Juniper EX – Private vlans

I’ve gone over pvlans before on IOS, so I’m going to cover Juniper’s implementation today. This post will be based on the following topology:
[Figure: PVLANS-1 topology diagram]
There are five hosts and a single router. Host1 and Host3 are in the same community vlan, while Host2, Host4, and Host5 are in isolated vlans. R1 is the default gateway for all hosts.
The vlan plan is laid out as follows:

PVLAN Table

Host  Switch  Vlan type  Vlan-id
1     SW1     Community  501
2     SW1     Isolated   502
3     SW2     Community  501
4     SW2     Isolated   502
5     SW2     Isolated   502
R1    SW3     Primary    500

Community vlan – SW1

A community vlan is given a vlan-id and a primary vlan. The member interface is enabled under the vlan configuration:

set vlans HOST_COMM vlan-id 501
set vlans HOST_COMM primary-vlan HOST_PRIMARY
set vlans HOST_COMM interface ge-0/0/4.0

Isolated and Primary Vlan – SW1

Isolated vlans are configured directly under the primary vlan, and the interfaces in the isolated vlan are also specified under the vlans hierarchy. Finally, as these pvlans span multiple switches, you need to ensure the trunk interfaces are pvlan-aware:

set vlans HOST_PRIMARY vlan-id 500
set vlans HOST_PRIMARY interface ge-0/0/1.0 pvlan-trunk
set vlans HOST_PRIMARY interface ge-0/0/3.0 pvlan-trunk
set vlans HOST_PRIMARY interface ge-0/0/5.0
set vlans HOST_PRIMARY no-local-switching
set vlans HOST_PRIMARY isolation-id 502

Personally I really don’t like the Junos way of doing isolated vlans. Interface ge-0/0/5.0 is an isolated port because it’s untagged and no-local-switching is configured. The promiscuous port to R1 on SW3 is configured like so:

set vlans HOST_PRIMARY vlan-id 500
set vlans HOST_PRIMARY interface ge-0/0/2.0 pvlan-trunk
set vlans HOST_PRIMARY interface ge-0/0/1.0 pvlan-trunk
set vlans HOST_PRIMARY interface ge-0/0/0.0
set vlans HOST_PRIMARY no-local-switching
set vlans HOST_PRIMARY isolation-id 502

There is no difference in the vlan configuration between an actual isolated port and a promiscuous port. What makes the difference is the interface configuration itself on each switch. On SW1, the isolated port is untagged:

[email protected]> show configuration interfaces ge-0/0/5
unit 0 {
    family ethernet-switching {
        port-mode access;
    }
}

While SW3’s port to R1 is tagged:

[email protected]> show configuration interfaces ge-0/0/0
unit 0 {
    family ethernet-switching {
        port-mode trunk;
    }
}

If I wanted SW3’s link to R1 to be untagged, that would change it to an isolated port. If I needed a host to send tagged traffic into an isolated vlan (like an ESX server), Junos makes that a promiscuous port. This is a lack of flexibility that I don’t like: the switch should be able to put a device in isolated or promiscuous mode by configuration, independent of whether the host-facing port carries a dot1q tag.

Verification

The show vlans extensive command displays the pvlan information. It would be nice if Junos had a separate show pvlans command:

[email protected]> show vlans extensive
VLAN: HOST_COMM, Created at: Wed Mar 19 04:00:58 2014
802.1Q Tag: 501, Internal index: 14, Admin State: Enabled, Origin: Static
Private VLAN Mode: Community, Primary VLAN: HOST_PRIMARY
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 2 (Active = 2), Untagged  1 (Active = 1)
      ge-0/0/1.0*, tagged, trunk, pvlan-trunk
      ge-0/0/3.0*, tagged, trunk, pvlan-trunk
      ge-0/0/4.0*, untagged, access

Here we see ge-0/0/4.0 is an access port in vlan HOST_COMM. ge-0/0/1.0 and ge-0/0/3.0 are pvlan trunks as expected.

VLAN: HOST_PRIMARY, Created at: Wed Mar 19 04:00:58 2014
802.1Q Tag: 500, Internal index: 16, Admin State: Enabled, Origin: Static
Private VLAN Mode: Primary
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 2 (Active = 2), Untagged  2 (Active = 2)
      ge-0/0/1.0*, tagged, trunk, pvlan-trunk
      ge-0/0/3.0*, tagged, trunk, pvlan-trunk
      ge-0/0/4.0*, untagged, access
      ge-0/0/5.0*, untagged, access
Secondary VLANs: Isolated 1, Community  1, Inter-switch-isolated  1
  Isolated VLANs :
      __pvlan_HOST_PRIMARY_ge-0/0/5.0__
  Community VLANs :
      HOST_COMM
  Inter-switch-isolated VLAN :
      __pvlan_HOST_PRIMARY_isiv__

VLAN: __pvlan_HOST_PRIMARY_ge-0/0/5.0__, Created at: Wed Mar 19 04:26:16 2014
Internal index: 17, Admin State: Enabled, Origin: Static
Private VLAN Mode: Isolated, Primary VLAN: HOST_PRIMARY
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 2 (Active = 2), Untagged  1 (Active = 1)
      ge-0/0/1.0*, tagged, trunk, pvlan-trunk
      ge-0/0/3.0*, tagged, trunk, pvlan-trunk
      ge-0/0/5.0*, untagged, access

VLAN: __pvlan_HOST_PRIMARY_isiv__, Created at: Wed Mar 19 04:26:16 2014
802.1Q Tag: 502, Internal index: 18, Admin State: Enabled, Origin: Static
Private VLAN Mode: Inter-switch-isolated, Primary VLAN: HOST_PRIMARY
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 2 (Active = 2), Untagged  0 (Active = 0)
      ge-0/0/1.0*, tagged, trunk, pvlan-trunk
      ge-0/0/3.0*, tagged, trunk, pvlan-trunk

That is a lot of information, but it does show which ports are connected to the primary vlan and which are isolated. It also shows which community and isolated vlans are attached to the primary vlan.

Ultimately, the end result is that Host1 should be able to ping Host3 and Router1 but nothing else:

[email protected]_HOST> ping routing-instance HOST1 10.0.0.2 rapid
PING 10.0.0.2 (10.0.0.2): 56 data bytes
.....
--- 10.0.0.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

{master:0}
[email protected]_HOST> ping routing-instance HOST1 10.0.0.3 rapid
PING 10.0.0.3 (10.0.0.3): 56 data bytes
!!!!!
--- 10.0.0.3 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.056/1.175/1.415/0.136 ms

{master:0}
[email protected]_HOST> ping routing-instance HOST1 10.0.0.4 rapid
PING 10.0.0.4 (10.0.0.4): 56 data bytes
.....
--- 10.0.0.4 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

{master:0}
[email protected]_HOST> ping routing-instance HOST1 10.0.0.5 rapid
PING 10.0.0.5 (10.0.0.5): 56 data bytes
.....
--- 10.0.0.5 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

{master:0}
[email protected]_HOST> ping routing-instance HOST1 10.0.0.254 rapid
PING 10.0.0.254 (10.0.0.254): 56 data bytes
!!!!!
--- 10.0.0.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.007/1.189/1.638/0.229 ms

I won’t go over every single possible combination as there would simply be too much text, but I’ll go over Host4 and Router1.

Host4 should only be able to ping Router1 and nothing else:

[email protected]_HOST> ping routing-instance HOST4 10.0.0.1 rapid
PING 10.0.0.1 (10.0.0.1): 56 data bytes
.....
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

{master:0}
[email protected]_HOST> ping routing-instance HOST4 10.0.0.2 rapid
PING 10.0.0.2 (10.0.0.2): 56 data bytes
.....
--- 10.0.0.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

{master:0}
[email protected]_HOST> ping routing-instance HOST4 10.0.0.3 rapid
PING 10.0.0.3 (10.0.0.3): 56 data bytes
.....
--- 10.0.0.3 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

{master:0}
[email protected]_HOST> ping routing-instance HOST4 10.0.0.5 rapid
PING 10.0.0.5 (10.0.0.5): 56 data bytes
.....
--- 10.0.0.5 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

{master:0}
[email protected]_HOST> ping routing-instance HOST4 10.0.0.254 rapid
PING 10.0.0.254 (10.0.0.254): 56 data bytes
!!!!!
--- 10.0.0.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.997/1.763/3.471/0.927 ms

Finally, Router1 should be able to ping all hosts:

[email protected]_HOST> ping routing-instance ROUTER1 10.0.0.1 rapid
PING 10.0.0.1 (10.0.0.1): 56 data bytes
!!!!!
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.011/1.168/1.301/0.122 ms

{master:0}
[email protected]_HOST> ping routing-instance ROUTER1 10.0.0.2 rapid
PING 10.0.0.2 (10.0.0.2): 56 data bytes
!!!!!
--- 10.0.0.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.963/1.194/1.432/0.180 ms

{master:0}
[email protected]_HOST> ping routing-instance ROUTER1 10.0.0.3 rapid
PING 10.0.0.3 (10.0.0.3): 56 data bytes
!!!!!
--- 10.0.0.3 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.988/1.165/1.438/0.161 ms

{master:0}
[email protected]_HOST> ping routing-instance ROUTER1 10.0.0.4 rapid
PING 10.0.0.4 (10.0.0.4): 56 data bytes
!!!!!
--- 10.0.0.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.997/1.194/1.444/0.200 ms

{master:0}
[email protected]_HOST> ping routing-instance ROUTER1 10.0.0.5 rapid
PING 10.0.0.5 (10.0.0.5): 56 data bytes
!!!!!
--- 10.0.0.5 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.015/1.174/1.324/0.123 ms
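
The pings above check the expected reachability one pair at a time, and the post skips the remaining combinations. The following added example (my own Python, not part of the original post or Junos) derives the full expected reachability matrix from the vlan plan table and compares it against the observed ping results, so any pair where isolation has silently been lost stands out; the device names and the OBSERVED dictionary are constructed from the table and ping output in the post.

```python
"""Expected private-vlan reachability for the post's topology (added example)."""
from itertools import permutations

# Constructed from the PVLAN table in the post: device -> (vlan role, vlan-id).
# R1 sits behind SW3's promiscuous port in the primary vlan.
PVLAN_PLAN = {
    "Host1": ("community", 501), "Host2": ("isolated", 502),
    "Host3": ("community", 501), "Host4": ("isolated", 502),
    "Host5": ("isolated", 502), "R1": ("primary", 500),
}

def can_reach(src, dst, plan=PVLAN_PLAN):
    """Layer-2 forwarding rule between two ports of the same private vlan:
    promiscuous <-> anything; community <-> same community or promiscuous;
    isolated <-> promiscuous only."""
    s_role, s_id = plan[src]
    d_role, d_id = plan[dst]
    if "primary" in (s_role, d_role):
        return True
    if s_role == d_role == "community":
        return s_id == d_id
    return False  # an isolated port never reaches another secondary port

def reachability_matrix(plan=PVLAN_PLAN):
    """Every ordered pair, so an asymmetric result (a one-way leak) shows up."""
    return {(a, b): can_reach(a, b, plan) for a, b in permutations(plan, 2)}

def check_results(observed, plan=PVLAN_PLAN):
    """Return the (src, dst) pairs whose observed ping result differs from the
    model. A pair where an isolated host unexpectedly gets a reply points at a
    port that has become promiscuous (on Junos: tagged instead of untagged)."""
    expected = reachability_matrix(plan)
    return sorted(p for p, ok in observed.items() if expected[p] != ok)

# Constructed from the ping output in the post (sources Host1, Host4 and R1).
OBSERVED = {
    ("Host1", "Host2"): False, ("Host1", "Host3"): True, ("Host1", "Host4"): False,
    ("Host1", "Host5"): False, ("Host1", "R1"): True,
    ("Host4", "Host1"): False, ("Host4", "Host2"): False, ("Host4", "Host3"): False,
    ("Host4", "Host5"): False, ("Host4", "R1"): True,
    ("R1", "Host1"): True, ("R1", "Host2"): True, ("R1", "Host3"): True,
    ("R1", "Host4"): True, ("R1", "Host5"): True,
}

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability_matrix().items()):
        print(f"{src:>5} -> {dst:<5} {'reach' if ok else 'blocked'}")
    print("mismatches vs. observed pings:", check_results(OBSERVED) or "none")
```

Feeding it the results of a full ping sweep after any vlan or interface change gives a quick regression check that the isolation the table promises still holds.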