Understanding 802.1Q Tunneling; C H A P T E R 13 Configuring Ieee 802.1Q And Layer 2 Protocol Tunneling - Cisco Catalyst 3750 Software Configuration Manual

Understanding 802.1Q Tunneling

Understanding 802.1Q Tunneling
Service-provider business customers often have specific requirements for VLAN IDs and the number of
VLANs to be supported. The VLAN ranges required by different customers in the same service-provider
network might overlap, and traffic of customers through the infrastructure might be mixed. Assigning a
unique range of VLAN IDs to each customer would restrict customer configurations and could easily
exceed the VLAN limit (4096) of the 802.1Q specification.
Using the 802.1Q tunneling feature, service providers can use a single VLAN to support customers who
have multiple VLANs. Customer VLAN IDs are preserved, and traffic from different customers is
segregated within the service-provider infrastructure, even when they appear to be on the same VLAN.
Using 802.1Q tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy and tagging the
tagged packets. A port configured to support 802.1Q tunneling is called a tunnel port. When you
configure tunneling, you assign a tunnel port to a VLAN that is dedicated to tunneling. Each customer
requires a separate service-provider VLAN ID, but that VLAN ID supports all of the customer's VLANs.
Customer traffic tagged in the normal way with appropriate VLAN IDs come from an 802.1Q trunk port
on the customer device and into a tunnel port on the service-provider edge switch. The link between the
customer device and the edge switch is an asymmetric link because one end is configured as an 802.1Q
trunk port and the other end is configured as a tunnel port. You assign the tunnel port interface to an
access VLAN ID that is unique to each customer. See
Figure 13-1 802.1Q Tunnel Ports in a Service-Provider Network
Packets coming from the customer trunk port into the tunnel port on the service-provider edge switch
are normally 802.1Q-tagged with the appropriate VLAN ID. The tagged packets remain intact inside the
switch and, when they exit the trunk port into the service-provider network, are encapsulated with
another layer of an 802.1Q tag (called the metro tag) that contains the VLAN ID that is unique to the
customer. The original 802.1Q tag from the customer is preserved in the encapsulated packet. Therefore,
packets entering the service-provider infrastructure are double-tagged, with the outer tag containing the
customer's access VLAN ID, and the inner VLAN ID being the VLAN of the incoming traffic.
Catalyst 3750 Metro Switch Software Configuration Guide
13-2
Customer A
VLANs 1 to 100
Tunnel port
VLAN 30
Tunnel port
VLAN 30
Tunnel port
VLAN 40
Customer B
VLANs 1 to 200
Chapter 13 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling
Figure 13-1.
Service
provider
Tunnel port
VLAN 30
Trunk Trunk
ports ports
Tunnel port
VLAN 40
Trunk
Asymmetric link
Customer A
VLANs 1 to 100
Customer B
VLANs 1 to 200
78-15870-01