JNCIS-SP: Layer 2 Bridging and VLANs.
Bridging elements and terminology:
An Ethernet LAN on a shared medium is one broadcast domain and one collision domain. Nodes may transmit at the same time and use CSMA/CD to detect collisions; after a collision each sender waits a random interval that grows with every successive collision (binary exponential backoff) before retransmitting.
- 10Base-T: 802.3i - 10Mbps
- 100Base-TX: 802.3u - 100Mbps
- 1000Base-T: 802.3ab - 1000Mbps
Bridging (IEEE 802.1D-2004)
Uses microsegmentation to split a LAN into multiple collision domains (one per bridge port). Allows dissimilar interfaces (different speeds/media) within one broadcast domain. Bridges build and maintain bridge tables using these mechanisms:
- Learning: learns source MAC addresses and the ports they arrived on.
- Flooding: frames to an unknown unicast MAC, multicast and broadcast are flooded out all ports except the one they arrived on.
- Filtering: frames to a known MAC are sent only to the associated segment (and dropped if that is the segment they came from).
- Aging: removes stale entries so bridge table entries stay current.
Source MACs are learned from all incoming Ethernet frames. Each MAC is associated with an interface.
'show bridge mac-table' to view these entries.
VLANs segment one broadcast domain into multiple broadcast domains. A VLAN has the same attributes as a physical LAN.
pic will follow.
On an MX, VLANs are created under named bridge-domains. Use 'native-vlan-id' to assign untagged frames arriving on trunk links to a VLAN.
vlan-id / vlan-id-list syntax:
- 100: 100 only
- [100-200]: 100 until 200
- [100-109 111-200]: 100 until 200 except 110
- [100-109 111 113-200]: 100 until 200 except 110 & 112
You can use one statement to create many bridge domains. With 'set bridge-domains CUSTOMER vlan-id-list [2-400]' you effectively create one bridge domain per VLAN, named after the domain name and the VLAN ID:
CUSTOMER-vlan-0002, CUSTOMER-vlan-0003, ... CUSTOMER-vlan-0400.
To monitor, use 'show bridge domain' or 'show bridge domain vlan_100 detail'.
'show interfaces' will reveal trunk or access mode on MX.
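A worked MX configuration tying the above together, added here as an example (it is not part of the original notes). Interface names, VLAN numbers and bridge-domain names are assumed; lines starting with ## are explanatory comments, not CLI:

```junos
## Added example, not from the original notes. Interfaces, VLANs and names are assumed.
## Trunk toward an access switch: carries VLANs 100-200 except 110; untagged frames land in VLAN 100.
set interfaces ge-1/0/1 description "trunk to access switch"
set interfaces ge-1/0/1 flexible-vlan-tagging
set interfaces ge-1/0/1 native-vlan-id 100
set interfaces ge-1/0/1 encapsulation flexible-ethernet-services
set interfaces ge-1/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-1/0/1 unit 0 family bridge vlan-id-list [ 100-109 111-200 ]
## Access port for a single host in VLAN 100.
set interfaces ge-1/0/2 description "server in VLAN 100"
set interfaces ge-1/0/2 encapsulation ethernet-bridge
set interfaces ge-1/0/2 unit 0 family bridge interface-mode access
set interfaces ge-1/0/2 unit 0 family bridge vlan-id 100
## One explicitly named bridge domain for VLAN 100 ...
set bridge-domains VLAN_100 domain-type bridge
set bridge-domains VLAN_100 vlan-id 100
## ... and 99 auto-named ones (CUSTOMER-vlan-0101 ... CUSTOMER-vlan-0200, 110 excluded) in one statement.
set bridge-domains CUSTOMER domain-type bridge
set bridge-domains CUSTOMER vlan-id-list [ 101-109 111-200 ]
## With interface-mode configured, the trunk and access interfaces join the bridge domains
## whose VLAN IDs they carry automatically; they are not listed under 'bridge-domains ... interface'.
## Verify in operational mode:
## show bridge domain
## show bridge domain CUSTOMER-vlan-0150 detail
## show interfaces ge-1/0/1 (interface-mode trunk) / show bridge mac-table
```

The trunk deliberately omits VLAN 110 from its list, so a frame tagged 110 arriving from the access switch is dropped at the MX rather than bridged; VLANs a port does not need should never be on its list.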
MVRP (IEEE 802.1ak)
Dynamically creates and prunes VLANs on trunks; supported on MX. MVRP sends PDUs to exchange VLAN membership between switches. Disabled by default and can only be enabled on trunk interfaces. The trunk ports must still be configured, but without VLAN information (MVRP registers the VLANs).
set protocols mvrp interface ge-0/0/15
To disable dynamic VLAN creation (MVRP then only registers VLANs that already exist in the configuration; MVRP PDUs are not authenticated, so leaving it enabled lets any neighbour on the trunk create VLANs):
set protocols mvrp no-dynamic-vlan
Use 'show mvrp' to see status and timers on interfaces.
Use 'show mvrp dynamic-vlan-memberships' to view membership.
IRB interface as the IP gateway of a bridge domain:
set bridge-domains vlan.110 routing-interface irb.1
set interfaces irb unit 1 family inet address 22.214.171.124/24
'show interfaces terse irb*'
Layer 2 learning is configurable globally, per virtual switch, per bridge domain and per interface. You can alter:
- the MAC aging timeout (mac-table-aging-time; default 300s)
- MAC statistics (mac-statistics; disabled by default)
- the maximum number of MACs learned (mac-table-size per bridge domain, interface-mac-limit per interface)
- MAC learning itself (no-mac-learning turns it off)
set protocols l2-learning - global and switch level (also for virtual switches)
set switch-options - bridge domains associated with a virtual switch
set bridge-domains EX bridge-options - per bridge domain
set bridge-domains EX bridge-options interface ge-1/0/1 - per interface within the bridge domain
Under [edit bridge-domains EX bridge-options], you can set the 'mac-table-size' maximum. When the maximum is reached, the default action is to stop learning: the bridge still forwards frames to known MACs and floods frames for unknown destinations, so a host spraying bogus source MACs (MAC flooding) can still force the domain into flooding. Use 'packet-action drop' to discard frames from new, unlearned source MACs once the limit is hit.
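The MAC-limiting knobs above combined into one hardened bridge domain, added as an example (not part of the original notes). Names, limits and the MAC address are assumed; lines starting with ## are comments, not CLI:

```junos
## Added example, not from the original notes. Names, limits and MACs are assumed.
## Global ceiling and aging time for every bridge domain on the box.
set protocols l2-learning global-mac-limit 8192
set protocols l2-learning global-mac-limit packet-action drop
set protocols l2-learning global-mac-table-aging-time 300
## Bridge domain EX: at most 1000 MACs. Once full, frames from unlearned sources are
## dropped instead of flooded (the default, packet-action none, would only stop learning).
set bridge-domains EX vlan-id 100
set bridge-domains EX bridge-options mac-table-size 1000
set bridge-domains EX bridge-options mac-table-size packet-action drop
set bridge-domains EX bridge-options mac-statistics
## Access port facing one host: a handful of MACs is plenty, so a MAC flood from this
## port exhausts only its own small budget, not the whole domain's table.
set bridge-domains EX bridge-options interface ge-1/0/2.0 interface-mac-limit 5
set bridge-domains EX bridge-options interface ge-1/0/2.0 interface-mac-limit packet-action drop
## Port toward a fixed device (assumed MAC): learn nothing, pin the MAC statically.
set bridge-domains EX bridge-options interface ge-1/0/3.0 no-mac-learning
set bridge-domains EX bridge-options interface ge-1/0/3.0 static-mac 00:10:94:00:00:01
## Verification (operational mode):
## show bridge mac-table count
## show bridge mac-table bridge-domain EX
## show bridge statistics bridge-domain EX
```

The per-interface limit is the one that matters for containment: the domain-wide limit protects the table, but without interface-mac-limit one port can still consume the entire allowance and starve the others.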
On MX, L2 firewall filters can be used to accept or discard frames based on Layer 2 match conditions (source/destination MAC address, ether-type, VLAN ID and, for IP payloads, IP header fields).
Configured under [edit firewall family bridge]. Can be applied to:
- interface (input, output or both)
- bridge-domain (input)
- interface + bridge-domain (input) -> the interface filter is processed before the bridge-domain filter
set bridge-domains Vlan.100 forwarding-options filter input EXAMPLE
set interfaces ge-1/0/1 unit 0 family bridge filter input EXAMPLE
By using 'input-list' (or 'output-list') instead of 'input', a list of up to 16 filters can be applied, evaluated in the order listed.
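A family bridge filter protecting the IRB gateway described earlier, added as an example (not part of the original notes) that covers both the IRB section and the filter section. The gateway MAC, the host address and all names are assumed; lines starting with ## are comments, not CLI:

```junos
## Added example, not from the original notes. MACs, addresses and names are assumed.
## IRB gateway for bridge domain EX (VLAN 100).
set bridge-domains EX vlan-id 100
set bridge-domains EX routing-interface irb.100
set interfaces irb unit 100 family inet address 10.100.0.1/24
## Interface filter on the customer port (evaluated first):
## 1. frames claiming the gateway's MAC as source (assumed 00:10:94:00:00:01) are gateway
##    impersonation, drop and count them;
## 2. ARP is allowed;
## 3. IPv4 is allowed only from the host address assigned to this port;
## 4. everything else (other ether-types, spoofed IPv4 sources) is counted and discarded.
set firewall family bridge filter CUST_IN term deny-gw-mac from source-mac-address 00:10:94:00:00:01/48
set firewall family bridge filter CUST_IN term deny-gw-mac then count gw-mac-spoof
set firewall family bridge filter CUST_IN term deny-gw-mac then discard
set firewall family bridge filter CUST_IN term allow-arp from ether-type arp
set firewall family bridge filter CUST_IN term allow-arp then accept
set firewall family bridge filter CUST_IN term allow-own-ip from ether-type ipv4
set firewall family bridge filter CUST_IN term allow-own-ip from ip-source-address 10.100.0.20/32
set firewall family bridge filter CUST_IN term allow-own-ip then accept
set firewall family bridge filter CUST_IN term deny-rest then count l2-discard
set firewall family bridge filter CUST_IN term deny-rest then discard
set interfaces ge-1/0/2 unit 0 family bridge filter input CUST_IN
## Bridge-domain filter (evaluated after the interface filter, for all ports of EX):
## count broadcast frames so a broadcast storm shows up in the counters.
set firewall family bridge filter BD_EX_IN term count-bcast from destination-mac-address ff:ff:ff:ff:ff:ff/48
set firewall family bridge filter BD_EX_IN term count-bcast then count bcast
set firewall family bridge filter BD_EX_IN term count-bcast then accept
set firewall family bridge filter BD_EX_IN term rest then accept
set bridge-domains EX forwarding-options filter input BD_EX_IN
## Verification (operational mode):
## show firewall filter CUST_IN
## show interfaces terse irb*
```

The deny-gw-mac term has to come first: an attacker that can source frames with the IRB's MAC would otherwise have its frames learned on the customer port and pull the gateway's return traffic to itself.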
Different types of routing instances exist, e.g. virtual-router and virtual-switch. A virtual switch holds its own bridge domains and MAC tables:
set routing-instances V-SWITCH-EX instance-type virtual-switch
set routing-instances V-SWITCH-EX bridge-domains EXAMPLE vlan-id 100
set routing-instances V-SWITCH-EX bridge-domains EXAMPLE routing-interface irb.100
set routing-instances V-SWITCH-EX bridge-domains EXAMPLE interface ge-1/0/11.0
Use 'show bridge domain' to verify which routing instance a bridge domain belongs to.
Provider Bridging (802.1ad).
802.1ad (Q-in-Q) provides a standard for stacking VLAN tags:
- outer tag (S-VLAN): service-provider tag, TPID 0x88A8 (the Junos default TPID is 0x8100, so 0x88A8 has to be configured)
- inner tag (C-VLAN): customer VLAN, TPID 0x8100
- ISP and customer run separate spanning trees
- VLAN translation between SP-bridged networks
- PBN: network of provider bridges that provides an Ethernet Virtual Connection (EVC) to the customer.
- Provider Bridge: performs 802.1ad tagging and forwarding. Learns and stores customer MACs.
- Provider Edge Bridge (PEB): accepts 802.1Q frames from and delivers them to customers. Also encapsulates customer frames with the 802.1ad S-tag.
- S-VLAN Bridge: non-edge provider bridge, forwarding on the S-tag only.
- Provider Network Port: forwards based on the S-tag.
- Customer Edge Port: receives and transmits C-VLAN (802.1Q) frames toward the customer.
- Customer Network Port: customer-facing port on a provider bridge that receives and transmits S-tagged frames.
VLAN tag operations (input-vlan-map / output-vlan-map):
- push: add outer tag
- pop: remove outer tag
- swap: swap outer tag
- pop-pop: remove outer & inner tag
- push-push: add 2 tags
- swap-swap: swap both tags
- pop-swap: pop outer, swap inner
- swap-push: swap inner, add outer
- rewrite vlan (vlan-id)
- rewrite tag-protocol-id
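The push/pop and swap operations on a provider edge bridge, added as an example (not part of the original notes). Interface names, VLAN IDs and the customer/provider split are assumed, and the TPID list under gigether-options is included on the assumption that the port must be told to classify 0x88a8 as a VLAN tag; lines starting with ## are comments, not CLI:

```junos
## Added example, not from the original notes. Interfaces, VLAN IDs and roles are assumed.
## Customer Edge Port on a PEB: the customer sends C-tag 100 (TPID 0x8100). On ingress the PEB
## pushes S-tag 200 with TPID 0x88a8; on egress toward the customer the S-tag is popped again.
set interfaces ge-1/0/1 flexible-vlan-tagging
set interfaces ge-1/0/1 encapsulation flexible-ethernet-services
set interfaces ge-1/0/1 unit 100 encapsulation vlan-bridge
set interfaces ge-1/0/1 unit 100 vlan-id 100
set interfaces ge-1/0/1 unit 100 input-vlan-map push
set interfaces ge-1/0/1 unit 100 input-vlan-map vlan-id 200
set interfaces ge-1/0/1 unit 100 input-vlan-map tag-protocol-id 0x88a8
set interfaces ge-1/0/1 unit 100 output-vlan-map pop
## Provider Network Port: frames on the wire carry outer 0x88a8.200 and inner 0x8100.100.
## The physical port must accept 0x88a8 as a VLAN TPID (assumed to be required on MX).
set interfaces ge-1/0/2 flexible-vlan-tagging
set interfaces ge-1/0/2 encapsulation flexible-ethernet-services
set interfaces ge-1/0/2 gigether-options ethernet-switch-profile tag-protocol-id [ 0x8100 0x88a8 ]
set interfaces ge-1/0/2 unit 200 encapsulation vlan-bridge
set interfaces ge-1/0/2 unit 200 vlan-tags outer 0x88a8.200 inner 100
## Bridge domain without its own vlan-id: no tag normalisation, the vlan maps do the work.
set bridge-domains SVLAN_200 domain-type bridge
set bridge-domains SVLAN_200 interface ge-1/0/1.100
set bridge-domains SVLAN_200 interface ge-1/0/2.200
## S-VLAN bridge behaviour toward a second provider network that uses S-VLAN 300 for the
## same customer: swap the outer tag only, the C-tag is never touched (physical-interface
## settings as for ge-1/0/2).
set interfaces ge-1/0/3 flexible-vlan-tagging
set interfaces ge-1/0/3 encapsulation flexible-ethernet-services
set interfaces ge-1/0/3 gigether-options ethernet-switch-profile tag-protocol-id [ 0x8100 0x88a8 ]
set interfaces ge-1/0/3 unit 300 encapsulation vlan-bridge
set interfaces ge-1/0/3 unit 300 vlan-tags outer 0x88a8.300 inner 100
set interfaces ge-1/0/3 unit 300 input-vlan-map swap
set interfaces ge-1/0/3 unit 300 input-vlan-map vlan-id 200
set interfaces ge-1/0/3 unit 300 output-vlan-map swap
set bridge-domains SVLAN_200 interface ge-1/0/3.300
## Verification: show interfaces ge-1/0/1.100 / show bridge domain SVLAN_200 detail
```

Because the customer port only matches C-tag 100 and the MX adds the S-tag itself, a customer that sends frames already carrying a 0x88a8 outer tag cannot inject itself into another S-VLAN: those frames do not match unit 100 and are dropped at the edge.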
Needs drawing of functions and operations.
Bridge domain learning modes:
1. Independent VLAN learning mode: MAC learning and BUM traffic are per VLAN
2. Shared VLAN learning mode: VLANs share one MAC table, and BUM traffic floods on all VLANs and interfaces of the bridge domain