Table Of Contents

Configuring 4-Port Gigabit Ethernet WAN Optical Services Modules

Supported Features

Saving your Configuration Before Upgrading from an OSM-4GE-WAN-GBIC to an OSM-2+4GE-WAN+

Gigabit Ethernet WAN Port Configuration

Basic Interface Configuration

Configuring Strict Priority Low Latency Queuing (LLQ) Support on the OSM-2+4GE-WAN+

Examples

Quality of Services

Advanced QinQ Service Mapping

QinQ Translation—Double Tag to Single Tag Translation

QinQ Transparent Tunneling—Double Tag to Double Tag Translation

Out-of-Range and Unspecified In-Range Packets

Per VLAN Load Balancing for Advanced QinQ Service Mapping

Configuring Advanced QinQ Service Mapping

Enabling IEEE 802.1Q-in-802.1Q Translation on a Gigabit Ethernet WAN Interface

Prerequisites

Restrictions

Examples

Enabling IEEE 802.1Q-in-802.1Q Translation on a QinQ Link Bundle

Prerequisites

Restrictions

Examples

Configuring the Service Provider Edge Router

Prerequisites

Examples

Configuring QinQ Translation—Double Tag to Single Tag Translation

Prerequisites

Restrictions

Examples

Configuring QinQ Transparent Tunneling—Double Tag to Double Tag Translation

Prerequisites

Restrictions

Examples

Configuring a Policy Map to Use the Inner COS Bits

Prerequisites

Restrictions

Examples

Disabling IEEE 802.1Q-in-802.1Q Mapping and Translation

Configuration Examples for Advanced QinQ Service Mapping

QinQ Translation Configuration Example—Two-Tag to One-Tag Translation

QinQ Transparent Tunneling Configuration Example

QinQ Translation Using Port-Channel Interfaces Example

Configuring 4-Port Gigabit Ethernet WAN Optical Services Modules

---

This chapter provides an overview of the features supported on the 4-port Gigabit Ethernet WAN Optical Services Modules (OSM-2+4GE-WAN+ and OSM-4GE-WAN-GBIC) supported on Cisco Catalyst 6500 series switches and Cisco 7600 series routers.

This chapter consists of these sections:

•Supported Features

•Saving your Configuration Before Upgrading from an OSM-4GE-WAN-GBIC to an OSM-2+4GE-WAN+

•Gigabit Ethernet WAN Port Configuration

•Quality of Services

•Advanced QinQ Service Mapping

Supported Features

The following Layer 3 features are supported on the Gigabit Ethernet WAN optical services modules (OSMs):

•Forwarding of distributed IP services

•Multiprotocol Label Switching (MPLS)

•Ethernet over Multiprotocol Label Switching (EoMPLS)

•Frame Relay over MPLS

•ATM cell relay over MPLS VC-Mode

•ATM AAL5 over MPLS

•IOS Modular QoS Command Line Interface (MQC) QoS

•Flow control

•802.1Q VLAN trunking

•Advanced 802.1Q-to-802.1Q (QinQ) Service Mapping

•Hot Standby Routing Protocol (HSRP)

•Jumbo frames

•Support for up to 32,000 MAC addresses per port

•Support for up to 32,000 simultaneous ACL entries

•Support for up to 32,000 simultaneous QoS entries

•SNMP I and II

•Four RMON groups per port: statistics, history, alarms, and events

•Online insertion and removal (OIR)

•Inter-Switch Link (ISL)

---

Note The OSM-2+4GE-WAN+ module supports ISL on the Layer 2 Gigabit Ethernet LAN ports but does not support ISL on the Layer 3 Gigabit Ethernet WAN ports.

---

The Layer 2 Gigabit Ethernet ports on the OSMs are configured from the supervisor engine of the Cisco Catalyst 6500 series switch or the Cisco 7600 series router. For feature support and configuration information for the OSM Layer 2 Gigabit Ethernet ports, refer to the links in the "Layer 2 Software Features" section on page 1-5.

Saving your Configuration Before Upgrading from an OSM-4GE-WAN-GBIC to an OSM-2+4GE-WAN+

When you upgrade from OSM-4GE-WAN-GBIC to an OSM-2+4GE-WAN+, the existing configuration will not be saved and applied to the new OSM-2+4GE-WAN+.

To save your configuration when upgrading from an OSM-4GE-WAN-GBIC to an OSM-2+4GE-WAN+, perform this task:

---

Step 1 Enter the write memory command before removing the OSM-4GE-WAN-GBIC.

Step 2 Install the new OSM-2+4GE-WAN+.

Step 3 Enter the copy startup-config running-config command.

Step 4 Enter the write memory command.

---

Warning The orientation of the GBIC in OSM-4GE-WAN-GBIC ports is reversed (upside down) from those of the LAN ports for OSM-2+4GE-WAN+.

---

---

Gigabit Ethernet WAN Port Configuration

The four Gigabit Ethernet WAN ports on the 4-port Gigabit Ethernet WAN OSMs are controlled by Cisco IOS software and support all standard Cisco IOS features. For configuration information for standard Cisco IOS features and routing protocols supported on the GE-WAN ports, refer to the appropriate Cisco IOS configuration guide and command reference publications at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/index.htm

Basic Interface Configuration

After you verify that the 4-port Gigabit Ethernet WAN OSM is installed correctly, use the configure command to configure the Gigabit Ethernet WAN interfaces.

The following procedure is for creating a basic configuration—enabling an interface and specifying IP routing. You might also need to enter other configuration subcommands, depending on the requirements for your system configuration.

---

Note Subinterfaces on the 4-port Gigabit Etherent WAN module cannot share HSRP group numbers. As a result, only 16 HSRP groups per Gigabit Ethernet WAN port are supported.

---

---

Note The MTU size you specify on a main Gigabit Ethernet WAN interface will also apply to all subinterfaces you configure on the main interface. It is not possible to specify an MTU size on a subinterface that is different from the MTU size specified for the main interface.

---

To configure the Gigabit Ethernet WAN interfaces, perform this task:

---

Step 1 Confirm that the system recognizes the module by entering the show version command:

Router# show version

Step 2 Check the status of each port by entering the show interface command:

Router# show interface

Step 3 Enter configuration mode and specify that the console terminal will be the source of the configuration subcommands:

Router# configure terminal 

Step 4 Enable IP routing by entering the ip routing command:

Router(config)# ip routing

Step 5 At the prompt, specify the new interface to configure by entering the interface command, followed by the type (ge-wan) and slot/port number. The example that follows is for a Gigabit Ethernet WAN OSM in slot 3:

Router(config)# interface ge-wan 3/0

Step 6 Assign an IP address and subnet mask to the interface with the ip address configuration subcommand, as in the following example:

Router(config-if)# ip address 10.1.2.3 255.255.255.255 

By default, a GE-WAN interface is configured for automatic negotiation of link parameters, such as duplex, speed, and flow control. To disable flow control and to force the interface for 1000/full-duplex mode, turn off automatic negotiation with the command:

Router(config-if)# no negotiation auto

---

Note Changing the negotiation mode of an active interface flaps the interface by bringing it down and then back up, so as to implement the new negotiation mode. For this reason, we recommend changing the negotiation mode only when the interface is shutdown.

---

---

Tip Use the negotiation auto command to restore the default of automatic negotiation of link parameters.

---

Step 7 Change the shutdown state to up and enable the interface:

Router(config-if)# no shutdown 

The no shutdown command passes an enable command to the Gigabit Ethernet module. It also causes the module to configure itself based on the most recent configuration commands received by the module.

Step 8 Write the new configuration to memory:

Router# copy running-config startup-config

When the configuration is stored, an OK message appears.

---

Configuring Strict Priority Low Latency Queuing (LLQ) Support on the OSM-2+4GE-WAN+

Starting with Cisco IOS Release 12.2(18)SXE, the Low Latency Queuing feature is changed for the OSM-2+4GE-WAN+ Optical Services Module. With this change, priority queue policing is supported on the module. Using Hiearchical Queuing Framework (HQF), the police command is combined with strict priority in a class on the OSM.

---

Note The priority percent % and priority kbps commands from previous releases are no longer supported.

If a second priority police class is included in the policy, police must be configured first.

---

To configure strict priority LLQ support, perform the following tasks, starting in global configuration mode:

	Command or Action	Purpose
Step 1	Router(config)# policy-map policy-name Example: Router(config)# policy-map policy11	Specifies the name of the policy map to be created or modified.
Step 2	Router(config-pmap)# class class-name Example: Router(config)# class class204	Specifies the name of a predefined class included in the service policy.
Step 3	Router(config-pmap-c)# priority Example:Router(config)# priority	Configures the strict priority class.
Step 4	Router(config-pmap-c)# police rate Example: Router(config-pmap-c) # police 1000000#	Sets the policing rate (in bps).

Examples

The following example shows a typical configuration and verification for the OSM-2+4GE-WAN+ OSM.

!

 Policy Map child

   Class dscp-ef

     priority

    police cir 1000000 bc 31250 be 31250 conform-action transmit exceed-action drop

   Class dscp-af21

     bandwidth remaining 35 (%)

   Class dscp-af31

     bandwidth remaining 30 (%)

   Class class-default

     bandwidth remaining 25 (%)

!

 Policy Map parent

   Class vlan-2

     bandwidth 5000 (kbps)

     shape average 6000000 24000 24000

     service-policy child

!

interface ge-wan7/1

no ip address

negotiation auto

mls qos trust dscp

service-policy output parent

end

!

interface ge-wan7/1.2

encapsulation dot1Q 2

ip address 10.10.10.1 255.255.255.0

mls qos trust dscp

no cdp enable

end

The following show command verifies the configuration:

Router#show policy interface ge-wan7/1

GE-WAN7/1

Service-policy output: parent

Class-map: vlan-2 (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: vlan 2

Queueing

queue limit 1250 (packets)

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts queued/bytes queued) 0/0

bandwidth 5000 kbps

shape (average) cir 6000000, bc 24000, be 24000

target shape rate 6000000

(shape parameter is rounded to 5952000 bps due to granularity)

Service-policy : child

Class-map: dscp-ef (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: ip dscp ef

Priority: b/w exceed drops: 0

police:

cir 1000000 bps, bc 31250 bytes

(Police cir is rounded to 983040 bps due to granularity)

Class-map: dscp-af21 (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: ip dscp af21

Queueing

queue limit 350 (packets)

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts queued/bytes queued) 0/0

bandwidth remaining 35% (1400 kbps)

(bandwidth parameter is rounded to 1392 kbps due to granularity)

Class-map: dscp-af31 (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: ip dscp af31

Queueing

queue limit 300 (packets)

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts queued/bytes queued) 0/0

bandwidth remaining 30% (1200 kbps)

(bandwidth parameter is rounded to 1196 kbps due to granularity)

Class-map: class-default (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

Queueing

queue limit 250 (packets)

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts queued/bytes queued) 0/0

bandwidth remaining 25% (1000 kbps)

Class-map: class-default (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

queue limit 248750 (packets)

(queue depth/total drops/no-buffer drops) 0/0/0

      (pkts queued/bytes queued) 0/0

Router#

Quality of Services

The Gigabit Ethernet WAN modules support the following QoS implementations:

•Differentiated Services Code Point (DSCP) classification

•IP-precedence classification

•Class-based traffic shaping

•Class-based weighted fair queuing (CBWFQ)—Supported on the OSM-2+4GE-WAN+ only

•Low latency queuing (LLQ)—Supported on the OSM-2+4GE-WAN+ only

•Weighted Random Early Detection (WRED)—Supported on the OSM-2+4GE-WAN+ only

•Hierarchical traffic shaping for dot1q encapsulations—Supported for egress traffic on subinterfaces on the OSM-2+4GE-WAN+ only

•EoMPLS Support with CBWFQ, LLQ and WRED - CBWFQ, LLQ or WRED are applied to the EoMPLS uplink interface. Supported on the OSM-2+4GE-WAN+ only

For QoS configuration information and examples for the WAN OSM ports, see the "Configuring QoS on the OSMs" section on page 9-2.

