching-options {
    storm-control {
        interface all;
    }
}
vlans {
    VOIP {
        vlan-id 10;
        interface {
            ge-0/0/9.0 {
                mapping {
                    policy;
                }
            }
        }
    }
    default {
        l3-interface vlan.0;
    }
}

 

With this config, if MAC 58:bla-bla is at port 0/0/8, it's in the default VLAN:

root# run show ethernet-switching table
Ethernet-switching table: 4 entries, 1 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members
  default           40:b4:f0:ca:81:41 Static         - Router
  default           58:6d:8f:57:e9:b0 Learn          0 ge-0/0/8.0
  VOIP              *                 Flood          - All-members

If MAC 58:bla-bla is at port 0/0/9:

root# run show ethernet-switching table
Ethernet-switching table: 5 entries, 2 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members
  default           40:b4:f0:ca:81:41 Static         - Router
  default           e4:11:5b:2d:cf:e4 Learn          0 ge-0/0/8.0
  VOIP              *                 Flood          - All-members
  VOIP              58:6d:8f:57:e9:b0 Learn          0 ge-0/0/9.0

As you can see, here there is one more MAC, e4:11-bla-bla, at port 0/0/8.

If I swap the cables at ports 0/0/8 and 0/0/9:

 

root# run show ethernet-switching table
Ethernet-switching table: 4 entries, 1 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members
  default           40:b4:f0:ca:81:41 Static         - Router
  default           58:6d:8f:57:e9:b0 Learn          0 ge-0/0/8.0
  VOIP              *                 Flood          - All-members

There is no MAC at port 0/0/9, BUT the device with e4:11-bla-bla is connected.

So the default VLAN assignment doesn't work.

 

If I add native-vlan-id to port 0/0/9:

set interfaces ge-0/0/9 unit 0 family ethernet-switching native-vlan-id default

I'll see the following:

root# run show ethernet-switching table
Ethernet-switching table: 5 entries, 2 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members
  default           40:b4:f0:ca:81:41 Static         - Router
  default           58:6d:8f:57:e9:b0 Learn          0 ge-0/0/8.0
  default           e4:11:5b:2d:cf:e4 Learn         48 ge-0/0/9.0
  VOIP              *                 Flood          - All-members

Seems to be good, but it's not:

root# run show ethernet-switching table
Ethernet-switching table: 6 entries, 3 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members
  default           40:b4:f0:ca:81:41 Static         - Router
  default           58:6d:8f:57:e9:b0 Learn         30 ge-0/0/9.0
  default           e4:11:5b:2d:cf:e4 Learn          0 ge-0/0/8.0
  VOIP              *                 Flood          - All-members
  VOIP              58:6d:8f:57:e9:b0 Learn         30 ge-0/0/9.0

{master:0}[edit]

58:bla-bla has two VLANs!

 

I need advice on how to solve it.

 

Thanks!
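A defender-side check for the symptom in this post, as an added example that is not part of the original thread and not a Juniper tool: it parses the text of "show ethernet-switching table", flags any MAC learned in more than one VLAN, and compares two snapshots to report a MAC whose learned interface changed. The two snapshots are constructed from the tables pasted above; the function and field names are the example's own.

```python
"""Checks over Junos 'show ethernet-switching table' output: flag a MAC learned
in more than one VLAN, and a MAC whose learned interface changed between two
snapshots.  Added example; the snapshots are constructed from the post above."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class MacEntry(NamedTuple):
    vlan: str
    mac: str
    kind: str        # Learn, Static or Flood, as printed by the switch
    age: str
    interface: str


# One data row: VLAN, MAC (or '*' for the flood entry), Type, Age, Interface.
# Header lines ("VLAN  MAC address ...") and CLI prompts do not match.
_ROW = re.compile(
    r"^\s*(?P<vlan>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|\*)\s+"
    r"(?P<kind>\S+)\s+(?P<age>\S+)\s+(?P<iface>\S+)\s*$",
    re.IGNORECASE,
)


def parse_switching_table(text: str) -> List[MacEntry]:
    """Return the real MAC entries; '*' flood rows are dropped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m and m.group("mac") != "*":
            entries.append(MacEntry(m.group("vlan"), m.group("mac").lower(),
                                    m.group("kind"), m.group("age"), m.group("iface")))
    return entries


def _learned_ifaces(entries: List[MacEntry]) -> Dict[str, Set[str]]:
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        if e.kind == "Learn":
            seen[e.mac].add(e.interface)
    return seen


def macs_in_multiple_vlans(entries: List[MacEntry]) -> Dict[str, List[str]]:
    """MAC -> sorted VLAN names, for dynamically learned MACs present in more
    than one VLAN (the '58:bla-bla has two VLANs' symptom)."""
    vlans: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        if e.kind == "Learn":
            vlans[e.mac].add(e.vlan)
    return {mac: sorted(v) for mac, v in vlans.items() if len(v) > 1}


def mac_moves(before: List[MacEntry], after: List[MacEntry]) -> Dict[str, Tuple[List[str], List[str]]]:
    """MAC -> (old interfaces, new interfaces) for learned MACs whose port set
    changed between two snapshots; a move with no cable change deserves a look."""
    old, new = _learned_ifaces(before), _learned_ifaces(after)
    return {mac: (sorted(old[mac]), sorted(new[mac]))
            for mac in old if mac in new and old[mac] != new[mac]}


# Constructed snapshots, copied from the tables in the post.
SNAPSHOT_BEFORE = """\
Ethernet-switching table: 4 entries, 1 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members
  default           40:b4:f0:ca:81:41 Static         - Router
  default           58:6d:8f:57:e9:b0 Learn          0 ge-0/0/8.0
  VOIP              *                 Flood          - All-members
"""

SNAPSHOT_AFTER = """\
Ethernet-switching table: 6 entries, 3 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  default           *                 Flood          - All-members
  default           40:b4:f0:ca:81:41 Static         - Router
  default           58:6d:8f:57:e9:b0 Learn         30 ge-0/0/9.0
  default           e4:11:5b:2d:cf:e4 Learn          0 ge-0/0/8.0
  VOIP              *                 Flood          - All-members
  VOIP              58:6d:8f:57:e9:b0 Learn         30 ge-0/0/9.0
"""


def report() -> Dict[str, dict]:
    before = parse_switching_table(SNAPSHOT_BEFORE)
    after = parse_switching_table(SNAPSHOT_AFTER)
    return {"multi_vlan": macs_in_multiple_vlans(after), "moves": mac_moves(before, after)}


if __name__ == "__main__":
    for name, hits in report().items():
        print(name, hits or "none")
```

Run periodically against saved copies of the table, the two functions give an early signal for both the misconfiguration in this post (one MAC in two VLANs) and a host or MAC unexpectedly showing up on a different port.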

 

Distinguished Expert
Posts: 1,912
Registered: ‎06-06-2011
0 Kudos

Re: "filter-based VLANs"?

Remove the firewall filter from int 9 and apply it as an input filter on port 8 (that is the interface on which the device you are trying to assign to the VLAN VOIP is). And then you add int 8 to the VOIP VLAN with the conditional association:

===================================
vlans {
    VOIP {
        vlan-id 10;
        interface {
            ge-0/0/9.0;
            ge-0/0/8.0 {
                mapping {
                    policy;
                }
            }
        }
    }
}
============================================
interfaces {
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                filter {
                    input MAC_assig;
                }
            }
        }
    }
}

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Contributor
Posts: 17
Registered: ‎07-26-2012
0 Kudos

Re: "filter-based VLANs"?

Hi all,

 

This post is very interesting. I have tested this with two PCs attached to a hub.

 

set interface ge-0/0/0.0 description "SERVER V10"
set interface ge-0/0/1.0 description "SERVER V11"
set interface ge-0/0/2.0 description "HUB"

set vlans v10 vlan-id 10
set vlans v10 interface ge-0/0/0.0
set vlans v11 interface ge-0/0/2.0
set vlans v11 vlan-id 11
set vlans v11 interface ge-0/0/1.0
set vlans v11 interface ge-0/0/2.0 mapping policy

set firewall family ethernet-switching filter svlan term 1 from source-address 10.255.11.10
set firewall family ethernet-switching filter svlan term 1 then vlan v11
set firewall family ethernet-switching filter svlan term 2 then accept

 

But I have a problem: the switch puts them in their own VLAN (correct output from the "show ethernet-switching interface / table" commands), but when I start ICMP requests to/from a server (in a port-based VLAN), it doesn't work. When I did some troubleshooting tests (Wireshark, ...), I found that ARP requests are not put in the correct VLAN (they stay in VLAN v10).

 

Thanks in advance for your help.

 

Contributor
Posts: 77
Registered: ‎12-08-2010
0 Kudos

Re: "filter-based VLANs"?

Good question!

 

The first time I heard about this feature my first thought was "what about ARP???"... since ARP isn't an IP packet, how can you classify things based on IP headers alone?  ARP would break.  Is the expectation that everyone would have static ARP entries?  Surely no.

 

So suppose we change the filter to be based on source MAC.  That might help a little.  At least a client's ARP request would be put into the correct VLAN.  But what if the client was ARP'ing for some other dynamic client in that VLAN.  Hmmm...

 

This seems like a niche feature.

Distinguished Expert
Posts: 5,028
Registered: ‎03-30-2009
0 Kudos

Re: "filter-based VLANs"?

Check the links and description in my earlier post.  Filter-based VLANs are part of a trunking operation, not access port VLAN assignment.  These are used with Q-in-Q to tag frames.  Or, in the example above, you can tag frames coming in from an unmanaged switch on a trunk port.

 

The important point is this is a Q tag operation not an untagged access port.  This is helpful to tunnel overlapping tags through the switch network or to change tags on trunk ports coming in.

 

 

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor
Posts: 77
Registered: ‎12-08-2010
0 Kudos

Re: "filter-based VLANs"?

Hi Steve,

Thanks for the response.  I'm still a little unclear on this.  I'm looking at the latest "official" Advanced Junos Enterprise Switching (Revision 12.a) material and the example they use is a very simple one:

 

If the packet is from 172.23.20.0/24 then put it in vlan 20 (instead of the access vlan of 10).  Yes, the upstream is a trunk, but no mention of S or C vlans. 

 

So if the client sends an ARP request, which is not an IP packet, how could this possibly match?

 

Now, if we're talking q-in-q or the trunk to an unmanaged switch, I could see a filter based on source-mac.  But I must be missing something with an IP based filter. 

Contributor
Posts: 17
Registered: ‎07-26-2012
0 Kudos

Re: "filter-based VLANs"?

Hi all,

Thanks for your answers.

Exactly, in several books like AJES there is an example of this feature. It never mentions QinQ, but the example they use is about an access port, specifically traffic from one host identified by its IP address with an ACL...

I made some tests on an EX series switch, and if you match the MAC address in your firewall filter it works like a charm, but it's not the same with an IP address. The problem is ARP requests, which stay in the default VLAN (the VLAN configured on the access port). You will tell me that it's normal, because the filter matches the PC's IP, but when you enter the command "show ethernet-switching table", the MAC address is in the correct VLAN, not the default. So could the switch transmit all layer 2 frames from this MAC address in the VLAN assigned by the firewall filter?

It's a great feature, but it would be great if we could use an IP address instead of a MAC address. We have MAC-based VLANs for that, which are more powerful than filter-based VLANs: static or dynamic (with dot1x), working with IP Source Guard, DAI, DHCP Snooping, STP, ...
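To make the behaviour argued over in the last few posts concrete, here is an added example (not Junos code, and not from any poster in this thread) that parses the "set" commands of the three-step configuration shown earlier (VLAN membership with "mapping policy", an ethernet-switching filter with "then vlan", the filter applied as input on the port) and runs sample frames through the filter. It models first-match term evaluation, the implicit discard at the end of a Junos filter, the requirement that the port carry "mapping policy" for the target VLAN, and the fact that a source-address term cannot match an ARP frame because ARP carries no IP header. The interface names, PC MAC addresses and frames are constructed; 10.255.11.10 is the address from the post above.

```python
"""Model of Junos EX filter-based VLAN assignment: parse the 'set' commands the
thread's configs are written as, then run sample frames through the filter.
Added example, not Junos code; addresses and frames below are constructed."""
import ipaddress
from typing import Dict, List, Optional


class Term:
    """One filter term: optional source-address / source-mac-address match, one action."""
    def __init__(self) -> None:
        self.src_ip: Optional[ipaddress.IPv4Network] = None
        self.src_mac: Optional[str] = None
        self.action: Optional[str] = None   # "accept", "discard" or "vlan <name>"


def parse_config(lines: List[str]) -> dict:
    cfg: dict = {"vlans": {}, "filters": {}, "port_filter": {}}
    for line in lines:
        w = line.split()
        if len(w) < 3:
            continue
        if w[:2] == ["set", "vlans"]:
            # set vlans NAME vlan-id N | interface IFL [mapping policy]
            v = cfg["vlans"].setdefault(w[2], {"id": None, "static": set(), "policy": set()})
            if w[3] == "vlan-id":
                v["id"] = int(w[4])
            elif w[3] == "interface":
                (v["policy"] if w[5:7] == ["mapping", "policy"] else v["static"]).add(w[4])
        elif w[:4] == ["set", "firewall", "family", "ethernet-switching"]:
            # set firewall family ethernet-switching filter F term T (from|then) ...
            t = cfg["filters"].setdefault(w[5], {}).setdefault(w[7], Term())
            if w[8] == "from" and w[9] == "source-address":
                t.src_ip = ipaddress.ip_network(w[10], strict=False)
            elif w[8] == "from" and w[9] == "source-mac-address":
                t.src_mac = w[10].split("/")[0].lower()      # drop the /48 mask
            elif w[8] == "then":
                t.action = " ".join(w[9:])
        elif w[1] in ("interface", "interfaces") and "input" in w:
            # set interfaces IFD unit U ... filter input F   (or the IFD.U shorthand)
            ifl = f"{w[2]}.{w[4]}" if w[3] == "unit" else w[2]
            cfg["port_filter"][ifl] = w[w.index("input") + 1]
    return cfg


def designated_vlan(cfg: dict, ifl: str) -> Optional[str]:
    """The port's static VLAN, used whenever no term reassigns the frame."""
    return next((n for n, v in cfg["vlans"].items() if ifl in v["static"]), None)


def term_matches(t: Term, frame: dict) -> bool:
    if t.src_mac is not None and frame["src_mac"].lower() != t.src_mac:
        return False
    if t.src_ip is not None:
        # ARP (or any other non-IP frame) has no IP header, so an IP match never succeeds
        if frame.get("src_ip") is None or ipaddress.ip_address(frame["src_ip"]) not in t.src_ip:
            return False
    return True


def classify(cfg: dict, frame: dict) -> Optional[str]:
    """VLAN the frame is switched in, or None when the filter discards it."""
    ifl = frame["in_iface"]
    default = designated_vlan(cfg, ifl)
    fname = cfg["port_filter"].get(ifl)
    if fname is None:
        return default
    for t in cfg["filters"][fname].values():          # terms in configuration order
        if not term_matches(t, frame):
            continue
        if t.action == "discard":
            return None
        if t.action and t.action.startswith("vlan "):
            target = t.action.split()[1]
            # 'then vlan' only takes effect on a port with 'mapping policy' for that VLAN
            return target if ifl in cfg["vlans"][target]["policy"] else default
        return default                                # accept: stay in the port's VLAN
    return None                                       # implicit discard at end of filter


# Constructed scenario: two PCs on a hub behind ge-0/0/2.0, whose port VLAN is v10;
# PC2 (10.255.11.10, the address from the post) should be moved into v11.
PC2_MAC = "00:11:22:33:44:55"                           # constructed, not from the page
BASE = [
    "set vlans v10 vlan-id 10",
    "set vlans v10 interface ge-0/0/2.0",
    "set vlans v11 vlan-id 11",
    "set vlans v11 interface ge-0/0/2.0 mapping policy",
    "set interfaces ge-0/0/2 unit 0 family ethernet-switching filter input svlan",
]
IP_FILTER = BASE + [
    "set firewall family ethernet-switching filter svlan term 1 from source-address 10.255.11.10",
    "set firewall family ethernet-switching filter svlan term 1 then vlan v11",
    "set firewall family ethernet-switching filter svlan term 2 then accept",
]
MAC_FILTER = BASE + [
    f"set firewall family ethernet-switching filter svlan term 1 from source-mac-address {PC2_MAC}/48",
    "set firewall family ethernet-switching filter svlan term 1 then vlan v11",
    "set firewall family ethernet-switching filter svlan term 2 then accept",
]
PC2_IP_PKT = {"in_iface": "ge-0/0/2.0", "src_mac": PC2_MAC, "src_ip": "10.255.11.10"}
PC2_ARP = {"in_iface": "ge-0/0/2.0", "src_mac": PC2_MAC, "src_ip": None}   # ARP: no IP header
PC1_IP_PKT = {"in_iface": "ge-0/0/2.0", "src_mac": "00:11:22:33:44:66", "src_ip": "10.255.10.20"}


def demo() -> Dict[str, Optional[str]]:
    ip_cfg, mac_cfg = parse_config(IP_FILTER), parse_config(MAC_FILTER)
    return {
        "ip-filter/PC2 IP": classify(ip_cfg, PC2_IP_PKT),     # v11
        "ip-filter/PC2 ARP": classify(ip_cfg, PC2_ARP),       # v10: the ARP problem
        "ip-filter/PC1 IP": classify(ip_cfg, PC1_IP_PKT),     # v10
        "mac-filter/PC2 ARP": classify(mac_cfg, PC2_ARP),     # v11
    }
```

The model reproduces what the posters observed: with an IP-based term, PC2's IP packets land in v11 while its ARP requests fall through to "then accept" and stay in the port VLAN v10, whereas a source-mac-address term moves both. Dropping the final "then accept" term shows the other trap, the implicit discard: every frame that no term matches is silently dropped.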