QnQ and trunking over the same switch port with HPE Comware and Huawei VRP

The other day I have an idea that I want to explore for QnQ just out of fun. We all know how QnQ works. In the QnQ termination switch, we configure the switch port which applies the extra vlan tag for QnQ, we configure that port as access port, allow our QnQ vlan as access vlan on the port and enable QnQ.

With the setup above, the QnQ port is in access mode and we can only have that QnQ vlan active on that switch port. But I want to run that switch port in both trunk and QnQ mode, so that I can carry some extra vlan which will not be double vlan tagged with QnQ. Those vlan will pass QnQ enabled switch port with their original vlan tag (with only one and the original vlan tagg applied). May be explained better with some pictures - 

I have vlan 11, 12 and 13 which will be double tagged with QnQ vlan 201. And have vlan 101, which will pass the switch port without QnQ just with original vlan tag 101. If we draw a picture it will look below - 

Outer Vlan
Inner Vlan
Comment
201
11, 12, 13
Apply QnQ with outer vlan 201

101
Do not apply QnQ, pass with only with the inner vlan

So, let's start playing with our topology - 

Selective QnQ Topology
We have three switches - Core-Sw-01, Core-Sw-02 and Core-Sw-03. Two switches - Core-Sw-01 and Core-Sw-03 take care of the QnQ. Core-Sw-02 is not aware of any QnQ, this just forwards packets based on outermost vlan tag. And Edge-Rtr-01 and Edge-Rtr-02 are our end devices which we will use for verification of configuration.

Let's setup basic QnQ first, then we will change the basic QnQ configuration to selective QnQ where only certain vlans are double tagged (vlan 11-13) and other vlans are allowed to pass as it is (vlan 101, without QnQ double tagging).

Basic QnQ Configuration in Huawei VRP 

Let's configure our end devices first -

Both routers and switches are running Huawei VRP software.

Edge-Rtr-01

interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/0.11
 !!! The command to enable vlan processing on a sub-interface in VRP
 dot1q termination vid 11
 ip address 192.168.11.1 255.255.255.0 
 !!! VRP does not allow ARP on subinterface, we must manually enable it
 arp broadcast enable
#
interface GigabitEthernet0/0/0.12
 dot1q termination vid 12
 ip address 192.168.12.1 255.255.255.0 
 arp broadcast enable
#
interface GigabitEthernet0/0/0.13
 dot1q termination vid 13
 ip address 192.168.13.1 255.255.255.0 
 arp broadcast enable
#

Edge-Rtr-02

interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/0.11
 dot1q termination vid 11
 ip address 192.168.11.2 255.255.255.0 
 arp broadcast enable
#
interface GigabitEthernet0/0/0.12
 dot1q termination vid 12
 ip address 192.168.12.2 255.255.255.0 
 arp broadcast enable
#
interface GigabitEthernet0/0/0.13
 dot1q termination vid 13
 ip address 192.168.13.2 255.255.255.0 
 arp broadcast enable
#

Core-Sw-01

vlan 201
 description Qnq_Vlan
#
interface GigabitEthernet0/0/24
 !!! Interface type dot1q-tunnel, activates double vlan tagging
 port link-type dot1q-tunnel
 !!! Outer vlan will be 201 which is defined as default vlan of that port 
 port default vlan 201
#
interface GigabitEthernet0/0/1
 !!! No special configuration needed, just forwards packets based on outer vlan
 port link-type trunk
 port trunk allow-pass vlan 201
#

Core-Sw-02

vlan 201
 description Qnq_Vlan
#
interface GigabitEthernet0/0/1
 !!! No special configuration needed, just forwards packets based on outer vlan
 port link-type trunk
 port trunk allow-pass vlan 201
#
interface GigabitEthernet0/0/2
 !!! No special configuration needed, just forwards packets based on outer vlan
 port link-type trunk
 port trunk allow-pass vlan 201
#

Core-Sw-03

vlan 201
 description Qnq_Vlan
#
interface GigabitEthernet0/0/2
 !!! No special configuration needed, just forwards packets based on outer vlan
 port link-type trunk
 port trunk allow-pass vlan 201
#
interface GigabitEthernet0/0/24
 !!! Interface type dot1q-tunnel, activates double vlan tagging
 port link-type dot1q-tunnel
 !!! Outer vlan will be 201 which is defined as default vlan of that port 
 port default vlan 201
#

That's it we are done with basic QnQ configuration.
  
