Juniper SRX / EX Q-in-Q VLAN Tagging

In official Juniper documents you can hardly find any information on Q-in-Q VLAN tagging configuration for SRX 210 devices; all they provide is a few configs for high-end devices or J-Series routers.

I highlighted the info that Juniper provides:

Q-in-Q tunneling, defined by the IEEE 802.1ad standard, allows service providers on Ethernet access networks to extend a Layer 2 Ethernet connection between two customer sites. 
In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service provider's VLAN, a service provider-specific 802.1Q tag is added to the packet. This additional tag is used to segregate traffic into service-provider-defined service VLANs (S-VLANs). The original customer 802.1Q tag of the packet remains and is transmitted transparently, passing through the service provider's network. As the packet leaves the S-VLAN in the downstream direction, the extra 802.1Q tag is removed.

Note: When Q-in-Q tunneling is configured for a service provider’s VLAN, all Routing Engine packets, including packets from the routed VLAN interface, that are transmitted from the customer-facing access port of that VLAN will always be untagged.


There are three ways to map C-VLANs to an S-VLAN: 
  • All-in-one bundling—Use the dot1q-tunneling statement at the [edit vlans] hierarchy to map without specifying customer VLANs. All packets from a specific access interface are mapped to the S-VLAN. 
  • Many-to-one bundling—Use the customer-vlans statement at the [edit vlans] hierarchy to specify which C-VLANs are mapped to the S-VLAN.
  • Mapping C-VLAN on a specific interface—Use the mapping statement at the [edit vlans] hierarchy to map a specific C-VLAN on a specified access interface to the S-VLAN.

Note: On SRX650 devices, in the dot1q-tunneling configuration options, customer VLANs range and VLAN push do not work together for the same S-VLAN, even when you commit the configuration. If both are configured, then VLAN push takes priority over customer VLANs range. 





So now I'd like to show a small lab with the configuration for each SRX 210 device, as presented by Pradeep (JNCIP-Security). Thanks, Pradeep )))

CE1 :
set interfaces fe-0/0/0.0 family ethernet-switching
set interfaces fe-0/0/7.0 family ethernet-switching port-mode trunk
set vlans v100 vlan-id 100
set vlans v100 interface fe-0/0/0.0
set vlans v100 interface fe-0/0/7.0

PE1 :

set interfaces ge-0/0/0.0 family ethernet-switching
set interfaces ge-0/0/7.0 family ethernet-switching port-mode trunk
set vlans v200 vlan-id 200
set vlans v200 interface ge-0/0/0.0
set vlans v200 interface ge-0/0/7.0
set vlans v200 dot1q-tunneling

PE2 :

set interfaces ge-0/0/0.0 family ethernet-switching
set interfaces ge-0/0/7.0 family ethernet-switching port-mode trunk
set vlans v200 vlan-id 200
set vlans v200 interface ge-0/0/0.0
set vlans v200 interface ge-0/0/7.0
set vlans v200 dot1q-tunneling

CE2 :

set interfaces ge-0/0/0.0 family ethernet-switching
set interfaces ge-0/0/7.0 family ethernet-switching port-mode trunk
set vlans v100 vlan-id 100
set vlans v100 interface ge-0/0/0.0
set vlans v100 interface ge-0/0/7.0


PC1 and PC2 should be able to communicate with each other.
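
The tag handling this lab relies on, as an added example that is not part of the original post or of Juniper's documentation: a frame from PC1 picks up C-VLAN tag 100 on the CE1 trunk, PE1 pushes S-VLAN tag 200 on top, and PE2 removes it again. The MAC addresses and payload are constructed, and the outer TPID 0x88A8 is an assumption taken from IEEE 802.1ad; the ether-type your devices actually put in the S-tag may differ.

```python
import struct

TPID_8021Q = 0x8100   # C-tag TPID (IEEE 802.1Q)
TPID_8021AD = 0x88A8  # S-tag TPID per IEEE 802.1ad (assumed for this lab)
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}

def make_tag(tpid, vid, pcp=0, dei=0):
    """Build one 4-byte VLAN tag: 16-bit TPID + 16-bit TCI (PCP/DEI/VID)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)

def push_tag(frame, tpid, vid):
    """Insert a tag right after the 12 bytes of destination + source MAC."""
    return frame[:12] + make_tag(tpid, vid) + frame[12:]

def pop_tag(frame):
    """Remove the outermost tag, as the egress PE does toward the customer."""
    tpid, = struct.unpack("!H", frame[12:14])
    if tpid not in TAG_TPIDS:
        raise ValueError("frame has no VLAN tag")
    return frame[:12] + frame[16:]

def vlan_stack(frame):
    """Return ([(tpid, vid), ...] outermost first, inner EtherType)."""
    tags, off = [], 12
    while True:
        etype, = struct.unpack("!H", frame[off:off + 2])
        if etype not in TAG_TPIDS:
            return tags, etype
        tci, = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append((etype, tci & 0x0FFF))
        off += 4

# Constructed sample: PC1 -> PC2 IPv4 frame, made-up MACs, dummy 46-byte payload.
DST, SRC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
untagged = DST + SRC + struct.pack("!H", 0x0800) + b"\x00" * 46

ce_frame = push_tag(untagged, TPID_8021Q, 100)      # CE1 trunk: C-VLAN 100
core_frame = push_tag(ce_frame, TPID_8021AD, 200)   # PE1: S-VLAN 200 on top
delivered = pop_tag(core_frame)                     # PE2: S-tag removed

if __name__ == "__main__":
    print(vlan_stack(core_frame))
    print(len(ce_frame), "->", len(core_frame), "bytes on the PE1-PE2 trunk")
```

Each tag adds 4 bytes, so the PE-to-PE trunk carries frames 4 bytes longer than the customer sent; check the MTU on that link if full-size customer frames are dropped.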








