It is often necessary to split broadcast traffic or to restrict communication between hosts within the same VLAN. Private VLAN (PVLAN) is a switch feature that does exactly that: it splits the broadcast domain and restricts which hosts in the same VLAN can talk to each other, while they still share one IP subnet and one gateway. Private VLANs can be configured on all models of Juniper switches. In this post, I will show the steps to configure private VLANs on a Juniper switch.
Configure Private VLANs in Juniper Switch
A private VLAN on a Juniper switch can contain four types of switch ports.
- Promiscuous Port – A trunk port on the switch that connects uplink to a router, firewall or servers. A promiscuous port can communicate with all other private VLAN ports within the private VLAN. The port is made a member of the primary VLAN and must carry an 802.1Q tag. Trunk ports that are members of a private VLAN are promiscuous ports.
- Community Port – A port in a community VLAN. Hosts connected to ports in the same community VLAN can communicate with each other and with the promiscuous port of the same private VLAN. A community VLAN is a secondary VLAN that is associated with the primary VLAN.
- Isolated Port – An isolated port cannot communicate with hosts on other isolated ports or on community ports within the same private VLAN. It can communicate only with the promiscuous port and with PVLAN trunk ports. If all isolated ports are on a single switch, you do not need to create a VLAN for them. Juniper switches also have another flavor of isolated port, the inter-switch isolated VLAN. This VLAN is used to pass traffic from an isolated port of one switch to an isolated port of another switch through a PVLAN trunk. An inter-switch isolated VLAN must have a secondary VLAN ID associated with it.
- PVLAN Trunk Port – The trunk port used to connect two or more switches when the PVLAN is configured on all of them. The trunk port is a member of all the private VLANs: the primary VLAN, the community VLANs and the inter-switch isolated VLAN. Trunk ports that are members of private VLANs with the pvlan-trunk statement are PVLAN trunk ports.
Before creating private VLANs on a Juniper switch, check whether the version of Junos running on the switch supports the PVLAN feature. I am running Junos 12.3R6.6 on an EX3300 switch. Here is our simple scenario.
We have a single switch connected to an SRX gateway. In addition, we have two community VLANs, COMM-SALES-10 and COMM-MARKETING-20, and one isolated VLAN with no VLAN ID, because this is a single-switch setup.
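To make the four port types and this scenario concrete, here is an added Python model (example code, not part of the original post) that encodes the forwarding rules from the port-type list above and computes which of the scenario's ports can exchange frames. The port names and community VLAN names are the ones used in this post; the PvlanPort structure, the function names and any extra ports used to show the general case are this example's own assumptions.

```python
# Added example (not from the original post): a model of the private VLAN
# forwarding rules from the port-type list, applied to this post's scenario.
# Port names and community VLAN names come from the post; the PvlanPort
# structure and function names are this example's own (hypothetical) design.
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

PROMISCUOUS = "promiscuous"   # trunk uplink to router/firewall; reaches everything
COMMUNITY = "community"       # reaches same community + promiscuous/pvlan-trunk
ISOLATED = "isolated"         # reaches only promiscuous/pvlan-trunk ports
PVLAN_TRUNK = "pvlan-trunk"   # inter-switch trunk; carries every PVLAN


@dataclass(frozen=True)
class PvlanPort:
    name: str
    kind: str
    community: Optional[str] = None   # set only for community ports


def can_communicate(a: PvlanPort, b: PvlanPort) -> bool:
    """True if a frame entering port a may be forwarded out of port b.

    Rules as described in the post's port-type list:
      * promiscuous and PVLAN trunk ports can talk to every port in the PVLAN;
      * community ports can talk to other ports of the same community VLAN;
      * isolated ports can talk only to promiscuous and PVLAN trunk ports.
    """
    if a.name == b.name:
        return True
    if a.kind in (PROMISCUOUS, PVLAN_TRUNK) or b.kind in (PROMISCUOUS, PVLAN_TRUNK):
        return True
    if a.kind == COMMUNITY and b.kind == COMMUNITY:
        return a.community == b.community
    return False   # isolated<->isolated and isolated<->community are blocked


def blocked_pairs(ports: List[PvlanPort]) -> List[Tuple[str, str]]:
    """Unordered pairs of distinct ports that the PVLAN keeps apart."""
    return sorted((a.name, b.name)
                  for a, b in combinations(ports, 2)
                  if not can_communicate(a, b))


# The post's single-switch scenario.
SCENARIO = [
    PvlanPort("ge-0/0/0", PROMISCUOUS),                    # trunk to the SRX
    PvlanPort("ge-0/0/3", COMMUNITY, "COMM-SALES-10"),
    PvlanPort("ge-0/0/4", COMMUNITY, "COMM-MARKETING-20"),
    PvlanPort("ge-0/0/5", ISOLATED),
]


def print_matrix(ports: List[PvlanPort]) -> None:
    """Print a reachability table, one row per source port."""
    width = max(len(p.name) for p in ports)
    print(" " * width, *[p.name.rjust(width) for p in ports])
    for a in ports:
        cells = ["yes" if can_communicate(a, b) else "no" for b in ports]
        print(a.name.ljust(width), *[c.rjust(width) for c in cells])


if __name__ == "__main__":
    print_matrix(SCENARIO)
    print("blocked:", blocked_pairs(SCENARIO))
```

Running it prints the matrix for the scenario: every host port reaches ge-0/0/0 (and therefore the SRX gateway), the two community ports cannot reach each other, and the isolated port reaches nothing but the uplink. Adding a second isolated port or a second port in COMM-SALES-10 to SCENARIO shows the general rule: isolated ports never reach each other, same-community ports always do.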
First, let's look at the configuration of the SRX. The promiscuous trunk port (ge-0/0/0 of the switch) is connected to port ge-0/0/0 of the SRX, so the SRX port needs to understand the tagged frames sent by the switch. We therefore configure VLAN tagging on the SRX port as follows:

```
[edit interfaces ge-0/0/0]
root@SRX# show
vlan-tagging;
unit 100 {
    vlan-id 100;
    family inet {
        address 192.168.10.1/24;
    }
}
```
Now, let’s configure the switch step by step.
Step 1. Configure the primary VLAN name and VLAN ID 100. The no-local-switching statement is what makes this VLAN a private VLAN primary: hosts in it cannot talk to each other directly.

```
{master:0}[edit]
root@EX3300# set vlans PVLAN vlan-id 100 no-local-switching
```
Step 2. Configure the promiscuous trunk port.
```
{master:0}[edit interfaces ge-0/0/0]
root@EX3300# set unit 0 family ethernet-switching port-mode trunk
{master:0}[edit interfaces ge-0/0/0]
root@EX3300# set unit 0 family ethernet-switching vlan members PVLAN
```
Step 3. Assign the promiscuous trunk port to the primary VLAN.

```
{master:0}[edit vlans]
root@EX3300# set PVLAN interface ge-0/0/0
```
Step 4. Configure the access ports. All community ports and isolated ports must be in access port mode.

```
{master:0}[edit]
root# set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
{master:0}[edit]
root# set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
{master:0}[edit]
root# set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access
```
Step 5. Configure the community VLANs, associate each with the primary VLAN, and assign ports to them.

```
{master:0}[edit vlans]
root@EX3300# set COMM-SALES-10 vlan-id 10
{master:0}[edit vlans]
root@EX3300# set COMM-SALES-10 primary-vlan PVLAN
{master:0}[edit vlans]
root@EX3300# set COMM-SALES-10 interface ge-0/0/3
{master:0}[edit vlans]
root@EX3300# set COMM-MARKETING-20 vlan-id 20
{master:0}[edit vlans]
root@EX3300# set COMM-MARKETING-20 primary-vlan PVLAN
{master:0}[edit vlans]
root@EX3300# set COMM-MARKETING-20 interface ge-0/0/4
```
Step 6. Assign the isolated port to the primary VLAN. Because this is a single-switch setup, no isolated VLAN is configured explicitly; the switch creates an internal isolated VLAN for the port.

```
{master:0}[edit vlans]
root@EX3300# set PVLAN interface ge-0/0/5.0
```
To verify the configuration, use the following commands:

```
root@EX3300> show vlans
root@EX3300> show vlans PVLAN extensive
root@EX3300> show vlans extensive
```
Here is the resulting VLAN configuration:

```
{master:0}[edit vlans]
root# show
COMM-MARKETING-20 {
    vlan-id 20;
    interface {
        ge-0/0/4.0;
    }
    primary-vlan PVLAN;
}
COMM-SALES-10 {
    vlan-id 10;
    interface {
        ge-0/0/3.0;
    }
    primary-vlan PVLAN;
}
PVLAN {
    vlan-id 100;
    interface {
        ge-0/0/0.0;   // This is the promiscuous port. See steps 2 and 3 above.
        ge-0/0/5.0;   // This is the isolated port. See step 6 above.
    }
    no-local-switching;
}
```
Here is the output of the show vlans command. Note that the promiscuous port ge-0/0/0.0 appears in every secondary VLAN, and that the isolated port ge-0/0/5.0 was placed in an automatically created VLAN with no tag.

```
{master:0}[edit vlans]
root# run show vlans
Name                         Tag     Interfaces
COMM-MARKETING-20            20      ge-0/0/0.0*, ge-0/0/4.0
COMM-SALES-10                10      ge-0/0/0.0*, ge-0/0/3.0
PVLAN                        100     ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0
__pvlan_PVLAN_ge-0/0/5.0__           ge-0/0/0.0*, ge-0/0/5.0
default                              ge-0/0/2.0*, ge-0/0/8.0
```
Here is the output of the show vlans PVLAN extensive command. The secondary VLAN summary shows Isolated 1, Community 2.

```
root# run show vlans PVLAN extensive
VLAN: PVLAN, Created at: Sun Jun 29 15:30:35 2014
802.1Q Tag: 100, Internal index: 2, Admin State: Enabled, Origin: Static
Private VLAN Mode: Primary
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 1 (Active = 1), Untagged 3 (Active = 0)
    ge-0/0/0.0*, tagged, trunk
    ge-0/0/3.0, untagged, access
    ge-0/0/4.0, untagged, access
    ge-0/0/5.0, untagged, access
Secondary VLANs: Isolated 1, Community 2, Inter-switch-isolated 0
    Isolated VLANs :
        __pvlan_PVLAN_ge-0/0/5.0__
    Community VLANs :
        COMM-MARKETING-20
        COMM-SALES-10
```
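As an added example (not from the original post), here is a small Python parser for the show vlans PVLAN extensive output above, together with the consistency checks a practitioner would want to run before trusting that the isolation is in place. The sample text is re-typed from the output above; the function names parse_pvlan_extensive(), audit() and inactive_ports() are this example's own design, and the checks cover only what this one command shows.

```python
# Added example (not from the original post): parse the text of
# "show vlans PVLAN extensive" and run a few consistency checks on it.
# SAMPLE is the output shown in the post, re-typed here; the helper
# functions are this example's own (hypothetical) design.
import re
from typing import Dict, List

SAMPLE = """\
VLAN: PVLAN, Created at: Sun Jun 29 15:30:35 2014
802.1Q Tag: 100, Internal index: 2, Admin State: Enabled, Origin: Static
Private VLAN Mode: Primary
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 1 (Active = 1), Untagged 3 (Active = 0)
    ge-0/0/0.0*, tagged, trunk
    ge-0/0/3.0, untagged, access
    ge-0/0/4.0, untagged, access
    ge-0/0/5.0, untagged, access
Secondary VLANs: Isolated 1, Community 2, Inter-switch-isolated 0
    Isolated VLANs :
        __pvlan_PVLAN_ge-0/0/5.0__
    Community VLANs :
        COMM-MARKETING-20
        COMM-SALES-10
"""

# "ge-0/0/0.0*, tagged, trunk": the trailing "*" marks an active (link-up) port.
IFACE_RE = re.compile(r"(\S+?)(\*?), (tagged|untagged), (\w+)$")


def parse_pvlan_extensive(text: str) -> Dict:
    """Turn the CLI output into a dict; only the fields this example uses are kept."""
    info = {"interfaces": [], "isolated_vlans": [], "community_vlans": [],
            "secondary": {}, "declared": {}}
    section = None                      # which secondary VLAN name list we are in
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"VLAN: (\S+),", line):
            info["name"] = m.group(1)
        elif m := re.match(r"802\.1Q Tag: (\d+)", line):
            info["tag"] = int(m.group(1))
        elif m := re.match(r"Private VLAN Mode: (\w+)", line):
            info["mode"] = m.group(1)
        elif m := re.match(r"Number of interfaces: Tagged (\d+).*Untagged (\d+)", line):
            info["declared"] = {"tagged": int(m.group(1)), "untagged": int(m.group(2))}
        elif m := re.match(r"Secondary VLANs: (.*)", line):
            for kind, count in re.findall(r"([\w-]+) (\d+)", m.group(1)):
                info["secondary"][kind] = int(count)
        elif line == "Isolated VLANs :":
            section = "isolated_vlans"
        elif line == "Community VLANs :":
            section = "community_vlans"
        elif m := IFACE_RE.match(line):
            info["interfaces"].append({"name": m.group(1), "active": m.group(2) == "*",
                                       "tagging": m.group(3), "mode": m.group(4)})
        elif section:
            info[section].append(line)
    return info


def audit(info: Dict) -> List[str]:
    """Findings a reviewer would want before trusting the isolation; empty = ok."""
    findings = []
    if info.get("mode") != "Primary":
        findings.append("VLAN is not a private VLAN primary (check no-local-switching)")
    if not any(i["mode"] == "trunk" for i in info["interfaces"]):
        findings.append("no trunk port: hosts have no promiscuous path to the gateway")
    tagged = sum(1 for i in info["interfaces"] if i["tagging"] == "tagged")
    untagged = len(info["interfaces"]) - tagged
    declared = info["declared"]
    if declared and (tagged, untagged) != (declared["tagged"], declared["untagged"]):
        findings.append("interface list does not match the declared tagged/untagged counts")
    if not any(info["secondary"].values()):
        findings.append("no secondary VLANs yet: no host port is being isolated")
    return findings


def inactive_ports(info: Dict) -> List[str]:
    """Ports with no link: isolation on these has not been exercised by a live host."""
    return [i["name"] for i in info["interfaces"] if not i["active"]]


if __name__ == "__main__":
    parsed = parse_pvlan_extensive(SAMPLE)
    print(parsed["name"], parsed["tag"], parsed["mode"], parsed["secondary"])
    print("findings:", audit(parsed) or "none")
    print("ports without link:", inactive_ports(parsed))
```

On the post's output the audit returns no findings, but inactive_ports() lists all three access ports (the "Untagged 3 (Active = 0)" line): the configuration is in place, yet until hosts are connected and tested the isolation has only been verified on paper.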
In this way you can configure private VLANs on a Juniper switch.