Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Ethernet Port Switching Modes on Security Devices

Understanding Switching Modes on Security Devices

There are two types of switching modes:

  • Switching Mode–The uPIM appears in the list of interfaces as a single interface, which is the first interface on the uPIM. For example, ge-2/0/0. You can optionally configure each uPIM port only for autonegotiation, speed, and duplex mode. A uPIM in switching mode can perform the following functions:

    • Layer 3 forwarding—Routes traffic destined for WAN interfaces and other PIMs present on the chassis.

    • Layer 2 forwarding—Switches intra-LAN traffic from one host on the LAN to another LAN host (one port of uPIM to another port of same uPIM).

  • Enhanced Switching Mode–Each port can be configured for switching or routing mode. This usage differs from the routing and switching modes, in which all ports must be in either switching or routing mode. The uPIM in enhanced switching mode provides the following benefits:

    Benefits of enhnanced switch mode:

    • Supports configuration of different types of VLANs and inter-VLAN routing.

    • Supports Layer 2 control plane protocol such as Link Aggregation Control Protocol (LACP).

    • Supports port-based Network Access Control (PNAC) by means of authentication servers.

    Note:

    The SRX300 and SRX320 devices support enhanced switching mode only. When you set a multiport uPIM to enhanced switching mode, all the Layer 2 switching features are supported on the uPIM. (Platform support depends on the Junos OS release in your installation.)

You can set a multiport Gigabit Ethernet uPIM on a device to either switching or enhanced switching mode.

When you set a multiport uPIM to switching mode, the uPIM appears as a single entity for monitoring purposes. The only physical port settings that you can configure are autonegotiation, speed, and duplex mode on each uPIM port, and these settings are optional.

Ethernet Ports Switching Overview for Security Devices

Certain ports on Juniper Networks devices can function as Ethernet access switches that switch traffic at Layer 2 and route traffic at Layer 3.

You can deploy supported devices in branch offices as an access or desktop switch with integrated routing capability, thus eliminating intermediate access switch devices from your network topology. The Ethernet ports provide switching while the Routing Engine provides routing functionality, enabling you to use a single device to provide routing, access switching, and WAN interfaces.

This topic contains the following sections:

Supported Devices and Ports

Juniper Networks supports switching features on a variety of Ethernet ports and devices (see Table 1). Platform support depends on the Junos OS release in your installation. The following ports and devices are included:

  • Onboard Ethernet ports (Gigabit and Fast Ethernet built-in ports) on the SRX300, SRX320, SRX320 PoE, SRX340, SRX345, SRX550M and SRX1500 devices.

  • Multiport Gigabit Ethernet XPIM on the SRX650 device.

Table 1: Supported Devices and Ports for Switching Features

Device

Ports

SRX100 devices

Onboard Fast Ethernet ports (fe-0/0/0 and fe-0/0/7)

SRX210 devices

Onboard Gigabit Ethernet ports (ge-0/0/0 and ge-0/0/1) and 1-Port Gigabit Ethernet SFP Mini-PIM port.

Onboard Fast Ethernet ports (fe-0/0/2 and fe-0/0/7)

SRX220 devices

Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/7) and 1-Port Gigabit Ethernet SFP Mini-PIM port.

SRX240 devices

Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/15) and 1-Port Gigabit Ethernet SFP Mini-PIM port.

SRX300 devices

Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/7)

SRX320 devices

Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/7)

SRX340 devices

Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/15)

SRX345 devices

Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/15)

SRX550 devices

Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/9, Multiport Gigabit Ethernet XPIM modules, and 1-Port Gigabit Ethernet SFP Mini-PIM port.

SRX550M devices

Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/9 and Multiport Gigabit Ethernet XPIM modules.

SRX650 devices

Multiport Gigabit Ethernet XPIM modules

Note:

On SRX650 devices, Ethernet switching is not supported on Gigabit Ethernet interfaces (ge-0/0/0 through ge-0/0/3 ports).

