EX4550 with l3 interface in a Private VLAN

  • 1.  EX4550 with l3 interface in a Private VLAN

    Posted 09-07-2020 12:48

    Hello,

     

    I am trying to assess if it's possible to configure an l3-interface with a private VLAN.

     

    My goal is to connect a VC of EX4550 to two routers, r0 and r1, via ae0 and ae1 respectively. I can get the L2 part working, no problem; my configuration works as expected.

     

    Now I would like to add routing between my VC private VLAN and r0 and r1, but the interfaces ae0 and ae1 are the primary ports and I cannot have them with two families. Also, I do not seem to be able to add an l3-interface (vlan or irb) to it, nor into the secondary VLAN, although my VC sw and r0 and r1 would not have their /30 to establish their OSPF.

     

    Is it even doable? Can EX4550 support Private VLAN and an l3-interface?

     

    Thanks.



  • 2.  RE: EX4550 with l3 interface in a Private VLAN

     
    Posted 09-07-2020 23:01

    It's not officially stated in the feature explorer and similar places, but I would expect it to work on EX4550 - try to follow these instructions and see where it gets you. Let us know of your progress 🙂

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/routed-vlan-interfaces.html

     

     



  • 3.  RE: EX4550 with l3 interface in a Private VLAN

    Posted 09-08-2020 00:20

    Many thanks for the reply!

     

    I've tried to apply it, but it does not seem to work:

     

    set vlans pvlan vlan-id 100
    
    set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae1 unit 0 family ethernet-switching vlan members pvlan
    
    set interfaces ge-0/0/24 unit 0 family ethernet-switching port-mode access
    set interfaces ge-1/0/24 unit 0 family ethernet-switching port-mode access
    set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode access
    set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access
    
    set vlans pvlan no-local-switching
    set vlans pvlan interface ae1.0
    
    set vlans cust_01 interface ge-0/0/24.0
    set vlans cust_01 interface ge-1/0/24.0
    
    set vlans cust_02 interface xe-0/0/0.0
    set vlans cust_02 interface xe-1/0/0.0
    
    set vlans cust_01 primary-vlan pvlan
    set vlans cust_02 primary-vlan pvlan
    
    set interfaces vlan unit 100 family inet address 10.10.10.6/24
    set interfaces vlan unit 100 proxy-arp unrestricted
    set interfaces vlan unit 100 family inet no-redirects
    
    set vlans pvlan l3-interface vlan.100
    

     

    - When applying to primary VLAN:

    {master:0}[edit]
    root@switch01# commit check
    [edit vlans]
    'pvlan'
    L3-interface cannot be specified in Private VLAN
    error: configuration check-out failed
    

    - When applying to secondary VLAN:

     

    {master:0}[edit vlans cust_01]
    root@switch01# commit check
    [edit vlans]
    'cust_01'
    L3-interface cannot be specified in Private VLAN
    error: configuration check-out failed
    

    and for the sake of clarity, I am running Junos 15.1R7-S7.1.

     

    Any hint would be highly appreciated.



  • 4.  RE: EX4550 with l3 interface in a Private VLAN

    Posted 09-08-2020 11:51

    Hi amn.

     

    I hope everything is ok with you.

     

    I checked your config and also tested it in my lab; the same commit error came up. I am afraid that what you are trying to do is not supported: an L3 interface in a PVLAN, as you can see below, is only supported on EX8200.

    Please check this link to get further details.

     

    NOTE

    Only an EX8200 switch or EX8200 Virtual Chassis support the use of an RVI to route Layer 3 traffic between isolated and community VLANs in a PVLAN domain.

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/private-vlans.html#id-creating-a-private-vlan-on-a-single-ex-series-switch-cli-procedure

     

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too.

     

    Kind regards
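The commit check failure posted earlier in this thread can be caught offline before a change is loaded onto a legacy (non-ELS) EX switch. The following is an added example, not code from any poster or from Juniper: the function names and the `mgmt` VLAN lines are constructed, and it assumes that `no-local-switching` or a `primary-vlan` reference is what marks a VLAN as part of a PVLAN, as in the posted configuration.

```python
import re

# Constructed sample in the legacy (non-ELS) set syntax used in the thread.
# The pvlan/cust_* lines mirror the posted config; the mgmt VLAN is invented.
SAMPLE = """\
set vlans pvlan vlan-id 100
set vlans pvlan no-local-switching
set vlans pvlan interface ae1.0
set vlans cust_01 interface ge-0/0/24.0
set vlans cust_01 primary-vlan pvlan
set vlans cust_02 primary-vlan pvlan
set vlans pvlan l3-interface vlan.100
set vlans mgmt vlan-id 200
set vlans mgmt l3-interface vlan.200
"""

# Matches "set vlans <name> <statement> [<value>]"; longer statements are skipped.
SET_VLAN = re.compile(r"^set vlans (\S+) (\S+)(?: (\S+))?$")

def parse_vlans(config):
    """Return {vlan: {statement: value or True}} for every 'set vlans' line."""
    vlans = {}
    for line in config.splitlines():
        m = SET_VLAN.match(line.strip())
        if m:
            name, stmt, value = m.groups()
            vlans.setdefault(name, {})[stmt] = value if value else True
    return vlans

def pvlan_roles(vlans):
    """Assumption: 'primary-vlan X' marks a secondary and X as its primary;
    'no-local-switching' marks a primary even before secondaries exist."""
    roles = {}
    for name, stmts in vlans.items():
        if "no-local-switching" in stmts:
            roles[name] = "primary"
        primary = stmts.get("primary-vlan")
        if isinstance(primary, str):
            roles[name] = "secondary"
            roles.setdefault(primary, "primary")
    return roles

def l3_in_pvlan(config):
    """List (vlan, role, l3-interface) entries that the posted commit check rejects."""
    vlans = parse_vlans(config)
    return [(name, role, vlans[name]["l3-interface"])
            for name, role in sorted(pvlan_roles(vlans).items())
            if "l3-interface" in vlans.get(name, {})]

if __name__ == "__main__":
    for name, role, rvi in l3_in_pvlan(SAMPLE):
        print(f"{name} ({role} PVLAN VLAN): l3-interface {rvi} will fail commit check")
```

The ordinary `mgmt` VLAN is not reported, because only VLANs inside the PVLAN domain trigger the error shown in the thread.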

     



  • 5.  RE: EX4550 with l3 interface in a Private VLAN

    Posted 09-08-2020 14:03

    Many thanks for your help.

     

    I did follow this very documentation. I can configure private-vlan, but I cannot configure an irb or vlan l3 interface. I would assume this is, indeed, a platform limitation for EX4550.

     

    Thanks!



  • 6.  RE: EX4550 with l3 interface in a Private VLAN
    Best Answer

    Posted 09-08-2020 14:15

    Hi amn.

     

     

    Based on the link provided, I'd say that all the legacy platforms like (EX2200-EX3300-EX4500) do not support that feature; however, as mentioned above by jonashauge, it seems to work on ELS devices.

     

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too.

     

    Cheers.



  • 7.  RE: EX4550 with l3 interface in a Private VLAN

     
    Posted 09-08-2020 12:23

    I have just tested the following config on a QFX5110 and have previously also used it for educational purposes on an EX3400, where it worked as expected. Please try to alter your config to match this and see if you succeed 🙂

     

    user@qfx# show |compare
    [edit interfaces]
    +   xe-0/0/10 {
    +       unit 0 {
    +           family ethernet-switching {
    +               vlan {
    +                   members isolated-vlan;
    +               }
    +           }
    +       }
    +   }
    +   xe-0/0/11 {
    +       unit 0 {
    +           family ethernet-switching {
    +               vlan {
    +                   members pvlan-primary;
    +               }
    +           }
    +       }
    +   }
    +   irb {
    +       unit 100 {
    +           proxy-arp unrestricted;
    +           family inet {
    +               no-redirects;
    +               address 10.10.10.6/24;
    +           }
    +       }
    +   }
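Review bot: `proxy-arp unrestricted` on irb unit 100 has the IRB answer ARP requests on behalf of other hosts in 10.10.10.0/24, so hosts on isolated ports can still reach each other through the routed interface even though they stay separated at Layer 2. If that reachability is not intended, this change should also attach a firewall filter to irb unit 100, or the reason for accepting it should be documented alongside the config.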
    [edit vlans]
    +   isolated-vlan {
    +       vlan-id 110;
    +       private-vlan isolated;
    +   }
    +   pvlan-primary {
    +       vlan-id 100;
    +       l3-interface irb.100;
    +       isolated-vlan isolated-vlan;
    +   }
    
    {master:0}[edit]
    user@qfx# commit check
    configuration check succeeds
    
    {master:0}[edit]
    user@qfx#
    

     

     



  • 8.  RE: EX4550 with l3 interface in a Private VLAN

    Posted 09-08-2020 14:01

    Many thanks for your help again.

     

    I think the platform is limited in terms of options and the command private-vlan under vlans does not exist; below are the possible options for the vlan portion. It could be that the EX4550 indeed has limitations, as stated.

     

    {master:0}[edit vlans isolated-vlan]
    root@switch01# set ?
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      description          Text description of the VLAN
    > dot1q-tunneling      Dot1q-tunneling parameters
    > filter               Packet filtering
    > interface            Name of interface that uses this VLAN
      isolation-id         Isolation VLAN tag (1..4094)
      l3-interface         Layer 3 interface for this VLAN
      l3-interface-ingress-counting  Enable ingress counting on layer 3 interface for this VLAN
    > mac-limit            Number of MAC addresses allowed on this VLAN
    > mac-table-aging-time  MAC aging time configuration
      no-local-switching   Disable local switching
      no-mac-learning      Disable mac learning
      primary-vlan         Primary VLAN for this community VLAN
      vlan-id              802.1q tag (1..4094)
      vlan-prune           Prune unnecessary VCP links from a VLAN
      vlan-range           VLAN range in the form '-'