Q n Q Tunneling
December 16, 2009
By David Clark, CCIE# 14742 (Routing and Switching), CCSI# 31937
Service providers often have multiple customers with overlapping VLAN ranges. Q-in-Q tunneling, or 802.1Q tunneling, is the mechanism that allows service providers to preserve customer VLANs as they are transported through the service provider network. Q-in-Q tunneling uses a two-level VLAN tag structure. Each customer is assigned a unique VLAN within the service provider's network, and this unique tag is added to all incoming frames from the customer network. The original frame from the customer remains untouched. The inner tag is often referred to as the customer VLAN tag because the customer originally assigns it.
Q-in-Q tunneling significantly reduces the number of VLANs required within a customer network, as each customer is assigned a single unique VLAN. To the customer, the service provider network appears as a transparent bridge connecting their sites together.
When configuring Q-in-Q tunneling, the ports connected directly to the customer switch are configured with the command “switchport trunk encapsulation dot1q”. The customer ports are configured as normal and require no extra configuration.
interface FastEthernet0/20
description customer
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
end
interface FastEthernet0/21
description service provider
switchport access vlan 21
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
end
In the above example, Fast 0/20 resides on the customer switch, while Fast 0/21 is on the service provider switch and is configured as a tunnel port. VLAN 21 becomes the outer tag and is added to all frames from Fast 0/20 sent down to Fast 0/21. The service provider port is also specifically configured to carry CDP, STP and VTP frames. The configuration can be verified with the command “show l2protocol-tunnel interface fast 0/21”.
If the customer is running a negotiated EtherChannel, a slightly different configuration is required. On the customer side, a normal EtherChannel is configured.
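To make the two-level tag structure concrete, here is an added Python example (not part of the original article) that builds the single-tagged frame a customer trunk port sends, applies the outer tag the way the dot1q-tunnel port does, and then walks the tag stack back out. It assumes both tags use the 0x8100 TPID (the platform default the article's configuration relies on); the MAC addresses, the customer VLAN 100 and the payload are constructed sample values, while VLAN 21 is the outer tag from the configuration above.

```python
import struct

# Both the outer (service provider) and inner (customer) tags use the 0x8100 TPID here,
# which is the default on the platforms the article configures (assumption for this example).
TPID_DOT1Q = 0x8100


def build_tag(vlan_id, pcp=0, dei=0):
    """Return the 4-byte 802.1Q tag: TPID followed by TCI (PCP:3 bits, DEI:1 bit, VID:12 bits)."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN id out of range")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return struct.pack("!HH", TPID_DOT1Q, tci)


def customer_frame(dst, src, customer_vlan, ethertype, payload):
    """Build the single-tagged frame as it leaves the customer's trunk port (Fast 0/20)."""
    return dst + src + build_tag(customer_vlan) + struct.pack("!H", ethertype) + payload


def tunnel_ingress(frame, provider_vlan):
    """What the dot1q-tunnel port (Fast 0/21) does on ingress: insert the outer tag right after
    the destination and source MAC addresses, leaving the customer's frame (its own tag included)
    untouched."""
    return frame[:12] + build_tag(provider_vlan) + frame[12:]


def tunnel_egress(frame):
    """What the far-end tunnel port does: strip the outer tag and hand the original frame back."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_DOT1Q:
        raise ValueError("frame carries no outer tag")
    return frame[:12] + frame[16:]


def parse_tags(frame):
    """Walk the tag stack and return (list of VLAN ids outer-first, ethertype, payload)."""
    offset = 12
    vlans = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype != TPID_DOT1Q:
            break
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN id
    return vlans, ethertype, frame[offset:]


# Constructed sample values: broadcast destination, a locally administered source MAC,
# customer VLAN 100 carrying an IPv4 ethertype and a dummy 20-byte payload.
SAMPLE_DST = bytes.fromhex("ffffffffffff")
SAMPLE_SRC = bytes.fromhex("0200aabbccdd")
SAMPLE_PAYLOAD = b"\x45" + b"\x00" * 19


def demo(provider_vlan=21, customer_vlan=100):
    """Return the parsed tag stack of the frame as seen inside the service provider network."""
    inner = customer_frame(SAMPLE_DST, SAMPLE_SRC, customer_vlan, 0x0800, SAMPLE_PAYLOAD)
    outer = tunnel_ingress(inner, provider_vlan)
    return parse_tags(outer)


if __name__ == "__main__":
    vlans, ethertype, payload = demo()
    print("tag stack (outer first):", vlans, "ethertype: 0x%04x" % ethertype)
```

Running it prints the tag stack as [21, 100]: the provider's VLAN 21 on the outside, the customer's VLAN 100 untouched on the inside, which is exactly why a service provider switch only needs to know about VLAN 21 for this customer.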
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode desirable
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode desirable
The service provider configuration is slightly different from the previous example.
interface FastEthernet0/1
switchport access vlan 17
switchport mode dot1q-tunnel
l2protocol-tunnel point-to-point pagp
end
interface FastEthernet0/2
switchport access vlan 18
switchport mode dot1q-tunnel
l2protocol-tunnel point-to-point pagp
end
In this case we use the “l2protocol-tunnel point-to-point pagp” command to carry the PAgP frames across the service provider network. Also, one VLAN is assigned per incoming port from the customer switch. For LACP, the “l2protocol-tunnel point-to-point lacp” command would be used instead.
Article Source: http://www.ccbootcamp.com/support-resources/resources/articles-by-ccbootcamp.html
Tags: ccie, cisco, computer training, VLAN
iCOD Arrival!! Watch the iCOD in action on YouTube:
http://www.youtube.com/watch?v=2KYjpvP56sE
Tags: ccbootcamp, ccie, CCIE Training, cisco, computer training, IPOD
Configuring a Router to Support SDM
November 10, 2008
By Luke Foster
Cisco SDM (Security Device Manager) is a web-based management tool that works with the Cisco IOS to aid in the configuration and management of Cisco routers. The GUI (Graphical User Interface) allows engineers with little experience to configure Cisco routers and stage large deployments. SDM is also powerful enough to help experienced engineers efficiently implement advanced security measures such as an IPS (Intrusion Prevention System).
There are two types of SDM: SDM and SDM Express. The Express version is a limited form of SDM for routers that do not have enough flash memory to support the full SDM (SDM requires 6MB of flash; SDM Express requires only 2MB). SDM is factory installed on the 1800 series, 2800 series, and 3800 series routers. SDM is also factory installed on router platforms with the (K9) security bundle. If a router does not have SDM installed, the software can be downloaded for free from Cisco. When downloading the SDM software from Cisco, make sure to verify that the IOS version of the router can support SDM.
SDM provides several wizards to walk an engineer through configuring a router. These wizards range from interface configurations to VPN (Virtual Private Network) and even QoS (Quality of Service) configurations. The Security Device Manager also provides real-time monitoring, logging, and security audit features. It will even notify an engineer if it notices conflicting configuration parameters and suggest resolutions.
Note - SDM can be enabled on deployed routers without affecting the network.
To configure a router to support SDM:
First, enable the HTTP or HTTPS server on the router.
Router# configure terminal
Router(config)# ip http server
Router(config)# ip http secure-server
Router(config)# ip http authentication local
Router(config)# ip http timeout-policy idle 600 life 86400 requests 10000
Next, create a user who has enable privileges.
Router(config)# username username privilege 15 secret 0 password
Finally, configure the vty lines to support telnet / ssh local login and privilege level 15 users.
Router(config)# line vty 0 4
Router(config-line)# privilege level 15
Router(config-line)# login local
Router(config-line)# transport input telnet ssh
Note – If your router supports 16 vty lines, enter the commands above for vty lines 5-15 as well.
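Because these prerequisites are spread across global configuration and every vty block, it is easy to miss one on a deployed router. The following added Python example (written for this page, not Cisco's or SDM's own tooling) parses a saved running-config and reports which of the settings from the steps above are absent, and also flags where only the plaintext option (HTTP without HTTPS, or telnet) is in place. The two configs it checks are constructed samples; the username secret is a labelled placeholder, not a real hash.

```python
import re


def parse_config(config):
    """Split running-config text into global commands and a dict of 'line vty a b' -> sub-commands.
    IOS indents the sub-commands of a section by one space; a '!' or a non-indented line ends it."""
    global_cmds, vty_blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" ") and current is not None:
            vty_blocks[current].append(line.strip())
        elif line.startswith("line vty"):
            current = line.strip()
            vty_blocks[current] = []
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, vty_blocks


def audit_sdm_prereqs(config):
    """Return a list of findings; an empty list means every prerequisite from the article is present
    and only the encrypted management options are enabled."""
    global_cmds, vty_blocks = parse_config(config)
    findings = []

    # Step 1: the HTTP/HTTPS server and local authentication for it.
    if "ip http server" not in global_cmds and "ip http secure-server" not in global_cmds:
        findings.append("missing: ip http server / ip http secure-server")
    elif "ip http secure-server" not in global_cmds:
        findings.append("weak: only plaintext ip http server is enabled")
    if "ip http authentication local" not in global_cmds:
        findings.append("missing: ip http authentication local")

    # Step 2: a local user with privilege 15.
    if not any(re.match(r"username \S+ privilege 15 ", cmd) for cmd in global_cmds):
        findings.append("missing: username ... privilege 15")

    # Step 3: each vty block must allow local login at privilege 15 over ssh.
    if not vty_blocks:
        findings.append("missing: line vty configuration")
    for name, cmds in vty_blocks.items():
        if "privilege level 15" not in cmds:
            findings.append(f"{name}: missing privilege level 15")
        if "login local" not in cmds:
            findings.append(f"{name}: missing login local")
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport or "ssh" not in transport[-1].split():
            findings.append(f"{name}: ssh not permitted by transport input")
        elif "telnet" in transport[-1].split():
            findings.append(f"{name}: weak: telnet permitted alongside ssh")
    return findings


# Constructed sample: the configuration from the steps above, applied as written.
SDM_READY_CONFIG = """\
hostname Router
!
ip http server
ip http secure-server
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
!
username admin privilege 15 secret 5 PLACEHOLDER_HASH
!
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
"""

# Constructed sample: a router where only the plaintext web server was turned on.
INCOMPLETE_CONFIG = """\
hostname Router
!
ip http server
!
line vty 0 4
 login
 transport input telnet
!
"""

if __name__ == "__main__":
    for label, cfg in (("ready", SDM_READY_CONFIG), ("incomplete", INCOMPLETE_CONFIG)):
        print(label, audit_sdm_prereqs(cfg) or "no findings")
```

On the first config the only finding is the telnet warning, since the article's own vty configuration permits telnet alongside ssh; dropping "telnet" from "transport input" clears it. On the second config the audit lists every missing prerequisite per step, which is the same list an engineer would otherwise have to assemble by hand before SDM can connect.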
Article Source: http://www.ccbootcamp.com/support-resources/resources/articles-by-ccbootcamp.html
Tags: ccbootcamp, ccie, cisco, computer training, Network Learning, Routers