802.1Q Tunneling (Q-in-Q)

Q&Q Tunnelling

I am trying to set up Dot1q tunnelling between an “A” end and a “B” end over a Vodafone NTE.
Both A and B ends are Cisco Catalyst 3750s.

Here is the configuration for the A end side.

interface FastEthernet0/24
 description trunk to Vodafone NTE
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 400,2000-2003
 switchport mode trunk
 switchport nonegotiate

interface Vlan2000
 description Customer 1
 ip address 123.123.123.0 255.255.255.254

interface Vlan2001
 description Customer 2
 ip address 123.123.123.6 255.255.255.254

interface Vlan2002
 description Customer 3
 ip address 123.123.123.4 255.255.255.254

interface Vlan2003
 description Customer 4
 ip address 123.123.123.2 255.255.255.254

So everything is currently trunked to the Vodafone NTE.

Here is the configuration for the B end side.

interface GigabitEthernet1/0/1
 description Customer 1
 ip address 123.123.123.1 255.255.255.254

interface GigabitEthernet1/0/2
 description Customer 2
 ip address 123.123.123.7 255.255.255.254

interface GigabitEthernet1/0/3
 description Customer 3
 ip address 123.123.123.5 255.255.255.254

interface GigabitEthernet1/0/4
 description Customer 4
 ip address 123.123.123.3 255.255.255.254


LAB Vodafone NTE

interface FastEthernet0/1
 description Customer 1
 switchport access vlan 2000
 switchport mode access

interface FastEthernet0/2
 description Customer 2
 switchport access vlan 2001
 switchport mode access

interface FastEthernet0/3
 description Customer 3
 switchport access vlan 2002
 switchport mode access

interface FastEthernet0/4
 description Customer 4
 switchport access vlan 2003
 switchport mode access

So at the moment I have 3 switches. The A end is trunked to the Vodafone NTE.
The B end is connected to the NTE with 4 access ports, one per customer.
 
I basically want to have a layer 2 tunnel over the NTE. I have found configurations but none which match this setup.

I know the following needs to be applied

switchport mode dot1q-tunnel
vlan dot1q tag native

But not sure how this sits with my setup.

Any assistance would be greatly appreciated.
brasso_42 Asked:

Daniel Sheppard, Senior Network Analyst - Core & Perimeter, Commented:
First off, bear in mind that I have not done any Q-in-Q yet, however I believe you do the following:

On your "lab" switch, you would set your dot1q-tunnel on all customer access ports.
On the customer switch, you would trunk any ports going to Vodafone.




I am assuming you are a third party and are trying to enable a VPLS-like service? Basically, Vodafone itself has to provide the Q-in-Q tunnel in *most* circumstances. Unless I am completely misreading what you are trying to do here.

Just to confirm:
- "A" is at site 1
- "B" is at site 2
- "NTE" is at the "Service Provider" (Lab)
- You want to trunk VLANs from site 1 to site 2 over NTE


If that is correct, you would want:

"A"
(1) Trunk to Vodafone with all VLANs tagged
(4) Access Ports for your customers

"B"
(1) Trunk to Vodafone with all VLANs tagged
(4) Access Ports for your customers

"LAB" (Vodafone)
(2) Dot1Q Tunnels with "switchport access vlan <your SP assigned VLAN>"




If you want to deploy this in real life, you will unfortunately not be able to. Vodafone would have to initiate the dot1q-tunnel on their end as they take the VLAN tags, preserve them, and add their own tag in front.
0
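The tag handling described in the answer above (a tunnel port keeps the customer's VLAN tag and adds the provider's tag in front of it), as an added example that is not part of the original thread. The MAC addresses, payload, customer VLAN 200 and provider VLAN 2000 are constructed sample values, and the function names are hypothetical.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q tag (customer tag, C-tag)
TPID_8021AD = 0x88A8  # 802.1ad service tag (S-tag)
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)

# Constructed sample values (locally administered MACs, zero-filled payload).
DST = bytes.fromhex("02000000000b")
SRC = bytes.fromhex("02000000000a")
PAYLOAD = bytes(46)

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet frame, optionally carrying one 802.1Q tag."""
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def push_tag(frame, vlan, tpid=TPID_8021Q):
    """Tunnel-port ingress: insert an outer tag after the MACs, keep the rest."""
    return frame[:12] + struct.pack("!HH", tpid, vlan & 0x0FFF) + frame[12:]

def pop_tag(frame):
    """Tunnel-port egress: strip only the outermost tag."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid not in TAG_TPIDS:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]

def vlan_stack(frame):
    """Return ([VLAN IDs, outermost first], final EtherType)."""
    vlans, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack("!H", frame[off:off + 2])
        if etype not in TAG_TPIDS:
            return vlans, etype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        off += 4

def demo():
    customer = build_frame(DST, SRC, 0x0800, PAYLOAD, vlan=200)  # from the trunk
    tunnelled = push_tag(customer, 2000)                         # provider side
    return {"customer": vlan_stack(customer)[0],
            "in_provider": vlan_stack(tunnelled)[0],
            "extra_bytes": len(tunnelled) - len(customer),
            "restored": pop_tag(tunnelled) == customer}

if __name__ == "__main__":
    print(demo())
```

Each pushed tag adds 4 bytes to the frame, so every link between the two tunnel ports has to accept frames that much larger than the customer's.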
LukeMo Commented:
I'd avoid use of subnet zero (255.255.255.254 mask) until you have your vlan trunking resolved.
0
brasso_42 (Author) Commented:
Hi Daniel,

Thanks for the prompt response.

I can confirm the A end is the hub site where we terminate all our customers' connectivity. In most cases customers have a vlan at the A end and are RAW at the B end. In this case we have one customer who requires connectivity to private services on vlan 200, so I need to provide 2 vlans: 1 for public internet and one for private connectivity. The carrier does not support dot1q trunking, so I need to implement q in q for this one customer.

I hope this clarifies the configuration requirement.
0

Daniel Sheppard, Senior Network Analyst - Core & Perimeter, Commented:
I don't believe you will be able to achieve what you need.

One of the requirements is that q-in-q is supported end to end.

You might be able to encapsulate your packets using a l2oip technology, however that will add overhead to each packet and require more packet fragmentation.

Edit: Further clarification, if you send a Q-in-Q tunnel over an access link (which is what you would have to do to send to Vodafone), Vodafone would only see your vlans and would think that you are sending a vlan trunk to their access port. Nothing would get through most likely.
0
LukeMo Commented:
Are VPNs or GRE tunnels not an option?
0
Daniel Sheppard, Senior Network Analyst - Core & Perimeter, Commented:
A VPN would be an option, however you would need to segregate every customer to a specific VPN, otherwise you would have all routes available to all customers.

Since it is Cisco, I would recommend using VRF for the segregation.
0
Daniel Sheppard, Senior Network Analyst - Core & Perimeter, Commented:
The reason I didn't mention VPNs was he did not ask about VPNs. He specifically asked about Q-in-Q.
0