Configuration Library

Simple EX8200 VLAN isolation

‎01-11-2016 03:52 AM

Title: Configuration Example - VLAN isolation between access switches.

How to make simple layer 2 isolation for targeted vlan(s) on specific ports

Product:  EX8200

Version:  15.1R2.9

Network Topology:    EX8200 switch as aggregator for access layer switches.

EX8208.jpg

Description:

- Tasks:

1) Configure layer 2 traffic isolation for particular vlans on specific ports
2) Configure trunk/uplink port(s) for these isolated vlans

 

 Configuration:
1) Configure layer 2 traffic isolation for particular vlans on specific ports:
 
UNI-interfaces configuration (clients/isolated):
set interfaces ge-3/0/38 unit 0 family ethernet-switching port-mode access
set interfaces ge-3/0/39 unit 0 family ethernet-switching port-mode access
Create and Associate vlan with customer ports:
set vlans CUSTOMERS description CUSTOMERS
set vlans CUSTOMERS vlan-id 1299
set vlans CUSTOMERS no-local-switching
set vlans CUSTOMERS interface ge-3/0/38.0 mapping 1299 swap
set vlans CUSTOMERS interface ge-3/0/39.0 mapping 1299 swap
*Notice that interfaces GE-3/0/38 and GE-3/0/39 are trunk ports for VLANID 1299 towards access switches.  
 
2) Configure trunk/uplink port(s) for vlan:
 
NNI-interface configuration (uplink):
set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members CUSTOMERS
It works pretty well.
 
Or you can terminate this vlan on EX8200 if you wish:
set vlans CUSTOMERS l3-interface vlan.1299
set interfaces vlan unit 1299 family inet address 192.168.1.1/24
As a result, PC1 and PC2 can communicate with the uplink router (gateway) or with the EX8200 (if the vlan is terminated on the EX8208), but not with each other.
 

Re: Simple EX8200 VLAN isolation

‎01-16-2016 04:20 AM

And here is what we actually get after applying the above configuration:

 

1) VLANs and PVLANs

 

root56@j8208> show ethernet-switching interfaces ge-3/0/38  
Interface    State  VLAN members        Tag   Tagging  Blocking 
ge-3/0/38.0  up     CUSTOMERS           1299  tagged   unblocked
                    __pvlan_CUSTOMERS_ge-3/0/38.0__ tagged unblocked

root56@j8208> show ethernet-switching interfaces ge-3/0/39  
Interface    State  VLAN members        Tag   Tagging  Blocking 
ge-3/0/39.0  up     CUSTOMERS           1299  tagged   unblocked
                    __pvlan_CUSTOMERS_ge-3/0/39.0__ tagged unblocked

 

2) Ethernet switching table for these ports:

 

root56@j8208> show ethernet-switching table interface ge-3/0/38   
Ethernet-switching table: 4 unicast entries
  VLAN              MAC address       Type         Age Interfaces
  CUSTOMESR         *                 Flood          - All-members
  CUSTOMESR         1c:bb:a8:0d:a6:0f Replicated        0 ge-3/0/38.0
  __pvlan_IPTV-1299_ge-3/0/38.0__ *   Flood          - All-members
  __pvlan_IPTV-1299_ge-3/0/38.0__ 1c:bb:a8:0d:a6:0f Learn        0 ge-3/0/38.0
  __pvlan_IPTV-1299_ge-3/0/38.0__ e4:27:71:15:6e:d6 Learn       37 ge-3/0/38.0

root56@j8208> show ethernet-switching table interface ge-3/0/39    
Ethernet-switching table: 4 unicast entries
  VLAN              MAC address       Type         Age Interfaces
  CUSTOMESR         *                 Flood          - All-members
  CUSTOMESR         1c:bb:a8:0c:af:3a Replicated        0 ge-3/0/39.0
  CUSTOMESR         e4:27:71:08:5f:a5 Replicated        0 ge-3/0/39.0
  __pvlan_CUSTOMESR_ge-3/0/39.0__ *   Flood          - All-members
  __pvlan_CUSTOMESR_ge-3/0/39.0__ 1c:bb:a8:0c:af:3a Learn        0 ge-3/0/39.0
  __pvlan_CUSTOMESR_ge-3/0/39.0__ e4:27:71:08:5f:a5 Learn        0 ge-3/0/39.0

 

Pay attention to the number of pvlans. Each port-vlan pair generates a unique pvlan entry. You should be careful with some layer 2 protocols. For example, the vstp protocol is limited to 253 vlans, and the config must be changed in some cases.

 

[edit protocols vstp]
  'vlan all'
    Cannot configure VSTP on all VLANs when more than 253 VLANs are configured. Configure vstp vlan-group along with STP or RSTP to cover all VLANs
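
A pre-commit check for the pvlan growth described in the reply, as an added example that is not part of the original posts or Juniper's tooling. It assumes, following the reply, that every VLAN/port `mapping ... swap` pair yields one `__pvlan_<vlan>_<port>__` entry and that these entries count toward the 253-VLAN VSTP limit; the `MGMT` VLAN and the `audit` function are constructed for illustration.

```python
import re

VSTP_VLAN_LIMIT = 253  # figure quoted in the commit error above

# Constructed sample in "set" format, modelled on the configuration in the first post.
SAMPLE_CONFIG = """\
set vlans CUSTOMERS vlan-id 1299
set vlans CUSTOMERS no-local-switching
set vlans CUSTOMERS interface ge-3/0/38.0 mapping 1299 swap
set vlans CUSTOMERS interface ge-3/0/39.0 mapping 1299 swap
set vlans MGMT vlan-id 10
set vlans MGMT interface ge-3/0/1.0
set protocols vstp vlan all
"""

VLAN_RE = re.compile(r"^set vlans (\S+)(?: (.*))?$")
MAPPED_PORT_RE = re.compile(r"^interface (\S+) mapping \S+ swap$")


def audit(config):
    """Count configured VLANs plus implied pvlan entries and test the VSTP limit."""
    vlans, isolated, pvlans = set(), set(), set()
    vstp_all = False
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line == "set protocols vstp vlan all":
            vstp_all = True
            continue
        m = VLAN_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2) or ""
        vlans.add(name)
        if rest == "no-local-switching":
            isolated.add(name)
        port = MAPPED_PORT_RE.match(rest)
        if port:
            # Assumption: one pvlan per VLAN/port pair, named as in the show output.
            pvlans.add("__pvlan_%s_%s__" % (name, port.group(1)))
    total = len(vlans) + len(pvlans)
    return {
        "vlans": sorted(vlans),
        "isolated": sorted(isolated),
        "pvlans": sorted(pvlans),
        "total": total,
        "vstp_all_ok": not (vstp_all and total > VSTP_VLAN_LIMIT),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

When `vstp_all_ok` is false, the commit error shown above is the expected outcome, and the VSTP configuration has to move to `vlan-group` alongside STP or RSTP as the message says.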