Overview of Layer 2 Networking
Layer 2, also known as the Data Link Layer, is the secondlevel in the seven-layer OSI reference model for network protocoldesign. Layer 2 is equivalent to the link layer (the lowest layer)in the TCP/IP network model. Layer2 is the network layer used to transferdata between adjacent network nodes in a wide area network or betweennodes on the same local area network.
A frame is a protocol data unit, the smallestunit of bits on a Layer 2 network. Frames are transmitted to and receivedfrom devices on the same local area network (LAN). Unilke bits, frameshave a defined structure and can be used for error detection, controlplane activities and so forth. Not all frames carry user data. Thenetwork uses some frames to control the data link itself..
At Layer 2, unicast refers to sending framesfrom one node to a single other node, whereas multicast denotes sending traffic from one node to multiple nodes, and broadcasting refers to the transmission of frames to allnodes in a network. A broadcast domain is a logicaldivision of a network in which all nodes of that network can be reachedat Layer 2 by a broadcast.
Segments of a LAN can be linked at the frame level using bridges. Bridging creates separate broadcast domains onthe LAN, creating VLANs, which are independent logical networks thatgroup together related devices into separate network segments. Thegrouping of devices on a VLAN is independent of where the devicesare physically located in the LAN. Without bridging and VLANs, alldevices on the Ethernet LAN are in a single broadcast domain, andall the devices detect all the packets on the LAN.
Forwarding is the relaying of packets fromone network segment to another by nodes in the network. On a VLAN,a frame whose origin and destination are in the same VLAN are forwardedonly within the local VLAN. A network segment is a portion of a computernetwork wherein every device communicates using the same physicallayer.
Layer 2 contains two sublayers:
Logical link control (LLC) sublayer, which is responsiblefor managing communications links and handling frame traffic.
Media access control (MAC) sublayer, which governs protocolaccess to the physical network medium. By using the MAC addressesthat are assigned to all ports on a switch, multiple devices on thesame physical link can uniquely identify one another.
The ports, or interfaces, on a switch operate in eitheraccess mode, tagged-access, or trunk mode:
Access mode ports connect to a networkdevice such as a desktop computer, an IP telephone, a printer, a fileserver, or a security camera. The port itself belongs to a singleVLAN. The frames transmitted over an access interface are normal Ethernetframes. By default, all ports on a switch are in access mode.
Tagged-Access mode ports connectto a network device such as a desktop computer, an IP telephone, aprinter, a file server, or a security camera. The port itself belongsto a single VLAN. The frames transmitted over an access interfaceare normal Ethernet frames. By default, all ports on a switch arein access mode. Tagged-access mode accommodates cloud computing, specificallyscenarios including virtual machines or virtual computers. Becauseseveral virtual computers can be included on one physical server,the packets generated by one server can contain an aggregation ofVLAN packets from different virtual machines on that server. To accommodatethis situation, tagged-access mode reflects packets back to the physicalserver on the same downstream port when the destination address ofthe packet was learned on that downstream port. Packets are also reflectedback to the physical server on the downstream port when the destinationhas not yet been learned. Therefore, the third interface mode, taggedaccess, has some characteristics of access mode and some characteristicsof trunk mode:
Trunk mode ports handle traffic formultiple VLANs, multiplexing the traffic for all those VLANs overthe same physical connection. Trunk interfaces are generally usedto interconnect switches to other devices or switches.
With native VLAN configured, frames that do not carry VLAN tagsare sent over the trunk interface. If you have a situation where packetspass from a device to a switch in access mode, and you want to thensend those packets from the switch over a trunk port, use native VLANmode. Configure the single VLAN on the switch’s port (whichis in access mode) as a native VLAN. The switch’s trunk portwill then treat those frames differently than the other tagged packets.For example, if a trunk port has three VLANs, 10, 20, and 30, assignedto it with VLAN 10 being the native VLAN, frames on VLAN 10 that leavethe trunk port on the other end have no 802.1Q header (tag). Thereis another native VLAN option. You can have the switch add and removetags for untagged packets. To do this, you first configure the singleVLAN as a native VLAN on a port attached to a device on the edge.Then, assign a VLAN ID tag to the single native VLAN on the port connectedto a device. Last, add the VLAN ID to the trunk port. Now, when theswitch receives the untagged packet, it adds the ID you specifiedand sends and receives the tagged packets on the trunk port configuredto accept that VLAN.
Including the sublayers, Layer 2 on the QFX Series supportsthe following functionality:
Unicast, multicast, and broadcast traffic.
Bridging.
VLAN 802.1Q—Also known as VLAN tagging, this protocol allows multiple bridged networks to transparentlyshare the same physical network link by adding VLAN tags to an Ethernetframe.
Extension of Layer 2 VLANs across multiple switches usingSpanning Tree Protocol (STP) prevents looping across the network.
MAC learning, including per-VLANMAC learning and Layer 2 learning suppression–This process obtainsthe MAC addresses of all the nodes on a network
Link aggregation—This process groups of Ethernetinterfaces at the physical layer to form a single link layer interface,also known as a link aggregation group (LAG) orLAG bundle
Note:
Link aggregation is not supported on NFX150 devices.
Storm control on the physical port for unicast, multicast,and broadcast
Note:
Storm control is not supported on NFX150 devices.
STP support, including 802.1d, RSTP, MSTP, and Root Guard
Understanding VLANs
A VLAN (virtual LAN) is a collection of network nodes grouped together to form separate broadcast domains. On an Ethernet network that is a single LAN, all traffic is forwarded to all nodes on the LAN. On VLANs, frames whose origin and destination are in the same VLAN are forwarded only within the local VLAN. Frames that are not destined for the local VLAN are the only ones forwarded to other broadcast domains. VLANs thus limit the amount of traffic flowing across the entire LAN, reducing the possible number of collisions and packet retransmissions within a VLAN and on the whole LAN.
On an Ethernet LAN, all network nodes must be physically connected to the same network. On VLANs, the physical location of the nodes is not important; therefore, you can group network devices in any way that makes sense for your organization, such as by department or business function, by types of network nodes, or by physical location. Each VLAN is identified by a single IP subnetwork and by standardized IEEE 802.1Q encapsulation.
