ASR 9010 switchport mode dot1q-tunnel QinQ Access

Similar Messages

• Dot1q-tunneling and native frames ( untagged )

  hi all I have the following setup:
  tunnel Port:
  interface GigabitEthernet1/0/2
  switchport access vlan 784
  switchport mode dot1q-tunnel
  switchport nonegotiate
  l2protocol-tunnel cdp
  l2protocol-tunnel stp
  l2protocol-tunnel vtp
  no cdp enable
  spanning-tree portfast
  Trunk Port - Into Carrier Network
  interface GigabitEthernet1/0/25
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 4094
  switchport mode trunk
  switchport nonegotiate
  load-interval 30
  speed nonegotiate
  spanning-tree bpdufilter enable
  the Native Port on the tunnel interface = 1 and native vlan tagging is enabled on the switch.
  what happens to untagged frames that hit the tunnel port from the customer? Imagine that they dont have their port as a trunk and are instead emitting untagged frames?
  are these dropped or simply have a single Q-tag pushed and are then tunnelled through the carrier network?
  I have followed the recommendation of making the trunk port have a native vlan that is not the native vlan of any of the tunnel ports.
  thanks

  Normally double-tag traffic is seen as NON-IP traffic by metro devices, since they cannot see beyond first tag.
  Untagged customer traffic will behave like IP traffic in metro network, since it will have only one tag.
  You can use a trick - create an IP access list on trunk port with "deny ip any any" - basically denying all IP traffic. That should stop all traffic that was not tagged by the customer. Ofcourse that will disable your management - so you need to plan this.
  If more than one customer is using same S-VLAN, and one customer has e.g. VLAN 3 untagged, and other one has VLAN 5 untagged, their VLANs will be interconnected.

• Me3400 mep on dot1q-tunnel interface

  Hi
  Just wanted to get someone to give me some quick pointers on the following task:
  I have an me3400 with fa0/1 as a UNI.
  also I have Gig0/1 as NNI.
  I have set the commands on the switch as
  ethernet cfm ieee
  ethernet cfm global
  ethernet cfm domain testnet level 4
  ethernet evc cust1
     oam protocol cfm svlan 10 domain testnet
  interface FastEthernet0/1
    switchport access vlan 10
    switchport mode dot1q-tunnel
    speed 100
    duplex full
    l2protocol-tunnel cdp
    l2protocol-tunnel lldp
    l2protocol-tunnel stp
    l2protocol-tunnel vtp
  interface GigabitEthernet0/1
    port-type nni
    switchport mode trunk
    ethernet cfm mip level 4 vlan 10
  so this is the minimal functionality that I am after.
  What else do I need to do to link the fa0/1 port to the EVC and enable an UP MEP and CC on it?
  the end goal initially is to propagate link loss when the UNI is disconnected so that the remote me3400 brings down its UNI.
  any help please.

  It's difficult for Cisco Cat 6500.Why don't you consider products from other vendors?

• Dot1q-tunnel rejection

  Hello,
  I am trying to setup a dot1q-tunnel on a Catalyst 6506 running IOS 12.2 and am running into trouble. I have followed everything in the manual and from other's examples, but I continually get the error:
  Command rejected: Gi1/1 doesn't support 802.1q tunneling.
  To get there I have done:
  Router(config)#vlan dot1q tag native
  Router(config)#interface range gig 1/1-48
  Router(config-if-range)#spanning-tree bpdufilter enable
  Router(config-if-range)#spanning-tree portfast
  Router(config-if-range)#switchport mode dot1q-tunnel
  and it says command rejected for all 48 ports.
  If anyone has any insight it would be greatly appreciated. Thank you for your time

  if you can't make tunnel with dot1q, check the capability of the module using follow command..
  [example]
  Swith#show interfaces gigabitEthernet 0/1 capabilities
  GigabitEthernet0/1
  Model: WS-C3550-24
  Type: unknown
  Speed: 1000
  Duplex: full
  Trunk encap. type: 802.1Q,ISL <<<--- capability
  Trunk mode: on,off,desirable,nonegotiate
  Channel: yes
  Broadcast suppression: percentage(0-100)
  Flowcontrol: rx-(off,on,desired),tx-(off,on,desired)
  Fast Start: yes
  QOS scheduling: rx-(1q0t),tx-(4q2t),tx-(1p3q2t)
  CoS rewrite: yes
  ToS rewrite: yes
  UDLD: yes
  Inline power: no
  SPAN: source/destination
  PortSecure: yes
  Dot1x: yes

• Dot1q tunnel VPLS support

  Hello Guys,
  I am configuring a dot1q tunnel VPLS since it suited our need for the client's requirements. To my surprise the 48 port tx we are using on our 7600 doesn't support this
  7609-PPE1(config-if)#switchport mode dot1q-tunnel
  Command rejected: Gi2/4 doesn't support 802.1q tunneling.
  IOS is s72033-pk9sv-mz.122-18.SXD5.bin
  Hardware is 48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX
  For me to establish a good VPLS in dot1q (dot1q in dot1q) multipoint connection, what hardware with port density is available for this one?
  I didn't have any problem with OSM modules, but we have to be practical with the port density.
  Your insights will be greatly appreciated.
  Thanks.

