Virtual LAN Commands

This section describes the commands used to configure virtual LANs in Layer 2 VPNs.


Note


All commands applicable for the Cisco NCS 5500 Series Router are also supported on the Cisco NCS 540 Series Router that is introduced from Cisco IOS XR Release 6.3.2. References to earlier releases in Command History tables apply to only the Cisco NCS 5500 Series Router.



Note


  • Starting with Cisco IOS XR Release 6.6.25, all commands applicable for the Cisco NCS 5500 Series Router are also supported on the Cisco NCS 560 Series Routers.

  • Starting with Cisco IOS XR Release 6.3.2, all commands applicable for the Cisco NCS 5500 Series Router are also supported on the Cisco NCS 540 Series Router.

  • References to releases before Cisco IOS XR Release 6.3.2 apply to only the Cisco NCS 5500 Series Router.

  • Cisco IOS XR Software Release 7.0.1 specific updates are not applicable for the following variants of Cisco NCS 540 Series Routers:

    • N540-28Z4C-SYS-A

    • N540-28Z4C-SYS-D

    • N540X-16Z4G8Q2C-A

    • N540X-16Z4G8Q2C-D

    • N540X-16Z8Q2C-D

    • N540-12Z20G-SYS-A

    • N540-12Z20G-SYS-D

    • N540X-12Z16G-SYS-A

    • N540X-12Z16G-SYS-D


For detailed information about concepts and configuration, see the Configure Virtual LANs in Layer 2 VPNs chapter in the L2VPN and Ethernet Services Configuration Guide for Cisco NCS 5500 Series Routers, the L2VPN and Ethernet Services Configuration Guide for Cisco NCS 540 Series Routers, and the L2VPN and Ethernet Services Configuration Guide for Cisco NCS 560 Series Routers.

encapsulation default

To configure the default service instance on a port, use the encapsulation default command in the Interface configuration mode. To delete the default service instance on a port, use the no form of this command.

encapsulation default

Syntax Description

This command has no keywords or arguments.

Command Default

No matching criteria are defined.

Command Modes

Interface configuration

Command History

Release

Modification

Release 6.0.1

This command was introduced.

Usage Guidelines

If the default service instance is the only one configured on a port, the encapsulation default command matches all ingress frames on that port. If the default service instance is configured on a port that has other non-default service instances, the encapsulation default command matches frames that are unmatched by those non-default service instances (anything that does not meet the criteria of other service instances on the same physical interface falls into this service instance).

Only a single default service instance can be configured per interface. If you attempt to configure more than one default service instance per interface, the encapsulation default command is rejected.

Only one encapsulation command must be configured per service instance.

Examples

The following example shows how to configure a service instance on a port:


Router(config-if)# encapsulation default

encapsulation dot1q

To define the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance, use the encapsulation dot1q command in the interface configuration mode. To delete the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance, use the no form of this command.

encapsulation dot1q {any | vlan-id [,vlan-id [-vlan-id]]} second-dot1q vlan-id

no encapsulation dot1q {any | vlan-id [,vlan-id [-vlan-id]]} second-dot1q vlan-id

Syntax Description

vlan-id

VLAN ID, can be given as single ID.

From Release 6.6.2 onwards, VLAN ID can be given as ranges also.

Command Default

No matching criteria are defined.

Command Modes

Interface configuration

Command History

Release

Modification

Release 6.0.1

This command was introduced.

Release 6.6.2

VLAN ID ranges are introduced for inner and outer VLAN tags.

Usage Guidelines

Only one encapsulation statement can be applied to a sub-interface. Encapsulation statements cannot be applied to main interfaces.

A single encapsulation dot1q statement specifies matching for frames with a single VLAN ID.

Examples

The following example shows how to map 802.1Q frames ingress on an interface to the appropriate service instance:

Router(config-if)# encapsulation dot1q 10

The following example shows how to map 802.1Q frames ingress on an l2transport sub-interface:

Router# configure
Router(config)# interface TenGigE 0/1/0/3.10 l2transport
Router(config-subif)# encapsulation dot1q 10

encapsulation dot1ad

To define the matching criteria to map 802.1ad frames ingress on an interface to the appropriate service instance, use the encapsulation dot1ad command in the interface configuration mode. To delete the matching criteria to map 802.1ad frames ingress on an interface to the appropriate service instance, use the no form of this command.

encapsulation dot1ad vlan-id [second-dot1ad vlan-id]

no encapsulation dot1ad

Syntax Description

vlan-id

VLAN ID, can be given as single ID.

Command Default

No matching criteria are defined.

Command Modes

Interface configuration

Command History

Release

Modification

Release 6.0.1

This command was introduced.

Usage Guidelines

Only one encapsulation statement can be applied to a sub-interface. Encapsulation statements cannot be applied to main interfaces.

A single encapsulation dot1ad statement specifies matching for frames with a single VLAN ID.

Examples

The following example shows how to map 802.1ad frames ingress on an interface to the appropriate service instance:

Router(config-if)# encapsulation dot1ad 10

The following example shows how to map 802.1ad frames ingress on an l2transport sub-interface:

Router# configure
Router(config)# interface TenGigE 0/1/0/3.10 l2transport
Router(config-subif)# encapsulation dot1ad 10

encapsulation dot1q second-dot1q

To define the matching criteria to map Q-in-Q ingress frames on an interface to the appropriate service instance, use the encapsulation dot1q second-dot1q command in the interface configuration mode. To remove the configuration, use the no form of this command.

encapsulation dot1q {any | vlan-id [,vlan-id [-vlan-id]]} second-dot1q vlan-id [,vlan-id [-vlan-id]]

no encapsulation dot1q {any | vlan-id [,vlan-id [-vlan-id]]} second-dot1q vlan-id [,vlan-id [-vlan-id]]

Syntax Description

vlan-id

VLAN ID, can be given as single ID.

From Release 6.6.2 onwards, VLAN ID can be given as ranges also.

second-dot1q

(Optional) Specifies IEEE 802.1Q VLAN tagged packets.

Command Default

No matching criteria are defined.

Command Modes

Interface configuration

Command History

Release

Modification

Release 6.0.1

This command was introduced.

Release 6.6.2

VLAN ID ranges are introduced for inner and outer VLAN tags.

Usage Guidelines

The following restrictions are applicable for this command:

  • The outer tag must be unique and the inner tag may be a single VLAN.

  • A QinQ service instance allows single or multiple VLAN IDs on second-dot1q.

  • Only one encapsulation command must be configured per service instance.

  • Overlapping inner VLAN ranges are not supported.

  • VLAN ID ranges cannot be used for both outer and inner tags, simultaneously.

    For example:

    encapsulation dot1q 10-20 second-dot1q 30-40 is not allowed.

    But either dot1q 10-20 second-dot1q 30 or dot1q 10 second-dot1q 30-40 is allowed.

Restrictions for NCS 5700 routers and line cards:

  • A configuration where the inner VLAN tag is set to any is not supported.

  • All Attachment Circuits (ACs) under a given Flexible Cross-Connect (FXC) should have the same number of VLAN tags after a rewrite operation. For example, the router does not support a configuration that contains one AC with two VLAN tags, and another AC with a single VLAN tag.

Examples

The following example shows how to map ingress frames to a service instance:

Router(config-if)# encapsulation dot1q 10 second-dot1q 20

The following example shows how to map ingress frames to a service instance, using VLAN ID ranges:


Router(config-if)# encapsulation dot1q 10-20 second-dot1q 30

encapsulation dot1ad dot1q

To define the matching criteria to be used in order to map single-tagged 802.1ad frames ingress on an interface to the appropriate service instance, use the encapsulation dot1ad dot1q command in sub-interface configuration mode. To remove the configuration, use the no form of this command.

encapsulation dot1ad vlan-id dot1q vlan-id

no encapsulation dot1ad vlan-id dot1q vlan-id

Syntax Description

dot1ad

Indicates that the IEEE 802.1ad provider bridges encapsulation type is used for the outer tag.

dot1q

Indicates that the IEEE 802.1q standard encapsulation type is used for the inner tag.

vlan-id

VLAN ID, can be given as single ID.

Command Default

No matching criteria are defined.

Command Modes

Sub-interface configuration

Command History

Release

Modification

Release 6.0.1

This command was introduced.

Usage Guidelines

The outer VLAN tag is an 802.1ad VLAN tag, instead of an 802.1Q tag. An 802.1ad tag has an ethertype value of 0x88A8, instead of 0x8100 that 802.1Q uses.

Some of the fields in the 802.1ad VLAN header are interpreted differently per 802.1ad standard.

A tunneling ethertype command applied to the main interface does not apply to an 802.1ad sub-interface. An interface with encapsulation dot1ad causes the router to categorize the interface as an 802.1ad interface. This causes special processing for certain protocols and other features:

  • MSTP uses the IEEE 802.1ad MAC STP address instead of the STP MAC address.
  • Certain QoS functions may use the Drop Eligibility (DE) bit of the IEEE 802.1ad tag.

Examples

The following example shows how to map single-tagged 802.1ad ingress frames to a service instance:


Router(config-subif)# encapsulation dot1ad 100 dot1q 20

encapsulation list-extended dot1q

To configure up to 64 VLAN-IDs, either on the outer or on the inner VLAN list, use the encapsulation list-extended dot1q command in the interface configuration mode. To remove the VLAN-ID configuration, use the no form of this command.

encapsulation list-extended dot1q vlan-id

no encapsulation list-extended dot1q vlan-id

Syntax Description

vlan-id

VLAN ID, can be given as a single ID or as a comma-separated list of VLAN IDs and VLAN ranges in the form a-b, c, d, e-f, g and so on. You can configure up to 64 VLAN-IDs.

Command Default

If the encapsulation command is not configured, no matching criteria are defined for that subinterface.

Command Modes

Interface configuration

Command History

Release

Modification

Release 7.8.1

This command was introduced.

Usage Guidelines

Do not use both the encapsulation default and encapsulation list-extended commands on the same subinterface.

  • If you migrate from the encapsulation command to the encapsulation list-extended command, the no encapsulation command must precede the encapsulation list-extended command.

  • If you migrate from the encapsulation list-extended command to the encapsulation command, the no encapsulation list-extended command must precede the encapsulation command.

The encapsulation list-extended dot1q command supports only a comma-separated list of outer and inner VLAN tags or VLAN ranges, along with untagged Ethernet frames (no spaces are allowed between the tags).

Examples

The following example shows how to configure the maximum number of VLAN IDs, on an L2 subinterface:

Router(config)# interface TenGigabitEthernet 0/0/0/1.101 l2transport
Router(config-subif)# encapsulation list-extended dot1q 66-67,68-69,70-71,118-119,120-121,122-123,229,230,231

encapsulation untagged

To define the matching criteria to map untagged ingress Ethernet frames on an interface to the appropriate service instance, use the encapsulation untagged command in the Interface configuration mode. To delete the matching criteria to map untagged ingress Ethernet frames on an interface to the appropriate service instance, use the no form of this command.

encapsulation untagged [ ingress source-mac mac-address ]

no encapsulation untagged

Syntax Description

ingress source-mac

(Optional) Performs MAC-based matching.

mac-address

Specifies the source MAC address.

Command Default

No matching criteria are defined.

Command Modes

Interface configuration

Command History

Release

Modification

Release 6.0.1

This command was introduced.

Usage Guidelines

Only one service instance per port is allowed to have untagged encapsulation, so that incoming frames can be mapped unambiguously to the service instance. However, a port that hosts a service instance matching untagged traffic can also host other service instances that match tagged frames. Only one encapsulation command may be configured per service instance.

Only one subinterface may be configured as encapsulation untagged. This interface is referred to as the untagged subinterface or untagged EFP (in case of an L2 interface).

The untagged subinterface has a higher priority than the main interface; all untagged traffic, including L2 protocol traffic, passes through this subinterface rather than the main interface. If the ethernet filtering command is applied to a main interface having an untagged subinterface, the filtering is applied to the untagged subinterface.

Examples

The following example shows how to map untagged ingress Ethernet frames to a service instance:

Example 1:


Router# configure
Router(config-if)# encapsulation untagged

Example 2:


Router# configure
Router(config)# interface GigabitEthernet 0/1/1/0.100 l2transport
Router(config-subif)# encapsulation untagged
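
The matching behaviour described for encapsulation default, dot1q, dot1ad and untagged can be checked offline with a small model. The following Python sketch is an added example, not Cisco code: it handles single-VLAN-ID statements only, matches on the outermost tag, and the sub-interface names and test frames are constructed for illustration.

```python
import struct

TPID_DOT1Q, TPID_DOT1AD = 0x8100, 0x88A8  # ethertypes named in this reference

def outer_tag(frame):
    """Return (tpid, vlan_id) of the outermost VLAN tag, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid not in (TPID_DOT1Q, TPID_DOT1AD):
        return None
    if len(frame) < 18:
        raise ValueError("truncated VLAN tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tpid, tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID

def classify(frame, instances):
    """Map a frame to a service instance name; instances = {name: encapsulation}."""
    tag = outer_tag(frame)
    default = None
    for name, encap in instances.items():
        words = encap.split()
        if words == ["default"]:
            default = name  # remembered, used only if nothing else matches
        elif words == ["untagged"] and tag is None:
            return name
        elif len(words) == 2 and words[1].isdigit() and tag is not None:
            want = {"dot1q": TPID_DOT1Q, "dot1ad": TPID_DOT1AD}.get(words[0])
            if (want, int(words[1])) == tag:
                return name
    return default  # catch-all instance, or None when no default is configured

def make_frame(tpid=None, vid=0):
    """Constructed test frame: dummy MACs, optional VLAN tag, IPv4 ethertype."""
    hdr = bytes.fromhex("ffffffffffff" "020000000001")
    tag = struct.pack("!HH", tpid, vid) if tpid else b""
    return hdr + tag + struct.pack("!H", 0x0800) + b"\x00" * 46

# Constructed port layout (sub-interface names are hypothetical)
PORT = {".10": "dot1q 10", ".20": "dot1ad 20", ".1": "untagged", ".999": "default"}

if __name__ == "__main__":
    for tpid, vid in [(TPID_DOT1Q, 10), (TPID_DOT1AD, 20), (None, 0), (TPID_DOT1Q, 30)]:
        print(tpid, vid, "->", classify(make_frame(tpid, vid), PORT))
```

When auditing a port, the frames that land in the default instance are the ones to review, since every VLAN ID not claimed elsewhere on the port ends up there.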

rewrite ingress tag

To specify the encapsulation adjustment that is to be performed on the frame ingress to the service instance, use the rewrite ingress tag command in the interface configuration mode. To delete the encapsulation adjustment that is to be performed on the frame ingress to the service instance, use the no form of this command.

rewrite ingress tag {push {dot1q vlan-id} | pop {1} | translate {1-to-1 {dot1q vlan-id} | 1-to-2 {dot1q vlan-id} | 2-to-2 {dot1q vlan-id dot1q vlan-id} | 2-to-1 dot1q vlan-id}} [symmetric]

no rewrite ingress tag {push {dot1q vlan-id} | pop {1} | translate {1-to-1 {dot1q vlan-id} | 1-to-2 {dot1q vlan-id} | 2-to-2 {dot1q vlan-id dot1q vlan-id} | 2-to-1 dot1q vlan-id}} [symmetric]

Syntax Description

vlan-id

VLAN ID, can be given as single ID.

push dot1q vlan-id

Pushes one 802.1Q tag with vlan-id.

pop {1}

One tag is removed from the packet. This command can be combined with a push (pop N and subsequent push vlan-id).

translate 1-to-1 dot1q vlan-id

Replaces the incoming tag (defined in the encapsulation command) with a different 802.1Q tag at the ingress service instance.

translate 1-to-2 dot1q vlan-id dot1q vlan-id

Replaces the incoming tag defined by the encapsulation command with a pair of 802.1Q tags.

translate 2-to-2 dot1q vlan-id second-dot1q vlan-id

Replaces the pair of tags defined by the encapsulation command with a pair of VLANs defined by this rewrite.

symmetric

(Optional) A rewrite operation is applied on both ingress and egress. The operation on egress is the inverse of the ingress operation.

Note

 
Symmetric is the default behavior. Hence, it cannot be disabled.

Command Default

The frame is left intact on ingress.

Command Modes

Interface configuration

Command History

Release

Modification

Release 6.0.1

This command was introduced.

Usage Guidelines

The symmetric keyword is accepted only when a single VLAN is configured in encapsulation. If a list of VLANs is configured in encapsulation, the symmetric keyword is accepted only for push rewrite operations; all other rewrite operations are rejected.

The pop command assumes the elements being popped are defined by the encapsulation type.

The rewrite ingress tag translate command assumes that the tags being translated from are defined by the encapsulation type. In the 2-to-1 option, the “2” means 2 tags of a type defined by the encapsulation command. The translation operation requires at least the “from” tags in the original packet. If the original packet contains more tags than the ones defined in the “from”, then the operation should be done beginning on the outer tag.

Examples

The following example shows how to specify the encapsulation adjustment that is to be performed on the frame ingress to the service instance:


Router(config-if)# rewrite ingress tag push dot1q 200
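
The push, pop and translate operations and their symmetric egress inverse can be traced with a small model of the tag stack. The following Python sketch is an added example, not Cisco code: a frame is represented only by its list of VLAN IDs (outermost first), `encap` is the list of VLAN IDs matched by the encapsulation command, and all function names are hypothetical.

```python
def parse_rewrite(cmd):
    """Parse 'rewrite ingress tag ...' into (operation, [new VLAN IDs])."""
    words = cmd.split()
    if words[:3] != ["rewrite", "ingress", "tag"] or len(words) < 5:
        raise ValueError("not a complete rewrite ingress tag command")
    rest = [w for w in words[3:] if w != "symmetric"]
    op = rest[0] if rest[0] in ("push", "pop") else rest[1]  # e.g. '2-to-1'
    # Both 'dot1q' and 'second-dot1q' appear on the page as tag keywords.
    vids = [int(rest[i + 1]) for i, w in enumerate(rest)
            if w in ("dot1q", "second-dot1q")]
    return op, vids

def plan(op, vids, encap):
    """Return (tags removed, tags added) on ingress."""
    if op == "push":
        return [], vids
    if op == "pop":
        return encap[:1], []  # the popped tag is the one the encapsulation defines
    n_from, n_to = (int(x) for x in op.split("-to-"))
    if len(encap) < n_from or len(vids) != n_to:
        raise ValueError(f"translate {op} does not fit encapsulation {encap}")
    return encap[:n_from], vids

def _swap(stack, remove, add):
    # Work on the outer end of the stack (index 0 is the outermost tag).
    if stack[:len(remove)] != remove:
        raise ValueError(f"frame tags {stack} do not start with {remove}")
    return add + stack[len(remove):]

def ingress(stack, cmd, encap):
    remove, add = plan(*parse_rewrite(cmd), encap)
    return _swap(stack, remove, add)

def egress(stack, cmd, encap):
    # Symmetric behaviour: egress undoes exactly what ingress did.
    remove, add = plan(*parse_rewrite(cmd), encap)
    return _swap(stack, add, remove)

if __name__ == "__main__":
    cmd = "rewrite ingress tag translate 1-to-1 dot1q 200 symmetric"
    inside = ingress([10, 20], cmd, encap=[10])   # extra inner tag 20 is untouched
    print(inside, "->", egress(inside, cmd, encap=[10]))
```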