With introduction of layer 2 ethernet backbones, customers can connect their different sites at layer 2 level. What should service providers do to transport the customer’s vlans and send it across their layer 2 backbone to the other site. There is a conventional solution of not doing any special config and sending everything on their current trunks but that raises a lot of concerns:
- Two different customers won’t be able to use same vlan IDs
- If vlans from different customers are carried without any encapsulation, all customers can see other customer’s vlan which is a big security breach.
- Service provider’s network is open to all vlans, again a security breach.
Hence we need a solution where we can transport customer’s vlan in an encrypted format. That gave birth to Q-in-Q tunnels. Q-in-Q tunnels mean transporting a 802.1Q frame in another 802.1Q frame. Please consider the following example:
CP1: Customer switch at site1
SP1: Service Provider’s switch at site1
Sp2: Service Provider’s switch at site2
CP2: Customer’s switch at site2
Customer wants to transport vlan10 and vlan 20 from site 1 to site 2. If service provider don’t do any tunneling and transport it over their core network trunks, there is a good chance that 2 customers might use the same vlan IDs which will create chaos in the core. So QinQ tunnel will prefix another tag in front of tagged frame and will transport this double tagged frame over the Service provider core preserving the original vlan information. As with most of the technologies of Cisco, concept is difficult to understand but configuration is very simple.
On both the Customer switches, configure the link to Service provider as trunk:
CP1#
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
CP2#
interface FastEthernet0/19
switchport trunk encapsulation dot1q
switchport mode trunk
On Service provider switches, configure customer’s trunk port in vlan 89(vlan of your choice) and enable the dot1q-tunnel mode:
SP1#
interface GigabitEthernet0/13
switchport access vlan 89
switchport mode dot1q-tunnel
SP2#
interface FastEthernet0/19
switchport access vlan 89
switchport mode dot1q-tunnel
This configuration will transport and preserve all the vlan information of the customer. Here in example, As fa0/13 is a trunk port, CP1 will transmit all the tagged frames on it. On SP1, all tagged frames will be received on interface Gi0/13 and it will add another tag 89 (as shown in figure) to the frames. In service provider network, all the switching will be done on the basis of vlan tag 89 and once it reaches SP2, tag 89 will be taken off from the frame and original frame will be delivered to CP2.
By default CDP and STP is not supported over QinQ tunneling, you need to configure those.
Here is the output of show cdp neighbor from CP2 which does not show CP1 as its cdp neighbor:
CP2# sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route BridgeS - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
SP2 Fas 0/19 47 S I WS-C3550- Fas 0/19
R2 Fas 0/2 137 R S I 2811 Fas 0/1
You can configure that by adding following commands on the Service provider’s access interfaces:
SP1#
interface GigabitEthernet0/13
switchport access vlan 89
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp
l2protocol-tunnel point-to-point lacp
l2protocol-tunnel point-to-point udld
SP2#
interface FastEthernet0/19
switchport access vlan 89
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel point-to-point pagp
l2protocol-tunnel point-to-point lacp
l2protocol-tunnel point-to-point udld
Now check the status of l2protocol or 802.1Q tunneling:
SP1#sh l2protocol-tunnel
COS for Encapsulated Packets: 5
Drop Threshold for Encapsulated Packets: 0
Port Protocol Shutdown Drop Encapsulation Decapsulation Drop
Threshold Threshold Counter Counter Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi0/13 cdp ---- ---- 2 1 0
stp ---- ---- 724 31 0
--- ---- ---- ---- ---- ----
pagp ---- ---- 0 0 0
lacp ---- ---- 0 0 0
udld ---- ---- 0 0 0
and lets check cdp status now on CP2:
Cp2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route BridgeS - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
R2 Fas 0/2 148 R S I 2811 Fas 0/1
CP1 Fas 0/19 134 S I WS-C3560- Fas 0/13
Also remember that a vlan tag is 4 bytes long and having QinQ tunneling will add another 4 bytes to the original frame. So if CP1 sends a frame of 1500 bytes, a 4 byte QinQ tunneling tag will increase the frame size to 1504. And if your network has maximum MTU set to 1500 bytes, all these packets might be dropped. Hence you need to increase the MTU size to 1504 on all the switches in core network. You can do it by global config command:
system mtu 1504
QinQ tunneling/ 802.1Q tunneling/ Q-tunneling/ stacked vlans can be used to transport layer 2 information over the layer2 ethernet backbone. It helps Service provider to hide their network from customer as well.
Note: This can be implemented in pure layer2 ethernet backbone.