Cisco: Is it possible to see an EFP path within an EVC

ciscoevclayer2

The topology diagram below shows multiple CPE devices, each has multiple WAN sub-interface that are dot1q tagged as VLAN 10 and 20 in this example. The PE ME3600 devices has an SVI with an IP address in a /24 range in VLAN 20 and each CPE has a WAN interface encapsualted in VLAN 20 within the same /24. This topology is all configured an working just fine. A CPE can ping .1 and the PE can ping .10 for example.

The layer 2 aggregation device adds a QinQ outer tag to each CPE connection so that at the PE device each layer 2 connection can be differenciated between despite trunking the same VLANs to each CPE with their IPs being in a /24.

enter image description here

The config the ME3600 port is as follows;

interface GigabitEthernet0/1
 switchport trunk allowed vlan none
 switchport mode trunk
 service instance 11 ethernet
  description cust1-LAN
  encapsulation dot1q 101 second-dot1q 10
  rewrite ingress tag pop 2 symmetric
  bridge-domain 10
 !
 service instance 101 ethernet
  description cust1-MGMT
  encapsulation dot1q 101 second-dot1q 20
  rewrite ingress tag pop 2 symmetric
  bridge-domain 20
 !
 service instance 12 ethernet
  description cust2-LAN
  encapsulation dot1q 102 second-dot1q 10
  rewrite ingress tag pop 2 symmetric
  bridge-domain 10
 !
 service instance 102 ethernet
  description cust21-MGMT
  encapsulation dot1q 102 second-dot1q 20
  rewrite ingress tag pop 2 symmetric
  bridge-domain 20
 !
interface Vlan20
 ip address 10.10.10.1 255.255.255.0

What I want to know is;

How can I see the outer tag the ME3600 will apply to frames sent out towards one of the CPEs, lets say 10.10.10.10? Something like show ip cef exact-route or show ip arp that shows the path the traffic will take through the EFPs and EVC back towards the CPE?

The test scenario is that I want to see what outer tag will be applied by the PE device when sending taffic to 10.10.10.15, the 2nd CPE (which allows me to verify that 10.10.10.15 came in on VLAN 102 and was correctly encapsulated from the downstream layer 2 aggregation device which is not Cisco and out of the scope of this question – I'm looking solely at the ME3600)

If I look at the ARP entry for the CPE 10.10.10.10 for example I get output like the following;

show ip arp 10.10.10.10
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.10             4   0001.1111.1111  ARPA   Vlan20

With the QinQ scenario above the sevice instance under gi0/1 strips off outer VLAN 100 and inner VLAN 20 then bridges to SVI 20. The 3600 must have recorded the way that traffic came in through the EVC to send it back, where can I see that?

Best Answer

As soon as I offer a bounty I find the answer, typical!

The magic commaned I needed is show mac-address-table bridge-domain 20

ME3600#show mac-address-table bridge-domain 20
          Mac Address Table
-------------------------------------------

BD      Mac Address       Type        Ports
----    -----------       --------    -----
20      1111.2222.96e2    DYNAMIC     Gi0/1+Efp101
20      1111.2222.3c8e    DYNAMIC     Gi0/1+Efp20
20      1111.2222.4b59    DYNAMIC     Gi0/1+Efp102

Here we can see the first MAC is learnt from customer one via service instance 101 (buy looking at service instance 101 on gi0/1 I can see the outer tag will be VLAN ID 101).
The second MAC is learnt from a native VLAN 20 on the interface without QinQ
The last MAC is learnt from customer 2 via service instance 102 (again by looking at service instance 102 on gi0/1 I see the outer tag will be VLAN ID 102).

Related Solutions

Cisco – Using RADIUS to restrict SSID on Cisco Aironet

Try changing the operator in the freeradius config to "=~" :

ospite-5vh Cisco-AVPair =~ "ssid=Interactive_Ospiti"

Cisco – Configure Cisco ASA in Transparent mode: Layer2 DMZ w/ Vlan translation

I don't have SUP7 to test, but it works on SUP6 and SUP32, I would presume SUP7 retains this functionality.