Basic QnQ Verification in Huawei VRP

Let's do a ping from vlan 13 between -  Edge-Rtr-01 (192.168.13.1/24) to Edge-Rtr-02 (192.168.13.2/24) -

<Edge-Rtr-01>ping 192.168.13.2
  PING 192.168.13.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.13.2: bytes=56 Sequence=1 ttl=255 time=90 ms
    Reply from 192.168.13.2: bytes=56 Sequence=2 ttl=255 time=80 ms
    Reply from 192.168.13.2: bytes=56 Sequence=3 ttl=255 time=90 ms
    Reply from 192.168.13.2: bytes=56 Sequence=4 ttl=255 time=90 ms

Let's verify the basic things like mac-address table, vlan status from one of the switch involved in QnQ -

<Core-Sw-01>display mac-address vlan 201
MAC address table of slot 0:
-----------------------------------------------------------------
MAC Address    VLAN/      Port                 Type       
                       VSI/SI                                              
-----------------------------------------------------------------
00e0-fc75-5bcc 201        GE0/0/24        dynamic         
00e0-fc52-624c 201        GE0/0/1         dynamic    
-----------------------------------------------------------------

<Core-Sw-01>display vlan 201
--------------------------------------------------------------------------------
U: Up;         D: Down;         TG: Tagged;         UT: Untagged;
MP: Vlan-mapping;               ST: Vlan-stacking;
#: ProtocolTransparent-vlan;    *: Management-vlan;
--------------------------------------------------------------------------------

VID  Type    Ports                                                          
--------------------------------------------------------------------------------
201  common  UT:GE0/0/24(U)                                                     
                      TG:GE0/0/1(U)                                                      

We can see that we have learned two mac-address on the switch (two Rtrs involved in ping test). And most important the status of vlan 201 is untagged over QnQ enabled interface ge/0/0/24.

Now we will convert our QnQ enabled port from an access port of vlan 201, to a trunk port. And in this trunk port we will double tagg vlan 10-13 so that QnQ works as before, and create a new vlan 101 which will be carried outside of QnQ vlan, only with single vlan tag (101).

How we will test it - We will create a sub-interface of vlan 11 in Edge-Rtr-01, a vlan interface in Core-Sw-02 and try to ping between them.

Selective QnQ Configuration in Huawei VRP

Edge-Rtr-01

!!! Configure a new sub-interface for vlan 101
interface GigabitEthernet0/0/0.101
 dot1q termination vid 101
 ip address 192.168.101.1 255.255.255.0 
 arp broadcast enable
#

Core-Sw-01

vlan 101
 description Outside_Qnq
#
interface GigabitEthernet0/0/24
 !!! Port will not longer be access port
 !!! It carries both QnQ vlan (201) and non QnQ vlan (101)
 port link-type trunk
 !!! But our QnQ vlan must be native vlan on our trunk
 port trunk pvid vlan 201
 !!! We will allow both QnQ and non QnQ vlan over the trunk
 port trunk allow-pass vlan 101 201 
 !!! We must enable QnQ translation
 qinq vlan-translation enable
 !!! Our vlan stacking rule, another name for QnQ (multiple vlan tag in a frame)
 !!! Rule is if incoming packet has vlan 11 -13, double tag it with outer vlan 201
 !!! For other vlan do not do anything, let is pass as it is (vlan 101)
 port vlan-stacking vlan 11 to 13 stack-vlan 201
#
interface GigabitEthernet0/0/1
 port link-type trunk
 !!! We are allowing that new vlan 101 over our trunk
 port trunk allow-pass vlan 101 201
#

Core-Sw-02

vlan 101
 description Outside_Qnq
#
!!! We create a vlan interface so that we can ping from Edge-Rtr-01
interface Vlanif101
 ip address 192.168.101.3 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 !!! Allowing vlan 101 over the trunk
 port trunk allow-pass vlan 101 201
#
interface GigabitEthernet0/0/2
 port link-type trunk
 !!! Allowing vlan 101 over the trunk
 port trunk allow-pass vlan 101 201
#

Core-Sw-03

vlan 101
 description Outside_Qnq
#
!!! QnQ interface is configured same as other Core-Sw-01
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk pvid vlan 201
 port trunk allow-pass vlan 101 201 
 qinq vlan-translation enable
 port vlan-stacking vlan 11 to 13 stack-vlan 201
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101 201
#

Selective QnQ Verification in Huawei VRP
 
Let's do a ping from Edge-Rtr-01 to Core-Sw-02 over vlan 101 - 

<Edge-Rtr-01>ping 192.168.101.3
  PING 192.168.101.3: 56  data bytes, press CTRL_C to break
    Reply from 192.168.101.3: bytes=56 Sequence=1 ttl=255 time=270 ms
    Reply from 192.168.101.3: bytes=56 Sequence=2 ttl=255 time=40 ms
    Reply from 192.168.101.3: bytes=56 Sequence=3 ttl=255 time=60 ms
    Reply from 192.168.101.3: bytes=56 Sequence=4 ttl=255 time=50 ms

