Ethernet Port Switching Modes on Security Devices
Understanding Switching Modes on Security Devices
There are two types of switching modes:
Switching Mode–The uPIM appears in the list of interfaces as a single interface, which is the first interface on the uPIM. For example, ge-2/0/0. You can optionally configure each uPIM port only for autonegotiation, speed, and duplex mode. A uPIM in switching mode can perform the following functions:
Layer 3 forwarding—Routes traffic destined for WAN interfaces and other PIMs present on the chassis.
Layer 2 forwarding—Switches intra-LAN traffic from one host on the LAN to another LAN host (one port of uPIM to another port of same uPIM).
Enhanced Switching Mode–Each port can be configured for switching or routing mode. This usage differs from the routing and switching modes, in which all ports must be in either switching or routing mode. The uPIM in enhanced switching mode provides the following benefits:
Benefits of enhnanced switch mode:
Supports configuration of different types of VLANs and inter-VLAN routing.
Supports Layer 2 control plane protocol such as Link Aggregation Control Protocol (LACP).
Supports port-based Network Access Control (PNAC) by means of authentication servers.
Note:The SRX300 and SRX320 devices support enhanced switching mode only. When you set a multiport uPIM to enhanced switching mode, all the Layer 2 switching features are supported on the uPIM. (Platform support depends on the Junos OS release in your installation.)
You can set a multiport Gigabit Ethernet uPIM on a device to either switching or enhanced switching mode.
When you set a multiport uPIM to switching mode, the uPIM appears as a single entity for monitoring purposes. The only physical port settings that you can configure are autonegotiation, speed, and duplex mode on each uPIM port, and these settings are optional.
Ethernet Ports Switching Overview for Security Devices
Certain ports on Juniper Networks devices can function as Ethernet access switches that switch traffic at Layer 2 and route traffic at Layer 3.
You can deploy supported devices in branch offices as an access or desktop switch with integrated routing capability, thus eliminating intermediate access switch devices from your network topology. The Ethernet ports provide switching while the Routing Engine provides routing functionality, enabling you to use a single device to provide routing, access switching, and WAN interfaces.
This topic contains the following sections:
- Supported Devices and Ports
- Integrated Bridging and Routing
- Link Layer Discovery Protocol and LLDP-Media Endpoint Discovery
- Types of Switch Ports
- uPIM in a Daisy Chain
- Q-in-Q VLAN Tagging
Supported Devices and Ports
Juniper Networks supports switching features on a variety of Ethernet ports and devices (see Table 1). Platform support depends on the Junos OS release in your installation. The following ports and devices are included:
Onboard Ethernet ports (Gigabit and Fast Ethernet built-in ports) on the SRX300, SRX320, SRX320 PoE, SRX340, SRX345, SRX550M and SRX1500 devices.
Multiport Gigabit Ethernet XPIM on the SRX650 device.
Device |
Ports |
|---|---|
SRX100 devices |
Onboard Fast Ethernet ports (fe-0/0/0 and fe-0/0/7) |
SRX210 devices |
Onboard Gigabit Ethernet ports (ge-0/0/0 and ge-0/0/1) and 1-Port Gigabit Ethernet SFP Mini-PIM port. Onboard Fast Ethernet ports (fe-0/0/2 and fe-0/0/7) |
SRX220 devices |
Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/7) and 1-Port Gigabit Ethernet SFP Mini-PIM port. |
SRX240 devices |
Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/15) and 1-Port Gigabit Ethernet SFP Mini-PIM port. |
SRX300 devices |
Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/7) |
SRX320 devices |
Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/7) |
SRX340 devices |
Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/15) |
SRX345 devices |
Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/15) |
SRX550 devices |
Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/9, Multiport Gigabit Ethernet XPIM modules, and 1-Port Gigabit Ethernet SFP Mini-PIM port. |
SRX550M devices |
Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/9 and Multiport Gigabit Ethernet XPIM modules. |
SRX650 devices |
Multiport Gigabit Ethernet XPIM modules Note:
On SRX650 devices, Ethernet switching is not supported on Gigabit Ethernet interfaces (ge-0/0/0 through ge-0/0/3 ports). |
SRX1500 devices |
Onboard Gigabit Ethernet ports (ge-0/0/0 through ge-0/0/19) |
On the SRX100. SRX220, SRX240, SRX300, SRX320, SRX340 and SRX345 devices, you can set the onboard Gigabit Ethernet ports to operate as either switched ports or routed ports. (Platform support depends on the Junos OS release in your installation.)
