Wednesday, December 17, 2008

QinQ in CCIE LAB

IEEE 802.1Q TUNNELING


It’s been a bit since I last updated the blog (only 2 days, actually). Today I was reviewing some switching topics with my 3560 configuration guide. The bad news with switching is that we tend to forget key features of some technologies if we do not review them frequently. QinQ is such a topic for me.



QinQ tunneling is a feature that is asked for occasionally in the CCIE lab. Though the chances of getting this task in the lab are rare, you are supposed to be familiar with it as well.


Cisco IEEE 802.1Q tunneling enables service providers to use a single VLAN to transport most or all of a single customer’s VLANs across their MAN or WAN backbone. The switch at the edge of the service provider’s network adds an extra (outer) 802.1Q tag to the customer traffic; this tag assigns a unique VLAN ID to each customer and keeps each customer’s VLAN traffic segregated from that of other customers. Note that the isolation comes from the outer tag alone: the customer frames are not encrypted, and the customer’s own tags and VLAN numbers travel unchanged inside the provider network.





Points to remember.

1. Use the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an IEEE 802.1Q trunk, including the native VLAN, are tagged. 


2. A tunnel port cannot be a routed port.

3. Tunnel ports do not support IP access control lists (ACLs).

4. Layer 3 quality of service (QoS) ACLs and other QoS features related to Layer 3 information are not supported on tunnel ports. MAC-based QoS is supported on tunnel ports.

5. EtherChannel port groups are compatible with tunnel ports as long as the IEEE 802.1Q configuration is consistent within an EtherChannel port group.

6. Port Aggregation Protocol (PAgP) and Unidirectional Link Detection (UDLD) are not supported on IEEE 802.1Q tunnel ports.

7. Dynamic Trunking Protocol (DTP) is not compatible with IEEE 802.1Q tunneling because you must manually configure asymmetric links with tunnel ports and trunk ports.

8. Loopback detection is supported on IEEE 802.1Q tunnel ports.

9. When a port is configured as an IEEE 802.1Q tunnel port, spanning tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface and CDP is automatically disabled. The tunnel port therefore does not take part in the provider’s spanning tree, and customer STP and CDP PDUs are dropped at the tunnel port unless Layer 2 protocol tunneling (below) is configured to carry them.

10. The outer tag adds 4 bytes to every tunneled frame, so the default system MTU of 1500 bytes is not enough: raise the system MTU to at least 1504 bytes on every switch in the service-provider path (system mtu global configuration command; the maximum value depends on the platform).
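To make the double tagging concrete, here is an added Python model (written for this page, not Cisco code and not from the original post) of what the provider-edge tunnel port does: it pushes an outer tag carrying the customer’s service VLAN (40, as in the configuration example on this page) on ingress and pops it again at the far edge. It also models the trunk-egress rule behind point 1: when the outer VLAN equals the trunk’s native VLAN and the native VLAN is not tagged, the outer tag is stripped and a core switch sees the customer’s own tag as if it were the provider tag. The MAC addresses, payload and the customer VLAN 100 are constructed sample data.

```python
"""
Model of a QinQ provider-edge tunnel port: push an outer (service-provider)
802.1Q tag on ingress, pop it on egress, and model the trunk-egress
behaviour that the 'vlan dot1q tag native' command changes.
Constructed example, not Cisco code; addresses and payload are made up.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800

# Constructed sample data (hypothetical addresses, not from the page).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 19   # a dummy IPv4 header is enough here


def build_frame(dst, src, payload, vlan=None):
    """Ethernet II frame, optionally carrying one customer (inner) 802.1Q tag."""
    frame = dst + src
    if vlan is not None:
        # TCI: PCP=0, DEI=0, 12-bit VLAN ID
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame):
    """VLAN IDs of the tag stack, outermost first; [] for an untagged frame."""
    tags, off = [], 12
    while off + 4 <= len(frame) and struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append(tci & 0x0FFF)
        off += 4
    return tags


def push_tag(frame, vlan):
    """Tunnel-port ingress: insert the provider (outer) tag right after the MACs.
    The customer's own tag, if any, is left untouched and becomes the inner tag."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF) + frame[12:]


def pop_tag(frame):
    """Tunnel-port egress at the far edge: strip the outermost tag only."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_8021Q:
        raise ValueError("frame carries no 802.1Q tag to pop")
    return frame[:12] + frame[16:]


def trunk_egress(frame, native_vlan, tag_native):
    """Provider trunk port: a frame whose outer VLAN equals the trunk's native
    VLAN is sent untagged unless 'vlan dot1q tag native' is configured."""
    tags = parse_tags(frame)
    if tags and tags[0] == native_vlan and not tag_native:
        return pop_tag(frame)
    return frame


def vlan_seen_by_core(customer_vlan, provider_vlan, trunk_native_vlan, tag_native):
    """Customer frame -> tunnel port (push) -> trunk egress; returns the tag stack
    a core switch sees.  Its first element is the VLAN the core forwards on."""
    customer_frame = build_frame(DST, SRC, PAYLOAD, vlan=customer_vlan)
    tunneled = push_tag(customer_frame, provider_vlan)
    on_wire = trunk_egress(tunneled, trunk_native_vlan, tag_native)
    return parse_tags(on_wire)


if __name__ == "__main__":
    # Tunnel port in access VLAN 40 as on this page; the customer uses VLAN 100.
    print(vlan_seen_by_core(100, 40, 1, False))    # [40, 100]: forwarded in S-VLAN 40
    print(vlan_seen_by_core(100, 40, 40, False))   # [100]: outer tag stripped, the core
                                                   # forwards on the customer's VLAN 100
    print(vlan_seen_by_core(100, 40, 40, True))    # [40, 100]: tagging the native VLAN fixes it
```

The second case is the one point 1 guards against: once the outer tag is gone, the customer’s VLAN 100 is forwarded in the provider core as if it were a service VLAN, which is both a delivery failure for that customer and a way for customer tags to land in somebody else’s VLAN. Tagging the native VLAN keeps the outer tag on the wire regardless of which VLAN the trunk treats as native.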

Configuration Example:

Switch1(config)# interface gigabitethernet0/4
Switch1(config-if)# switchport access vlan 40
Switch1(config-if)# switchport mode dot1q-tunnel
Switch1(config-if)# exit
Switch1(config)# vlan dot1q tag native
Switch1(config)# end

Verification:

Switch1# show vlan dot1q tag native
Switch1# show dot1q-tunnel interface gigabitethernet0/4



Layer 2 Protocol Tunneling

Points to remember.


1. Layer 2 protocol tunneling can be used independently or can enhance IEEE 802.1Q tunneling.

2. If protocol tunneling is not enabled on IEEE 802.1Q tunnel ports, remote switches at the receiving end of the service-provider network do not receive the customer’s STP, CDP, and VTP PDUs and cannot properly run those protocols across the tunnel. Layer 2 protocol tunneling can also carry PAgP, LACP, and UDLD PDUs, so a point-to-point EtherChannel or UDLD session can be formed between customer switches through the provider network.

3. You cannot enable Layer 2 protocol tunneling on ports configured in either switchport mode dynamic auto (the default mode) or switchport mode dynamic desirable; use an access port or a tunnel port.

4. DTP is not compatible with Layer 2 protocol tunneling.

5. Loopback detection is not supported on Layer 2 protocol tunneling of PAgP, LACP, or UDLD packets.

6. When protocol tunneling is enabled on an interface, you can set a per-protocol, per-port drop threshold for the PDUs generated by the customer network. If the limit is exceeded, the port drops PDUs until the rate at which it receives them falls below the drop threshold. A shutdown threshold works the same way but puts the port into the error-disabled state instead; the drop threshold must not exceed the shutdown threshold.

Configuration Example:

Switch1(config)# interface fastethernet0/5
! Layer 2 protocol tunneling is rejected on the default dynamic auto mode (point 3),
! so the port is first made a tunnel port (an access port would also work).
Switch1(config-if)# switchport mode dot1q-tunnel
Switch1(config-if)# l2protocol-tunnel cdp
Switch1(config-if)# l2protocol-tunnel stp
Switch1(config-if)# l2protocol-tunnel vtp
! Thresholds without a protocol keyword apply to all tunneled protocols;
! the drop threshold must not exceed the shutdown threshold.
Switch1(config-if)# l2protocol-tunnel shutdown-threshold 1500
Switch1(config-if)# l2protocol-tunnel drop-threshold 1000
Switch1(config-if)# exit
Switch1(config)# l2protocol-tunnel cos 5
Switch1(config)# end


Verification:

Switch1# show l2protocol-tunnel
Switch1# show l2protocol-tunnel interface fastethernet0/5