This is the first in a series of blog posts covering some of the basics of Junos. In this post I’ll be covering the process of creating VLANs on a Juniper switch and assigning interfaces to them. The model of switch I am using is an EX2200-C, running Junos 11.4R1.6.
Creating the VLANs is very simple. In this example we’ll create 2 VLANs, SALES and IT, with VLAN IDs 100 and 200 respectively.
In configuration mode:
    set vlans SALES vlan-id 100
    set vlans IT vlan-id 200
After committing the configuration we can now view our list of VLANs:
    rich@EX2200C# show vlans
    IT {
        vlan-id 200;
    }
    SALES {
        vlan-id 100;
    }
Next we’ll assign an interface to each VLAN. There are two methods of doing this – you can configure the interface to be a member of a VLAN or you can configure a VLAN to have an interface as a member.
Method 1 – configure the interface:
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members SALES
This assigns the interface to the VLAN SALES which can be seen from the interface configuration:
    rich@EX2200C> show configuration interfaces ge-0/0/0
    unit 0 {
        family ethernet-switching {
            vlan {
                members SALES;
            }
        }
    }
Method 2 – Configure the VLAN:
    set vlans IT interface ge-0/0/1.0
This method is much quicker and simpler than method 1 and the end result is the same. The difference is that the VLAN membership is not apparent when you view the configuration of the interface:
    rich@EX2200C> show configuration interfaces ge-0/0/1
    unit 0 {
        family ethernet-switching;
    }

Instead, to verify our configuration we need to view the list of VLANs again:

    rich@EX2200C> show vlans
    Name      Tag   Interfaces
    IT        200   ge-0/0/1.0
    SALES     100   ge-0/0/0.0
    default         ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0,
                    ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0,
                    ge-0/0/10.0, ge-0/0/11.0, ge-0/1/0.0, ge-0/1/1.0
Another verification option is the “show ethernet-switching interfaces” command:
    rich@EX2200C> show ethernet-switching interfaces
    Interface    State  VLAN members  Tag   Tagging   Blocking
    ge-0/0/0.0   down   SALES         100   untagged  blocked by STP
    ge-0/0/1.0   down   IT            200   untagged  blocked by STP
    ge-0/0/2.0   down   default             untagged  blocked by STP
    ge-0/0/3.0   down   default             untagged  blocked by STP
    ge-0/0/4.0   down   default             untagged  blocked by STP
    ge-0/0/5.0   down   default             untagged  blocked by STP
    .
    .
Note also that now that we have assigned some interfaces to VLANs, all the other interfaces appear as members of the “default” VLAN.
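Because the two methods store membership in different stanzas, a configuration review has to merge both before it can say which ports are still sitting in the “default” VLAN. The following is an added example, not part of the original post: a small Python audit over configuration exported in set format (`show configuration | display set`). The function names and the sample input are constructed for illustration, and it assumes the unit number is written in the vlans stanza as it is in this post.

```python
import re

# Constructed sample input in "set" format, mirroring the commands in this post.
SAMPLE_CONFIG = """\
set vlans SALES vlan-id 100
set vlans IT vlan-id 200
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members SALES
set vlans IT interface ge-0/0/1.0
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/2 unit 0 family ethernet-switching
set interfaces ge-0/0/3 unit 0 family ethernet-switching
"""

# Method 1: membership declared under the interface (members part is optional).
IFACE_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family ethernet-switching"
    r"(?: vlan members (\S+))?$")
# Method 2: membership declared under the VLAN.
VLAN_RE = re.compile(r"^set vlans (\S+) interface (\S+)$")


def vlan_membership(config_text):
    """Return {logical interface: set of VLAN names}, merging both stanzas."""
    members = {}
    for line in config_text.splitlines():
        line = line.strip()
        m = IFACE_RE.match(line)
        if m:
            ifl = f"{m.group(1)}.{m.group(2)}"
            members.setdefault(ifl, set())
            if m.group(3):
                members[ifl].add(m.group(3))
            continue
        m = VLAN_RE.match(line)
        if m:
            members.setdefault(m.group(2), set()).add(m.group(1))
    return members


def unassigned_ports(members):
    """Switching interfaces with no explicit VLAN; these fall into "default"."""
    return sorted(ifl for ifl, vlans in members.items() if not vlans)


if __name__ == "__main__":
    table = vlan_membership(SAMPLE_CONFIG)
    for ifl in sorted(table):
        print(ifl, ", ".join(sorted(table[ifl])) or "default")
```

On the sample input, ge-0/0/1.0 is reported in IT even though its interface stanza shows no VLAN, and ge-0/0/2.0 and ge-0/0/3.0 are listed as unassigned.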
In my next post I’ll cover routing between the VLANs we’ve created here.
I hope this has been a useful explanation. Thanks for reading.
Rich
Hi Rich,
I saw your three posts on Vlan, Inter Vlan and Vlan Trunking, really it is very useful for me and I want to say thanks regarding this useful information, can we set up virtual Network Environment like GNS on Windows 7, if any process is there please send me on my email id.
Thanks,
Afsar
Hi Afsar. You should check out this link: http://routerjockey.com/2009/10/03/running-junos-under-vmware/
Hi Rich,
Thanks for the link, I am reviewing it and will update you here.
Regards,
Afsar
Hi Rich,
On a ex2200 I have attached a management module of a server (for remote control and such which has a dedicated IP address). I would like to give only myself access to that IP (on port ge 0/0/1). If at all possible I could do this by using IP addresses (I have several of course, not to lock myself out) or via MAC addresses.
ps: I do not know if I need to add the IP from the -to be managed- server as well?
Also note, access may be via a local port (hard wired when I am at the data center, for instance ge 0/0/5) or via glass fibre (ge-0/1/1 I think).
Suppose the mgm module has ip 1.2.3.4 and I have 5.6.7.8 or 6.7.8.9 then I want those two ip addresses of mine to have access to 1.2.3.4. Note: ip 1.2.3.4 should have normal access to the internet to be able to send out emails.
Can this be done?
I am not smart enough (I guess) to do this.
ps: you may mail me about this as well, I am not sure if anybody is looking for this specific solution (although I could not find a fitting answer).
I am still here 😉
After reading and reading I think I should create a vlan. All I need to do is tag traffic from specific ip addresses and prevent other ip addresses to have access to the vlan. I would not need to consider about the actual port. But thinking out loud is one. Getting this translated to a solution is two. And I am not sure if creating a vlan this way does actually prevent other ip addresses to access the ip I am trying to secure?
Could you please mail me on this issue and delete my messages on this forum (if you think it does not help other people having the same situation?)
Hey Rich,
Appreciate your time to write this information. I find it very informative as I am new to Juniper. Searching for more info. Thank you
K
No worries! Thanks for reading