- play_arrow Understanding Layer 2 Networking
- play_arrow Configuring MAC Addresses
- play_arrow Configuring MAC Learning
- play_arrow Configuring MAC Accounting
- play_arrow Configuring MAC Notification
- play_arrow Configuring MAC Table Aging
- play_arrow Configuring Learning and Forwarding
- play_arrow Configuring Bridging and VLANs
- play_arrow Configuring 802.1Q VLANs
- 802.1Q VLANs Overview
- 802.1Q VLAN IDs and Ethernet Interface Types
- Configuring Dynamic 802.1Q VLANs
- Enabling VLAN Tagging
- Configuring Tagged Interface with multiple tagged vlans and native vlan
- Sending Untagged Traffic Without VLAN ID to Remote End
- Configuring Tag Protocol IDs (TPIDs) on QFX Series Switches
- Configuring Flexible VLAN Tagging on PTX Series Packet Transport Routers
- Configuring an MPLS-Based VLAN CCC with Pop, Push, and Swap and Control Passthrough
- Binding VLAN IDs to Logical Interfaces
- Associating VLAN IDs to VLAN Demux Interfaces
- Configuring VLAN and Extended VLAN Encapsulation
- Configuring a Layer 2 VPN Routing Instance on a VLAN-Bundled Logical Interface
- Example: Configuring a Layer 2 VPN Routing Instance on a VLAN-Bundled Logical Interface
- Specifying the Interface Over Which VPN Traffic Travels to the CE Router
- Configuring Access Mode on a Logical Interface
- Configuring a Logical Interface for Trunk Mode
- Configuring the VLAN ID List for a Trunk Interface
- Configuring a Trunk Interface on a Bridge Network
- Configuring a VLAN-Bundled Logical Interface to Support a Layer 2 VPN Routing Instance
- Configuring a VLAN-Bundled Logical Interface to Support a Layer 2 VPN Routing Instance
- Configuring a Layer 2 Circuit on a VLAN-Bundled Logical Interface
- Example: Configuring a Layer 2 Circuit on a VLAN-Bundled Logical Interface
- Guidelines for Configuring VLAN ID List-Bundled Logical Interfaces That Connect CCCs
- Specifying the Interface to Handle Traffic for a CCC
- Specifying the Interface to Handle Traffic for a CCC Connected to the Layer 2 Circuit
- play_arrow Configuring Static ARP Table Entries
- play_arrow Configuring Restricted and Unrestricted Proxy ARP
- play_arrow Configuring Gratuitous ARP
- play_arrow Adjusting the ARP Aging Timer
- play_arrow Configuring Tagged VLANs
- play_arrow Stacking and Rewriting Gigabit Ethernet VLAN Tags
- Stacking and Rewriting Gigabit Ethernet VLAN Tags Overview
- Stacking and Rewriting Gigabit Ethernet VLAN Tags
- Configuring Frames with Particular TPIDs to Be Processed as Tagged Frames
- Configuring Tag Protocol IDs (TPIDs) on PTX Series Packet Transport Routers
- Configuring Stacked VLAN Tagging
- Configuring Dual VLAN Tags
- Configuring Inner and Outer TPIDs and VLAN IDs
- Stacking a VLAN Tag
- Stacking Two VLAN Tags
- Removing a VLAN Tag
- Removing the Outer and Inner VLAN Tags
- Removing the Outer VLAN Tag and Rewriting the Inner VLAN Tag
- Rewriting the VLAN Tag on Tagged Frames
- Rewriting a VLAN Tag on Untagged Frames
- Rewriting a VLAN Tag and Adding a New Tag
- Rewriting the Inner and Outer VLAN Tags
- Examples: Stacking and Rewriting Gigabit Ethernet IQ VLAN Tags
- Understanding Transparent Tag Operations and IEEE 802.1p Inheritance
- Understanding swap-by-poppush
- Configuring IEEE 802.1p Inheritance push and swap from the Transparent Tag
- play_arrow Configuring Layer 2 Bridging Interfaces
- play_arrow Configuring Layer 2 Virtual Switch Instances
- play_arrow Configuring Link Layer Discovery Protocol
- play_arrow Configuring Layer 2 Protocol Tunneling
- play_arrow Configuring Virtual Routing Instances
- play_arrow Configuring Layer 3 Logical Interfaces
- play_arrow Configuring Routed VLAN Interfaces
- play_arrow Configuring Integrated Routing and Bridging
- play_arrow Configuring VLANS and VPLS Routing Instances
- play_arrow Configuring Multiple VLAN Registration Protocol (MVRP)
- play_arrow Configuring Ethernet Ring Protection Switching
- play_arrow Configuring Q-in-Q Tunneling and VLAN Translation
- play_arrow Configuring Redundant Trunk Groups
- play_arrow Configuring Proxy ARP
- play_arrow Configuring Layer 2 Interfaces on Security Devices
- play_arrow Configuring Security Zones and Security Policies on Security Devices
- play_arrow Configuring Ethernet Port Switching Modes on Security Devices
- play_arrow Configuring Ethernet Port VLANs in Switching Mode on Security Devices
- play_arrow Configuring Secure Wire on Security Devices
- play_arrow Configuring Reflective Relay on Switches
- play_arrow Configuring Edge Virtual Bridging
- play_arrow Troubleshooting Ethernet Switching
- play_arrow Configuration Statements and Operational Commands
Forwarding of Packets Using IRB Interfaces in PVLANs
This topic describes how PVLAN packet forwarding operates with IRB interfaces on MX Series routers in enhanced LAN mode. The IRB interface operates as a Layer 3 gateway for all members of a bridging domain. All the members of bridging domain are assumed to be in the same subnet as the subnet of the IRB interface, which works as a gateway.
