Ethernet Switching

EX2200 Double-tagging on ingress & popping outer VLAN on egress

a week ago

Hi all,

 

New to the forums but I've done a bit of searching and can't seem to find the scenario I'm looking to solve for.  I have an EX2200 on which I need to take incoming untagged traffic on multiple ports, mark the same inner VLAN on each but different outer VLANs on each port, to be conditioned to go out with the same inner VLAN on multiple trunk ports facing northbound.

 

For example:

Port 1: Trunk port for "Store A" VLAN 50

Port 2: Trunk port for "Store B" VLAN 50

Port 3: Access port for "Store A" VLAN 50

Port 4: Access port for "Store B" VLAN 50

(etc).

 

My expected behavior is that for "Store A," Port 3 receives untagged traffic, adds VLAN 50 and any local S-Tag (ex. 1000), then pops off the S-Tag on the way out the trunk port (1) so that it leaves the switch as VLAN 50.  "Store B" should have the same behavior but use a different S-Tag to differentiate the traffic.

 

I can add a single VLAN tag to untagged traffic when it comes in but not sure how to differentiate the traffic between the two separate customers/ports that use the same VLAN ID.  I've also looked into Private VLANs but I wasn't able to find a way to use the same VLAN ID northbound for two promiscuous ports.

 

Any suggestions on how to accomplish that would be greatly appreciated!

 

Cheers!

5 REPLIES

Re: EX2200 Double-tagging on ingress & popping outer VLAN on egress

Thursday

I'm not following what behavior you want in the vlan transport as everything is labeled the same vlan here.

 

You have two access ports in vlan 50

and two trunk ports with vlan 50 tagged

That all is so far normal vlan behavior.

 

From the description you want to push vlan ids on the "access" ports?  Maybe a different one per client?

But have the same vlan id inbound on the "trunk" side?

 

In other words, where exactly do you want to do the push/pop and where exactly are the vlan overlaps?

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: EX2200 Double-tagging on ingress & popping outer VLAN on egress

Thursday

Just like @

 

 


Re: EX2200 Double-tagging on ingress & popping outer VLAN on egress

Thursday

Thanks for the replies and sorry for the confusion; the situation is a little weird in that it's being used for a staging environment to configure multiple like devices at one time, which will always be VLAN50 and will always have the same IP addresses.  That's why I can't allow them to be part of the same broadcast domain, since there will be IP overlap.  What I left out initially for simplicity (ha) is that there are also multiple devices being configured at once per "store," and I do have to add VLAN 50 to the otherwise untagged traffic or I'd ask them to connect to the firewalls directly.  I use "Store A" and "Store B" in my example below to show the separation:

 

[Store A Devices]   [Switch Access]   [Switch Trunk]   [Store A Firewall]
192.168.1.2/24      <- Port 3         Port 1 ->        192.168.1.1/24
192.168.1.3/24      <- Port 4         Port 1 ->        192.168.1.1/24
Untagged            +VLAN 50          VLAN 50          VLAN 50

[Store B Devices]   [Switch Access]   [Switch Trunk]   [Store B Firewall]
192.168.1.2/24      <- Port 5         Port 2 ->        192.168.1.1/24
192.168.1.3/24      <- Port 6         Port 2 ->        192.168.1.1/24
Untagged            +VLAN 50          VLAN 50          VLAN 50

 

 

So in short, I need to separate traffic coming into / going out of the switch and need to add the same VLAN in all cases, whether it's as the traffic comes in or as it goes out.  I know it's a weird one but that's why I'm here :)

 

The VRF / routing-instance thing sounds like it might be in the right direction.  In Ciscoland I've done similar things with bridge-domains but I'm still working on getting up to speed with Juniper devices.


Re: EX2200 Double-tagging on ingress & popping outer VLAN on egress

Thursday

Been looking into routing-instances and going to try something like this later today and see if that separates the traffic:

 

set vlans TEST-VLAN vlan-id 50

 

set interfaces ge-0/0/1 description "STORE-A TRUNK"
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TEST-VLAN

set interfaces ge-0/0/2 description "STORE-B TRUNK"
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members TEST-VLAN

set interfaces ge-0/0/3 description "STORE-A ACCESS 1"
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members TEST-VLAN

set interfaces ge-0/0/4 description "STORE-A ACCESS 2"
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members TEST-VLAN

set interfaces ge-0/0/5 description "STORE-B ACCESS 1"
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members TEST-VLAN

set interfaces ge-0/0/6 description "STORE-B ACCESS 2"
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members TEST-VLAN

 

set routing-instances STORE-A description "Store A routing-instance"
set routing-instances STORE-A instance-type l2vpn
set routing-instances STORE-A interface ge-0/0/1.0
set routing-instances STORE-A interface ge-0/0/3.0
set routing-instances STORE-A interface ge-0/0/4.0
set routing-instances STORE-A route-distinguisher 1234:1
set routing-instances STORE-A vrf-target target:1234:1

 

set routing-instances STORE-B description "Store B routing-instance"
set routing-instances STORE-B instance-type l2vpn
set routing-instances STORE-B interface ge-0/0/2.0
set routing-instances STORE-B interface ge-0/0/5.0
set routing-instances STORE-B interface ge-0/0/6.0
set routing-instances STORE-B route-distinguisher 1234:2
set routing-instances STORE-B vrf-target target:1234:2
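
An added example, not part of the original post and not Juniper tooling: a small Python check that reads "set"-style configuration like the one above and reports any VLAN whose member ports are spread over more than one routing-instance, which is the overlap between stores this thread is trying to avoid. The sample input is a constructed subset of the posted commands, and the "default" label for ports in no routing-instance is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the set-commands from the post above.
SAMPLE_CONFIG = """\
set vlans TEST-VLAN vlan-id 50
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TEST-VLAN
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members TEST-VLAN
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members TEST-VLAN
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members TEST-VLAN
set routing-instances STORE-A interface ge-0/0/1.0
set routing-instances STORE-A interface ge-0/0/3.0
set routing-instances STORE-B interface ge-0/0/2.0
set routing-instances STORE-B interface ge-0/0/5.0
"""

MEMBER_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (\S+)$")
INSTANCE_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")


def shared_vlans(config):
    """Return {vlan: {instance: [ports]}} for VLANs spanning more than one instance."""
    vlan_ports = defaultdict(set)   # VLAN name -> logical interfaces (port.unit)
    port_instance = {}              # logical interface -> routing-instance name
    for line in config.splitlines():
        line = line.strip()
        if m := MEMBER_RE.match(line):
            vlan_ports[m.group(3)].add(f"{m.group(1)}.{m.group(2)}")
        elif m := INSTANCE_RE.match(line):
            port_instance[m.group(2)] = m.group(1)
    findings = {}
    for vlan, ports in vlan_ports.items():
        groups = defaultdict(list)
        for port in sorted(ports):
            # Ports in no routing-instance are grouped under "default" (label chosen here).
            groups[port_instance.get(port, "default")].append(port)
        if len(groups) > 1:
            findings[vlan] = dict(groups)
    return findings


if __name__ == "__main__":
    for vlan, groups in shared_vlans(SAMPLE_CONFIG).items():
        print(f"{vlan} is shared by instances: {groups}")
```

The check only surfaces the shared VLAN; whether the routing-instance by itself keeps the two stores apart is what the post sets out to test.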


Re: EX2200 Double-tagging on ingress & popping outer VLAN on egress

Friday

What will be the other side of your l2 vpn?

I assume you are not looking to connect these to each other.  So the tricky part here will be how to manage the communications from whatever needs to talk to the stores during the setup process.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home