Example: Configuring an IRB Interface in a Private VLAN on a Single MX Series Router
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature on MX Series routers allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN.
This example describes how to create an integrated routing and bridging (IRB) interface in a PVLAN bridge domain associated with a virtual switch instance on a single MX Series router.
Note: Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.
Requirements
This example uses the following hardware and software components:
One MX Series router in enhanced LAN mode.
Junos OS Release 15.1 or later for MX Series routers
Before you begin configuring a PVLAN, make sure you have:
Created and configured the necessary VLANs. See Configuring VLAN and Extended VLAN Encapsulation and Enabling VLAN Tagging.
Configured MX240, MX480, and MX960 routers to function in enhanced LAN mode by entering the network-services lan statement at the [edit chassis] hierarchy level.
Overview and Topology
In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows a simple topology to illustrate how to create a PVLAN with one primary VLAN and four community VLANs, as well as two isolated ports.
Assume a sample deployment in which a primary VLAN named Vp contains the ports p1, p2, t1, t2, i1, i2, cx1, and cx2. The port types of these configured ports are as follows:
Promiscuous ports = p1, p2
ISL ports = t1, t2
Isolated ports = i1, i2
Community ports = cx1, cx2 (members of the community VLAN Cx)
An IRB interface, irb.0, is configured and mapped to the bridge domain in the virtual switch instance.
Bridge domains are provisioned for each of the VLANs, namely, Vp, Vi, and Vcx. Assume the bridge domains to be configured as follows:
Vp—BD_primary_Vp (ports contained are p1, t1, i1, i2, cx1, cx2)
Vi—BD_isolate_Vi (ports contained are p1, t1, *i1, *i2)
Vcx—BD_community_Vcx (ports contained are p1, t1, cx1, cx2)
The bridge domains for the community, primary, and isolated VLANs are created automatically by the system when you configure a bridge domain with a trunk interface, access interface, or interswitch link. Each bridge domain carries the VLAN ID of the corresponding VLAN. To use bridge domains for PVLANs, you must configure the additional PVLAN attributes on the bridge domain: in this example, the isolated-vlan and community-vlans statements that designate the secondary VLANs, and the routing-interface statement that attaches the IRB interface, as shown in the following configuration.
Configuration
To configure an IRB interface in a PVLAN, perform these tasks:
CLI Quick Configuration
To quickly create and configure a PVLAN and include an IRB interface in a PVLAN bridge domain associated with a virtual switch instance, copy the following commands and paste them into the router terminal window:
Configuring an IRB Interface
set interfaces irb unit 0 family inet address 22.22.22.1/24
Configuring Promiscuous, ISL, Isolated, and Community Ports
set interfaces ge-0/0/9 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/9 unit 0 family bridge vlan-id 100
set interfaces ge-0/0/13 unit 0 family bridge interface-mode trunk inter-switch-link
set interfaces ge-0/0/13 unit 0 family bridge vlan-id 100
set interfaces ge-0/0/10 unit 0 family bridge interface-mode access
set interfaces ge-0/0/10 unit 0 family bridge vlan-id 10
set interfaces ge-0/0/12 unit 0 family bridge interface-mode access
set interfaces ge-0/0/12 unit 0 family bridge vlan-id 10
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 50
set interfaces ge-0/0/2 unit 0 family bridge interface-mode access
set interfaces ge-0/0/2 unit 0 family bridge vlan-id 50
set interfaces ge-0/0/3 unit 0 family bridge interface-mode access
set interfaces ge-0/0/3 unit 0 family bridge vlan-id 60
set interfaces ge-0/0/4 unit 0 family bridge interface-mode access
set interfaces ge-0/0/4 unit 0 family bridge vlan-id 60
Configuring a Virtual Switch Instance With Bridge Domain Interfaces
set routing-instances vs-1 instance-type virtual-switch
set routing-instances vs-1 interface ge-0/0/1.0
set routing-instances vs-1 interface ge-0/0/2.0
set routing-instances vs-1 interface ge-0/0/3.0
set routing-instances vs-1 interface ge-0/0/4.0
set routing-instances vs-1 interface ge-0/0/9.0
set routing-instances vs-1 interface ge-0/0/10.0
set routing-instances vs-1 interface ge-0/0/12.0
set routing-instances vs-1 interface ge-0/0/13.0
set routing-instances vs-1 bridge-domains bd1
Specify the IRB Interface and Primary, Isolated, and Community VLAN IDs in the Bridge Domain
set routing-instances vs-1 bridge-domains bd1 vlan-id 100
set routing-instances vs-1 bridge-domains bd1 isolated-vlan 10
set routing-instances vs-1 bridge-domains bd1 community-vlans [ 50 60 ]
set routing-instances vs-1 bridge-domains bd1 routing-interface irb.0
Procedure
Step-by-Step Procedure
To configure the IRB interface, the PVLAN port types including the interswitch link (ISL), and the secondary VLANs for the PVLAN:
Create an IRB interface.
[edit interfaces]
user@host# set irb unit 0 family inet address 22.22.22.1/24
Create a promiscuous port for the PVLAN.
[edit interfaces]
user@host# set ge-0/0/9 unit 0 family bridge interface-mode trunk
user@host# set ge-0/0/9 unit 0 family bridge vlan-id 100
Create the interswitch link (ISL) trunk port for the PVLAN.
[edit interfaces]
user@host# set ge-0/0/13 unit 0 family bridge interface-mode trunk inter-switch-link
user@host# set ge-0/0/13 unit 0 family bridge vlan-id 100
Create the isolated ports for the PVLAN.
[edit interfaces]
user@host# set ge-0/0/10 unit 0 family bridge interface-mode access
user@host# set ge-0/0/10 unit 0 family bridge vlan-id 10
user@host# set ge-0/0/12 unit 0 family bridge interface-mode access
user@host# set ge-0/0/12 unit 0 family bridge vlan-id 10
Create the community ports for the PVLAN.
[edit interfaces]
user@host# set ge-0/0/1 unit 0 family bridge interface-mode access
user@host# set ge-0/0/1 unit 0 family bridge vlan-id 50
user@host# set ge-0/0/2 unit 0 family bridge interface-mode access
user@host# set ge-0/0/2 unit 0 family bridge vlan-id 50
user@host# set ge-0/0/3 unit 0 family bridge interface-mode access
user@host# set ge-0/0/3 unit 0 family bridge vlan-id 60
user@host# set ge-0/0/4 unit 0 family bridge interface-mode access
user@host# set ge-0/0/4 unit 0 family bridge vlan-id 60
Create a virtual switch instance with a bridge domain and associate the logical interfaces.
[edit routing-instances]
user@host# set vs-1 instance-type virtual-switch
user@host# set vs-1 interface ge-0/0/1.0
user@host# set vs-1 interface ge-0/0/2.0
user@host# set vs-1 interface ge-0/0/3.0
user@host# set vs-1 interface ge-0/0/4.0
user@host# set vs-1 interface ge-0/0/9.0
user@host# set vs-1 interface ge-0/0/10.0
user@host# set vs-1 interface ge-0/0/12.0
user@host# set vs-1 interface ge-0/0/13.0
user@host# set vs-1 bridge-domains bd1
Specify the IRB interface, primary, isolated, and community VLAN IDs, and associate the VLANs with the bridge domain.
[edit routing-instances vs-1 bridge-domains bd1]
user@host# set vlan-id 100
user@host# set isolated-vlan 10
user@host# set community-vlans [ 50 60 ]
user@host# set routing-interface irb.0
Results
Check the results of the configuration:
[edit]
interfaces {
    ge-0/0/9 {
        unit 0 {
            family bridge {
                interface-mode trunk;   /* promiscuous port, by VLAN ID */
                vlan-id 100;
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family bridge {
                interface-mode trunk inter-switch-link;   /* ISL trunk */
                vlan-id 100;
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 10;   /* isolated port, by VLAN ID */
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 10;   /* isolated port, by VLAN ID */
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 50;   /* community port, by VLAN ID */
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 50;   /* community port, by VLAN ID */
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 60;   /* community port, by VLAN ID */
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 60;   /* community port, by VLAN ID */
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 22.22.22.1/24;
            }
        }
    }
}
[edit]
routing-instances {
    vs-1 {
        instance-type virtual-switch;
        interface ge-0/0/1.0;
        interface ge-0/0/2.0;
        interface ge-0/0/3.0;
        interface ge-0/0/4.0;
        interface ge-0/0/9.0;
        interface ge-0/0/10.0;
        interface ge-0/0/12.0;
        interface ge-0/0/13.0;
        bridge-domains {
            bd1 {
                vlan-id 100;   /* primary VLAN */
                isolated-vlan 10;
                community-vlans [ 50 60 ];
                routing-interface irb.0;   /* IRB interface */
            }
        }
    }
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That the Private VLAN and Secondary VLANs Were Created
Purpose
Verify that the primary VLAN and secondary VLANs were properly created on the router.
Action
Use the show bridge domain command:
user@host> show bridge domain
Routing instance  Bridge domain      VLAN ID  Interfaces
vs-1              bd1-primary-100    100      ge-0/0/9.0 ge-0/0/10.0 ge-0/0/12.0 ge-0/0/13.0
                                              ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0
vs-1              bd1-isolation-10   10       ge-0/0/9.0 ge-0/0/10.0 ge-0/0/12.0 ge-0/0/13.0
vs-1              bd1-comunity-50    50       ge-0/0/9.0 ge-0/0/13.0 ge-0/0/1.0 ge-0/0/2.0
vs-1              bd1-comunity-60    60       ge-0/0/9.0 ge-0/0/13.0 ge-0/0/3.0 ge-0/0/4.0
Meaning
The output shows that the primary VLAN was created and identifies the interfaces and secondary VLANs associated with it.
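Reading the membership table by eye does not prove that the isolation the PVLAN was configured for actually holds: an access port given the wrong vlan-id silently becomes a community member instead of an isolated port, and nothing in the router's commit will object. The following script is an added example, not part of this Juniper documentation and not a Junos tool. It parses show bridge domain output in the column layout shown above (the sample text is constructed from this example, not captured from a router), derives each port's PVLAN role from which secondary bridge domains it appears in, compares that against the intended roles from the configuration (EXPECTED_ROLES, a hypothetical table filled in from this page), and enumerates which port pairs can exchange frames under the standard PVLAN forwarding rule (promiscuous and ISL trunks reach everything, community members reach their own community, isolated ports reach only the trunks). The function and variable names are this example's own.

```python
import re
from itertools import permutations

# Constructed sample, not captured from a live router: the "show bridge domain"
# output of this example, in the column layout the CLI uses.  Long interface
# lists are continued on indented lines, which the parser also accepts.
SHOW_BRIDGE_DOMAIN = """\
Routing instance  Bridge domain      VLAN ID  Interfaces
vs-1              bd1-primary-100    100      ge-0/0/9.0 ge-0/0/10.0 ge-0/0/12.0 ge-0/0/13.0
                                              ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0
vs-1              bd1-isolation-10   10       ge-0/0/9.0 ge-0/0/10.0 ge-0/0/12.0 ge-0/0/13.0
vs-1              bd1-comunity-50    50       ge-0/0/9.0 ge-0/0/13.0 ge-0/0/1.0 ge-0/0/2.0
vs-1              bd1-comunity-60    60       ge-0/0/9.0 ge-0/0/13.0 ge-0/0/3.0 ge-0/0/4.0
"""

# Intended role of every port, taken from the configuration on this page (a
# hypothetical table for this example).  "trunk" covers both the promiscuous
# port and the ISL: the show output cannot tell them apart, and both are
# members of every secondary VLAN.
EXPECTED_ROLES = {
    "ge-0/0/9.0": ("trunk", 100), "ge-0/0/13.0": ("trunk", 100),
    "ge-0/0/10.0": ("isolated", 10), "ge-0/0/12.0": ("isolated", 10),
    "ge-0/0/1.0": ("community", 50), "ge-0/0/2.0": ("community", 50),
    "ge-0/0/3.0": ("community", 60), "ge-0/0/4.0": ("community", 60),
}

# Auto-generated PVLAN bridge-domain names look like <bd>-<kind>-<vlan>; the
# output above spells the community domains "comunity", so accept both.
DOMAIN_RE = re.compile(r"^(\S+)\s+(\S+)-(primary|isolation|comm?unity)-\d+\s+(\d+)\s+(.*)$")
KIND = {"primary": "primary", "isolation": "isolated",
        "comunity": "community", "community": "community"}


def parse_bridge_domains(text):
    """Return [{'kind', 'vlan', 'ports'}] for each bridge domain in the output."""
    domains = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Routing instance"):
            continue
        m = DOMAIN_RE.match(line)
        if m:
            domains.append({"kind": KIND[m.group(3)], "vlan": int(m.group(4)),
                            "ports": set(m.group(5).split())})
        elif line[0].isspace() and domains:
            domains[-1]["ports"].update(line.split())   # continuation line
        else:
            raise ValueError(f"unrecognized line: {line!r}")
    return domains


def classify_ports(domains):
    """Derive each port's PVLAN role from its secondary-domain membership.

    A port in every secondary domain is a trunk (promiscuous or ISL); a port in
    exactly one is isolated or a community member.  This needs at least two
    secondary VLANs, otherwise a lone isolated port is indistinguishable from a trunk.
    """
    (primary,) = [d for d in domains if d["kind"] == "primary"]
    secondaries = [d for d in domains if d["kind"] != "primary"]
    roles = {}
    for port in primary["ports"]:
        member = [(d["kind"], d["vlan"]) for d in secondaries if port in d["ports"]]
        if member and len(member) == len(secondaries):
            roles[port] = ("trunk", primary["vlan"])
        elif len(member) == 1:
            roles[port] = member[0]
        else:
            # Primary only, or in several but not all secondaries: not a valid
            # PVLAN role; role_mismatches() reports it.
            roles[port] = ("invalid", None)
    return roles


def can_reach(roles, src, dst):
    """PVLAN forwarding rule: trunks talk to everything, community members
    talk within their community, isolated ports talk only to trunks."""
    if src == dst:
        return False
    (s_kind, s_vlan), (d_kind, d_vlan) = roles[src], roles[dst]
    if "trunk" in (s_kind, d_kind):
        return True
    return s_kind == d_kind == "community" and s_vlan == d_vlan


def reachable_pairs(roles):
    """Every ordered (src, dst) port pair the PVLAN lets a frame cross."""
    return sorted(p for p in permutations(roles, 2) if can_reach(roles, *p))


def role_mismatches(roles, expected):
    """Ports whose observed role differs from the intended one, are missing
    from the primary domain, or are present but not in the intended table."""
    issues = [(p, want, roles.get(p, ("missing", None)))
              for p, want in sorted(expected.items()) if roles.get(p) != want]
    issues += [(p, None, roles[p]) for p in sorted(set(roles) - set(expected))]
    return issues


def audit(show_output, expected=EXPECTED_ROLES):
    """Parse the output and return (roles, mismatches, reachable_pairs)."""
    roles = classify_ports(parse_bridge_domains(show_output))
    return roles, role_mismatches(roles, expected), reachable_pairs(roles)


if __name__ == "__main__":
    roles, issues, pairs = audit(SHOW_BRIDGE_DOMAIN)
    for port, (kind, vlan) in sorted(roles.items()):
        print(f"{port:12} {kind:10} vlan {vlan}")
    print(f"{len(pairs)} reachable port pairs, {len(issues)} role mismatches")
    for issue in issues:
        print("MISMATCH", issue)
```

Feed it the real show bridge domain output (for example, via Junos's "| display" or an automation channel) and the mismatch list is the audit result: an empty list means every port sits in exactly the bridge domains its role requires, and the reachable pair list is the full matrix a pentester would try to cross. With the page's membership table the two isolated ports and the two communities cannot reach one another, and only 30 of the 56 ordered port pairs are reachable, all of them either involving a trunk or staying inside one community.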