Ambassador Insights
Configuring Q-in-Q Tunneling (ELS)
Dec 27, 2018


 

In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service provider's VLAN, a customer-specific 802.1Q tag is added to the packet. This additional tag is used to segregate traffic into service-provider-defined service VLANs (S-VLANs). The original customer 802.1Q tag of the packet remains and is transmitted transparently, passing through the service provider's network. As the packet leaves the S-VLAN in the downstream direction, the extra 802.1Q tag is removed.

 

Having not configured Q-in-Q for 5 years, and with the last time being on an old EX4200, I was somewhat surprised to learn the command line had changed – a lot. The evolution of JUNOS and the introduction of ELS (Enhanced Layer 2 Software) meant my old configuration notes were no longer valid.

 

So I set about building a lab to test this solution. My topology is two EX4600s simulating inter-data center connectivity, with a single EX4300 downstream of each EX4600 and an SRX in each data center, allowing me to test connectivity (ping) between the locations across the Q-in-Q configuration.

 

The best part of my job is testing solutions and configurations in the lab.  I like doing the hard work in a lab environment where there is no pressure.  It’s a great place to learn and to get a full understanding of what you are doing.  And I always like to test any network configuration thoroughly.

 


 Figure 1.1 Lab Topology

 

There is nothing unusual about the configuration of the CE routers or the EX4300s. I’m simply trunking VLANs from the router to the EX4300s, and the EX4300s trunk VLANs towards the EX4600s. That’s standard configuration.

 

For completeness, the configuration of the EX4300s and the SRX is shared below:

 

----- EX4300 Configuration -----

EX4300-A# show interfaces ge-0/0/0
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members VLAN108;
        }
        storm-control default;
    }
}

EX4300-A# show interfaces ge-0/2/0
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members VLAN108;
        }
        storm-control default;
    }
}

EX4300-A# show vlans
VLAN108 {
    vlan-id 108;
}

 

----- SRX CE Router Configuration -----

CE-A# show interfaces ge-0/0/0
vlan-tagging;
unit 108 {
    vlan-id 108;
    family inet {
        address 192.168.1.1/30;
    }
}

 

I’ve chosen to configure Q-in-Q tunneling using the all-in-one bundling method, which forwards all packets that ingress on a C-VLAN interface to an S-VLAN. (Packets are forwarded to the S-VLAN regardless of whether they are tagged or untagged prior to ingress.) Using this approach saves you the effort of specifying a specific mapping for each C-VLAN.

 

----- EX4600 inter Data Center configuration -----

EX4600-A# show interfaces ge-0/0/0
flexible-vlan-tagging;
encapsulation extended-vlan-bridge;
ether-options {
    ethernet-switch-profile {
        tag-protocol-id 0x8100;
    }
}
unit 95 {
    vlan-id 95;
}

 

So – what is the relevance of vlan 95 and the other configuration items?  Well, let’s break it down item by item.

 

flexible-vlan-tagging

Support simultaneous transmission of 802.1Q VLAN single-tag and dual-tag frames on logical interfaces on the same Ethernet port, and on pseudowire logical interfaces.

 

encapsulation extended-vlan-bridge

Use extended VLAN bridge encapsulation on Ethernet interfaces that have IEEE 802.1Q VLAN tagging and bridging enabled and that must accept packets carrying TPID 0x8100 or a user-defined TPID.

 

ether-options {
    ethernet-switch-profile {
        tag-protocol-id 0x8100;
    }
}

 

Tag protocol identifier (TPID) is a 16-bit field set to a value of 0x8100 in order to identify the frame as an IEEE 802.1Q-tagged frame. This field is located at the same position as the EtherType field in untagged frames, and is thus used to distinguish the frame from untagged frames.

 

Vlan 95 is configured to forward all packets that ingress on a C-VLAN interface to an S-VLAN. (Packets are forwarded to the S-VLAN regardless of whether they are tagged or untagged prior to ingress.) Using this approach saves you the effort of specifying a specific mapping for each C-VLAN.

 

EX4600-A# show vlans
VLAN95 {
    interface ge-0/0/0.95;
    interface ge-0/0/1.95;
}

 

Note: Do not include the vlan-id in the vlan configuration, otherwise the configuration will not commit.

 

Now for the EX4600 interface facing the EX4300.  Again let’s break it down item by item.

 

----- EX4600 downstream access switch configuration -----

EX4600-A# show interfaces ge-0/0/1
flexible-vlan-tagging;
native-vlan-id 150;
encapsulation extended-vlan-bridge;
unit 95 {
    vlan-id-list 100-200;
    input-vlan-map push;
    output-vlan-map pop;
}

 

flexible-vlan-tagging

Support simultaneous transmission of 802.1Q VLAN single-tag and dual-tag frames on logical interfaces on the same Ethernet port, and on pseudowire logical interfaces.

 

native-vlan-id 150; 

When the native-vlan-id statement is included with the flexible-vlan-tagging statement, untagged packets are accepted on the same mixed VLAN-tagged port and on the interfaces that are configured for Q-in-Q tunneling.

 

encapsulation extended-vlan-bridge

Use extended VLAN bridge encapsulation on Ethernet interfaces that have IEEE 802.1Q VLAN tagging and bridging enabled and that must accept packets carrying TPID 0x8100 or a user-defined TPID.

 

unit 95 {
    vlan-id-list 100-200;
    input-vlan-map push;
    output-vlan-map pop;
}

 

vlan-id-list

Specify a VLAN identifier list to use for a bridge domain or VLAN in trunk mode.

 

input-vlan-map push

Specify the VLAN rewrite operation to add a new VLAN tag to the top of the VLAN stack. An outer VLAN tag is pushed in front of the existing VLAN tag.

 

output-vlan-map pop

Specify the VLAN rewrite operation to remove a VLAN tag from the top of the VLAN tag stack. The outer VLAN tag of the frame is removed.

 

This solution is really neat because it means my customer can add vlans as they please (within the specified range) and I don’t need to make any changes on the EX4600 Data Center switches.

 

The configuration makes interface ge-0/0/1.95 a member of S-VLAN VLAN95, enables Q-in-Q tunneling, maps packets from C-VLANs 100 through 200 to S-VLAN 95, and enables ge-0/0/1 to accept untagged packets. If a packet originates in C-VLAN 108 and needs to be sent across the S-VLAN, a tag with VLAN ID 95 is added to the packet. When a packet is forwarded (internally) from the S-VLAN interface to interface ge-0/0/1, the tag with VLAN ID 95 is removed.
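
The push and pop described above can be checked at the byte level. The following Python sketch is an added example, not part of the original article or of Juniper's software: it models the tag operations using the values from this page (TPID 0x8100, S-VLAN 95, C-VLAN range 100-200, native VLAN 150). The sample frame, MAC addresses and function names are constructed for illustration, and the treatment of untagged frames is a simplifying assumption of the model.

```python
import struct

TPID = 0x8100                    # tag-protocol-id from the EX4600 configuration
S_VLAN = 95                      # outer (service) tag for unit 95
C_VLAN_RANGE = range(100, 201)   # vlan-id-list 100-200
NATIVE_VLAN = 150                # native-vlan-id; model assumption: untagged frames are
                                 # classified into it and receive only the outer tag

def tag(vid, pcp=0):
    """Build a 4-byte 802.1Q tag: 16-bit TPID, 3-bit PCP, 1-bit DEI, 12-bit VLAN ID."""
    return struct.pack("!HH", TPID, (pcp << 13) | (vid & 0x0FFF))

def vlan_stack(frame):
    """Return the VLAN IDs that follow the two MAC addresses, outermost first."""
    vids, off = [], 12
    while len(frame) >= off + 4 and struct.unpack_from("!H", frame, off)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids

def push_s_vlan(frame):
    """input-vlan-map push: insert the S-VLAN tag in front of any existing tag."""
    stack = vlan_stack(frame)
    c_vid = stack[0] if stack else NATIVE_VLAN
    if c_vid not in C_VLAN_RANGE:
        raise ValueError(f"C-VLAN {c_vid} is outside vlan-id-list 100-200")
    return frame[:12] + tag(S_VLAN) + frame[12:]

def pop_s_vlan(frame):
    """output-vlan-map pop: strip the outer tag, leaving the customer tag untouched."""
    if vlan_stack(frame)[:1] != [S_VLAN]:
        raise ValueError("outer tag is not the expected S-VLAN")
    return frame[:12] + frame[16:]

# Constructed sample: dst MAC, src MAC, C-VLAN 108 tag, IPv4 EtherType, zero payload.
MACS = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
CUSTOMER_FRAME = MACS + tag(108) + b"\x08\x00" + bytes(46)

if __name__ == "__main__":
    tunneled = push_s_vlan(CUSTOMER_FRAME)
    print("tag stack on the interconnect:", vlan_stack(tunneled))
    print("tag stack after pop:", vlan_stack(pop_s_vlan(tunneled)))
    print("customer frame restored:", pop_s_vlan(tunneled) == CUSTOMER_FRAME)
```

Running `vlan_stack` over frames captured on the inter-data center link is a quick way to confirm that customer traffic really carries the outer tag 95 and that no single-tagged C-VLAN frames leak onto the interconnect.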

 

Let’s test it - below are the results of the ping tests and show arp outputs.  The focus is on vlan 108 - I have a second vlan also configured using vlan 116 which enters the EX4300 on a separate physical interface hence it's not in the above configuration example.

 

CE-A# run show arp
MAC Address          Address        Name           Interface       Flags
00:31:46:9d:43:80    192.168.1.2    192.168.1.2    ge-0/0/0.108    none
00:31:46:9d:43:81    192.168.1.6    192.168.1.6    ge-0/0/1.116    none
Total entries: 2

 

CE-A# run ping 192.168.1.2 rapid
PING 192.168.1.2 (192.168.1.2): 56 data bytes
!!!!!
--- 192.168.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.570/0.625/0.742/0.068 ms

 

Finally - one of the things I like to do is produce a “solution on a page” which I can refer back to at any time.  Below is the complete topology and configuration in a single document.


 

Figure 1.2 Q-in-Q solution on a page

 

@PaulClarkeJNCIP

Fujitsu Customer Solutions Architect

Juniper Networks Ambassador

Jan 2, 2019
anthonye

Good job and well explained.

 

Jan 3, 2019
Lee F

Great article. Clear and concise, and I will definitely utilise the ‘Solutions in a page’ for my future topology designs and configurations.

 

Keep them coming!

Jan 11, 2019
Gurpreet singh

Awesome write-up Paul. Very timely for me as I have some DC/L2 work coming up and, like yourself, it's been a while since I had done any Q-in-Q config. Solution on a page is extremely useful, I will be adopting that when making my own notes. Way to go!!

Looking forward to future posts

Feb 14, 2019

Really useful article which has helped me already.

Thanks Paul.

Feb 25, 2019

Great article Paul!

I have a doubt. Suppose that in the EX4300 switches we have 10 customers with Q-in-Q service with different S-VLANs (i.e. 95, 105, 300, 206, 344, 2000-2005).
How should I configure the trunk port between EX4600 switches? Do we need to create each unit per vlan service?

I have several access switches with a large number of Q-in-Q services, and I think it's a difficult scenario to scale.
How do you think they solve these cases?

 

Thank you,

Regards,

 

Javier Rodriguez.

Feb 25, 2019

Hi Javier, are you referring to the vlan-id-list?

Feb 25, 2019

Hi Paul,

No sorry, let's suppose that there are several EX4300 connected to the EX4600. What would happen if the EX4600 had 10 ports like the one it has against the EX4300 but in different vlans (qinq)? How should the ge-0/0/0 port of the EX4600 be configured?

 

Thank you,

Regards,

 

Javier Rodriguez.

Feb 25, 2019

Hi Javier,

 

Like below for example?

 

show interfaces ge-0/0/0
description "Data Center Interconnect";
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
ether-options {
    ethernet-switch-profile {
        tag-protocol-id 0x8100;
    }
}
unit 90 {
    description "802.1q trunk";
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members 90;
        }
    }
}
unit 95 {
    description "Q-in-Q for vlans 130, 132 and 134";
    encapsulation vlan-bridge;
    vlan-id 95;
}
unit 97 {
    description "Q-in-Q for vlans 230, 232 and 234";
    encapsulation vlan-bridge;
    vlan-id 97;
}
unit 98 {
    description "Q-in-Q for vlans 330, 332 and 334";
    encapsulation vlan-bridge;
    vlan-id 98;
}

Feb 26, 2019

Hi Paul,

Yes, it is a possibility. But, for example, in some scenarios, we have trunks where we should allow 50 or 100 service vlans. I mean, should we create 50 or 100 units per vlan on each trunk? Is there a summary way to do it? We have already tried to give a solution to this, but we could not do it. That's why we did not upgrade to the ELS version; besides that, they have now removed it from the download page.

 

Thank you, 

Regards,

 

Javier Rodriguez.

Feb 28, 2019

Hi Javier, I haven't seen anything on that scale before.  Do you have a lab environment you could test in?
