Transparent mode: VLAN rewrite – retagging
In this blog post we will discuss the SRX VLAN retagging feature and show you how to configure it.
SRX devices are also capable to operate in transparent mode. In transparent mode forwarding decisions are based on layer 2 information, instead on layer 3 information. In transparent mode SRX devices act like a layer 2 switch and support tagged and untagged interfaces.
For certain layer 2 designs it is required to change the VLAN ID between interfaces. For example a tagged ingress frame with VLAN ID 10 must be changed to VLAN ID 20 on the egress interface (and vice versa).
Obviously VLAN retagging cannot be configured on access ports. Only trunk ports support this feature. However, keep in mind that it is possible to map untagged traffic received on a trunk interface to a VLAN.
Please see below an example configuration
As you can see the interface is configured as a normal layer 2 trunk interface. What is new in this configuration is the “vlan-rewrite translate” command.
Two values must be specified when configuring the “vlan-rewrite translate” feature
The 1st value represents the “incoming” VLAN ID, i.e. the VLAN ID used in the received frame
. The 2nd value represents the “target “ VLAN ID, i.e. the VLAN ID the frame header will be rewritten to.
Simply put, the 1st value is the input VLAN ID and 2nd value is the output VLAN id.
Keep in mind that that there is a restriction that both of these VLAN ids must be different than the “native-vlan-id” value. In Junos the “native-vlan-id” statement defines the VLAN for received untagged frames.
For correct configuration the “target” VLAN IDs needs to be defined in the vlan-id-list (either explicitly or as a member of the range) on the interface.
VLAN retagging / translation happens of course in two directions. Frames with the target VLAN ID are send out the interface with the “incoming” VLAN id.
In the example shown above VLAN ID 999 is rewritten to VLAN ID 1000. This means a frame with the VLAN ID value 999 received on the ge-0/0/5 interface is rewritten to VLAN ID 1000. The SRX device then processes the frame as a member of the VLAN 1000. In the opposite direction – a frame with VLAN ID 1000 leaves interface ge-0/0/5 tagged with VLAN ID 999.
A small reminder: Do not forget that each VLAN requires a bridge domain configuration under the [edit bridge-domains] stanza. Otherwise the device will not forward frames in that VLAN. However a bridge domain is not needed for the “incoming” VLAN
The command below is useful for troubleshooting because it shows the rewriting statistics. Either the interface or the “incoming” VLAN ID can be specified as the command parameters.
In this post we described the SRX VLAN rewrite functionality when the devices is operation in transparent mode. This feature is very helpful and often used in migration scenario’s.
Categorised in: JNCIE-SEC