Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
693
Views
0
Helpful
1
Replies

2960XR - 15.2(6)E - QinQ Support ? (Azure ExpressRoute)

dreeves01
Level 1
Level 1

‎09-23-2019 11:20 AM

In the middle of an expressroute deployment that is a little different from your standard microsoft example configs, we are treating azure cloud as a DMZ and terminating it onto a palo alto, but i have ran into some pitfalls.

  • Azure ExpressRoute uses QinQ natively.
  • PALO ALTO does not support QinQ natively...
  • have a switch @ the datacenter that i was hoping to land ExpressRoute on and then tag the (c) tags down to the palo alto.
  • 2960XR im finding conflicting information, some forum posts say the 2960XR supports traditional QinQ but not selective, and im having a hard time understanding if i need strictly traditionally or if i need selective ? (first time using QinQ)
  • basic diagram of what i am trying to achieve

CURRENTLY I am running this UNTAGGED with a single C-VLAN rolling across which makes this circuit up and operational, but we don't get the IP SLA 99.99995 support from microsoft that management wants. Has anyone in this community ever setup QinQ on a 2960XR series ? Everything im reading online says this needs to land on our ASR but we are treating Azure as a DMZ instance so that complicates our configuration, and to top it off we are out of ports on our ASR at the data center.

2960XR - Layer 2 & Tunneling Config Guide

Azure Router Config Sample

Forum Post asking about QinQ on 2960XR

Labels:
0 Helpful
1 Reply 1

budsornic
Level 1
Level 1

‎05-25-2020 08:30 AM

Hello

 

We had the same issue with our express route circuit and we are able to solve it in this way.

 

As the ISP provider indicate us, there is 2 outer VLANs (in our case, 15 and 16)  and 1 QinQ inner VLAN (vlan 300)

 

The circuit was connected in our ASR1002X cisco router.

 

interface GigabitEthernet0/0/0
description Azure_circuit
no ip address
negotiation auto

!

interface GigabitEthernet0/0/0.15
encapsulation dot1Q 15 second-dot1q 300

!

interface GigabitEthernet0/0/0.16
encapsulation dot1Q 16 second-dot1q 300

 

 

We connect the ASR through a switch to the Palo Alto, using a port channel

We configure 2 subinterfaces in this port channel, in the same vlans (15 and 16).

 

interface Port-channel60
no ip address

!

interface Port-channel60.15
encapsulation dot1Q 15

!

interface Port-channel60.16
encapsulation dot1Q 16

 

 

Finally we binded the vlans from the 2 fisical interfaces using xconnect:

 

connect main Port-channel60.15 GigabitEthernet0/0/0.15
connect backup Port-channel60.16 GigabitEthernet0/0/0.16

 

I hope this will help you

 

Bes regards

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card