Private Vlan Configuration Guidelines | Juniper Networks EX2500

EX2500 Ethernet Switch Configuration Guide

Private VLAN Configuration Guidelines

The following guidelines apply when configuring private VLANs:

The default VLAN 1 cannot be a private VLAN.

The management VLAN 4095 cannot be a private VLAN. The management port cannot be a member of a private VLAN.

IGMP Snooping must be disabled on isolated VLANs.

Each secondary port’s (isolated port and community ports) PVID must match its corresponding secondary VLAN ID.

Ports within a secondary VLAN cannot be members of other VLANs.

All VLANs that make up the private VLAN must belong to the same Spanning Tree Group.

Private VLAN Configuration Example

Follow this procedure to configure a private VLAN.

1.Select a VLAN and define the private VLAN type as primary.

ex2500(config)# vlan 100 ex2500(config-vlan)# enable ex2500(config-vlan)# member 2 ex2500(config-vlan)# private-vlan type primary ex2500(config-vlan)# private-vlan enable ex2500(config-vlan)# exit

2.Configure a secondary VLAN and map it to the primary VLAN.

ex2500(config)# vlan 110 ex2500(config-vlan)# enable ex2500(config-vlan)# member 3 ex2500(config-vlan)# member 4 ex2500(config-vlan)# private-vlan type isolated ex2500(config-vlan)# private-vlan map 100 ex2500(config-vlan)# private-vlan enable ex2500(config-vlan)# exit

3.Verify the configuration.

ex2500(config)# show		private-vlan
Private-VLAN	Type	Mapped-To Status	Ports

------------ ---------		---------- ---------- -----------------
100	primary		110	ena	2
110	isolated		100	ena	3-4

30 Private VLANs

Image 44

Juniper Networks EX2500 manual Private Vlan Configuration Guidelines, Private Vlan Configuration Example

