QinQ with Cisco Catalyst switches

QinQ with Cisco Catalyst switches

Below a simple topology using QinQ tagging (officially known as IEEE 802.1ad or unofficially IEEE 802.1 QinQ )
 on Cisco Catalyst C3550 switches.










C-VLANS 10 and 20 come from customer side and are encapsulated in the S-VLAN 1800.

This feature is also called VLAN double tagging or Vlan stacking, or Nested VLANs (Allied Telesis) or vMAN
 technology ( Extreme Networks).


To simulate the two end clients, I use two Linux computers that allows easy creation of VLANs on ethernet ports.



Network configuration on Linux computers

LINUX PC1

  $ sudo vconfig add eth5 1800   
  Added VLAN with VID == 1800 to IF -:eth5:- 
  
  $ sudo vconfig add eth5.1800 10   
  Added VLAN with VID == 10 to IF -:eth5.1800:-   

  $ sudo vconfig add eth5.1800 20   
  Added VLAN with VID == 20 to IF -:eth5.1800:-   

  $ sudo ip addr add 10.10.10.1/24 dev eth5.1800.10   
  $ sudo ip addr add 20.20.20.1/24 dev eth5.1800.20   
 
$ ip addr  
 14: eth5.1800@eth5: <broadcast> mtu 1500 qdisc noqueue state UP   
 link/ether 00:e0:4c:36:00:0a brd ff:ff:ff:ff:ff:ff  
 inet6 fe80::2e0:4cff:fe36:a/64 scope link   
 valid_lft forever preferred_lft forever  

 15: eth5.1800.10@eth5.1800: <broadcast> mtu 1500 qdisc noqueue state UP   
 link/ether 00:e0:4c:36:00:0a brd ff:ff:ff:ff:ff:ff  
 inet 10.10.10.1/24 scope global eth5.1800.10  
 valid_lft forever preferred_lft forever  
 inet6 fe80::2e0:4cff:fe36:a/64 scope link   
 valid_lft forever preferred_lft forever  

 16: eth5.1800.20@eth5.1800: <broadcast> mtu 1500 qdisc noqueue state UP   
 link/ether 00:e0:4c:36:00:0a brd ff:ff:ff:ff:ff:ff  
 inet 20.20.20.1/24 scope global eth5.1800.20  
 valid_lft forever preferred_lft forever  
 inet6 fe80::2e0:4cff:fe36:a/64 scope link   
 valid_lft forever preferred_lft forever  


LINUX PC2

 $ sudo vconfig add eth4 1800   
  Added VLAN with VID == 1800 to IF -:eth4:-   

  $ sudo vconfig add eth4.1800 10   
  Added VLAN with VID == 10 to IF -:eth4.1800:-   

  $ sudo vconfig add eth4.1800 20   
  Added VLAN with VID == 20 to IF -:eth4.1800:-   

  $ sudo ip addr add 10.10.10.2/24 dev eth4.1800.10   
  $ sudo ip addr add 20.20.20.2/24 dev eth4.1800.20   

$ ip addr  
 8: eth4.1800@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP   
   link/ether 00:10:a3:09:e6:bb brd ff:ff:ff:ff:ff:ff  
   inet6 fe80::210:a3ff:fe09:e6bb/64 scope link   
     valid_lft forever preferred_lft forever  

 9: eth4.1800.10@eth4.1800: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP   
   link/ether 00:10:a3:09:e6:bb brd ff:ff:ff:ff:ff:ff  
   inet 10.10.10.2/30 scope global eth4.1800.10  
   inet6 fe80::210:a3ff:fe09:e6bb/64 scope link   
     valid_lft forever preferred_lft forever  

 10: eth4.1800.20@eth4.1800: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP   
   link/ether 00:10:a3:09:e6:bb brd ff:ff:ff:ff:ff:ff  
   inet 20.20.20.2/30 scope global eth4.1800.20  
   inet6 fe80::210:a3ff:fe09:e6bb/64 scope link   
     valid_lft forever preferred_lft forever  