To identify which VLAN the traffic belongs to, all frames on an Ethernet VLAN are identified by a tag, as defined in the IEEE 802.1Q standard. These frames are tagged and are encapsulated with 802.1Q tags.
For a simple network that has only a single VLAN, all traffic has the same 802.1Q tag. When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique 802.1Q tag. The tag is applied to all frames so that the network nodes receiving the frames know to which VLAN a frame belongs. Trunk ports, which multiplex traffic among a number of VLANs, use the tag to determine the origin of frames and where to forward them.
Ethernet Switching and Layer 2 Transparent Mode Overview
Layer2 transparent mode provides the ability to deploy the firewall withoutmaking changes to the existing routing infrastructure. The firewallis deployed as a Layer 2 switch with multiple VLAN segments and providessecurity services within VLAN segments. Secure wire is a special versionof Layer 2 transparent mode that allows bump-in-wire deployment.
A device operates in transparent mode when there are interfacesdefined as Layer 2 interfaces. The device operates in route mode (thedefault mode) if there are no physical interfaces configured as Layer2 interfaces.
For SRX Series Firewalls, transparent mode provides full securityservices for Layer 2 switching capabilities. On these SRX Series Firewalls,you can configure one or more VLANs to perform Layer 2 switching.A VLAN is a set of logical interfaces that share the same floodingor broadcast characteristics. Like a virtual LAN (VLAN), a VLAN spansone or more ports of multiple devices. Thus, the SRX Series Firewallcan function as a Layer 2 switch with multiple VLANs that participatein the same Layer 2 network.
In transparent mode, the SRX Series Firewall filterspackets that traverse the device without modifying any of the sourceor destination information in the IP packet headers. Transparent modeis useful for protecting servers that mainly receive traffic fromuntrusted sources because there is no need to reconfigure the IP settingsof routers or protected servers.
In transparent mode, all physical ports on the device are assignedto Layer 2 interfaces. Do not route Layer 3 traffic through the device.Layer 2 zones can be configured to host Layer 2 interfaces, and securitypolicies can be defined between Layer 2 zones. When packets travelbetween Layer 2 zones, security policies can be enforced on thesepackets.
Table 1 lists the securityfeatures that are supported and are not supported in transparent modefor Layer 2 switching.
Mode Type | Supported | Not Supported |
|---|---|---|
Transparent mode |
|
|
Note:
On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, theDHCP server propagation is not supported in Layer 2 transparent mode.
In addition, the SRX Series Firewalls do not support the followingLayer 2 features in Layer 2 transparent mode:
Spanning Tree Protocol (STP), RSTP, or MSTP—It isthe user’s responsibility to ensure that no flooding loops existin the network topology.
Internet Group Management Protocol (IGMP) snooping—Host-to-routersignaling protocol for IPv4 used to report their multicast group membershipsto neighboring routers and determine whether group members are presentduring IP multicasting.
Double-tagged VLANs or IEEE 802.1Q VLAN identifiers encapsulatedwithin 802.1Q packets (also called “Q in Q” VLAN tagging)—Onlyuntagged or single-tagged VLAN identifiers are supported on SRX Series Firewalls.
Nonqualified VLAN learning, where only the MAC addressis used for learning within the VLAN—VLAN learning on SRX Series Firewalls is qualified; that is, both the VLAN identifier and MAC addressare used.
Also, on SRX100, SRX110, SRX210, SRX220, SRX240, SRX300, SRX320,SRX340, SRX345, SRX550, or SRX650 devices, some features are not supported.(Platform support depends on the Junos OS release in your installation.)The following features are not supported for Layer 2 transparent modeon the mentioned devices:
G-ARP on the Layer 2 interface
IP address monitoring on any interface
Transit traffic through IRB
IRB interface in a routing instance
IRB interface handling of Layer 3 traffic
Note:
The IRB interface is a pseudointerface and does not belongto the reth interface and redundancy group.
- Layer 2 Transparent Mode on the SRX5000 Line Module Port Concentrator
- Understanding IPv6 Flows in Transparent Mode on Security Devices
- Understanding Layer 2 Transparent Mode Chassis Clusters onSecurity Devices
- Configuring Out-of-Band Management on SRX Series Firewalls
- Ethernet Switching
- Layer 2 Switching Exceptions on SRX Series Devices
Layer 2 Transparent Mode on the SRX5000 Line Module Port Concentrator
The SRX5000 line Module Port Concentrator (SRX5K-MPC) supportsLayer 2 transparent mode and processes the traffic when the SRX Series Firewall is configured in Layer 2 transparent mode.
When the SRX5K-MPC is operating in Layer 2 mode, you can configureall interfaces on the SRX5K-MPC as Layer 2 switching ports to supportLayer 2 traffic.
The security processing unit (SPU) supports all security servicesfor Layer 2 switching functions, and the MPC delivers the ingresspackets to the SPU and forwards the egress packets that are encapsulatedby the SPU to the outgoing interfaces.
When the SRX Series Firewall is configured in Layer 2 transparentmode, you can enable the interfaces on the MPC to work in Layer 2mode by defining one or more logical units on a physical interfacewith the family address type as Ethernet switching. Lateryou can proceed with configuring Layer 2 security zones and configuringsecurity policies in transparent mode. Once this is done, next-hoptopologies are set up to process ingress and egress packets.
Understanding IPv6 Flows in Transparent Mode on Security Devices
In transparent mode, the SRX Series Firewall filters packets thattraverse the device without modifying any of the source or destinationinformation in the packet MAC headers. Transparent mode is usefulfor protecting servers that mainly receive traffic from untrustedsources because there is no need to reconfigure the IP settings ofrouters or protected servers.
A device operates in transparent mode when all physical interfaceson the device are configured as Layer 2 interfaces. A physical interfaceis a Layer 2 interface if its logical interface is configured with the ethernet-switching option at the[edit interfaces interface-name unit unit-number family] hierarchy level. There is nocommand to define or enable transparent mode on the device. The deviceoperates in transparent mode when there are interfaces defined asLayer 2 interfaces. The device operates in route mode (the defaultmode) if all physical interfaces are configured as Layer 3 interfaces.