Integrated Bridging and Routing
Integrated bridging and routing (IRB) provides support for simultaneous Layer 2 swiching and Layer 3 routing within the same VLAN. Packets arriving on an interface of the VLAN are switched or routed based on the destination MAC address of the packet. Packets with the router’s MAC address as the destination are routed to other Layer 3 interfaces.
Link Layer Discovery Protocol and LLDP-Media Endpoint Discovery
Devices use Link Layer Discovery Protocol (LLDP) and LLDP-Media Endpoint Discovery (MED) to learn and distribute device information about network links. The information allows the device to quickly identify a variety of systems, resulting in a LAN that interoperates smoothly and efficiently.
LLDP-capable devices transmit information in Type Length Value (TLV) messages to neighbor devices. Device information can include specifics, such as chassis and port identification and system name and system capabilities. The TLVs leverage this information from parameters that have already been configured in the Junos OS.
LLDP-MED goes one step further, exchanging IP-telephony messages between the device and the IP telephone. These TLV messages provide detailed information about Power over Ethernet (PoE) policy. The PoE Management TLVs let the device ports advertise the power level and power priority needed. For example, the device can compare the power needed by an IP telephone running on a PoE interface with available resources. If the device cannot meet the resources required by the IP telephone, the device could negotiate with the telephone until a compromise on power is reached.
The following basic TLVs are supported:
Chassis Identifier—The MAC address associated with the local system.
Port identifier—The port identification for the specified port in the local system.
Port Description—The user-configured port description. The port description can be a maximum of 256 characters.
System Name—The user-configured name of the local system. The system name can be a maximum of 256 characters.
Switching Features Overview—This information is not configurable, but taken from the software.
System Capabilities—The primary function performed by the system. The capabilities that system supports; for example, Ethernet switching or router. This information is not configurable, but based on the model of the product.
Management Address—The IP management address of the local system.
The following LLDP-MED TLVs are supported:
LLDP-MED Capabilities—A TLV that advertises the primary function of the port. The values range from 0 through 15:
0—Capabilities
1—Network policy
2—Location identification
3—Extended power through medium-dependent interface power-sourcing equipment (MDI-PSE)
4—Inventory
5–15—Reserved
LLDP-MED Device Class Values:
0—Class not defined
1—Class 1 device
2—Class 2 device
3—Class 3 device
4—Network connectivity device
5–255— Reserved
Note:Starting in Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, Link Layer Discovery Protocol (LLDP) and LLDP-Media Endpoint Discovery (MFD) are enabled on SRX300, SRX320, SRX340, SRX345, SRX550M and SRX1500 devices.
Network Policy—A TLV that advertises the port VLAN configuration and associated Layer 2 and Layer 3 attributes. Attributes include the policy identifier, application types, such as voice or streaming video, 802.1Q VLAN tagging, and 802.1p priority bits and Diffserv code points.
Endpoint Location—A TLV that advertises the physical location of the endpoint.
Extended Power via MDI—A TLV that advertises the power type, power source, power priority, and power value of the port. It is the responsibility of the PSE device (network connectivity device) to advertise the power priority on a port.
LLDP and LLDP-MED must be explicitly configured on uPIMs (in
enhanced switching mode) on base ports on SRX100, SRX210, SRX240,
SRX300, SRX320, SRX340, and SRX345 devices, and Gigabit Backplane
Physical Interface Modules (GPIMs) on SRX650 devices. (Platform support
depends on the Junos OS release in your installation.) To configure
LLDP on all interfaces or on a specific interface, use the lldp statement at the [set protocols] hierarchy level. To
configure LLDP-MED on all interfaces or on a specific interface, use
the lldp-med statement at the [set protocols] hierarchy level.
Types of Switch Ports
The ports, or interfaces, on a switch operate in either access mode or trunk mode.