See Chapter 10, "Configuring Destination Sensitive Services on the Optical Services Modules" for configuration information.

Advanced QinQ Service Mapping

The IEEE 802.1Q VLAN specification provides for a trunking option that tags packets with two VLAN tags:

•An inner tag that specifies the customer tag

•An outer tag that specifies the service provider tag—to allow multiple VLANs to be trunked together across an intermediate network.

This type of double-tagged tunnel is referred to as IEEE 802.1Q-in-802.1Q (Q-in-Q) tunneling.

Standard QinQ tunneling, however, is limited. Although double-tagged VLANs can identify different customers, they cannot easily distinguish different service flows for the same customer. You can use separate VLANs for each service flow, but IEEE 802.1Q VLANs are limited to a maximum of 1,024 VLANs. Extended VLANs have a maximum of 4,096 per router, but even this larger number could be exhausted if many customers are using multiple services.

The Advanced QinQ Service Mapping feature solves these problems by enabling the Gigabit Ethernet WAN (GE-WAN) interfaces on the OSM-2+4GE-WAN+ Optical Services Module (OSM) to act as a QinQ access gateway. The access gateway enhances QinQ tunneling by using the combination of inner and outer VLAN tags as a unique identifier for a particular customer's service flows. This allows the interface to perform the following:

•Translates packets that are tagged with an inner CE VLAN tag and an outer PE VLAN tag to a specifying outgoing trunk VLAN on the basis of the unique combination of CE and PE VLAN tags. Two types of packet translation are supported:

–QinQ Translation (also known as double-tag to single-tag translation)—The CE and PE tags from the original incoming packet are replaced with a single trunk VLAN tag when the outgoing packet is transmitted.

–QinQ Transparent Tunneling (also known as double-tag to double-tag translation)—The outer PE tag from the original incoming packet is replaced with an outer trunk VLAN tag when the outgoing packet is transmitted. The inner CE VLAN tag is left unchanged in the outgoing packet.

•Supports traffic shaping on the basis of the unique combination of CE and PE VLAN tags.

•Sets the IEEE 802.1P prioritization bits (P bits) in the outgoing trunk VLAN tag by copying the P bits either from the original packet's outer PE VLAN tag or from the original packet's inner CE VLAN tag.

In Cisco IOS Release 12.2(18)SXE and later releases, you can also combine multiple GE-WAN interfaces into a virtual QinQ link bundle (also known as a port-channel). This simplifies configuration and allows the system to automatically load balance the traffic moving across the physical interfaces.

See the following sections for more details on the QinQ translation process and on using QinQ link bundles.

QinQ Translation—Double Tag to Single Tag Translation

In a double-tag-to-single-tag translation, the Advanced QinQ Service Mapping feature replaces both the inner customer edge (CE) VLAN tag and the outer provider edge (PE) VLAN tag with a single trunk VLAN tag. The following shows the format of both the incoming original packet and the outgoing translated packet.

Original Incoming Packet
DA	SA	ETYPE= 0x8100	PE VLAN Tag	ETYPE=1 0x8100	CE VLAN1 Tag	Data	FCS
Outgoing Translated Packet
DA	SA	ETYPE= 0x8100	Trunk VLAN Tag	Data	FCS

1 The CE VLAN tag might not be present if the customer did not tag this packet with a VLAN ID before transmitting it to the service provider. The PE VLAN tag should always be present.

When the interface receives a packet, the following occurs:

•Examines the inner CE VLAN tag and outer PE VLAN tag, and uses that unique combination to perform the quality of service processing, rate shaping, and switching that is specified by the attached service policy map.

If the packet includes a PE VLAN tag, but no mapping has been configured for this particular CE VLAN tag, or if the incoming packet does not contain any inner CE VLAN tag, the interface drops the packet (unless a subinterface has been configured for out-of-range packets).

•Removes the inner and outer VLAN tags and replaces them with the trunk VLAN tag that has been configured on the VLAN's subinterface.

•Sets the 802.1P bits (P bits) on the trunk VLAN tag in one of the following ways, depending on the service policy map being used:

–Copies the P bits that were in the outer PE VLAN tag to the trunk VLAN tag (default).

–Copies the P bits that were in the inner CE VLAN tag to the trunk VLAN tag (if the set cos cos-inner command was used in the service policy map).

–Zeroes out the P bits if the interface or subinterface has been marked as untrusted.

•Forwards the translated single-tagged packet to the appropriate destination or service.

QinQ Transparent Tunneling—Double Tag to Double Tag Translation

When you configure the Advanced QinQ Service Mapping feature for double-tag-to-double-tag conversion, the Gigabit Ethernet WAN interface replaces the outer PE VLAN tag with the trunk VLAN tag. The inner CE VLAN tag remains unchanged. The following shows the format of both the incoming original packet and the outgoing translated packet:

Original Incoming Packet
DA	SA	ETYPE= 0x8100	PE VLAN Tag	ETYPE=1 0x8100	CE VLAN1 Tag	Data	FCS
Outgoing Translated Packet
DA	SA	ETYPE= 0x8100	Trunk VLAN Tag	ETYPE= 0x8100	CE VLAN Tag	Data	FCS

1 The CE VLAN tag might not be present if the customer did not tag this packet with a VLAN ID before transmitting it to the service provider, in which case this becomes a single-tag to single-tag translation.

When the interface receives a packet, the following occurs:

•Examines the inner CE VLAN tag and outer PE VLAN tag, and uses that unique combination to perform the quality of service processing, rate shaping, and switching that is specified by the attached service policy map.

If the packet includes a PE VLAN tag, but no mapping has been configured for this particular CE VLAN tag, or if the incoming packet does not contain any inner CE VLAN tag, the interface drops the packet (unless a subinterface has been configured for out-of-range packets).

•Removes the outer PE VLAN tag and replaces it with the trunk VLAN tag that is configured on the VLAN's subinterface. The inner CE VLAN tag is left unchanged.

•Sets the 802.1P bits (P bits) on the trunk VLAN tag in one of the following ways, depending on the service policy map being used:

–Copies the P bits that were in the outer PE VLAN tag to the trunk VLAN tag (default).

–Copies the P bits that were in the inner CE VLAN tag to the trunk VLAN tag (if the set cos cos-inner command was used in the service policy map).

–Zeroes out the P bits if the interface or subinterface has been marked as untrusted.

•Forwards the translated double-tagged packet to the appropriate destination or service.

Out-of-Range and Unspecified In-Range Packets

Each PE VLAN supports a maximum of 32 CE VLANs, which must be in a contiguous block that starts on a number divisible by 32 (for example: 0, 32, 64, and so on). When you specify the first CE VLAN ID for a PE VLAN (using the bridge-domain command), the Cisco IOS software automatically associates the corresponding block of 32 IDs with that PE VLAN. Any other CE VLANs are considered out-of-range for that particular PE VLAN.

For example, specifying a CE VLAN ID of 131 automatically associates the CE VLAN IDs from 128 to 159 with that particular PE VLAN. Any CE VLANs that are outside of that block (from 1 to 127 and from 160 to 4094) are considered out-of-range. In addition, if a packet arrives without a CE VLAN tag, it is also considered to be out-of-range.

The default behavior is to drop all out-of-range packets that are received on an interface that has been configured for QinQ translation. You can change this behavior by configuring a subinterface to match out-of-range packets.

The QinQ access gateway interface also drops any packets with a CE VLAN that is in-range (within the block of 32 VLAN IDs) but not explicitly mapped on a subinterface. This behavior cannot be changed. For example, if you specify a CE VLAN of 32 and no other CE VLANs for a particular PE VLAN, the interface drops packets for that PE VLAN that have CE VLANs from 33 and 63.

Per VLAN Load Balancing for Advanced QinQ Service Mapping

In Cisco IOS Release 12.2(18)SXE and later releases, you can combine multiple GE-WAN interfaces into a QinQ link bundle, which is a virtual interface that you configure in the same way as the physical GE-WAN interfaces. Using QinQ link bundles has the following advantages:

•Simplifies configuration because you do not have to configure the individual GE-WAN physical interfaces. Instead, you configure only the one virtual interface with the required QinQ parameters, and those parameters are used for all of the physical interfaces in the bundle.

•Increases bandwidth by allowing you to aggregate individual physical interfaces into a single logical interface.

•Increases availability because if one link in the bundle goes down, the traffic is reallocated among the remaining interfaces until the link is reestablished.

•Enables load-balancing of PE VLANs among the physical interfaces. When the PE VLANs are created, they are automatically distributed among the physical interfaces in the bundle in a round-robin fashion. Adding or removing a physical interface to the QinQ link bundle automatically reallocates the PE VLANs among the physical interfaces, with a minimal interruption of the traffic flows along those VLANs.

---

Note The load-balancing algorithm is based only on the number of PE VLANs, where all of the packets for a particular PE VLAN are sent through the same physical interface. The load-balancing does not take into account the bandwidth or the number of the individual CE VLANs that are being transported in each PE tunnel. The assignment of a particular PE VLAN is determined when the PE VLAN is first created, and this assignment does not change unless interfaces are added or removed from the QinQ link bundle.

---

•Allows you to logically group physical interfaces according to your management needs, such as application or location. You can obtain aggregate interface statistics by displaying the interface statistics for the bundle's virtual interface, as well as displaying the statistics for each of the individual physical interfaces in the bundle.

•Simplifies network management by allowing you to perform OIR and other maintenance operations on interfaces and cards in the QinQ link bundle without stopping the traffic flows. Instead, the traffic is automatically redistributed among the remaining physical interfaces. When the card and its interfaces are brought back up, the traffic is again redistributed among all of the slots in the bundles.

