Ivy Consultants Inc.

Consulting Services for Security, Networking, Wi-Fi and Windows Server

VLANs (Virtual LANs) are a logical grouping of devices into the same broadcast domain. VLANs are usually configured on switches by placing some interfaces into one broadcast domain and other interfaces into another. Each VLAN is a subgroup of the switch ports in an Ethernet LAN.

VLANs can span multiple switches, with each VLAN treated as its own subnet or broadcast domain. This means that a frame broadcast onto the network is switched only between the ports in the same VLAN. Note what a VLAN does not do: any two hosts inside the same VLAN can still talk to each other freely at layer 2.


Private VLANs
As per Wikipedia, “Private VLAN, also known as port isolation, is a technique in computer networking where a VLAN contains switch ports that are restricted such that they can only communicate with a given uplink. The restricted ports are called private ports. Each private VLAN typically contains many private ports, and a single uplink. The uplink will typically be a port (or link aggregation group) connected to a router, firewall, server, provider network, or similar central resource.”

In private VLAN terms, the uplink ports are the promiscuous ports, ports that may talk to each other and to the uplink form a community, and ports that may talk only to the uplink are isolated. Let's now focus on the topology and configuration of private VLANs on Juniper switches as a simple example. It will differ according to the network and the design in your environment.

Topology

The goal is to create a private VLAN in which ports ge-0/0/11-12 form the HR community, ports ge-0/0/13-14 form the Finance community, and ports ge-0/0/15-16 (the server room) are isolated ports. Hosts within a community can reach each other and the uplink; the isolated server-room ports can reach only the uplink, not each other and not the communities. The trunk ports ge-0/0/0 and ge-1/0/0 carry the private VLAN towards the uplink.

Below is the configuration associated with the above topology.

Setting the VLAN ID
SSB@switch#set vlans pvlan vlan-id 1000

Setting Interfaces and Port modes
SSB@switch#set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
SSB@switch#set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members pvlan
SSB@switch#set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode trunk
SSB@switch#set interfaces ge-1/0/0 unit 0 family ethernet-switching vlan members pvlan
SSB@switch#set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode access
SSB@switch#set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode access
SSB@switch#set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access
SSB@switch#set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode access
SSB@switch#set interfaces ge-0/0/15 unit 0 family ethernet-switching port-mode access
SSB@switch#set interfaces ge-0/0/16 unit 0 family ethernet-switching port-mode access

Configuring the Primary VLAN with no Local Switching (this statement is what turns pvlan into a primary private VLAN: ports placed directly in it can no longer reach each other)
SSB@switch#set vlans pvlan no-local-switching

Adding the trunk (promiscuous) Interfaces to the Primary VLAN
SSB@switch#set vlans pvlan interface ge-0/0/0.0
SSB@switch#set vlans pvlan interface ge-1/0/0.0

Configure the secondary VLANs with VLAN IDs and interfaces
SSB@switch#set vlans hr-comm vlan-id 400
SSB@switch#set vlans hr-comm interface ge-0/0/11.0
SSB@switch#set vlans hr-comm interface ge-0/0/12.0
SSB@switch#set vlans finance-comm vlan-id 300
SSB@switch#set vlans finance-comm interface ge-0/0/13.0
SSB@switch#set vlans finance-comm interface ge-0/0/14.0

Attaching the Secondary VLANs to the Primary VLAN as Community VLANs
SSB@switch#set vlans hr-comm primary-vlan pvlan
SSB@switch#set vlans finance-comm primary-vlan pvlan

Setting up the Isolated Ports (access ports placed directly into the primary VLAN become isolated ports)
SSB@switch#set vlans pvlan interface ge-0/0/15.0
SSB@switch#set vlans pvlan interface ge-0/0/16.0

And voila! Commit the configuration (commit) and the private VLAN is created. Verify it with show vlans pvlan extensive, which lists the primary VLAN, its secondary VLANs and the role of each port, and check that the server-room ports show up as isolated rather than as ordinary members of pvlan.
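To make the forwarding rules behind the definition above and the configuration steps just shown concrete, here is an added example (written for this page, not Juniper code) that parses the page's own set statements, assigns each port its private VLAN role, and answers "can port A send a frame to port B?". The role names are the usual private VLAN terms; the function and constant names are this example's own, and the missing-statement case at the end is a constructed variant of the page's configuration.

```python
"""Private-VLAN forwarding model for the Junos configuration above.

Added example, not Juniper code and not part of the original page: it parses
the page's ``set`` statements and works out which ports may exchange frames.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PROMISCUOUS, COMMUNITY, ISOLATED, PLAIN = "promiscuous", "community", "isolated", "plain"

# The page's statements with the CLI prompt stripped.
CONFIG = """\
set vlans pvlan vlan-id 1000
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members pvlan
set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-1/0/0 unit 0 family ethernet-switching vlan members pvlan
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/15 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/16 unit 0 family ethernet-switching port-mode access
set vlans pvlan no-local-switching
set vlans pvlan interface ge-0/0/0.0
set vlans pvlan interface ge-1/0/0.0
set vlans hr-comm vlan-id 400
set vlans hr-comm interface ge-0/0/11.0
set vlans hr-comm interface ge-0/0/12.0
set vlans finance-comm vlan-id 300
set vlans finance-comm interface ge-0/0/13.0
set vlans finance-comm interface ge-0/0/14.0
set vlans hr-comm primary-vlan pvlan
set vlans finance-comm primary-vlan pvlan
set vlans pvlan interface ge-0/0/15.0
set vlans pvlan interface ge-0/0/16.0
"""


@dataclass(frozen=True)
class PortRole:
    role: str
    group: Optional[str] = None  # community name (or ordinary VLAN name); None otherwise


def parse_pvlan_config(text: str) -> Dict[str, PortRole]:
    """Derive each logical interface's private-VLAN role from ``set`` statements."""
    port_mode: Dict[str, str] = {}      # physical interface -> "trunk" | "access"
    members: Dict[str, List[str]] = {}  # VLAN name -> logical interfaces
    primary_of: Dict[str, str] = {}     # secondary VLAN -> primary VLAN
    primaries = set()                   # VLANs configured with no-local-switching
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4:
            continue
        if toks[:2] == ["set", "interfaces"] and "port-mode" in toks:
            port_mode[toks[2]] = toks[toks.index("port-mode") + 1]
        elif toks[:2] == ["set", "vlans"]:
            vlan, key = toks[2], toks[3]
            if key == "interface":
                members.setdefault(vlan, []).append(toks[4])
            elif key == "primary-vlan":
                primary_of[vlan] = toks[4]
            elif key == "no-local-switching":
                primaries.add(vlan)
    roles: Dict[str, PortRole] = {}
    for vlan, ifls in members.items():
        for ifl in ifls:
            physical = ifl.split(".")[0]
            if vlan in primaries:  # directly in the primary VLAN
                trunk = port_mode.get(physical) == "trunk"
                roles[ifl] = PortRole(PROMISCUOUS if trunk else ISOLATED)
            elif primary_of.get(vlan) in primaries:
                roles[ifl] = PortRole(COMMUNITY, vlan)
            else:
                roles[ifl] = PortRole(PLAIN, vlan)  # ordinary VLAN, no restriction
    return roles


def can_forward(src: PortRole, dst: PortRole) -> bool:
    """Layer-2 forwarding rule between two ports of one private VLAN."""
    if PROMISCUOUS in (src.role, dst.role):
        return True                    # the uplink reaches every port
    if src.role == dst.role and src.role in (COMMUNITY, PLAIN):
        return src.group == dst.group  # same community (or same ordinary VLAN)
    return False                       # isolated ports and cross-community traffic


def reachable_from(roles: Dict[str, PortRole], port: str) -> List[str]:
    """Ports that ``port`` can send frames to, sorted."""
    return sorted(p for p, r in roles.items() if p != port and can_forward(roles[port], r))


if __name__ == "__main__":
    roles = parse_pvlan_config(CONFIG)
    for port in sorted(roles):
        print(f"{port:12} {roles[port].role:12} -> {', '.join(reachable_from(roles, port))}")
    # Constructed variant: drop no-local-switching and pvlan is an ordinary VLAN,
    # so the two server-room ports can suddenly reach each other.
    plain = parse_pvlan_config(CONFIG.replace("set vlans pvlan no-local-switching\n", ""))
    print("15 <-> 16 without no-local-switching:",
          can_forward(plain["ge-0/0/15.0"], plain["ge-0/0/16.0"]))
```

Run it directly to print each port's role and the set of ports it can reach; the last line shows why no-local-switching is the statement doing the security work in this configuration.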