Contents

Configuration Guide North Mathilda Avenue Sunnyvale, CA Ii „ Table of Contents Chapter VLANs Chapter Ports and Trunking Rmon Overview Rmon Group 1-Statistics Rmon Group 2-History Indexes Port Mirroring Overview Configuring Port MirroringAppendixes Default Vlan Settings Port-Based Vlan AssignmentPage List of Tables EX2500 Ethernet Switch Configuration Guide „ List of Tables About This Guide ObjectivesAudience Supported Platforms Documentation Conventions Icon Meaning Description Requesting Technical Support List of Technical PublicationsDocumentation Feedback Self-Help Online Tools and Resources Opening a Case with Jtac EX2500 Ethernet Switch Applications Page Accessing the Switch Configuring the Management Interface Dynamic Host Configuration Protocol Configure the default gateway. Enable the gateway Using Telnet Using the EX2500 Web Device Manager Configuring EX2500 Web Device Manager Access via Http Configuring EX2500 Web Device Manager Access via Https Using Snmp SNMPv1, SNMPv2 SNMPv3 Default ConfigurationUser Configuration Configuring Snmp Trap Hosts SNMPv1 Trap Host ConfigurationSNMPv2 Trap Host Configuration Configure an entry in the notify table Securing Access to the Switch SNMPv3 Trap Host Configuration Radius Authentication and Authorization How Radius Authentication WorksConfiguring Radius on the Switch Configure the Radius secret Radius Authentication Features in the EX2500 Switch Switch User Accounts Radius Attributes for EX2500 User Privileges TACACS+ Authentication Features in the EX2500 Switch TACACS+ AuthenticationHow TACACS+ Authentication Works „ starttime „ stoptime „ elapsedtime „ disccause Configure the TACACS+ secret and second secret Command Authorization and LoggingConfiguring TACACS+ Authentication on the Switch Configuring SSH Features on the Switch Generating RSA Host and Server Keys for SSH AccessSecure Shell SSH Encryption of Management Messages End User Access Control SSH Integration with Radius and TACACS+ Authentication Considerations for Configuring End User Accounts User Access Control Listing Current Users Logging In to an End User Account VLANs Vlan Overview „ Port configuration VLANs and Port Vlan ID NumbersVlan Numbers Pvid Numbers Illustrates the default Vlan settings on the switch Vlan Tagging Default Vlan Settings Port-Based Vlan Assignment Vlan Configuration Rules Vlan Topologies and Design Considerations Multiple VLANs Configuration Example Multiple VLANs example in is described in Table Enable tagging on uplink ports that support multiple VLANs Private VLANs Private Vlan Ports Private Vlan Configuration Guidelines Private Vlan Configuration ExampleConfigure a secondary Vlan and map it to the primary Vlan Verify the configuration Spanning Tree Protocol Spanning Tree Overview Bridge Priority Bridge Protocol Data Units BPDUsDetermining the Path for Forwarding BPDUs Spanning Tree Group Configuration Guidelines Changing the Spanning Tree ModePort Priority Port Path Cost Adding and Removing Ports from STGs Creating a VlanRules for Vlan Tagged Ports Rapid Spanning Tree Protocol Port State Changes Rstp Configuration Guidelines Rstp Configuration ExamplePort Type and Link Type Edge Port Per Vlan Rapid Spanning Tree Default Spanning Tree ConfigurationWhy Do We Need Multiple Spanning Trees? Pvrst Configuration Guidelines Configuring Pvrst Mstp Configuration Guidelines Multiple Spanning Tree ProtocolMstp Region Common Internal Spanning Tree Multiple Spanning Tree Groups Configuration Example Implementing Multiple Spanning Tree Groups Fast Uplink Convergence Vlan Configuration Guidelines Configuring Fast Uplink Convergence Statistical Load Distribution Ports and TrunkingTrunking Overview Trunk Group Configuration Rules Built-In Fault ToleranceBefore Configuring Static Trunks Port Trunking Configuration Example Port Trunk Group Configuration Example Follow these steps on the EX2500 switch Define a trunk group Configurable Trunk Hash Algorithm Link Aggregation Control Protocol„ Destination MAC Dmac „ Destination IP DIP 48 „ Link Aggregation Control Protocol Lacp Configuration Guidelines Configuring LacpOptionally Reducing Lacp Timeout Set the Lacp mode Ex2500config-if# lacp timeout short ex2500config-if# exit Quality of Service QoS Overview Using ACL Filters COS MAC Extended ACLs IP Standard ACLsTo delete a MAC Extended ACL To delete an IP Standard ACL IP Extended ACLs To delete an IP Extended ACL Understanding ACL Priority TCP/UDP ACL Configuration Examples Assigning ACLs to a PortViewing ACL Statistics ACL Example 1-Blocking Traffic to a Host ACL Example 3-Blocking Http Traffic Add the ACL to a port ACL Example 4-Blocking All Except Certain Packets Assign the ACLs to a port Broadcast Storms Using Storm Control FiltersConfiguring Storm Control Using Dscp Values to Provide QoS Differentiated Services Concepts Per Hop Behavior Assured Forwarding Drop Precedence Class Dscp Mapping Use the following command to perform Dscp mappingQoS Levels Using 802.1p Priority to Provide QoS Shows the priority bits in a VLAN-tagged packet Queuing and Scheduling Remote Monitoring Rmon Overview Configure the Rmon statistics on a port Rmon Group 1-Statistics Configuring Rmon History Configure the Rmon History parameters for a portThis configuration enables Rmon History collection on port Rmon Group 2-History Rmon Group 3-Alarms Alarm MIB ObjectsConfiguring Rmon Alarms Configure the Rmon Alarm parameters to track Icmp messages Ex2500config# rmon event 110 type log-only Rmon Group 9-EventsPage Igmp Igmp Snooping FastLeave Igmp Snooping Configuration Example IGMPv3 Snooping Static Multicast Router Ex2500# show ip igmp groups High Availability Through Uplink Failure Detection High Availability Overview Spanning Tree Protocol with UFD UFD Configuration Guidelines Failure Detection Pair UFD Configuration Example Monitoring UFDPage Appendixes EX2500 Ethernet Switch Configuration Guide 80 „ Appendixes „ Port Mirroring Overview on „ Configuring Port Mirroring on Port Mirroring Overview Configuring Port Mirroring Indexes „ Index on EX2500 Ethernet Switch Configuration Guide 84 „ Indexes Index Numerics Management interface, configuring Multi-links between switches, port trunkingPhysical. See switch ports Internet Group Management Protocol. See Igmp Quality of Service. See QoS QoSSecurity Segmentation. See IP subnets Segments. See IP subnets Virtual Local Area Networks. See VLANs Example showing multiple VLANs