Now let's see what is happening in Core-Sw-01 -

As expected we have learnt two mac-adress in vlan 101 (Edge-Rtr-01 and Core-Sw-02) -

<Core-Sw-01>display mac-address vlan 101
MAC address table of slot 0:
--------------------------------------------------------
MAC Address    VLAN/       Port              Type       
                       VSI/SI                                               
--------------------------------------------------------
4c1f-cc5b-1f8c 101          GE0/0/1         dynamic       
00e0-fc75-5bcc 101         GE0/0/24       dynamic  
---------------------------------------------------------

<Core-Sw-01>display vlan 101
--------------------------------------------------------------------------------
U: Up;         D: Down;         TG: Tagged;         UT: Untagged;
MP: Vlan-mapping;               ST: Vlan-stacking;
#: ProtocolTransparent-vlan;    *: Management-vlan;
--------------------------------------------------------------------------------

VID  Type    Ports                                                          
--------------------------------------------------------------------------------
101  common  TG:GE0/0/1(U)      GE0/0/24(U)                                     

       
<Core-Sw-01>display vlan 201
--------------------------------------------------------------------------------
U: Up;         D: Down;         TG: Tagged;         UT: Untagged;
MP: Vlan-mapping;               ST: Vlan-stacking;
#: ProtocolTransparent-vlan;    *: Management-vlan;
--------------------------------------------------------------------------------

VID  Type    Ports                                                          
--------------------------------------------------------------------------------
201  common  UT:GE0/0/24(U)                                                     
             TG:GE0/0/1(U)                                                      
             ST:GE0/0/24(U)                                                     

Look at the status of vlan 201 over ge0/0/24 interface, it is both untagged (U) and vlan-stacking (ST). It means that for outgoing packets through ge0/0/24 will be stripped of vlan tag 201 (U) and incoming packets towards ge0/0/24 will be double tagged with vlan 201 (ST). And of course it will be according to the rule we have defined, applicable only to vlan 11-13.

As I like to work with multi vendor environments, where the implemented technology only matters for me, let's try our exact same setup in a HPE Comware switch.

Basic QnQ Configuration in HPE Comware

Edge-Rtr-01

interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/1.11
 !!! The command to enable vlan processing on a sub-interface in VRP 
 vlan-type dot1q vid 11
 ip address 192.168.11.1 255.255.255.0
#
interface GigabitEthernet0/1.11
 vlan-type dot1q vid 11
 ip address 192.168.12.1 255.255.255.0
#
interface GigabitEthernet0/1.11
 vlan-type dot1q vid 11
 ip address 192.168.13.1 255.255.255.0

Edge-Rtr-02

interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/1.11
 !!! The command to enable vlan processing on a sub-interface in VRP 
 vlan-type dot1q vid 11
 ip address 192.168.11.2 255.255.255.0
#
interface GigabitEthernet0/1.11
 vlan-type dot1q vid 11
 ip address 192.168.12.2 255.255.255.0
#
interface GigabitEthernet0/1.11
 vlan-type dot1q vid 11
 ip address 192.168.13.2 255.255.255.0

Core-Sw-01

vlan 201
 name Qnq_Vlan
#
interface GigabitEthernet0/0/24
 !!! HPE comware QnQ port stays in access mode, with QnQ vlan as access vlan
 port link-type access
 port access vlan 201
 !!! Activate QnQ vlan tagging over the access port
 qinq enable
#
interface GigabitEthernet0/0/1
 !!! No special configuration needed, just forwards packets based on outer vlan
 port link-type trunk
 port trunk permit vlan 201
#

Core-Sw-02

vlan 201
 name Qnq_Vlan
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk permit vlan 201
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk permit vlan 201
#

Core-Sw-03

vlan 201
 name Qnq_Vlan
#
interface GigabitEthernet0/0/2
  port link-type trunk
 port trunk permit vlan 201
#
interface GigabitEthernet0/0/24
  port link-type access
 port access vlan 201
 !!! Activate QnQ vlan tagging over the access port
 qinq enable
#

That's it we are done with basic QnQ configuration.

