Q-in-Q QFX 5100

  • 1.  Q-in-Q QFX 5100

    Posted 05-08-2017 06:40

    I have been struggling with Q-in-Q on my QFX 5100 switches all day and despite reading all the forum posts and KB articles I could find, was not able to find a complete configuration that would work for me on 14.1X53-D42.3. All seemed to be missing the complete S-VLAN interface.

     

    Some of the resources I found are listed below.

     

    http://www.netscreen-support.com/documentation/en_US/junos/topics/task/configuration/qinq-tunneling-qfx-series-dual-tag-rewrite-els.html

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/qinq-tunneling-qfx-series-els.html

    https://eising.wordpress.com/2015/08/26/juniper-els-and-qinq/

     

    I suspect something has changed as of the latest release, because nothing seemed to work and the example configs don't have the uplink configuration.

     

    My setup is pretty simple, using some test switches with SVIs as the traffic initiators on either side of the Q-in-Q tunnel.

     

    TestSW1 <-> QFX5100SW1 <-> QFX5100SW2 <-> TestSW2

     

    QFX5100SW1

    set interfaces ge-0/0/0 description "Connection to TestSW1"

    set interfaces ge-0/0/0 flexible-vlan-tagging

    # Native VLAN ID here refers to the customer's native VLAN

    # Some documentation implies this is actually the VLAN ID that will be pushed onto the packet in a new DOT1Q header, but that is not the case
    set interfaces ge-0/0/0 native-vlan-id 1

    # Probably don't need jumbo frames, but I thought maybe the extra header might push it over 1500 bytes
    set interfaces ge-0/0/0 mtu 9216
    set interfaces ge-0/0/0 encapsulation extended-vlan-bridge

    # What customer VLANs are allowed on the Q-in-Q tunnel

    # For my purposes, whatever the customer wants to do is fine by me so I am accepting all VLANs
    set interfaces ge-0/0/0 unit 100 vlan-id-list 1-4094

    # This is the interesting bit, push VLAN ID 100 onto any frames received on this interface
    set interfaces ge-0/0/0 unit 100 input-vlan-map push

    # Without the line below nothing worked, I assume because the switch didn't know which VLAN to use for the outer tag
    set interfaces ge-0/0/0 unit 100 input-vlan-map vlan-id 100

    # Pop the outer VLAN off again before sending out frames with their original VLAN header (or not) intact
    set interfaces ge-0/0/0 unit 100 output-vlan-map pop

     

    # I have an AE interface configured, which I figure would be the norm for most people with QFX switches

    set interfaces xe-0/0/44 ether-options 802.3ad ae46
    set interfaces xe-0/0/45 ether-options 802.3ad ae46
    set interfaces ae46 description "L2 interconnect"

    # The line below is required or else you can't have a VLAN ID against a unit other than 0
    set interfaces ae46 flexible-vlan-tagging
    set interfaces ae46 mtu 9216

    # I chose flexible-ethernet-services because you can still have a unit 0 with non S-VLANs as members (or so it seems to me)

    # Note that this does mean that you have to specify the encapsulation for all units other than 0 and that 0 must be family ethernet switching (again as far as I can tell)
    set interfaces ae46 encapsulation flexible-ethernet-services
    set interfaces ae46 aggregated-ether-options link-speed 10g
    set interfaces ae46 aggregated-ether-options lacp active
    set interfaces ae46 aggregated-ether-options lacp periodic fast

    # This is where I tell the switch that for unit 100 it should encapsulate as a vlan-bridge
    set interfaces ae46 unit 100 encapsulation vlan-bridge
    set interfaces ae46 unit 100 vlan-id 100

     

    # The lines below initially confused me since there is no ID listed against the VLAN

    # But it seems that JunOS with ELS generates the VLAN ID based on the unit number of the C-VLAN interface

    # The purpose of these lines seems to be to stitch together the two logical interfaces to become a kind of switch

    # I agree with EISING in his linked article that this is inelegant and shared some of his expletives at the lack of documentation from Juniper

    set vlans TEC001_qinq_100 interface ge-0/0/0.100
    set vlans TEC001_qinq_100 interface ae46.100

     

    QFX5100SW2 (no comments as it is the same)

    set interfaces ge-0/0/0 description "Connection to VasilySwitch"
    set interfaces ge-0/0/0 flexible-vlan-tagging
    set interfaces ge-0/0/0 native-vlan-id 1
    set interfaces ge-0/0/0 mtu 9216
    set interfaces ge-0/0/0 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/0 unit 100 vlan-id-list 1-4094
    set interfaces ge-0/0/0 unit 100 input-vlan-map push
    set interfaces ge-0/0/0 unit 100 input-vlan-map vlan-id 100
    set interfaces ge-0/0/0 unit 100 output-vlan-map pop

     

    set interfaces xe-0/0/44 ether-options 802.3ad ae46
    set interfaces xe-0/0/45 ether-options 802.3ad ae46

    set interfaces ae46 description "L2 interconnect"
    set interfaces ae46 flexible-vlan-tagging
    set interfaces ae46 mtu 9216
    set interfaces ae46 encapsulation flexible-ethernet-services
    set interfaces ae46 aggregated-ether-options link-speed 10g
    set interfaces ae46 aggregated-ether-options lacp active
    set interfaces ae46 aggregated-ether-options lacp periodic fast
    set interfaces ae46 unit 100 encapsulation vlan-bridge
    set interfaces ae46 unit 100 vlan-id 100

     

    set vlans TEC001_qinq_100 interface ge-0/0/0.100
    set vlans TEC001_qinq_100 interface ae46.100

     

    TestSW1

    vlan 10
    name CVLAN10
    !
    vlan 11
    name CVLAN11

    !

    interface GigabitEthernet0/1
    switchport mode trunk
    switchport nonegotiate
    spanning-tree bpdufilter enable
    !
    interface Vlan1
    ip address 192.168.1.10 255.255.255.0
    no ip route-cache
    !
    interface Vlan10
    ip address 192.168.10.10 255.255.255.0
    !
    interface Vlan11
    ip address 192.168.11.10 255.255.255.0
    !

     

    TestSW1#ping 192.168.1.10

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
    TestSW1#ping 192.168.10.10

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    TestSW1#ping 192.168.11.10

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.11.10, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

     

     

    TestSW2

    vlan 10
    name CVLAN10
    !
    vlan 11
    name CVLAN11

    !

    interface GigabitEthernet0/1
    switchport mode trunk
    switchport nonegotiate
    spanning-tree bpdufilter disable
    !
    interface Vlan1
    ip address 192.168.1.20 255.255.255.0
    no ip route-cache
    !
    interface Vlan10
    ip address 192.168.10.20 255.255.255.0
    !
    interface Vlan11
    ip address 192.168.11.20 255.255.255.0
    !

     

     

    TestSW2#ping 192.168.1.20

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.20, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    TestSW2#ping 192.168.10.20

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.20, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
    TestSW2#ping 192.168.11.20

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.11.20, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

     

     

    Hopefully this helps someone else out with their Q-in-Q/QFX/ELS woes.
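
What the push and pop lines in the post above do to a frame on the wire, as an added example that is not part of the original post. The MAC addresses, payload and helper names are constructed for illustration; it models only the tag operations (not `native-vlan-id` handling) and shows the 4 bytes each pushed tag adds, which is the headroom question behind the `mtu 9216` line.

```python
import struct

TPIDS = (0x8100, 0x88A8)  # both TPID values that appear in this thread
S_VLAN = 100              # outer tag from "input-vlan-map vlan-id 100"

def build_frame(payload, cvlan=None):
    """Constructed customer frame (no FCS); cvlan=None means untagged."""
    dst, src = bytes.fromhex("02aabbccdd20"), bytes.fromhex("02aabbccdd10")
    tag = b"" if cvlan is None else struct.pack("!HH", 0x8100, cvlan)
    return dst + src + tag + struct.pack("!H", 0x0800) + payload

def push(frame, vlan_id, tpid=0x8100):
    """input-vlan-map push: insert a new outermost tag after the MACs."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return frame[:12] + struct.pack("!HH", tpid, vlan_id) + frame[12:]

def pop(frame):
    """output-vlan-map pop: strip the outermost tag, refuse if none."""
    if struct.unpack("!H", frame[12:14])[0] not in TPIDS:
        raise ValueError("frame carries no VLAN tag to pop")
    return frame[:12] + frame[16:]

def tag_stack(frame):
    """Return [(tpid, vlan_id), ...], outermost tag first."""
    tags, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid not in TPIDS:
            break
        tags.append((tpid, tci & 0x0FFF))  # VLAN ID is the low 12 bits of the TCI
        off += 4
    return tags

def tunnel(frame):
    """Ingress on SW1 ge-0/0/0.100, carried on ae46.100, egress on SW2."""
    on_wire = push(frame, S_VLAN)
    return on_wire, pop(on_wire)

if __name__ == "__main__":
    for cvlan in (10, 11):  # the two C-VLANs defined on TestSW1/TestSW2
        frame = build_frame(b"\x00" * 1500, cvlan)
        on_wire, delivered = tunnel(frame)
        print(cvlan, len(frame), len(on_wire), tag_stack(on_wire),
              delivered == frame)
```
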



  • 2.  RE: Q-in-Q QFX 5100

     
    Posted 05-08-2017 06:51

    And to take this one step further, how to do L2PT in addition to QinQ:

     

    http://nextheader.net/2016/09/09/qinq-and-l2pt-on-junos-els/


    =====

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.



  • 3.  RE: Q-in-Q QFX 5100

    Posted 05-08-2017 11:30

    Hi Parau,

     

    I haven't looked at your Q-in-Q configuration but I can tell you that L2PT isn't supported on the QFX5100 series - not that the hardware isn't capable but PM has apparently decided to keep this feature on ACX5000 series.

     

    https://pathfinder.juniper.net/feature-explorer/feature-info.html?fKey=1133&fn=Layer+2+protocol+tunneling+(L2PT)

     

     


    #l2pt
    #QFX5100
    #acx5000


  • 4.  RE: Q-in-Q QFX 5100

     
    Posted 05-09-2017 01:34

    Yes, this is correct, L2PT is not supported at this moment on QFX5100/EX4600.





  • 5.  RE: Q-in-Q QFX 5100

    Posted 05-11-2017 21:32

    Hope this helps.

     

    QinQ ELS Configs

    +------------------+         +------------------+         +--------------------+         +--------------------+
    |  EX2200          +---------+  QFX-5100        +---------+  EX3300            +---------+  EX2200            |
    |                  |         |                  |         |                    |         |                    |
    +----------------0/1/0      0/0/0-------------0/0/23     0/1/0-----------------0/0/0    0/1/0-----------------+
                                 +

    EX2200

    root@2200-Left> show configuration vlans
    v200 {
        vlan-id 200;
        interface {
            ge-0/1/0.0;
        }
        l3-interface vlan.200;
    }
    vlans {
        vlan-id 100;
        interface {
            ge-0/0/0.0;
            ge-0/1/0.0;
        }
    }

    {master:0}
    root@2200-Left> show configuration interfaces vlan.200
    family inet {
        address 20.20.20.1/24;
    }

    QFX5100

    root@5100# show interfaces ge-0/0/0
    flexible-vlan-tagging;
    encapsulation extended-vlan-bridge;
    unit 4000 {
        vlan-id-list 100-200;
        input-vlan-map push;
        output-vlan-map pop;
    }

    {master:0}[edit]
    root@5100# show interfaces ge-0/0/23
    flexible-vlan-tagging;
    encapsulation extended-vlan-bridge;
    unit 4000 {
        vlan-id 4000;
    }

    {master:0}[edit]
    root@5100# show vlans
    Svlan {
        interface ge-0/0/23.4000;
        interface ge-0/0/0.4000;
    }

    EX3300

    root@3300# show interfaces ge-0/1/0
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members 4000;
            }
        }
    }

    {master:0}[edit]
    root@3300# show interfaces ge-0/0/0    
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members 4000;
            }
        }
    }

    {master:0}[edit]
    root@3300# show vlans
    Svlan {
        vlan-id 4000;
        ##
        ## Warning: requires 'dot1q-tunneling' license
        ##
        dot1q-tunneling {
            customer-vlans 100 200;
            layer2-protocol-tunneling {
                all;
            }
        }
    }

    {master:0}[edit]
    root@3300# show ethernet-switching-options
    dot1q-tunneling {
        ether-type 0x8100;
    }
    storm-control {
        interface all;
    }

    EX2200

    root@2200-Right# show interfaces ge-0/1/0
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members all;
            }
        }
    }

    [edit]
    root@2200-Right# show vlans
    v200 {
        vlan-id 200;
        l3-interface vlan.200;
    }

    [edit]
    root@2200-Right# show interfaces vlan.200
    family inet {
        address 20.20.20.2/24;
    }


    QinQ with PC directly connected to PE Devices.

         +---------------+           +-----------------+         +------------------+        +-----------------+
         |               |           |                 |         |                  |        |                 |
         |          0/0/0+-----------+0/0/1        0/0/0---------+0/0/0        0/0/1+--------+0/0/0            |
         +---------------+           +-----------------+         +------------------+        +-----------------+
              2200-A                       4300-A                      4300-B                      2200-B
     
    0/0/0-30.30.30.1                  svlan 4000                   svlan 4000                     0/0/0-30.30.30.2
                                      cvlan 100 200                cvlan 100 200                  


    2200-A

    set interfaces ge-0/0/0 unit 0 family inet address 30.30.30.1/24
    set interfaces vlan unit 100 family inet address 10.10.10.1/24
    set interfaces vlan unit 200 family inet address 20.20.20.1/24
    set ethernet-switching-options storm-control interface all
    set vlans v100 vlan-id 100
    set vlans v100 interface ge-0/0/0.0
    set vlans v100 l3-interface vlan.100
    set vlans v200 vlan-id 200
    set vlans v200 interface ge-0/0/0.0
    set vlans v200 l3-interface vlan.200
                                  
    4300-A

    set interfaces ge-0/0/0 flexible-vlan-tagging
    set interfaces ge-0/0/0 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/0 unit 4000 vlan-id 4000
    set interfaces ge-0/0/1 flexible-vlan-tagging
    set interfaces ge-0/0/1 native-vlan-id 50
    set interfaces ge-0/0/1 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/1 unit 4000 vlan-id-list 50
    set interfaces ge-0/0/1 unit 4000 vlan-id-list 100-200
    set interfaces ge-0/0/1 unit 4000 input-vlan-map push
    set interfaces ge-0/0/1 unit 4000 output-vlan-map pop
    set vlans Svlan interface ge-0/0/0.4000
    set vlans Svlan interface ge-0/0/1.4000
    set vlans v50 vlan-id 50

    4300-B

    set interfaces ge-0/0/0 flexible-vlan-tagging
    set interfaces ge-0/0/0 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/0 unit 4000 vlan-id 4000
    set interfaces ge-0/0/1 flexible-vlan-tagging
    set interfaces ge-0/0/1 native-vlan-id 50
    set interfaces ge-0/0/1 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/1 unit 4000 vlan-id-list 50
    set interfaces ge-0/0/1 unit 4000 vlan-id-list 100-200
    set interfaces ge-0/0/1 unit 4000 input-vlan-map push
    set interfaces ge-0/0/1 unit 4000 output-vlan-map pop
    set vlans Svlan interface ge-0/0/0.4000
    set vlans Svlan interface ge-0/0/1.4000
    set vlans v50 vlan-id 50

    2200-B

    set interfaces ge-0/0/0 unit 0 family inet address 30.30.30.2/24
    set interfaces vlan unit 100 family inet address 10.10.10.2/24
    set interfaces vlan unit 200 family inet address 20.20.20.2/24
    set vlans v100 vlan-id 100
    set vlans v100 interface ge-0/0/0.0
    set vlans v100 l3-interface vlan.100
    set vlans v200 vlan-id 200
    set vlans v200 interface ge-0/0/0.0
    set vlans v200 l3-interface vlan.200



  • 6.  RE: Q-in-Q QFX 5100

    Posted 06-29-2017 13:23

    Hi Partha

     

    I'm trying to configure Q-in-Q with QFX5100 and MX. It's not working; I tried many examples given on juniper.net but with no result, and even when I try your given example it's not working for me. Attached is my topology.

     

    Thanks

     

    Abdul



  • 7.  RE: Q-in-Q QFX 5100

     
    Posted 08-30-2017 06:58

    Hi Abdul,

     

    On CE devices:

    root# show vlans                        >>>> Customer VLAN
    CVLAN {
        vlan-id 100;
    }

    root# show interfaces ge-0/0/7          >>>> Interface connected to PE
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members CVLAN;
            }
        }
    }

    On PE devices:

    root# show interfaces ge-0/0/0          >>>> Interface connected to PE
    flexible-vlan-tagging;
    encapsulation extended-vlan-bridge;
    ether-options {
        ethernet-switch-profile {
            tag-protocol-id 0x88a8;
        }
    }
    unit 10 {
        vlan-id 100;
    }

    root# show interfaces ge-0/0/7          >>>> Interface connected to CE
    flexible-vlan-tagging;
    encapsulation extended-vlan-bridge;
    unit 10 {
        vlan-id-list 100;
        input-vlan-map push;     /* Add a new VLAN tag to the top of the VLAN stack */
        output-vlan-map pop;     /* Remove the VLAN tag from the top of the VLAN tag stack */
    }

    root# show vlans                        >>>> SP VLAN
    SVLAN {
        interface ge-0/0/0.100;
        interface ge-0/0/7.100;
    }

    root# run show vlans
    Routing instance        VLAN name             Tag          Interfaces
    default-switch          SVLAN                 NA           ge-0/0/0.100
                                                               ge-0/0/7.100*

    input-vlan-map: define the rewrite profile to be applied to incoming frames on this logical interface.

    output-vlan-map: define the rewrite operation to be applied to outgoing frames on this logical interface.