From bryan at shout.net Fri May 10 12:19:27 2024
From: bryan at shout.net (Bryan Holloway)
Date: Fri, 10 May 2024 18:19:27 +0200
Subject: [a-nsp] Terminating a Q-in-Q L3 interface?
Message-ID: <2a5f305d-6d57-495a-8508-20a0d24863a4@shout.net>

So in Cisco (IOSXR)-land, it's trivial to terminate double-tagged
traffic on an SVI like so:

interface Bundle-Ether3.900
  ipv4 address 10.11.12.13 255.255.255.252
  encapsulation dot1q 900 second-dot1q 100

... where 900 is the outer-tag, and 100 is the inner-tag.

I've been trying to figure out a way to do this on Arista.

Since there's no built-in way to do it on standard SVIs, I thought I'd
take a look at their double-tag VLAN translation feature, which looks
like it'll do the trick.

So I created the following:

interface Ethernet49/1
    switchport trunk allowed vlan 900
    switchport mode trunk
    switchport vlan translation 900 inner 100 200

... which purports to dump double-tagged 900:100 traffic into the VLAN
200 bridge domain.

To wit:

"On ingress, specified double-tagged packets are mapped to the bridging
VLAN, and on egress packets with the ID of the bridging VLAN are double
tagged as specified."

So I created VLAN 200 and an SVI:

interface Vlan200
    ip address 10.11.12.14/30

But it doesn't work. Notably, the SVI doesn't even come up because there
are no interfaces using VLAN 200.

Fine ... so I added 200 to another unrelated trunk, which caused my
VLAN200 interface to come up.

But still no joy. I know this is a bit kludge-y, but shouldn't it work
as advertised?

Has anyone succeeded in something like this? I'm open to suggestions,
thank you!

                - bryan

P.S.: Running 4.25.4M on the Arista, which is admittedly a little long
in the tooth.

From Tyler at tgconrad.com Fri May 10 12:31:10 2024
From: Tyler at tgconrad.com (Tyler Conrad)
Date: Fri, 10 May 2024 09:31:10 -0700
Subject: [a-nsp] Terminating a Q-in-Q L3 interface?
In-Reply-To: <2a5f305d-6d57-495a-8508-20a0d24863a4@shout.net>
References: <2a5f305d-6d57-495a-8508-20a0d24863a4@shout.net>
Message-ID:

Hey Bryan,

Have you already looked through the flexencap TOI?

https://www.arista.com/en/support/toi/eos-4-24-2f/14551-flexible-interface-encapsulation-flexencap

On Fri, May 10, 2024 at 09:19 Bryan Holloway via arista-nsp
<arista-nsp at puck.nether.net> wrote:

> So in Cisco (IOSXR)-land, it's trivial to terminate double-tagged
> traffic on an SVI like so:
>
> interface Bundle-Ether3.900
>   ipv4 address 10.11.12.13 255.255.255.252
>   encapsulation dot1q 900 second-dot1q 100
>
> ... where 900 is the outer-tag, and 100 is the inner-tag.
>
> I've been trying to figure out a way to do this on Arista.
>
> Since there's no built-in way to do it on standard SVIs, I thought I'd
> take a look at their double-tag VLAN translation feature, which looks
> like it'll do the trick.
>
> So I created the following:
>
> interface Ethernet49/1
>     switchport trunk allowed vlan 900
>     switchport mode trunk
>     switchport vlan translation 900 inner 100 200
>
> ... which purports to dump double-tagged 900:100 traffic into the VLAN
> 200 bridge domain.
>
> To wit:
>
> "On ingress, specified double-tagged packets are mapped to the bridging
> VLAN, and on egress packets with the ID of the bridging VLAN are double
> tagged as specified."
>
> So I created VLAN 200 and an SVI:
>
> interface Vlan200
>     ip address 10.11.12.14/30
>
> But it doesn't work. Notably, the SVI doesn't even come up because there
> are no interfaces using VLAN 200.
>
> Fine ... so I added 200 to another unrelated trunk, which caused my
> VLAN200 interface to come up.
>
> But still no joy. I know this is a bit kludge-y, but shouldn't it work
> as advertised?
>
> Has anyone succeeded in something like this? I'm open to suggestions,
> thank you!
>
>                 - bryan
>
> P.S.: Running 4.25.4M on the Arista, which is admittedly a little long
> in the tooth.
> --
> arista-nsp mailing list
> arista-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/arista-nsp

From bryan at shout.net Fri May 10 12:51:14 2024
From: bryan at shout.net (Bryan Holloway)
Date: Fri, 10 May 2024 18:51:14 +0200
Subject: [a-nsp] Terminating a Q-in-Q L3 interface?
In-Reply-To:
References: <2a5f305d-6d57-495a-8508-20a0d24863a4@shout.net>
Message-ID: <98a0750b-2719-4a00-b560-904c2a2ee513@shout.net>

Interesting. Lemme dig into that. Thank you, Tyler!

On 5/10/24 18:31, Tyler Conrad wrote:
> Hey Bryan,
>
> Have you already looked through the flexencap TOI?
>
> https://www.arista.com/en/support/toi/eos-4-24-2f/14551-flexible-interface-encapsulation-flexencap
>
>
> On Fri, May 10, 2024 at 09:19 Bryan Holloway via arista-nsp wrote:
>
>     So in Cisco (IOSXR)-land, it's trivial to terminate double-tagged
>     traffic on an SVI like so:
>
>     interface Bundle-Ether3.900
>       ipv4 address 10.11.12.13 255.255.255.252
>       encapsulation dot1q 900 second-dot1q 100
>
>     ... where 900 is the outer-tag, and 100 is the inner-tag.
>
>     I've been trying to figure out a way to do this on Arista.
>
>     Since there's no built-in way to do it on standard SVIs, I thought I'd
>     take a look at their double-tag VLAN translation feature, which looks
>     like it'll do the trick.
>
>     So I created the following:
>
>     interface Ethernet49/1
>         switchport trunk allowed vlan 900
>         switchport mode trunk
>         switchport vlan translation 900 inner 100 200
>
>     ... which purports to dump double-tagged 900:100 traffic into the VLAN
>     200 bridge domain.
>
>     To wit:
>
>     "On ingress, specified double-tagged packets are mapped to the bridging
>     VLAN, and on egress packets with the ID of the bridging VLAN are double
>     tagged as specified."
>
>     So I created VLAN 200 and an SVI:
>
>     interface Vlan200
>         ip address 10.11.12.14/30
>
>     But it doesn't work. Notably, the SVI doesn't even come up because there
>     are no interfaces using VLAN 200.
>
>     Fine ... so I added 200 to another unrelated trunk, which caused my
>     VLAN200 interface to come up.
>
>     But still no joy. I know this is a bit kludge-y, but shouldn't it work
>     as advertised?
>
>     Has anyone succeeded in something like this? I'm open to suggestions,
>     thank you!
>
>                     - bryan
>
>     P.S.: Running 4.25.4M on the Arista, which is admittedly a little long
>     in the tooth.

From bryan at shout.net Fri May 10 13:31:09 2024
From: bryan at shout.net (Bryan Holloway)
Date: Fri, 10 May 2024 19:31:09 +0200
Subject: [a-nsp] Terminating a Q-in-Q L3 interface?
In-Reply-To: <98a0750b-2719-4a00-b560-904c2a2ee513@shout.net>
References: <2a5f305d-6d57-495a-8508-20a0d24863a4@shout.net> <98a0750b-2719-4a00-b560-904c2a2ee513@shout.net>
Message-ID:

Well, that was easy. Can we just delete this thread? :)

On 5/10/24 18:51, Bryan Holloway via arista-nsp wrote:
> Interesting. Lemme dig into that. Thank you, Tyler!
>
>
> On 5/10/24 18:31, Tyler Conrad wrote:
>> Hey Bryan,
>>
>> Have you already looked through the flexencap TOI?
>>
>> https://www.arista.com/en/support/toi/eos-4-24-2f/14551-flexible-interface-encapsulation-flexencap
>>
>>
>> On Fri, May 10, 2024 at 09:19 Bryan Holloway via arista-nsp wrote:
>>
>>     So in Cisco (IOSXR)-land, it's trivial to terminate double-tagged
>>     traffic on an SVI like so:
>>
>>     interface Bundle-Ether3.900
>>       ipv4 address 10.11.12.13 255.255.255.252
>>       encapsulation dot1q 900 second-dot1q 100
>>
>>     ... where 900 is the outer-tag, and 100 is the inner-tag.
>>
>>     I've been trying to figure out a way to do this on Arista.
>>
>>     Since there's no built-in way to do it on standard SVIs, I thought I'd
>>     take a look at their double-tag VLAN translation feature, which looks
>>     like it'll do the trick.
>>
>>     So I created the following:
>>
>>     interface Ethernet49/1
>>         switchport trunk allowed vlan 900
>>         switchport mode trunk
>>         switchport vlan translation 900 inner 100 200
>>
>>     ... which purports to dump double-tagged 900:100 traffic into the VLAN
>>     200 bridge domain.
>>
>>     To wit:
>>
>>     "On ingress, specified double-tagged packets are mapped to the bridging
>>     VLAN, and on egress packets with the ID of the bridging VLAN are double
>>     tagged as specified."
>>
>>     So I created VLAN 200 and an SVI:
>>
>>     interface Vlan200
>>         ip address 10.11.12.14/30
>>
>>     But it doesn't work. Notably, the SVI doesn't even come up because there
>>     are no interfaces using VLAN 200.
>>
>>     Fine ... so I added 200 to another unrelated trunk, which caused my
>>     VLAN200 interface to come up.
>>
>>     But still no joy. I know this is a bit kludge-y, but shouldn't it work
>>     as advertised?
>>
>>     Has anyone succeeded in something like this? I'm open to suggestions,
>>     thank you!
>>
>>                     - bryan
>>
>>     P.S.: Running 4.25.4M on the Arista, which is admittedly a little long
>>     in the tooth.
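
Added example, not part of the thread and not Arista's code: a Python model of the double-tag VLAN translation behaviour quoted in the first message, where an ingress 900:100 tag stack maps to bridging VLAN 200 and an egress frame in VLAN 200 is re-tagged 900:100. The MAC addresses, payload and function names are constructed for illustration; the parser accepts both 0x8100 and 0x88A8 as tag TPIDs, which goes slightly beyond the single case in the thread.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag TPIDs
# Assumption: table mirrors "switchport vlan translation 900 inner 100 200"
TRANSLATION = {(900, 100): 200}  # (outer, inner) -> bridging VLAN
DST, SRC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
PAYLOAD = b"\x45" + b"\x00" * 19  # constructed stand-in for an IPv4 header


def parse_tags(frame):
    """Return (VLAN IDs outermost first, offset of the payload ethertype)."""
    vids, off = [], 12  # skip destination and source MAC
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        off += 4
    return vids, off


def build_frame(vids, ethertype=0x0800, payload=PAYLOAD, outer_tpid=0x8100):
    """Build a constructed Ethernet frame with the given tag stack."""
    tags = b""
    for i, vid in enumerate(vids):
        tpid = outer_tpid if i == 0 else 0x8100
        tags += struct.pack("!HH", tpid, vid)
    return DST + SRC + tags + struct.pack("!H", ethertype) + payload


def ingress(frame):
    """Bridging VLAN for a double-tagged frame, or None when no rule matches."""
    vids, _ = parse_tags(frame)
    return TRANSLATION.get(tuple(vids)) if len(vids) == 2 else None


def egress(frame, bridging_vlan):
    """Replace the frame's tags with the (outer, inner) pair for bridging_vlan."""
    pair = next((k for k, v in TRANSLATION.items() if v == bridging_vlan), None)
    if pair is None:
        return None  # VLAN has no translation rule, so nothing to double-tag
    _, off = parse_tags(frame)
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in pair)
    return frame[:12] + tags + frame[off:]


if __name__ == "__main__":
    print(ingress(build_frame([900, 100])))  # matching 900:100 stack
    print(ingress(build_frame([900])))       # single tag, no rule applies
    print(parse_tags(egress(build_frame([200]), 200))[0])
```

Running parse_tags over frames taken from a capture on the trunk shows whether the traffic really arrives with the 900:100 stack the translation rule expects.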