SRX1500 devices

Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/19)

On the SRX100. SRX220, SRX240, SRX300, SRX320, SRX340 and SRX345 devices, you can set the onboard Gigabit Ethernet ports to operate as either switched ports or routed ports. (Platform support depends on the Junos OS release in your installation.)

Integrated Bridging and Routing

Integrated bridging and routing (IRB) provides support for simultaneous Layer 2 swiching and Layer 3 routing within the same VLAN. Packets arriving on an interface of the VLAN are switched or routed based on the destination MAC address of the packet. Packets with the router’s MAC address as the destination are routed to other Layer 3 interfaces.

Link Layer Discovery Protocol and LLDP-Media Endpoint Discovery

Devices use Link Layer Discovery Protocol (LLDP) and LLDP-Media Endpoint Discovery (MED) to learn and distribute device information about network links. The information allows the device to quickly identify a variety of systems, resulting in a LAN that interoperates smoothly and efficiently.

LLDP-capable devices transmit information in Type Length Value (TLV) messages to neighbor devices. Device information can include specifics, such as chassis and port identification and system name and system capabilities. The TLVs leverage this information from parameters that have already been configured in the Junos OS.

LLDP-MED goes one step further, exchanging IP-telephony messages between the device and the IP telephone. These TLV messages provide detailed information about Power over Ethernet (PoE) policy. The PoE Management TLVs let the device ports advertise the power level and power priority needed. For example, the device can compare the power needed by an IP telephone running on a PoE interface with available resources. If the device cannot meet the resources required by the IP telephone, the device could negotiate with the telephone until a compromise on power is reached.

The following basic TLVs are supported:

  • Chassis Identifier—The MAC address associated with the local system.

  • Port identifier—The port identification for the specified port in the local system.

  • Port Description—The user-configured port description. The port description can be a maximum of 256 characters.

  • System Name—The user-configured name of the local system. The system name can be a maximum of 256 characters.

  • Switching Features Overview—This information is not configurable, but taken from the software.

  • System Capabilities—The primary function performed by the system. The capabilities that system supports; for example, Ethernet switching or router. This information is not configurable, but based on the model of the product.

  • Management Address—The IP management address of the local system.

The following LLDP-MED TLVs are supported:

  • LLDP-MED Capabilities—A TLV that advertises the primary function of the port. The values range from 0 through 15:

    • 0—Capabilities

    • 1—Network policy

    • 2—Location identification

    • 3—Extended power through medium-dependent interface power-sourcing equipment (MDI-PSE)

    • 4—Inventory

    • 5–15—Reserved

  • LLDP-MED Device Class Values:

    • 0—Class not defined

    • 1—Class 1 device

    • 2—Class 2 device

    • 3—Class 3 device

    • 4—Network connectivity device

    • 5–255— Reserved

    Note:

    Starting in Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, Link Layer Discovery Protocol (LLDP) and LLDP-Media Endpoint Discovery (MFD) are enabled on SRX300, SRX320, SRX340, SRX345, SRX550M and SRX1500 devices.

  • Network Policy—A TLV that advertises the port VLAN configuration and associated Layer 2 and Layer 3 attributes. Attributes include the policy identifier, application types, such as voice or streaming video, 802.1Q VLAN tagging, and 802.1p priority bits and Diffserv code points.

  • Endpoint Location—A TLV that advertises the physical location of the endpoint.

  • Extended Power via MDI—A TLV that advertises the power type, power source, power priority, and power value of the port. It is the responsibility of the PSE device (network connectivity device) to advertise the power priority on a port.

LLDP and LLDP-MED must be explicitly configured on uPIMs (in enhanced switching mode) on base ports on SRX100, SRX210, SRX240, SRX300, SRX320, SRX340, and SRX345 devices, and Gigabit Backplane Physical Interface Modules (GPIMs) on SRX650 devices. (Platform support depends on the Junos OS release in your installation.) To configure LLDP on all interfaces or on a specific interface, use the lldp statement at the [set protocols] hierarchy level. To configure LLDP-MED on all interfaces or on a specific interface, use the lldp-med statement at the [set protocols] hierarchy level.