By default, IPv6 flows are dropped on security devices. To enableprocessing by security features such as zones, screens, and firewallpolicies, you must enable flow-based forwarding for IPv6 traffic withthe mode flow-based configuration option at the [editsecurity forwarding-options family inet6] hierarchy level. Youmust reboot the device when you change the mode.
In transparent mode, you can configure Layer 2 zones to hostLayer 2 interfaces, and you can define security policies between Layer2 zones. When packets travel between Layer 2 zones, security policiescan be enforced on these packets. The following security featuresare supported for IPv6 traffic in transparent mode:
Layer 2 security zones and security policies. See Understanding Layer 2 Security Zones and Understanding Security Policies in Transparent Mode .
Firewall user authentication. See Understanding Firewall User Authentication in Transparent Mode .
Layer 2 transparent mode chassis clusters.
Class of service functions. See Class of Service Functions in Transparent Mode Overview.
The following security features are not supported for IPv6 flows in transparent mode:
Logical systems
IPv6 GTPv2
J-Web interface
NAT
IPsec VPN
With the exception of DNS, FTP, and TFTP ALGs, all otherALGs are not supported.
Configuring VLANs and Layer 2 logical interfaces for IPv6 flowsis the same as configuring VLANs and Layer 2 logical interfaces forIPv4 flows. You can optionally configure an integrated routing andbridging (IRB) interface for management traffic in a VLAN. The IRBinterface is the only Layer 3 interface allowed in transparent mode.The IRB interface on the SRX Series Firewall does not support trafficforwarding or routing. The IRB interface can be configured with bothIPv4 and IPv6 addresses. You can assign an IPv6 address for the IRBinterface with the address configurationstatement at the [edit interfaces irb unit number family inet6] hierarchy level. You can assignan IPv4 address for the IRB interface with the address configurationstatement at the [edit interfaces irb unit number family inet] hierarchy level.
The Ethernet Switching functions on SRX Series Firewalls are similar to the switching features on Juniper Networks MX Series routers. However, not all Layer 2 networking features supported on MX Series routers are supported on SRX Series Firewalls. See Ethernet Switching and Layer 2 Transparent Mode Overview.
The SRX Series Firewall maintains forwarding tables that containMAC addresses and associated interfaces for each Layer 2 VLAN. TheIPv6 flow processing is similar to IPv4 flows. See Layer2 Learning and Forwarding for VLANs Overview.
Understanding Layer 2 Transparent Mode Chassis Clusters onSecurity Devices
A pair of SRX Series Firewalls in Layer 2 transparent mode canbe connected in a chassis cluster toprovide network node redundancy. When configured in a chassis cluster,one node acts as the primary device and the other as the secondarydevice, ensuring stateful failover of processes and services in theevent of system or hardware failure. If the primary device fails,the secondary device takes over processing of traffic.
Note:
If the primary device fails in a Layer 2 transparent mode chassiscluster, the physical ports in the failed device become inactive (godown) for a few seconds before they become active (come up) again.
To form a chassis cluster, a pair of the same kind of supportedSRX Series Firewalls combines to act as a single system that enforcesthe same overall security.
Devices in Layer 2 transparent mode can be deployed in active/backupand active/active chassis cluster configurations.
The following chassis cluster features are not supported fordevices in Layer 2 transparent mode:
Gratuitous ARP—The newly elected primary in a redundancygroup cannot send gratuitous ARP requests to notify network devicesof a change in primary role on the redundant Ethernet interface links.
IP address monitoring—Failure of an upstream devicecannot be detected.
A redundancy group is a construct that includes a collectionof objects on both nodes. A redundancy group is primary on one nodeand backup on the other. When a redundancy group is primary on a node,its objects on that node are active. When a redundancy group failsover, all its objects fail over together.
You can create one or more redundancy groups numbered 1 through128 for an active/active chassis cluster configuration. Each redundancygroup contains one or more redundant Ethernet interfaces. A redundantEthernet interface is a pseudointerface that contains physical interfacesfrom each node of the cluster. The physical interfaces in a redundantEthernet interface must be the same kind—either Fast Ethernetor Gigabit Ethernet. If a redundancy group is active on node 0, thenthe child links of all associated redundant Ethernet interfaces onnode 0 are active. If the redundancy group fails over to the node1, then the child links of all redundant Ethernet interfaces on node1 become active.
Note:
In the active/active chassis cluster configuration, the maximumnumber of redundancy groups is equal to the number of redundant Ethernetinterfaces that you configure. In the active/backup chassis clusterconfiguration, the maximum number of redundancy groups supported istwo.
Configuring redundant Ethernet interfaces on a device in Layer2 transparent mode is similar to configuring redundant Ethernet interfaceson a device in Layer 3 route mode, with the following difference:the redundant Ethernet interface on a device in Layer 2 transparentmode is configured as a Layer 2 logical interface.
The redundant Ethernet interface may be configured as eitheran access interface (with a single VLAN ID assigned to untagged packetsreceived on the interface) or as a trunk interface (with a list ofVLAN IDs accepted on the interface and, optionally, a native-vlan-idfor untagged packets received on the interface). Physical interfaces(one from each node in the chassis cluster) are bound as child interfacesto the parent redundant Ethernet interface.
In Layer 2 transparent mode, MAC learning is based on the redundantEthernet interface. The MAC table is synchronized across redundantEthernet interfaces and Services Processing Units (SPUs) between thepair of chassis cluster devices.
The IRB interface is used only for management traffic, and itcannot be assigned to any redundant Ethernet interface or redundancygroup.
All Junos OS screen options that are available for a single,nonclustered device are available for devices in Layer 2 transparentmode chassis clusters.
Note:
Spanning Tree Protocols (STPs) are not supported for Layer 2transparent mode. You must ensure that there are no loop connectionsin the deployment topology.
Configuring Out-of-Band Management on SRX Series Firewalls
You can configure the fxp0 out-of-bandmanagement interface on the SRX Series Firewall as a Layer 3 interface,even if Layer 2 interfaces are defined on the device. With the exceptionof the fxp0 interface, you can define Layer2 and Layer 3 interfaces on the device’s network ports.
Note:
There is no fxp0 out-of-band management interface on the SRX300,SRX320, and SRX550M devices. (Platform support dependson the Junos OS release in your installation.)
