
Is there any way?. Out-Vlan-Tagging , In-Transparent

‎05-26-2020 07:49 AM

Hi!

I wonder if someone can solve my doubt.

I need to connect subnets (VLANs) A, B & C from SITE 1 to SITE 2 (see attached diagram).

Between the router and the FW there is a TRUNK.

The thing is:

The outgoing traffic from SITE 2 (VLANs A, B) needs to go out in layer 3 (vlan-tagging) to SITE 1.

But the inbound traffic from SITE 1 (VLANs A, B) needs to ingress in transparent mode.

trunk1.PNG

Is this possible with flexible vlan-tagging, or in any other way?

Thank you very much
Best regards

6 REPLIES

Re: Is there any way?. Out-Vlan-Tagging , In-Transparent

‎05-26-2020 03:44 PM

Hi,

Something that could work, but is limited, would be native-vlan-id, but this would only apply to a single VLAN, to allow untagged traffic to pass through the trunk in both directions. Let's say that Site A is untagged traffic while Site B is tagged, as well as Site C.

Flexible-vlan-tagging will allow the interface to accept single-tagged and dual-tagged frames (https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/flexible-...), so it might not be what you are looking for. What you could do instead is move Site A and B to layer 3 (family inet) on both sides, or modify your design a little.
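
What "single tag and dual tagged frames" means on the wire, as an added example that is not part of any post in this thread: the Python sketch below walks the 802.1Q/802.1ad tag stack of an Ethernet frame and classifies it as untagged, single-tagged or dual-tagged. The frames, MAC addresses and VLAN IDs 100 and 200 are constructed samples, and the function names are illustrative.

```python
import struct

# TPIDs that introduce a VLAN tag: 0x8100 (802.1Q C-tag), 0x88A8 (802.1ad S-tag).
# Some QinQ deployments use 0x8100 for both tags; the loop below handles either.
VLAN_TPIDS = {0x8100, 0x88A8}


def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype); tags lists (tpid, pcp, dei, vid), outermost first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            return tags, ethertype  # reached the real payload EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        # TCI layout: 3 bits priority, 1 bit drop-eligible, 12 bits VLAN ID
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4  # each tag adds 4 bytes in front of the EtherType


def classify(frame: bytes) -> str:
    tags, _ = parse_vlan_tags(frame)
    names = {0: "untagged", 1: "single-tagged", 2: "dual-tagged"}
    return names.get(len(tags), "more than two tags")


def build_frame(vlan_stack, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed sample frame; vlan_stack is [(tpid, vid), ...], outermost first."""
    dst = bytes.fromhex("020000000001")  # constructed, locally administered MACs
    src = bytes.fromhex("020000000002")
    tags = b"".join(struct.pack("!HH", tpid, vid & 0x0FFF) for tpid, vid in vlan_stack)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


# Constructed samples: no tag, one C-tag, and an S-tag wrapping a C-tag (QinQ).
UNTAGGED = build_frame([])
SINGLE = build_frame([(0x8100, 100)])
DUAL = build_frame([(0x88A8, 200), (0x8100, 100)])

if __name__ == "__main__":
    for name, frame in (("UNTAGGED", UNTAGGED), ("SINGLE", SINGLE), ("DUAL", DUAL)):
        print(name, classify(frame), parse_vlan_tags(frame))
```
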


Re: Is there any way?. Out-Vlan-Tagging , In-Transparent

‎05-26-2020 07:29 PM

Hello,

You might be able to pull this off if You:

1/ use 2 logical subinterfaces to interconnect between SITE 1 and SITE 2 

1a/ please make sure there is no L2 loop : You can use FW filters to block BUM traffic on one of these logical subinterfaces 

2/ disable MAC learning and use static MACs for VLANs A & B

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/static-ma...

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: Is there any way?. Out-Vlan-Tagging , In-Transparent

‎05-28-2020 03:21 AM

Hi Jospina,

First of all, thank you for your answer and help.

I have some doubts regarding what you said:

Something that could work, but is limited, would be native-vlan-id, but this would only apply to a single VLAN, to allow untagged traffic to pass through the trunk in both directions. Let's say that Site A is untagged traffic while Site B is tagged, as well as Site C.

What I need to achieve (if there is the possibility) is not to have SITE A untagged and B & C tagged, but that the outgoing traffic from, let's say, SUBNET A on SITE 2 --> to --> SUBNET A on SITE 1 (down-to-up traffic) is tagged, while the traffic that is originated on SUBNET A in SITE 1 and incoming to SUBNET A on SITE 2 (up-to-down) passes through the FW transparently, as if the FW didn't exist.

Do you see any way to achieve that?

Also, I take the opportunity to ask: what exactly is the difference between single and dual tagged frames? I've read the link and searched but still don't quite understand the definition.

Thank you very much
Best regards


Re: Is there any way?. Out-Vlan-Tagging , In-Transparent

‎05-28-2020 03:28 AM

Hi aarseniev,

First of all, thank you for your answer and help.

I also have some doubts regarding what you said:

1/ use 2 logical subinterfaces to interconnect between SITE 1 and SITE 2

1a/ please make sure there is no L2 loop : You can use FW filters to block BUM traffic on one of these logical subinterfaces

2/ disable MAC learning and use static MACs for VLANs A & B

1) Let's say interfaces:
ge-0/0/0.0 (this should be both trunk I understand?)
&
ge-0/0/0.1 (this should be both trunk I understand?)

1a) OK

2) OK

But as I said to Jospina, what I need to achieve (if there is the possibility) is not to have SITE A untagged and B & C tagged, but that the outgoing traffic from, let's say, SUBNET A on SITE 2 --> to --> SUBNET A on SITE 1 (down-to-up traffic) is tagged, while the traffic that is originated on SUBNET A in SITE 1 and incoming to SUBNET A on SITE 2 (up-to-down) passes through the FW transparently, as if the FW didn't exist.

Can the outgoing traffic from VLAN A - SITE 2 be set to be tagged through ge-0/0/0.0, and the traffic originated from VLAN A - SITE 1 to come untagged through ge-0/0/0.1?

I don't quite see how.

Thank you very much
Best regards


Re: Is there any way?. Out-Vlan-Tagging , In-Transparent

‎05-28-2020 04:39 AM

Hello,

@chaimae wrote:

what I need to achieve (if there is the possibility) is not to have SITE A untagged and B & C tagged, but that the outgoing traffic from, let's say, SUBNET A on SITE 2 --> to --> SUBNET A on SITE 1 (down-to-up traffic) is tagged, while the traffic that is originated on SUBNET A in SITE 1 and incoming to SUBNET A on SITE 2 (up-to-down) passes through the FW transparently, as if the FW didn't exist.

Can the outgoing traffic from VLAN A - SITE 2 be set to be tagged through ge-0/0/0.0, and the traffic originated from VLAN A - SITE 1 to come untagged through ge-0/0/0.1?

Ok so we are finally cooking on gas mark 4 ;-)


So, ge-0/0/0.0 is for Up->Down untagged traffic, hence ge-0/0/0.0 must be mapped to a "native VLAN".

And ge-0/0/0.1 is for Down->Up tagged traffic so ge-0/0/0.1 must not be mapped to a "native VLAN".

Example ge-0/0/0 interface configuration for MX router, applies to both SITE1/UP and SITE2/DOWN:

set interfaces ge-0/0/0 encapsulation flexible-ethernet-services
set interfaces ge-0/0/0 flexible-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id 100
## ge-0/0/0.0: untagged Up->Down traffic, mapped to the native VLAN
set interfaces ge-0/0/0.0 encapsulation vlan-bridge
set interfaces ge-0/0/0.0 vlan-id 100
set interfaces ge-0/0/0.0 family bridge
## ge-0/0/0.1: tagged Down->Up traffic, not mapped to the native VLAN
set interfaces ge-0/0/0.1 encapsulation vlan-bridge
set interfaces ge-0/0/0.1 vlan-id 1
set interfaces ge-0/0/0.1 family bridge


Example bridge-domain configuration for MX router on SITE1/UP-side:

set bridge-domains VLAN-A domain-type bridge
set bridge-domains VLAN-A vlan-id 123 ## not required for this solution to work, just for Your peace of mind
set bridge-domains VLAN-A interface ge-0/0/0.0
set bridge-domains VLAN-A interface ge-0/0/0.1
set bridge-domains VLAN-A bridge-options no-mac-learning
set bridge-domains VLAN-A bridge-options interface ge-0/0/0.0 static-mac BLAH:BLAH:BLAH

For the MX router on SITE2/DOWN-side bridge-domain config, You have to assign static MACs to point to a tagged interface.


Finally, a filter to stop L2 loop, applies to both SITE1 and SITE2 MX routers:

set firewall family bridge filter FF-DROP-BUM interface-specific
set firewall family bridge filter FF-DROP-BUM term 1 from interface ge-0/0/0.0
set firewall family bridge filter FF-DROP-BUM term 1 from interface ge-0/0/0.1
set firewall family bridge filter FF-DROP-BUM term 1 then discard
set firewall family bridge filter FF-DROP-BUM term 1 then count CNT-DROP-BUM
set firewall family bridge filter FF-DROP-BUM term 2 then accept
set interfaces ge-0/0/0.0 family bridge filter output FF-DROP-BUM
set interfaces ge-0/0/0.1 family bridge filter output FF-DROP-BUM


Hope this makes sense.

HTH

Thx

Alex

Re: Is there any way?. Out-Vlan-Tagging , In-Transparent

‎05-28-2020 07:10 AM

@aarseniev wrote:

Ok so we are finally cooking on gas mark 4 ;-)

hahahaha

@aarseniev wrote:

Hope this makes sense.

I am not that experienced, so I will have to look into some of those options to fully understand exactly how it works, but I'll jump right into it now and give it a try!

As soon as I am able to try it, I will tell you how it went.

Thank you so much!

Best regards!