Types of Switch Ports

The ports, or interfaces, on a switch operate in either access mode or trunk mode.

An interface in access mode connects to a network device, such as a desktop computer, an IP telephone, a printer, a file server, or a security camera. The interface itself belongs to a single VLAN. The frames transmitted over an access interface are normal Ethernet frames.

Trunk interfaces handle traffic for multiple VLANs, multiplexing the traffic for all those VLANs over the same physical connection. Trunk interfaces are generally used to interconnect switches to one another.

uPIM in a Daisy Chain

You cannot combine multiple uPIMs to act as a single integrated switch. However, you can connect uPIMs on the same chassis externally by physically connecting a port on one uPIM to a port on another uPIM in a daisy-chain fashion.

Two or more uPIMs daisy-chained together create a single switch with a higher port count than either individual uPIM. One port on each uPIM is used solely for the connection. For example, if you daisy-chain a 6-port uPIM and an 8-port uPIM, the result operates as a 12-port uPIM. Any port of a uPIM can be used for daisy chaining.

Configure the IP address for only one of the daisy-chained uPIMs, making it the primary uPIM. The secondary uPIM routes traffic to the primary uPIM, which forwards it to the Routing Engine. This results in some increase in latency and packet drops due to oversubscription of the external link.

Only one link between the two uPIMs is supported. Connecting more than one link between uPIMs creates a loop topology, which is not supported.

Q-in-Q VLAN Tagging

Q-in-Q tunneling, defined by the IEEE 802.1ad standard, allows service providers on Ethernet access networks to extend a Layer 2 Ethernet connection between two customer sites.

In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service provider's VLAN, a service provider-specific 802.1Q tag is added to the packet. This additional tag is used to segregate traffic into service-provider-defined service VLANs (S-VLANs). The original customer 802.1Q tag of the packet remains and is transmitted transparently, passing through the service provider's network. As the packet leaves the S-VLAN in the downstream direction, the extra 802.1Q tag is removed.

Note:

When Q-in-Q tunneling is configured for a service provider’s VLAN, all Routing Engine packets, including packets from the routed VLAN interface, that are transmitted from the customer-facing access port of that VLAN will always be untagged.

There are three ways to map C-VLANs to an S-VLAN:

  • All-in-one bundling—Use the dot1q-tunneling statement at the [edit vlans] hierarchy level to map without specifying customer VLANs. All packets from a specific access interface are mapped to the S-VLAN.

  • Many-to-one bundling—Use the customer-vlans statement at the [edit vlans] hierarchy level to specify which C-VLANs are mapped to the S-VLAN.

  • Mapping C-VLAN on a specific interface—Use the mapping statement at the [edit vlans] hierarchy level to map a specific C-VLAN on a specified access interface to the S-VLAN.

Table 2 lists the C-VLAN to S-VLAN mapping supported on SRX Series Firewalls. (Platform support depends on the Junos OS release in your installation.)

Table 2: Supported Mapping Methods

Mapping

SRX210

SRX240

SRX300

SRX320

SRX340

SRX345

SRX550M

SRX650

All-in-one bundling

Yes

Yes

No

No

Yes

Yes

Yes

Yes

Many-to-one bundling

No

No

No

No

Yes

Yes

Yes

Yes

Mapping C-VLAN on a specific interface

No

No

No

No

Yes

Yes

Yes

Yes

Note:

VLAN translation is supported on SRX300 and SRX320 devices and these devices do not support Q-in-Q tunneling.

Note:

On SRX650 devices, in the dot1q-tunneling configuration options, customer VLANs range and VLAN push do not work together for the same S-VLAN, even when you commit the configuration. If both are configured, then VLAN push takes priority over customer VLANs range.

