Configuring Packet Bridging Between Different QinQ S-TAG/C-TAG Pairs on the Same Bridge Domain Port
Starting from NetVisor OS release 7.0.2, an enhancement is implemented to support packet bridging between bridge domain logical ports, i.e., between different QinQ S-TAG/C-TAG pairs on the same physical port for a given bridge domain. This capability allows configurations to use different (S-TAG, C-TAG) BD pairs on the same port and to enable connected endpoints to communicate with each other (even if using different TAG pairs). Ports that support multiple TAG pair combinations (currently up to two) can be host ports as well as redundant trunk or vLAG ports (as shown in the figures below).
Note: This capability requires newer forwarding ASICs for the rewriting of both the S-TAG and C-TAG packet fields while performing packet bridging. So it is supported only on the NRU03, NRU-S0301, AS7726-32X/F9432-C, AS7326-56X/F9480-V, AS5835-54X/F9460-X, AS5835-54T/F9460-T platforms and on the Dell S5200 Series.
Note: For QinQ ports the default TPID is 0x88a8.
To add up to two TAG pairs (i.e., inner and outer VLAN ID pairs), you can use the command sequence shown in the following example:
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 106 inner-vlan 41
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 107 inner-vlan 42
Trying to add an additional pair to the same port and to the same BD yields an error (since the limit has been reached):
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 108 inner-vlan 43
bridge-domain-port-add: cannot add BD port as max Q-in-Q BD port number 2 exceeded for bridge-domain BD1 on port 17
The configuration for BD1 can be displayed like so:
CLI (network-admin@switch*) > bridge-domain-port-show name BD1
name port outer-vlan single-bum-domain inner-vlan l2-learning
------- ---- ---------- ----------------- ---------- -----------
BD1 17 900 false 880 none
BD1 17 901 false 881 none
To remove the BD port configuration:
CLI (network-admin@switch*) > bridge-domain-port-remove name BD1 port 17
Note: This feature is supported with the auto or remove-tags mode of bridge domains. Transparent mode configuration is rejected in conjunction with this feature, as it is not applicable. For example:
CLI (network-admin@switch*) > bridge-domain-create name BD1 scope fabric vxlan 300900 rsvd-vlan 4009 vxlan-inner-packet transparent
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 1060 inner-vlan 410
bridge-domain-port-add: bridge-domain BD1 in TRANSPARENT mode, does not support Untagged or QinQ port with both tags
Applicable Network Topologies
This feature’s main use case is to interconnect different endpoints (for example VMs on the same server) configured with different S-TAGs and C-TAGs. The endpoints are configured in the same subnet and can communicate at Layer 2 by bridging traffic between them.
A server may be connected to the leaf switch with a single link as shown below:
Figure 9-7: Single-homed Host Connected to a BD with Multiple (S-TAG, C-TAG) Pairs
Two endpoints within the same subnet can communicate using the following configuration:
CLI (network-admin@switch) > bridge-domain-create name BD1 scope fabric vxlan 300300 rsvd-vlan 4002
CLI (network-admin@switch) > bridge-domain-port-add name BD1 port 17 outer-vlan 106 inner-vlan 41
CLI (network-admin@switch) > bridge-domain-port-add name BD1 port 17 outer-vlan 107 inner-vlan 42
The inter-endpoint unicast and BUM traffic is bridged within BD1 and is tagged with the (106, 41) and (107, 42) TAG pairs accordingly based on the destination:
CLI (network-admin@switch) > l2-table-show bd BD1
mac bd vlan inner-vlan vxlan ip ports state status
----------------- ---- ---- ---------- ------ ---------- ----- ------ ------
00:12:c0:80:36:a1 BD1 107 42 300300 100.1.1.61 17 active host
00:12:c0:80:33:1e BD1 106 41 300300 100.1.1.51 17 active host
Instead of a single link, a multi-link trunk can also be used for single-homed devices. It can be configured like so:
CLI (network-admin@switch*) > trunk-show name trunk1 format name,ports,hash-mode,enable,lacp-mode,lacp-timeout,status
trunk-id name ports hash-mode enable lacp-mode lacp-timeout status
-------- ------ ----- --------- ------ --------- ------------ -------------------------------
272 trunk1 1,125 enhanced on off slow up,PN-switch,PN-other,STP-BPDUs
CLI (network-admin@switch*) > bridge-domain-create name BD1 scope fabric vxlan 12000004 auto-vxlan rsvd-vlan 4019
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 272 outer-vlan 510 inner-vlan 61
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 272 outer-vlan 610 inner-vlan 51
CLI (network-admin@switch*) > l2-table-show bd BD1
mac bd vlan inner-vlan vxlan ip ports state status
----------------- --- ---- ---------- -------- ---------- ----- ------ ------
00:12:c0:80:33:1e BD1 510 61 12000004 109.1.1.51 1,125 active host
00:12:c0:80:36:a1 BD1 610 51 12000004 109.1.1.61 1,125 active host
For redundancy purposes, a switch cluster pair can be configured with two QinQ ports as a vLAG for the same BD, as shown below, to connect to a dual-homed server:
Figure 9-8: Dual-homed Host Connected to a BD with Multiple (S-TAG, C-TAG) Pairs
Note: This BD configuration also works with Cluster-over-Layer 3.
Alternatively, instead of a server, a switch can also be connected to the vLAG member ports as shown below:
Figure 9-9: Dual-homed Switch Connected to a BD with Multiple (S-TAG, C-TAG) Pairs
Supported TAG Pairings on a Port for a Given BD
Not all TAG pairing schemes are supported:
1) Using different S-TAGs and C-TAGs in the pairings is supported as shown in this example:
CLI (network-admin@switch*) > bridge-domain-create name BD1 scope fabric vxlan 12000001 auto-vxlan rsvd-vlan 4002
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 106 inner-vlan 41
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 107 inner-vlan 42
CLI (network-admin@switch*) > l2-table-show bd BD1
mac bd vlan inner-vlan vxlan ip ports state status
----------------- --- ---- ---------- -------- ---------- ----- ------ ------
00:12:c0:80:33:1e BD1 106 41 12000001 100.1.1.51 17 active host
00:12:c0:80:36:a1 BD1 107 42 12000001 100.1.1.61 17 active host
2) Using the same C-TAG with different S-TAGs in the pairings is supported:
CLI (network-admin@switch*) > bridge-domain-create name BD1 scope fabric vxlan 12000002 auto-vxlan rsvd-vlan 4003
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 206 inner-vlan 32
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 207 inner-vlan 32
CLI (network-admin@switch*) > l2-table-show bd BD1
mac bd vlan inner-vlan vxlan ip ports state status
----------------- --- ---- ---------- -------- ---------- ----- ------ ------
00:12:c0:80:36:a1 BD1 207 32 12000002 102.1.1.61 17 active host
00:12:c0:80:33:1e BD1 206 32 12000002 102.1.1.51 17 active host
3) On the other hand, reusing the same S-TAG is not a valid configuration:
CLI (network-admin@switch*) > bridge-domain-create name BD1 scope fabric auto-vxlan rsvd-vlan 4009
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 306 inner-vlan 33
Trying to add another BD port with same S-TAG/outer VLAN ID is rejected (regardless of the chosen inner VLAN ID):
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 306 inner-vlan 35
bridge-domain-port-add: out-vlan 306 for BD port already configured for bridge-domain BD1 on port 17
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 306 inner-vlan 33
bridge-domain-port-add: out-vlan 306 for BD port already configured for bridge-domain BD1 on port 17
Configuration of Single and Double TAG on the Same Port
It is also possible to configure on the same port a combination of a single C-TAG and a dual (S-TAG, C-TAG) pairing for the same BD.
In this case, the BD mode needs to be vxlan-inner-packet remove-tags. In other words, in auto or transparent mode the configuration is rejected with an error.
Here is an example of configuration of single and double TAG on the same port:
CLI (network-admin@switch*) > bridge-domain-create name BD1 scope fabric auto-vxlan rsvd-vlan 4005 vxlan-inner-packet remove-tags
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 109 inner-vlan 45
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 vlans 81
CLI (network-admin@switch*) > l2-table-show bd BD1
mac               bd  vlan inner-vlan vxlan    ip         ports state  status
----------------- --- ---- ---------- -------- ---------- ----- ------ ------
00:12:c0:80:33:1e BD1 109  45         12000000 200.1.1.51 17    active host
00:12:c0:80:36:a1 BD1 81              12000000 200.1.1.61 17    active host
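The rules stated so far (at most two QinQ pairs per port per BD, no reuse of an S-TAG, no QinQ pairs in transparent mode, single plus double TAG only in remove-tags mode) can be checked offline before a change is pushed. The following is an added example, not NetVisor code: check_plan, MODES and PLAN are hypothetical names, and it assumes the two-pair limit also applies when single and double TAGs are mixed.

```python
# Added example: offline pre-check of planned BD port entries against the
# rules stated on this page. Names below are hypothetical, not NetVisor APIs.
from collections import defaultdict

MAX_QINQ_PAIRS = 2  # "currently up to two" TAG pairs per port per BD

def check_plan(bd_modes, entries):
    """bd_modes: {bd: 'auto'|'remove-tags'|'transparent'}
    entries: list of (bd, port, outer_vlan, inner_vlan); outer_vlan=None
    means a single-tagged entry (the 'vlans N' form).
    Returns a list of human-readable violations (empty list = plan is OK)."""
    errors = []
    seen = defaultdict(list)  # (bd, port) -> accepted entries so far
    for bd, port, outer, inner in entries:
        mode = bd_modes[bd]
        prior = seen[(bd, port)]
        qinq = [e for e in prior if e[0] is not None]
        single = [e for e in prior if e[0] is None]
        where = f"{bd} port {port}"
        if outer is not None:
            if mode == "transparent":
                errors.append(f"{where}: QinQ pair not allowed in transparent mode")
                continue
            if len(qinq) >= MAX_QINQ_PAIRS:
                errors.append(f"{where}: more than {MAX_QINQ_PAIRS} QinQ pairs")
                continue
            if any(o == outer for o, _ in qinq):
                errors.append(f"{where}: outer-vlan {outer} already used")
                continue
        mixes = (outer is None and qinq) or (outer is not None and single)
        if mixes and mode != "remove-tags":
            errors.append(f"{where}: single + double tag needs remove-tags mode")
            continue
        prior.append((outer, inner))
    return errors

# Constructed plan mirroring the page's examples.
MODES = {"BD1": "auto", "BD2": "transparent", "BD3": "remove-tags"}
PLAN = [
    ("BD1", 17, 106, 41), ("BD1", 17, 107, 42),   # two pairs: accepted
    ("BD1", 17, 108, 43),                          # third pair: rejected
    ("BD2", 17, 1060, 410),                        # transparent: rejected
    ("BD3", 17, 109, 45), ("BD3", 17, None, 81),  # mix in remove-tags: OK
    ("BD3", 17, 109, 46),                          # same S-TAG: rejected
]

if __name__ == "__main__":
    for line in check_plan(MODES, PLAN):
        print(line)
```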
Outer TPID Setting
The standard TPID value for IEEE 802.1ad is 0x88a8 (the default setting). In some cases, though, another TPID may be needed (such as 0x8100, called dot1q). With such a configuration change, all the BD ports with QinQ configuration can use 0x8100 as the outer TPID. This is done with port-level configuration like so:
CLI (network-admin@switch*) > port-tpid-modify ports 17 outer-tpid dot1q
CLI (network-admin@switch*) > bridge-domain-create name BD1 scope fabric vxlan 12000004 auto-vxlan rsvd-vlan 4019
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 510 inner-vlan 61
CLI (network-admin@switch*) > bridge-domain-port-add name BD1 port 17 outer-vlan 610 inner-vlan 51
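To see why the outer TPID on the port has to match what the attached device sends, the added example below parses a double-tagged header under each setting. It is generic 802.1Q/802.1ad parsing written for this page, not NetVisor code; parse_tags and build_frame are hypothetical names and the frames are constructed.

```python
# Added example: generic 802.1Q/802.1ad tag parsing, not NetVisor code.
import struct

TPID_8021AD = 0x88A8  # default outer TPID for QinQ ports (per this page)
TPID_DOT1Q = 0x8100   # value selected by "outer-tpid dot1q"

def parse_tags(frame, outer_tpid=TPID_8021AD):
    """Return (s_vid, c_vid, ethertype) as seen by a port that expects
    outer_tpid on the S-TAG; a VID is None when that tag is not recognised."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    s_vid = c_vid = None

    def pop_tag():
        nonlocal off, etype
        if len(frame) < off + 6:
            raise ValueError("truncated VLAN tag")
        tci, etype = struct.unpack_from("!HH", frame, off + 2)
        off += 4
        return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID

    if etype == outer_tpid:
        first = pop_tag()
        if etype == TPID_DOT1Q:          # a C-TAG follows: double-tagged
            s_vid, c_vid = first, pop_tag()
        elif outer_tpid == TPID_DOT1Q:   # lone 0x8100 tag: single-tagged
            c_vid = first
        else:
            s_vid = first
    elif etype == TPID_DOT1Q:
        c_vid = pop_tag()
    return s_vid, c_vid, etype

def build_frame(outer_tpid, s_vid, c_vid):
    """Constructed test frame: zeroed MACs, two tags, IPv4 EtherType."""
    return (bytes(12) + struct.pack("!HH", outer_tpid, s_vid)
            + struct.pack("!HH", TPID_DOT1Q, c_vid) + struct.pack("!H", 0x0800))

if __name__ == "__main__":
    f = build_frame(TPID_DOT1Q, 510, 61)  # tag pair from the example above
    print(parse_tags(f, TPID_DOT1Q))      # port set to outer-tpid dot1q
    print(parse_tags(f))                  # port left at the default TPID
```

With the matching TPID the parser recovers the (510, 61) pair; with the default TPID the same bytes read as a single tag with VLAN ID 510.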