Problem QinQ

Baptiste-rsi (Level 1)

Hello,
I am trying to make a QinQ tunnel between 2 routers (Mikrotik and Cisco). Between them there are 2 Aruba 2930F.
But from the Mikrotik I can't ping the Cisco and I don't know why.

[attached image: Baptistersi_0-1722412513955.png]

Here is the diagram of the lab

This is the configuration of the Cisco:

! Last configuration change at 10:21:22 PARIS Wed Jul 31 2024
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco-cogent
!
no aaa new-model
clock timezone PARIS 1 0
clock summer-time PARIS recurring 1 Sun Apr 2:00 last Sun Oct 3:00
ip domain name rsi-informatique.fr
ip name-server 8.8.8.8
ip cef
ipv6 unicast-routing
ipv6 cef
multilink bundle-name authenticated
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.254 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip bgp-community new-format
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip ssh pubkey-chain
!
ip access-list standard admin
 permit X.X.X.X
 deny   any log
!
!
kron occurrence SauvegardeAuto at 23:00 recurring
 policy-list SauvegardeAuto
!
kron policy-list SauvegardeAuto
 cli sh run | redirect tftp://X.X.X.X/cisco-cogent.txt
!
logging facility local0
logging source-interface GigabitEthernet0/0
snmp-server community cisco RO
!
control-plane
!
!
 vstack
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class admin in
 login local
 length 0
 transport input ssh
!
scheduler allocate 20000 1000
ntp logging
no ntp allow mode control 0
ntp peer fr.pool.ntp.org
end

This is the configuration of SW-HBGT-06:

; JL258A Configuration Editor; Created on release #WC.16.11.0001
hostname "SW-HBGT-06"
module 1 type jl258a
qinq mixedvlan
svlan 10
   name "VLAN10"
   tagged 1,7
   exit
job "backup" at 23:00 config-save "copy run tftp X.X.X.X SW-HBGT-06.cnf"
logging 192.168.86.222
logging facility local7
logging severity info
timesync sntp
sntp unicast
sntp 300
time daylight-time-rule western-europe
interface 1
   name "CISCO-cogent"
   unknown-vlans disable
   exit
interface 2
   unknown-vlans disable
   exit
interface 3
   unknown-vlans disable
   exit
interface 4
   unknown-vlans disable
   exit
interface 5
   unknown-vlans disable
   exit
interface 6
   unknown-vlans disable
   exit
interface 7
   name "SW-HBGT-07 QinQ"
   unknown-vlans disable
   exit
interface 8
   unknown-vlans disable
   exit
interface 9
   unknown-vlans disable
   exit
interface 10
   unknown-vlans disable
   exit
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 3-6,10
   exit
no spanning-tree bpdu-throttle
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager


This is the configuration of SW-HBGT-07:


; JL258A Configuration Editor; Created on release #WC.16.11.0001
hostname "SW-HBGT-07"
module 1 type jl258a
qinq mixedvlan
svlan 10
   name "VLAN10"
   tagged 1
   untagged 2
   exit
job "backup" at 23:00 config-save "copy run tftp X.X.X.X SW-HBGT-07.cnf"
logging 192.168.86.222
logging facility local7
logging severity info
timesync sntp
sntp unicast
sntp 300
time daylight-time-rule western-europe
interface 1
   name "SW-HBGT-06"
   unknown-vlans disable
   exit
interface 2
   name "Mikrotik"
   unknown-vlans disable
   qinq port-type customer-network
   exit
interface 3
   unknown-vlans disable
   exit
interface 4
   unknown-vlans disable
   exit
interface 5
   unknown-vlans disable
   exit
interface 6
   unknown-vlans disable
   exit
interface 7
   unknown-vlans disable
   exit
interface 8
   unknown-vlans disable
   exit
interface 9
   unknown-vlans disable
   exit
interface 10
   unknown-vlans disable
   exit
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 3-6,9-10
   ipv6 enable
   ipv6 address dhcp full
   exit
no spanning-tree bpdu-throttle
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager

Giuseppe Larosa (Hall of Fame)

Hello @Baptiste-rsi ,

The Q in Q configuration is performed on the Aruba; check the Aruba documentation to verify that your configuration is correct.

The Cisco router and the other router are just like "end user devices" for the Q in Q service; there is nothing special about the Cisco router configuration.

>>

interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.254 255.255.255.0
!

Is VLAN 10 supposed to be the customer-facing VLAN or the external VLAN?

If it is the external VLAN, your router should use a different VLAN and a different encapsulation in the subinterface.

The same consideration applies to the other router.

Hope to help

Giuseppe

 

Hi Giuseppe,

Thanks for your response.

Actually we have a 3COM 4800 that lets the QinQ pass directly to the Cisco. We need to replace this 4800 with the Aruba.

According to the documentation, the QinQ on the Aruba is good.
On the Cisco, VLAN 10 is an external VLAN.
Still with a view to replacing the 4800, we currently have both the external and the client VLAN communicating with the Cisco.

Is it possible?

Hello @Baptiste-rsi ,

By external VLAN I refer to the VLAN used on the Aruba switches for the Q in Q external 802.1Q header.

To be able to communicate on both this "external VLAN" and on one or more internal customer-facing VLANs, my guess is that you should connect two ports to two different ports on the Aruba switches.

However, my guess is based on how Q in Q is configured on a Cisco switch, where the user-facing port uses a command like

switchport mode dot1q-tunnel (or similar, just to give you an idea) and it is associated with VLAN 10 so that the external header is created based on this.

I don't know Aruba switches enough to say the same can be done on them.

Hope to help

Giuseppe

 

To be more precise, we currently have a fibre arrival for our customers with VLANs as well as VLANs inside another VLAN. On our switch we have:

port trunk permit vlan X to Y

and on the Cisco we have all the interfaces for the VLANs:

interface GigabitEthernet0/0.1000
 encapsulation dot1Q 1000
 ip address X.X.X.X
!
interface GigabitEthernet0/0.1200
 encapsulation dot1Q 1320
 ip address X.X.X.X
!
interface GigabitEthernet0/0.1200101
 encapsulation dot1Q 1200 second-dot1q 101
 ip address X.X.X.X

So I assumed that it was coming in as QinQ given the Cisco configuration, because I don't know any other way of passing a VLAN through another VLAN.

But in view of my tests, it wouldn't work if it were QinQ.

The problem is that the link between our equipment and our customers is necessarily via a VLAN per customer, and that in certain VLANs we need to add one or more VLANs.

 

Hello @Baptiste-rsi ,

OK, the router has a mix of subinterfaces, some of them with a single VLAN tag and some of them with two VLAN tags.

Probably what you need is just a trunk carrying all the external VLAN IDs on the Aruba switch, not Q in Q.

You may need to increase the MTU on the Aruba to accommodate the extra 4 bytes of the double-tagged subinterfaces.

Hope to help

Giuseppe

 

I tried to just tag on the Aruba. With port mirroring I captured packets: the "encapsulation VLAN" is pinging, but not the "encapsulated VLAN".

The config of the Cisco:

interface GigabitEthernet0/0.1330
 encapsulation dot1Q 1330
 ip address 10.13.30.254 255.255.255.0
!
interface GigabitEthernet0/0.1330100
 encapsulation dot1Q 1330 second-dot1q 100
 ip address 10.133.100.254 255.255.255.0

I have tagged VLANs 1330 and 100 on the 2 switches, and untagged 1330 and tagged 100 on the port used for the other router.
I launched a ping from the Cisco and here is a packet sent:

[attached screenshot: Baptistersi_0-1722438592267.png]

I tried again by reactivating the QinQ on the switches and here is the packet sent by the Cisco:

[attached screenshot: Baptistersi_1-1722438763001.png]

I don't understand why it is re-encapsulated in VLAN 4095. Without that it should work.

 

Hello @Baptiste-rsi ,

I think the external VLAN ID 4095 is introduced by the Aruba: you are port-mirroring a port on the Aruba configured for Q in Q.

It is not the Cisco that adds it.

Hope to help

Giuseppe

 

Hi Giuseppe,

To check this I connected my PC directly to the output of the switch, with the same interface configuration as above.
I ran a frame capture and saw that the packets were never encapsulated in VLAN 1330.

[attached screenshots: Baptistersi_0-1722496107566.png, Baptistersi_1-1722496131433.png]

When I do port mirroring on the switch on the port connected to the Cisco, this is what I get:

[attached screenshots: Baptistersi_3-1722496867412.png, Baptistersi_2-1722496835190.png]

I don't know when VLANs 4095 and 1330 were added, and why VLAN 1330 is not present when I connect my PC directly to the Cisco.

Hello @Baptiste-rsi ,

I think you should compare packet captures taken with port mirroring, with the Cisco connected to the Aruba switch, in two scenarios:

a) with Q in Q active, where we see it adds an external VLAN ID of 4095 and keeps the original stack VLAN 1330 - VLAN 100

b) without Q in Q active

To make it work you need a chain like the following:

Cisco router ------  Aruba Switch ---- inter switch link --- Aruba switch ---  Other router

Q in Q requires a symmetric setup

Hope to help

Giuseppe
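As an added example (not from the thread, and not a vendor tool), the following Python decodes the 802.1Q/802.1ad tag stack of a captured Ethernet frame so the two captures Giuseppe describes can be compared mechanically: the stack the router sent versus the stack seen on the mirrored Aruba port, with any tag pushed in transit (VLAN 4095 in the OP's capture) reported separately. The frames and MAC addresses are constructed, and the TPID the switch uses for its outer tag is an assumption, since the thread's screenshots do not show it.

```python
import struct

# EtherTypes that introduce a 4-byte VLAN tag. Which one the Aruba uses for its
# outer tag is not visible in the thread, so all three are accepted (assumption).
TPID_8021Q = 0x8100         # customer tag (C-tag)
TPID_8021AD = 0x88A8        # service tag (S-tag), IEEE 802.1ad
TPID_QINQ_LEGACY = 0x9100   # pre-standard Q-in-Q outer tag
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD, TPID_QINQ_LEGACY}

def parse_vlan_stack(frame: bytes):
    """Return (dst_mac, src_mac, [vid, ...], payload_ethertype), VIDs outermost first."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, offset, vids = frame[:6], frame[6:12], 12, []
    while offset + 2 <= len(frame):
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            return dst, src, vids, ethertype      # reached the payload EtherType
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)                 # low 12 bits = VLAN ID; PCP/DEI dropped
        offset += 4
    raise ValueError("frame ends inside the tag stack")

def tags_added_in_transit(sent: bytes, observed: bytes):
    """VIDs pushed on top of the stack the router sent ([] if none).
    Raises if the inner stack was rewritten, i.e. a VLAN translation rather than a Q-in-Q push."""
    sent_vids, seen_vids = parse_vlan_stack(sent)[2], parse_vlan_stack(observed)[2]
    if sent_vids and seen_vids[-len(sent_vids):] != sent_vids:
        raise ValueError(f"inner stack changed: sent {sent_vids}, saw {seen_vids}")
    return seen_vids[:len(seen_vids) - len(sent_vids)]

def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes = b"") -> bytes:
    """Constructed test frame with the given stack (outermost first); S-tag used outermost."""
    hdr = dst + src
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (i == 0 and len(vids) > 1) else TPID_8021Q
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

if __name__ == "__main__":
    cisco, mikrotik = bytes.fromhex("001122334455"), bytes.fromhex("0066778899aa")  # constructed MACs
    sent = build_frame(cisco, mikrotik, [1330, 100], 0x0800, bytes(20))            # scenario b)
    mirrored = build_frame(cisco, mikrotik, [4095, 1330, 100], 0x0800, bytes(20))  # scenario a)
    print("router sent:", parse_vlan_stack(sent)[2], "mirror saw:", parse_vlan_stack(mirrored)[2])
    print("pushed by the switch:", tags_added_in_transit(sent, mirrored))
```

Feeding it the raw bytes of one frame from each capture (for example exported from Wireshark) shows directly whether the extra tag sits outside the 1330/100 stack the Cisco emitted or whether the inner stack itself was changed.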

 

QinQ is used in switches; I have never seen it used in a router. The idea is to keep the VLAN tag and add a new VLAN tag; the router removes the tag completely when it receives the frame.

MHM

Some advanced routers like the ASR1k or ASR9k support VLAN rewrite in service instances; the idea there is to push or pop VLAN tags, and you can push or remove one or more tags. But this is not QinQ as found in switches.

MHM
