802.1q Tunneling

One of the enterprise's business requirements can entail sending multiple VLANs across the service provider's Metro Ethernet network. The enterprise can accomplish this via 802.1q tunneling, also known as QinQ. This chapter uses both names interchangeably.

802.1q tunneling is a tunneling mechanism that service providers can use to provide secure Ethernet VPN services to their customers. Ethernet VPNs using QinQ are possible because of the two-level VLAN tag scheme that QinQ uses. The outer VLAN tag is referred to as the service provider VLAN and uniquely identifies a given customer within the network of the service provider. The inner VLAN tag is referred to as the customer VLAN tag because the customer assigns it. QinQ's use of double VLAN tags is similar to the label stack used in MPLS to enable Layer 3 VPNs and Layer 2 VPNs. It is also possible for multiple customer VLANs to be tagged using the same outer or service provider VLAN tag, thereby trunking multiple VLANs among customer sites. Note that by using two VLAN tagsouter and inner VLANyou achieve a demarcation point between the domain of the customer and the domain of the service provider. The service provider can use any VLAN scheme it decides upon to identify a given customer within his provider network. Similarly, the enterprise customer can independently decide on a VLAN scheme for the VLANs that traverse the service provider network without consulting the service provider.

In summary, 802.1q tunneling allows service providers to use a single VLAN to support multiple VLANs of customers, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated. At the same time, it significantly reduces the number of VLANs required to support the VPNs. QinQ encapsulates the VLANs of the enterprise customers into a VLAN of the service provider.

QinQ accomplishes the following:

Enterprise customers receive transparent Layer 2 links between sites within a metro area, such as a link from a branch office to a main campus.
Service providers can separate or group traffic on a per-customer basis using outer VLAN tags as it traverses the common infrastructure so that the same infrastructure can provide service to multiple customers.
The VLAN ID of the enterprise and the VLAN ID of the service provider do not have to match.
The customers can treat the switching infrastructure in a remote site as if it were part of the local site. They can use the same VLAN space and run protocols such as STP across the provider infrastructure through 802.1q.

The QinQ model allows the customer edge switch on each side of the tunnel to view the service provider infrastructure as nothing more than a transparent bridge. The following sections talk about the 802.1q tunneling underlying processes.

802.1. q and 802.1p Tagging

802.1q tagging refers to modifications made to the original Ethernet frame described earlier in the chapter. In 802.1q tagging, additional bytes are inserted into the Ethernet frame.

Altogether, the Ethernet frame is inserted with four additional bytes that turn it into the 802.1q frame, and FCS is recalculated. The new fields are illustrated in Figure 4-5.

Figure 4-5. 802.1q Frame

Following are the new fields inserted by "tagging":

Ethertype 2 bytes that identify an 802.1q frame and equal 0x8100. Ethertype is also called Tag Protocol Identifier (TPID).
TCI 2 bytes of Tag Control Information that in turn contain the following:
Priority 3 bits that define the 802.1p user priority. They are also referred to as the class of service (CoS) bits.
CFI 1-bit Canonical Format Identifier (CFI) for compatibility issues between Ethernet-type networks and Token Ringtype networks.
VLAN ID A 12-bit field that identifies the VLAN.

IEEE 802.1p is a supplement to the IEEE 802.1d specification. It is intended for QoS implementation on LANs, analogous to the three precedence bits in IP. 802.1p describes mechanisms in switches for handling the time-sensitive traffic and reducing the impact of high-bandwidth traffic within a LAN.

The IEEE 802.1p is needed because Ethernet, unlike Token Ring, does not inherently provide support for priority levels in frames. Based on the MAC frame information, 802.1p provides an in-band QoS signaling method for traffic classification. 802.1p also provides an optional mechanism in switches for supporting end-to-end time-critical frame delivery.

Under IEEE 802.1p, eight CoSs are supported. The higher the value is, the higher the priority of the frame. Zero, the lowest, stands for routine service with no priority specified. You can configure switches in a LAN and different ports of a switch for several different priority levels.

Sometimes high-speed LANs do not require QoS capabilities. However, when backbone networks are involved, QoS methods become necessary on service provider and enterprise networks. You will learn more of the QoS in Layer 2 VPN implementations in Chapters 9, "Advanced AToM Case Studies," and 13, "Advanced L2TPv3 Case Studies." Now it is time to examine the innerworkings of 802.1q tunneling.

Understanding How 802.1q Tunneling Works

A tunnel port is a port that is configured to support 802.1q tunneling. Each customer comes in on a dedicated customer-facing port on the service provider switch where a VLAN that is dedicated to tunneling is assigned. The service provider assigns each customer an outer VLAN tag or a service provider VLAN tag that uniquely identifies him within the network. The service provider VLAN also keeps the customer traffic isolated from other customer traffic that is traversing the same service provider network. That service provider VLAN supports all the VLANs of the customer.

802.1q tunneling refers to multiple tagging of dot1Q frames as they enter a service provider switch from a client switch. QinQ can tag or untag any frames that it receives from the customer tag. 802.1q also has native VLAN frames that are untagged. The service provider switch adds the outer VLAN tag.

Tagged and untagged customer traffic comes from a port on a customer device and enters the service-provider edge switch through a tunnel port. Each customer edge port that is connected to an 802.1q tunnel port is typically configured as a trunk port. The customer trunk port is unaware of the provider 802.1q tunnel and can communicate with all of its other trunk ports that are connected to the metro network of the provider as if they were directly connected. This makes the process transparent to the switching network of the enterprise.

A hub customer edge might have connectivity to two remote spoke sites and have only half of the VLANs from the hub site go to one site and the remaining to the second remote site. This is possible using two service provider VLANs for this enterprise customer when certain sites need to see only some and not all of the VLAN traffic from the hub site.