•Allows you to move OSM-2+4GE-WAN+ modules between slots without having to re-enter the complete interface configuration. Instead, you only have to remove the old interfaces from the QinQ link bundle and then add the new interfaces to the bundle. The bundle's configuration is then automatically applied to the card in its new location.

•Requires a minimal learning curve to learn, because QinQ link bundles are created using the same port-channel and channel-group commands that are used on LAN interfaces to create Ether Channels. The same monitoring and maintenance procedures that are used for Ether Channels can be used for QinQ link bundles.

Configuring Advanced QinQ Service Mapping

This section describes the following configuration tasks that are needed to enable and configure the Advanced QinQ Service Mapping feature:

•Enabling IEEE 802.1Q-in-802.1Q Translation on a Gigabit Ethernet WAN Interface

•Enabling IEEE 802.1Q-in-802.1Q Translation on a QinQ Link Bundle

•Configuring the Service Provider Edge Router

•Configuring QinQ Translation—Double Tag to Single Tag Translation

•Configuring QinQ Transparent Tunneling—Double Tag to Double Tag Translation

•Configuring a Policy Map to Use the Inner COS Bits

•Disabling IEEE 802.1Q-in-802.1Q Mapping and Translation

Enabling IEEE 802.1Q-in-802.1Q Translation on a Gigabit Ethernet WAN Interface

To use the Advanced QinQ Service Mapping feature, you must first enable IEEE 802.1Q-in-802.1Q translation on the Gigabit Ethernet WAN interface that is connected to the provider edge router through the Metro Ethernet network. You can also optionally configure the interface as trusted, if you want to preserve the IEEE 802.1P bits (P bits) that are in the IEEE 802.1Q header of incoming packets.

To enable IEEE 802.1Q-in-802.1Q translation on a Gigabit Ethernet WAN interface, and optionally configure the interface as trusted, use the following procedure.

Prerequisites

•This feature requires a Cisco Catalyst 6500 series switch or Cisco 7600 series router with a Cisco Supervisor Engine 2 or Supervisor Engine 720 module that is running Cisco IOS Release 12.2(18)SXD or later.

•This feature is supported only on the Gigabit Ethernet WAN (GE-WAN) interfaces on the OSM-2+4GE-WAN+ Gigabit Ethernet Enhanced Optical Services Module (OSM). This feature is not supported on other port adapter modules or on LAN Gigabit Ethernet (GE) interfaces.

•The Cisco IOS software image must support the OSM-2+4GE-WAN+ Gigabit Ethernet Enhanced OSM card.

•You must remove all IP, MPLS, and other Layer 3 configuration on the main interface before enabling IEEE 802.1Q-in-802.1Q translation.

---

Note When a GE-WAN interface is configured for QinQ operation, the Cisco IOS command-line interface (CLI) blocks any IP configuration, but it is still possible to configure other Layer 3 features. All such configuration must be removed from the interface before QinQ can operate successfully.

---

Restrictions

•This configuration is supported only on the Gigabit Ethernet WAN interfaces on the OSM-2+4GE-WAN+ enhanced Optical Services Module (OSM).

•Only the main interface can be configured as an QinQ access gateway. Subinterfaces are then configured to specify the specific VLAN mappings.

•A Gigabit Ethernet WAN interface that is configured as a QinQ access gateway cannot also be configured with any IP, MPLS, or other Layer 3 configurations. Adding such configuration to the interface can interfere with the QinQ operation.

•Multiprotocol Label Switching (MPLS) Experimental (EXP) bit mappings and hierarchical QoS are not supported on the Gigabit Ethernet WAN interface being used for QinQ translation.

•Each provider edge (PE) VLAN (or outer VLAN) supports a a maximum of 32 consecutive customer edge (CE) VLANs (or inner VLANs). This range of CE VLANs must start on a boundary that is divisible by 32 (for example, 32 to 63, 64 to 95, and so on, up to 4000 to 4031, 4032 to 4063, and 4064 to 4094). The invalid or reserved VLANs are excluded from this rule. For example, the first range is 2 to 31 because VLAN 0 is not valid and VLAN 1 is, by default, reserved for a native VLAN. Each PE VLAN also supports one default function that is applied to VLANs that fall outside of this range of 32 VLANs.

•A PE VLAN can be configured on only one Gigabit Ethernet WAN interface in the router.

•A PE VLAN cannot have the same ID as the native VLAN that is also being used on any interface in the router. The default native VLAN for interfaces is VLAN ID 1, and we recommend using this default to simplify the use of QinQ tagging on the router.

•A PE VLAN cannot have the same ID as an MPLS-related VLAN ID being used on the same interface or on its paired interface. GE-WAN interfaces 1 and 2 constitute one pair, and GE-WAN interfaces 3 and 4 constitute another pair.

For example, if interface 1 assigns VLAN ID 200 to an MPLS-based feature (such as MPLS VPN, AToM, or VPLS), you cannot use VLAN 200 as a PE VLAN on either interface 1 or 2. However, you still can use VLAN 200 on interface 3 or 4, because those interfaces are a separate interface pair.

•VLAN 4095 is reserved and cannot be used as a CE VLAN. Packets that contain a CE VLAN ID of 4095 are automatically dropped by subinterfaces that are configured for QinQ translation. VLAN 4095, however, can continue to be used as a native (non-QinQ) VLAN.

•VLAN IDs from 1006 to 4094 can be used for either PE VLANs or internal VLANs. Since internal VLANs are automatically allocated for certain features such as Layer 3 LAN ports, WAN interfaces, and WAN subinterfaces, you must coordinate your use of PE VLANs with the system's use of internal VLANs. In particular, be sure to reserve some of the VLAN IDs between 1006 and 4094 for use as internal VLANS, because internal VLANs cannot use IDs between 1 and 1005. If you run out of VLANs for use as internal VLANs, you might not be able to install new cards or use certain software features.

The router, by default, allocates internal VLANs starting with 1006 and ascending sequentially. We recommend that you change this behavior with the vlan internal allocation policy descending global configuration command, so that the router allocates internal VLANs starting with 4094 and descending sequentially.

---

Note If you change the allocation method, you must reboot the router before the changes take effect. This is because a number of internal VLANs are automatically allocated at router startup.

---

---

Tip To display the number of internal VLANs that are currently in use, use the show vlan internal usage command.

---

•The match vlan command is not supported in this feature.

SUMMARY STEPS

1. enable

2. configure terminal

3. vlan internal allocation policy descending

4. interface ge-wan slot/port

5. no ip address

6. mode dot1q-in-dot1q access-gateway

7. description string

8. no shutdown

9. end

---

Tip You do not need to configure the mls qos trust command to preserve the CoS bits in the VLAN translation, because this command has no effect on a GE-WAN interface that has been configured with the mode dot1q-in-dot1q access-gateway command. When an interface or port-channel group has been configured for QinQ translation, it always trusts the VLAN Class of Service (CoS) bits.

---

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable Router#	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 3	vlan internal allocation policy descending Example: Router(config)# vlan internal allocation policy descending Router(config)#	(Optional) Allocates internal VLANs starting with 4094 and descending sequentially. We recommend this configuration to avoid conflicts with the PE VLAN ID assignment. Note If you change the allocation method, you must reboot the router before the changes take effect. This is because a number of internal VLANs are automatically allocated at router startup.
Step 4	interface ge-wan slot/port Example: Router(config)# interface ge-wan 5/1 Router(config-if)#	Enters interface configuration mode for the specified Gigabit Ethernet WAN interface on the OSM-2+4GE-WAN+ Gigabit Ethernet WAN port.
Step 5	no ip address Example: Router(config-if)# no ip address Router(config-if)#	(Optional) Removes the IP address that might be configured on the interface. This step is required if the interface has been configured previously with an IP address.
Step 6	mode dot1q-in-dot1q access-gateway Example: Router(config-if)# mode dot1q-in-dot1q access-gateway Router(config-if)#	Enables IEEE 802.1Q-in-802.1Q translation on the interface, enabling the Advanced QinQ Service Mapping feature.
Step 7	description string Example: Router(config-if)# description Connected to ISP ABC Port SJ-2 Router(config-if)#	(Optional) Provides a description of this interface. The string parameter can be any arbitrary text that describes the interface, its neighbor, its purpose, or any other information that might be useful for maintaining and troubleshooting problems with this interface and configuration.
Step 8	no shutdown Example: Router(config-if)# no shutdown Router(config-if)#	Activates the interface and enables it to pass traffic.
	Note Repeat Step 4 through Step 8 for each Gigabit Ethernet WAN interface to be configured.
Step 9	end Example: Router(config-if)# end Router#	Exits interface configuration mode and returns to privileged EXEC mode.

Examples

The following example shows a sample configuration for a Gigabit Ethernet WAN interface:

!

interface GE-WAN3/4

 description connected to SJ QinQ Tunnel

 no ip address

 logging event link-status

 negotiation auto

 mode dot1q-in-dot1q access-gateway

Enabling IEEE 802.1Q-in-802.1Q Translation on a QinQ Link Bundle

To use the Advanced QinQ Service Mapping feature on a QinQ link bundle, you must create a virtual port-channel interface and enable IEEE 802.1Q-in-802.1Q translation on that interface. You then must assign Gigabit Ethernet WAN interfaces to the port-channel group. To perform these tasks, use the following procedure.

Prerequisites

•The QinQ link bundle feature requires a Cisco Catalyst 6500 series switch or Cisco 7600 series router with a Cisco Supervisor Engine 2 or Supervisor Engine 720 module that is running Cisco IOS Release 12.2(18)SXE or later.

•When using the QinQ link bundle feature, the port-channel group must include only Gigabit Ethernet WAN (GE-WAN) interfaces on the OSM-2+4GE-WAN+ Gigabit Ethernet Enhanced Optical Services Module (OSM). This feature is not supported on other port adapter modules or on LAN Gigabit Ethernet (GE) interfaces.

•The Cisco IOS software image must support the OSM-2+4GE-WAN+ Gigabit Ethernet Enhanced OSM card.

Restrictions

•All restrictions listed for the Gigabit Ethernet WAN interfaces also apply to the use of QinQ link bundling. See the "Restrictions" section for a list of those restrictions.

•Channel groups that are being used for QinQ link bundling can contain only GE-WAN interfaces on the OSM-2+4GE-WAN+ Optical Services Module (OSM) card.

•Port-channel interfaces that are being used for QinQ link bundling must not be configured for a Maximum Transmission Unit (MTU) value greater than 9170 bytes, which is the maximum MTU that is supported on the OSM-2+4GE-WAN+ OSM card.

•Only the mode on option is supported when using the channel-group command with GE-WAN interfaces on the OSM-2+4GE-WAN+ Optical Services Module for advanced QinQ translation. The other mode options are not supported on a QinQ link bundle.

•You cannot use the channel-group command on GE-WAN interfaces if Multiprotocol Label Switching (MPLS) is configured. You must remove all mpls configuration commands from the interface before using the channel-group command.

