Ethernet Port VLANs in Switching Mode on Security Devices
Understanding VLAN Retagging on Security Devices
VLAN retagging is not supported from Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D60.
Starting in Junos OS Release 15.1X49-D70, VLAN retagging in switching mode is supported on SRX300, SRX320, SRX340, SRX345, and SRX550M devices.
Starting in Junos OS Release 15.1X49-D80, VLAN retagging in switching mode is supported on SRX1500 devices.
To support VLAN retagging on SRX Series Firewalls, configure vlan-rewrite in transparent mode and configure swap in switching mode.
The VLAN identifier in packets arriving on a Layer 2 trunk port can be rewritten or retagged with a different internal VLAN identifier. VLAN retagging is a symmetric operation; upon exiting the same trunk port, the retagged VLAN identifier is replaced with the original VLAN identifier. VLAN retagging provides a way to selectively screen incoming packets and redirect them to a firewall or other security device without affecting other VLAN traffic.
VLAN retagging can be applied only to interfaces configured as Layer 2 trunk interfaces. These interfaces can include redundant Ethernet interfaces in a Layer 2 transparent mode within a chassis cluster configuration.
If a trunk port is configured for VLAN retagging, untagged packets received on the port are not assigned a VLAN identifier with the VLAN retagging configuration. To configure a VLAN identifier for untagged packets received on the physical interface, use the native-vlan-id statement.
To configure VLAN retagging for a Layer 2 trunk interface, specify a one-to-one mapping of the following:
- Incoming VLAN identifier: VLAN identifier of the incoming packet that is to be retagged. This VLAN identifier must not be the same VLAN identifier configured with the native-vlan-id statement for the trunk port.
- Internal VLAN identifier: VLAN identifier for the retagged packet. This VLAN identifier must be in the VLAN identifier list for the trunk port and must not be the same VLAN identifier configured with the native-vlan-id statement for the trunk port.
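The mapping rules above can be checked before a retag plan is committed. The following is an added example, not Juniper code or Junos syntax; the function names and all VLAN numbers are constructed for illustration.

```python
# Added illustration (not Junos code): lint a VLAN retag plan and model the
# symmetric translation on one trunk port. All VLAN numbers are constructed.

def validate_retag(trunk_vlans, native_vlan, mappings):
    """Return rule violations for a list of (incoming, internal) VLAN ID pairs."""
    errors = []
    seen_incoming, seen_internal = set(), set()
    for incoming, internal in mappings:
        if incoming == native_vlan:
            errors.append(f"{incoming}->{internal}: incoming ID is the native-vlan-id")
        if internal == native_vlan:
            errors.append(f"{incoming}->{internal}: internal ID is the native-vlan-id")
        if internal not in trunk_vlans:
            errors.append(f"{incoming}->{internal}: internal ID not in trunk VLAN list")
        if incoming in seen_incoming or internal in seen_internal:
            errors.append(f"{incoming}->{internal}: mapping is not one-to-one")
        seen_incoming.add(incoming)
        seen_internal.add(internal)
    return errors

def ingress(vlan_id, native_vlan, mappings):
    """Internal VLAN ID for a frame arriving on the trunk (None = untagged)."""
    if vlan_id is None:
        # Retagging never assigns an ID to untagged frames; only native-vlan-id does.
        return native_vlan
    return dict(mappings).get(vlan_id, vlan_id)

def egress(vlan_id, mappings):
    """VLAN ID restored when the frame leaves the same trunk port."""
    reverse = {internal: incoming for incoming, internal in mappings}
    return reverse.get(vlan_id, vlan_id)

TRUNK_VLANS = {10, 20, 30}      # constructed VLAN ID list for the trunk
NATIVE_VLAN = 1                 # constructed native-vlan-id
GOOD_PLAN = [(11, 10), (21, 20)]
BAD_PLAN = [(1, 10), (12, 40), (13, 10)]   # native reuse, unknown ID, duplicate

if __name__ == "__main__":
    print(validate_retag(TRUNK_VLANS, NATIVE_VLAN, GOOD_PLAN))
    for problem in validate_retag(TRUNK_VLANS, NATIVE_VLAN, BAD_PLAN):
        print(problem)
    print(ingress(11, NATIVE_VLAN, GOOD_PLAN), egress(10, GOOD_PLAN))
```

VLANs that have no entry in the plan pass through unchanged in both directions, which matches the statement that retagging does not affect other VLAN traffic.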
Configuring VLAN Retagging on a Layer 2 Trunk Interface of a Security Device
VLAN retagging is a feature that works on IEEE standard 802.1Q virtual LAN tagging (VLAN tagging). VLAN retagging for SRX1500 devices is an enterprise style of VLAN retagging, in which a single command is sufficient on top of normal trunk configuration.
Example: Configuring a Guest VLAN on a Security Device
This example shows how to configure a guest VLAN for limited network access or for Internet-only access to avoid compromising a company’s security.
Guest VLANs are not supported from Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D60.
Requirements
Before you begin, verify that the interfaces that will be used are in switch mode. See Example: Configuring Switching Modes on Security Devices and Understanding Switching Modes on Security Devices.
Overview
In this example, you configure a VLAN called visitor-vlan with a VLAN ID of 300. Then you set protocols and configure visitor-vlan as the guest VLAN.
Configuration
Procedure
Step-by-Step Procedure
To configure a guest VLAN:
Configure a VLAN.
[edit]
user@host# set vlans visitor-vlan vlan-id 300
Specify the guest VLAN.
[edit]
user@host# set protocols dot1x authenticator interface all guest-vlan visitor-vlan
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify the configuration is working properly, enter the show vlans and show protocols dot1x commands.