Ethernet Switching
Ethernet switching forwards the Ethernet frames within or acrossthe LAN segment (or VLAN) using the Ethernet MAC address information.Ethernet switching on the SRX1500 device is performed in the hardwareusing ASICs.
Starting in JunosOS Release 15.1X49-D40, use the set protocols l2-learning global-mode(transparent-bridge| switching) command to switch between the Layer 2 transparentbridge mode and Ethernet switching mode. Afterswitching the mode, you must reboot the device for the configurationto take effect. Table 2 describes the default Layer 2 global mode on SRX Series Firewalls.
Junos OS Release | Platforms | Default Layer 2 Global Mode | Details |
|---|---|---|---|
Prior to Junos OS Release 15.1X49-D50 and Junos OS Release 17.3R1 onwards | SRX300, SRX320, SRX340, and SRX345 | Switching mode | None |
Junos OS Release 15.1X49-D50 to Junos OS Release 15.1X49-D90 | SRX300, SRX320, SRX340, and SRX345 | Switching mode | When you delete the Layer 2 global mode configuration on a device,the device is in transparent bridge mode. |
Junos OS Release 15.1X49-D100 onwards | SRX300, SRX320, SRX340, SRX345, SRX550, and SRX550M | Switching mode | When you delete the Layer 2 global mode configuration on a device,the device is in switching mode. Configure the |
Junos OS Release 15.1X49-D50 onwards | SRX1500 | Transparent bridge mode | None |
The Layer 2 protocol supported in switching mode is Link AggregationControl Protocol (LACP).
You can configure Layer 2 transparent mode on a redundant Ethernetinterface. Use the following commands to define a redundant Ethernetinterface:
set interfaces interface-name ether-options redundant-parent reth-interface-nameset interfaces reth-interface-name redundant-ether-options redundancy-group number
Layer 2 Switching Exceptions on SRX Series Devices
The switching functions on the SRX Series Firewalls are similarto the switching features on Juniper Networks MX Series routers. However,the following Layer 2 networking features on MX Series routers arenot supported on SRX Series Firewalls:
Layer 2 control protocols—These protocols are usedon MX Series routers for Rapid Spanning Tree Protocol (RSTP) or MultipleSpanning Tree Protocol (MSTP) in customer edge interfaces of a VPLSrouting instance.
Virtual switch routing instance—The virtual switchingrouting instance is used on MX Series routers to group one or moreVLANs.
Virtual private LAN services (VPLS) routing instance—TheVPLS routing instance is used on MX Series routers for point-to-multipointLAN implementations between a set of sites in a VPN.
Understanding Unicast
Unicasting is the act of sendingdata from one node of the network to another. In contrast, multicasttransmissions send traffic from one data node to multiple other datanodes.
Unknown unicast traffic consists of unicastframes with unknown destination MAC addresses. By default, the switchfloods these unicast frames that are traveling in a VLAN to all interfacesthat are members of the VLAN. Forwarding this type of traffic to interfaceson the switch can trigger a security issue. The LAN is suddenly floodedwith packets, creating unnecessary traffic that leads to poor networkperformance or even a complete loss of network service. This is knownas a traffic storm.
To prevent a storm, you can disable the flooding of unknownunicast packets to all interfaces by configuring one VLAN or all VLANsto forward any unknown unicast traffic to a specific trunk interface.(This channels the unknown unicast traffic to a single interface.)
Understanding Layer 2 Broadcasting on Switches
In a Layer 2 network, broadcasting refers to sending traffic to all nodes on a network.
Layer 2 broadcast traffic stays within a local area network(LAN) boundary; known as the broadcast domain. Layer 2 broadcast traffic is sent to the broadcast domain usinga MAC address of FF:FF:FF:FF:FF:FF. Every device in the broadcastdomain recognizes this MAC address and passes the broadcast trafficon to other devices in the broadcast domain, if applicable. Broadcastingcan be compared to unicasting (sending traffic to a single node) ormulticasting (delivering traffic to a group of nodes simultaneously).
Layer 3 broadcast traffic, however, is sent to all devices ina network using a broadcast network address. For example, if yournetwork address is 10.0.0.0, the broadcast network address is 10.255.255.255.In this case, only devices that belong to the 10.0.0.0 network receivethe Layer 3 broadcast traffic. Devices that do not belong to thisnetwork drop the traffic.
Broadcasting is used in the following situations:
Address Resolution Protocol (ARP) uses broadcasting tomap MAC addresses to IP addresses. ARP dynamically binds the IP address(the logical address) to the correct MAC address. Before IP unicastpackets can be sent, ARP discovers the MAC address used by the Ethernetinterface where the IP address is configured.
Dynamic Host Configuration Protocol (DHCP) uses broadcastingto dynamically assign IP addresses to hosts on a network segment orsubnet.
Routing protocols use broadcasting to advertise routes.
Excessive broadcast traffic can sometimes create a broadcaststorm. A broadcast storm occurs when messages are broadcast on a networkand each message prompts a receiving node to respond by broadcastingits own messages on the network. This, in turn, prompts further responsesthat create a snowball effect. The LAN is suddenly flooded with packets,creating unnecessary traffic that leads to poor network performanceor even a complete loss of network service.
Using the Enhanced Layer 2 Software CLI
Enhanced Layer 2 Software (ELS) provides a uniformCLI for configuring and monitoring Layer 2 features on QFX Seriesswitches, EX Series switches, and other Juniper Networks devices,such as MX Series routers. With ELS, you configure Layer 2 featuresin the same way on all these Juniper Networks devices.
This topic explains how to know if your platform is runningELS. It also explains how to perform some common tasks using the ELSstyle of configuration.
- Understanding Which Devices Support ELS
- Understanding How to Configure Layer 2 Features Using ELS
- Understanding ELS Configuration Statement and Command Changes
Understanding Which Devices Support ELS
ELS is automatically supported if your device is running a JunosOS release that supports it. You do not need to take any action toenable ELS, and you cannot disable ELS. See Feature Explorer for information about which platforms andreleases support ELS.
