Q-in-Q tunnel and access ports

My understanding of access ports is that the switch strips the vlan id tag when forwarding traffic down an access port.  I always thought that access ports could not be used with tunnel ports for this reason.  How is it that you are able to use access ports with tunnel ports?  Wouldn't it show up at the tunnel port without a tag?

Comments

  • This is pretty interesting. I looked into this a little and found the following snippet in a Cisco Document.

    "You can also enable Layer 2 protocol tunneling on access ports on the edge switch connected to access ports on the customer switch. In this case, the encapsulation and de-encapsulation behavior is the same as described in the previous paragraph, except that the packets are not double-tagged in the service-provider network. The single tag is the customer-specific access VLAN tag."

    So I guess what is happening is the ingress tunnel port receives the traffic untagged and it slaps the metro tag on.  So now it has a single metro tag and it gets forwarded out the trunk ports where it arrives at the egress port which strips the metro tag and sends the untagged frame out the access port.  The switch then delivers this frame like it normally would to all the access ports that belong to this vlan and trunk ports that are trunking it.

    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swtunnel.html#wp1004019

  • There's a difference between L2 Protocol Tunneling and actual Q-in-Q.  If you are tunneling between two ports on the same switch, or are simply passing CDP traffic, there's no place multiple tags will ever occur.  Therefore access-mode ports are just fine.

    If you are sending a trunk inside a VLAN between multiple "inside" switches, you'll need an outside tag and an inside tag.  Here, access-mode will not be very helpful.

     

    HTH,

     





    Scott Morris, CCIE 4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
    CCSI/JNCI-M/JNCI-ER
    Senior CCIE Instructor

    Internetwork Expert, Inc.
    http://www.InternetworkExpert.com
    Toll Free: 877-224-8987
    Outside US: 775-826-4344
    Online Community: http://tinyurl.com/6dmnsu
    CCIE Blog: http://tinyurl.com/2nxxaq

    Knowledge is power.
    Power corrupts.

    Study hard and be Eeeeviiiil......





    From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
    Sent: Tuesday, December 16, 2008 1:01 PM
    To: [email protected]networkexpert.com
    Subject: [CCIE R&S] Q-in-Q tunnel and access ports


  • Hmmm that's funny I was actually looking at lab 16 1.4 which asks you to tunnel V45 over 2 switches and to use access ports.  So this is an example of a situation where we are sending a vlan (45) inside another vlan (100,200) across multiple switches.  But it wouldn't technically be "Q-in-Q" because the access ports are stripping off the V45 tag. 

    So I am not sure what you would call this!  I just thought it was interesting because you aren't transporting that V45 tag but because access ports are used on both ends the result is the same. 

  • Because the two endpoint switches (in vlan 45) are not sending anything tagged.

     

    HTH,

     

    Scott





    From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
    Sent: Tuesday, December 16, 2008 6:56 PM
    To: [email protected]
    Subject: Re: [CCIE R&S] RE: Q-in-Q tunnel and access ports


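The tag handling discussed in this thread, as an added example that is not part of any post: a byte-level Python model that follows one frame from a customer port through a tunnel port, across the provider trunk, and out the far tunnel port, for both an access-port and a trunk-port customer. VLAN 45 and metro VLAN 100 come from the thread; the MAC addresses, payload and function names are constructed for illustration, and VLAN 45 is assumed not to be the customer trunk's native VLAN.

```python
import struct

TPID_8021Q = 0x8100  # outer-tag TPID assumed for the tunnel port (the 802.1Q default)

def push_tag(frame, vid):
    """Insert an 802.1Q tag directly after the destination and source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]

def pop_tag(frame):
    """Strip the outermost tag and return (vid, remaining_frame)."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("frame carries no 802.1Q tag")
    return tci & 0x0FFF, frame[:12] + frame[16:]

def tag_stack(frame):
    """Return the VLAN IDs on the frame, outermost first."""
    vids, offset = [], 12
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if tpid != TPID_8021Q:
            break
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids

def cross_tunnel(frame, customer_vid, customer_port, metro_vid):
    """Trace one frame: customer port -> tunnel port -> provider trunk -> tunnel port."""
    # Customer edge: a trunk sends the frame tagged, an access port sends it untagged.
    sent = push_tag(frame, customer_vid) if customer_port == "trunk" else frame
    # Ingress tunnel port: adds the metro tag whether or not a tag is already present.
    in_core = push_tag(sent, metro_vid)
    # Egress tunnel port: removes only the metro tag before handing the frame back.
    outer, delivered = pop_tag(in_core)
    if outer != metro_vid:
        raise ValueError("unexpected outer tag")
    return {"sent": tag_stack(sent), "core": tag_stack(in_core),
            "delivered": tag_stack(delivered), "unchanged": delivered == sent}

# Constructed sample frame: locally administered MACs, IPv4 EtherType, dummy payload.
SAMPLE = bytes.fromhex("0200000000b2" "0200000000a1" "0800") + b"\x00" * 46

if __name__ == "__main__":
    for port in ("access", "trunk"):
        print(port, cross_tunnel(SAMPLE, 45, port, 100))
```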