An interface in access mode connects to a network device, such as a desktop computer, an IP telephone, a printer, a file server, or a security camera. The interface itself belongs to a single VLAN. The frames transmitted over an access interface are normal Ethernet frames.
Trunk interfaces handle traffic for multiple VLANs, multiplexing the traffic for all those VLANs over the same physical connection. Trunk interfaces are generally used to interconnect switches to one another.
uPIM in a Daisy Chain
You cannot combine multiple uPIMs to act as a single integrated switch. However, you can connect uPIMs on the same chassis externally by physically connecting a port on one uPIM to a port on another uPIM in a daisy-chain fashion.
Two or more uPIMs daisy-chained together create a single switch with a higher port count than either individual uPIM. One port on each uPIM is used solely for the connection. For example, if you daisy-chain a 6-port uPIM and an 8-port uPIM, the result operates as a 12-port uPIM. Any port of a uPIM can be used for daisy chaining.
Configure the IP address for only one of the daisy-chained uPIMs, making it the primary uPIM. The secondary uPIM routes traffic to the primary uPIM, which forwards it to the Routing Engine. This results in some increase in latency and packet drops due to oversubscription of the external link.
Only one link between the two uPIMs is supported. Connecting more than one link between uPIMs creates a loop topology, which is not supported.
Q-in-Q VLAN Tagging
Q-in-Q tunneling, defined by the IEEE 802.1ad standard, allows service providers on Ethernet access networks to extend a Layer 2 Ethernet connection between two customer sites.
In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service provider's VLAN, a service provider-specific 802.1Q tag is added to the packet. This additional tag is used to segregate traffic into service-provider-defined service VLANs (S-VLANs). The original customer 802.1Q tag of the packet remains and is transmitted transparently, passing through the service provider's network. As the packet leaves the S-VLAN in the downstream direction, the extra 802.1Q tag is removed.
When Q-in-Q tunneling is configured for a service provider’s VLAN, all Routing Engine packets, including packets from the routed VLAN interface, that are transmitted from the customer-facing access port of that VLAN will always be untagged.
There are three ways to map C-VLANs to an S-VLAN:
All-in-one bundling—Use the
dot1q-tunnelingstatement at the [edit vlans] hierarchy level to map without specifying customer VLANs. All packets from a specific access interface are mapped to the S-VLAN.Many-to-one bundling—Use the
customer-vlansstatement at the [edit vlans] hierarchy level to specify which C-VLANs are mapped to the S-VLAN.Mapping C-VLAN on a specific interface—Use the
mappingstatement at the [edit vlans] hierarchy level to map a specific C-VLAN on a specified access interface to the S-VLAN.
Table 2 lists the C-VLAN to S-VLAN mapping supported on SRX Series Firewalls. (Platform support depends on the Junos OS release in your installation.)
Mapping |
SRX210 |
SRX240 |
SRX300 |
SRX320 |
SRX340 |
SRX345 |
SRX550M |
SRX650 |
|---|---|---|---|---|---|---|---|---|
All-in-one bundling |
Yes |
Yes |
No |
No |
Yes |
Yes |
Yes |
Yes |
Many-to-one bundling |
No |
No |
No |
No |
Yes |
Yes |
Yes |
Yes |
Mapping C-VLAN on a specific interface |
No |
No |
No |
No |
Yes |
Yes |
Yes |
Yes |
VLAN translation is supported on SRX300 and SRX320 devices and these devices do not support Q-in-Q tunneling.
On SRX650 devices, in the dot1q-tunneling configuration options, customer VLANs range and VLAN push do not work together for the same S-VLAN, even when you commit the configuration. If both are configured, then VLAN push takes priority over customer VLANs range.
IRB interfaces are supported on Q-in-Q VLANs for SRX210, SRX240, SRX340, SRX345, and SRX650 devices. Packets arriving on an IRB interface on a Q-in-Q VLAN are routed regardless of whether the packet is single or double tagged. The outgoing routed packets contain an S-VLAN tag only when exiting a trunk interface; the packets exit the interface untagged when exiting an access interface. (Platform support depends on the Junos OS release in your installation.)
In a Q-in-Q deployment, customer packets from downstream interfaces are transported without any changes to source and destination MAC addresses. You can disable MAC address learning at both the interface level and the VLAN level. Disabling MAC address learning on an interface disables learning for all the VLANs of which that interface is a member. When you disable MAC address learning on a VLAN, MAC addresses that have already been learned are flushed.