Cisco Catalyst switches configuration

SW1

#show system mtu 
System MTU size is 1546 bytes

interface FastEthernet0/2  
  description --dot1q-tunnel_SW1--  
  switchport access vlan 1800  
  switchport mode dot1q-tunnel  
  no ip address  
  l2protocol-tunnel cdp  
  l2protocol-tunnel stp  
  l2protocol-tunnel vtp  
  no cdp enable  
  spanning-tree bpdufilter enable  
 end  

 interface FastEthernet0/19  
  description --To SW2 Fa0/19--  
  switchport trunk encapsulation dot1q  
  switchport mode trunk  
 end  

SW2

#show system mtu 
System MTU size is 1546 bytes

interface FastEthernet0/2  
  description --dot1q-tunnel_SW2--  
  switchport access vlan 1800  
  switchport mode dot1q-tunnel  
  no ip address  
  l2protocol-tunnel cdp  
  l2protocol-tunnel stp  
  l2protocol-tunnel vtp  
  no cdp enable  
  spanning-tree bpdufilter enable  
 end  

 interface FastEthernet0/19  
  description --To SW1 Fa0/19--  
  switchport trunk encapsulation dot1q  
  switchport mode trunk  
 end  


Verifying 

a) From Linux computer

On the linux computers I'm using tcpdump to capture the packets on interface eth5 ( Linux PC 1) . In the packets we see that it contains the S-VLAN 1800 and C-VLANs 10 and 20. 

 $ sudo tcpdump -i eth5 -ne vlan -c 10  
 23:10:43.282757 00:10:a3:09:e6:bb > 00:e0:4c:36:00:0a, ethertype 802.1Q (0x8100), length 1450: vlan 1800, p 0, ethertype 802.1Q, vlan 20, p 0, ethertype IPv4, 20.20.20.2 > 20.20.20.1: ICMP echo request, id 8509, seq 524, length 1408  
 23:10:43.284015 00:e0:4c:36:00:0a > 00:10:a3:09:e6:bb, ethertype 802.1Q (0x8100), length 1450: vlan 1800, p 0, ethertype 802.1Q, vlan 20, p 0, ethertype IPv4, 20.20.20.1 > 20.20.20.2: ICMP echo reply, id 8509, seq 524, length 1408  
 23:10:43.323901 00:e0:4c:36:00:0a > 00:10:a3:09:e6:bb, ethertype 802.1Q (0x8100), length 1350: vlan 1800, p 0, ethertype 802.1Q, vlan 10, p 0, ethertype IPv4, 10.10.10.1 > 10.10.10.2: ICMP echo request, id 5068, seq 196, length 1308  
 23:10:43.324633 00:10:a3:09:e6:bb > 00:e0:4c:36:00:0a, ethertype 802.1Q (0x8100), length 1350: vlan 1800, p 0, ethertype 802.1Q, vlan 10, p 0, ethertype IPv4, 10.10.10.2 > 10.10.10.1: ICMP echo reply, id 5068, seq 196, length 1308  


b) Configuring the Catalyst Switched Port Analyzer

Using the SPAN feature, we can mirror the traffic from the trunk port F0/19 to interface Fa0/3.

 SW2(config)#monitor session 1 source interface Fa0/19  
 SW2(config)#monitor session 1 destination interface Fa0/3 encapsulation dot1q  

 SW2#sh monitor session 1  
 Session 1  
 ---------  
 Type : Local Session  
 Source Ports :  
 Both : Fa0/19  
 Destination Ports : Fa0/3  
 Encapsulation : DOT1Q  
 Ingress : Disabled  

Can also use the following : 

 SW2(config)#monitor session 1 source interface Fa0/19  
 SW2(config)#monitor session 1 filter vlan 1800  
 SW2(config)#monitor session 1 destination interface Fa0/3 encapsulation dot1q  


 SW2#show monitor session 1  
 Session 1  
 ---------  
 Type : Local Session  
 Source Ports :  
 Both : Fa0/19  
 Destination Ports : Fa0/3  
 Encapsulation : DOT1Q  
 Ingress : Disabled  
 Filter VLANs : 1800  

Using wireshark we capture the mirrored traffic on interface  Fa0/3.
Analyzing the packets we see both VLANs ( highlighted blue).



Comments

Popular Posts