What is the functional difference between these two TPID values?
0x8100
This TPID is used in 802.1Q - it's your average, everyday VLAN tagging. A common use for VLANs is for enterprises to organize their network into functional groups (like research, finance, or management).
0x88a8
This TPID is used in 802.1ad - it's used for provider bridging (also known as QinQ, stacked VLANs, or double tagging). QinQ allows multiple VLAN tags in an Ethernet frame.
QinQ is used when a customer has to transport VLAN tagged traffic across a service provider network. The service provider will have its own set of VLAN tags, perhaps a tag per customer. So we have customer VLAN tags, and service provider VLAN tags, appropriately called C-TAGs and S-TAGs.
S-TAGs are correlated with the 0x88a8 TPID to signify the existence of the inner C-TAG which uses TPID 0x8100 (S-TAGs are inserted before C-TAGs).
Why would Juniper use a different default TPID than the IEEE reserved TPID for the S-TAG?
They're not; here is a list of the common IEEE TPIDs.
To be more specific, the default is 0x8100 because 802.1Q is used WAY more commonly than 802.1ad/Provider Bridging.
To be even more specific to what I assume is a quote from the JNCIS documentation, it is just really poor wording. I believe it's saying that the default TPID is 0x8100 (to imply that 802.1Q is the default).
Thanks to @ar_, the solution is:
- configure ip addresses on lo0.0 with /32 mask
- set a discarded static route to /28 (network will then be propagated by BGP)
To go further:
- add lo0.0 in untrust zone
- set an intra-zone policy to allow 'external' traffic (ex. ping) since lo0.0 won't be the incoming traffic interface.
# show interfaces lo0
unit 0 {
    family inet {
        address X.X.6.97/32;
        address X.X.6.98/32;
    }
}
# show routing-options
static {
    route X.X.6.96/28 discard;
}
[..]
# show security zones security-zone untrust
[..]
interfaces {
    ge-0/0/0.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
    ge-7/0/0.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
    lo0.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
}
# show security policies from-zone untrust to-zone untrust
policy permit-ping {
    match {
        source-address any;
        destination-address any;
        application junos-ping;
    }
    then {
        permit;
    }
}
Best Answer
Enhanced Layer-2 Switching (ELS)
Juniper has a couple of different product lines (routers, switches, firewalls) that theoretically run the same operating system (Junos). However, software for these product lines is developed separately from each other, and as a result the configuration syntax for similar features (mainly layer-2 stuff) ended up being different on routers (MX platform) and switches (EX platform). This is obviously a bit confusing for people running both types of devices.
In 2013, Juniper introduced a new configuration syntax for EX switches (starting with Junos 13.2) to remedy this: Enhanced Layer-2 Software (ELS). This syntax is similar to the syntax used on MX routers. One of the changes in the new syntax is renaming vlan interfaces from vlan.xx to irb.xx. You can find a complete list of all changes on the juniper.net website.
In general, older EX switches (EX-2200, EX-3300, EX-4200, ...) still use the old style configuration syntax. Newer devices (EX-2300, EX-4300, ...) use the new syntax. The same is true for branch SRX firewalls: SRX-2xx uses the old style, SRX-3xx uses ELS syntax. Check the Juniper Feature Explorer for an authoritative list of all devices and software releases that use the ELS syntax.
Integrated Routing and Bridging (IRB)
Integrated Routing and Bridging (IRB) is a pretty common term used by both Cisco and Juniper for layer-3 VLAN interfaces. Other terms for pretty much the same concept are: