
Monday, June 6, 2011

What is QinQ

In this section, we will look at the switching concept QinQ. In service provider networks this is very important: the service provider uses this switching function to carry customer data from one end to the other across its own switching network, using two VLAN IDs.

Let's see this concept in detail.

What is QinQ?

QinQ is also known as VLAN dot1q tunnel, 802.1Q tunnel, or VLAN stacking. The standard comes from IEEE 802.1ad and is an extension of the 802.1Q protocol. QinQ adds one more layer of 802.1Q tag (VLAN tag) in front of the original 802.1Q packet header. With two layers of tags, the number of usable VLANs is greatly increased compared with plain 802.1Q.

QinQ encapsulates the user's private network VLAN tag inside the public (service provider) network VLAN tag, so that the packet carrying two layers of VLAN tags can cross the operator's backbone (public) network. In the public network, the packet is forwarded according to the outer VLAN tag (that is, the public network VLAN tag), and the user's private network VLAN tag is hidden.

The formats of the common 802.1Q packet with one layer of VLAN tag and the QinQ packet with two layers of VLAN tags are as follows:

The formats of common VLAN packet and QinQ packet

Two layers of VLAN tags can support 4K × 4K VLANs, meeting most ISP requirements and overcoming the VLAN-count limitation of single-tagged 802.1Q.

QinQ features:
  1. Provides a simple L2 VPN tunnel for the user.
  2. Needs no protocol or signaling support; it is realized by static configuration.

QinQ mainly solves the following problems:
  1. Shields the user's VLAN IDs, so as to save the service provider's public network VLAN ID resources.
  2. The user can plan private network VLAN IDs freely, avoiding conflicts with the public network and with other users' VLAN IDs.
  3. Provides a simple L2 VLAN solution.


QinQ in Action



The upstream packet from the CE1 switch carries one layer of VLAN tag. The packet reaches the QinQ port of the PE1 switch, which, according to the configuration of the QinQ port, adds an outer VLAN tag to the packet. The packet with two layers of VLAN tags is forwarded to PE2 via the public network. On the QinQ port of PE2, the outer VLAN tag is removed, so the packet again has one layer of VLAN tag and is forwarded to CE2.

Realizing Modes of QinQ

QinQ comes in two kinds: basic QinQ and selective QinQ.

Basic QinQ:
When receiving a packet, the QinQ port adds the VLAN tag of the port's default VLAN to the packet, whether or not the packet already carries a VLAN tag. Before the packet is forwarded out of the QinQ port, the outer tag is removed and the packet is then forwarded. The disadvantage of this method is that the outer VLAN to encapsulate cannot be selected according to the VLAN tag already in the packet.

Selective QinQ:
Selective QinQ solves the disadvantage of basic QinQ. When receiving a packet, the QinQ port adds the specified outer VLAN tag according to the VLAN tag already in the packet. If no outer VLAN tag is specified for that inner tag, the VLAN tag of the port's default VLAN is added.

QinQ expansion: Configure mapping entries on the QinQ port to replace the VLAN tag of the packet with a specified VLAN tag, converting one VLAN tag into another. This function is called VLAN Mapping.

TPID (Tag Protocol Identifier): a field in the VLAN tag that indicates the protocol type of the VLAN tag. IEEE 802.1Q defines the value of this field as 0x8100, and the default value of the outer TPID for QinQ is also 0x8100. The outer VLAN tag TPID of QinQ packets from some manufacturers' devices is 0x9100 or 0x9200. The user can modify the TPID of the port facing the public network so that devices from different manufacturers can interoperate.
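The following is an added example (not code from the original post or from any vendor) that works through the frame format, the PE1 push / PE2 pop walk-through, the basic versus selective QinQ decision and the TPID choice described above, on constructed Ethernet frames with made-up MAC addresses:

```python
import struct

# TPIDs that mark a VLAN tag: 0x8100 is the 802.1Q value (and the default outer
# TPID described above), 0x88a8 the IEEE 802.1ad S-tag, 0x9100/0x9200 the
# vendor-specific values mentioned above.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100, 0x9200}

def parse_tags(frame):
    """Return (tags, ethertype, payload); tags is an outer-to-inner list of (tpid, vid)."""
    off, tags = 12, []                      # tags start right after dst/src MACs
    while True:
        etype = struct.unpack("!H", frame[off:off + 2])[0]
        if etype not in VLAN_TPIDS:
            break
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((etype, tci & 0x0FFF))  # VID is the low 12 bits of the TCI
        off += 4
    return tags, etype, frame[off + 2:]

def push_tag(frame, vid, tpid=0x8100, pcp=0):
    """PE ingress: insert a new outer tag directly after the MAC addresses."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]

def pop_tag(frame):
    """PE egress: strip the outermost tag; the customer tag underneath is untouched."""
    return frame[:12] + frame[16:]

def pe_ingress(frame, default_svlan, mapping=None, tpid=0x8100):
    """Basic QinQ when mapping is None: always push the port's default VLAN.
    Selective QinQ otherwise: pick the outer VLAN by the customer's inner VID and
    fall back to the default VLAN when that VID has no mapping entry."""
    tags, _, _ = parse_tags(frame)
    svlan = default_svlan
    if mapping is not None and tags and tags[0][1] in mapping:
        svlan = mapping[tags[0][1]]
    return push_tag(frame, svlan, tpid)

# Constructed sample frames (made-up MACs, minimal IPv4 payload), not captured traffic.
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 19

def customer_frame(cvid):
    """Single-tagged frame as CE1 would send it upstream."""
    return DST + SRC + struct.pack("!HH", 0x8100, cvid) + b"\x08\x00" + PAYLOAD

def untagged_frame():
    """Untagged frame; basic QinQ still pushes the default VLAN onto it."""
    return DST + SRC + b"\x08\x00" + PAYLOAD
```

Calling pe_ingress on PE1 and pop_tag on PE2 reproduces the round trip in the "QinQ in Action" section, and passing tpid=0x9100 shows what a non-default outer TPID looks like on the wire.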

In the next post we will see the configuration of Maipu switches for QinQ. For Cisco QinQ configuration - Click here

Hope this post helps you understand the concepts of QinQ.

For any feedback and queries, please comment with your mail id and name. You can use the Name/URL option in the profile.

802.1x - Maipu Configurations


As discussed in the last post, in this section we will see configuration examples for 802.1x on Maipu routers and switches. Here I cover client-based authentication, MAC-based authentication and RADIUS-based authentication.

Device Used - MP 1800 series

Let's see the client-based authentication scenario.

802.1X Client Authentication

Topology Details
As shown in the diagram, one user is connected to port 0/1 of the device. The device manager wants to perform 802.1X authentication for the user accessing through that port, so as to control access to the Internet.

Requirements:
  1. During authentication, use the RADIUS authentication mode (the keys of the device and server are both set as maipu).
  2. When the user has not passed authentication, he can still access the Update Server (the Update Server is in VLAN 10).
  3. After passing authentication, the user can access the Internet (the port of the device connected to the Internet is in VLAN 5).
  4. After one user passes authentication, the other users on the port can access the Internet without authentication.

Topology

802.1x configuration diagram
Description

A host accesses the network via 802.1X authentication. The authentication server is a RADIUS server. Port 0/1, to which the client host (supplicant) is connected, is in VLAN 1; the authentication server is in VLAN 2; the Update Server, used for downloading and upgrading the client software, is in VLAN 10; port 0/2, which connects the switch to the Internet, is in VLAN 5.

Configuration (each command is followed by its description):

router#conf terminal
    Enter the configuration mode
router(config)#aaa new-model
    Enable the AAA mode
router(config)#aaa authentication connection default radius
    Configure AAA as the RADIUS authentication mode
router(config)#radius-server host 128.255.42.1 key maipu
    Configure the RADIUS server address and key
router(config)#vlan 2
    Create VLAN 2
router(config-vlan2)#exit
    Exit the VLAN configuration mode
router(config)#port 0/3
    Enter the port configuration mode
router(config-port-0/3)#port access vlan 2
    Add port 0/3 into VLAN 2
router(config-port-0/3)#exit
    Exit the port configuration mode
router(config)#interface vlan 2
    Enter the interface configuration mode
router(config-if-vlan2)#ip address 128.255.42.10 255.255.255.0
    Configure the address of the VLAN 2 interface
router(config-if-vlan2)#exit
    Exit the interface configuration mode
router(config)#vlan 5
    Create VLAN 5
router(config-vlan5)#exit
    Exit the VLAN configuration mode
router(config)#port 0/2
    Enter the port configuration mode
router(config-port-0/2)#port access vlan 5
    Add port 0/2 into VLAN 5
router(config-port-0/2)#exit
    Exit the port configuration mode
router(config)#vlan 10
    Create VLAN 10
router(config-vlan10)#exit
    Exit the VLAN configuration mode
router(config)#port 0/4
    Enter the port configuration mode
router(config-port-0/4)#port access vlan 10
    Add port 0/4 into VLAN 10
router(config-port-0/4)#port 0/1
    Switch to port 0/1 configuration mode
router(config-port-0/1)#dot1x port-control enable
    Enable the 802.1X authentication mode
router(config-port-0/1)#dot1x port-method portbased
    Configure the port-based access control mode
router(config-port-0/1)#dot1x guest-vlan 10
    Configure VLAN 10 as the guest VLAN
router(config-port-0/1)#exit
    Exit the port configuration mode



802.1x configuration diagram

Port 0/1 is placed in the guest VLAN, so the supplicant and the Update Server are both in VLAN 10 at this time. The supplicant can reach the Update Server and download the 802.1X client:


802.1x configuration diagram

When the user passes authentication and is online, the authentication server assigns VLAN 5. Now the supplicant and port 0/2 are both in VLAN 5, and the supplicant can access the Internet.

Let's look at MAC-based authentication.

MAC Address Authentication

Local Authentication

Topology Details - 

As shown in the diagram, one user is connected to port 0/0 of the device. The device manager wants to perform MAC address authentication for the user accessing through that port, so as to control access to the Internet.

Requirements:
  1. The device detects whether the user is offline at an interval of 120s.
  2. After a user authentication failure, authentication can be attempted again only after 5 minutes.
  3. During authentication, use the local authentication mode.
  4. Use the user's source MAC as both user name and password, with the MAC address written with hyphens "-".


Topology

Local authentication mode

Configuration (each command is followed by its description):

router#conf terminal
    Enter the configuration mode
router(config)#user 00-01-7a-22-22-33 password 0 00-01-7a-22-22-33
    Configure the local user; the user name and password are both the MAC address of the user to be connected, 00-01-7a-22-22-33
router(config)#aaa new-model
    Enable the AAA mode
router(config)#aaa authentication connection default local
    Configure the AAA local authentication mode
router(config)#port 0/0
    Enter the port configuration mode
router(config-port-0/0)#dot1x timeout offline-detect 120
    Perform offline detection for the user at an interval of 120s
router(config-port-0/0)#dot1x timeout quiet-period 300
    Configure the quiet time as 5 minutes (300s) after a user authentication failure
router(config-port-0/0)#dot1x mac-authentication enable
    Enable the MAC authentication function on the port
router(config-port-0/0)#dot1x mac-authentication user-name-format mac-address with-hyphen
    Configure the MAC authentication user name format: use the MAC address with hyphens "-" as the user name and password (this option is the default configuration)
router(config-port-0/0)#exit
    Exit the port configuration mode

The show running-config command is used to view the current configuration information:

router#show running-config
Building Configuration...done
……
user 00-01-7a-22-22-33 password 0 00-01-7a-22-22-33
……
aaa new-model
aaa authentication connection default local
……
port 0/0
 dot1x timeout offline-detect 120
 dot1x timeout quiet-period 300
 dot1x mac-authentication enable
 exit
……

Let's look at RADIUS authentication.

RADIUS Authentication

Topology Details

As shown in the diagram, one user is connected to port 0/0 of the device. The device manager wants to perform MAC address authentication for the user accessing through that port, so as to control access to the Internet.

Requirements:
  1. The device detects whether the user is offline at an interval of 120s.
  2. After a user authentication failure, authentication can be attempted again only after 5 minutes.
  3. During authentication, use the RADIUS authentication mode (set the keys of the device and server as maipu).
  4. During authentication, adopt the fixed user name format; the user name is abcd and the password is 1234.


Topology

Radius authentication mode
Configuration (each command is followed by its description)

Note:
When using RADIUS authentication, ensure that the route between the device and the RADIUS server is available and that the user name and password have been added successfully on the RADIUS server.

router#conf terminal
    Enter the configuration mode
router(config)#aaa new-model
    Enable the AAA mode
router(config)#aaa authentication connection default radius
    Configure AAA as the RADIUS authentication mode
router(config)#radius-server host 128.255.42.1 key maipu
    Configure the RADIUS server address and key
router(config)#interface vlan 1
    Enter the interface configuration mode
router(config-if-vlan1)#ip address 128.255.42.10 255.255.255.0
    Configure the address of the VLAN 1 interface
router(config-if-vlan1)#exit
    Exit the interface configuration mode
router(config)#port 0/0
    Enter the port configuration mode
router(config-port-0/0)#dot1x timeout offline-detect 120
    Perform offline detection for the user at an interval of 120s
router(config-port-0/0)#dot1x timeout quiet-period 300
    Configure the quiet time as 5 minutes (300s) after a user authentication failure
router(config-port-0/0)#dot1x mac-authentication enable
    Enable the MAC authentication function on the port
router(config-port-0/0)#dot1x mac-authentication user-name-format fixed account abcd password 1234
    Configure the MAC authentication user name format: fixed user name; the user name is abcd and the password is 1234
router(config-port-0/0)#exit
    Exit the port configuration mode


The show running-config command can be used to view the current configuration information:

router#show running-config
Building Configuration...done
……
aaa new-model
aaa authentication connection default radius
……
port 0/0
 dot1x timeout offline-detect 120
 dot1x timeout quiet-period 300
 dot1x mac-authentication enable
 dot1x mac-authentication user-name-format fixed account abcd password 1234
 exit
……
interface vlan1
 ip address 128.255.42.10 255.255.255.0
 exit
radius-server host 128.255.42.1 auth-port 1645 acct-port 1646 priority 0 key maipu
……
Monitoring Commands (each command is followed by its description)

show dot1x
    Display the default parameter information of 802.1x
show dot1x statistic
    Display the 802.1x statistics information
show dot1x user {port|link-aggregation|summary}
    Display the 802.1x user information of the specified port. If no port is specified, display all user information. If summary is given, display the user count information.
show dot1x config {port|link-aggregation}
    Display the 802.1x configuration of a specified port; if no port is specified, display the 802.1x configuration of all ports (ports without any 802.1x configuration are not displayed)


For the environment and configuration, refer to the client-based authentication scenario above.

router#show dot1x user

Displayed result:
NO.  VLAN   MAC_ADDRESS   PORT NAME    STATUS   IP_ADDRESS   USERTYPE   USERNAME
----  ----  --------------  -------------------  -------------  ---------------  --------  --------
1     10  0005.5de4.0e25      port 0/1   Unauthorized   128.255.42.111    DOT1X  abcd
     Total: 1   Authorized: 0   Unauthorized: 1   Unknown: 0

Description and analysis:
No: user serial number
VLAN: the VLAN of the user port
MAC_ADDRESS: user MAC address
PORT NAME: port name
STATUS: user authorization status
IP_ADDRESS: user IP address
USERTYPE: the user type (DOT1X user or MAC authentication user)
USERNAME: user name
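As an added example (not part of the original post or of any Maipu tool), the following parses the show dot1x user output shown above into records, cross-checks the Total/Authorized/Unauthorized summary line against the rows listed, and flags unauthorized supplicants that are not sitting in the guest VLAN, which in the design described above (guest VLAN 10 before authentication, VLAN 5 after) would be worth a look. The sample output is constructed to match the layout shown above; the second row is made up.

```python
import re

# Constructed sample in the layout of the "show dot1x user" output above (row 2 is made up).
SAMPLE = """\
NO.  VLAN   MAC_ADDRESS   PORT NAME    STATUS   IP_ADDRESS   USERTYPE   USERNAME
----  ----  --------------  -------------------  -------------  ---------------  --------  --------
1     10  0005.5de4.0e25      port 0/1   Unauthorized   128.255.42.111    DOT1X  abcd
2      5  0005.5de4.0e26      port 0/1   Authorized     128.255.42.112    DOT1X  abcd
     Total: 2   Authorized: 1   Unauthorized: 1   Unknown: 0
"""

# PORT NAME contains a space ("port 0/1"), so a plain whitespace split would misalign columns.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
                 r"((?:port|link-aggregation)\s+\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.I)
TOTAL = re.compile(r"Total:\s*(\d+)\s+Authorized:\s*(\d+)\s+Unauthorized:\s*(\d+)\s+Unknown:\s*(\d+)")
FIELDS = ("no", "vlan", "mac", "port", "status", "ip", "usertype", "username")

def parse_dot1x_users(text):
    """Return (list of user dicts, totals dict or None) from show dot1x user output."""
    users, totals = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rec = dict(zip(FIELDS, m.groups()))
            rec["no"], rec["vlan"] = int(rec["no"]), int(rec["vlan"])
            users.append(rec)
            continue
        m = TOTAL.search(line)
        if m:
            totals = dict(zip(("total", "authorized", "unauthorized", "unknown"), map(int, m.groups())))
    return users, totals

def totals_consistent(users, totals):
    """True when the summary line agrees with the rows that were actually listed."""
    counted = {"authorized": 0, "unauthorized": 0, "unknown": 0}
    for u in users:
        key = u["status"].lower()
        counted[key if key in counted else "unknown"] += 1
    return totals is not None and totals["total"] == len(users) and all(
        totals[k] == v for k, v in counted.items())

def unauthorized_outside_guest_vlan(users, guest_vlan):
    """Unauthorized users should only be in the guest VLAN (assumption from the design above)."""
    return [u for u in users if u["status"].lower() == "unauthorized" and u["vlan"] != guest_vlan]
```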

Debug Command

View the user login authentication information with the command debug dot1x all.

Hope this configuration helps you with 802.1x configurations.

For any queries and feedback, please comment with your name and mail id. You can use the Name/URL option in the profile.


