Ambassador Insights
paulclarke , Regular Visitor
Configuring Q-in-Q Tunneling (ELS)
Dec 27, 2018


 

In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service provider's VLAN, a customer-specific 802.1Q tag is added to the packet. This additional tag is used to segregate traffic into service-provider-defined service VLANs (S-VLANs). The original customer 802.1Q tag of the packet remains and is transmitted transparently, passing through the service provider's network. As the packet leaves the S-VLAN in the downstream direction, the extra 802.1Q tag is removed.

 

Having not configured Q-in-Q for 5 years and the last time being on an old EX4200 I was somewhat surprised to learn the command line had changed – a lot.  The evolution of JUNOS and the introduction of ELS (Enhanced Layer 2 Software) meant my old configuration notes were no longer valid.

 

So I set about building a lab to test this solution.  My topology is two EX4600s simulating inter-data center connectivity, with a single EX4300 downstream of each EX4600 and an SRX in each data center, allowing me to test connectivity (ping) between the locations traversing the Q-in-Q configuration.

 

The best part of my job is testing solutions and configurations in the lab.  I like doing the hard work in a lab environment where there is no pressure.  It’s a great place to learn and to get a full understanding of what you are doing.  And I always like to test any network configuration thoroughly.

 


 Figure 1.1 Lab Topology

 

There is nothing unusual about the configuration of the CE routers or the EX4300s.  I’m simply trunking VLANs from the router to the EX4300s, and the EX4300s trunk VLANs towards the EX4600s.  That’s standard configuration.

 

For completeness, the configuration of the EX4300s and the SRX is shared below:

 

----- EX4300 Configuration -----

EX4300-A# show interfaces ge-0/0/0
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members VLAN108;
        }
        storm-control default;
    }
}

EX4300-A# show interfaces ge-0/2/0
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members VLAN108;
        }
        storm-control default;
    }
}

EX4300-A# show vlans
VLAN108 {
    vlan-id 108;
}

 

----- SRX CE Router Configuration -----

CE-A# show interfaces ge-0/0/0
vlan-tagging;
unit 108 {
    vlan-id 108;
    family inet {
        address 192.168.1.1/30;
    }
}

 

I’ve chosen to configure Q-in-Q tunneling using the all-in-one bundling method, which forwards all packets that ingress on a C-VLAN interface to an S-VLAN. (Packets are forwarded to the S-VLAN regardless of whether they are tagged or untagged prior to ingress.) Using this approach saves you the effort of specifying a specific mapping for each C-VLAN.

 

----- EX4600 inter Data Center configuration -----

EX4600-A# show interfaces ge-0/0/0
flexible-vlan-tagging;
encapsulation extended-vlan-bridge;
ether-options {
    ethernet-switch-profile {
        tag-protocol-id 0x8100;
    }
}
unit 95 {
    vlan-id 95;
}

 

So, what is the relevance of VLAN 95 and the other configuration items?  Well, let’s break it down item by item.

 

flexible-vlan-tagging

Support simultaneous transmission of 802.1Q VLAN single-tag and dual-tag frames on logical interfaces on the same Ethernet port, and on pseudowire logical interfaces.

 

encapsulation extended-vlan-bridge

Use extended VLAN bridge encapsulation on Ethernet interfaces that have IEEE 802.1Q VLAN tagging and bridging enabled and that must accept packets carrying TPID 0x8100 or a user-defined TPID.

 

ether-options {
    ethernet-switch-profile {
        tag-protocol-id 0x8100;
    }
}

 

Tag protocol identifier (TPID) is a 16-bit field set to a value of 0x8100 in order to identify the frame as an IEEE 802.1Q-tagged frame. This field is located at the same position as the EtherType field in untagged frames, and is thus used to distinguish the frame from untagged frames.

 

VLAN 95 is configured to forward all packets that ingress on a C-VLAN interface to an S-VLAN. (Packets are forwarded to the S-VLAN regardless of whether they are tagged or untagged prior to ingress.) Using this approach saves you the effort of specifying a specific mapping for each C-VLAN.

 

EX4600-A# show vlans
VLAN95 {
    interface ge-0/0/0.95;
    interface ge-0/0/1.95;
}

 

Note: Do not include the vlan-id in the vlan configuration, otherwise the configuration will not commit.

 

Now for the EX4600 interface facing the EX4300.  Again, let’s break it down item by item.

 

----- EX4600 downstream access switch configuration -----

EX4600-A# show interfaces ge-0/0/1
flexible-vlan-tagging;
native-vlan-id 150;
encapsulation extended-vlan-bridge;
unit 95 {
    vlan-id-list 100-200;
    input-vlan-map push;
    output-vlan-map pop;
}

 

flexible-vlan-tagging

Support simultaneous transmission of 802.1Q VLAN single-tag and dual-tag frames on logical interfaces on the same Ethernet port, and on pseudowire logical interfaces.

 

native-vlan-id 150; 

When the native-vlan-id statement is included with the flexible-vlan-tagging statement, untagged packets are accepted on the same mixed VLAN-tagged port and on the interfaces that are configured for Q-in-Q tunneling.

 

encapsulation extended-vlan-bridge

Use extended VLAN bridge encapsulation on Ethernet interfaces that have IEEE 802.1Q VLAN tagging and bridging enabled and that must accept packets carrying TPID 0x8100 or a user-defined TPID.

 

unit 95 {
    vlan-id-list 100-200;
    input-vlan-map push;
    output-vlan-map pop;
}

 

vlan-id-list

Specify a VLAN identifier list to use for a bridge domain or VLAN in trunk mode.

 

input-vlan-map push

Specify the VLAN rewrite operation to add a new VLAN tag to the top of the VLAN stack. An outer VLAN tag is pushed in front of the existing VLAN tag.

 

output-vlan-map pop

Specify the VLAN rewrite operation to remove a VLAN tag from the top of the VLAN tag stack. The outer VLAN tag of the frame is removed.

 

This solution is really neat because it means my customer can add VLANs as they please (within the specified range) and I don’t need to make any changes on the EX4600 data center switches.

 

The configuration makes interface ge-0/0/1.95 a member of S-VLAN VLAN95, enables Q-in-Q tunneling, maps packets from C-VLANs 100 through 200 to S-VLAN 95, and enables ge-0/0/1 to accept untagged packets. If a packet originates in C-VLAN 108 and needs to be sent across the S-VLAN, a tag with VLAN ID 95 is added to the packet. When a packet is forwarded (internally) from the S-VLAN interface to interface ge-0/0/1, the tag with VLAN ID 95 is removed.
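The push and pop described above, worked through on a constructed frame. This is an added Python example, not part of the original post or of Junos; the MAC addresses, payload and function names are made up for illustration, it assumes a frame whose C-VLAN is outside 100-200 simply does not match unit 95, and untagged (native-vlan-id) handling is not modelled.

```python
import struct

TPID = 0x8100                   # tag-protocol-id from the EX4600 configuration
S_VLAN = 95                     # unit 95 / VLAN95
C_VLAN_LIST = range(100, 201)   # vlan-id-list 100-200


def parse_tags(frame):
    """Return ([VLAN IDs, outermost first], EtherType of the payload)."""
    vids, off = [], 12                        # skip destination and source MAC
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype == TPID:
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)             # low 12 bits of the TCI = VLAN ID
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    return vids, etype


def push_s_tag(frame):
    """input-vlan-map push: add the S-VLAN tag in front of the C-VLAN tag."""
    vids, _ = parse_tags(frame)
    if not vids or vids[0] not in C_VLAN_LIST:
        return None                           # assumption: no match on unit 95
    s_tag = struct.pack("!HH", TPID, S_VLAN)  # priority bits left at 0
    return frame[:12] + s_tag + frame[12:]


def pop_s_tag(frame):
    """output-vlan-map pop: strip the outer tag, leaving the C-VLAN tag."""
    vids, _ = parse_tags(frame)
    if len(vids) < 2 or vids[0] != S_VLAN:
        return None
    return frame[:12] + frame[16:]


def sample_frame(c_vlan):
    """Constructed single-tagged IPv4 frame (made-up MACs, zeroed payload)."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    return macs + struct.pack("!HHH", TPID, c_vlan, 0x0800) + bytes(46)


if __name__ == "__main__":
    customer = sample_frame(108)
    tunnelled = push_s_tag(customer)
    print(parse_tags(customer), parse_tags(tunnelled))
    print(pop_s_tag(tunnelled) == customer, push_s_tag(sample_frame(250)))
```

Each pushed tag adds 4 bytes to the frame, so the links carrying the S-VLAN need MTU headroom for double-tagged traffic.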

 

Let’s test it. Below are the results of the ping tests and the show arp output.  The focus is on VLAN 108; I have a second VLAN also configured, VLAN 116, which enters the EX4300 on a separate physical interface, hence it's not in the above configuration example.

 

CE-A# run show arp
MAC Address        Address      Name         Interface     Flags
00:31:46:9d:43:80  192.168.1.2  192.168.1.2  ge-0/0/0.108  none
00:31:46:9d:43:81  192.168.1.6  192.168.1.6  ge-0/0/1.116  none
Total entries: 2

 

CE-A# run ping 192.168.1.2 rapid
PING 192.168.1.2 (192.168.1.2): 56 data bytes
!!!!!
--- 192.168.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.570/0.625/0.742/0.068 ms

 

Finally - one of the things I like to do is produce a “solution on a page” which I can refer back to at any time.  Below is the complete topology and configuration in a single document.


 

Figure 1.2 Q-in-Q solution on a page

 

@PaulClarkeJNCIP

Fujitsu Customer Solutions Architect

Juniper Networks Ambassador

Dec 27, 2018
sipart

The solution on a page is a great addition to the blog post. Thanks!

Dec 27, 2018
Pompeymatt

Thanks Paul, great article. Probably been even longer for me since I configured stacked VLANs and certainly pre-ELS which made some of my googling confusion more understandable! Love the solution on a page too!

Dec 27, 2018

It was back in 2015 that I first got my hands on an EX4600 and had to configure Q-in-Q. I too found the ELS CLI for this feature to be substantially different to what I had become accustomed to on the EX4200. There was little documentation on ELS Q-in-Q configuration at the time, which resulted in many hours of lab time. It seems that the ELS allows greater flexibility, but as always this comes at a trade-off of more complexity. A concise document such as this would have been very helpful. Great work!

 

It might be nice to show the equivalent configuration of the EX4200 for those who have mixed environments or are migrating to ELS products.

 

Dec 27, 2018
Trusted Contributor

Paul is writing more and more, and it's starting to show.  Way to go Paul!

 

Patrick Ames, Ed-in-Chief, Juniper Books

Dec 28, 2018
Ketan.patel@uk.fujitsu.com

Thank you for a clear and very informative Q-in-Q configuration article.

Dec 28, 2018
Chet1

 Great article Paul, the one pager really helps too!

 

Keep up the good work. 

Dec 29, 2018
md_fjs

Well written post. The one page diagram is a really useful addition.

Dec 31, 2018
jbus2018

Thanks for a very informative article.

Jan 1, 2019
Seyma

This is a great article with a clear explanation. But is it possible to do QinQ tunneling with ERP (Ethernet Ring Protection)? Because ERP requires a trunk to propagate VLANs, while QinQ removes that option and uses vlan-id instead. I feel like it could break ERP functionality.

 

I'd appreciate your advice.

Seyma

Jan 1, 2019
paulclarke

Hi Seyma,

 

If you can provide some additional information and possibly a topology diagram I would be happy to try this in my lab.

 

Regards,

Paul
