Ethernet Switching

Filter based SVLAN tagging

‎02-02-2014 09:40 AM

Hello,

http://pathfinder.juniper.net/feature-explorer/feature-info.html?fKey=1061&fn=Filter based SVLAN tagging

I've just found THIS for EX8200 in Feature Explorer. Could anyone help me understand "how it works"?


Re: Filter based SVLAN tagging

‎02-02-2014 02:24 PM

See the q in q topic page.

http://www.juniper.net/techpubs/en_US/junos10.3/topics/concept/qinq-tunneling-ex-series.html

And the example configuration

http://www.juniper.net/techpubs/en_US/junos10.3/topics/example/qinq-tunneling-ex-series.html

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Filter based SVLAN tagging

‎02-02-2014 06:25 PM

Hello,

But it is just a "classical" dot1q-tunneling with ACCESS port configuration. Maybe I misunderstood, but... What is "Filter based SVLAN tagging"? From FE: "Filter based SVLAN tagging": You can use a firewall filter to perform S-VLAN tagging as part of the Q-in-Q tunneling feature.

Does it really work on EX8200 series switches?


Re: Filter based SVLAN tagging

‎02-04-2014 02:49 AM

Well you are right. I just spent 20 minutes looking for this documentation in search and I can't find the filter based vlan either. This is a topic covered in the Advanced Junos Enterprise Switching course. And I can't lay my hands on that book right now either.

My recollection is that the use case for q in q is using the firewall filter to retag the base vlan on the q in q trunk port as an input filter.

The match condition is the current vlan tag; the action is the tag you want to replace it with. And the filter then works bidirectionally. This can compensate for overlapping vlan tags on each side of the q in q trunk.

So local tag 30 becomes tag 300 before being sent to the q in q trunk. And the reverse, all received tags 300 become local tag 30.

The regular filter based vlan can take matches of mac addresses including the use of masks on a default vlan access port and place them into an action condition local vlan.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Filter based SVLAN tagging

‎02-04-2014 09:59 AM

I've wasted a few hours trying to add the SVLAN to incoming CVLANs. But all I can do is just REWRITE dot1q-tags.


Re: Filter based SVLAN tagging

‎02-05-2014 04:06 AM

Well, I don't know if that is the ONLY function you can use the firewall filters for. That is just the one I remember.

Since I can't find the documentation on the feature, my fragile memory is all that I have.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Filter based SVLAN tagging

‎02-05-2014 08:46 AM

http://pathfinder.juniper.net/feature-explorer/feature-info.html?fKey=1213&fn=Q-in-Q+VLAN+extended+s...

Really hard to think that all features from the link above are unsupported by EX8200.


Re: Filter based SVLAN tagging

‎02-07-2014 08:50 PM

I've found another solution for "partial-dot1q-tunneling". My issue was: apply a dot1q-tunneling for 100-1000 cvlans and normal trunking for 20,30 and 40 cvlans.

 

ethernet-switching-options {
    dot1q-tunneling {
        ether-type 0x8100;
    }
}

interfaces {
    /* customer-facing port */
    ge-2/0/39 {
        mtu 9216;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-2/0/42 {
        mtu 9216;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members CUST-QinQ;
                }
            }
        }
    }
}

vlans {
    /* C-VLANs 100-1000 arriving on ge-2/0/39 are tunneled in S-VLAN 3401 */
    CUST-QinQ {
        vlan-id 3401;
        interface {
            ge-2/0/39.0;
        }
        dot1q-tunneling {
            customer-vlans 100-1000;
        }
    }
    /* C-VLANs 20, 30 and 40 on the same port use a swap mapping instead */
    ETTH-MGMT {
        description ETTH-MANAGEMENT;
        vlan-id 20;
        interface {
            ge-2/0/39.0 {
                mapping {
                    20 {
                        swap;
                    }
                }
            }
        }
        l3-interface vlan.20;
    }
    IPTV {
        description STB-UNICAST;
        vlan-id 30;
        interface {
            ge-2/0/39.0 {
                mapping {
                    30 {
                        swap;
                    }
                }
            }
        }
        l3-interface vlan.30;
    }
    MCAST {
        description MULTICAST-DOWNSTREAM;
        vlan-id 40;
        interface {
            ge-2/0/39.0 {
                mapping {
                    40 {
                        swap;
                    }
                }
            }
        }
        l3-interface vlan.40;
    }
}

And IT WORKS. Without any physical loops and without 100-1000 CVLANs creation.


Re: Filter based SVLAN tagging

‎02-08-2014 04:13 AM

Thanks for posting a good use case and working scenario. Obviously the documentation is sparse on the filter based q in q feature.

Would you consider writing this up and posting it in the Configuration Library forum as a sample for others to use?

http://forums.juniper.net/t5/Configuration-Library/bd-p/ConfigLib

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Filter based SVLAN tagging

‎02-08-2014 10:02 PM

Yes I would. By the way, you can add several dot1q-tunneling S-VLANs to ONE interface (exactly like in the "feature explorer"). They just need to have different c-vlan ranges.

 

interfaces {
    ge-2/0/43 {
        unit 0 {
            family ethernet-switching;
        }
    }
}

vlans {
    /* three S-VLANs on one interface, each with its own C-VLAN range */
    QinQ1 {
        vlan-id 2001;
        interface {
            ge-2/0/43.0;
        }
        dot1q-tunneling {
            customer-vlans 100-200;
        }
    }
    QinQ2 {
        vlan-id 2002;
        interface {
            ge-2/0/43.0;
        }
        dot1q-tunneling {
            customer-vlans 300-400;
        }
    }
    QinQ3 {
        vlan-id 2003;
        interface {
            ge-2/0/43.0;
        }
        dot1q-tunneling {
            customer-vlans 500-600;
        }
    }
}



run show vlans QinQ1 extensive                      
VLAN: QinQ1, Created at: Sat Feb  8 13:20:19 2014
802.1Q Tag: 2001, Internal index: 503, Admin State: Enabled, Origin: Static
Dot1q Tunneling status: Enabled
Customer VLAN ranges:
      100-200
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 0 (Active = 0), Untagged  1 (Active = 1)
      ge-2/0/43.0*, untagged, access


run show vlans QinQ2 extensive    
VLAN: QinQ2, Created at: Sat Feb  8 13:20:19 2014
802.1Q Tag: 2002, Internal index: 504, Admin State: Enabled, Origin: Static
Dot1q Tunneling status: Enabled
Customer VLAN ranges:
      300-400
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 0 (Active = 0), Untagged  1 (Active = 1)
      ge-2/0/43.0*, untagged, access

run show vlans QinQ3 extensive    
VLAN: QinQ3, Created at: Sat Feb  8 13:20:19 2014
802.1Q Tag: 2003, Internal index: 505, Admin State: Enabled, Origin: Static
Dot1q Tunneling status: Enabled
Customer VLAN ranges:
      500-600
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 0 (Active = 0), Untagged  1 (Active = 1)
      ge-2/0/43.0*, untagged, access

 

As we can see - all of them are UNTAGGED. And it works 🙂

And the switch would prevent c-vlans range misconfiguration (overlapping):

error: Interface ge-2/0/43.0 has overlapping cvlans configuration for vlan <QinQ1> tag <100-200> and vlan <QinQ4> tag <100-200>
error: configuration check-out failed
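
A check like the one behind that error message can be run offline before a commit. The following Python sketch is an added example, not part of the original post and not Juniper's code: it parses the QinQ1-QinQ3 stanzas shown above plus a QinQ4 rebuilt from the error message (its vlan-id 2004 is a constructed value), and all function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed input: QinQ1-3 as posted; QinQ4 rebuilt from the error message (vlan-id 2004 is made up).
CONFIG = """vlans {
    QinQ1 { vlan-id 2001; interface { ge-2/0/43.0; } dot1q-tunneling { customer-vlans 100-200; } }
    QinQ2 { vlan-id 2002; interface { ge-2/0/43.0; } dot1q-tunneling { customer-vlans 300-400; } }
    QinQ3 { vlan-id 2003; interface { ge-2/0/43.0; } dot1q-tunneling { customer-vlans 500-600; } }
    QinQ4 { vlan-id 2004; interface { ge-2/0/43.0; } dot1q-tunneling { customer-vlans 100-200; } }
}"""

def parse(text):
    """Turn brace-style config text into nested dicts; leaf statements map to None."""
    tokens = iter(re.findall(r"[{};]|[^\s{};]+", text))
    def block():
        node, words = {}, []
        for tok in tokens:
            if tok == "}":
                break
            if tok in ("{", ";"):
                node[" ".join(words)] = block() if tok == "{" else None
                words = []
            else:
                words.append(tok)
        return node
    return block()

def tunnel_ranges(vlans):
    """Yield (interface, vlan, s_tag, lo, hi) for each customer-vlans range."""
    for name, body in vlans.items():
        s_tag = next((int(k.split()[1]) for k in body if k.startswith("vlan-id ")), None)
        for stmt in body.get("dot1q-tunneling") or {}:
            if stmt.startswith("customer-vlans"):
                for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", stmt):
                    for ifname in body.get("interface") or {}:
                        yield ifname, name, s_tag, int(lo), int(hi or lo)

def overlaps(vlans):
    """Pairs of VLANs whose C-VLAN ranges collide on the same interface."""
    return [(a[1], b[1], a[0]) for a, b in combinations(list(tunnel_ranges(vlans)), 2)
            if a[0] == b[0] and a[3] <= b[4] and b[3] <= a[4]]

def s_vlan_for(vlans, ifname, c_tag):
    """S-VLAN whose range claims c_tag on ifname, or None when no range matches."""
    return next((s for i, _, s, lo, hi in tunnel_ranges(vlans)
                 if i == ifname and lo <= c_tag <= hi), None)

VLANS = parse(CONFIG)["vlans"]
```

Calling overlaps(VLANS) flags the QinQ1/QinQ4 pair on ge-2/0/43.0, and s_vlan_for shows which S-VLAN a given C-tag lands in once the ranges are disjoint.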

 

 


Re: Filter based SVLAN tagging

‎02-08-2014 10:25 PM

Very nice explanation. You see the dilemma we face when trying to assist. You asked about a firewall filter for vlan assignment. You can use a firewall filter using the mapping policy.

"Firewall filters allow you to map an interface to a VLAN based on a policy. Using firewall filters to map an interface to a VLAN is useful when you want a subset of traffic from a port to be mapped to a selected VLAN instead of the designated VLAN. To configure a firewall filter to map an interface to a VLAN, the vlan option has to be configured as part of the firewall filter and the mapping policy option must be specified in the interface configuration for each logical interface using the filter."

What you wanted was this method of assigning cust-vlans an svlan tag with the mapping method. Using the firewall filter simply lets you assign an access interface to a vlan 10, let's say ge-0/0/6.0, which means that by default all traffic entering that port will be tagged 10; but then use a firewall filter to identify interesting traffic coming in on that port and put it in a different vlan, say vlan 20. You would use mapping policy to allow you to place ge-0/0/6.0 in another vlan 20. Normally you can only associate a single vlan to an interface unless it is a trunk port. Different from what you have configured for Q-in-Q tunneling.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

Re: Filter based SVLAN tagging

‎02-08-2014 11:34 PM

Yes, I've asked about "Filter based SVLAN tagging" feature: "You can use a firewall filter to perform S-VLAN tagging as part of the Q-in-Q tunneling feature." But all I've got with using firewall filter is only VLAN SWAPPING.


Re: Filter based SVLAN tagging

‎02-09-2014 04:38 AM

Thanks for the updates EssentialRoot. And your willingness to share the fruits of your labor.

This seems to be one of these areas where the documentation is either non-existent or invisible to search. I find these very frustrating when trying to implement a feature for the first time.

In this case it was especially frustrating for me that I knew a use case from the training (not one you needed obviously) but still could not find it in the official documentation.

And for your "filter based SVLAN tagging", the only results are basically mentions that the feature exists and not HOW it works.

By coincidence just a few days before this thread I had reported a similar problem with a dhcp related feature to the documentation group. I also pointed them to this thread as another example of the need for better documentation linkage with feature explorer and completeness in documentation detail for sub features.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Filter based SVLAN tagging

‎02-09-2014 10:19 AM

I agree with you pulka and I communicate with Juniper on a regular basis on this issue. Sometimes, they have wrong information and they will correct it also. What also frustrates me is that in a number of cases, it does not take a lot to QA and correct before publishing. Not only that, whatever the search algorithm used on Juniper's website is not that great. Googling returns much better results. And as you pointed out this is an example of Juniper saying one thing, but offering no documentation on that feature. I hope that yourself and others will continue to bring this kind of lapse to Juniper's attention and stick with it so you get a positive response. I have to say, Juniper is very good at responding to those issues though.