IRB interfaces are supported on Q-in-Q VLANs for SRX210, SRX240, SRX340, SRX345, and SRX650 devices. Packets arriving on an IRB interface on a Q-in-Q VLAN are routed regardless of whether the packet is single or double tagged. The outgoing routed packets contain an S-VLAN tag only when exiting a trunk interface; the packets exit the interface untagged when exiting an access interface. (Platform support depends on the Junos OS release in your installation.)

In a Q-in-Q deployment, customer packets from downstream interfaces are transported without any changes to source and destination MAC addresses. You can disable MAC address learning at both the interface level and the VLAN level. Disabling MAC address learning on an interface disables learning for all the VLANs of which that interface is a member. When you disable MAC address learning on a VLAN, MAC addresses that have already been learned are flushed.

On SRX100, SRX210, SRX240, SRX300, SRX320, SRX340, SRX345, and SRX650 devices (with platform support depending on the Junos OS release in your installation), on the Layer 3 aggregated Ethernet, the following features are not supported:

  • Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPoE)

  • J-Web

  • Starting in Junos OS Release 19.4R2, you can configure the LLDP on redundant Ethernet (reth) interfaces. Use the set protocol lldp interface <reth-interface> command to configure LLDP on reth interface.

  • On SRX550M devices the aggregate Ethernet (ae) interface with XE member interface cannot be configured with the Ethernet switching family.

  • On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, the Q-in-Q support on a Layer 3 interface has the following limitations:

    • Double tagging is not supported on reth and ae interfaces.

    • Multitopology routing is not supported in flow mode and in chassis clusters.

    • Dual tagged frames are not supported on encapsulations (such as CCC, TCC, VPLS, and PPPoE)

    • On Layer 3 logical interfaces, input-vlan-map, output-vlan-map, inner-range, and inner-list are not applicable

    • Only TPIDs with 0x8100 are supported, and the maximum number of tags is 2.

    • Dual tagged frames are accepted only for logical interfaces with IPV4 and IPv6 families.

  • On SRX100, SRX210, SRX240, SRX300, SRX320, SRX340, SRX345, and SRX650 devices (with platform support depending on the Junos OS release in your installation), on the routed VLAN interface (RVI), the following features are not supported:

    • IS-IS (family ISO)

    • Encapsulations (Ether CCC, VLAN CCC, VPLS, PPPoE, and so on) on VLAN interfaces

    • CLNS

    • DVMRP

    • VLAN interface MAC change

    • G-ARP

    • Change VLAN-Id for VLAN interface

Example: Configuring Switching Modes on Security Devices

Requirements

Overview

In this example, you configure chassis and set the l2-learning protocol to global mode switching. You then set a physical port parameter on the l2-learning protocols.

Topology

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure switching mode:

  1. Set l2-learning protocol to global mode switching.

  2. Set a physical port parameter on the l2-learning protocols.

  3. If you are done configuring the device, commit the configuration.

Results

From configuration mode, confirm your configuration by entering the show protocols and show interfaces commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Switching Mode

Purpose

Make sure that the switching mode is configured as expected.

Action

From operational mode, enter the show ethernet-switching global-information command.

Meaning

The sample output shows that the global mode switching is configured as expected.

Verifying the Ethernet switching on Interface ge-0/0/1

Purpose

Make sure that the Ethernet switching is configured as expected on interface ge-0/0/1.

Action

From operational mode, enter the show interfaces ge-0/0/1 brief command.

Meaning

The sample output shows that the Ethernet switching is configured on interface ge-0/0/1 as expected .

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
15.1X49-D60
Starting in Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, Link Layer Discovery Protocol (LLDP) and LLDP-Media Endpoint Discovery (MFD) are enabled on SRX300, SRX320, SRX340, SRX345, SRX550M and SRX1500 devices.