[c-nsp] Problematic Q-in-Q

Chris Knipe savage at savage.za.org
Thu Nov 10 06:27:27 EST 2011


Hi All,

Image for reference sake: http://www.savage.za.org/QinQ.png

We are currently working on a large scale overhaul of our production
network, mainly consisting of 6500, 3750, and 3825 series Ciscos.

Our provider will be providing us with Layer II interconnects between
two separate data center locations, as well as provisioning internet
services on these Layer II trunks.  I'm a bit baffled as to how to
piece this together after spending about 3 days trying to figure out
the inner workings of QinQ...

What we are getting:
DC1 Location - Layer II Trunk Interface
  VLAN100 - Internet Services (Layer III connectivity)
  VLAN101 - Layer II Interconnect to Site A
  VLAN102 - Layer II Interconnect to Site B
  VLAN103 - Layer II Interconnect to DC2 (QinQ required)
DC2 Location - Layer II Trunk Interface
  VLAN103 - Layer II Interconnect to DC1 (QinQ required)

Now, up to here everything is fine.  I have a trunk port configured in
either DC location, and simply allow VLAN100-103 to pass through the
trunk to my provider.  As for VLAN101-102, it remains easy, I assign
an IP on either side and I should, in theory, happily be able to
communicate.

The problem comes in with the Interconnect between DC01 and DC02.  We
require to extend our internal VLANs (10-30 in the diagram per
example) across the different data centers.  This will include cdp,
vtp, spanning-tree, etc.  From my understanding, QinQ should be able
to accommodate this, but I am not sure about the configurations.

Most configurations for QinQ that I've seen so far seem to indicate
that your private vlans are encapsulated into another vlan associated
with an access port - this is where I am running into issues.

I need to encapsulate as follows:
VLAN10
VLAN20 -> VLAN103 -> Provider Trunk
VLAN30

Is this really as complicated as I am making it sound, or am I just
missing something obvious?  I am not understanding how VLAN100-103 can
be used on the trunk port, whilst only encapsulating VLAN10-30 inside
VLAN103, and not inside the entire trunk.  As the three VLANs
provisioned by the provider are completely different services and go
to completely different locations - it's imperative that the correct
vlans are encapsulated into the correct provider vlans.

I would -really- appreciate it if someone can perhaps give me a basic
rundown of configurations to achieve this, as I am completely lost at
this stage.

Am I right in presuming:
Int gi1/0
  switchport mode trunk
  switchport trunk allowed vlan 100-103

Int gi1/1
  switchport mode access
  switchport access vlan 100

Int gi1/2
  switchport mode access
  switchport access vlan 101

Int gi1/3
  switchport mode access
  switchport access vlan 102

Int gi1/4
  switchport mode dot1q-tunnel
  switchport access vlan 10

Int gi1/5
  switchport mode dot1q-tunnel
  switchport access vlan 20

Int gi1/6
  switchport mode dot1q-tunnel
  switchport access vlan 30

Now what.. How do I get vlans 10-30 to be encapsulated inside vlan103
specifically?  Documentation suggests Int gi1/0 (trunk port) to be
configured as follows:
Int gi1/0
  switchport mode trunk
  switchport trunk allowed vlan 10,30-100-103

But how does this ensure that vlans 10-30 are encapsulated inside vlan 103 only?

Many thanks,
Chris.
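
The encapsulation asked about above (customer VLANs 10, 20 and 30 carried inside provider VLAN 103), modelled at the frame level as an added example that is not part of the original post and is not switch configuration. The function names, the sample frame and the choice of 0x8100 as the outer TPID are assumptions made for illustration.

```python
import struct

# TPIDs that introduce a VLAN tag: 0x8100 (802.1Q) and 0x88A8 (802.1ad S-tag).
VLAN_TPIDS = {0x8100, 0x88A8}

def push_tag(frame: bytes, vid: int, tpid: int = 0x8100, pcp: int = 0) -> bytes:
    """Insert a VLAN tag right after the 12 bytes of destination/source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | vid          # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]

def tag_stack(frame: bytes) -> list[int]:
    """Return the VLAN IDs found in the frame, outermost first."""
    vids, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in VLAN_TPIDS:
            break                    # reached the real EtherType
        vids.append(tci & 0x0FFF)
        off += 4
    return vids

def tunnel(frame: bytes, outer_vid: int, allowed_inner: set[int]) -> bytes:
    """Push the provider tag only onto single-tagged frames in a permitted VLAN."""
    stack = tag_stack(frame)
    if len(stack) != 1 or stack[0] not in allowed_inner:
        raise ValueError(f"refusing to tunnel frame with tag stack {stack}")
    return push_tag(frame, outer_vid)

# Constructed sample: broadcast destination, locally administered source,
# IPv4 EtherType, zero-filled payload. Hypothetical, not captured traffic.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x00" * 46

def demo() -> dict[int, list[int]]:
    """Tag a frame in each internal VLAN, then tunnel it inside VLAN 103."""
    out = {}
    for inner in (10, 20, 30):
        customer = push_tag(UNTAGGED, inner)
        out[inner] = tag_stack(tunnel(customer, 103, {10, 20, 30}))
    return out

if __name__ == "__main__":
    for inner, stack in demo().items():
        print(f"customer VLAN {inner}: tags on provider trunk = {stack}")
```

On the provider trunk every tunnelled frame carries 103 as its outer tag with the internal VLAN ID preserved underneath, while a frame tagged for any VLAN outside the permitted set is rejected rather than placed in the tunnel.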