Understanding How to Configure Layer 2 Features Using ELS
Because ELS provides a uniform CLI, you can now performthe following tasks on supported devices in the same way:
- Configuring a VLAN
- Configuring the Native VLAN Identifier
- Configuring Layer 2 Interfaces
- Configuring Layer 3 Interfaces
- Configuring an IRB Interface
- Configuring an Aggregated Ethernet Interface and ConfiguringLACP on That Interface
Configuring a VLAN
You can configure one or more VLANs to perform Layer 2 bridging.The Layer 2 bridging functions include integrated routing and bridging(IRB) for support for Layer 2 bridging and Layer 3 IP routing on thesame interface. EX Series and QFX Series switches can function asLayer 2 switches, each with multiple bridging, or broadcast, domainsthat participate in the same Layer 2 network. You can also configureLayer 3 routing support for a VLAN.
To configure a VLAN:
- Create the VLAN by setting a unique VLAN name and configuringthe VLAN ID:
[edit]user@host# set vlans vlan-name vlan-id vlan-id-number
Using the VLAN ID list option, you can optionally specify arange of VLAN IDs.
[edit]user@host# set vlans vlan-name vlan-id-list vlan-ids | vlan-id--vlan-id
- Assign at least one interface to the VLAN:
[edit]user@host# set interface interface-name family ethernet-switching vlan members vlan-name
Configuring the Native VLAN Identifier
EX Series and QFX Series switches support receiving and forwardingrouted or bridged Ethernet frames with 802.1Q VLAN tags. Typically,trunk ports, which connect switches to each other, accept untaggedcontrol packets, but do not accept untagged data packets. You canenable a trunk port to accept untagged data packets by configuringa native VLAN ID on the interface on which you want the untagged datapackets to be received.
To configure the native VLAN ID:
- On the interface on which you want untagged data packetsto be received, set the interface mode to
trunk, whichspecifies that the interface is in multiple VLANs and can multiplextraffic between different VLANs.[edit interfaces]user@host# set interface-name unit logical-unit-number family ethernet-switching interface-mode trunk
- Configure the native VLAN ID and assign the interfaceto the native VLAN ID:
[edit interfaces]user@host# set interface-name native-vlan-id number
- Assign the interface to the native VLAN ID:
[edit interfaces]user@host# set interface-name unit logical-unit-number family ethernet-switching vlan members native-vlan-id-number
Configuring Layer 2 Interfaces
To ensure that your high-traffic network is tuned for optimalperformance, explicitly configure some settings on the switch's networkinterfaces.
To configure a Gigabit Ethernet interface or a 10-Gigabit Ethernetinterface as a trunk interface:
[edit] user@host# set interfaces interface-name unit logical-unit-number family ethernet-switching interface-mode trunk
To configure a Gigabit Ethernet interface or a 10-Gigabit Ethernetinterface as a access interface:
[edit] user@host# set interfaces interface-name unit logical-unit-number family ethernet-switching interface-mode access
To assign an interface to VLAN:
[edit interfaces] user@host# set interface-name unit logical-unit-number family ethernet-switching vlan members [all | vlan-names | vlan-ids]
Configuring Layer 3 Interfaces
To configure a Layer 3 interface, you must assign an IP addressto the interface. You assign an address to an interface by specifyingthe address when you configure the protocol family. For the inet or inet6 family, configure the interface IP address.
You can configure interfaces with a 32-bit IP version 4 (IPv4)address and optionally with a destination prefix, sometimes calleda subnet mask. An IPv4 address utilizes a 4-octet dotted decimal addresssyntax (for example, 192.168.1.1). An IPv4 address with destinationprefix utilizes a 4-octet dotted decimal address syntax with a destinationprefix appended (for example, 192.168.1.1/16).
To specify an IP4 address for the logical unit:
[edit]user@host# set interfaces interface-name unit logical-unit-number family inet address ip-address
You represent IP version 6 (IPv6) addresses in hexadecimal notationby using a colon-separated list of 16-bit values. You assign a 128-bitIPv6 address to an interface.
To specify an IP6 address for the logical unit:
[edit]user@host# set interfaces interface-name unit logical-unit-number family inet6 address ip-address
Configuring an IRB Interface
Integrated routing and bridging (IRB) provides support for Layer2 bridging and Layer 3 IP routing on the same interface. IRB enablesyou to route packets to another routed interface or to another VLANthat has a Layer 3 protocol configured. IRB interfaces enable thedevice to recognize packets that are being sent to local addressesso that they are bridged (switched) whenever possible and are routedonly when necessary. Whenever packets can be switched instead of routed,several layers of processing are eliminated. An interface named irbfunctions as a logical router on which you can configure a Layer 3logical interface for VLAN. For redundancy, you can combine an IRBinterface with implementations of the Virtual Router Redundancy Protocol(VRRP) in both bridging and virtual private LAN service (VPLS) environments.
To configure an IRB interface:
- Create a Layer 2 VLAN by assigning it a name and a VLANID:
[edit] user@host# set vlans vlan-name vlan-id vlan-id
- Create an IRB logical interface:
[edit]user@host# set interface irb unit logical-unit-number family inet address ip-address
- Associate the IRB interface with the VLAN:
[edit]user@host# set vlans vlan-name l3-interface irb.logical-unit-number
Configuring an Aggregated Ethernet Interface and ConfiguringLACP on That Interface
Use the link aggregation feature to aggregate one or more linksto form a virtual link or link aggregation group (LAG). The MAC clientcan treat this virtual link as if it were a single link to increasebandwidth, provide graceful degradation as failure occurs, and increaseavailability.
To configure an aggregated Ethernet interface:
- Specify the number of aggregated Ethernet interfaces tobe created:
[edit chassis]user@host# set aggregated-devices ethernet device-count number
- Specify the name of the link aggregation group interface:
[edit]user@host# set interfaces aex
- Specify the minimum number of links for the aggregatedEthernet interface (aex)– that is, the defined bundle–to be labeled up:
[edit interfaces]user@host# set aex aggregated-ether-options minimum-links number
- Specify the link speed for the aggregated Ethernet bundle:
[edit interfaces]user@host# set aex aggregated-ether-options link-speed link-speed
- Specify the members to be included within the aggregatedEthernet bundle:
[edit interfaces] user@host# set interface-name ether-options 802.3ad aex
- Specify an interface family for the aggregated Ethernetbundle:
[edit interfaces]user@host# set aex unit 0 family inet address ip-address
For aggregated Ethernet interfaces on the device, you can configurethe Link Aggregation Control Protocol (LACP). LACP bundles severalphysical interfaces to form one logical interface. You can configureaggregated Ethernet with or without LACP enabled.
