VLAN Translation
VLAN translation replaces the VLAN tag of a frame with another tag on ingress, and reverses the replacement on egress. It is configured on an interface as a set of VLAN translation rules. When these rules are applied, the VLAN IDs in that interface's incoming and outgoing packets are mapped to the corresponding VLAN IDs from the translation rules. This configuration is useful when the VLAN identifiers on the frames need to be changed at the interface.
VLAN Tunneling One-to-One
VLAN tunneling is a feature that extends the QinQ/Nested VLAN/Customer mode VLAN functionality. It enables service providers to support customers with multiple VLANs using a single VLAN while preserving customer VLAN IDs and segregating traffic in different customer VLANs. Packets that enter the tunnel port on the service-provider edge switch, which are already 802.1Q-tagged with the appropriate VLAN IDs, are encapsulated with another layer of an 802.1Q tag that contains a VLAN ID that is unique to the customer. The original 802.1Q tag from the customer is preserved in the encapsulated packet. Therefore, packets that enter the service-provider infrastructure are double-tagged.
This feature is known as "double tagging" or QinQ, because the switch adds a second ID tag known as a Service Tag (S-VLAN) in addition to the regular 802.1Q tag (Customer VLAN/C-VLAN) to forward traffic over the network. C-VLANs are mapped to S-VLANs on an edge interface, which is an interface where a customer network connects to the provider edge switch, and the original C-VLAN tags are kept as part of the payload. Untagged frames are eliminated.
When a frame is sent across a non-edge tagged interface, it is encapsulated with another layer of S-VLAN tag, to which its original C-VLAN ID is mapped. As a result, frames sent on non-edge interfaces carry two tags: an outer S-VLAN tag and an inner C-VLAN tag. While traffic is forwarded across the network service provider's infrastructure, the Service VLAN Tag is kept intact. When a frame is sent out on an edge interface of an egress device, the S-VLAN tag is removed. Frames without tags are dropped.
The VLAN tunneling feature offers the following capability over and above the basic QinQ/Nested VLAN implementation by using a separate set of commands:
- Provides, per edge interface, multiple mappings of different C-VLANs to separate S-VLANs
- Allows configuring a drop action for certain C-VLANs received on edge interfaces
- Allows configuring the action for C-VLANs not specifically mapped to an S-VLAN (drop or map to certain S-VLANs)
- Allows configuring, globally and per NNI interface (network node interfaces – backbone ports), the Ethertype of the S-VLAN tag. In the previous QinQ implementation, only the Ethertype of 0x8100 was supported for an S-VLAN tag.
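The edge-interface behavior described above can be modeled in a few lines. This is an added illustration, not vendor code: the function names, the sample frame and the choice to leave the outer tag's priority bits at 0 are assumptions made for the example.

```python
import struct

C_TPID = 0x8100          # Ethertype of the customer 802.1Q tag

def customer_frame(c_vid=None):
    """Constructed sample: Ethernet frame, 802.1Q-tagged when c_vid is given."""
    macs = bytes.fromhex("020000000002" "020000000001")   # dst, src (made up)
    tag = struct.pack("!HH", C_TPID, c_vid) if c_vid is not None else b""
    return macs + tag + struct.pack("!H", 0x0800) + bytes(46)

def edge_ingress(frame, mapping, default="drop", s_tpid=0x8100):
    """Tunnel-edge ingress: push an S-tag, or return None when the frame is dropped.

    mapping -- {C-VLAN ID: S-VLAN ID or "drop"} for this edge interface
    default -- action for C-VLANs without a mapping (S-VLAN ID or "drop")
    s_tpid  -- Ethertype of the S-VLAN tag
    """
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != C_TPID:
        return None                      # untagged frames are dropped
    action = mapping.get(tci & 0x0FFF, default)
    if action == "drop":
        return None
    # Assumption: the outer tag's priority bits are left at 0.
    s_tag = struct.pack("!HH", s_tpid, action)
    return frame[:12] + s_tag + frame[12:]   # C-tag stays intact inside

def edge_egress(frame, s_tpid=0x8100):
    """Tunnel-edge egress: strip the S-tag; returns (S-VLAN ID, customer frame)."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != s_tpid:
        return None                      # no S-tag: dropped
    return tci & 0x0FFF, frame[:12] + frame[16:]
```

Calling `edge_ingress(customer_frame(10), {10: 100, 30: "drop"}, default=999, s_tpid=0x88A8)` yields a frame whose bytes 12-19 are `88a8 0064 8100 000a`: the S-tag for VLAN 100 followed by the preserved C-tag for VLAN 10.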
The S-VLAN specified by the user must be created on the device before configuring it on an interface as an S-VLAN. If this VLAN does not exist, the command fails.
IPv4/IPv6 forwarding and VLAN tunneling are mutually exclusive: if either IPv4 or IPv6 forwarding is enabled, an interface cannot be set to VLAN tunneling mode, and if any interface is set to VLAN tunneling mode, IPv4 and IPv6 forwarding cannot be enabled on that device.
The following features are also mutually exclusive with the VLAN tunneling feature:
- Auto Voice VLAN
- Auto Smartport
- Voice VLAN
IPv4 and IPv6 interfaces cannot be defined on VLANs containing edge interfaces.
The following Layer 2 features are not supported on VLANs containing edge interfaces:
- IGMP/MLD snooping
- DHCP Snooping
- IPv6 First Hop Security
The following protocols cannot be enabled on edge interfaces (UNI - user network interfaces):
- STP
- GVRP
The following features are not supported on edge interfaces (UNI - user network interfaces):
- RADIUS VLAN assignment
- 802.1x VLAN
- SPAN/RSPAN – as a destination port with the network keyword or as a reflector port
Applying VLAN tunneling on an interface requires the use of router TCAM rules. If there are not enough router TCAM resources, the command fails. Users can add or remove router TCAM resources allocated for VLAN tunneling (and mapping) via Administration > Routing Resources (this requires a system reboot).
The original QinQ implementation (customer mode-related commands) continues to exist alongside the new implementation of VLAN tunneling. The customer port mode is a particular case of VLAN-mapping tunnel port mode, and does not require allocation of TCAM resources.
Layer 2 Control Protocol (L2CP) BPDU Tunneling
By default, input L2 PDUs with the following destination MAC addresses are dropped (and not processed) on VLAN tunnel edge ports:
- 01:80:C2:00:00:00-01:80:C2:00:00:FF (with the exception of LACP frames (destination MAC 01:80:C2:00:00:02), which are processed and not dropped)
- 01:00:0C:00:00:00-01:00:0C:FF:FF:FF
As part of the VLAN tunnel settings, you can define whether to drop, or to forward and encapsulate, the following Layer 2 Control Protocol PDUs: CDP, LLDP, VTP and STP. This is known as L2CP tunneling. This feature creates a tunnel that forwards specific untagged Layer 2 protocol frames over a provider network (tagged frames are dropped). The feature is configured on a VLAN mapping interface. L2CP tunneling is useful when connecting 2 customer sites on different sides of the provider network, because it transfers packets of the supported protocols across the ISP cloud between the 2 sites.
To tunnel such frames, you need to define the VLAN that is used as the VLAN ID (2nd tag) when the PDUs are forwarded across the provider network. When the PDUs are received at the remote customer site, the outer VLAN is stripped and the PDUs are processed on the remote customer network as if they had originated on that network. In addition to enabling per-interface L2CP tunnel forwarding, this feature also enables you to assign the S-VLAN to use for the encapsulation and the pre-defined CoS value for this traffic, and to rate-limit the L2CP PDUs that the interface forwards.
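The default-drop rule and the per-protocol tunneling decision can be expressed as a small classifier, which is useful for checking which control frames a given edge-port policy would let into the provider network. This is an added illustration, not vendor code: the function names and sample frames are made up, and the protocol destination MACs and SNAP protocol IDs are the well-known values for STP, LLDP, CDP and VTP rather than values taken from this page.

```python
import struct

LACP_MAC = bytes.fromhex("0180c2000002")
BY_MAC = {bytes.fromhex("0180c2000000"): "stp",
          bytes.fromhex("0180c200000e"): "lldp"}
CISCO_MAC = bytes.fromhex("01000ccccccc")        # shared by CDP and VTP
CISCO_SNAP = bytes.fromhex("aaaa0300000c")       # LLC/SNAP header, OUI 00:00:0C
BY_SNAP_PID = {0x2000: "cdp", 0x2003: "vtp"}

def l2cp_frame(dst_hex, body_hex="", tagged=False):
    """Constructed sample frame: dst MAC, made-up src, optional 802.1Q tag, body."""
    tag = bytes.fromhex("81000001") if tagged else b""
    body = bytes.fromhex(body_hex).ljust(46, b"\x00")
    return (bytes.fromhex(dst_hex + "020000000001") + tag
            + struct.pack("!H", len(body)) + body)

def identify(frame):
    """Name the tunnelable protocol of an untagged frame, else None."""
    dst = frame[:6]
    if dst in BY_MAC:
        return BY_MAC[dst]
    if dst == CISCO_MAC and frame[14:20] == CISCO_SNAP:
        return BY_SNAP_PID.get(int.from_bytes(frame[20:22], "big"))
    return None

def edge_action(frame, tunneled=frozenset(), s_vid=None):
    """Decision for a frame received on a VLAN tunnel edge port.

    tunneled -- protocols set to forward-and-encapsulate on this interface
    s_vid    -- S-VLAN used as the outer tag for tunneled PDUs
    """
    dst = frame[:6]
    reserved = (dst[:5] == bytes.fromhex("0180c20000")
                or dst[:3] == bytes.fromhex("01000c"))
    if not reserved:
        return "data"                    # ordinary traffic: VLAN mapping applies
    if dst == LACP_MAC:
        return "process"                 # the one exception to the default drop
    tagged = frame[12:14] == b"\x81\x00"
    if not tagged and s_vid is not None and identify(frame) in tunneled:
        return ("tunnel", s_vid)
    return "drop"
```

With nothing configured, every frame in the two reserved ranges except LACP returns `"drop"`; only protocols named in `tunneled` are forwarded, and only when they arrive untagged.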
VLAN Mapping One-to-One
The device supports VLAN one-to-one mapping in addition to VLAN tunneling. In VLAN one-to-one mapping, C-VLANs are mapped to S-VLANs on an edge interface (an edge interface is an interface where a customer network connects to the provider edge switch), and the original C-VLAN tags are replaced by the specified S-VLAN. Untagged frames are eliminated. When a frame is sent over a non-edge tagged interface, it contains only one VLAN tag, that of the specified S-VLAN. The Service VLAN Tag is preserved while traffic is routed through the infrastructure network of the service provider. When a frame is sent to an edge interface, the S-VLAN tag on the egress device is replaced with the C-VLAN tag. In the one-to-one VLAN-mapping mode, an interface belongs to all S-VLANs for which mapping is defined as an egress-tagged interface. The PVID of the interface is set to 4095.
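In contrast to tunneling, one-to-one mapping rewrites the VLAN ID in place, so the frame keeps a single tag and its length does not change. The following model is an added illustration, not vendor code: the function names and sample frame are made up, and both carrying the priority bits over unchanged and dropping frames whose VLAN has no mapping are assumptions of the example.

```python
import struct

def tagged_frame(vid, pcp=0):
    """Constructed sample: 802.1Q-tagged Ethernet frame with made-up addresses."""
    macs = bytes.fromhex("020000000002" "020000000001")
    tci = (pcp << 13) | vid
    return macs + struct.pack("!HHH", 0x8100, tci, 0x0800) + bytes(46)

def rewrite_vid(frame, table):
    """Replace the VLAN ID of the single 802.1Q tag; None means dropped."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != 0x8100:
        return None                      # untagged frames are dropped
    new_vid = table.get(tci & 0x0FFF)
    if new_vid is None:
        return None                      # assumption: unmapped VLANs are dropped
    # Assumption: priority bits (PCP/DEI) are carried over unchanged.
    new_tag = struct.pack("!HH", tpid, (tci & 0xF000) | new_vid)
    return frame[:12] + new_tag + frame[16:]

def one_to_one_ingress(frame, c_to_s):
    """Edge ingress: the C-VLAN tag is replaced by the mapped S-VLAN."""
    return rewrite_vid(frame, c_to_s)

def one_to_one_egress(frame, c_to_s):
    """Edge egress: the S-VLAN tag is replaced by the original C-VLAN."""
    s_to_c = {s: c for c, s in c_to_s.items()}
    return rewrite_vid(frame, s_to_c)
```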