[AusNOG] Cisco Q-in-Q config on AAPT e-Line

Graeme Allen gallen at mytelecom.com.au
Thu Dec 13 13:47:38 EST 2012 

Yes, I was assuming a router.....


On Thu, 2012-12-13 at 13:29 +1100, Reuben Farrelly wrote:
> Hi James
> 
> In short:  assuming your core switch is a 3750-X - you can't.  The 
> 3550/3560/3750 series is targeted as an enterprise/floor switch and 
> doesn't have some extra goodies that exist in infrastructure that is 
> designed for a service provider environment.
> 
> Your 3750-X will be able to pass through double tagged frames to 
> something else to terminate them, but itself won't be able to terminate 
> VLANs based on the inner tag.
> 
> Equipment which can however do this includes:
> 
> - Almost all IOS based routers, from 1941s up to 7200s, including 
> ASR1k's etc
> - ME3600X and ME3800X (I've deployed a number of these, they are very 
> good at this and not overly expensive)
> - Catalyst Switches starting from the 6500/7600 line, with SIP cards
> 
> The example sent to the list already is valid but only works on routers 
> not switches.  For a router, subinterfaces are the way to do it, for the 
> ME3600/ME3800 and big switches you'd be configuring Service Instances 
> (EFP's) matching on inner and outer dot1q tags, and then bound to SVIs.
> 
> If you're after a Cisco switching platform to do this I can highly 
> recommend the ME3600X.
> 
> I would HIGHLY recommend you read up, test in a lab and understand this 
> stuff before you start deploying it, there are some security caveats you 
> need to be aware of when handling double tagged frames that aren't 
> neceesarily obvious if you're not used to the concepts.
> 
> Many other vendors do this quite well too, but for most I would suggest 
> you're going to be looking for equipment capable and having "Metro 
> Ethernet" features.
> 
> Reuben
> 
> On 13/12/2012 12:19 PM, James Mcintosh wrote:
> > Hi Noggers,
> >
> > I'm hoping one of the many smart people on the list can help me with
> > my Q-in-Q issue on AAPT's e-Line (Ethernet).
> >
> > We have an AAPT Ethernet Trunk Access at our core that terminates
> > various customer Single Access services. Config on the trunk port
> > that terminates the various single access services looks like so:
> >
> > sh run interface GigabitEthernet1/0/21 Building configuration...
> >
> > Current configuration : 217 bytes ! interface GigabitEthernet1/0/21
> > description AAPT Trunk switchport trunk encapsulation dot1q
> > switchport trunk allowed vlan 215-218,320,321,398 switchport mode
> > trunk load-interval 30 end
> >
> > Pretty standard stuff. However here's where it gets complicated (to
> > me). VLAN 320 needs to do Q-in-Q, encapsulating 3 other VLAN's within
> > it (VLAN 8, 91 and 22)
> >
> > Quoting from the AAPT product definition:
> >
> > "AAPT e-Line services delivered end-to-end on AAPT infrastructure
> > support customer VLANs transparently. e-Line services are designed to
> > allow customers to configure and run multiple VLANs without any need
> > to co-ordinate with AAPT.
> >
> >
> > To enable multiple VLANs across an AAPT e-Line service where one end
> > is an Ethernet Trunk Access and the other end is either Ethernet
> > Single-Service Access, the customer should configure the CPE at the
> > Ethernet Trunk Access end with 802.1QinQ encapsulation and the CPE at
> > the other end with 802.1Q encapsulation."
> >
> >
> > So my question is, how do I get visibility on the core switch of VLAN
> > 8, 91 and 22 which are encapsulated within VLAN 320?
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog

More information about the AusNOG mailing list