Juniper EX4200 QinQ Configuration and Troubleshooting

juniperjuniper-exjuniper-junosqinq

newbie here with a very similar question to one that was posted a couple of years back … only slightly different (so, as the original question was asked so perfectly, I've copied it nearly verbatim and just edited it slightly … terribly lazy I know!)

How do I tell Juniper EX4200 to push specific S-VLAN based on C-VLAN on q-in-q (dot1q-tunneling) port?

For instance I want to instruct EX4200 to perform Q-in-Q using these rules:

1) If a single-tag frame is received on ge-0/0/0 with C-VLAN=41, DO NOT PUSH S-VLAN*

2) If a single-tag frame is received on ge-0/0/0 with C-VLAN=42, push S-VLAN=5.

3) If a single-tag frame is received on ge-0/0/0 with C-VLAN=51, push S-VLAN=5.

4) If a single-tag frame is received on ge-0/0/0 with C-VLAN=52, push S-VLAN=5.

Conversely, whenever a double-tag frame is to be sent out on ge-0/0/0, the outer S-VLAN ought to be removed (popped).

"DO NOT PUSH S-VLAN" means "leave as a single tagged frame with vlan-id 41 as the only tag"

Can this be done on a Juniper EX4200? If so, please point out the specific configuration commands.

Best Answer

Q-in-Q on the 4200 is super non-intuitive, but here is the configuration that will work for you:

If you're mixing Q-in-Q and dot1q, you need to set the dot1q tunnelling ethertype to be 0x8100

set ethernet-switching-options dot1q-tunneling ether-type 0x8100

Now, configure the interface you'll be receiving the C-TAGs on - note that you will only configure it as an untagged interface (very non-intuitive):

set interfaces ge-0/0/7 unit 0 family ethernet-switching

Now create your S-VLAN 5 and "C-VLAN" 41 and apply them to interface ge-0/0/7.0 - note that because the interface is not tagged in the previous step, you have to apply the interface within the VLAN configuration as per below (other interfaces in VLAN 41 can be applied in the normal way):

set vlans SV5 vlan-id 5
set vlans SV5 interface ge-0/0/7.0
set vlans SV5 dot1q-tunneling customer-vlans 42
set vlans SV5 dot1q-tunneling customer-vlans 51
set vlans SV5 dot1q-tunneling customer-vlans 52
set vlans CV41 vlan-id 41
set vlans CV41 interface ge-0/0/7.0

The last piece is how to deal with the dot1q tag being received; if you leave things as they are, the dot1q traffic for VLAN 41 will be dropped on ingress to port ge-0/0/7.0, so you need to create a VLAN swap action which essentially swaps 41 with 41 (like I said, it's super non-intuitive):

set vlans CV41 interface ge-0/0/7.0 mapping 41 swap

Now you should be able to handle both dot1q and q-in-q frames on the same interface.

One caveat to be aware of is that you can't have an S-VLAN ID the same as any of your C-VLAN IDs, since you need to create the VLAN on the switch to tunnel.

Related Solutions

VLAN Selection – How to Select S-VLAN from C-VLAN on Juniper EX4200?

This should do what you are after:

    set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members SVID4
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members SVID5
    set vlans SVID4 vlan-id 4
    set vlans SVID4 dot1q-tunneling customer-vlans 41-42
    set vlans SVID4 dot1q-tunneling layer2-protocol-tunneling all
    set vlans SVID5 vlan-id 5
    set vlans SVID5 dot1q-tunneling customer-vlans 51-52
    set vlans SVID5 dot1q-tunneling layer2-protocol-tunneling all

Cheers,

Juniper EX4200 – Reading SNMP Traffic Counters for Specific VLAN ID

Sadly the EX4200 (or any EX) is not able to do this. You would need a separate logical unit for the VLAN which has its own VLAN counters. This works for example on Junipers MX routers but not on EX.

What you can do however is count the packets and bytes with a firewall filter.

I have an working example here, for VLANS 14, 571, 572. You can of course use any VLAN IDs.

Here is the filter:

firewall {
    family ethernet-switching {
        filter vlan-counters {
            interface-specific;
            term vlan-14 {
                from {
                    dot1q-tag 14;
                }
                then {
                    accept;
                    count vlan-14;
                }
            }
            term vlan-571 {
                from {
                    dot1q-tag 571;
                }
                then {
                    accept;
                    count vlan-571;
                }
            }
            term vlan-572 {
                from {
                    dot1q-tag 572;
                }
                then {
                    accept;
                    count vlan-572;
                }
            }
            term default {
                then accept;
            }
        }
    }
}

As you can see we have a separate term for each VLAN we want to count and a default term at the end. This is important as without that last term traffic for other VLANs would be dropped. The interface-specific keyword tells the switch to generate separate counters for each interface.

You can apply this filter to your interfaces:

set interfaces ae0.0 family ethernet-switching filter input vlan-counters 
set interfaces ae0.0 family ethernet-switching filter output vlan-counters

After that you can see the counters in the show firewall output. Note that they have interface-specific extensions:

Filter: vlan-counters-ae1.0-i                                  
Counters:
Name                                                Bytes              Packets
vlan-14-ae1.0-i                                   7474383                 8504
vlan-571-ae1.0-i                                        0                    0
vlan-572-ae1.0-i                                        0                    0

Filter: vlan-counters-ae1.0-o                                  
Counters:
Name                                                Bytes              Packets
vlan-14-ae1.0-o                                   2651051                 4919
vlan-571-ae1.0-o                                  2057853                14731
vlan-572-ae1.0-o                                      644                   10

Last but not least the SNMP part.

The packet and byte counters displayed above are visible in SNMP under the JUNIPER-FIREWALL-MIB::jnxFWCounterPacketCount and JUNIPER-FIREWALL-MIB::jnxFWCounterByteCount tree.

For example:

$ snmpget -v2c -cpublic 10.1.2.3 'JUNIPER-FIREWALL-MIB::jnxFWCounterByteCount."vlan-counters-ae1.0-o"."vlan-571-ae1.0-o".counter
JUNIPER-FIREWALL-MIB::jnxFWCounterByteCount."vlan-counters-ae1.0-o"."vlan-571-ae1.0-o".counter = Counter64: 298848

If your program does not understand the encoded form of the OID you can translate it to the numeric form with the snmptranslate utility:

$ snmptranslate -On 'JUNIPER-FIREWALL-MIB::jnxFWCounterByteCount."vlan-counters-ae1.0-o"."vlan-571-ae1.0-o".counter'
.1.3.6.1.4.1.2636.3.5.2.1.5.21.118.108.97.110.45.99.111.117.110.116.101.114.115.45.97.101.49.46.48.45.111.16.118.108.97.110.45.53.55.49.45.97.101.49.46.48.45.111.2

Best Answer

Related Solutions

VLAN Selection – How to Select S-VLAN from C-VLAN on Juniper EX4200?

Juniper EX4200 – Reading SNMP Traffic Counters for Specific VLAN ID

Related Topic