09-23-2019 11:20 AM
I'm in the middle of an ExpressRoute deployment that is a little different from your standard Microsoft example configs. We are treating the Azure cloud as a DMZ and terminating it onto a Palo Alto, but I have run into some pitfalls.
CURRENTLY I am running this UNTAGGED with a single C-VLAN rolling across, which makes this circuit up and operational, but we don't get the IP SLA 99.99995 support from Microsoft that management wants. Has anyone in this community ever set up QinQ on a 2960XR series? Everything I'm reading online says this needs to land on our ASR, but we are treating Azure as a DMZ instance, so that complicates our configuration, and to top it off we are out of ports on our ASR at the data center.
05-25-2020 08:30 AM
Hello
We had the same issue with our ExpressRoute circuit and we were able to solve it in this way.
As the ISP provider indicated to us, there are 2 outer VLANs (in our case, 15 and 16) and 1 QinQ inner VLAN (VLAN 300).
The circuit was connected to our ASR1002X Cisco router.
interface GigabitEthernet0/0/0
 description Azure_circuit
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/0.15
 encapsulation dot1Q 15 second-dot1q 300
!
interface GigabitEthernet0/0/0.16
 encapsulation dot1Q 16 second-dot1q 300
We connect the ASR through a switch to the Palo Alto, using a port channel.
We configure 2 subinterfaces in this port channel, in the same VLANs (15 and 16).
interface Port-channel60
 no ip address
!
interface Port-channel60.15
 encapsulation dot1Q 15
!
interface Port-channel60.16
 encapsulation dot1Q 16
Finally, we bound the VLANs from the 2 physical interfaces using xconnect:
connect main Port-channel60.15 GigabitEthernet0/0/0.15
connect backup Port-channel60.16 GigabitEthernet0/0/0.16
I hope this will help you.
Best regards
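To check from a packet capture on the ExpressRoute-facing port that frames really carry the tag stack the subinterfaces above expect (outer 15 or 16, inner 300), here is an added example that is not part of the original posts. It assumes raw Ethernet frames as bytes, accepts either 0x8100 or 0x88A8 as the tag TPID, and uses constructed sample frames; all function names are hypothetical.

```python
import struct

# TPIDs that introduce a VLAN tag: 0x8100 (802.1Q) and 0x88A8 (802.1ad S-tag).
# Accepting both is an assumption; the posts do not state which one is on the wire.
VLAN_TPIDS = {0x8100, 0x88A8}


def parse_vlan_stack(frame: bytes):
    """Return (VLAN IDs outermost first, payload EtherType) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    vlans = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return vlans, ethertype


def matches_subinterface(frame: bytes, outer: int, inner: int) -> bool:
    """True only for a frame tagged exactly outer/inner, i.e. what
    'encapsulation dot1Q <outer> second-dot1q <inner>' is configured for."""
    try:
        vlans, _ = parse_vlan_stack(frame)
    except ValueError:
        return False
    return vlans == [outer, inner]


def build_frame(vlans, ethertype=0x0800, tpid=0x8100) -> bytes:
    """Build a sample frame (constructed test data, not a real capture)."""
    hdr = bytes.fromhex("02000000000a") + bytes.fromhex("02000000000b")
    for vid in vlans:
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46


if __name__ == "__main__":
    for stack in ([15, 300], [16, 300], [15], []):
        frame = build_frame(stack)
        print(stack, "primary:", matches_subinterface(frame, 15, 300),
              "backup:", matches_subinterface(frame, 16, 300))
```

A single-tagged or untagged frame fails both checks, which is the situation described in the first post.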