•You cannot attach a service policy to the main port-channel interface or to the individual member interfaces of the port-channel group. Instead, you must attach the service policy to the appropriate port-channel subinterfaces. Also, input service policies are not supported on port-channels being used for QinQ link bundling.

•Service policies for QinQ port-channel interfaces support only the shaping and set cos cos-inner commands. You cannot use other commands, such as the bandwidth command, on QinQ port-channel interfaces.

•Port-channel interface counters can be displayed with the show interface port-channel {number | number.subif} command. However, the show interface port-channel counters and show counters interface port-channel commands are not supported for channel groups that are using GE-WAN interfaces for QinQ link bundling.

SUMMARY STEPS

1. enable

2. configure terminal

3. vlan internal allocation policy descending

4. interface port-channel number

5. no ip address

6. mode dot1q-in-dot1q access-gateway

7. description string

8. no shutdown

9. interface ge-wan slot/port

10. no ip address

11. channel-group number mode on

12. no shutdown

13. end

---

Tip You do not need to configure the mls qos trust command to preserve the CoS bits in the VLAN translation, because this command has no effect on a GE-WAN interface or port-channel group that has been configured with the mode dot1q-in-dot1q access-gateway command. When an interface or port-channel group has been configured for QinQ translation, it always trusts the VLAN Class of Service (CoS) bits.

---

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable Router#	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 3	vlan internal allocation policy descending Example: Router(config)# vlan internal allocation policy descending Router(config)#	(Optional) Allocates internal VLANs starting with 4094 and descending sequentially. We recommend this configuration to avoid conflicts with the assignment of IDs for the PE VLANs. Note If you change the allocation method, you must reboot the router before the changes take effect. This is because a number of internal VLANs are automatically allocated at router startup.
Step 4	interface port-channel number Example: Router(config)# interface port-channel 5 Router(config-if)#	Creates a virtual port-channel interface and enters interface configuration mode. The valid range for number is from 1 to 256.
Step 5	no ip address Example: Router(config-if)# no ip address Router(config-if)#	(Optional) Removes the IP address that might be configured on the interface. This step is required if the interface has been configured previously with an IP address.
Step 6	mode dot1q-in-dot1q access-gateway Example: Router(config-if)# mode dot1q-in-dot1q access-gateway Router(config-if)#	Enables IEEE 802.1Q-in-802.1Q translation on the interface, enabling the Advanced QinQ Service Mapping feature. Note This command cannot be used on a port-channel that already contains a channel group member that is not a GE-WAN interface on a OSM-2+4GE-WAN+ card.
Step 7	description string Example: Router(config-if)# description QinQ Link Bundle connected to LA-10/1 Router(config-if)#	(Optional) Provides a description of this interface. The string parameter can be any arbitrary text that describes the interface, its neighbor, its purpose, or any other information that might be useful for maintaining and troubleshooting problems with this interface and configuration.
Step 8	no shutdown Example: Router(config-if)# no shutdown Router(config-if)#	Activates the interface and enables it to pass traffic.
Step 9	interface ge-wan slot/port Example: Router(config)# interface ge-wan 5/1 Router(config-if)#	Enters interface configuration mode for either the specified Gigabit Ethernet WAN interface on the OSM-2+4GE-WAN+ Gigabit Ethernet WAN port.
Step 10	no ip address Example: Router(config-if)# no ip address Router(config-if)#	(Optional) Removes the IP address that might be configured on the interface. This step is required if the interface has been configured previously with an IP address.
Step 11	channel-group number mode on Example: Router(config-if)# channel-group 5 mode on Router(config-if)#	Adds this physical interface to the specified channel group. The number should be the same as that specified for the port-channel interface in Step 4. Note The mode on option is the only one allowed for port-channels that are being configured on GE-WAN interfaces for QinQ link bundling.
Step 12	no shutdown Example: Router(config-if)# no shutdown Router(config-if)#	Activates the interface and enables it to pass traffic.
	Note Repeat Step 9 through Step 12 for each Gigabit Ethernet WAN interface to be added to the port-channel group.
Step 13	end Example: Router(config-if)# end Router#	Exits interface configuration mode and returns to privileged EXEC mode.

---

Note If after removing the last inner VLAN in a bridge domain, you want to perform a load rebalancing, issue the shutdown and no shutdown commands on the port-channel.

---

Examples

The following example shows a sample configuration for a port-channel interface that has two GE-WAN physical interfaces as part of its channel group:

!

interface Port-channel3

 no ip address

 logging event link-status

 speed nonegotiate

 mode dot1q-in-dot1q access-gateway 

!

interface GE-WAN2/1

 no ip address

 logging event link-status

 negotiation auto

 channel-group 3 mode on

!

interface GE-WAN2/3

 no ip address

 logging event link-status

 negotiation auto

 channel-group 3 mode on

The following sample configuration shows the error message that appears if you attempt to enable QinQ translation on a port-channel interface that contains one or more invalid interfaces:

Router# configure terminal 

Router(config)# interface port-channel 30 

7600-2(config-if)# mode dot1q-in-dot1q access-gateway 

% 'mode dot1q-in-dot1q access-gateway' is not supported on Port-channel30 

% Port-channel30 contains 2 Layer 2 Gigabit Ethernet interface(s)

Router(config-if)# 

To display the status of the port-channel interface, as well as the members of its channel group, use the show interface command. For example, this command would show the following output for the configuration listed above.

Router# show interface Port-channel 3 

 Port-channel1 is up, line protocol is up (connected)

  Hardware is EtherChannel, address is 0007.8508.474a (bia 000d.edb5.7d7b)

  MTU 1500 bytes, BW 2000000 Kbit, DLY 10 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Full-duplex, Auto-speed

  input flow-control is off, output flow-control is unsupported

  Members in this channel: GE2/1 Pseudo GE2/3 Pseudo 

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input never, output never, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     0 packets input, 0 bytes, 0 no buffer

     Received 0 broadcasts (0 IP multicast)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 0 multicast, 0 pause input

     0 input packets with dribble condition detected

     0 packets output, 0 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier, 0 PAUSE output

     0 output buffer failures, 0 output buffers swapped out

Router# 

To display the inner, outer, and trunk VLANs that are used in a QinQ translation, use the show cwan qinq command. The following examples show the resulting output for the port-channel interface using the show cwan qinq command alone and with each of the following optional keywords:

•configured—Displays statistics for all configured bridge domains.

•detail—Displays the details of the inner VLAN configurations for each bridge domain.

•list—Displays the currently configured assignments.

---

Caution The show cwan qinq [configured | detail | list] command applies to port-channel interfaces only. Using this command with physical interfaces may provide incorrect results.

---

Router#show cwan qinq

Bridge-domain Interface Egress-if Inner-start Total Active

3 Po1 GE3/1 0 1 1

Sub-Interface Trunk-vlan Inner-vlan Service State

Po1.2 2 4 dot1q up/up

Router#show cwan qinq configured

Port-channel1 has total 2 bridge-domain vlan(s)

Po1 - GE-WAN3/1 has 1 bridge-domain vlan(s) egress configured

13

Po1 - GE-WAN3/2 has 1 bridge-domain vlan(s) egress configured

3

Router#show cwan qinq detail

Port-channel1 has total 2 bridge-domain vlan(s)

Po1 - GE-WAN3/1 has 1 bridge-domain vlan(s) detail

Bridge-domain Inner Configured Active

------------- ------ ---------- ------

13 active 1 1

Po1 - GE-WAN3/2 has 1 bridge-domain vlan(s) detail

Bridge-domain Inner Configured Active

------------- ------ ---------- ------

3 active 1 1

Router#show cwan qinq list

Port-channel1 has total 2 bridge-domain vlan(s)

Po1 - GE-WAN3/1 has 1 bridge-domain vlan(s) egress active

13

Po1 - GE-WAN3/2 has 1 bridge-domain vlan(s) egress active

3

The related show cwan qinq load-balance commands also apply to port-channel interfaces only.

Router#show cwan qinq load-balance

Port-channel1 has total 2 bridge-domain vlan(s)

Po1 - GE-WAN3/1 has 1 bridge-domain vlan(s)

Po1 - GE-WAN3/2 has 1 bridge-domain vlan(s)

Router#show cwan qinq load-balance detail

Port-channel1 has total 2 bridge-domain vlan(s)

Po1 - GE-WAN3/1 has 1 bridge-domain vlan(s) detail

Bridge-domain Inner Configured Active

------------- ------ ---------- ------

13            active 1          1

Po1 - GE-WAN3/2 has 1 bridge-domain vlan(s) detail

Bridge-domain Inner Configured Active

------------- ------ ---------- ------

3             active 1          1

The following related show commands can be applied to both port-channel and physical interfaces:

Router#show cwan qinq bridge-domain

GE-WAN3/1, group 1, total_rate_active 1

13

GE-WAN3/2, group 1, total_rate_active 1

3

Port-channel1, group 1, total_rate_active 2

Router#show cwan qinq interface

Interface Status Egress op PE CE TRNK Input packets/       Output packets/

Input bytes          Output bytes

---------------- --------- ------ -- ---- ---- ---- -------------------- ----------------

Po1.2 up/up GE3/2 1 3 4 2 0 0

0 0

Po1.12 up/up GE3/1 1 13 14 12 0 0

0 0

---

Note For additional information regarding these related commands, see the Cisco 7600 Router Cisco IOS Command Reference—Release 12.2SX.

---

Configuring the Service Provider Edge Router

This section describes the procedure to configure the Gigabit Ethernet interface on the service provider edge router that is connected to the Gigabit Ethernet WAN interface that is acting as the IEEE 802.1Q-in-802.1Q (QinQ) access gateway.

Prerequisites

• The service provider edge router must be using a Gigabit Ethernet interface.