When LACP is enabled, the local and remote sides of the aggregatedEthernet links exchange protocol data units (PDUs), containing informationabout the state of the link. You can configure Ethernet links to activelytransmit PDUs, or you can configure the links to passively transmitthem, sending out LACP PDUs only when they receive them from anotherlink. One side of the link must be configured as active for the linkto be up.
To configure LACP:
Enable one side of the aggregated Ethernet link as active:
[edit interfaces]user@host# set aex aggregated-ether-options lacp active
Specify the interval at which the interfaces send LACPpackets:
[edit interfaces] user@host# set aex aggregated-ether-options lacp periodic interval
Understanding ELS Configuration Statement and Command Changes
ELS was introduced in Junos OS Release 12.3R2 for EX9200switches. ELS changes the CLI for some of the Layer 2 features onsupported EX Series and QFX Series switches.
The following sections provide a list of existing commands thatwere moved to new hierarchy levels or changed on EX Series switchesas part of this CLI enhancement effort. These sections are providedas a high-level reference only. For detailed information about thesecommands, use the links to the configuration statements provided orsee the technical documentation.
- Changes to the ethernet-switching-options Hierarchy Level
- Changes to the Port Mirroring Hierarchy Level
- Changes to the Layer 2 Control Protocol Hierarchy Level
- Changes to the dot1q-tunneling Statement
- Changes to the L2 Learning Protocol
- Changes to Nonstop Bridging
- Changes to Port Security and DHCP Snooping
- Changes to Configuring VLANs
- Changes to Storm Control Profiles
- Changes to the Interfaces Hierarchy
- Changes to IGMP Snooping
Changes to the ethernet-switching-options Hierarchy Level
This section outlines the changes to the ethernet-switching-options hierarchy level.
Note:
The ethernet-switching-options hierarchy levelhas been renamed as switch-options.
Original Hierarchy | Changed Hierarchy |
|---|---|
ethernet-switching-options { authentication-whitelist { ... }} | switch-options { ... authentication-whitelist { ... }} |
ethernet-switching-options { interfaces interface-name { no-mac-learning; ... }} | switch-options { interfaces interface-name { no-mac-learning; ... }} |
ethernet-switching-options { unknown-unicast-forwarding { (...) }} | switch-options { unknown-unicast-forwarding { (...) }} |
ethernet-switching-options { voip { interface (all | [interface-name | access-ports]) { forwarding-class (assured-forwarding | best-effort | expedited-forwarding | network-control); vlan vlan-name; ... } }} | switch-options { voip { interface (all | [interface-name | access-ports]) { forwarding-class (assured-forwarding | best-effort | expedited-forwarding | network-control); vlan vlan-name; ... } }} |
Original Hierarchy | Changed Hierarchy |
|---|---|
ethernet-switching-options { redundant-trunk-group { group name { description; interface interface-name { primary; } preempt-cutover-timer seconds; ... } }} | switch-options { redundant-trunk-group { group name { description; interface interface-name { primary; } preempt-cutover-timer seconds; ... } }} |
Original Hierarchy | Changed Hierarchy |
|---|---|
ethernet-switching-options { mac-notification { notification-interval seconds; ... }} | The statements have been removed from the |
ethernet-switching-options { traceoptions { file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>; flag flag <disable>; ... }} | The statements have been removed from the |
ethernet-switching-options { port-error-disable { disable-timeout timeout; ... }} | Note: The interfaces interface-name family ethernet-switching { recovery-timeout seconds;} |
Changes to the Port Mirroring Hierarchy Level
Changes to the Layer 2 Control Protocol Hierarchy Level
The Layer 2 control protocol statements have moved from the ethernet-switching-options hierarchy to the protocols hierarchy.
Original Hierarchy | Changed Hierarchy |
|---|---|
ethernet-switching-options { bpdu-block { ... }} | protocols { layer2-control { bpdu-block { ... } }} |
Changes to the dot1q-tunneling Statement
The dot1q-tunneling statement has been replaced witha new statement and moved to a different hierarchy level.
Original Hierarchy | Changed Hierarchy |
|---|---|
ethernet-switching-options { dot1q-tunneling { ether-type (0x8100 | 0x88a8 | 0x9100); ... }} | interfaces interface-name { ether-options { ethernet-switch-profile { tag-protocol-id [tpids]; } }}interfaces interface-name { aggregated-ether-options { ethernet-switch-profile { tag-protocol-id [tpids]; } }} |
Changes to the L2 Learning Protocol
The mac-table-aging-time statement has been replacedwith a new statement and moved to a different hierarchy level.
Original Hierarchy | Changed Hierarchy |
|---|---|
ethernet-switching-options { mac-table-aging-time seconds; ...} | protocols { l2-learning { global-mac-table-aging-time seconds; ... }} |
Changes to Nonstop Bridging
The nonstop-bridging statement has moved to a differenthierarchy level.
Original Hierarchy | Changed Hierarchy |
|---|---|
ethernet-switching-options { nonstop-bridging;} | protocols { layer2-control { nonstop-bridging { } }} |
Changes to Port Security and DHCP Snooping
Port security and DHCP snooping statements have moved to differenthierarchy levels.
Note:
The statement examine-dhcp does not exist inthe changed hierarchy. DHCP snooping is now enabled automaticallywhen other DHCP security features are enabled on a VLAN. See ConfiguringPort Security (ELS) for additional information.