  For vpls to work the core facing should be a osm module.Configure IP routing in the core so that the PE routers can reach each other via IP. Configure MPLS in the core so that a label switched path (LSP) exists between the PE routers.For more info refer
  http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a00801e5c06.html#wp1338115.

• Native VLAN problem when using dot1q tunnel on ME3600

  We have problems with a VPLS service for a Customer. The edge devices are Cat3560 and ME3600 (where the Customers sites are connected).
  When the edge device are ME3600 we have problems getting the traffic on the Native VLAN from the Customer out in the VPLS cloud.
  No problems using Cat3560
  No problems using ME3600 and tagged VLAN
  Config on ME3600
  interface GigabitEthernet0/2
  description VPLS_CustomerA
  switchport access vlan 888
  switchport trunk allowed vlan none
  switchport mode trunk
  mtu 9800
  storm-control broadcast level 0.10 0.05
  storm-control action trap
  no cdp enable
  spanning-tree bpdufilter enable
  service instance 64 ethernet
    encapsulation untagged , dot1q 1-4094
    bridge-domain 64
  Any ideas?
  /Jorgen

  Can you remove this line from your configuration "
  switchport access vlan 888" since it is an invalid configuration for EVC.
  Reconfigure the port after making the above change. What kind of traffic you are expecting on the native vlan?
  L2 protocol is dsable by default so STP, CDP and other control protocols will not work unless you enable L2PT forward or tunnel.

• Dot1q tunnel

  Hi guys.
  I'm trying to setup a dot1q tunnel on a 3560X, but the option does not seem available.
  SW02#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  SW02(config)#int gig 0/1
  SW02(config-if)#sw mode ?
    access   Set trunking mode to ACCESS unconditionally
    dynamic  Set trunking mode to dynamically negotiate access or trunk mode
    trunk    Set trunking mode to TRUNK unconditionally
  SW02(config-if)#sw mode
  I'm sure I have seen this command visible previously so it could be configuration or VTP related, but obviously am now doubting myself.
  For reference the IOS version is;
  c3560e-universalk9-mz.122-55.SE5/c3560e-universalk9-mz.122-55.SE5.bin
  Its not an advipservices feature is it?
  Thanks for your help.
  Mike

  Hi Mike,
  according to the Configuration Guide, 802.1Q protocol tunneling is not supported on switches running the LAN base feature set.
  Do you have at least an IP Base license activated (show license detail)?
  Cisco Catalyst 3560-X Series Switches - Cisco IOS Software Packaging and Licensing White Paper
  HTH
  Rolf

• How to disable AUX port in ASR 9010

  Hi All,
  How to disable the AUX port in ASR 9010. Inside "line aux" I can't configure anything except "login authentication" (which is used for aaa authentication).
  Also after IOS XR 3.2 the configuration for AUX port has been removed
  Platform used: ASR 9010
  Version: IOS-XR 4.1.2
  Best Regards
  Saikat Chakraborty

  Hi Saikat,
  AUX has the same authentication method as we have on the system.  From this perspective, AUX is protected the same way as the Console port and only those who have an account can login via AUX (same way as via console). Any attempts to log on AUX will be logged:
  Successful:
  ksh[65902]: Successfully authenticated user 'XXX' for ksh access via 'aux' on '0/RSP0/CPU0'
  Incorrect:
  ksh[65902]: Failed authentication attempt by user 'YYY' for ksh access via 'aux' on '0/RSP0/CPU0
  But if anyone has a physical access to the device, that would be even bigger threat compare to system protected AUX login.
  BTW, tacacs authentication should work for AUX too. We’d need to define a template for it.
  Example:
  aaa authentication login tacacs_template group tacacs+ local
  line template aux
        login authentication tacacs_template
  Regards,
  /A

• Cisco catalyst 3850 switch won't take command: "switchport mode trunk encapsulation dot 1q"

  Hi all,
      I'am working on this switch's configuration. when I typed "switchport mode trunk encapsulation dot 1q", I got an error " invavid input". I'm guessing that this model already set encapsulation type to dot 1q, and that's why the switch won't take it, right? 
     Please help!

  According to the documents it supports both.
  You are however using the wrong command, it should be -
  "switchport trunk encapsulation dot1q"
  ie. no "mode" keyword.
  If it doesn't take that then do a "sh int <x> capabilities" and it should show you which encapsulation methods are supported.
  Jon

• MVR over DOT1Q-TUNNEL

  Is it possible to use MVR for delivering multicast to customers over dot1q-tunnel interface ?
  Can QinQ and MVR work together ?