SUMMARY STEPS

1. enable

2. configure terminal

3. vlan vlan-id

4. interface GigabigEthernet slot/port

5. no ip address

6. mls qos trust [cos | dscp | ip-precedence]

7. switchport

8. switchport trunk encapsulation dot1q

9. switch trunk allowed vlan {vlan-list | vlan-range}

10. switchport mode trunk

11. description string

12. no shutdown

13. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable Router#	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 3	vlan vlan-id Example: Router(config)# vlan 22 Router(config)#	Add the VLAN ID to be used as the provider edge (PE) VLAN to the router's VLAN database (if not already entered). The valid range for vlan-id is either 1 to 1023, or from 1 to 4094, depending on the Cisco IOS software image being used on the router or switch.
Step 4	interface GigabitEthernet slot/port Example: Router(config)# interface GigabitEthernet3/1 Router(config-if)#	Enters interface configuration mode for the specified Gigabit Ethernet interface.
Step 5	no ip address Example: Router(config-if)# no ip address Router(config-if)#	Removes the IP address that might be configured on the interface.
Step 6	mls qos trust [cos | dscp | ip-precedence] Example: Router(config-if)# mls qos trust dscp Router(config-if)#	(Optional) Specifies which quality of service (QoS) bits in incoming frames can be trusted. •cos—(Optional) Specifies that the CoS bits in incoming frames are trusted and derives the internal DSCP value from the CoS bits. •dscp—(Optional, default) Specifies that the ToS bits in the incoming packets contain a DSCP value. •ip-precedence—(Optional) Specifies that the IP precedence bits (found in the ToS bits) of incoming packets are trusted, and derives the internal DSCP value from the IP precedence bits. Note To configure the interface as untrusted, use the no mls qos trust command. The interface then zeroes out the P bits of all incoming packets.
Step 7	switchport Example: Router(config-if)# switchport Router(config-if)#	Configures the interface for Layer 2 switching.
Step 8	switchport trunk encapsulation dot1q Example: Router(config-if)# switchport trunk encapsulation dot1q Router(config-if)#	Configures the trunk link to use IEEE 802.1Q encapsulation.
Step 9	switch trunk allowed vlan {vlan-list | vlan-range} Example: Router(config-if)# switch trunk allowed vlan 3001-4000 Router(config-if)#	(Optional) Configures the list of provider edge (PE) VLANs allowed on the trunk. All VLANs are allowed by default. You can either specify a list of individual VLAN IDs separated by commas, or you can specify a range of VLAN IDs separated by a hyphen.
Step 10	switchport mode trunk Example: Router(config-if)# switchport mode trunk Router(config-if)#	Puts the interface into permanent trunking mode.
Step 11	description string Example: Router(config-if)# description Connected to Metro interface SJ-3 Router(config-if)#	(Optional) Provides a description of this interface. The string parameter can be any arbitrary text that describes the interface, its neighbor, its purpose, or any other information that might be useful for maintaining and troubleshooting problems with this interface and configuration.
Step 12	no shutdown Example: Router(config-if)# no shutdown Router(config-if)#	Activates the interface and enables it to pass traffic.
	Note Repeat Step 4 through Step 12 for each interface to be configured.
Step 13	end Example: Router(config-if)# end Router#	Exits interface configuration mode and returns to privileged EXEC mode.

Examples

The following example shows a sample configuration for a Gigabit Ethernet interface that is connected to the Gigabit Ethernet WAN port that is providing IEEE 802.1Q-in-802.1Q translation. VLAN ID 3001 is being used as the PE VLAN.

vlan 3001

...

!

interface GigabitEthernet3/1

 description connected to Metro SJ-3 (QinQ tunnel)

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 3001-4000

 switchport mode trunk

Configuring QinQ Translation—Double Tag to Single Tag Translation

When you configure the Advanced QinQ Service Mapping feature for QinQ translation, also known as double-tag-to-single-tag translation, the outgoing interface replaces both the inner customer edge (CE) VLAN tag and the outer provider edge (PE) VLAN tag with a Trunk VLAN tag. Use the following procedure to configure a subinterface for double-tag-to-single-tag translation.

---

Note Cisco IOS Release 12.2(18)SXD used the bridge-vlan command to configure the QinQ translation, but Cisco IOS Release 12.2(18)SXE and later releases have changed this to bridge-domain. Earlier configurations that use bridge-vlan are automatically configured to bridge-domain when the configuration is loaded.

---

Prerequisites

•You must have previously enabled IEEE 802.1Q-in-802.1Q VLAN translation on either a Gigabit Ethernet WAN interface, or on a port-channel interface. See either the "Enabling IEEE 802.1Q-in-802.1Q Translation on a Gigabit Ethernet WAN Interface" section and the "Enabling IEEE 802.1Q-in-802.1Q Translation on a QinQ Link Bundle" section.

Restrictions

•You can configure a maximum of 32 inner CE VLANs for each outer PE VLAN. The inner CE VLANs must be in a contiguous block that starts on a 32-block boundary (32, 64, and so on), excluding invalid or reserved VLANs.

•You cannot specify an out-of-range configuration for a PE VLAN until you have first configured at least one specific inner CE VLAN ID for that particular PE VLAN. This is required so that the system can determine which VLAN IDs should be considered in-range and out-of-range.

•VLAN 4095 is reserved and cannot be used as a CE VLAN. Packets that contain a CE VLAN ID of 4095 are automatically dropped by subinterfaces that are configured for QinQ translation. VLAN 4095, however, can continue to be used as a native (non-QinQ) VLAN.

•A PE VLAN cannot have the same ID as a native (non-QinQ) VLAN that is also being used on the router.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface {ge-wan slot/port.subinterface | port-channel number.subinterface}

4. encapsulation dot1q trunk-vlan-id

5. bridge-domain vlan-id dot1q inner-vlan-id
or
bridge-domain vlan-id dot1q-tunnel out-range

6. mls qos trust [cos | dscp | ip-precedence]

7. service policy input policy-name

8. service policy output policy-name

9. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable Router#	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 3	interface {ge-wan slot/port.subinterface | port-channel number.subinterface} Example: Router(config)# interface ge-wan 5/1.64 Router(config-subif)#	Enters subinterface mode for the specified subinterface.
Step 4	encapsulation dot1q trunk-vlan-id Example: Router(config-subif)# encapsulation dot1q 2 Router(config-subif)#	Configures the subinterface to use the specified IEEE 802.1Q trunk VLAN on outgoing packets: •trunk-vlan-id—Specifies the trunk VLAN ID to be used for this traffic. The valid range is any VLAN from 1 to 4094, except for the numbers already allocated and the numbers in the range from 1002 to 1005, which are reserved.
Step 5	bridge-domain vlan-id dot1q inner-vlan-id or bridge-domain vlan-id dot1q-tunnel out-range Example: Router(config-subif)# bridge-domain 2 dot1q 64 Router(config-subif)# or Router(config-subif)# bridge-domain 2 dot1q-tunnel out-range Router(config-subif)#	Creates a table map for the specified outer (provider) VLAN ID to the specified inner (customer) VLAN ID, specifying that these VLAN tags should be replaced by the trunk VLAN tag when the packet is output. •vlan-id—VLAN ID for the provider edge (PE), or outer, VLAN. The valid range is 1 to 4094, except for the native VLAN (which defaults to 1) and the numbers in the range from 1002 to 1005, which are reserved. This value must match the VLAN that is actually configured on the provider edge router. •dot1q inner-vlan-id—VLAN ID for the customer edge (CE), or inner, VLAN that is to be mapped to this PE VLAN. The valid range is 1 to 4094, except for the numbers in the range from 1002 to 1005, which are reserved. •dot1q-tunnel out-range—Creates a table map for all inner (customer) VLAN IDs that are outside of the previously mapped block of 32 VLANs for this particular provider VLAN. If you do not specify an out-range mapping for a PE VLAN, the interface drops all packets for that PE VLAN that either do not have a CE VLAN tag, or that have a CE VLAN outside of the mapped block. Note You must configure at least one subinterface with a specific CE VLAN ID for a PE VLAN, before you can use the dot1q-tunnel out-range option.
	Note When you specify the first inner-vlan-id for a PE VLAN, the interface automatically associates the correct block of 32 VLANs with that PE VLAN, and those CE VLANs cannot be used for any other purpose. For example, specifying a CE VLAN of 98 associates the VLANs from 96 to 127 with that PE VLAN. Any other CE VLANs received on that PE VLAN are considered out of range.
Step 6	mls qos trust [cos | dscp | ip-precedence] Example: Router(config-subif)# mls qos trust dscp Router(config-subif)#	(Optional) Specifies which quality of service (QoS) bits in incoming frames can be trusted. •cos—(Optional) Specifies that the CoS bits in incoming frames are trusted and derives the internal DSCP value from the CoS bits. •dscp—(Optional, default) Specifies that the ToS bits in the incoming packets contain a DSCP value. •ip-precedence—(Optional) Specifies that the IP precedence bits (found in the ToS bits) of incoming packets are trusted, and derives the internal DSCP value from the IP precedence bits. Note To configure the interface as untrusted, use the no mls qos trust command. The Layer 2 interface then zeroes out the P bits of all incoming packets before any QoS processing is done.
Step 7	service policy input policy-name Example: Router(config-subif)# service policy input policy-in1 Router(config-subif)#	(Supported only on physical GE-WAN interfaces, not port-channel interfaces) Specifies a policy map that should be used on incoming packets when they are received on the Gigabit Ethernet WAN interface.
Step 8	service policy output policy-name Example: Router(config-subif)# service policy output cos-xlat1 Router(config-subif)#	Specifies a policy map that should be used on outgoing packets before they leave the Gigabit Ethernet WAN interface. Note Policy maps that use set cos cos-inner command must be applied as the output policy on the subinterface.
	Note Repeat Step 3 through Step 8 for each subinterface/VLAN mapping to be configured.
Step 9	end Example: Router(config)# end Router#	Exits global configuration mode and returns to privileged EXEC mode.

Examples

The following shows a typical configuration that creates two double-tag-to-single-tag mappings on a subinterface. The first subinterface configuration creates a specific PE/CE mapping, and the second subinterface configuration creates an out-of-range configuration:

interface GE-WAN 3/3

 no ip address

 mode dot1q-indot1q access-gateway

...

!

interface GE-WAN3/3.42

 encapsulation dot1Q 2

 bridge-domain 133 dot1q 42

 mls qos trust dscp

end

...

!

interface GE-WAN3/3.5032

 encapsulation dot1Q 31

 bridge-domain 133 dot1q-tunnel out-range

 mls qos trust dscp

end

These QinQ mappings operate as follows:

•The first subinterface matches incoming packets that are tagged with a PE VLAN ID of 133 and a CE VLAN ID of 42, and translates those packets into an outgoing packet with a single trunk VLAN ID of 2. This configuration also automatically associates the block of CE VLANs from 32 to 63 with PE VLAN 133. Any packets with a CE VLAN ID in that range that also have a PE VLAN ID of 133, and are not explicitly mapped by another subinterface, are dropped. Any other CE VLANs that are received on PE VLAN 133 are considered out of range.

•The second subinterface matches incoming packets that are tagged with a PE VLAN ID of 133, and that either do not have a CE VLAN, or that have a CE VLAN ID that is out of range (that is ranging from 1 to 31 or from 64 to 4094). These packets are translated into an outgoing packet with a trunk VLAN ID of 31 as the outer tag and an unchanged CE VLAN inner tag (if present).