Original Hierarchy | Changed Hierarchy |
|---|---|
ethernet-switching-options { secure-access-port { interface (all | interface-name) { (dhcp-trusted | no-dhcp-trusted ); static-ip ip-address { mac mac-address; vlan vlan-name; } } vlan (all | vlan-name) { (arp-inspection | no-arp-inspection ); dhcp-option82 { disable; circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix (hostname | mac | none); use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp); } (ip-source-guard | no-ip-source-guard); } } | vlans vlan-name forwarding-options{ dhcp-security { arp-inspection; group group-name { interfaceiinterface-name { static-ip ip-address { mac mac-address; } } overrides { no-option82; trusted; } } ip-source-guard; no-dhcp-snooping; option-82 { circuit-id { prefix { host-name; routing-instance-name; } use-interface-description (device | logical); use-vlan-id; } remote-id { host-name; use-interface-description (device | logical); use-string string; } vendor-id { use-string string; } } } |
Tip:
For allowed mac configuration, the original hierarchy statement set ethernet-switching-options secure-access-port interface ge-0/0/2allowed-mac 00:05:85:3A:82:8 is replaced by the ELS command set interfaces ge-0/0/2 unit 0 accept-source-mac mac-address 00:05:85:3A:82:8
Note:
DHCP snooping statements have moved to a different hierarchylevel.
Original Hierarchy | Changed Hierarchy |
|---|---|
ethernet-switching-options { secure-access-port { dhcp-snooping-file { location local_pathname | remote_URL; timeout seconds; write-interval seconds; } | system [ processes [ dhcp-service dhcp-snooping-file local_pathname | remote_URL; write-interval interval; } } |
Changes to Configuring VLANs
The statements for configuring VLANs have moved to a differenthierarchy level.
Note:
Starting with Junos OS Release 14.1X53-D10 for EX4300 and EX4600switches, when enabling xSTP, you can enableit on some or all interfaces included in a VLAN. For example, if youconfigure VLAN 100 to include interfaces ge-0/0/0, ge-0/0/1, and ge-0/0/2,and you want to enable MSTP on interfaces ge-0/0/0 and ge-0/0/2, youcan specify the set protocols mstp interface ge-0/0/0 and set protocols mstp interface ge-0/0/2 commands. In this example,you did not explicitly enable MSTP on interface ge-0/0/1; therefore,MSTP is not enabled on this interface.
Original Hierarchy | Changed Hierarchy |
|---|---|
ethernet-switching-options { secure-access-port vlan (all | vlan-name{ mac-move-limit } | vlans vlan-name switch-options { mac-move-limit} |
ethernet-switching-options { static { vlan vlan-id { mac mac-address next-hop interface-name; ... } }} | Note: Statement is replaced with a new statement and has movedto a different hierarchy level. vlans { vlan-name { switch-options { interface interface-name { static-mac mac-address; ... } } }} |
vlans { vlan-name { interface interface-name { egress; ingress; mapping (native (push | swap) | policy | tag (push | swap)); pvlan-trunk; ... } }} | These statements have been removed. You can assign interfacesto a VLAN using the |
vlans { vlan-name { isolation-id id-number; ... }} | Statements have been removed. |
vlans { vlan-name { interface vlan.logical-interface-number; ... }} | Note: Syntax is changed. vlans { vlan-name { interface irb.logical-interface-number; ... }} |
vlans { vlan-name { l3-interface-ingress-counting layer-3-interface-name; ... }} | Statement is removed. Ingress traffic is automaticallytracked. |
vlans { vlan-name { no-local-switching; ... }} | Statement is removed. |
vlans { vlan-name { no-mac-learning; ... }} | Statement has been moved to different hierarchy. vlans { vlan-name { switch-options { no-mac-learning limit ... } }} |
vlans { vlan-name { primary-vlan vlan-name; ... }} | Statement has been removed. |
vlans { vlan-name { vlan-prune; ... }} | Statement is removed. |
vlans { vlan-name { vlan-range vlan-id-low-vlan-id-high; ... }} | Note: Statement has been replaced with a new statement. vlans { vlan-name { vlan-id-list [vlan-id-numbers]; ... }} |
vlans { vlan-name { l3-interface vlan.logical-interface-number; ... }} | Note: Syntax is changed. vlans { vlan-name { interface irb.logical-interface-number; ... }} |
Original Hierarchy | Changed Hierarchy |
|---|---|
vlans { vlan-name { dot1q-tunneling { customer-vlans (id | native | range); layer2-protocol-tunneling all | protocol-name { drop-threshold number; shutdown-threshold number; ... } } }} | For interface interface-name { encapsulation extended-vlan-bridge; flexible-vlan-tagging; native-vlan-id number; unit logical-unit-number { input-vlan-map action; output-vlan-map action; vlan-id number; vlan-id-list [vlan-id vlan-id–vlan-id]; }}For protocols { layer2-control { mac-rewrite { interface interface-name { protocol { ... } } } }} |
vlans { vlan-name { filter{ input filter-name output filter-name; ... } }} | vlans { vlan-name { forwarding-options { filter{ input filter-name output filter-name; ... } } }} |
vlans { vlan-name { mac-limit limit action action; ... }} | vlans { vlan-name { switch-options { interface-mac-limit limit { packet-action action; ... } } }}vlans { vlan-name { switch-options { interface interface-name { interface-mac-limit limit { packet-action action; ... } } } }} |
vlans { vlan-name { mac-table-aging-time seconds; ... }} | protocols { l2-learning { global-mac-table-aging-time seconds; ... }} |
Changes to Storm Control Profiles
Storm control is configured in two steps. The first step isto create a storm control profile at the [edit forwarding-options] hierarchy level, and the second step is to bind the profile to alogical interface at the [edit interfaces] hierarchy level.See Example: Configuring Storm Controlto Prevent Network Outages on EX Series Switches for thechanged procedure.
Original Hierarchy | Changed Hierarchy |
|---|---|
ethernet-switching-options { storm-control { (...) }} | forwarding-options { storm-control-profiles profile-name { (...) } }interfaces interface-name unit number family ethernet-switching { storm-control storm-control-profile;} |
Changes to the Interfaces Hierarchy
Note:
Statements have been moved to a different hierarchy.