The link between the 802.1q trunk port on a customer device and the tunnel port is known as an asymmetrical link. One end is designated as an 802.1q trunk port, whereas the other end is configured as a tunnel port. The tunnel port is configured with an access VLAN ID that is unique to a customer, as shown in Figure 4-6.

Figure 4-6. Port Designation in a Service Provider Network

[View full size image]

When a tunnel port receives tagged customer traffic from an 802.1q trunk port, it does not strip the existing VLAN tag (imposed by the customer switch) from the frame header. Instead, it leaves the 802.1q tag intact and adds a 2-byte Ethertype field (0x8100) followed by a 2-byte field containing the priority (CoS) and the VLAN ID. The tunnel port treats the new tagged frame as a Layer 2 frame where the Ethertype is not known to the service provider because it is the bottom of the tag stack. It uses the outer or top VLAN tag for subsequent switching inside the service provider infrastructure. The tagging process is demonstrated in Figure 4-7. First, you see an original untagged frame (described in Figures 4-1 and 4-2), followed by a customer VLAN tagged frame. Finally, you see the addition of a provider's 802.1q tag.

Figure 4-7. 802.1q Tag Addition

[View full size image]

The tunnel port then puts the received customer traffic into the service provider VLAN that is assigned to the tunnel port. Subsequently, that VLAN transports the customer traffic to the next tunnel device. The customer VLAN (customer 802.1q tagged frames) is tunneled traffic that is carried in a service provider VLAN 802.1q tunnel. The ports in the tunnel are the ingress or egress points of the tunnel. The tunnel ingress and egress ports are not necessarily located on the same device. To reach a remote site in the customer network in the egress tunnel port, the tunnel can traverse multiple network links and multiple network devices (as many as required for a particular customer support).

When the frame reaches the other end of the provider network, an egress tunnel port at the edge switch strips the outermost tag before sending it to the customer network. Then the switch transmits the traffic out of the egress tunnel port with the original 802.1q tag of the enterprise to an 802.1q trunk port on a customer device. The 802.1q trunk port on the customer device strips the 802.1q tag and removes the traffic from the tunnel.

Note

An 802.1q trunk has an untagged native VLAN. When the port is in 802.1q trunk mode, the native VLAN is used for untagged traffic. Therefore, the native VLAN and all VLANs need to stay the same on both sides of the trunk.

802.1q Tunneling Guidelines and Restrictions

When you are configuring 802.1q tunneling, keep the following in mind:

Because 802.1q tunneled packets are processed as non-IP packets, Layer 3 packet classification does not apply. You can consider only Layer 2 match criteria (for instance, VLANs, source and destination MAC addresses, and 802.1p CoS bits) when filtering tunnel traffic. (Untagged packets that are sent to a tunnel do not have to adhere to this restriction inside the provider network.) Therefore, QoS for tunnel traffic can be provided only for Layer 2.
Dot1Q tunnel ports are essentially access ports that support double-tagging of incoming packets. Therefore, as far as Dynamic Trunking Protocol (DTP) is concerned, the port mode of an 802.1q tunnel port is not negotiable. Hence, DTP does not work with asymmetrical links because only one port on the link is configured as a trunk.
VTP does not work on an asymmetrical link or through a tunnel. To enable VTP between two customer ports across a tunnel, configure the protocol tunneling on the tunnel ports.
An asymmetrical link supports the following Layer 2 protocols:
UniDirectional Link Detection (UDLD) Allows devices to detect when a unidirectional link exists. Because unidirectional links can cause spanning-tree loops, UDLD shuts down a link when it detects unidirectional traffic.
Port aggregation protocol (PAgP) Used in the automatic creation of Fast EtherChannel links.
Cisco Discovery Protocol (CDP) Disabled by default on a QinQ tunnel port to prevent the service provider switch and the enterprise switch from seeing each other. To use CDP between customer edge devices across the provider tunnel, configure protocol tunneling for CDP on the tunnel ports.
As mentioned, traffic in the native VLAN is untagged and cannot be tunneled correctly. Therefore, make sure that the native VLAN of the 802.1q trunk port in an asymmetrical link does not carry traffic. Tag egress traffic in the native VLAN with 802.1q tags.
You can tunnel jumbo frames (that is, Ethernet frames in excess of the Ethernet frame MTU and up to 9216 bytes in length) in the core. However, you need to support them in a tunneled network (both in 802.1q tunnel ports and trunk ports in the provider network) for tunneling to work correctly with all packet sizes. Also, the total length of the frame plus 802.1q tag cannot exceed the maximum frame size.
If the VLAN of the tunnel port does not match the native VLAN of the 802.1q trunk, CDP reports a native VLAN mismatch. Because the 802.1q tunnel feature does not require that the VLANs match, you can ignore these messages in this case.
Enterprise and service provider switches should not participate in each other's STPs. To ensure this does not happen, STP BPDU filtering is enabled by default on 802.1q tunnel ports and access ports on provider switches. This makes BPDUs from the enterprise network invisible to the provider and vice versa. On the flip side, self-loops from back-to-back connection of the tunnel ports go undetected. To resolve this, all those ports on provider edge switches that interface with a customer should have the Root Guard feature enabled. This way, a customer switch does not mistakenly become an STP root. When you configure protocol tunneling on the customer edge ports, customer switches on either end of the tunnel can see STP BPDUs from other switches of that customer.
The maximum number of VLANs that the 802.1q standard allows in a Layer 2 domain is 4096, because the VLAN ID field is 12 bits and therefore permits 4096 variations (2¹² = 4096). Thus, the entire pure Layer 2 solution is bound to that number. It might or might not become a significant hindrance depending on the requirements placed on a particular service provider.