This configuration performs the following mapping on packets that have a PE VLAN ID of 133:

Table 1-1 Example Double-Tag-to-Single-Tag Mappings 

PE VLAN ID	CE VLAN ID	Action
133	1 to 31	Mapped to trunk VLAN 31, CE VLAN 1 to 31 (out of range)
133	32 to 41	Dropped (because not explicitly mapped)
133	42	Mapped to trunk VLAN 2 (explicitly mapped by GE-WAN3/3.42)
133	43 to 63	Dropped (because not explicitly mapped)
133	64 to 4094	Mapped to trunk VLAN 31, CE VLAN 64 to 4094 (out of range)
133	(none)	Mapped to trunk VLAN 31 (out of range)

Configuring QinQ Transparent Tunneling—Double Tag to Double Tag Translation

When you configure the Advanced QinQ Service Mapping feature for QinQ transparent tunneling, as known as double-tag-to-double-tag translation, the Gigabit Ethernet WAN interface replaces the outer (provider edge or PE) VLAN tag with the trunk VLAN tag. The inner CE VLAN tag (if present) remains unchanged. Use the following procedure to configure a subinterface for double-tag-to-double-tag translation.

---

Note Cisco IOS Release 12.2(18)SXD used the bridge-vlan command to configure the QinQ translation, but Cisco IOS Release 12.2(18)SXE and later releases have changed this to bridge-domain. Earlier configurations that use bridge-vlan are automatically configured to bridge-domain when the configuration is loaded.

---

Prerequisites

•You must have previously enabled IEEE 802.1Q-in-802.1Q VLAN translation on either a Gigabit Ethernet WAN interface, or on a port-channel interface. See either the "Enabling IEEE 802.1Q-in-802.1Q Translation on a Gigabit Ethernet WAN Interface" section and the "Enabling IEEE 802.1Q-in-802.1Q Translation on a QinQ Link Bundle" section.

Restrictions

•You can configure a maximum of 32 inner CE VLANs for each outer PE VLAN. The inner VLANs must be in a contiguous block that starts on a 32-block boundary (0, 32, 64, and so on).

•VLAN 4095 is reserved and cannot be used as a CE VLAN. Packets that contain a CE VLAN ID of 4095 are automatically dropped by subinterfaces that are configured for QinQ translation. VLAN 4095, however, can continue to be used as a native (non-QinQ) VLAN.

•You cannot specify an out-of-range configuration for a PE VLAN until you have first configured at least one specific inner CE VLAN ID for that particular PE VLAN. This is required so that the system can determine which VLAN IDs are considered in-range or out-of-range.

•A PE VLAN cannot have the same ID as a native (non-QinQ) VLAN that is also being used on the router.

•Input service policies (the service-policy input command) are not supported on port-channels being used for QinQ link bundling.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface {ge-wan slot/port.subinterface | port-channel number.subinterface}

4. encapsulation dot1q trunk-vlan-id

5. bridge-domain vlan-id dot1q-tunnel {inner-vlan-id | out-range}

6. mls qos trust [cos | dscp | ip-precedence]

7. service policy input policy-name

8. service policy output policy-name

9. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable Router#	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 3	interface {ge-wan slot/port.subinterface | port-channel number.subinterface} Example: Router(config)# interface ge-wan 5/1.64 Router(config-subif)#	Enters subinterface mode for the specified subinterface.
Step 4	encapsulation dot1q trunk-vlan-id Example: Router(config-subif)# encapsulation dot1q 2 Router(config-subif)#	Configures the subinterface to use the specified IEEE 802.1Q trunk VLAN on outgoing packets: •trunk-vlan-id—Specifies the trunk VLAN ID to be used for this traffic. The valid range is any VLAN from 1 to 4094, except for the numbers already allocated and the numbers in the range from 1002 to 1005, which are reserved.
Step 5	bridge-domain vlan-id dot1q-tunnel {inner-vlan-id | out-range} Example: Router(config-subif)# bridge-domain 2 dot1q 64 Router(config-subif)# or Router(config-subif)# bridge-domain 2 dot1q out-range Router(config-subif)#	Creates a table map for the specified outer (provider) VLAN ID to the specified inner (customer) VLAN ID, specifying that the outer VLAN tag should be replaced by the trunk VLAN tag when the packet is output (leaving the inner tag unchanged): •vlan-id—VLAN ID for the provider edge (PE), or outer, VLAN. The valid range is 1 to 4094, except for the native VLAN (which defaults to 1) and the numbers in the range from 1002 to 1005, which are reserved. This value must match the VLAN that is actually configured on the provider edge router. •inner-vlan-id—VLAN ID for the customer edge (CE), or inner, VLAN that is to be mapped to this PE VLAN. The valid range is 1 to 4094, except for the numbers in the range from 1002 to 1005, which are reserved. •out-range—Matches all inner VLAN IDs that are outside of the previously mapped block of 32 VLANs for this particular provider VLAN. If you do not specify an out-range mapping for a PE VLAN, the interface drops all packets for that PE VLAN with a CE VLAN outside of the mapped block. Note You must configure at least one subinterface for a specific CE VLAN ID for a PE VLAN, before you can use the out-range command.
	Note When you specify the first inner-vlan-id for a PE VLAN, the interface automatically associates the correct block of 32 VLANs with that PE VLAN, and those CE VLANs cannot be used for any other purpose. For example, specifying a CE VLAN of 98 associates the VLANs from 96 to 127 with that PE VLAN. Any other CE VLANs received on that PE VLAN are considered out of range.
Step 6	mls qos trust [cos | dscp | ip-precedence] Example: Router(config-subif)# mls qos trust dscp Router(config-subif)#	(Optional) Specifies which quality of service (QoS) bits in incoming frames can be trusted. •cos—(Optional) Specifies that the CoS bits in incoming frames are trusted and derives the internal DSCP value from the CoS bits. •dscp—(Optional, default) Specifies that the ToS bits in the incoming packets contain a DSCP value. •ip-precedence—(Optional) Specifies that the IP precedence bits (found in the ToS bits) of incoming packets are trusted, and derives the internal DSCP value from the IP precedence bits. Note To configure the interface as untrusted, use the no mls qos trust command. The Layer 2 interface then zeroes out the P bits of all incoming packets before any QoS processing is done.
Step 7	service policy input policy-name Example: Router(config-subif)# service policy input policy-in1 Router(config-subif)#	(Supported only on physical GE-WAN interfaces, not port-channel interfaces) Specifies a policy map that should be used on incoming packets when they are received on the Gigabit Ethernet WAN interface.
Step 8	service policy output policy-name Example: Router(config-subif)# service policy output cos-xlat1 Router(config-subif)#	Specifies a policy map that should be used on outgoing packets before they leave the Gigabit Ethernet WAN interface.
	Note Repeat Step 3 through Step 8 for each subinterface/VLAN mapping to be configured.
Step 9	end Example: Router(config)# end Router#	Exits global configuration mode and returns to privileged EXEC mode.

Examples

The following shows a typical configuration that creates two double-tag-to-double-tag mappings on a subinterface. The first subinterface configuration creates a specific PE/CE mapping, and the second subinterface configuration creates an out-of-range configuration:

!

interface GE-WAN1/1.98

 encapsulation dot1Q 12

 bridge-domain 65 dot1q-tunnel 98

 mls qos trust dscp

end

...

!

interface GE-WAN1/1.5096

 encapsulation dot1Q 31

 bridge-domain 65 dot1q-tunnel out-range

 mls qos trust dscp

end

These QinQ mappings operate as follows:

•The first subinterface matches incoming packets that are tagged with a PE VLAN ID of 65 and a CE VLAN ID of 98, and translates those packets into an outgoing packet with a trunk VLAN ID of 12 and a CE VLAN ID of 98. This configuration also automatically associates the block of CE VLANs from 96 to 127 with PE VLAN 65. Any packets with a CE VLAN ID in that range that also have a PE VLAN ID of 65, and are not explicitly mapped by another subinterface, are dropped. Any other CE VLANs that are received on PE VLAN 65 are considered out of range.

•The second subinterface matches incoming packets that are tagged with a PE VLAN ID of 65, and that either do not have a CE VLAN tag, or that have a CE VLAN ID that is out of range (that is ranging from 1 to 95 or from 128 to 4094). These packets are translated to an outgoing packet that has a trunk VLAN ID of 31 and an unchanged CE VLAN tag (if present).

This configuration performs the following mapping on packets that have a PE VLAN ID of 65:

Table 1-2 Example Double-Tag-to-Double-Tag Mappings 

PE VLAN ID	CE VLAN ID	Action
65	1 to 95	Mapped to trunk VLAN 31, CE VLAN 1 to 31 (out of range)
65	96 to 97	Dropped (because not explicitly mapped)
65	98	Mapped to trunk VLAN 12, CE VLAN 98 (explicitly mapped by GE-WAN3/3.42)
65	99 to 127	Dropped (because not explicitly mapped)
65	128 to 4094	Mapped to trunk VLAN 31, CE VLAN 128 to 4094 (out of range)
65	(none)	Mapped to trunk VLAN 31 (out of range)

Configuring a Policy Map to Use the Inner COS Bits

By default, the IEEE 802.1Q-to-IEEE 802.1Q translation sets the IEEE 802.1P bits (P bits) in the IEEE 802.1Q header of the outgoing packet's trunk VLAN tag by copying the P bits from the outer PE VLAN tag. To change this behavior, create a policy map with a class map that contains the set cos cos-inner command. The system then copies the P bits from the inner CE VLAN tag to the trunk VLAN tag that is put on the outgoing packet.

Prerequisites

•After creating the policy map, you must apply it to the appropriate VLAN's subinterface by using the service-policy output command in subinterface configuration mode. See the following sections for more details:

–Configuring QinQ Translation—Double Tag to Single Tag Translation

–Configuring QinQ Transparent Tunneling—Double Tag to Double Tag Translation

Restrictions

•The set cos cos-inner command is supported only for subinterfaces that are configured with an inner CE VLAN. The set cos cos-inner command is not supported on subinterfaces that use the out-range option with the bridge-domain command.

•You cannot use these policy maps on a main Gigabit Ethernet WAN interface or on a main port-channel interface.

•For the set cos cos-inner command to have any effect, you must configure an interface or subinterface to be a trusted interface, using the mls qos trust command. Otherwise, if the interface or subinterface is untrusted, the interface zeroes out the 802.1P bits of incoming packets before the bits can be copied to the outgoing packets.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map policy-map-name

4. class {class-name | class-default}

5. set cos cos-inner

6. shape {average | peak} mean-rate [bc [be]]

7. (other configuration commands as desired)

8. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable Router#	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 3	policy-map policy-map-name Example: Router(config)# policy-map pmap1 Router(config-pmap)#	Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy, and enters policy-map configuration mode. •policy-map-name—Name of the policy map. The name can be a maximum of 40 alphanumeric characters.
Step 4	class {class-name | class-default} Example: Router(config-pmap)# class class-default Router(config-pmap-c)#	Creates or modifies a policy class, and enters policy map class configuration mode. •class-name—Name of the class to be configured or modified. •class-default—Specifies the default class that should be used when no other class has been specified.
Step 5	set cos cos-inner Example: Router(config-pmap-c)# set cos cos-inner Router(config-pmap-c)#	(Optional) Sets the IEEE 802.1 prioritization bits (P bits) of the trunk VLAN tag of an IEEE 802.1Q-in-802.1Q translated outgoing packet with the priority value from the incoming packet's inner (customer edge) VLAN tag. The default value is the no form of this command, which uses the P bits from the incoming packet's outer (provider edge) VLAN tag.
Step 6	shape {average | peak} mean-rate [bc [be]] Example: Router(config-pmap-c)# shape average 4000000 16000 16000 Router(config-pmap-c)#	(Optional) Specifies the traffic shaping rates to be used with this policy: •average—(Optional) Maximum number of bits sent out in each interval is equal to the committed burst size (Bc). •peak—(Optional) Specifies that the maximum number of bits sent out in each interval is equal to the burst size (Bc) plus the excess burst size (Be). •mean-rate—(Optional) Also called committed information rate (CIR). Indicates the bit rate used to shape the traffic, in bits per second. •bc—(Optional) The number of bits in a measurement interval burst size (Bc). •be—(Optional) The number of bits permitted to go over the excess burst size (Be).
Step 7	end Example: Router(config-pmap-c)# end Router#	Exits policy-map class configuration mode and returns to privileged EXEC mode.

