In this article I will show you how to configure V-Lans on a Juniper Router. VLANs are virtual networks defined by the IEEE Standard 802.1q.

The idea is to run separated networks on the same physical infrastructure. This gets accomplished by adding another 32Bit to the frame on layer 2, containing the V-Lan related information.

It is important that all devices that are supposed to forward tagged frames do support 802.1q. If a device is unable to handle frames of that size it will simply destroy them.

Creating a VLAN

First we check if V-Lans on that device already exist.

#show vlans

Now we define two V-Lans named first und second. First is going to be assigned the VLAN-ID 10. Second is going to be assigned the VLAN-ID 20.

# set vlans first vlan-id 10 # set vlans second vlan-id 20

Lets take a look at the V-Lan config.

root# show vlans default { _    l3-interface vlan.0;_ } first { _    vlan-id 10;_ } second { _    vlan-id 20;_ }

This output should be pretty self explanatory. Before making an interface become a member in one of these V-Lans we should take a look at the difference between tagged and untagged interfaces.

Tagged and untagged interfaces

V-Lans can be configured in two modes on an interface.

Access (native / untagged):

• Every interface can only be of type Access for one V-Lan
• An Access Interface receives untagged traffic and attaches a V-Lan tag to that traffic before forwarding it
• You will usually use this setting to connect clients or devices that are unable of speaking V-Lan

Example: Gigabit Ethernet Interface 10 This interface will receive untagged (normal) traffic and forward it with the V-Lan Tag “10”. The V-Lan Tag will removed before sending traffic outbound. For example broadcast traffic for V-Lan 10 or traffic for a device located behind this interface (ARP table). This way the device on the other end can understand the traffic and does not even know it ever had a V-Lan tag attached to it.

ge-0/0/10 { unit 0 { family ethernet-switching { vlan { members first; } }

Trunk (tagged):

• If an Interface is defined as a trunk it receives and sends tagged frames for certain V-Lans
• Usually interfaces that have other V-Lan capable devices on the other end get defined that way

Example: Gigabit Ethernet Interface 12 This interface receives tagged traffic for the V-Lans 10 and 20. If traffic that is supposed to be sent to that network, the V-Lan Tag will be attached to the frame.

Important: A Trunk Interface does not need to be a member in all V-Lans!

ge-0/0/12 { _    unit 0 {_ _      family ethernet-switching {_ _         port-mode trunk;_ _            vlan {_ _               members [ first second ];_ _            }_ _         }_ _      }_ _   }_

Setting up an IP address on a V-Lan Interface Please make sure to make the Unit ID the same as th VLAN ID to minimize confusion!! Your colleagues will hate you if you don’t.

At first we will configure a virtual interface with an IPv4 address

#set interface irb unit <UNIT ID> family inet address <IP/subnetmask>

Then we make that interface a member of a V-Lan # set vlans <VLAN NAME> l3interface irb.<Interface ID>

Then we define this interface to be of type access in this V-Lan

# set interface ge-0/0/2.20 family ethernet-swtiching port mode access

In this case the commands could look like this:

# set interface irb unit 10 family inet address 10.0.10.1 # set vlans 10 l3interface irb.10 # set interface ge-0/0/2.10 family ethernet-swtiching port mode access

If we now connect a cable to the interface ge-0/0/2 our traffic will be sent to V-Lan 10. Since the we configured the router to have an IP address on the layer 3 interface irb.10, we can now connect to it via ssh on 10.0.10.1.

Cheers, Ori