Selective QnQ Configuration in HPE Comware

Edge-Rtr-01

!!! Configure a new sub-interface for vlan 101
interface GigabitEthernet0/0/0.101
 vlan-type dot1q vid 101
 ip address 192.168.101.1 255.255.255.0 
#

Core-Sw-01

vlan 101
 name Outside_Qnq
#
interface GigabitEthernet0/0/24
 !!! Port will not longer be access port
 !!! It carries both QnQ vlan (201) and non QnQ vlan (101)
 port link-type trunk
 !!! But our QnQ vlan must be native vlan on our trunk
 port trunk pvid vlan 201
 !!! We will allow both QnQ and non QnQ vlan over the trunk
 port trunk permit vlan 101 201 
 !!! Enable QnQ over the port
 qinq enable
 !!! Made an exception, vlan 101 is excluded from QnQ (double tagging)
 qinq transparent-vlan 101

#
interface GigabitEthernet0/0/1
 port link-type trunk
 !!! We are allowing that new vlan 101 over our trunk
 port trunk permit vlan 101 201
#

Core-Sw-02

vlan 101
 name Outside_Qnq
#
!!! We create a vlan interface so that we can ping from Edge-Rtr-01
interface Vlan-interface 101
 ip address 192.168.101.3 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 !!! Allowing vlan 101 over the trunk
 port trunk permit vlan 101 201
#
interface GigabitEthernet0/0/2
 port link-type trunk
 !!! Allowing vlan 101 over the trunk
 port trunk permit vlan 101 201
#

Core-Sw-03

vlan 101
 name Outside_Qnq
#
!!! QnQ interface is configured same as other Core-Sw-01
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk pvid vlan 201
 port trunk permit vlan 101 201 
 qinq enable
 qinq transparent-vlan 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk permit vlan 101 201
#

That's it now we have made the exactly same setup with HPE Comware switches. Vlan 11-13 will be double tagged with outer vlan 201. But vlan 101 will continue throughout the network with the original and single vlan tag 101.

I hope it helps someone. For my case I was connecting two switches towards core of the network. Now I was able to decommission one of the switch, because now I need only one switch towards upstream, and upstream/core switch port is configured as trunk and carries both QnQ and not QnQ vlans.
Location: Sundsvall, Sweden

Comments

Post a Comment

Popular posts from this blog

Fortigate firewall AAA Configuration for management with TACACS+ protocol and Cisco ISE

Image
In this blog I will write about how to implement AAA services in Fortigate firewalls using Cisco ISE as an authentication server with TACACS+ protocol. First good to know our limitations. AAA means - Authentication (supported by ISE TACACS+), Authorization (partially supported by ISE TACACS+; Fortigate implements Admin-Profiles; so what a user can/cannot do is defined locally in the firewall with "Admin Profiles"; ISE just instructs the firewall to allocate one of those profiles), Accounting (not supported; instead configure syslog to get accounting data, Fortigate firewalls generate syslog messages for configuration changes made by a user). Let's jump to our configuration. Our topology is very simple; one Fortigate firewall and Cisco ISE server connected with the same management network which looks like below -  01 - Network Topology We have a management network 192.168.199.0/24. The firewall is at  .230  and Cisco ISE is at  .49  IP address. We are running the lates
Read more

Stacking switches Part - VI (Dell OS10 VLT - Virtual Link Trunking)

Image
In this blog I will configure MLAG (multi chassis link aggregation) for Dell OS10 switches. As every other vendor choses a fancy name of their implementation of MLAG; Dell is no exception to this. Dell calls their implementation VLT - Virtual Link Trunking . Let's look at our network topology - Two Dell OS10 switches will run peering between them and will run VLT/MLAG between them. Two Debian 10 linux machine will be connected with LACP bonding with both switches. They will simulate the client connection. Our topology looks like below - 01 - Dell OS10 VLT Topology Let's look at some terminology before configuration - VLT peer – The two switches participating in VLT are peer to each other. In a VLT domain a maximum of two switches are allowed. VLT interconnect (VLTi) – VLTi synchronizes state information between VLT peers. It synchronizes layer 2 and layer 3 control-plane information. These state/control-plane information includes MAC table, ARP table, IPv6 neighbors etc. VLT
Read more

Arista EOS AAA configuration for management with TACACS+ protocol and Cisco ISE (Part I)

Image
Today I will write about AAA configuration (SSH authentication, authorization and accounting) for Arista EOS switches with Cisco ISE as authentication server and AAA protocol will be TACACS . Our topology is very simple. One Arista switch and One Cisco ISE server is running on the same network. Our topology looks like below - 01 - Network Topology We have a management network 192.168.199.0/24. The switch is at .134 and Cisco ISE is at .49 IP address. We are running the latest version of ISE - version 3.0. Let's define our AAA requirements - Arista switches comes with two pre defined user roles - "network-admin" and "network-operator" . We will use those two roles. Every user after successful authentication from tacacs server (ISE), will be authorized as either "network-admin" or "network-operator" role. In turn these two roles will determine read-write or read-only access to the switch. N ote: With TACACS, we can also do individual cl
Read more