Examples

The following example shows a typical policy map configuration using the set cos cos-inner command:

!

policy-map pmap1

  class class-default

    shape average 4000000 

    set cos cos-inner 

Disabling IEEE 802.1Q-in-802.1Q Mapping and Translation

To disable the mapping and translation of IEEE 802.1Q-in-802.1Q double-tagged packets on the Gigabit Ethernet interface or on one of its subinterfaces, use one of the following procedures:

•Disabling All IEEE 802.1Q-to-802.1Q Translation on An Interface

•Disabling IEEE 802.1Q-to-802.1Q Translation on One Subinterface

Disabling All IEEE 802.1Q-to-802.1Q Translation on An Interface

To disable all IEEE 802.1Q-to-802.1Q translation on a Gigabit Ethernet WAN interface or a port-channel interface, use the following procedure. This procedure also removes all subinterfaces and their configurations from the interface, which then allows the associated VLANs to be used for other purposes or on other cards.

---

Tip Be sure to save the configuration before you begin this procedure if you want to move the configuration to another interface.

---

---

Note Removing the interface card from the router does not remove the interface configuration, because the Cisco IOS software assumes you will be performing an online insertion and removal (OIR) operation. You must disable IEEE 802.1Q-in-802.1Q translation from all interfaces on a card before removing the card from the chassis, before the VLANs that are configured on the card can become available for use by other interfaces.

---

---

Note You should perform online insertion and removal (OIR) in a redundant route processor system only after the standby state reaches a terminal state of the configured High Availability mode.

---

.Prerequisites

If you have previously attached a service policy that contains a set cos cos-inner command to the interface, you must first remove that service policy before you can use the no mode dot1q-in-dot1q access-gateway command.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface {ge-wan slot/port | port-channel number}

4. shutdown

5. no mode dot1q-in-dot1q access-gateway

6. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable Router#	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 3	interface {ge-wan slot/port | port-channel number} Example: Router(config)# interface ge-wan 5/1 Router(config-if)#	Enters interface configuration mode for the specified Gigabit Ethernet WAN interface or port-channel interface.
Step 4	shutdown Example: Router(config-if)# shutdown Router(config-if)#	(Optional) Disables the interface and prevents it from passing traffic.
Step 5	no mode dot1q-in-dot1q access-gateway Example: Router(config-if)# no mode dot1q-in-dot1q access-gateway Router(config-if)#	Disables IEEE 802.1Q-in-802.1Q translation on the interface. This disables the Advanced QinQ Service Mapping feature, and removes all subinterface configuration from the interface. Note Be sure to save the configuration before giving this command if you plan to move the configuration to another interface.
Step 6	end Example: Router(config-if)# end Router#	Exits global configuration mode and returns to privileged EXEC mode.

Disabling IEEE 802.1Q-to-802.1Q Translation on One Subinterface

Use the following procedure to disable IEEE 802.1Q-to-802.1Q translation on an individual subinterface. You can either completely delete the subinterface, or you can remove just the bridge-domain configuration on the subinterface, depending on whether you want to use the subinterface to continue passing other traffic. Both methods release the CE and PE VLANs being used on the subinterface.

Prerequisites

If you have previously attached a service policy that contains a set cos cos-inner command to the interface, you must first remove that service policy before you can use the no bridge-domain command.

SUMMARY STEPS

1. enable

2. configure terminal

3. no interface {ge-wan slot/port.subinterface | port-channel number.subinterface}

or

4. interface {ge-wan slot/port.subinterface | port-channel number.subinterface}

5. no bridge-domain vlan-id dot1q {inner-vlan-id | out-range}

6. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable Router#	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 3	no interface {ge-wan slot/port.subinterface | port-channel number.subinterface} Example: Router(config)# no interface ge-wan 5/1.64 Router(config-subif)#	Completely removes the subinterface and its configuration. All traffic passing through this interface stops. Note After entering this command, proceed to Step 6.
or
Step 4	interface {ge-wan slot/port.subinterface | port-channel number.subinterface} Example: Router(config)# interface ge-wan 5/1.64 Router(config-subif)#	Enters subinterface mode for the specified subinterface.
Step 5	no bridge-domain vlan-id dot1q {inner-vlan-id | out-range} Example: Router(config-subif)# no bridge-domain 2 dot1q 64 Router(config-subif)#	Removes the table mapping for this subinterface, disabling the IEEE 802.1Q-to-IEEE802.1Q translation for this particular combination of VLANs. Traffic continues to pass, depending on the remaining configuration of the subinterface.
Step 6	end Example: Router(config-subif)# end Router#	Exits subinterface configuration mode and returns to privileged EXEC mode.

Configuration Examples for Advanced QinQ Service Mapping

This section provides the following sample configurations:

•QinQ Translation Configuration Example—Two-Tag to One-Tag Translation

•QinQ Transparent Tunneling Configuration Example

•QinQ Translation Using Port-Channel Interfaces Example

QinQ Translation Configuration Example—Two-Tag to One-Tag Translation

The following excerpt from a configuration file shows the configuration for a simple QinQ translation, in which incoming packets are received with inner customer edge (CE) and outer provider edge (PE) VLAN tags. The packets are then output, using the configured policy map, with a single trunk VLAN tag.

This configuration configures Gigabit Ethernet WAN interface 4/1 as the QinQ access gateway, and shows two PE-to-CE mappings:

•The first set of subinterfaces is configured for a PE VLAN ID of 2 and CE VLAN IDs in the range of 32 to 46. These subinterfaces are all configured as trusted (mls qos trust dscp) and use policy maps that use the set cos cos-inner command, so that the 802.1P bits in the customer's original CE VLAN tag are copied to the outgoing trunk VLAN tag.

Subinterface 47 is configured to match any packets that arrive with a PE VLAN ID of 2 and an out-of-range CE VLAN ID (between 47 and 63). Note that the set cos cos-inner command has no effect on out-of-range packets, even when using a policy map that includes this command.

•The second set of subinterfaces is configured for a trunk VLAN ID of 100 and a PE VLAN ID of 45. These subinterfaces accept incoming CE VLAN IDs in the range of 1237 to 1240. This configuration does not include an out-of-range subinterface, so any packets that arrive with a PE VLAN ID of 45 and an out-of-range CE VLAN ID (from 1216 to 1236 and from 1241 to 1247) are dropped. All subinterfaces use a policy map that does not include the set cos cos-inner command, which means that the trunk VLAN tag uses the 802.1P bits in the original PE VLAN tag.

!

vlan internal allocation policy descending

!

vlan 1-1240 

!

policy-map pmap1

  class class-default

    shape average 4000000 

   set cos cos-inner

policy-map pmap2

  class class-default

    shape average 8000000 32000 32000

   set cos cos-inner

policy-map pmap3

  class class-default

    shape average 20000000 80000 80000

   set cos cos-inner

policy-map pmap4

  class class-default

    shape average 2000000 16000 16000

!

!

interface GigabitEthernet4/1

 description connected to SP GE1/3

 no ip address

 logging event link-status

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

!

interface GigabitEthernet4/2

 no ip address

 shutdown

!

!--This is the QinQ Access Gateway interface 

interface GE-WAN4/1

 description connected to PE-4 GigabitEthernet0/3 

 no ip address

 logging event link-status

 negotiation auto

 mode dot1q-in-dot1q access-gateway

!--This command configures the interface as trusted, which 

!--is required to be able to use the original packet's 802.1P CoS bits. 

 mls qos trust dscp

!--First set of PE/CE mappings 

!

interface GE-WAN4/1.32

 encapsulation dot1Q 32 

!--note that this bridge-domain command automatically configures the 

!--CE VLAN range for this PE VLAN to be from 32 to 63 

 bridge-domain 2 dot1q 32 

 mls qos trust dscp

 service-policy output pmap3

!

interface GE-WAN4/1.33

 encapsulation dot1Q 33 

 bridge-domain 2 dot1q 33

 mls qos trust dscp

 service-policy output pmap2

!

interface GE-WAN4/1.34

 encapsulation dot1Q 34

 bridge-domain 2 dot1q 34

 mls qos trust dscp

 service-policy output pmap1

!

interface GE-WAN4/1.35

 encapsulation dot1Q 35

 bridge-domain 2 dot1q 35

 mls qos trust dscp

 service-policy output pmap2

!

interface GE-WAN4/1.36

 encapsulation dot1Q 36

 bridge-domain 2 dot1q 36

 mls qos trust dscp

 service-policy output pmap3

!

interface GE-WAN4/1.37

 encapsulation dot1Q 37

 bridge-domain 2 dot1q 37

 mls qos trust dscp

 service-policy output pmap1

!

interface GE-WAN4/1.38

 encapsulation dot1Q 38

 bridge-domain 2 dot1q 38

 mls qos trust dscp

 service-policy output pmap1

!

interface GE-WAN4/1.39

 encapsulation dot1Q 39

 bridge-domain 2 dot1q 39

 mls qos trust dscp

 service-policy output pmap2

!

interface GE-WAN4/1.40

 encapsulation dot1Q 40

 bridge-domain 2 dot1q 40

 mls qos trust dscp

 service-policy output pmap3

!

interface GE-WAN4/1.41

 encapsulation dot1Q 41

 bridge-domain 2 dot1q 41 

 mls qos trust dscp

 service-policy output pmap2

!

interface GE-WAN4/1.42

 encapsulation dot1Q 42

 bridge-domain 2 dot1q 42

 mls qos trust dscp

 service-policy output pmap1

!

interface GE-WAN4/1.43

 encapsulation dot1Q 43

 bridge-domain 2 dot1q 43

 mls qos trust dscp

 service-policy output pmap2

!

interface GE-WAN4/1.44

 encapsulation dot1Q 44

 bridge-domain 2 dot1q 44

 mls qos trust dscp

 service-policy output pmap3

!

interface GE-WAN4/1.45

 encapsulation dot1Q 45

 bridge-domain 2 dot1q 45 

 mls qos trust dscp

 service-policy output pmap3

!

interface GE-WAN4/1.46 

 encapsulation dot1Q 46 

 bridge-domain 2 dot1q 46 

 mls qos trust dscp

 service-policy output pmap1

!

interface GE-WAN4/1.47

 description out-of-range configuration for CE VLANs 47 to 63

 encapsulation dot1Q 47 

 bridge-domain 2 dot1q-tunnel out-range 

 mls qos trust dscp

!-- Although this policy map includes the set cos cos-inner command, 

!-- this command is not used for out-of-range packets 

 service-policy output pmap4 

!--Second set of PE/CE mappings 

!

interface GE-WAN4/1.1237

 encapsulation dot1Q 1237 

!--note that this bridge-domain command automatically configures the 

!--CE VLAN range for this PE VLAN to be from 1216 to 1247 

 bridge-domain 45 dot1q 1237

 no mls qos trust 

 service-policy output pmap4

!

interface GE-WAN4/1.1238

 encapsulation dot1Q 1238 

 bridge-domain 45 dot1q 1238

 no mls qos trust 

 service-policy output pmap4

!

interface GE-WAN4/1.1239

 encapsulation dot1Q 1239 

 bridge-domain 45 dot1q 1239

 no mls qos trust 

 service-policy output pmap4

!

interface GE-WAN4/1.1240

 encapsulation dot1Q 1240 

 bridge-domain 45 dot1q 1240

 no mls qos trust 

 service-policy output pmap4

...

