Juniper SRX / EX Q-in-Q VLAN Tagging

In official Juniper documents you can hardly find information regarding Q-in-Q VLAN tagging configuration for SRX 210 devices; all the information they provide is only a few configs for high-end devices or J-series routers.

I highlighted the info that Juniper provides:

Q-in-Q tunneling, defined by the IEEE 802.1ad standard, allows service providers on Ethernet access networks to extend a Layer 2 Ethernet connection between two customer sites. 
In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service provider's VLAN, a service provider-specific 802.1Q tag is added to the packet. This additional tag is used to segregate traffic into service-provider-defined service VLANs (S-VLANs). The original customer 802.1Q tag of the packet remains and is transmitted transparently, passing through the service provider's network. As the packet leaves the S-VLAN in the downstream direction, the extra 802.1Q tag is removed.

Note: When Q-in-Q tunneling is configured for a service provider’s VLAN, all Routing Engine packets, including packets from the routed VLAN interface, that are transmitted from the customer-facing access port of that VLAN will always be untagged.


There are three ways to map C-VLANs to an S-VLAN: 
  • All-in-one bundling—Use the dot1q-tunneling statement at the [edit vlans] hierarchy to map without specifying customer VLANs. All packets from a specific access interface are mapped to the S-VLAN. 
  • Many-to-one bundling—Use the customer-vlans statement at the [edit vlans] hierarchy to specify which C-VLANs are mapped to the S-VLAN.
  • Mapping C-VLAN on a specific interface—Use the mapping statement at the [edit vlans] hierarchy to map a specific C-VLAN on a specified access interface to the S-VLAN.

Note: On SRX650 devices, in the dot1q-tunneling configuration options, customer VLANs range and VLAN push do not work together for the same S-VLAN, even when you commit the configuration. If both are configured, then VLAN push takes priority over customer VLANs range. 





So now I'd like to show a small lab, with the configuration on each SRX 210 device, that was presented by Pradeep (JNCIP-Security). Thanks, Pradeep )))

CE1 :
set interfaces fe-0/0/0.0 family ethernet-switching
set interfaces fe-0/0/7.0 family ethernet-switching port-mode trunk
set vlans v100 vlan-id 100
set vlans v100 interface fe-0/0/0.0
set vlans v100 interface fe-0/0/7.0

PE1 :

set interfaces ge-0/0/0.0 family ethernet-switching
set interfaces ge-0/0/7.0 family ethernet-switching port-mode trunk
set vlans v200 vlan-id 200
set vlans v200 interface ge-0/0/0.0
set vlans v200 interface ge-0/0/7.0
set vlans v200 dot1q-tunneling

PE2 :

set interfaces ge-0/0/0.0 family ethernet-switching
set interfaces ge-0/0/7.0 family ethernet-switching port-mode trunk
set vlans v200 vlan-id 200
set vlans v200 interface ge-0/0/0.0
set vlans v200 interface ge-0/0/7.0
set vlans v200 dot1q-tunneling

CE2 :

set interfaces ge-0/0/0.0 family ethernet-switching
set interfaces ge-0/0/7.0 family ethernet-switching port-mode trunk
set vlans v100 vlan-id 100
set vlans v100 interface ge-0/0/0.0
set vlans v100 interface ge-0/0/7.0


PC1 and PC2 should be able to communicate with each other.
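To check the lab from a packet capture, the following added example (not part of the original post or of Pradeep's lab) models the tag stack a frame from PC1 should carry on each link: C-VLAN 100 on the CE trunk, S-VLAN 200 pushed on top by PE1, and the S-tag removed again at PE2. The MAC addresses and payload are constructed, and the outer TPID is an assumption: 0x88a8 is the IEEE 802.1ad value, but the value a given device puts on the wire depends on its configuration, so it is a parameter here.

```python
import struct

TPID_CTAG = 0x8100   # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8   # IEEE 802.1ad service tag (assumed outer TPID, see lead-in)
TAG_TPIDS = {TPID_CTAG, TPID_STAG}

def push_tag(frame: bytes, vid: int, tpid: int = TPID_STAG, pcp: int = 0) -> bytes:
    """Insert a VLAN tag right after the destination and source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]

def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost VLAN tag; reject untagged frames."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] not in TAG_TPIDS:
        raise ValueError("no VLAN tag to pop")
    return frame[:12] + frame[16:]

def tag_stack(frame: bytes):
    """Return ([(tpid, vid), ...] outermost first, inner EtherType)."""
    tags, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack("!H", frame[off:off + 2])
        if etype not in TAG_TPIDS:
            return tags, etype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append((etype, tci & 0x0FFF))   # low 12 bits of the TCI are the VLAN ID
        off += 4

# Constructed sample: untagged IPv4 frame from PC1 (MACs and payload are made up).
PC1_FRAME = bytes.fromhex("020000000002" "020000000001" "0800") + b"\x45" + bytes(45)

ce1_trunk = push_tag(PC1_FRAME, 100, TPID_CTAG)  # CE1: access port in v100 -> trunk
pe1_trunk = push_tag(ce1_trunk, 200)             # PE1: dot1q-tunneling adds S-VLAN 200
pe2_access = pop_tag(pe1_trunk)                  # PE2: S-tag removed toward CE2

if __name__ == "__main__":
    for name, f in [("CE1->PE1", ce1_trunk), ("PE1->PE2", pe1_trunk), ("PE2->CE2", pe2_access)]:
        print(name, tag_stack(f))
```

Each pushed tag adds 4 bytes to the frame, so the PE1 to PE2 trunk has to carry frames 8 bytes longer than what PC1 sent.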








