Juniper EX mac-based VLANs
Hi All,
Imagine that you have to assign a VLAN to a device that cannot send tagged frames. On a Juniper EX you can assign the VLAN based on the device's full MAC address, on its OUI (the first three octets), or on an arbitrary mask. Typical examples are a VoIP phone or a set-top box. Yes, for VoIP there is a dedicated feature called Voice VLAN that may suit your scenario, but for my scenario it was not an option.
In the picture you can see three devices connected to an unmanaged switch; all of them send untagged frames. The unmanaged switch is connected to an EX2200. On the EX2200 you have a configuration that assigns a particular VLAN to frames from particular source MAC addresses:
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members 10;
                }
            }
        }
    }
}
protocols {
    dot1x {
        authenticator {
            static {
                /* exact match on all 48 bits */
                00:15:c5:f5:d1:d1/48 {
                    vlan-assignment 11;
                }
                /* OUI match: only the first three octets are compared */
                00:1c:c4:00:00:00/24 {
                    vlan-assignment 78;
                }
            }
            interface {
                ge-0/0/0.0 {
                    supplicant multiple;
                }
            }
        }
    }
}
vlans {
    /* access VLAN referenced by ge-0/0/0 above; not shown in the original post */
    v10 {
        vlan-id 10;
    }
    v11 {
        description "PHONE";
        vlan-id 11;
    }
    v78 {
        description "VIDEO";
        vlan-id 78;
    }
}
This assigns VLAN 11 to the device with MAC 00:15:c5:f5:d1:d1 and VLAN 78 to every address in 00:1c:c4:00:00:00/24, i.e. any device whose OUI is 00:1c:c4. The interface is in access mode, so the PC, whose MAC matches neither static entry, stays in the port's default VLAN 10. The uplink port configuration is not included. To verify the assignment, use show vlans and show dot1x interface. Bear in mind that the source MAC address is the only thing being trusted here: any host that clones a listed address or OUI ends up in the same VLAN, so treat this as convenience, not as access control.
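As an added example that is not part of the original post, the Python below reimplements the matching that the static stanza expresses, so you can predict which VLAN a given source MAC should land in (and lint a table of entries) before committing on the switch. Two things it assumes that the page does not state: when two entries overlap, the most specific (longest mask) one wins, and an entry with bits set below its own mask is rejected as a typo; confirm the switch's real behaviour with show dot1x interface. The sample hosts are constructed, and the last one shows the caveat above: a PC that clones the 00:1c:c4 OUI is placed in the VIDEO VLAN.

```python
"""Predict Junos static-MAC VLAN assignment offline (added example, not the post's own code)."""

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class StaticEntry:
    mac: str        # canonical lower-case "aa:bb:cc:dd:ee:ff"
    mask_bits: int  # 48 = exact address, 24 = OUI (first three octets)
    vlan: int


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' ('-' and '.' separators also accepted) into a 48-bit int."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def mask_from_bits(bits: int) -> int:
    """Leading-ones mask over 48 bits: /24 -> 0xffffff000000, /48 -> all ones."""
    if not 0 <= bits <= 48:
        raise ValueError(f"mask must be 0..48 bits, got {bits}")
    return ((1 << bits) - 1) << (48 - bits)


def parse_static_entry(spec: str, vlan: int) -> StaticEntry:
    """Parse the Junos form '00:1c:c4:00:00:00/24'; no '/mask' means an exact /48 match."""
    addr, _, bits = spec.partition("/")
    mask_bits = int(bits) if bits else 48
    value = mac_to_int(addr)
    host_bits = value & ~mask_from_bits(mask_bits) & 0xFFFFFFFFFFFF
    if host_bits:
        # Lint of this script (assumption, not documented Junos behaviour): bits under the
        # mask are never compared, so 00:1c:c4:00:00:01/24 almost certainly contains a typo.
        raise ValueError(f"{spec}: address has bits set below /{mask_bits}")
    canonical = ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    return StaticEntry(canonical, mask_bits, vlan)


def matches(entry: StaticEntry, mac: str) -> bool:
    """True when the masked bits of `mac` equal the masked bits of the entry."""
    mask = mask_from_bits(entry.mask_bits)
    return (mac_to_int(mac) & mask) == (mac_to_int(entry.mac) & mask)


def assign_vlan(entries: Iterable[StaticEntry], mac: str, access_vlan: int) -> int:
    """VLAN a frame from `mac` lands in: the most specific matching entry, else the access VLAN.

    Longest-mask precedence is an assumption of this script, not something the page states.
    """
    best: Optional[StaticEntry] = None
    for entry in entries:
        if matches(entry, mac) and (best is None or entry.mask_bits > best.mask_bits):
            best = entry
    return best.vlan if best is not None else access_vlan


# The two entries from the dot1x static stanza above, plus the access VLAN of ge-0/0/0.
STATIC_ENTRIES = [
    parse_static_entry("00:15:c5:f5:d1:d1/48", 11),   # PHONE, exact match
    parse_static_entry("00:1c:c4:00:00:00/24", 78),   # VIDEO, OUI match
]
ACCESS_VLAN = 10

# Constructed sample hosts (not taken from the post).
SAMPLE_HOSTS = {
    "the phone": "00:15:c5:f5:d1:d1",
    "a set-top box": "00:1c:c4:12:34:56",
    "the PC": "08:00:27:ab:cd:ef",
    "the PC with a cloned 00:1c:c4 OUI": "00:1c:c4:de:ad:01",  # spoofed: lands in VIDEO
}

if __name__ == "__main__":
    for label, mac in SAMPLE_HOSTS.items():
        print(f"{label:36s} {mac} -> vlan {assign_vlan(STATIC_ENTRIES, mac, ACCESS_VLAN)}")
```

Run it as a script to see the table; to lint a larger static stanza, feed each "address/mask" and vlan-assignment pair through parse_static_entry and let the ValueError point at entries whose host bits would silently be ignored.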
Here are some references.
- My older forum post: http://forums.juniper.net/t5/Ethernet-Switching/mac-based-vlans/td-p/78548.
- Junos static MAC-based VLAN assignment: http://www.juniper.net/techpubs/en_US/junos12.2/topics/task/configuration/authentication-static-mac-bypass-ex-series-cli.html
- The VLAN can also be set via RADIUS. I googled and found this: http://daemonkeeper.net/638/configure-mac-based-vlan-assignment-with-freeradius-and-junos/. Search for "Configure MAC-Auth" and "EX Configuration". Also this Junos reference: http://www.juniper.net/techpubs/en_US/junos9.4/topics/concept/802-1x-pnac-guest-vlan-understanding.html and https://kb.juniper.net/InfoCenter/index?page=content&id=KB12688&cat=EX8216_1&actp=LIST&showDraft=false
End notes:
- I was not successful in setting a bidirectional untagged VLAN on a port for a particular MAC address with firewall filters (on an EX2200).
- MAC-based VLANs are compatible with other features like multicast IGMP snooping and per-queue (VLAN) QoS shaping.
- This should work on some devices. I didn't test it: ... VLAN mapping policy + firewall filter http://forums.juniper.net/t5/Ethernet-Switching/quot-filter-based-VLANs-quot/td-p/141799
- There is new functionality in 11.1. I didn't test it: http://juniper.tw/techpubs/en_US/junos12.2/topics/reference/configuration-statement/next-hop-edit-ethernet-switching-options-static.html