QinQ Transparent Tunneling Configuration Example

The following excerpt from a configuration file shows a typical configuration for a simple QinQ transparent tunneling configuration, in which incoming packets are received with inner customer edge (CE) and outer provider edge (PE) VLAN tags. The packets are then output, using the configured policy map, with a new trunk VLAN tag and the original inner CE VLAN tag. This configuration is called two-tag to one-tag translation.

This configuration configures Gigabit Ethernet WAN interface 4/1 as the QinQ access gateway, and creates a PE/CE mapping with the following characteristics:

•PE VLAN ID of 152.

•CE VLAN IDs in the range from 2048 to 2079.

•Subinterface GE-WAN 4/1.15233 matches any packets that contain CE VLAN IDs that are outside of this range (either from 1 to 2047 or from 2080 to 4094).

•The interface and all subinterfaces, except for the out-of-range subinterface, are configured as trusted (mls qos trust dscp), which allows them to copy the 802.1P bits in the packet's original PE VLAN tag to the outgoing trunk VLAN tag. (The original CE VLAN tag is unchanged and includes its original 802.1P bits.)

!

vlan internal allocation policy descending

!

vlan 1-4094 

...

!--This is an IP LAN interface 

interface GigabitEthernet4/1

 description QinQ tunnel to Catalyst 3550 Gigabit Ethernet 0/6

 no ip address

 switchport

 switchport trunk encapsulation dot1q

 switchport trunk allowed vlan 340

 switchport mode trunk

!

!

interface GigabitEthernet4/2

 no ip address

 shutdown

!

!--This is the QinQ Access Gateway interface 

interface GE-WAN4/1

 description connected to GSR Gigabit Ethernet 4/1

 no ip address

 logging event link-status

 no negotiation auto

 mode dot1q-in-dot1q access-gateway

 mls qos trust dscp

!

interface GE-WAN4/1.15201

 encapsulation dot1Q 180

!--note that this bridge-domain command automatically configures the 

!--CE VLAN range for this PE VLAN to be from 2048 to 2079 

 bridge-domain 152 dot1q-tunnel 2048 

 mls qos trust dscp

!

interface GE-WAN4/1.15203

 encapsulation dot1Q 182

 bridge-domain 152 dot1q-tunnel 2049 

 mls qos trust dscp

!

interface GE-WAN4/1.15204

 encapsulation dot1Q 183

 bridge-domain 152 dot1q-tunnel 2050 

 mls qos trust dscp

!

interface GE-WAN4/1.15205

 encapsulation dot1Q 184

 bridge-domain 152 dot1q-tunnel 2051 

 mls qos trust dscp

!

interface GE-WAN4/1.15206

 encapsulation dot1Q 185

 bridge-domain 152 dot1q-tunnel 2052 

 mls qos trust dscp

!

interface GE-WAN4/1.15207

 encapsulation dot1Q 186

 bridge-domain 152 dot1q-tunnel 2053 

 mls qos trust dscp

!

interface GE-WAN4/1.15208

 encapsulation dot1Q 187

 bridge-domain 152 dot1q-tunnel 2054 

 mls qos trust dscp

!

interface GE-WAN4/1.15209

 encapsulation dot1Q 188

 bridge-domain 152 dot1q-tunnel 2055 

 mls qos trust dscp

!

interface GE-WAN4/1.15210

 encapsulation dot1Q 189

 bridge-domain 152 dot1q-tunnel 2056 

 mls qos trust dscp

!

interface GE-WAN4/1.15211

 encapsulation dot1Q 190

 bridge-domain 152 dot1q-tunnel 2057 

 mls qos trust dscp

!

interface GE-WAN4/1.15212

 encapsulation dot1Q 191

 bridge-domain 152 dot1q-tunnel 2058 

 mls qos trust dscp

!

interface GE-WAN4/1.15213

 encapsulation dot1Q 192

 bridge-domain 152 dot1q-tunnel 2059 

 mls qos trust dscp

!

interface GE-WAN4/1.15214

 encapsulation dot1Q 193

 bridge-domain 152 dot1q-tunnel 2060 

 mls qos trust dscp

!

interface GE-WAN4/1.15215

 encapsulation dot1Q 194

 bridge-domain 152 dot1q-tunnel 2061 

 mls qos trust dscp

!

interface GE-WAN4/1.15216

 encapsulation dot1Q 195

 bridge-domain 152 dot1q-tunnel 2062 

 mls qos trust dscp

!

interface GE-WAN4/1.15217

 encapsulation dot1Q 196

 bridge-domain 152 dot1q-tunnel 2063 

 mls qos trust dscp

!

interface GE-WAN4/1.15218

 encapsulation dot1Q 197

 bridge-domain 152 dot1q-tunnel 2064 

 mls qos trust dscp

!

interface GE-WAN4/1.15219

 encapsulation dot1Q 198

 bridge-domain 152 dot1q-tunnel 2065 

 mls qos trust dscp

!

interface GE-WAN4/1.15220

 encapsulation dot1Q 199

 bridge-domain 152 dot1q-tunnel 2066 

 mls qos trust dscp

!

interface GE-WAN4/1.15221

 encapsulation dot1Q 200

 bridge-domain 152 dot1q-tunnel 2067 

 mls qos trust dscp

!

interface GE-WAN4/1.15222

 encapsulation dot1Q 201

 bridge-domain 152 dot1q-tunnel 2068 

 mls qos trust dscp

!

interface GE-WAN4/1.15223

 encapsulation dot1Q 202

 bridge-domain 152 dot1q-tunnel 2069 

 mls qos trust dscp

!

interface GE-WAN4/1.15224

 encapsulation dot1Q 203

 bridge-domain 152 dot1q-tunnel 2070 

 mls qos trust dscp

!

interface GE-WAN4/1.15225

 encapsulation dot1Q 204

 bridge-domain 152 dot1q-tunnel 2071 

 mls qos trust dscp

!

interface GE-WAN4/1.15226

 encapsulation dot1Q 205

 bridge-domain 152 dot1q-tunnel 2072 

 mls qos trust dscp

!

interface GE-WAN4/1.15227

 encapsulation dot1Q 206

 bridge-domain 152 dot1q-tunnel 2073 

 mls qos trust dscp

!

interface GE-WAN4/1.15228

 encapsulation dot1Q 207

 bridge-domain 152 dot1q-tunnel 2074 

 mls qos trust dscp

!

interface GE-WAN4/1.15229

 encapsulation dot1Q 208

 bridge-domain 152 dot1q-tunnel 2075

 mls qos trust dscp

!

interface GE-WAN4/1.15230

 encapsulation dot1Q 209

 bridge-domain 152 dot1q-tunnel 2076

 mls qos trust dscp

!

interface GE-WAN4/1.15231

 encapsulation dot1Q 210

 bridge-domain 152 dot1q-tunnel 2077

 mls qos trust dscp

!

interface GE-WAN4/1.15232

 encapsulation dot1Q 211

 bridge-domain 152 dot1q-tunnel 2078

 mls qos trust dscp

!

! This creates an out-of-range configuration that matches CE VLANs

! that are out of the configured CE VLAN range of 2048 to 2079

interface GE-WAN4/1.15233

 encapsulation dot1Q 212

 bridge-domain 152 dot1q-tunnel out-range

 no mls qos trust

!

...

QinQ Translation Using Port-Channel Interfaces Example

The following shows a sample configuration of a QinQ link bundle that contains two GE-WAN physical interfaces. Note that the bridge-domain commands are configured on the subinterfaces of the port-channel virtual interface.

vlan internal allocation policy ascending

!

vlan 1, 100-1000, 2976-3008 

!

policy-map pmap4

  class class-default

   set cos cos-inner

policy-map pmap1

  class class-default

    shape average 4000000 

   set cos cos-inner

policy-map pmap2

  class class-default

    shape average 8000000 32000 32000

policy-map pmap3

  class class-default

    shape average 20000000 80000 80000

!

!

interface Port-channel1

 no ip address

 logging event link-status

 mode dot1q-in-dot1q access-gateway

!

interface Port-channel1.101

 encapsulation dot1Q 101

 bridge-domain 101 dot1q 101 

 service-policy output pmap1

!

interface Port-channel1.102

 encapsulation dot1Q 102

 bridge-domain 102 dot1q 102 

 service-policy output pmap2

!

interface Port-channel1.103

  encapsulation dot1Q 103

  bridge-domain 103 dot1q 103

!

interface Port-channel1.104

  encapsulation dot1Q 104

  bridge-domain 104 dot1q 104

!

interface Port-channel1.201

  encapsulation dot1Q 201

  bridge-domain 201 dot1q 201

!

!

! GigabitEthernet interfaces are not used for QinQ

!  link bundling, but can be used for 

!  other purposes 

interface GigabitEthernet4/1

 no ip address

 shutdown

!

interface GigabitEthernet4/2

 no ip address

 shutdown

!

interface GE-WAN4/1

 no ip address

 logging event link-status

 negotiation auto

 mls qos trust dscp

 channel-group 1 mode on

!

interface GE-WAN4/2

 no ip address

 logging event link-status

 negotiation auto

 mls qos trust dscp

 channel-group 1 mode on

!

interface GE-WAN4/3

 no ip address

 shutdown 

!

interface GE-WAN4/4 

 no ip address

 shutdown 

...