DOT1Q Tunnelling (Q in Q) selective vlan

etxnreg
Level 1

Hi,

Have a number of receiving vlans (t) on an interface, all of them should be tunneled with dot1q except one vlan.

This vlan is for multicast and therefore should not have an additional tag.

Have only found solutions where the entire interface is tunneled.
Can I use native vlan any way?
Has anyone any ideas?
Configuration example?

Thanks Niklas
 

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Niklas,

generally speaking filtering on Vlan-id is not possible.

However, with some specific platform and recent IOS this would be possible.

see

selective QinQ mapping on ME 3400

http://www.cisco.com/en/US/docs/switches/metro/me3400e/software/release/12.2_50_se/configuration/guide/swtunnel.html#wp1059629

>> This example shows how to configure selective QinQ mapping on the port so that traffic with a C-VLAN ID of 1 to 5 enters the switch with an S-VLAN ID of 100. The traffic of any other VLAN IDs is dropped.

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport vlan mapping 1-5 dot1q-tunnel 100
Switch(config-if)# switchport vlan mapping drop default
Switch(config-if)# exit

and on C3750 ME

http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_52_se/configuration/guide/swtunnel.html#wp1021922

these features also allow mapping a specific customer vlan to a service provider vlan, and this would allow using a single port as an 802.1Q tunnel for some vlans and as a "normal" port for other vlan(s)

if you don't have these platforms you should deploy two links:

one with dot1q tunnel with the list of permitted vlans tuned on CE side to deny the vlan of the multicast traffic.

a dedicated link for the multicast traffic vlan not configured as a tunnel dot1q

Hope to help

Giuseppe
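
An added example, not part of the original thread or of Cisco's documentation: a Python model of the selective QinQ behaviour quoted above (C-VLAN 1 to 5 receives S-VLAN 100, everything else is dropped), with a tag-stack parser that can check frames seen on the provider trunk. The use of VLAN 40 as the VLAN that must stay single-tagged, the sample MAC addresses, all function names, and the treatment of untagged frames as matching no C-VLAN are assumptions.

```python
import struct

TPIDS = (0x8100, 0x88A8)  # 802.1Q and 802.1ad tag protocol identifiers

def vlan_stack(frame: bytes) -> list:
    """VLAN IDs of the tags in a raw Ethernet frame, outermost first."""
    ids, off = [], 12                      # tags start after the two MACs
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break
        ids.append(tci & 0x0FFF)           # low 12 bits of the TCI are the VID
        off += 4
    return ids

def push_tag(frame: bytes, vid: int, tpid: int = 0x8100) -> bytes:
    """Insert an outer tag after the MAC addresses, keeping inner tags."""
    return frame[:12] + struct.pack("!HH", tpid, vid) + frame[12:]

def selective_qinq(frame: bytes, c_vlans: range, s_vlan: int):
    """Model of 'vlan mapping <c_vlans> dot1q-tunnel <s_vlan>' + 'drop default'.

    Returns the double-tagged frame, or None when the frame is dropped.
    Assumption of this sketch: an untagged frame matches no C-VLAN.
    """
    stack = vlan_stack(frame)
    if stack and stack[0] in c_vlans:
        return push_tag(frame, s_vlan)
    return None

def trunk_frame_ok(frame: bytes, s_vlan: int, single_tag_vlan: int) -> bool:
    """Provider-trunk check: tunneled traffic carries [s_vlan, c_vlan];
    the excluded VLAN carries exactly one tag."""
    stack = vlan_stack(frame)
    if stack == [single_tag_vlan]:
        return True
    return len(stack) == 2 and stack[0] == s_vlan and stack[1] != single_tag_vlan

def customer_frame(vid: int) -> bytes:
    """Constructed sample: multicast dst MAC, made-up src MAC, one C-tag, IPv4."""
    macs = bytes.fromhex("01005e000001") + bytes.fromhex("020000000001")
    return push_tag(macs + struct.pack("!H", 0x0800) + b"\x00" * 46, vid)
```

Feeding `trunk_frame_ok` the raw bytes of frames captured on the trunk shows whether the multicast VLAN is leaving with one tag while the other customer VLANs carry the S-tag.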

Hi,

Thanks for the response.

The customer has c4500 hw, and if I have understood right vlan-mapping is not supported on this platform.

The following document talks about using native vlan to solve this problem, maybe I have it completely wrong.

http://www.cisco.com/en/US/docs/switches/metro/me3400e/software/release/12.2_44_ey/configuration/guide/swtunnel.pdf

Have tried following config:

incoming interface

interface GigabitEthernet1/0/10
 switchport access vlan 1000
 switchport trunk native vlan 40
 switchport mode dot1q-tunnel
 load-interval 30
 srr-queue bandwidth share 25 25 25 20
 priority-queue out
 mls qos trust dscp
 no cdp enable

tunnel interface:

interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 40
 switchport trunk allowed vlan 32,40,102,1000,2388
 switchport mode trunk
 load-interval 30
 srr-queue bandwidth share 25 25 25 20
 priority-queue out
 mls qos trust dscp
 no cdp enable

BR Niklas

Hello Niklas,

if the Vlan simply does not need to be propagated just use the allowed vlan list on CE side to skip it.

if you want the vlan to be propagated but without double tagging I would use a separate link for this.

I think it is safer and also easier to troubleshoot.

Note also that you have linked an ME 3400 configuration guide and your customer has a C4500.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/tunnel.html

there are restrictions about the type of supervisor and image feature set

Edit:

however, the use of native vlan for L3 services could be possible:

>> IP routing is not supported on a VLAN that includes 802.1Q ports. Packets received from a tunnel port are forwarded based only on Layer 2 information. If routing is enabled on a switch virtual interface (SVI) that includes tunnel ports, untagged IP packets received from the tunnel port are recognized and routed by the switch. Customers can access the Internet through the native VLAN. If this access is not needed, you should not configure SVIs on VLANs that include tunnel ports.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/tunnel.html

the only limit is that you can only handle one vlan in this way. if later another vlan should be propagated without double 802.1Q tag you will need a second link that is not an 802.1Q tunnel.

Hope to help

Giuseppe
