Ethernet Switching

mac-based vlans

‎02-28-2011 07:31 AM

Hi

 

How can I set mac-based vlans on ex-2200 or ex-4200?

It should be supported:

EX Series Switch Software Features Overview

but I didn't find any guide. Does it have something to do with ethernet firewall filters?

 

Waiting for reply.

9 REPLIES

Re: mac-based vlans
‎02-28-2011 12:14 PM

By 'mac-based vlans' do you mean layer 2 VLANs?

 

Here is some information, hope it is useful.

 

JUNOS EX has two types of ports when it comes to VLANs:

 

  • Access ports - ports that are members of 1 (and only 1) VLAN, these ports do not carry 802.1q tagged VLAN traffic
  • Trunk ports - carry multiple VLANs via 802.1q tagging

Ports are access ports by default in JUNOS and are initially part of the default VLAN on the switch (more on that in a minute).

 

Creating a VLAN is pretty easy:

 

[edit]

 edit vlans

 

[edit vlans]

set <vlan name> vlan-id <ID>

 

For example:

 

[edit]

root@burro# edit vlans

 

[edit vlans]

root@burro# set blue vlan-id 10

root@burro# set orange vlan-id 20

root@burro# commit

 

Now you can assign ports to your VLANs via set <interface> unit <unit number> family ethernet-switching vlan members <VLAN>

 

[edit vlans]

root@burro# up

 

[edit]

root@burro# edit interfaces

 

[edit interfaces]

root@burro#  set ge-0/0/0 unit 0 family ethernet-switching vlan members blue

root@burro# set ge-0/0/1 unit 0 family ethernet-switching vlan members orange

 

Now we need a trunk port to allow our VLANs to travel to another switch:

 

[edit interfaces]

root@burro# set ge-0/0/23 unit 0 family ethernet-switching port-mode trunk

 

And then we make this port a member of the VLANs that we want the port to handle:

 

[edit interfaces]

root@burro# set ge-0/0/23 unit 0 family ethernet-switching vlan members blue

root@burro# set ge-0/0/23 unit 0 family ethernet-switching vlan members orange

root@burro# commit

 

 

The following is true of the default VLAN:

 

  • By default each switch has a common default VLAN named 'default'
  • This default VLAN is untagged and has no VLAN ID
  • JUNOS EX trunk ports do not accept untagged traffic

If you wanted to pass traffic from the default VLAN over a trunk port you would do the following:

 

set <trunk interface> unit 0 family ethernet-switching native-vlan-id default

 

[edit interfaces]

root@burro# set ge-0/0/23 unit 0 family ethernet-switching native-vlan-id default

 

You can also add a VLAN ID to the default VLAN:

 

[edit]

root@burro# set vlans default vlan-id 1

root@burro# commit

 

Running 'show vlans detail' in operational mode on your switch will now show the native/default VLAN with an ID of 1.

 

You can create a layer 3 VLAN by adding what Juniper calls a 'routed VLAN interface' or 'RVI'. The only real difference between a layer 2 VLAN and a layer 3 VLAN, in terms of configuration, is that you are adding an IP address to your VLAN.

 

set interfaces vlan unit <VLAN ID> family inet address <VLAN IP/mask>

 

[edit interfaces]

root@burro# set vlan unit 10 family inet address 192.168.1.1/24

root@burro# set vlan unit 20 family inet address 192.168.2.1/24

 

Now we associate the layer 3 interface with the VLAN:

 

[edit]

root@burro# set vlans blue l3-interface vlan.10

root@burro# set vlans orange l3-interface vlan.20

root@burro# commit

 

Now our end node devices such as a PC can use the VLAN interface IP as the default gateway and the switch will route traffic between the VLANs.

Re: mac-based vlans
‎02-28-2011 12:38 PM

Yes, I mean L2 VLANs

 

http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/ex-series-software-features-overview....

- Table 11: Layer 2 Network Protocols Features by Junos OS Release

-- MAC-based VLANs

 

Nice guide :)

I only want to have something that other vendors have. For example, you have a VoIP phone with MAC 00:11:22:aa:bb:cc that does not support VLAN tagging, and you want to tag traffic from that MAC and untag it in the other direction on the access port. Or to another VLAN if the MAC is different... Maybe I saw a solution through family ethernet firewall filters ... then vlan statement. I didn't check it.

Re: mac-based vlans
‎02-28-2011 01:46 PM

I can't find anything on how to set up a JUNOS MAC-based VLAN.

 

The table you listed shows this but I can't find information anywhere on how to do it exactly.

Re: mac-based vlans
‎02-28-2011 01:53 PM
Thanks for your attention :-)

Re: mac-based vlans
‎03-01-2011 07:16 PM

Yes, the EX family supports filter-based VLAN assignments. In this example I show you how to match on a list of source-mac-addresses, accept the packet, and move it into the VLAN called "test".

 

 

root@EX4200# show firewall 
family ethernet-switching {
    filter mac-based {
        term 1 {
            from {
                source-mac-address {
                    00:00:00:00:00:11;
                    00:00:00:00:00:12;
                    00:00:00:00:00:13;
                    00:00:00:00:00:14;
                    00:00:00:00:00:15;
                }
            }
            then {
                accept;
                vlan test;
            }
        }
    }
}

 

Then just apply this firewall filter where you need to dynamically assign VLANs.

 

Doug Hanks
JNCIE-ENT #213, JNCIE-SP #875

Follow me on Twitter @douglashanksjr

Re: mac-based vlans
‎03-01-2011 11:36 PM

 

[edit firewall]
root@ex2200# show
family ethernet-switching {
    filter mac-based {
        term 1 {
            from {
                source-mac-address {
                    00:00:00:00:00:11/48;
                    00:00:00:00:00:12/48;
                    00:00:00:00:00:13/48;
                    00:00:00:00:00:14/48;
                    00:00:00:00:00:15/48;
                }
            }
            then {
                accept;
                ##
                ## Warning: statement ignored: unsupported platform (ex2200-48t-4g)
                ##
                vlan vlan1337;
            }
        }
    }
}

Unfortunately not on ex2200 :( JUNOS Base OS Software Suite [10.4R1.9]

But the table said

MAC-based VLANs ex2200 - 10.1R1

or could I ignore that Warning?

 

Re: mac-based vlans
‎03-17-2011 12:12 AM

Can someone paste a working configuration with the interface config? Is it trunk or access? Because this doesn't work on ex-4200. If I'm right, this should make all traffic from MAC address 000000000011 tagged with vlan test?

 

root@EX4200# show firewall
family ethernet-switching {
    filter mac-based {
        term 1 {
            from {
                source-mac-address {
                    00:00:00:00:00:11;
                }
            }
            then {
                accept;
                vlan test;
            }
        }
    }
}

Re: mac-based vlans
‎03-18-2011 03:15 AM

Hi,

 

Did you apply your FF on the ingress interfaces? Like this:

lab@ex8208-1-re0# set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input mac-based

 

Kind Regards

Michael Pergament
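
The two problems raised in this thread (the vlan action being ignored with an "unsupported platform" warning, and the filter not being applied as an input filter on the ingress interface) can be checked offline against a saved configuration. The script below is an added example, not code from any poster or from Juniper; the sample configuration, VLAN ID 30, the filter name mac-lab and the VLAN name lab are constructed for illustration.

```python
import re

# Constructed sample in Junos brace syntax (assumed names and IDs, not from a real device).
SAMPLE = """
vlans { test { vlan-id 30; } }
interfaces { ge-0/0/0 { unit 0 { family ethernet-switching { filter { input mac-based; } } } } }
firewall { family ethernet-switching {
    filter mac-based { term 1 { from { source-mac-address { 00:00:00:00:00:11; } } then { accept; vlan test; } } }
    filter mac-lab { term 1 { from { source-mac-address { 00:00:00:00:00:12; } } then { accept;
        ## Warning: statement ignored: unsupported platform
        vlan lab; } } }
} }
"""

def flatten(config):
    """Return (path, statement, warned) for every leaf statement."""
    stack, leaves, warned, text = [], [], False, ""
    for line in config.splitlines():
        if line.strip().startswith("##"):  # Junos annotation on the statement that follows
            warned = warned or "statement ignored" in line
            continue
        for tok in re.findall(r"[^{};]+|[{};]", line):
            if tok == "{":
                stack.append(text)      # open a block named by the preceding text
            elif tok == "}":
                stack.pop()
            elif tok == ";":
                leaves.append((tuple(stack), text, warned))
                warned = False
            else:
                text = tok.strip()
    return leaves

def audit(config):
    """Return sorted (filter, finding) pairs for filters that use the 'vlan' action."""
    leaves = flatten(config)
    vlans = {p[1] for p, _, _ in leaves if len(p) > 1 and p[0] == "vlans"}
    applied = {s.split()[1] for p, s, _ in leaves
               if p[:1] == ("interfaces",) and p[-1] == "filter" and s.startswith("input ")}
    found = set()
    for path, stmt, warned in leaves:
        name = next((p.split()[1] for p in path if p.startswith("filter ")), None)
        if name and path[-1] == "then" and stmt.startswith("vlan "):
            checks = [(warned, "vlan action ignored on this platform"),
                      (stmt.split()[1] not in vlans, "vlan %s not defined" % stmt.split()[1]),
                      (name not in applied, "not applied as an input filter")]
            found.update((name, msg) for bad, msg in checks if bad)
    return sorted(found)
```

Calling audit(SAMPLE) reports nothing for mac-based and three findings for mac-lab.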

Re: mac-based vlans
‎10-17-2011 06:45 AM

I found that it is possible via dot1x configuration:

 

root@test> show configuration protocols dot1x
authenticator {
    static {
        00:d0:e9:00:00:00/24 {
            vlan-assignment voice;
        }
    }
}