  I think the muticast vlan registration shortly termed MVR is not supported in dot1Q tunnelling interface.Because, there is a criteria for configuring MVR.That is, while configuring MVR, receiver ports cannot be trunk ports. Since, do11q is a trunking protocol,I believe MVR can't be transmitted over trunk port, and hence over dot1q tunnel interface.For detailed info on this mvr,
  refer to the configuration guidelines sections of mvr at:
  http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008007e8d9.html#xtocid14

• Remote Access VPN, no split tunneling, internet access. NAT translation problem

  Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
  Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
  I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
  I reviewed the new NAT rules for the VPN and found the culprit. 
  I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
  Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
  nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source dynamic VPN_Subnet interface inactive
  object network obj_any
  nat (inside,outside) dynamic interface
  object network XXX_HTTP
  nat (inside,outside) static interface service tcp www www
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  Any help would be appreciated.

  Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
  With Regards,
  Safwan

• Dot1q tunneling and security

  Hi,
  I don't understand how to make to improve the security of dot1q tunneling. If the client makes some errors by example by disabling the spanning-tree on a vlan and he creates a loop between differents sites (L2VPN). What are the safety standards for Q-in-Q to protect the provider ?
  Thank you for your help.
  Regards.
  David

  It depends upon which switch you are using , If you are using a L3 capable switch , routing can be done on the switch it self , or if its a pure L2 switch you may have to create VLANs and route using sub-interfaces in the routers.Use these links for more details.
  http://cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf50.html#1008908
  http://cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080161137.html

• IPv6 on ASR 9010

  Which IPv6 features are available on the Cisco ASR 9010 platform and is there a specific license/line card needed?
  Thanks
  Manuel

  Hi Manuel,
  there's no need in a specific card and therefore in a license. The list of features is big and most of core ones is there, and it is growing! It would be better to check feature by feature to learn whether it will suit your requirements.
  For all further questions please do use the newly created forum for IOX -
  https://supportforums.cisco.com/community/netpro/service-providers/ios-xr?view=discussions
  See you there!
  Regards,
  Ivan.

• Dot1Q tunneling and routing

  I am in the process of designing a dot1q-tunnel-based service backbone. Basically client switches will uplink with tunnelled ports on the provider backbone.
  Cl-SW1 |----|P-SW1|----|P-SW2|-----|Cl-SW2|
  Assume that the CL-SW1 is at the headquarters of the client and some traffic from the client should be sent off-premisess (Internet for example) using the same link (Gig Ethernet).
  What are my options?
  P-SW1 and P-SW2 will not be able to see layer 3 information from the client switches since traffic is layer2-tunnelled. How can I route traffic off the backbone?
  I thought about trunking a single port on P-SW1 and connecting it to a router. On the router sub-interfaces will do the job. But the problem is that trunked traffic will reach the router encapsulated with dot1q tunneling? Does a 7600 series router do the job, since it understands tunneling?
  Any ideas will be appreciated.

  It depends upon which switch you are using , If you are using a L3 capable switch , routing can be done on the switch it self , or if its a pure L2 switch you may have to create VLANs and route using sub-interfaces in the routers.Use these links for more details.
  http://cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf50.html#1008908
  http://cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080161137.html

• ASR 9010 licensing question

  Hi,
  any good cisco reference for installing licenses for ASR 9010 router?
  we need to "move" license to oper state
  (admin)#sho license
  Mon May 28 15:44:08.686 UTC
  FeatureID: A9K-AIP-LIC-B (Slot based, Permanent) 
    Total licenses 2
    Available for use         2
    Allocated to location     0
    Active                    0
    Store name             Permanent
    Store index               1
      Pool: Owner
        Total licenses in pool: 2
        Status: Available     2    Operational:    0
  thanks for help
  miro

  I have the same problem on asr 9001. A can't activate license regardless of the location.
  (admin)#sh license
  FeatureID: A9K-9001-AIP-LIC (Slot based, Permanent)
    Total licenses 1
    Available for use         1
    Allocated to location     0
    Active                    0
    Store name             Permanent
    Store index               1
      Pool: Owner
        Total licenses in pool: 1
        Status: Available     1    Operational:    0
  license A9K-9001-AIP-LIC
   location 0/RSP0/CPU0
  (admin)#sh platform
  Wed Oct  1 14:45:47.427 CEST
  Node            Type                      State            Config State
  0/RSP0/CPU0     ASR9001-RP(Active)        IOS XR RUN       PWR,NSHUT,MON
  0/FT0/SP            ASR-9001-FAN-V2           READY
  0/0/CPU0            ASR9001-LC                IOS XR RUN       PWR,NSHUT,MON
  0/0/0                  A9K-MPA-4X10GE            OK               PWR,NSHUT,MON
  0/0/1                 A9K-MPA-20X1GE            OK               PWR,NSHUT,MON
  0/PM0/SP        A9K-750W-AC               READY            PWR,NSHUT,MON
  0/PM1/SP        A9K-750W-AC               FAILED           PWR,NSHUT,MON
  Any suggestion?
  Regards,
  Nenad