[AusNOG] Cisco Q-in-Q config on AAPT e-Line

Thu Dec 13 13:29:08 EST 2012

Hi James

In short:  assuming your core switch is a 3750-X - you can't.  The 
3550/3560/3750 series is targeted as an enterprise/floor switch and 
doesn't have some extra goodies that exist in infrastructure that is 
designed for a service provider environment.

Your 3750-X will be able to pass through double tagged frames to 
something else to terminate them, but itself won't be able to terminate 
VLANs based on the inner tag.

Equipment which can however do this includes:

- Almost all IOS based routers, from 1941s up to 7200s, including 
ASR1k's etc
- ME3600X and ME3800X (I've deployed a number of these, they are very 
good at this and not overly expensive)
- Catalyst Switches starting from the 6500/7600 line, with SIP cards

The example sent to the list already is valid but only works on routers 
not switches.  For a router, subinterfaces are the way to do it, for the 
ME3600/ME3800 and big switches you'd be configuring Service Instances 
(EFP's) matching on inner and outer dot1q tags, and then bound to SVIs.

If you're after a Cisco switching platform to do this I can highly 
recommend the ME3600X.

I would HIGHLY recommend you read up, test in a lab and understand this 
stuff before you start deploying it, there are some security caveats you 
need to be aware of when handling double tagged frames that aren't 
neceesarily obvious if you're not used to the concepts.

Many other vendors do this quite well too, but for most I would suggest 
you're going to be looking for equipment capable and having "Metro 
Ethernet" features.

Reuben

On 13/12/2012 12:19 PM, James Mcintosh wrote:
> Hi Noggers,
>
> I'm hoping one of the many smart people on the list can help me with
> my Q-in-Q issue on AAPT's e-Line (Ethernet).
>
> We have an AAPT Ethernet Trunk Access at our core that terminates
> various customer Single Access services. Config on the trunk port
> that terminates the various single access services looks like so:
>
> sh run interface GigabitEthernet1/0/21 Building configuration...
>
> Current configuration : 217 bytes ! interface GigabitEthernet1/0/21
> description AAPT Trunk switchport trunk encapsulation dot1q
> switchport trunk allowed vlan 215-218,320,321,398 switchport mode
> trunk load-interval 30 end
>
> Pretty standard stuff. However here's where it gets complicated (to
> me). VLAN 320 needs to do Q-in-Q, encapsulating 3 other VLAN's within
> it (VLAN 8, 91 and 22)
>
> Quoting from the AAPT product definition:
>
> "AAPT e-Line services delivered end-to-end on AAPT infrastructure
> support customer VLANs transparently. e-Line services are designed to
> allow customers to configure and run multiple VLANs without any need
> to co-ordinate with AAPT.
>
>
> To enable multiple VLANs across an AAPT e-Line service where one end
> is an Ethernet Trunk Access and the other end is either Ethernet
> Single-Service Access, the customer should configure the CPE at the
> Ethernet Trunk Access end with 802.1QinQ encapsulation and the CPE at
> the other end with 802.1Q encapsulation."
>
>
> So my question is, how do I get visibility on the core switch of VLAN
> 8, 91 and 22 which are encapsulated within VLAN 320?