On SRX100, SRX210, SRX240, SRX300, SRX320, SRX340, SRX345, and SRX650 devices (with platform support depending on the Junos OS release in your installation), on the Layer 3 aggregated Ethernet, the following features are not supported:
Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPoE)
J-Web
Starting in Junos OS Release 19.4R2, you can configure the LLDP on redundant Ethernet (reth) interfaces. Use the
set protocol lldp interface <reth-interface>command to configure LLDP on reth interface.
On SRX550M devices the aggregate Ethernet (ae) interface with XE member interface cannot be configured with the Ethernet switching family.
On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, the Q-in-Q support on a Layer 3 interface has the following limitations:
Double tagging is not supported on reth and ae interfaces.
Multitopology routing is not supported in flow mode and in chassis clusters.
Dual tagged frames are not supported on encapsulations (such as CCC, TCC, VPLS, and PPPoE)
On Layer 3 logical interfaces,
input-vlan-map,output-vlan-map,inner-range, andinner-listare not applicableOnly TPIDs with 0x8100 are supported, and the maximum number of tags is 2.
Dual tagged frames are accepted only for logical interfaces with IPV4 and IPv6 families.
On SRX100, SRX210, SRX240, SRX300, SRX320, SRX340, SRX345, and SRX650 devices (with platform support depending on the Junos OS release in your installation), on the routed VLAN interface (RVI), the following features are not supported:
IS-IS (family ISO)
Encapsulations (Ether CCC, VLAN CCC, VPLS, PPPoE, and so on) on VLAN interfaces
CLNS
DVMRP
VLAN interface MAC change
G-ARP
Change VLAN-Id for VLAN interface
Example: Configuring Switching Modes on Security Devices
Requirements
Before you begin, see Ethernet Ports Switching Overview for Security Devices.
Overview
In this example, you configure chassis and set the
l2-learning protocol to global mode switching. You then set a physical
port parameter on the l2-learning protocols.
Topology
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set protocols l2-learning global-mode switching set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
Step-by-Step Procedure
To configure switching mode:
Set l2-learning protocol to global mode switching.
[edit protocols l2-learning] user@host# set protocols l2-learning global-mode switching
Set a physical port parameter on the l2-learning protocols.
[edit] user@host# set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Results
From configuration mode, confirm your configuration
by entering the show protocols and show interfaces commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
[edit]
user@host# show protocols
l2-learning {
global-mode switching;
}
[edit]
user@host# show interfaces
ge-0/0/1 {
unit 0 {
family ethernet-switching {
interface-mode access;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying the Switching Mode
Purpose
Make sure that the switching mode is configured as expected.
Action
From operational mode, enter the show ethernet-switching
global-information command.
user@host> show ethernet-switching global-information
Global Configuration:
MAC aging interval : 300
MAC learning : Enabled
MAC statistics : Disabled
MAC limit Count : 16383
MAC limit hit : Disabled
MAC packet action drop: Disabled
MAC+IP aging interval : IPv4 - 1200 seconds
IPv6 - 1200 seconds
MAC+IP limit Count : 393215
MAC+IP limit reached : No
LE aging time : 1200
LE VLAN aging time : 1200
Global Mode : Switching
RE state : MasterMeaning
The sample output shows that the global mode switching is configured as expected.
Verifying the Ethernet switching on Interface ge-0/0/1
Purpose
Make sure that the Ethernet switching is configured as expected on interface ge-0/0/1.
Action
From operational mode, enter the show interfaces
ge-0/0/1 brief command.
user@host> show interfaces ge-0/0/1 brief
Physical interface: ge-0/0/1, Enabled, Physical link is Down
Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 1000mbps, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Enabled, Remote fault: Online
Device flags : Present Running Down
Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
Link flags : None
Logical interface ge-0/0/1.0
Flags: Device-Down SNMP-Traps 0x0 Encapsulation: Ethernet-Bridge
Security: Zone: Null
eth-switchMeaning
The sample output shows that the Ethernet switching is configured on interface ge-0/0/1 as expected .
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.