VLAN Mapping – Double to Single-Tagged Interface Guide


Is it possible to map C-VLANs from a single-tagged interface to S-VLANs on a double-tagged interface while retaining the capability for all customers to access the service on a different tagged switch port?

The figure below probably better illustrates what I'm trying to achieve here. I've been told by multiple people that this is not quite possible without a secondary switch, but they couldn't really explain why. The switch in place is a Cisco Nexus 3548, but I'd like to know the opinion in general on what the possibilities are to do all this on a single machine.


Best Answer

What you're proposing is not going to be possible in a single box.

If we focus just on C-TAG 300, then from the switch port perspective traffic on the Customer-facing/left-most port in your diagram will require ingress frames to have the outer (S-Tag) popped off and traffic dropped into C-VLAN 300 on the switch (so it can be passed to other tagged member interfaces).

When traffic is returning towards this interface, however, you will only be able to push a single S-TAG onto C-TAG 300 frames that egress this port: either 500 OR 600. The switch has no way of differentiating traffic back to each customer, as any MAC being learnt from this port would be in VLAN 300 from the switch point of view, and not an associated S-VLAN.

It would be possible using two switches (or dare I suggest it, one switch with a cable looped back to itself), but not particularly scalable as the number of S-Tags increases.

Below is a very ghetto ASCII network diagram of how this would work:

                           Switch 1           Switch 2
                         +----------+         +-------+
 --[600 300]--[500 300]--|-+-(500)--|--[300]--|-(300)-|---[ ]---
     Customer-facing     | +-(600)--|--[300]--|-(   )-|--[300]-- 
                         +----------+         +-------+

From the left, you would have the port facing your customers trunked for both S-Tags, and then define VLANs on the switch for both S-VLANs (500 and 600).

You would then have a port in each S-VLAN untagged connected to Switch 2 - this would send out frames with only the payload of each Q-in-Q frame which in this example would be a frame with single C-Tag 300 on it.

On switch 2, you would define VLAN 300 (and other C-VLANs) and have tagged-ports allowing VLAN 300 facing Switch 1.

It may not be immediately obvious from my masterpiece diagram, but Switch 2 has just one big VLAN 300 with four physical interfaces.

Now you can have your other ports with VLAN 300 singly tagged (or untagged) going off to your various services.

As it turns out, it doesn't look like the Nexus 3548 is capable of Q-in-Q:

From Cisco Documentation:

The ability to configure Q-in-Q is available only for Cisco Nexus 3000 and 3100 Series switches. Q-in-Q is automatically enabled when you configure a VLAN ID for an edge port, if the VLAN ID is maintained on the edge port.
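
The MAC-learning argument in the answer above can be checked with a toy model. This is an added example, not part of the original answer and not vendor code: it assumes a forwarding table keyed by (VLAN, MAC), and the port name, MAC addresses and frames are constructed for illustration.

```python
# Added illustration: a toy model of 802.1Q MAC learning, where the forwarding
# table is keyed by (VLAN, MAC). All names and sample frames are constructed.
CUST = "customer-port"
MAC_A, MAC_B = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
# (S-tag, C-tag, source MAC) as received on the customer-facing port
FRAMES = [(500, 300, MAC_A), (600, 300, MAC_B)]


def single_box(frames, egress_s_tag):
    """One switch: pop the S-tag on ingress, bridge in the C-VLAN.

    Returns {mac: S-tag pushed on return traffic}.
    """
    fdb = {}
    for _s_tag, c_tag, mac in frames:
        fdb[(c_tag, mac)] = CUST          # the popped S-tag is not recorded
    # Return path: the lookup yields only a port, and that port can push
    # just one configured S-tag for C-VLAN 300.
    return {mac: egress_s_tag for (_c, mac), port in fdb.items() if port == CUST}


def two_switches(frames):
    """Switch 1 bridges on S-VLANs, switch 2 on C-VLANs, one link per S-VLAN.

    Returns {mac: S-tag pushed on return traffic}.
    """
    fdb1, fdb2 = {}, {}
    for s_tag, c_tag, mac in frames:
        fdb1[(s_tag, mac)] = CUST         # learnt in the S-VLAN on the trunk
        fdb2[(c_tag, mac)] = s_tag        # learnt on the link from that S-VLAN
    pushed = {}
    for _s_tag, c_tag, mac in frames:
        link = fdb2[(c_tag, mac)]         # switch 2 picks the link per MAC
        # Switch 1 receives the frame on the untagged port of S-VLAN `link`
        # and tags it with that S-VLAN when it leaves the customer trunk.
        if fdb1.get((link, mac)) == CUST:
            pushed[mac] = link
    return pushed


def mistagged(frames, pushed):
    """MACs whose return traffic carries a different S-tag than they sent."""
    return sorted(mac for s_tag, _c, mac in frames if pushed.get(mac) != s_tag)


if __name__ == "__main__":
    print(mistagged(FRAMES, single_box(FRAMES, 500)))
    print(mistagged(FRAMES, two_switches(FRAMES)))
```

In the two-switch model both customers' MACs sit in the same VLAN 300 table on switch 2, so the separation the S-tags provided ends at that switch.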