Original Hierarchy | Changed Hierarchy |
|---|---|
interfaces interface-name { ether-options { link-mode mode; speed (auto-negotiation | speed) }} | interfaces interface-name { link-mode mode; speed speed)} |
interfaces interface-name { unit logical-unit-number { family ethernet-switching { native-vlan-id vlan-id } }} | interfaces interface-name { native-vlan-id vlan-id} |
interfaces interface-name { unit logical-unit-number { family ethernet-switching { port-mode mode } }} | Note: Statement has been replaced with a new statement. interfaces interface-name { unit logical-unit-number { family ethernet-switching { interface-mode mode } }} |
interfaces vlan | Note: Statement has been replaced with a new statement. interfaces irb |
Changes to IGMP Snooping
Original Hierarchy | Changed Hierarchy |
|---|---|
protocols { igmp-snooping { traceoptions { file filename <filesnumber> <no-stamp> <replace> <sizemaximum-file-size> <world-readable| no-world-readable>; flag flag <flag-modifier> <disable>; } vlan (all| vlan-identifier) { disable; data-forwarding { receiver { install; source-vlans vlan-name; } source { groups ip-address; } } immediate-leave; interface (all| interface-name) { multicast-router-interface; static { group multicast-ip-address; } } proxy { source-address ip-address; } robust-count number; } }} | protocols { igmp-snooping { vlan vlan-name { data-forwarding { receiver { install; source-list vlan-name; translate; } source { groups ip-address; } } immediate-leave; interface (all | interface-name) { group-limit <1..65535> host-only-interface multicast-router-interface; immediate-leave; static { group multicast-ip-address { source <> } } } } l2-querier { source-address ip-address; } proxy { source-address ip-address; } query-interval number; query-last-member-interval number; query-response-interval number; robust-count number; traceoptions { file filename <filesnumber> <no-stamp> <replace> <sizemaximum-file-size> <world-readable| no-world-readable>; flag flag <flag-modifier>; } } }} |
Enhanced Layer 2 CLI Configuration Statement and Command Changesfor Security Devices
Starting in JunosOS Release 15.1X49-D10 and Junos OS Release 17.3R1, some Layer 2 CLIconfiguration statements are enhanced, and some commands are changed. Table 18 and Table 19 provide lists ofexisting commands that have been moved to new hierarchies or changedon SRX Series Firewalls as part of this CLI enhancement effort. Thetables are provided as a high-level reference only. For detailed informationabout these commands, see CLI Explorer.
Original Hierarchy | Changed Hierarchy | Hierarchy Level | Change Description |
|---|---|---|---|
bridge-domains bridge-domain--name { ... }} | vlans vlans-name { ... }} | [edit] | Hierarchy renamed. |
bridge-domains bridge-domain--name { vlan-id-list [vlan-id] ;} | vlans vlans-name { vlan members [vlan-id] ;} | [edit vlans vlans-name] | Statement renamed. |
bridge-options { interface interface-name { encapsulation-type; ignore-encapsulation-mismatch; pseudowire-status-tlv; static-mac mac-address { vlan-id vlan-id; } } mac-table-aging-time seconds; mac-table-size { number; packet-action drop; }} | switch-options { interface interface-name { encapsulation-type; ignore-encapsulation-mismatch; pseudowire-status-tlv; static-mac mac-address { vlan-id vlan-id; } } mac-table-aging-time seconds; mac-table-size { number; packet-action drop; }} | [edit vlans vlans-name] | Statement renamed. |
bridge { block-non-ip-all; bpdu-vlan-flooding; bypass-non-ip-unicast; no-packet-flooding { no-trace-route; }} | ethernet-switching { block-non-ip-all; bpdu-vlan-flooding; bypass-non-ip-unicast; no-packet-flooding { no-trace-route; }} | [edit security flow] | Statement renamed. |
family { bridge { bridge-domain-type (svlan| bvlan); ... | family { ethernet-switching { ... | [edit interfaces interface-name ]unit unit-number | Hierarchy renamed. |
...routing-interface irb.0;... | ...l3-interface irb.0;... | [edit vlans vlans-name] | Statement renamed. |
Original Operational Command | Modified Operational Command |
|---|---|
clear bridge mac-table | clear ethernet-switching table |
clear bridge mac-table persistent-learning | clear ethernet-switching table persistent-learning |
show bridge domain | show vlans |
show bridge mac-table | show ethernet-switching table |
show l2-learning interface | show ethernet-switching interface |
Note:
There is no fxp0 out-of-band management interface on theSRX300, SRX320, and SRX500HM devices. (Platform support depends onthe Junos OS release in your installation.)
Layer 2 Next Generation Mode for ACX Series
The Layer 2 Next Generation mode, also called Enhanced Layer 2 Software (ELS), is supported on ACX5048, ACX5096, and ACX5448 routers for configuring Layer 2 features. The Layer 2 CLI configurations and show commands for ACX5048, ACX5096, ACX5448, ACX710, ACX7100, ACX7024, and ACX7509 routers differ from those for other ACX Series routers (ACX1000, ACX1100, ACX2000, ACX2100, ACX2200, and ACX4000) and MX Series routers.
Table 20 shows the differencesin CLI hierarchy for configuring Layer 2 features in Layer 2 nextgeneration mode.
Feature | ACX1000, ACX1100, ACX2000, ACX2100, ACX2200, ACX4000, and MX Series Routers | ACX5048, ACX5096, ACX5448, ACX710, ACX7100, ACX7024, and ACX7509 Routers |
|---|---|---|
Bridge Domain | [ | [ |
Family | [ | [ |
Layer 2 options | [ | [ |
Ethernet options | [ | [ |
Integrated routing and bridging (IRB) | [ |
|
Storm control | [ | [ [ |
Internet Group Management Protocol (IGMP) snooping | [ | [ |
Family | [ | [ |
Table 21 shows the differencesin show commands for Layer 2 features in Layer 2 next generationmode.
Feature | ACX1000, ACX1100, ACX2000, ACX2100, ACX2200,ACX4000, and MX Series Routers | ACX5048, ACX5096, ACX5448, ACX710, ACX7100, ACX7024, and ACX7509 Routers |
|---|---|---|
VLAN |
|
|
MAC table |
|
|
MAC table options |
|
|
Switch port listing with VLAN assignments |
|
|
Kernel state of flush database |
|
|
Release History Table
Release
Description
15.1X49-D40
Starting in JunosOS Release 15.1X49-D40, use the set protocols l2-learning global-mode(transparent-bridge| switching) command to switch between the Layer 2 transparentbridge mode and Ethernet switching mode.
15.1X49-D10
Starting in JunosOS Release 15.1X49-D10 and Junos OS Release 17.3R1, some Layer 2 CLIconfiguration statements are enhanced, and some commands are changed.
