IEEE 802.1Q Tunneling

About

This application note describes how to configure IEEE 802.1Q VLAN tunneling (Q-in-Q) in WeOS. The concept can be used over any core network where VLAN trunking is already used, regardless of any underlying layer-2 redundancy protocol; e.g. RSTP, FRNT, MRP.

Figure 1 shows the basic setup that will be used in the document. It depicts two customers, which use identical VLANs on each respective network, that want to connect their two sites over a shared provider network.

Introduction

Throughout this document we will use terms like customer and service provider. Customers connect to access ports on the provider network. The provider network has service ports, which are VLAN trunks.

The chosen example may at first glance only apply to traditional Internet Service Providers (ISPs). However, the same model can also be applied to industrial networks where isolation and tunneling over a shared network infrastructure is required.

Please note that this document describes Q-in-Q using stacked IEEE 802.1Q VLAN tags, not provider tagging according to IEEE 802.1ad, which may also be referred to as Q-in-Q.

In IEEE 802.1Q tunneling we encapsulate frames by adding an 802.1Q tag to all ingressing frames. The new tag is inserted before the first (customer) tag, so that simpler layer-2 switches act on the encapsulating outer tag only. When adding a new (outer) VLAN tag we push a tag; when frames are decapsulated we pop a tag.

               .-------------.                   .--------------.
               |             |                   |              |
               | Customer A1 |                   |  Customer A2 |
               | VLANs 1..60 |                   |  VLANs 1..60 |
               |             |                   |              |
               |    eth1     |                   |     eth1     |
               '------+------'                   '-------+------'
                      |                                  |
                      |      Customer A Network          |
               .~- .~-|.~- .~- .~- .~- ..~- .~- .~- .~-~-| .~- .~-
                      |      Provider Network            |
                      |                                  |
               .------+-------.                  .-------+------.
               |    eth1      |                  |      eth1    |
               |              |eth3         eth3 |              |
               |   Switch C1  +==================+  Switch C2   |
               |              |   VLAN 10, 20    |              |
               |    eth2      |                  |     eth2     |
               '------+-------'                  '-------+------'
                      |                                 |
                      |                                 |
             .~- .~- .~- .~- ..~- .~- .~- .~- .~- .~-.~-|.~- .~- .~-
                      |       Customer B Network        |
                      |                                 |
               .------+------.                  .-------+------.
               |     eth1    |                  |      eth1    |
               |             |                  |              |
               | Customer B1 |                  |  Customer B2 |
               | VLANs 1..90 |                  |  VLANs 1..90 |
               |             |                  |              |
               '-------------'                  '--------------'
                          --------- VLAN Trunk
                          ========= Tunnel connection

Figure 1: Q-in-Q Tunneling Setup Overview.

A VLAN tagged frame, figure 1, encapsulates the frame from the EtherType/Length field onward. The C-VID label used here refers to the customer VLAN tag, whose leading two bytes (8100) identify the frame as carrying an IEEE 802.1Q VLAN EtherType. Here VLAN IDs (VIDs) between 1 and 60 for customer A and between 1 and 90 for customer B are used.

Ingress Policy

This allows the customer to use any VLAN ID on their internal network. All ingressing traffic on these access ports is encapsulated with a second VLAN tag, VID 10 and 20, respectively. The encapsulating VLAN is the default VLAN of the access port.

Egress Policy

This allows traffic egressing on an access port to be restored to its customer VID (C-VID): the service VLAN ID (VID 10 or 20) is removed from the frame, and the frame egresses carrying only the C-VID tag.
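To make the push and pop described in the Ingress and Egress Policy sections concrete, the following Python script is an added example; it is not part of this application note and not WeOS code. It builds a customer-tagged frame, pushes the service tag the way the nested access port does on ingress, lists the stacked tags as they appear on the eth3 trunk, and pops the outer tag on egress while checking that it carries the access port's own service VLAN. The MAC addresses, the payload and the walk_tunnel helper are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an IEEE 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800


def vlan_tag(vid, pcp=0):
    """Encode one 4-byte 802.1Q tag: TPID 0x8100 followed by the TCI
    (3-bit priority, 1-bit DEI, 12-bit VID)."""
    if vid & ~0x0FFF:
        raise ValueError("VID does not fit in 12 bits")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)


def build_customer_frame(dst, src, cvid, ethertype, payload):
    """Frame as sent by a customer switch: dst MAC, src MAC, one C-VID tag,
    then the original EtherType/Length field and payload."""
    return dst + src + vlan_tag(cvid) + struct.pack("!H", ethertype) + payload


def push_tag(frame, svid):
    """Ingress on a nested access port (C1 eth1/eth2): push the service tag
    right after the source MAC, in front of any existing customer tag."""
    return frame[:12] + vlan_tag(svid) + frame[12:]


def pop_tag(frame, expected_svid):
    """Egress on the access port (C2 eth1/eth2): remove the outer tag and
    hand the customer back the frame as it was sent. The outer VID must be
    this port's own service VLAN; anything else belongs to another tunnel
    and must not be delivered here (raised instead of dropped silently)."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("outer header is not an 802.1Q tag")
    svid = tci & 0x0FFF
    if svid != expected_svid:
        raise ValueError(f"outer VID {svid} is not service VLAN {expected_svid}")
    return frame[:12] + frame[16:]


def vlan_stack(frame):
    """List the VIDs of all stacked 802.1Q tags, outermost first."""
    vids, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid != TPID_8021Q:
            break
        vids.append(tci & 0x0FFF)
        off += 4
    return vids


# Constructed sample: customer A1 sends an IPv4 frame on its VLAN 37.
# The MAC addresses are made up for the example.
A1_FRAME = build_customer_frame(
    dst=bytes.fromhex("020000000a02"),
    src=bytes.fromhex("020000000a01"),
    cvid=37,
    ethertype=ETHERTYPE_IPV4,
    payload=b"\x45\x00" + b"\x00" * 18,
)


def walk_tunnel(customer_frame, svid):
    """Trace one frame through the tunnel: push on C1 ingress, carry over the
    C1-C2 trunk, pop on C2 egress. Returns the VID stack seen on the trunk
    and the frame delivered to the far-end customer."""
    on_trunk = push_tag(customer_frame, svid)
    delivered = pop_tag(on_trunk, expected_svid=svid)
    return vlan_stack(on_trunk), delivered


if __name__ == "__main__":
    stack, out = walk_tunnel(A1_FRAME, svid=10)
    print("customer tags:", vlan_stack(A1_FRAME))   # [37]
    print("trunk tags:   ", stack)                   # [10, 37]
    print("restored:     ", out == A1_FRAME)         # True
    # A frame carried in service VLAN 20 (customer B) must not be delivered
    # on customer A's access port (service VLAN 10).
    try:
        pop_tag(push_tag(A1_FRAME, 20), expected_svid=10)
    except ValueError as err:
        print("rejected:     ", err)
```

The outer tag is always inserted at byte offset 12, directly after the source MAC, which is why a provider switch that understands only a single tag still forwards on the service VID while the customer's tag rides along untouched inside the payload. The expected_svid check in pop_tag is the software counterpart of the isolation the configuration below achieves with one service VLAN per access port.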

Configuration

Switch C1

C1:/#> configure
C1:/config/#> vlan 10
C1:/config/vlan-10/#> untagged eth1
C1:/config/vlan-10/#> nest eth1
C1:/config/vlan-10/#> tagged eth3
C1:/config/vlan-10/#> end
C1:/config/#> vlan 20
C1:/config/vlan-20/#> untagged eth2
C1:/config/vlan-20/#> nest eth2
C1:/config/vlan-20/#> tagged eth3
C1:/config/vlan-20/#> end
C1:/config/#>

Switch C2

C2:/#> configure
C2:/config/#> vlan 10
C2:/config/vlan-10/#> untagged eth1
C2:/config/vlan-10/#> nest eth1
C2:/config/vlan-10/#> tagged eth3
C2:/config/vlan-10/#> end
C2:/config/#> vlan 20
C2:/config/vlan-20/#> untagged eth2
C2:/config/vlan-20/#> nest eth2
C2:/config/vlan-20/#> tagged eth3
C2:/config/vlan-20/#> end
C2:/config/#>

Customer A1, A2, B1, B2

The customer VID (CVID) can be any value from 1 to 4095.

example:/#> configure
example:/config/#> vlan CVID
example:/config/vlan-CVID/#> tagged eth1
example:/config/vlan-CVID/#> end
example:/config/#>

Tunnel Isolation

To ensure complete isolation of the Q-in-Q tunnels, we remove the core switch CPU connection from each of the customer VLANs:

Switch C1

C1:/#> configure
C1:/config/#> iface vlan10
C1:/config/vlan-10/#> no enable
C1:/config/vlan-10/#> end
C1:/config/#> iface vlan20
C1:/config/vlan-20/#> no enable
C1:/config/vlan-20/#> end
C1:/config/#>

Switch C2

C2:/#> configure
C2:/config/#> iface vlan10
C2:/config/vlan-10/#> no enable
C2:/config/vlan-10/#> end
C2:/config/#> iface vlan20
C2:/config/vlan-20/#> no enable
C2:/config/vlan-20/#> end
C2:/config/#>

Layer-2 Services

Note

Services like IGMP snooping, LLDP, etc. are currently not supported for such VLAN configurations and should be disabled.

The tunnel isolation step (above) only disables the switch CPU layer-3 connection; we also need to disable the WeOS default layer-2 services, such as

IGMP snooping:

example:/#> configure
example:/config/#> vlan 10
example:/config/vlan-10/#> no igmp
example:/config/vlan-10/#> end
example:/config/#> vlan 20
example:/config/vlan-20/#> no igmp
example:/config/vlan-20/#> end
example:/config/#>

And LLDP:

example:/config/#> lldp
example:/config/lldp/#> port eth1,eth2,eth3
example:/config/lldp/port-eth1..3/#> no enable
example:/config/lldp/port-eth1..3/#> leave
example:/#>