802.1Q Tunneling (Q-in-Q)

Q&Q Tunnelling

I am trying to set up Dot1q tunnelling between an “A” end and a “B” end over a Vodafone NTE.
Both A and B ends are Cisco Catalyst 3750s.

Here is the configuration for the A end side.

interface FastEthernet0/24
 description trunk to Vodafone NTE
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 400,2000-2003
 switchport mode trunk
 switchport nonegotiate

interface Vlan2000
 description Customer 1
 ip address 123.123.123.0 255.255.255.254

interface Vlan2001
 description Customer 2
 ip address 123.123.123.6 255.255.255.254

interface Vlan2002
 description Customer 3
 ip address 123.123.123.4 255.255.255.254

interface Vlan2003
 description Customer 4
 ip address 123.123.123.2 255.255.255.254

So everything is currently trunked to the Vodafone NTE.

Here is the configuration for the B end side.

interface GigabitEthernet1/0/1
 description Customer 1
 ip address 123.123.123.1 255.255.255.254

interface GigabitEthernet1/0/2
 description Customer 2
 ip address 123.123.123.7 255.255.255.254

interface GigabitEthernet1/0/3
 description Customer 3
 ip address 123.123.123.5 255.255.255.254

interface GigabitEthernet1/0/4
 description Customer 4
 ip address 123.123.123.3 255.255.255.254


LAB Vodafone NTE

interface FastEthernet0/1
 description Customer 1
 switchport access vlan 2000
 switchport mode access

interface FastEthernet0/2
 description Customer 2
 switchport access vlan 2001
 switchport mode access

interface FastEthernet0/3
 description Customer 3
 switchport access vlan 2002
 switchport mode access

interface FastEthernet0/4
 description Customer 4
 switchport access vlan 2003
 switchport mode access

So at the moment I have 3 switches. The A end is trunked to the Vodafone NTE.
The B end is connected to the NTE with 4 access ports, one per customer.
 
I basically want to have a layer 2 tunnel over the NTE. I have found configurations but none which match this setup.

I know the following needs to be applied

switchport mode dot1q-tunnel
vlan dot1q tag native

But not sure how this sits with my setup.

Any assistance would be greatly appreciated.
brasso_42 Asked:
 
Daniel Sheppard (Network Administrator/Engineer/Architect) Commented:
I don't believe you will be able to achieve what you need.

One of the requirements is that q-in-q is supported end to end.

You might be able to encapsulate your packets using a l2oip technology, however that will add overhead to each packet and require more packet fragmentation.

Edit: Further clarification, if you send a Q-in-Q tunnel over an access link (which is what you would have to do to send to Vodafone), Vodafone would only see your VLANs and would think that you are sending a VLAN trunk to their access port. Nothing would get through most likely.
0
 
Daniel Sheppard (Network Administrator/Engineer/Architect) Commented:
First off, bear in mind that I have not done any Q-in-Q yet, however I believe you do the following:

On your "lab" switch, you would set your dot1q-tunnel on all customer access ports.
On the customer switch, you would trunk any ports going to Vodafone.




I am assuming you are a third party and are trying to enable a VPLS-like service? Basically, Vodafone itself has to provide the Q-in-Q tunnel in *most* circumstances. Unless I am completely misreading what you are trying to do here.

Just to confirm:
- "A" is at site 1
- "B" is at site 2
- "NTE" is at the "Service Provider" (Lab)
- You want to trunk VLANs from site 1 to site 2 over NTE


If that is correct, you would want:

"A"
(1) Trunk to Vodafone with all VLANs tagged
(4) Access Ports for your customers

"B"
(1) Trunk to Vodafone with all VLANs tagged
(4) Access Ports for your customers

"LAB" (Vodafone)
(2) Dot1Q Tunnels with "switchport access vlan <your SP assigned VLAN>"




If you want to deploy this in real life, you will unfortunately not be able to. Vodafone would have to initiate the dot1q-tunnel on their end as they take the VLAN's tags, preserve them, and add their own tag in front.
0
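The lab layout outlined in the comment above, written out as Catalyst 3750 configuration. This is an added example, not part of any post in the thread; provider VLAN 100, the LAB switch port numbers and the B-end uplink port are assumed values.

```cisco
! ---- LAB switch (stands in for the provider NTE) ----
! VLAN 100 is an assumed "SP assigned" VLAN used as the outer tag.
vlan 100
 name QINQ-CUSTOMER
!
! The outer tag adds 4 bytes per frame. Raising the system MTU lets
! full-size customer frames cross provider trunks; needs a reload.
system mtu 1504
!
! Tag the native VLAN on provider trunks so untagged customer traffic
! is never confused with the provider VLAN.
vlan dot1q tag native
!
! Tunnel port facing the A-end trunk (port number assumed).
interface FastEthernet0/1
 description Q-in-Q tunnel port to A end
 switchport access vlan 100
 switchport mode dot1q-tunnel
!
! Tunnel port facing the B-end trunk (port number assumed).
interface FastEthernet0/2
 description Q-in-Q tunnel port to B end
 switchport access vlan 100
 switchport mode dot1q-tunnel
!
! ---- A end: ordinary 802.1Q trunk, customer VLANs stay tagged ----
interface FastEthernet0/24
 description trunk to Vodafone NTE
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 400,2000-2003
 switchport mode trunk
 switchport nonegotiate
!
! ---- B end: matching trunk (uplink port number assumed) ----
interface GigabitEthernet1/0/24
 description trunk to Vodafone NTE
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 400,2000-2003
 switchport mode trunk
 switchport nonegotiate
```

On the LAB switch, `show dot1q-tunnel` lists the ports in tunnel mode and `show vlan dot1q tag native` confirms native VLAN tagging.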
 
LukeMo Commented:
I'd avoid use of subnet zero (255.255.255.254 mask) until you have your vlan trunking resolved.
0

 
brasso_42 (Author) Commented:
Hi Daniel,

Thanks for the prompt response.

I can confirm A end is the hub site where we terminate all our customers' connectivity. In most cases customers have a VLAN at the A end and are RAW at the B end. In this case we have one customer who requires connectivity to private services on VLAN 200, so I need to provide 2 VLANs: 1 for public internet and one for private connectivity. The carrier does not support dot1q trunking so I need to implement Q-in-Q for this one customer.

I hope this clarifies the configuration requirement.
0
 
LukeMo Commented:
Are VPNs or GRE tunnels not an option?
0
 
Daniel Sheppard (Network Administrator/Engineer/Architect) Commented:
A VPN would be an option, however you would need to segregate every customer to a specific VPN otherwise you would have all routes available to all customers.

Since it is Cisco, I would recommend using VRF for the segregation
0
 
Daniel Sheppard (Network Administrator/Engineer/Architect) Commented:
The reason I didn't mention VPNs was he did not ask about VPNs.  He specifically asked about Q-in-Q
0