WAAS setup part 3 out of 3

This is the third part of the WAAS setup, and this is where all the good stuff happens.  I am showing a simple layer 2 redirect, just like the one I showed at my remote sites.  This is by far the easiest way to set up your redirection.  As you will see, I have two main DC routers, a WAN VLAN and a WAAS VLAN.

The setup is exactly the same as at the remote sites.  A packet is sent from the remote site and is cached in the WAAS there.  That WAAS then communicates with one of the two WAAS devices I have in my data center.  One of those WAAS devices is set up as the Central Manager, which makes all the decisions.  The packet is then intercepted either by the first WAAS or by the second WAAS; if it is intercepted by the secondary WAAS, that device still communicates with the primary for decision-making purposes.  So let's take a look at the Central Manager configuration if you are going to use it as a cluster.

wccp router-list 8 x.x.x.x
This is the command which allows Router A or Router B in the data center to redirect towards the WAAS.

wccp tcp-promiscuous service-pair 61 62 router-list-num 8
This is needed if you are using a cluster.  A problem with a cluster is that router A can redirect a packet and send it out asynchronously to router B, which is undesired.

ip route x.x.x.x 255.255.255.255 <ip of router>
Since the router identifier is set up as the loopback of the router, make sure that the communication between the WAAS and the router does not use the default route.

central-manager address x.x.x.x

And that's it!  Very simple.  On your router A / router B you will need to do the same redirection as you would at your remote sites, with WCCP 61 / WCCP 62.  The rest of the Central Manager device list can be set up easily through the Central Manager itself, which is accessible via a web browser.

WAAS setup part 2 out of 3

This is part 2 of the WAAS setup.  In part one we looked over a simple infrastructure with WAAS technology.  Here I will guide everyone through the remote site.  What is nice about the newer ISRs (integrated services routers) from Cisco is the WAAS option: a WAAS module, pictured below.

WAAS Module

It simply fits into most ISR 29xx, 28xx, 39xx etc.  The device is just a module which one can session into, or connect to via the management IP on the module.  For example, here is the configuration on the router for the module.

interface SM1/0
ip address 10.0.0.1 255.255.255.0
! the router-side IP address of the module interface
service-module ip address 10.0.0.2 255.255.255.0
! management address to get into the module from the outside world
!Application: Restarted at Thu Nov  8 16:23:02 2012
service-module ip default-gateway 10.0.0.1
! default gateway for the WAAS to reach the rest of the network
no keepalive
end

We can session into the WAAS by running the following command: service-module SM 1/0 session

Once you session in, there are a few commands you will want to run.

interface GigabitEthernet 1/0
ip address 10.0.0.2 255.255.255.0
! the interface handing off to the router
exit
ip default-gateway 10.0.0.1
! the router's SM1/0 interface is the default gateway
ip name-server x.x.x.x
! DNS server
ntp server x.x.x.x
! NTP server
wccp router-list 8 x.x.x.x
! the router allowed to redirect into the WAAS; make sure the ISR's loopback IP is here, otherwise it will not work
wccp tcp-promiscuous router-list-num 8
! uses router list 8 as the routers allowed to do redirection
wccp version 2
! uses version 2 of WCCP
central-manager address x.x.x.x
! the address of the WAAS Central Manager back in the data center that this module communicates with; this is required

Now on the router.

ip cef
ip wccp 61
! creates WCCP service 61
ip wccp 62
! creates WCCP service 62
ip wccp 61 redirect-list WAAS
! attaches the WAAS ACL as the redirect list for service 61
ip wccp 62 redirect-list WAAS
ip access-list extended WAAS
permit tcp any any eq 80
!
ip wccp version 2
!
interface Se0/0
description to ISP1
ip wccp 62 redirect in
!
interface Se0/1
description to ISP2
ip wccp 62 redirect in
!
interface Fa0/1
description LAN interface
ip wccp 61 redirect in

There are three general ways of redirecting traffic into a WAAS unit.  We are covering the most common method of redirection, WCCP.

1.)WCCP
2.)PBR
3.)Inline mode

The most important part of the configuration is getting the correct interfaces for redirection, and getting the redirect ACL in place: without the WAAS ACL the router will redirect all TCP traffic into the WAAS.  Now on the router, if I issue sh ip wccp, I should see traffic redirecting into my WAAS SM.

routersiteA#sh ip wccp
Global WCCP information:
Router information:
Router Identifier:                   1.1.1.1   (loopback of the router)
Protocol Version:                    2.0

Service Identifier: 61
Number of Service Group Clients:     1
Number of Service Group Routers:     1
Total Packets s/w Redirected:        100
Process:                           0
CEF:                               100
Service mode:                        Open
Service Access-list:                 -none-
Total Packets Dropped Closed:        0
Redirect Access-list:                WAAS
Total Packets Denied Redirect:       100
Total Packets Unassigned:            100
Group Access-list:                   -none-
Total Messages Denied to Group:      0
Total Authentication failures:       0
Total GRE Bypassed Packets Received: 100

Service Identifier: 62
Number of Service Group Clients:     1
Number of Service Group Routers:     1
Total Packets s/w Redirected:        100
Process:                           0
CEF:                               100
Service mode:                        Open
Service Access-list:                 -none-
Total Packets Dropped Closed:        0
Redirect Access-list:                WAAS
Total Packets Denied Redirect:       100
Total Packets Unassigned:            1
Group Access-list:                   -none-
Total Messages Denied to Group:      0
Total Authentication failures:       0
Total GRE Bypassed Packets Received: 100

WAAS setup Part 1 out of 3

In this 3 part series I will set up a simple WAAS infrastructure with two different providers and two different remote sites connecting to one data center.  WAAS is a great WAN accelerator created by Cisco.  The way we have everything set up here, each remote site has a WAAS module built into the ISR (integrated services router), and the traffic we specify is redirected to the WAAS for WAN optimization.  For every WAAS deployment you will need at least two WAAS units: one WAAS at the remote site and one WAAS in the data center, which is called the CM (Central Manager).  The Central Manager holds all of your WAAS devices, and from it one manages each remote site's WAN accelerator.  Any WAAS can be a Central Manager.

I will jump into a full configuration in parts 2 and 3.  The basic way it works is that traffic is intercepted transparently at the router, redirected into the WAAS, sent back to the router and out the WAN.  The interesting part is that the packet is then received at the router in the data center, which does the exact same thing.  The data is cached on both WAAS devices, on both sides of the TCP connection, so the exact same data never has to cross the WAN again.

CCIE#37401

My first attempt was September 21st in Toronto.  I arrived onsite at 8:45PM and talked to the other candidates.  I was the only first timer.  One guy had taken the lab 7 times in the last year.  It was very easy to be discouraged.  By 9:05 the proctor came in to collect our IDs and it was off to the lab.

Troubleshooting is as hard as everyone says.  The worst part is the clock that ticks in the corner of the screen.  I had 2 hours but it honestly felt like an eternity.  I was able to finish the troubleshooting section with 5 minutes left to review.  I was very confident when I hit the finish button that I had passed troubleshooting.

Off to config.  As soon as I hit the begin lab button I just went brain dead.  I am not sure what happened.  I just lost it.  I felt like I had stage fright.  I felt like I had forgotten everything I had studied in the past year and a half.  I sat and stared at the screen for a good 20 minutes.  I realised where I was and how important the situation was.  I went to the bathroom, splashed some water on my face and went back to the lab.  By the time I was 50% through layer 2 it was break time.  My proctor was not the greatest.  I am pretty sure he practiced how to say "Do what you think is right" in the mirror in the morning.  I asked him a few questions and that was his response every time.  The lunches are as stressful as everyone says they are.  After lunch I was able to finish the lab.  By 5pm I was finished, and it was time to take the 5 hour drive back to Pittsburgh.

Driving home I received the message from Cisco to log in and check.  My heart was ready to beat out of my chest.  I told my wife I would open the email with her.  I got home only to open it and find out I passed TS but failed config :(.  With really, really low numbers.  I believe I made a mistake on layer 2 which affected me throughout the entire lab.

I took a week off of studying to figure out what I did wrong.  I was prepared for the lab topics but I did not prepare for the way the exam was structured.  I wish I took the Mock Exams that are offered by INE.  Fast forward to November I decided to take another stab at it.

This time I was more prepared.  I was able to finish TS with 10 minutes to spare.  I did not realise it but I was clicking on R1 and going to R4… yes, I believe Cisco does this on purpose.  I was able to verify I did everything correctly without breaking any of the rules.

Off to config.  I looked at the lab and at first read through every question.  I was able to finish layer 2 at the beginning of lunch.  I had the same stressful lunch that I had in Toronto.  I was able to finish config with 1 hour for review.  I could not believe the amount of mistakes I made.  Just small little mistakes, and how a few mistakes would have caused me to lose points in multiple tickets.  I fixed everything and verified connectivity with a TCL script.  I left RTP for the day hoping by the time I was back home I would get results…. Friday goes by.. Saturday… nothing.  I woke up Sunday at 0600 to an email from Cisco; my heart was about to beat out of my chest.  I could not help thinking in the back of my head that I really did not want to retake this, with all the work that went into every attempt.  I logged in and saw I had passed.  I was so tired, I closed my browser, reopened it and checked again.  I did the same sequence 3 times just to make sure!! I passed!!! I went down the hallway to wake my wife up…. When I was midway down the hall I wanted to check on my laptop just one more time to make sure.  This was 1.5 years in the making, with a strict 25 hours a week of study.

What do I do with this blog now?  What would any new CCIE do… give back to the community which has helped me so much by adding more blog posts and write ups.  I work with newer data center technology: Nexus, WAAS, load balancers etc etc.  I feel I need to master the newer products out there.

I have to thank my friends, family, coworkers and most importantly my biggest supporter, my wife, for all the help she has given me through my frustrations for the past year and a half.  She has easily been my biggest supporter.

-Daniel Hertzberg

CCIE#37401

CCIE Update

I haven't blogged in a while due to how busy I am.  Work and study have been the death of me.  My lab is scheduled for September 21st in Toronto for attempt #1.  I pray attempt #1 is my last attempt.  It's a lot for me to take in.  I have been studying for this for the past 1.5 years.  It's a lot to take in, especially when it is 1750 dollars a pop.  I have spent the last year with the same routine.  Work 0800 – 1600, get home, take the dog out and study for 3.5-4 hours.  Work out, come home and prepare for the next day.  If I pass, it's odd, but I don't know what I will do with all my free time… the wife already has a plan for that of course!

Well wish me luck, as I will make a blog post after I take the lab.

%BGP-4-VPNV4NH_MASK: Nexthop

Wha?

Well, I found some interesting stuff while trying to run OSPF as an IGP in an MPLS environment while peering BGP by loopback.  Here is the configuration; keep in mind this is with INE's topology.

ip vrf VPN_A
rd 1:1
route-target export 1:1
route-target import 1:1
!
router bgp 1
neighbor 150.1.1.1 remote-as 1
neighbor 150.1.1.1 update-source lo0
neighbor 150.1.2.2 remote-as 1
neighbor 150.1.2.2 update-source lo0
neighbor 150.1.3.3 remote-as 1
neighbor 150.1.3.3 update-source lo0
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 update-source lo0
neighbor 150.1.5.5 remote-as 1
neighbor 150.1.5.5 update-source lo0
!
address-family vpnv4 unicast
neighbor 150.1.1.1 activate
neighbor 150.1.1.1 send-community both
neighbor 150.1.2.2 activate
neighbor 150.1.2.2 send-community both
neighbor 150.1.3.3 activate
neighbor 150.1.3.3 send-community both
neighbor 150.1.4.4 activate
neighbor 150.1.4.4 send-community both
neighbor 150.1.5.5 activate
neighbor 150.1.5.5 send-community both
!
address-family ipv4 vrf VPN_A
redistribute ospf 3 vrf VPN_A
no synchronization
exit-address-family
!
router ospf 3 vrf VPN_A
redistribute bgp 1 subnets

Then I get this message on each PE router.

*Mar 1 17:10:19.575: %BGP-4-VPNV4NH_MASK: Nexthop 150.1.1.1 may not be reachable from neigbor 150.1.2.2 - not /32 mask
*Mar 1 17:11:26.579: %BGP-4-VPNV4NH_MASK: Nexthop 150.1.3.3 may not be reachable from neigbor 150.1.1.1 - not /32 mask
*Mar 1 17:11:55.683: %BGP-4-VPNV4NH_MASK: Nexthop 150.1.5.5 may not be reachable from neigbor 150.1.1.1 - not /32 mask

On a CE router:

Rack1SW2#sh ip route 155.1.67.7
Routing entry for 155.1.67.0/24
Known via "ospf 1", distance 110, metric 3, type inter area
Last update from 155.1.58.5 on Vlan58, 00:04:55 ago
Routing Descriptor Blocks:
* 155.1.58.5, from 5.5.5.5, 00:04:55 ago, via Vlan58
Route metric is 3, traffic share count is 1

Traceroute:

Rack1SW2#trace 155.1.67.6

Type escape sequence to abort.
Tracing the route to 155.1.67.6

1 155.1.58.5 0 msec 0 msec 9 msec
2 *

Looking over my MPLS forwarding table, it appears that since OSPF by default takes my /24 loopback and advertises it as a /32, LDP gets confused: the prefix shows up in the tag switching table as a /24 but in the routing table as a /32, so the /32 route has no label to go with it.  The fix for this was making each loopback an OSPF point-to-point network type under the loopback interface.  I'm not sure how this would scale in a large service provider environment… this might even be an IOS bug, not sure.

After the change…

Rack1SW2#trace 155.1.67.6

Type escape sequence to abort.
Tracing the route to 155.1.67.6

1 155.1.58.5 8 msec 0 msec 9 msec
2 155.1.146.1 0 msec 8 msec 0 msec
3 155.1.146.6 25 msec * 0 msec
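A small model of what the post describes, added here as an illustration (not code from the post or from INE): OSPF advertises a /24 loopback as a /32 host route unless its network type is point-to-point, while LDP binds a label to the connected /24, so the remote PE has no label for the BGP next-hop until the two prefixes agree. The loopback addresses are the post's; the label values and the RIB/binding tables are constructed.

```python
import ipaddress

def ospf_advertised_prefix(loopback_cidr, point_to_point=False):
    """What OSPF puts in the LSDB for a loopback: a /32 host route by default
    (network type loopback), or the configured mask once the loopback is made
    an OSPF point-to-point network."""
    iface = ipaddress.ip_interface(loopback_cidr)
    if point_to_point:
        return iface.network                          # e.g. 150.1.1.0/24
    return ipaddress.ip_network(f"{iface.ip}/32")      # e.g. 150.1.1.1/32

def connected_prefix(loopback_cidr):
    """What LDP binds a label to on the owning router: the connected /24."""
    return ipaddress.ip_interface(loopback_cidr).network

def longest_match(rib, addr):
    """Longest-prefix match of addr against a list of ip_network objects."""
    ip = ipaddress.ip_address(addr)
    matches = [net for net in rib if ip in net]
    return max(matches, key=lambda net: net.prefixlen) if matches else None

def label_for_nexthop(rib, bindings, nexthop):
    """A label is usable only when the RIB prefix covering the BGP next-hop is
    exactly the FEC the LDP neighbour advertised. A /32 route with only a /24
    binding returns None: VPNv4 traffic leaves the PE unlabelled and dies at
    the next hop, which is the '2 *' in the first traceroute."""
    route = longest_match(rib, nexthop)
    return bindings.get(route) if route is not None else None

def build_rib(loopbacks, point_to_point):
    """The OSPF-learned routes a remote PE holds for the other PEs' loopbacks."""
    return [ospf_advertised_prefix(lo, point_to_point) for lo in loopbacks]

# Loopbacks from the post's topology, configured with a /24 mask.
PE_LOOPBACKS = ["150.1.1.1/24", "150.1.3.3/24", "150.1.5.5/24"]
# Constructed LDP label bindings: one label per connected /24, values arbitrary.
LDP_BINDINGS = {connected_prefix(lo): 16 + i for i, lo in enumerate(PE_LOOPBACKS)}

def labels_before_and_after(nexthop):
    """(label with the default OSPF loopback type, label after point-to-point)."""
    return (label_for_nexthop(build_rib(PE_LOOPBACKS, False), LDP_BINDINGS, nexthop),
            label_for_nexthop(build_rib(PE_LOOPBACKS, True), LDP_BINDINGS, nexthop))
```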

One thing someone might want to do, to make sure that the loopback is also the router-id so there are no problems, is to issue the following command under global configuration.

Rack1R1(config)#mpls ldp router-id lo0 force

That way the router-id is always lo0.  By adding force at the end of the statement it will drop all current LDP sessions tied to the old router-id.  So if you have MPLS sessions currently using another loopback or interface, they will be dropped, reinitialized and will use lo0.  Without the force option, the mpls neighbor x.x.x.x command will have to be used.

Load balancing a BGP default route from 2 different providers / as-path multipath-relax

Generally with BGP you do not hear much about load balancing of routes.  Where I work we have some select remote sites with one router and two circuits going to two different service providers.  Within BGP you will not be able to load balance a default route: one path wins best-path selection and a single default is injected into the RIB, while the other circuit does nothing but wait until the primary circuit with the better path goes down.  So instead of adding more bandwidth, to save money I went ahead and applied a nifty little trick.  This could all have been accomplished through static routing, but who wants to do that?

Looking at the way it was set up before, the default route through AS 1803 is best and is the only one injected into the routing table.

testrouter#sh ip bgp 0.0.0.0
BGP routing table entry for 0.0.0.0/0, version 6
Paths: (2 available, best #2, table Default-IP-Routing-Table)
Advertised to update-groups:
2
13979 64001, (received & used)
1.1.1.1 from 10.102.97.9 (12.123.67.236)
Origin IGP, localpref 100, valid, external
1803 64001, (received & used)
2.2.2.2 from 10.102.97.13 (10.247.23.220)
Origin IGP, localpref 100, valid, external, best
Extended Community: RT:1803:4603

The routing table only showing one route for 0.0.0.0

testrouter#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "bgp 6550", distance 20, metric 0, candidate default path
Tag 1803, type external
Redistributing via eigrp 1
Advertised by eigrp 1 metric 2000 2100 255 1 1500
Last update from 10.102.97.13 3w5d ago
Routing Descriptor Blocks:
* 2.2.2.2, from 2.2.2.2, 3w5d ago
Route metric is 0, traffic share count is 1
AS Hops 2
Route tag 1803

Neighbor        V          AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1     4      13979  156868  153101        6    0    0 3w5d            1
2.2.2.2     4       1803  156770  153099        6    0    0 3w5d            1

How to fix this?  BGP has two paths in its BGP table, but the second one is never injected into the routing table.  So we go ahead and work some magic to get it into the RIB.

conf t
router bgp 6500
maximum-paths 2
bgp bestpath as-path multipath-relax
end
!
clear ip bgp 2.2.2.2

After:

fsp5958route#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "bgp 6500", distance 20, metric 0, candidate default path
Tag 1803, type external
Last update from 2.2.2.2 1w6d ago
Routing Descriptor Blocks:
2.2.2.2, from 2.2.2.2, 1w6d ago
Route metric is 0, traffic share count is 1
AS Hops 2
Route tag 1803
* 1.1.1.1, from 1.1.1.1, 1w6d ago
Route metric is 0, traffic share count is 1
AS Hops 2
Route tag 1803
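A simplified model of the selection the post is working around, added as an example (not the post's own code): IOS installs a second eBGP path alongside the best one only when the AS_PATH matches exactly, and bgp bestpath as-path multipath-relax loosens that to equal AS-path length. The two paths are the ones in the sh ip bgp output above; localpref, origin and MED are taken as equal, as that output shows, and for simplicity MED is compared regardless of neighbour AS.

```python
from dataclasses import dataclass

@dataclass
class Path:
    """One BGP path as seen in 'sh ip bgp 0.0.0.0'."""
    nexthop: str
    as_path: tuple          # AS_PATH as a tuple of AS numbers, left to right
    router_id: str          # advertising neighbour's router-id (final tie-breaker)
    weight: int = 0
    localpref: int = 100
    origin: int = 0         # 0 = IGP, 1 = EGP, 2 = incomplete
    med: int = 0
    external: bool = True   # eBGP path

def _rank(p):
    """Selection order, simplified from IOS: weight, localpref, AS-path length,
    origin, MED, eBGP over iBGP, lowest router-id. The lower tuple wins."""
    rid = tuple(int(octet) for octet in p.router_id.split("."))
    return (-p.weight, -p.localpref, len(p.as_path), p.origin, p.med, not p.external, rid)

def best_path(paths):
    return min(paths, key=_rank)

def installed_paths(paths, maximum_paths=1, multipath_relax=False):
    """Paths that make it into the RIB. An extra path must tie the best one on
    everything _rank checks before the router-id and, unless
    'bgp bestpath as-path multipath-relax' is configured, carry the identical
    AS_PATH. That exact-match rule is why '13979 64001' never installs next to
    '1803 64001' by default even though both are two hops long."""
    best = best_path(paths)
    chosen = [best]
    for p in paths:
        if p is best or len(chosen) >= maximum_paths:
            continue
        ties_best = _rank(p)[:-1] == _rank(best)[:-1]
        path_ok = multipath_relax or p.as_path == best.as_path
        if ties_best and path_ok:
            chosen.append(p)
    return chosen

# The two paths from the 'sh ip bgp 0.0.0.0' output above (router-ids from the parentheses there).
VIA_AS13979 = Path(nexthop="1.1.1.1", as_path=(13979, 64001), router_id="12.123.67.236")
VIA_AS1803 = Path(nexthop="2.2.2.2", as_path=(1803, 64001), router_id="10.247.23.220")
DEFAULT_ROUTE_PATHS = [VIA_AS13979, VIA_AS1803]

def rib_nexthops(maximum_paths=1, multipath_relax=False):
    """Sorted next-hops that end up in the RIB for the constructed default route."""
    return sorted(p.nexthop for p in
                  installed_paths(DEFAULT_ROUTE_PATHS, maximum_paths, multipath_relax))
```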

CCIE update

So far I am doing well.  There are some things I am lacking…. going over INE's vol2 labs to see where I am generally weak, I am not very good at the following: QoS, multicast, NAT.  I am not entirely that concerned with NAT.  I honestly have not used it much in the real world other than on ASAs, and never on IOS in production networks.

The good part about QoS is I use it heavily at work, Catalyst QoS along with router QoS.  Catalyst QoS is finally making sense to me to the point where I can write it out in notepad and make it work, but I feel I am not advanced to the point where I could get it going with the gotchas and other small problems for the test.  I am planning on going over multicast with Vol1 next week, and anything I do not understand I will spend time labbing out on a blank vol1 test topology.

Since I am getting married in June and spending the majority of June in Greece… Yay!  I am planning on taking the lab at the end of summer most likely?  Maybe August or September again.  Mainly I am tired of the old crap.  I really hate learning about Frame Relay, RIP and old legacy stuff I would never use.  At this point there is no way I could get back the time I have put into this, so I might as well get the lab over with.

When I update this again I am hoping to be more efficient with advanced multicast features, QoS and NAT.  I believe once I finish lab 20 of INE and go over the DoCD a few hundred times I will be ready.  It's just so hard to spend the 2000 with no promise of passing.

Running OSPF on your Ubuntu Server……

I was wondering if there was a possibility of doing this.  I really do not see much of a reason for it other than the neatness factor.  I was looking over some old RIP information and, seeing that version 1 would run on some older Windows Server 2000 machines, I wondered if it were possible to pass OSPF routes to a Linux based server.  There is a program called Quagga which runs as a daemon within Linux and presents something that looks almost like a stripped down IOS.  Neat stuff!   You can run OSPFv2, OSPFv3, RIP, BGP and RIPng.  So if I wanted a more specific route through OSPF rather than having a default route on my servers, it is possible.  Or if I wanted to have some sort of secondary OSPF process on my cores or routers only to do the routing for my servers, it would be possible.  So here is a step by step way I configured it, just to test.

First install Quagga

apt-get install quagga

Next specify which of the routing protocols you want Quagga to run.  This post is dedicated to OSPF, but there is all sorts of flexibility here.

burnyd@dynamips:~$ cat /etc/quagga/daemons
# This file tells the quagga package which daemons to start.
#
# Entries are in the format: <daemon>=(yes|no|priority)
# 0, "no" = disabled
# 1, "yes" = highest priority
# 2 .. 10 = lower priorities
# Read /usr/share/doc/quagga/README.Debian for details.
#
# Sample configurations for these daemons can be found in
# /usr/share/doc/quagga/examples/.
#
# ATTENTION:
#
# When activation a daemon at the first time, a config file, even if it is
# empty, has to be present *and* be owned by the user and group "quagga", else
# the daemon will not be started by /etc/init.d/quagga. The permissions should
# be u=rw,g=r,o=.
# When using "vtysh" such a config file is also needed. It should be owned by
# group "quaggavty" and set to ug=rw,o= though. Check /etc/pam.d/quagga, too.
#
zebra=yes
bgpd=no
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no

Change this to:

zebra=yes
bgpd=no
ospfd=yes
ospf6d=no
ripd=no
ripngd=no
isisd=no

I would recommend restarting Quagga just in case.

burnyd@dynamips:~$ sudo /etc/init.d/quagga restart

Now copy the sample daemon configs and put them in /etc/quagga.  Depending on the distro these could be located in other places, but since this is Ubuntu 11.04 they are located in the following:

/usr/share/doc/quagga/examples/zebra.conf.sample

We need to take zebra.conf.sample and ospfd.conf.sample and copy them into /etc/quagga:

burnyd@dynamips:~$ sudo cp /usr/share/doc/quagga/examples/zebra.conf.sample /etc/quagga/zebra.conf
burnyd@dynamips:~$ sudo cp /usr/share/doc/quagga/examples/ospfd.conf.sample /etc/quagga/ospfd.conf

Then set permissions.

burnyd@dynamips:~$ sudo chmod 770 /etc/quagga/zebra.conf

burnyd@dynamips:~$ sudo chmod 770 /etc/quagga/ospfd.conf

Next enable IP forwarding in the kernel so the box will forward traffic over your ethernet device, otherwise this will not work!

sudo su -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

Restart Quagga again.
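An added check (not part of the post) that audits an /etc/quagga directory against the rule in the README quoted above: every enabled daemon needs a <daemon>.conf with u=rw,g=r,o= (0640) permissions. Ownership by quagga:quagga is the README's other requirement and is left out because it cannot be reproduced without root; the demo builds a throwaway directory instead of touching /etc/quagga.

```python
import os
import stat
import tempfile

def parse_daemons(text):
    """Return {daemon: value} from a /etc/quagga/daemons file, where value is
    'yes', 'no' or a priority string 0..10 (0 = disabled, 1 = highest)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        entries[name] = value
    return entries

def is_enabled(value):
    """'yes' or a priority 1..10 starts the daemon; 'no' or 0 does not."""
    if value in ("yes", "no"):
        return value == "yes"
    return value.isdigit() and 1 <= int(value) <= 10

def audit_quagga(confdir, daemons_text, expected_mode=0o640):
    """For each enabled daemon, check that <daemon>.conf exists in confdir and
    carries exactly the README's u=rw,g=r,o= mode. Returns a list of findings;
    an empty list means the directory passes this check."""
    findings = []
    for name, value in parse_daemons(daemons_text).items():
        if not is_enabled(value):
            continue
        path = os.path.join(confdir, f"{name}.conf")
        if not os.path.exists(path):
            findings.append(f"{name}: {path} missing, daemon will not start")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != expected_mode:
            findings.append(f"{name}: {path} mode {mode:04o}, expected {expected_mode:04o}")
    return findings

# Constructed daemons file: zebra and ospfd enabled, as in the post.
DAEMONS_TEXT = """\
zebra=yes
bgpd=no
ospfd=yes
ospf6d=no
ripd=no
ripngd=no
isisd=no
"""

def demo():
    """Build a throwaway /etc/quagga lookalike: zebra.conf at 0640 and
    ospfd.conf at the post's chmod 770, then audit it."""
    with tempfile.TemporaryDirectory() as confdir:
        for name, mode in (("zebra.conf", 0o640), ("ospfd.conf", 0o770)):
            path = os.path.join(confdir, name)
            with open(path, "w") as fh:
                fh.write("hostname ospfd\n")
            os.chmod(path, mode)
        return audit_quagga(confdir, DAEMONS_TEXT)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```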

Next go ahead and telnet to localhost on port 2064.  I cannot recall what the default password is since I changed it, but it is located within /etc/quagga/ospfd.conf, where you can change it with a file editor.

burnyd@dynamips:~$ telnet localhost

Trying 127.0.0.1…
Connected to localhost.
Escape character is '^]'.

Hello, this is Quagga (version 0.99.17).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

User Access Verification

Password:
ospfd> en
ospfd#

At this point this looks like a stripped down IOS for the most part.  I have eth0 at 192.168.2.211 on my data network / VLAN.  I am running OSPF on that VLAN on a few of my devices here, both my core switch and my WAN router.  For those used to OSPF: I have to advertise eth0 into OSPF.

I first have to specify the interface I want to run OSPF over:

ospfd(config)# int eth0
ospfd(config-if)# ospf network broadcast

Then specify my OSPF options:

ospfd# conf t
ospfd(config)#router ospf
ospfd(config-router)#network 192.168.2.0/24 area 0.0.0.0

So I go ahead and check the regular routing table on my dynamips box and…

burnyd@dynamips:~$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.17.245 192.168.2.253 255.255.255.255 UGH 0 0 0 eth0
2.2.2.2 192.168.2.253 255.255.255.255 UGH 0 0 0 eth0
1.1.1.1 192.168.2.254 255.255.255.255 UGH 0 0 0 eth0
192.168.7.0 192.168.2.254 255.255.255.0 UG 0 0 0 eth0
192.168.6.0 192.168.2.254 255.255.255.0 UG 0 0 0 eth0
192.168.4.0 192.168.2.254 255.255.255.0 UG 0 0 0 eth0
192.168.3.0 192.168.2.254 255.255.255.0 UG 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 192.168.2.254 255.255.255.0 UG 0 0 0 eth0
10.10.1.0 192.168.2.254 255.255.255.0 UG 0 0 0 eth0
192.168.9.0 192.168.2.254 255.255.255.0 UG 0 0 0 eth0
192.168.8.0 192.168.2.254 255.255.255.0 UG 0 0 0 eth0
0.0.0.0 192.168.2.254 0.0.0.0 UG 0 0 0 eth0
burnyd@dynamips:~$

ospfd# sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
2.2.2.2 1 Full/Backup 33.075s 192.168.2.253 eth0:192.168.2.211 0 0 0
1.1.1.1 1 Full/DR 38.384s 192.168.2.254 eth0:192.168.2.211 0 0 0

On my core switch and WAN router:

WANROUTER#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/DR 00:00:36 192.168.4.254 Vlan4
1.1.1.1 1 FULL/DR 00:00:30 192.168.3.254 Vlan3
1.1.1.1 1 FULL/DR 00:00:36 192.168.2.254 Vlan2
192.168.2.211 1 FULL/DROTHER 00:00:31 192.168.2.211 Vlan2

cs1#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/BDR 00:00:30 192.168.4.253 Vlan4
2.2.2.2 1 FULL/BDR 00:00:31 192.168.3.253 Vlan3
2.2.2.2 1 FULL/BDR 00:00:37 192.168.2.253 Vlan2
192.168.2.211 1 FULL/DROTHER 00:00:31 192.168.2.211 Vlan2

L2tunneling CDP and QinQ

This is a pretty simple topology and I will try to keep it simple; this is my first experience with L2 protocol tunneling.  I've never read about it in any books.  My first encounter with it was in INE labs.  I worked for a service provider who mainly ran L2 Metro Ethernet circuits, and we generally used QinQ for internal VLANs but turned CDP off.  From the looks of the interface options you can tunnel CDP, VTP and STP.

This configuration is pretty simple.  On CE1 and CE2 this is an access port for VLAN 2, and this VLAN is simply trunked across the PE switches.  For l2protocol-tunnel to work, from what I am reading, this has to be an access port.

S1

interface FastEthernet0/1
switchport access vlan 2
switchport mode access
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
end

S2

interface FastEthernet0/1
switchport access vlan 2
switchport mode access
end
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
end

S3

interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable

S4

interface FastEthernet0/1
switchport access vlan 2
switchport mode access
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
end

#Show CDP neighbor on CE1 shows CE2 as CDP is tunneled across
CE1#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
CE2              Fas 0/1           156          R S I     WS-C3560- Fas 0/1

#Show CDP neighbor on CE2

CE2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
CE1              Fas 0/1           147          R S I     WS-C3560- Fas 0/1

If I want to QinQ tunnel, which makes more sense for a service provider to run, I have to change my PE switches to run dot1q tunnels, which is something that is used often in the real world.  Now in our small topology we are using VLAN 2, but not everyone can use VLAN 2 within the service provider.  If I want to use VLAN 2, since everything at my site is in VLAN 2 as well as at my remote site, I have to QinQ tunnel the link between both PE switches.  So I run VLAN 2, and my service provider puts me within VLAN 200.  Across my PE1 and PE2 switches it encapsulates one tag in another.  My only changes are on both PE switches.

PE1

interface FastEthernet0/1
description to CE1
switchport access vlan 200
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
end
!
interface FastEthernet0/2
description trunk to PE2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200
switchport mode trunk
end

PE2

interface FastEthernet0/1
description trunk to PE1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200
switchport mode trunk
!

interface FastEthernet0/2
description to CE2
switchport access vlan 200
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
end
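An added illustration of the two transformations the PE edge ports perform (example code, not from the post): the dot1q-tunnel port pushes the provider tag 200 in front of the customer's tag 2, and l2protocol-tunnel rewrites the CDP destination MAC 01:00:0c:cc:cc:cc to Cisco's L2PT address 01:00:0c:cd:cd:d0 so the core floods the PDU rather than consuming it. The sample frame, its source MAC and its payload bytes are constructed, and only the CDP/VTP destination MAC is modelled, not STP's.

```python
import struct

TPID_DOT1Q = 0x8100
CDP_MAC = bytes.fromhex("01000ccccccc")   # destination MAC of CDP and VTP PDUs
L2PT_MAC = bytes.fromhex("01000ccdcdd0")  # Cisco L2PT MAC the PE edge rewrites to

def tag(vlan):
    """One 802.1Q tag: TPID, then TCI with priority 0 and the VLAN id in the low 12 bits."""
    return struct.pack("!HH", TPID_DOT1Q, vlan & 0x0FFF)

def build_frame(dst, src, vlan, type_or_len, payload):
    """Constructed customer frame: dst, src, one 802.1Q tag, type/length, payload."""
    return dst + src + tag(vlan) + struct.pack("!H", type_or_len) + payload

def push_tag(frame, vlan):
    """PE1 ingress (switchport mode dot1q-tunnel, access vlan 200): the provider
    tag goes in front of whatever tag the customer frame already carries."""
    return frame[:12] + tag(vlan) + frame[12:]

def pop_tag(frame):
    """PE2 egress towards CE2: strip only the outer tag; the inner one survives."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_DOT1Q:
        raise ValueError("frame carries no 802.1Q tag")
    return frame[:12] + frame[16:]

def vlan_stack(frame):
    """VLAN ids from outermost to innermost, e.g. [200, 2] inside the provider core."""
    vids, off = [], 12
    while off + 4 <= len(frame) and struct.unpack("!H", frame[off:off + 2])[0] == TPID_DOT1Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids

def l2pt_encapsulate(frame):
    """l2protocol-tunnel cdp on the PE edge: swap the CDP/VTP destination MAC for
    the L2PT address so core switches flood the PDU instead of processing it."""
    return L2PT_MAC + frame[6:] if frame[:6] == CDP_MAC else frame

def l2pt_decapsulate(frame):
    """Reverse rewrite on the far PE edge port, so CE2 sees an ordinary CDP PDU."""
    return CDP_MAC + frame[6:] if frame[:6] == L2PT_MAC else frame

def provider_core_frame(customer_frame, provider_vlan=200):
    """Everything PE1 does to a customer frame before it hits the trunk to PE2."""
    return push_tag(l2pt_encapsulate(customer_frame), provider_vlan)

def customer_egress_frame(core_frame):
    """Everything PE2 does before handing the frame to CE2."""
    return l2pt_decapsulate(pop_tag(core_frame))

# Constructed CE1 CDP frame on the customer's VLAN 2. The LLC/SNAP header and
# CDP body are placeholder bytes, enough to show the tag and MAC handling.
CE1_CDP_FRAME = build_frame(CDP_MAC, bytes.fromhex("001122334455"), 2, 0x01AA,
                            b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + b"\x02\xb4\x00\x00")
```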