02-21-2017 11:02 PM - edited 03-08-2019 09:27 AM
Hi,
Our company is trying to implement Microsoft ExpressRoute. Microsoft gives the solution as a Q-in-Q
From what I understand, I would have to configure another port on this switch for the Q-in-Q tunnelling viz.,
Here 456 is the S-Tag which is a normal
Switch 2 (with 3 Vlans) --> Trunk (with 3 Vlans) --> Switch 1 port with Q-in-Q config --> Switch 1 with trunk port to Service Provider --> Service provider network.
Is there a way to get this done without switch 2, stripping out the 3
Regards,
02-22-2017 12:28 AM
This doesn't sound right. If you are only using a single outer tag, why would you even use QinQ? Are you sure the service provider is not stripping out the outer tag already for you?
Only reasonably serious Cisco kit can do "full" QinQ. What sort of kit do you have? The config should look something like:
interface GigabitEthernet<Interface_Number>.<Number>
 encapsulation dot1Q <s-tag> second-dot1q <c-tag>
 ip address ...
I am not at all confident your tunnel approach will work.
01-10-2018 06:45 PM
Hi,
I didn't see your update. I managed to get this done using 1 switch. Basically we are configuring the port to the service provider as a trunk port. Then the two ports connected to our internal devices are configured as dot1q tunnel ports.
Router/Switch on private peering interface (access port Vlan 10 C-Tag Vlan) <--> Switch Port 1 (Dot1q tunnel with S-Tag Vlan 900) <--> Switch port 10 (Regular trunk port with S-Tag Vlan 900) <--> Service Provider Switch <--> Microsoft Switch.
Router/Switch on public peering interface (access port Vlan 20 C-Tag Vlan) <--> Switch Port 1 (Dot1q tunnel with S-Tag Vlan 900) <--> Switch port 10 (Regular trunk port with S-Tag Vlan 900) <--> Service Provider Switch <--> Microsoft Switch.
So a single switch is being used between the service provider network and ours. It's been running for quite a few months now.
01-10-2018 07:02 PM
Hi,
I forgot to give you the details.
For private peering the configs are,
Internal Switch <--> DMZ Switch <--> Provider device <--> Microsoft Devices.
Internal Switch
interface GigabitEthernet1/1/2
 description Connected to ExpressRoute DMZ Switch Private Peering
 switchport
 switchport trunk encapsulation dot1q
 ! C-Tag for private peering Vlan
 switchport trunk allowed vlan 1500
 switchport mode trunk
DMZ Switch
interface GigabitEthernet1/0/1
 description Connected to internal switch for MS ExpressRoute public peering
 ! S-Tag Vlan
 switchport access vlan 900
 switchport mode dot1q-tunnel
 no cdp enable
!
interface GigabitEthernet1/0/3
 description Connected to internal switch for private peering
 ! S-Tag Vlan
 switchport access vlan 900
 switchport mode dot1q-tunnel
!
interface GigabitEthernet1/1/1
 description Connected to L2 service provider switch
 ! S-Tag Vlan
 switchport trunk allowed vlan 900
 switchport mode trunk
 speed nonegotiate
!
The config for the public peering is exactly the same except that the C-Tag is 1520 and our internal switch is different. The DMZ switch is exactly the same. G1/0/1 on our DMZ switch is used for public peering (S-Tag: 900, C-Tag: 1520), G1/0/3 is used for private peering with Microsoft ExpressRoute (S-Tag: 900, C-Tag: 1500).
Regards,
Deepu Abraham.
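Added example, not part of the original thread: a small Python check for a frame captured on the provider-facing trunk (G1/1/1 above), decoding the VLAN tag stack and confirming it carries one of the S-Tag/C-Tag pairs given in the post (900/1500 private, 900/1520 public). The function names and sample frames are constructed for illustration; the parser accepts both 0x8100 and 0x88A8 as tag TPIDs because the outer tag's TPID depends on the platform and provider.

```python
import struct

# TPIDs that introduce a VLAN tag: 0x8100 (802.1Q) and 0x88A8 (802.1ad service tag).
VLAN_TPIDS = {0x8100, 0x88A8}

# (S-Tag, C-Tag) pairs taken from the thread.
EXPECTED = {(900, 1500): "private peering", (900, 1520): "public peering"}


def vlan_stack(frame: bytes):
    """Return ([vlan_id, ...] outermost first, inner EtherType) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC
    vlans = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vlans, ethertype


def classify(frame: bytes) -> str:
    """Name the peering a frame on the provider-facing trunk belongs to."""
    vlans, _ = vlan_stack(frame)
    if len(vlans) != 2:
        return f"unexpected tag depth {len(vlans)}: {vlans}"
    return EXPECTED.get(tuple(vlans), f"unexpected S/C pair {tuple(vlans)}")


def build_frame(tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Construct a sample frame; tags is a list of (tpid, vlan_id), outermost first."""
    header = bytes.fromhex("02000000000a" "02000000000b")  # constructed MACs
    for tpid, vid in tags:
        header += struct.pack("!HH", tpid, vid)
    return header + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # Constructed sample frames, not captures from the poster's network.
    print(classify(build_frame([(0x8100, 900), (0x8100, 1500)])))
    print(classify(build_frame([(0x88A8, 900), (0x8100, 1520)])))
    print(classify(build_frame([(0x8100, 900)])))  # C-Tag missing
```

A frame that reaches the trunk with only the S-Tag, or with a C-Tag other than 1500 or 1520, is reported as unexpected rather than silently accepted.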
08-11-2018 11:46 AM
Hi... getting 2 switches to do the job seems an overkill. Can't it be done by using 1 switch, which has the SVI for private peering and MS peering? Then it's a trunk to the SP and they push the S-Tag on their side and switch it!?
08-12-2018 05:37 PM
Hi,
I doubt it, as the VLAN taken out from the trunk port is the S-Tag. This is then connected to our internal switches using access ports (S-Tag VLAN); the internal switch has the MS Private Peering VLAN.