Consider a sample deployment scenario in which two routers, Router1 and Router2, are configured with a PVLAN. On Router1, the promiscuous port is P1, interswitch link is L1, isolated port is I1, and two community ports are C11 and C21. Similarly, on Router2, the promiscuous port is P2, interswitch link is L2, isolated port is I2, and two community ports are C12 and C22. In the example configuration, the two routers are interconnected through an ISL link, L1 with L2. A PVLAN domain is defined across these two routers encompassing a subdomain of isolated ports (I1, I2), and Community1 ports (C11, C12), and Community2 ports (C21, C22). Because all the ports are in the same subnet, without IRB, switching capability works across ports, across routers following the PVLAN rules. When the end-host needs to reach out cross the subnet, you must configure IRB on the bridging domain. From an end-host perspective, to reach out across the bridging domain, it needs to be configured with the IRB IP address as the default gateway address. All Layer 3 connectivity is established by processing ARP request and ARP responses. The following sections describe the different scenarios encountered for Layer 3 traffic support in PVLANs.
Incoming ARP Requests on PVLAN Ports
ARP requests enter a PVLAN port as broadcast packets. All packets that enter in the ingress direction of a PVLAN domain contain their bridge domain ID translated into the primary VLAN bridge domain ID. In this case, the bridge domain ID contained in the ARP packet is also translated be to the bridge domain ID of the primary VLAN. When IRB is configured in a bridging domain, the IRB MAC address is added to the MAC table as an eligible destination MAC address on the primary VLAN bridge domain ID. The ARP request is flooded to all ports of the secondary bridging domain in which it was received and, in addition, a copy is sent to the IRB logical interface.
When an IRB logical interface receives this packet, it sends the packet to the host as an ARP packet with the primary BD and the Layer 2 logical interface on which it is received. The PVLAN domain learns the source MAC address of the ARP packet and the kernel learns the sender IP of the ARP packet, and triggers a next-hop installation. If the ARP request is destined for IRB IP address, then an ARP response is sent. If proxy ARP is enabled on IRB, IRB responds with an ARP reply if the destination IP address is known.
The preceding configuration case describes a scenario the ARP request came on Local PVLAN port. If the ARP request is received on a remote PVLAN port, then it is flooded on all the ports of the remote PVLAN domain. Because IRB is configured only on one router of the PVLAN domain, on the remote PVLAN, the flooding is on all the ports. As part of the flooding in the remote PVLAN domain, a copy of the packet is sent to the ISL port. The ISL port processes this packet as though it was received on the local isolated port or community port and the aforementioned method of processing takes place
Outgoing ARP Responses on PVLAN Ports
When a ARP request is received in the kernel, both the bridge domain ID and the receiving Layer 2 logical interface are transmitted. A next-hop installation is triggered to create a next-hop to the Layer 2 logical interface for the sender IP address with the IRB MAC Address as the destination MAC address and the sender MAC address as the source MAC address, with both these addresses appearing as Layer 2 rewrite during the next-hop. If the ARP request queries for the IRB IP address, then an ARP response is sent to the receiving Layer 2 logical interface. If the ARP request queries for an IP address other than the IRB IP address, it is processed as though proxy ARP is enabled on IRB or it is discarded. Because all ARP requests are processed as being received on the primary VLAN, the response is also sent with the primary VLAN. However, when it reaches the receiving Layer 2 logical interface, the appropriate VLAN translation takes place.
The preceding scenario describes an ARP response being sent on a local PVLAN port. If the ARP request is received from a remote PVLAN domain, the receiving Layer 2 logical interface is the ISL port. In this case, the ARP response is sent to the ISL port, on the remote PVLAN domain, the ARP response received on the ISL port is forwarded to the same port where the ARP request is received. This behavior is possible because the source MAC address of the ARP request is learned on the shared VLAN.
Outgoing ARP Requests on PVLAN Ports
When IRB has to advertise a ARP request, it uses the kernel flood next-hop for the primary VLAN and floods to all the ports in the local PVLAN domain. The receiving ISL port also floods the packet to the remote PVLAN domain. Although the ARP request is constructed with the primary VLAN, in the egress direction, appropriate VLAN translation or VLAN pop is performed using the specific port.
Incoming ARP Responses on PVLAN Ports
ARP responses are unicast packets with the destination MAC address as the IRB MAC Address. When such a packet is received on the local PVLAN domain where IRB is enabled, it is forwarded to the IRB logical interface. When the packet arrives at the IRB logical interface, it is propagated to the host. The kernel triggers a next-hop installation with the appropriate Layer 2 rewrite. This operation works properly for ARP responses received on the local PVLAN port. If the ARP response is received on a remote PVLAN port, it is forwarded similar to a normal Layer 2 packet because IRB is not enabled in such a scenario. When the ARP request is sent out from the local PVLAN domain, the receiving ISL port in the remote PVLAN domain might have learned the IRB MAC address on that port, and this address is used to forward the packet to the IRB logical interface.
