dot1q tunnel
networker050184
Mod Posts: 11,962 Mod
in CCIE
This isn't really certification related, but figured it's more on the CCIE level so I'd put it here. I'm also not sure if there are many others that work in the SP environment, but I'll throw it out there.
I'm thinking about trying to cut down on wasted ethernet ports on some 7200s for our MetroE solution. Currently we use one ethernet port connected for customer termination connected to a 6500 dot1q tunnel port and another connection for the actual management of the switch, both to a 7206. This takes up two gig ports on the 6500 and the 7206 while one of them is only used for management (I also have console connectivity, but I'm referring to inband management). I'm trying to figure out a solution to be able to connect to the switch through the one port used for customer termination. The issue with this is that the dot1q tunnel port tags everything that comes in (as far as I know) and spits it out the other end of the tunnel, not allowing me to connect to the switch through that connection. I have come up with a couple of scenarios I'm going to try out, but wondered if anyone had already done this or had some other ideas.
The first idea is to use the native VLAN on the 7206 and assign an IP address on the switch to this VLAN for management. This solution was suggested to me, but I have doubts that this will actually work. I believe that all traffic, regardless of tagged or not, when entering the dot1q tunnel will have the tunnel tag pushed on. This will pretty much make this solution not valid.
The config for this would be something like the following.
7206:

interface GigabitEthernet0/1
 description connection to 6500
 no ip address
!
interface GigabitEthernet0/1.1
 encapsulation dot1q 1 native
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/1.2
 ! customer termination on all other subs

6500:

interface GigabitEthernet1/1
 description connection to 7206
 switchport access vlan 2000
 switchport mode dot1q tunnel
!
interface Vlan1
 description management
 ip address 10.0.0.2 255.255.255.252

The second idea I had was to use the actual tunnel VLAN itself on the 7206 and 6500 for management. If I'm correct, if the frame comes into the dot1q tunnel with the tunnel tag already on it, the tunnel will not tag it with the same VLAN again. I'm not sure if this will cause any issues though. The config for this solution would be as follows.
7206:

interface GigabitEthernet0/1
 description connection to 6500
 no ip address
!
interface GigabitEthernet0/1.2000
 encapsulation dot1q 1000
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/1.2
 ! customer termination on all other subs

6500:

interface GigabitEthernet1/1
 description connection to 7206
 switchport access vlan 2000
 switchport mode dot1q tunnel
!
interface Vlan2000
 description management
 ip address 10.0.0.2 255.255.255.252

Please excuse any syntax errors as I just free handed those configs. I'm not sure if either of these solutions is very viable. I'm pretty sure the second will technically work, just not sure if there are any issues with actually using the tunnel VLAN. If anyone has any suggestions or would like more info let me know. I'll be testing these two scenarios out in the lab tomorrow so I'll post the results if anyone is interested.
Now back to studying
An expert is a man who has made all the mistakes which can be made.
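The question in the post is what a dot1q tunnel port does to the three kinds of frame the 7206 can send it: untagged (a `native` subinterface), tagged with the tunnel VLAN, or tagged with some other VLAN. The following is an added example, not part of the original post and not a Cisco implementation; it encodes and decodes raw Ethernet/802.1Q headers and models the tunnel port as "push the tunnel tag on every ingress frame, whatever it already carries", which is the behaviour the poster assumed. VLAN numbers are taken from the 6500 side of the posted configs (tunnel VLAN 2000, management SVI Vlan1 or Vlan2000); the MAC addresses and payload are constructed. It also runs a customer's untagged frame through the same push to show what a shared management VLAN means at layer 2. Whether a given platform actually behaves this way is something to confirm in the lab, as the poster did.

```python
"""Model of 802.1Q tag stacking at a dot1q-tunnel (QinQ) port.

Added example: not from the original post, not vendor code. Assumes the
tunnel port pushes its VLAN as a new outer tag on every ingress frame.
"""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q TPID, used here for inner and outer tags alike
ETH_P_IP = 0x0800

# Hypothetical values from the 6500 side of the posted configs.
TUNNEL_VID = 2000        # switchport access vlan 2000, switchport mode dot1q tunnel
MGMT_VID_OPTION1 = 1     # interface Vlan1 (option 1)
MGMT_VID_OPTION2 = 2000  # interface Vlan2000 (option 2)

# Constructed sample addresses and payload; contents do not matter to the model.
MAC_6500 = bytes.fromhex("66778899aabb")
MAC_7206 = bytes.fromhex("001122334455")
MAC_CUST = bytes.fromhex("0a0b0c0d0e0f")
PAYLOAD = b"\x45" + b"\x00" * 19  # stand-in for an IPv4 header


def build_frame(dst, src, vids, payload, ethertype=ETH_P_IP):
    """Ethernet frame with zero or more stacked 802.1Q tags (vids outermost first)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], inner ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype != ETH_P_8021Q:
            return dst, src, vids, etype, frame[off:]
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vids.append(tci & 0x0FFF)


def tunnel_port_ingress(frame, tunnel_vid=TUNNEL_VID):
    """Modelled dot1q tunnel port: push the tunnel VLAN as a new outer tag, always."""
    dst, src, vids, etype, payload = parse_frame(frame)
    return build_frame(dst, src, [tunnel_vid] + vids, payload, etype)


def tunnel_port_egress(frame, tunnel_vid=TUNNEL_VID):
    """Modelled far-end tunnel port: pop the outer tag, restoring the original frame."""
    dst, src, vids, etype, payload = parse_frame(frame)
    if not vids or vids[0] != tunnel_vid:
        raise ValueError("frame does not carry the tunnel tag")
    return build_frame(dst, src, vids[1:], payload, etype)


def svi_sees_ip(frame, svi_vid):
    """Would an SVI for svi_vid hand this frame to its IP stack?

    Only when the frame carries exactly one tag, equal to svi_vid, followed by
    the IP ethertype. A double-tagged frame presents 0x8100 where the IP stack
    expects 0x0800, so it is not IP as far as that SVI is concerned.
    """
    _, _, vids, etype, _ = parse_frame(frame)
    return vids == [svi_vid] and etype == ETH_P_IP


def round_trip_ok(vids=(100, 200)):
    """Customer frame pushed through the tunnel and popped at the far end is unchanged."""
    original = build_frame(MAC_6500, MAC_CUST, list(vids), PAYLOAD)
    return tunnel_port_egress(tunnel_port_ingress(original)) == original


def scenarios():
    """The cases from the thread, run through the model."""
    untagged = build_frame(MAC_6500, MAC_7206, [], PAYLOAD)          # 'encapsulation dot1q N native'
    tagged_tunnel = build_frame(MAC_6500, MAC_7206, [TUNNEL_VID], PAYLOAD)  # tagged, no 'native'
    customer_untagged = build_frame(MAC_6500, MAC_CUST, [], PAYLOAD)  # customer's own untagged frame
    return {
        # option 1: native frame gets tag 2000 pushed, so Vlan1 never sees it
        "option1_native_vlan1": svi_sees_ip(tunnel_port_ingress(untagged), MGMT_VID_OPTION1),
        # option 2 without 'native': 2000 pushed over 2000, double-tagged, not IP to Vlan2000
        "option2_tagged": svi_sees_ip(tunnel_port_ingress(tagged_tunnel), MGMT_VID_OPTION2),
        # option 2 with 'native': untagged becomes single-tagged 2000, reaches Vlan2000
        "option2_native": svi_sees_ip(tunnel_port_ingress(untagged), MGMT_VID_OPTION2),
        # caveat: a customer's untagged frame gets the same treatment and lands in the management VLAN
        "customer_untagged_reaches_mgmt_svi": svi_sees_ip(tunnel_port_ingress(customer_untagged), MGMT_VID_OPTION2),
    }


if __name__ == "__main__":
    for name, seen in scenarios().items():
        print(f"{name}: {'reaches SVI' if seen else 'dropped by SVI'}")
    print("customer round trip intact:", round_trip_ok())
```

Under this "push on everything" model the three lab outcomes the thread later reports all fall out of the header bytes: the option 1 native frame ends up in VLAN 2000 rather than VLAN 1, the option 2 frame sent already tagged comes out double-tagged, and only the option 2 frame sent untagged arrives at the Vlan2000 SVI as plain IP. The last scenario is the check a security engineer would add before deploying option 2: in the model, any untagged frame a customer sends into a tunnel port in VLAN 2000 shares a layer-2 domain with the management SVI, so the management address should be protected (access lists on the SVI and line vty, or a management VRF) rather than relying on the tunnel VLAN for isolation.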
Comments
networker050184 Mod Posts: 11,962 Mod

I haven't done this but I would take option #1 because you are using a separate vlan than the customer. The native vlan would be on your trunk link connecting 6500 and 7200 together and not the trunk connecting to customer. .1q tunnel is basically a layer 2 VPN and I wouldn't mess with the tunnel vlan. Are you not advertising anything out the 6500 and 7200 at layer 3?
If number one works it is definitely the one to go with. I just don't think it will. The dot1q tunnel port tags everything on ingress (as far as I know). That means that anything with that tunnel tag just gets pushed through the 6500 without being untagged. So the switch wouldn't know the frame is destined for it. The other issue is that these switches are 6524s so they can not terminate QinQ, or it would be too easy.
If you (or anyone else) can point me to some documentation that says the native VLAN is not tagged ingress on a dot1q tunnel port I'd like to see it. I just can't find anything saying it is or is not either way. Oh well, I'll know tomorrow.
Also I don't need to advertise anything L3 out the switch. All I need is one IP to access the switch. Either way, whether I'm advertising anything out or not, I still need to figure this out. The two ports work like a charm, it's just a waste of a gig port.

An expert is a man who has made all the mistakes which can be made.
networker050184 Mod Posts: 11,962 Mod

In case anyone is interested I got it worked out. Number one did not work for the reason I didn't think it would. Number two ended up working with a little tweak. I had to add the encapsulation dot1q 1000 native on the 7200 side. This still has me a little suspicious if it will cause any issues, but I think it should be good to go.
If anyone comes across this and has any other ideas feel free to post them and I'll give them a shot.

An expert is a man who has made all the mistakes which can be made.