How to Configure Private VLANs in Juniper Switch

I came across a requirement to split broadcast traffic, or to restrict communication between hosts within the same VLAN. Private VLAN (PVLAN) is a switch feature that does exactly this: it splits the broadcast domain and restricts communication between hosts that are members of the same VLAN. Private VLANs can be configured on all models of Juniper switches. In this article, I will show you the steps to configure Private VLANs in a Juniper switch.

Configure Private VLANs in Juniper Switch

Private VLANs in a Juniper switch use four types of switch ports.
  • Promiscuous Port – A trunk port on the switch that connects uplink to a router, firewall or servers. A promiscuous port can communicate with all other private VLAN ports within the private VLAN. The port is a member of the primary VLAN and must carry the primary VLAN's 802.1Q tag. Trunk ports that are members of a private VLAN are promiscuous ports.
  • Community Port – A port in a community VLAN. Hosts connected to ports in the same community VLAN can communicate with each other and with the promiscuous port of the same private VLAN. The community VLAN is a secondary VLAN, and the port is also a member of the primary VLAN.
  • Isolated Port – An isolated port cannot communicate with hosts on other isolated ports or on community ports within the same private VLAN. It can communicate only with the promiscuous port and with PVLAN trunk ports. If all isolated ports are on a single switch, you do not need to create a VLAN for them. Juniper switches also have another flavour of isolated port, the inter-switch isolated VLAN, which carries traffic from an isolated port on one switch to an isolated port on another switch through a PVLAN trunk. An inter-switch isolated VLAN must have a secondary VLAN ID associated with it.
  • PVLAN Trunk Port – The trunk port used to connect two or more switches when the PVLAN is configured on all of them. The trunk port is a member of every VLAN in the private VLAN: the primary VLAN, the community VLANs and the inter-switch isolated VLAN. Trunk ports that are made members of a private VLAN with the pvlan-trunk statement are PVLAN trunk ports.
Before creating private VLANs on a Juniper switch, check whether the version of Junos running on the switch supports the PVLAN feature. I am running Junos 12.3R6.6 on an EX3300 switch. Here is our simple scenario.

We have a single switch connected to an SRX gateway, with two community VLANs, COMM-SALES-10 and COMM-MARKETING-20, and one isolated VLAN. The isolated VLAN has no VLAN ID because this is a single-switch setup.

First, let's look at the configuration of the SRX. The promiscuous trunk port (ge-0/0/0 of the switch) is connected to port ge-0/0/0 of the SRX, so the SRX port must understand the tagged frames sent by the switch. We therefore configure VLAN tagging on the SRX port as follows.

[edit interfaces ge-0/0/0]
root@SRX# show
vlan-tagging;
unit 100 {
    vlan-id 100;
    family inet {
        address <srx-gateway-address>/<prefix>;   /* placeholder: replace with the SRX gateway address for VLAN 100 */
    }
}

Now, let’s configure the switch step by step.

Step 1. Configure the primary VLAN name with VLAN ID 100. The no-local-switching statement is what makes this VLAN the primary private VLAN.

root@EX3300# set vlans PVLAN vlan-id 100 no-local-switching

Step 2. Configure the promiscuous trunk port.

{master:0}[edit interfaces ge-0/0/0]
root@EX3300# set unit 0 family ethernet-switching port-mode trunk
{master:0}[edit interfaces ge-0/0/0]
root@EX3300# set unit 0 family ethernet-switching vlan members PVLAN

Step 3. Assign promiscuous trunk port in primary VLAN.

{master:0}[edit vlans] 
root@EX3300# set PVLAN interface ge-0/0/0


Step 4. Configure the access ports. All community ports and isolated ports must be in access port mode.

root# set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
root# set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
root# set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access


Step 5. Configure Community VLANs and assign ports to the community PVLANs.

{master:0}[edit vlans]
root@EX3300# set COMM-SALES-10 vlan-id 10
{master:0}[edit vlans]
root@EX3300# set COMM-SALES-10 primary-vlan PVLAN
{master:0}[edit vlans]
root@EX3300# set COMM-SALES-10 interface ge-0/0/3
{master:0}[edit vlans]
root@EX3300# set COMM-MARKETING-20 vlan-id 20
{master:0}[edit vlans]
root@EX3300# set COMM-MARKETING-20 primary-vlan PVLAN
{master:0}[edit vlans]
root@EX3300# set COMM-MARKETING-20 interface ge-0/0/4


Step 6. Assign the isolated port to the primary PVLAN. Because the primary VLAN has no-local-switching and ge-0/0/5 is not a member of any community VLAN, the port becomes an isolated port.

{master:0}[edit vlans]
root@EX3300# set PVLAN interface ge-0/0/5.0
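As an added example (not part of the original post), here is a small Python model that ties the port types described at the top of the article to the configuration built in steps 1 through 6: it reads the set commands (copied here as constructed input), classifies each port as promiscuous, community or isolated, and reports which pairs of ports the switch will forward traffic between. The reader and the forwarding rules are this example's own simplification, not Junos code, and they only cover the single-switch case (no pvlan-trunk and no inter-switch isolated VLAN).

```python
# Added example, not from the original post: model the private-VLAN port rules
# for the single-switch configuration built in steps 1-6 above.
from itertools import combinations

# Constructed input: the same "set" commands as steps 1-6 (ports as in the article).
CONFIG = """
set vlans PVLAN vlan-id 100 no-local-switching
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members PVLAN
set vlans PVLAN interface ge-0/0/0
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access
set vlans COMM-SALES-10 vlan-id 10
set vlans COMM-SALES-10 primary-vlan PVLAN
set vlans COMM-SALES-10 interface ge-0/0/3
set vlans COMM-MARKETING-20 vlan-id 20
set vlans COMM-MARKETING-20 primary-vlan PVLAN
set vlans COMM-MARKETING-20 interface ge-0/0/4
set vlans PVLAN interface ge-0/0/5.0
"""


def _new_vlan():
    return {"vlan_id": None, "primary": None, "no_local_switching": False, "interfaces": set()}


def parse_config(text):
    """Reduce the set commands to per-VLAN attributes and per-port port-mode.

    Only the statements used in the article are understood (vlan-id,
    no-local-switching, primary-vlan, interface, port-mode, vlan members);
    this is a simplified reader, not a Junos configuration parser.
    """
    vlans, modes = {}, {}
    for line in text.strip().splitlines():
        words = line.split()
        if words[:2] == ["set", "vlans"]:
            vlan = vlans.setdefault(words[2], _new_vlan())
            rest = words[3:]
            if rest[:1] == ["vlan-id"]:
                vlan["vlan_id"] = int(rest[1])
            if "no-local-switching" in rest:
                vlan["no_local_switching"] = True
            if rest[:1] == ["primary-vlan"]:
                vlan["primary"] = rest[1]
            if rest[:1] == ["interface"]:
                # "ge-0/0/5.0" and "ge-0/0/5" name the same port in this model
                vlan["interfaces"].add(rest[1].split(".")[0])
        elif words[:2] == ["set", "interfaces"]:
            port = words[2]
            if "port-mode" in words:
                modes[port] = words[words.index("port-mode") + 1]
            if "members" in words:      # "vlan members PVLAN" also makes the port a member
                vlans.setdefault(words[-1], _new_vlan())["interfaces"].add(port)
    return vlans, modes


def port_roles(vlans, modes):
    """Classify every port of the private VLAN as promiscuous, community or isolated.

    A trunk in the primary VLAN is promiscuous, a port listed under a secondary
    (community) VLAN is a community port, and an access port listed only under
    the primary VLAN is an isolated port. Returns {port: (role, community)}.
    """
    primaries = [name for name, vlan in vlans.items() if vlan["no_local_switching"]]
    if len(primaries) != 1:
        raise ValueError("expected exactly one VLAN with no-local-switching (the primary)")
    primary = primaries[0]
    roles = {}
    for name, vlan in vlans.items():
        if vlan["primary"] == primary:
            for port in vlan["interfaces"]:
                roles[port] = ("community", name)
    for port in vlans[primary]["interfaces"]:
        if modes.get(port) == "trunk":
            roles[port] = ("promiscuous", None)
        elif port not in roles:
            roles[port] = ("isolated", None)
    return roles


def can_forward(a, b, roles):
    """True if the switch forwards frames between ports a and b (symmetric)."""
    role_a, comm_a = roles[a]
    role_b, comm_b = roles[b]
    if "promiscuous" in (role_a, role_b):
        return True                      # the promiscuous port reaches every PVLAN port
    if role_a == role_b == "community":
        return comm_a == comm_b          # community ports: same community only
    return False                         # isolated ports reach no other host port


def reachability(text):
    """Map every unordered pair of ports to whether traffic is forwarded."""
    roles = port_roles(*parse_config(text))
    return {(a, b): can_forward(a, b, roles) for a, b in combinations(sorted(roles), 2)}


if __name__ == "__main__":
    for (a, b), ok in reachability(CONFIG).items():
        print(f"{a} <-> {b}: {'forwarded' if ok else 'blocked'}")
```

Running the script prints one line per port pair; with the article's configuration only the pairs that include ge-0/0/0 are forwarded, which is the whole point of the design: the two community ports and the isolated port can reach the SRX but not each other.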


To verify the configuration you can use the following commands (VLAN names are case-sensitive):

root@EX3300> show vlans
root@EX3300> show vlans PVLAN extensive
root@EX3300> show vlans extensive


Here is the resulting vlans configuration.

{master:0}[edit vlans]
root# show
COMM-MARKETING-20 {
    vlan-id 20;
    interface {
        ge-0/0/4.0;
    }
    primary-vlan PVLAN;
}
COMM-SALES-10 {
    vlan-id 10;
    interface {
        ge-0/0/3.0;
    }
    primary-vlan PVLAN;
}
PVLAN {
    vlan-id 100;
    interface {
        ge-0/0/0.0; //This is promiscuous port. See step 2 and 3 above.
        ge-0/0/5.0; //This is ISOLATED port. See step 6 above.
    }
    no-local-switching;
}

Here is the output of the show vlans command. The isolated port appears under an internal VLAN that Junos creates automatically (named after the primary VLAN and the port) and that carries no tag; ge-0/0/2 and ge-0/0/8 are unconfigured ports still in the default VLAN.

{master:0}[edit vlans]
root# run show vlans
Name                        Tag     Interfaces
COMM-MARKETING-20           20
                                    ge-0/0/0.0*, ge-0/0/4.0
COMM-SALES-10               10
                                    ge-0/0/0.0*, ge-0/0/3.0
PVLAN                       100
                                    ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0
__pvlan_PVLAN_ge-0/0/5.0__
                                    ge-0/0/0.0*, ge-0/0/5.0
default
                                    ge-0/0/2.0*, ge-0/0/8.0

Here is the output of the show vlans PVLAN extensive command. Note the line Secondary VLANs: Isolated 1, Community 2, which confirms one isolated and two community VLANs under the primary.
root# run show vlans PVLAN extensive
VLAN: PVLAN, Created at: Sun Jun 29 15:30:35 2014
802.1Q Tag: 100, Internal index: 2, Admin State: Enabled, Origin: Static
Private VLAN Mode: Primary
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 1 (Active = 1), Untagged  3 (Active = 0)
      ge-0/0/0.0*, tagged, trunk
      ge-0/0/3.0, untagged, access
      ge-0/0/4.0, untagged, access
      ge-0/0/5.0, untagged, access
Secondary VLANs: Isolated 1, Community  2, Inter-switch-isolated  0
  Isolated VLANs :
      __pvlan_PVLAN_ge-0/0/5.0__
  Community VLANs :
      COMM-MARKETING-20
      COMM-SALES-10
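As an added example (not from the original post), the following Python turns show vlans PVLAN extensive output like the one above into a structure and runs a few sanity checks on it: that the VLAN really is in Primary mode, that exactly one trunk (promiscuous) port is present, that the secondary VLAN counts match the names listed, and whether any host port is actually up yet. The sample text is constructed from the output above; the names under the Isolated VLANs and Community VLANs lists are assumed for the example (Junos generates the isolated VLAN name itself in a single-switch setup), the single-trunk check only holds for a single-switch PVLAN, and the check function is this example's own, not a Junos feature.

```python
# Added example, not from the original post: parse "show vlans PVLAN extensive"
# output and run a few sanity checks on the private VLAN it describes.
import re

# Constructed sample modelled on the output above. The names listed under
# "Isolated VLANs" and "Community VLANs" are assumed for this example.
SAMPLE = """\
VLAN: PVLAN, Created at: Sun Jun 29 15:30:35 2014
802.1Q Tag: 100, Internal index: 2, Admin State: Enabled, Origin: Static
Private VLAN Mode: Primary
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 1 (Active = 1), Untagged  3 (Active = 0)
      ge-0/0/0.0*, tagged, trunk
      ge-0/0/3.0, untagged, access
      ge-0/0/4.0, untagged, access
      ge-0/0/5.0, untagged, access
Secondary VLANs: Isolated 1, Community  2, Inter-switch-isolated  0
  Isolated VLANs :
      __pvlan_PVLAN_ge-0/0/5.0__
  Community VLANs :
      COMM-MARKETING-20
      COMM-SALES-10
"""

# One member line: interface, optional "*" (link up), tagging, port mode.
MEMBER_RE = re.compile(
    r"^\s+(?P<ifname>\S+?)(?P<active>\*?), (?P<tagging>tagged|untagged), (?P<mode>trunk|access)\s*$")
COUNTS_RE = re.compile(
    r"Number of interfaces: Tagged (\d+) \(Active = (\d+)\), Untagged\s+(\d+) \(Active = (\d+)\)")


def parse_pvlan_extensive(text):
    """Turn the CLI output into a dict with the fields a verification script needs."""
    info = {"members": [], "isolated_vlans": [], "community_vlans": []}
    section = None                       # which secondary-VLAN name list we are inside
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Isolated VLANs :":
            section = "isolated_vlans"
            continue
        if stripped == "Community VLANs :":
            section = "community_vlans"
            continue
        if section and stripped:         # indented VLAN names under the current list
            info[section].append(stripped)
            continue
        m = re.match(r"VLAN: (\S+), Created at", line)
        if m:
            info["name"] = m.group(1)
            continue
        m = re.match(r"802\.1Q Tag: (\d+)", line)
        if m:
            info["tag"] = int(m.group(1))
            continue
        m = re.match(r"Private VLAN Mode: (\S+)", line)
        if m:
            info["mode"] = m.group(1)
            continue
        m = COUNTS_RE.match(line)
        if m:
            (info["tagged"], info["tagged_active"],
             info["untagged"], info["untagged_active"]) = map(int, m.groups())
            continue
        m = re.match(r"Secondary VLANs: (.*)", line)
        if m:
            info["secondary"] = {k: int(v) for k, v in re.findall(r"([\w-]+)\s+(\d+)", m.group(1))}
            continue
        m = MEMBER_RE.match(line)
        if m:
            info["members"].append({"ifname": m["ifname"], "active": m["active"] == "*",
                                    "tagging": m["tagging"], "mode": m["mode"]})
    return info


def check_pvlan(info):
    """Return a list of findings; an empty list means the PVLAN looks as intended."""
    findings = []
    if info.get("mode") != "Primary":
        findings.append("not a primary private VLAN (is no-local-switching set?)")
    trunks = [m["ifname"] for m in info["members"] if m["mode"] == "trunk"]
    if len(trunks) != 1:                 # single-switch assumption: one promiscuous uplink
        findings.append(f"expected one promiscuous trunk port, found {trunks}")
    secondary = info.get("secondary", {})
    expected = secondary.get("Isolated", 0) + secondary.get("Community", 0)
    listed = len(info["isolated_vlans"]) + len(info["community_vlans"])
    if listed != expected:
        findings.append(f"secondary VLAN count {expected} does not match {listed} listed names")
    if info.get("untagged", 0) and info.get("untagged_active", 0) == 0:
        findings.append("no host port is up yet, so isolation cannot be observed from the switch alone")
    return findings


if __name__ == "__main__":
    parsed = parse_pvlan_extensive(SAMPLE)
    print(parsed["name"], parsed["tag"], parsed["secondary"])
    for finding in check_pvlan(parsed) or ["no findings"]:
        print("-", finding)
```

On the sample above the only finding is that all three access ports are down (Untagged 3, Active = 0), which is worth noticing: the configuration can only be proven correct end to end once hosts are attached and a ping between ge-0/0/3 and ge-0/0/4 fails while pings to the SRX succeed.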

Through the above steps, you can configure private VLANs on a Juniper switch.
