
Re: QinQ configuration being provider and customer edge on same switch

 
Joepske
Occasional Advisor

QinQ configuration being provider and customer edge on same switch

Hi,

I'm configuring my core switches, 2x HP5800, in the datacenter of my customer.

On the core switches there will be connected some servers, firewalls and connections. One of the connections is from the Equinix datacenter, called Cloud Exchange. Via this fiber connection, we are going to connect to Microsoft Azure, via Microsoft ExpressRoute.

To make this possible, Equinix requires QinQ, where I can define the S-VLAN myself; this one is passed through to Microsoft. For each Microsoft service (Private / Public / Office365) I can then assign a C-VLAN.

The question is, how can I have, for example, VLAN 200 as C-VLAN on the 5800 (and also on the Microsoft side) and then add the S-TAG (e.g. VLAN 1000) before sending it to the fiber uplink?

Normally the provider adds the S-VLAN when I send my tagged frames into their port, but now, in this specific configuration, my core will be provider and customer switch. The only solution I can think of is to create a port which adds the S-TAG, and then use a patch cable from, for example, interface g1/0/1 to g1/0/20, where g1/0/1 is a trunk port with VLAN 200 and g1/0/20 is a QinQ port which adds the S-TAG VLAN 1000. The uplink port to Equinix is then tagged as VLAN 1000.

Does someone know how to do this without using a physical cable? 

 

18 REPLIES 18
Mike_ES
Valued Contributor

Re: QinQ configuration being provider and customer edge on same switch

Hi,

Could you attach your switches current configs?

Michal

Joepske
Occasional Advisor

Re: QinQ configuration being provider and customer edge on same switch

Hi Michal,

In the current config, there's still no QinQ configuration active, because I'm stuck with this question.

Next month we will migrate to the datacenter and the configuration has to work. For now I'm using a temporary HP E3500 switch to test this setup, but it looks like this switch is very limited in QinQ configuration (I have it in mixed mode), and I have it configured with the loop cable. See the attached drawing for this.

But I need to add an S-VLAN tag on a C-VLAN before sending it on the L2 fiber link....

So the attached image is a workaround and not what I want.

 

Mike_ES
Valued Contributor

Re: QinQ configuration being provider and customer edge on same switch

Joepske,

Some time ago I configured a simple QinQ topology based on the 5800 as my IRF and Procurve VLANs transparent transporting. When I started, I used this info:

http://datacenterfun.com/comware-configuring-qinq/

So, in my case, in the middle I put a Procurve switch to simulate the ISP core (access ports only!). As I remember, on the Procurve I had to configure only access VLANs, but on the 5800 uplink ports trunks were needed (with the "qinq enable" command).

It was only a staging setup, but tested and worked fine, so unfortunately I cannot give you the configs (I lost them).

Michal

 

 

 

 

Joepske
Occasional Advisor

Re: QinQ configuration being provider and customer edge on same switch

Hi Michal,

thanks for your reply.

The situation you describe also uses a customer switch, connected to your 5800. In that particular situation, it is not that hard to create QinQ, because the port on the 5800 connected to a customer switch adds the S-tag (qinq).

My question is how I can do it without a customer switch. The 5800 has the customer VLANs and has to add a QinQ S-VLAN tag before sending it on the fiber, connected to the other side. And this without creating a physical link attached to 2 ports on the same 5800...

I attached a new Visio drawing to explain it better... Hope someone can answer.

 

 

qinq explained.jpg

 

Mike_ES
Valued Contributor

Re: QinQ configuration being provider and customer edge on same switch

Ok, Thx for the drawing. It's really helpful :-)

In summary, what you are trying to do is to impose the S-VLAN tag (vlan 10000) for the output direction toward your ISP, right?

Not really sure if QinQ in general can do it for an outgoing interface...

But let's begin from scratch; here is a Cisco-based, well-explained tutorial of your case:

http://netcerts.net/q-in-q-tunneling/

Typically, ISP should do tunneling configuration on their edge switched ports.

Michal

Joepske
Occasional Advisor

Re: QinQ configuration being provider and customer edge on same switch

Michal,

thanks for your reply.

I understand that a typical scenario prescribes that the provider adds the S-TAG on the Customer-Edge device. In this case (Equinix datacenters and their Cloud-Exchange service) they don't do that.

They create an L2 link with Microsoft (ExpressRoute) and I define the S-TAG in the Equinix portal. So eventually I send my S-VLAN 1000 into their CE switch, and Microsoft also has VLAN 1000 defined on the ExpressRoute circuit. At the end of the circuit I can create, in MS Azure, virtual networks / BGP connection points for different network types (one for the private Azure environment, one for the public (SaaS) environment and one for Office 365 as an environment), so there are a maximum of 3 VLANs (C-VLANs) transferring over the ExpressRoute connection, embedded in S-VLAN 1000.

The downside is that Equinix expects me to send the S-VLAN (and thus do the QinQ config myself).

I can solve this by adding 2 switches which connect to the Equinix fiber (Cloud Exchange) and call them the Provider-Customer-edge switches. But why should I add 2 extra switches in the rack, while being able to do this all on the same core switches...

I think it isn't possible to do the tunneling on the same switch without using a physical patch cable to do the trick (illustrated below).

 

svlan cvlan.jpg
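The tag stack discussed in this thread (C-VLAN 200 or 201 carried inside S-VLAN 1000), as an added Python example that is not part of any post: it builds a C-tagged frame, pushes the outer tag the way the QinQ port would, and checks what a capture on the uplink should show. The MAC addresses and payload are constructed, and the outer TPID 0x88A8 is an assumption; some switches and peers use 0x8100 for the S-tag, which the parser also accepts.

```python
import struct

TPID_CTAG = 0x8100   # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8   # IEEE 802.1ad service tag (assumed here; may be 0x8100 on the wire)
TAG_TPIDS = {TPID_CTAG, TPID_STAG}

def vlan_tag(tpid, vid, pcp=0, dei=0):
    """Encode one 4-byte VLAN tag: 16-bit TPID, then 3-bit PCP, 1-bit DEI, 12-bit VID."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} out of range")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)

def push_s_tag(frame, s_vid, tpid=TPID_STAG):
    """Insert an outer tag after the two MAC addresses; the inner tag is left untouched."""
    return frame[:12] + vlan_tag(tpid, s_vid) + frame[12:]

def parse_tags(frame):
    """Return ([(tpid, vid), ...] outermost first, payload EtherType)."""
    tags, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TAG_TPIDS:
            return tags, etype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))
        off += 4

def check_uplink(frame, s_vid, allowed_c_vids):
    """True only if the frame carries exactly S-tag s_vid over one allowed C-tag."""
    vids = [vid for _, vid in parse_tags(frame)[0]]
    return len(vids) == 2 and vids[0] == s_vid and vids[1] in allowed_c_vids

# Constructed sample: an IPv4 frame tagged with C-VLAN 200, as it leaves the trunk port.
DST, SRC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
c_tagged = DST + SRC + vlan_tag(TPID_CTAG, 200) + struct.pack("!H", 0x0800) + bytes(46)
# The same frame after the QinQ port has added S-VLAN 1000 for the uplink.
double_tagged = push_s_tag(c_tagged, 1000)

if __name__ == "__main__":
    print(parse_tags(c_tagged))
    print(parse_tags(double_tagged))
    print(check_uplink(double_tagged, 1000, {200, 201}))
```

A frame that reaches the uplink with only the C-tag, or with an S-tag over a C-VLAN outside the allowed set, fails `check_uplink`.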

Mike_ES
Valued Contributor

Re: QinQ configuration being provider and customer edge on same switch

OK, good drawing, again! :-)

Your developed QinQ workaround is just fine, but this is returned confirmation of my previous statement:

To encapsulate your production VLANs into a transport VLAN (S-VLAN, ID 1000), you can do it only for an INPUT L2 interface, and you are trying to find a solution to configure such a thing using an output switch interface. I don't know if it is possible.

Could anyone advise?

Br,

Michal

 

tdeserranno
Occasional Advisor

Re: QinQ configuration being provider and customer edge on same switch

 

Did you try to simulate it in the HCL Comware simulator?

As I'm facing a similar demand from one of my customers, I have quickly tried to simulate it.

I intended to do this with HP 5510 HI switches, which I have at my customer as edge switches.

See below the setup I created in HCL. I patched gi1/0/2 and gi1/0/3 on each of the switches.

QinQtest.jpg

Configurations of both Cust edge and MSAzure edge switches

 

===========================================================================================

<Cust>dis cur
#
 version 7.1.059, Alpha 7159
#
 sysname Cust
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 lldp global enable
#
 system-working-mode standard
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
vlan 200 to 201
#
vlan 1000
#
 stp global enable
#
interface NULL0
#
interface Vlan-interface200
 ip address 192.168.0.1 255.255.255.252
#
interface Vlan-interface201
 ip address 192.168.1.1 255.255.255.252
#
interface FortyGigE1/0/53
 port link-mode bridge
#
interface FortyGigE1/0/54
 port link-mode bridge
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 1000
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 200 to 201
 combo enable fiber
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port access vlan 1000
 qinq enable
 combo enable fiber
 undo stp enable
#

=========================================================================================
 sysname MSAzure
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 lldp global enable
#
 system-working-mode standard
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
vlan 200 to 201
#
vlan 1000
#
 stp global enable
#
interface NULL0
#
interface Vlan-interface200
 ip address 192.168.0.2 255.255.255.252
#
interface Vlan-interface201
 ip address 192.168.1.2 255.255.255.252
#
interface FortyGigE1/0/53
 port link-mode bridge
#
interface FortyGigE1/0/54
 port link-mode bridge
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 1000
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 200 to 201
 combo enable fiber
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port access vlan 1000
 combo enable fiber
 undo stp enable

UNFORTUNATELY I CAN'T PING FROM ONE VLAN INT 200 or 201 to the other side ...yet.

Any suggestions or comments?

 

Mike_ES
Valued Contributor

Re: QinQ configuration being provider and customer edge on same switch

@tdeserranno,

I tested the HCL lab but cannot set up a port for IRF membership on the S5820V2 - did you have a chance to configure it?

My output:

<H3C>dis irf
MemberID    Role    Priority  CPU-Mac         Description
 *+1        Master  32        182d-bfc9-0400  ---
--------------------------------------------------
 * indicates the device is the master.
 + indicates the device through which the user logs in.

 The Bridge MAC of the IRF is: 182d-bfc9-0400
 Auto upgrade                : yes
 Mac persistent              : 6 min
 Domain ID                   : 100

 

[H3C]irf-port 1 ?
              ^
 % Wrong parameter found at '^' position.
[H3C]irf-port 1

 

Michal