I've tested between JNPR M320 <-> SUP32, and 'vlan mapping JNPR SUP32' works just fine.

There is no need for QinQ, what the QinQ option does is it adds top tag to one particularly tag. So switchport vlan mapping 1042 dot1q-tunnel 42 would map incoming [1042] stack to [42 1042] stack. As opposed to switchport vlan mapping 1042 42 which maps incoming dot1q Vlan [1042] to dot1q Vlan [42].

JNPR M320 config:

{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# show 
vlan-id 1042;
family inet {
    address 10.42.42.1/24;
}
{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# run show interfaces ge-0/1/0               
Physical interface: ge-0/1/0, Enabled, Physical link is Up
  Interface index: 135, SNMP ifIndex: 506
  Description: B: SUP32 ge5/1
  Link-level type: Flexible-Ethernet, MTU: 9192, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled,
  Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 00:12:1e:d5:90:7f, Hardware address: 00:12:1e:d5:90:7f
  Last flapped   : 2013-02-19 09:14:29 UTC (19w6d 21:12 ago)
  Input rate     : 4560 bps (5 pps)
  Output rate    : 6968 bps (4 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

SUP32 config:

SUP32#show run int giga5/1
Building configuration...

Current configuration : 365 bytes
!
interface GigabitEthernet5/1
 description F: M320 ge-0/1/0
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport vlan mapping enable
 switchport vlan mapping 1042 42
 mtu 9216
 bandwidth 1000000
 speed nonegotiate
 no cdp enable
 spanning-tree portfast edge trunk
 spanning-tree bpdufilter enable
end

SUP32#show ru int vlan42
Building configuration...

Current configuration : 61 bytes
!
interface Vlan42
 ip address 10.42.42.2 255.255.255.0
end

SUP32#sh int GigabitEthernet5/1 vlan mapping  
State: enabled
Original VLAN Translated VLAN
------------- ---------------
  1042           42  

SUP32#sh int vlan42                           
Vlan42 is up, line protocol is up 
  Hardware is EtherSVI, address is 0005.ddee.6000 (bia 0005.ddee.6000)
  Internet address is 10.42.42.2/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:09, output 00:01:27, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 17 pkt, 1920 bytes - mcast: 0 pkt, 0 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
     38 packets input, 3432 bytes, 0 no buffer
     Received 21 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles 
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     26 packets output, 2420 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

And

SUP32#ping 10.42.42.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.42.42.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SUP32#sh arp | i 10.42.42.1
Internet  10.42.42.1             12   0012.1ed5.907f  ARPA   Vlan42
SUP32#show mac address-table dynamic address 0012.1ed5.907f
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age              ports
------+----------------+--------+-----+----------+--------------------------
Active Supervisor:
*  450  0012.1ed5.907f   dynamic  Yes          0   Gi5/1
*   50  0012.1ed5.907f   dynamic  Yes          0   Gi5/1
*   40  0012.1ed5.907f   dynamic  Yes          0   Gi5/1
*   42  0012.1ed5.907f   dynamic  Yes          5   Gi5/1


user@m320# run ping 10.42.42.2 count 2 
PING 10.42.42.2 (10.42.42.2): 56 data bytes
64 bytes from 10.42.42.2: icmp_seq=0 ttl=255 time=0.495 ms
64 bytes from 10.42.42.2: icmp_seq=1 ttl=255 time=0.651 ms

--- 10.42.42.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.495/0.573/0.651/0.078 ms

{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# run show arp no-resolve |match 10.42.42.2 
00:05:dd:ee:60:00 10.42.42.2      ge-0/1/0.1042        none

Best Answer

Related Solutions

Cisco – Using RADIUS to restrict SSID on Cisco Aironet

Cisco – Configure Cisco ASA in Transparent mode: Layer2 DMZ w/ Vlan translation

Related Topic