This article provides instructions on how to configure the Virtual Local Area Network (VLAN) mapping settings on your switch through the Command Line Interface (CLI).
To establish Service Provider Virtual Local Area Networks (S-VLANs), you can configure VLAN mapping or VLAN ID translation on trunk ports that are connected to a customer network. This will map customer VLANs to service provider. Packets entering the port are mapped to S-VLAN based on the port number and the original customer VLAN-ID (C-VLAN) of the packet.
In a typical metro deployment, VLAN mapping takes place on user network interfaces (UNIs) or enhanced network interfaces (ENIs) that face the customer network. However, you are not prevented from configuring VLAN mapping on network node interfaces (NNIs).
The image below displays an example of a network where a customer uses the same VLANs in multiple sites on different sides of a service provider network.
You can map the C-VLAN IDs to S-VLAN IDs for packet travel across the service provider backbone. The C-VLAN IDs are retrieved at the other side of the service provider backbone for use in the other customer site. You can configure the same set of VLAN mappings at a customer-connected port on each side of the service provider network.
VLAN tunneling is an enhancement of the QinQ or Nested VLAN or the Customer mode VLAN feature. It enables service providers to use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated. This feature is known as double tagging or QinQ because in addition to the regular 802.1Q tag, which is also known as the C-VLAN, the switch adds a second ID tag known as the S-VLAN, to forward traffic over the network. On an edge interface, which is an interface where a customer network is connected to the provider edge switch, C-VLANs are mapped to S-VLANs and the original C-VLAN tags are kept as part of the payload. Untagged frames are dropped.
When a frame is sent on a non-edge tagged interface, it is encapsulated with another layer of S-VLAN tag to which the original C-VLAN-ID is mapped. Therefore, packets transmitted on non-edge interfaces frames are double-tagged, with an outer S-VLAN tag and inner C-VLAN tag. The S-VLAN tag is preserved while traffic is forwarded through the network infrastructure of the service provider. On an egress device, the S-VLAN tag is stripped when a frame is sent out on an edge interface. Untagged frames are dropped.
The VLAN tunneling feature uses a different set of commands than the original QinQ or Nested VLAN implementation, and adds the following functionality in addition to the original implementation:
You must create and specify the S-VLAN on the device before configuring it on an interface as an S-VLAN. If this VLAN does not exist, the command fails.
The IPv4 or IPv6 forwarding and VLAN tunneling are mutually exclusive. Meaning that if either IPv4 or IPv6 forwarding are enabled, an interface cannot be set to VLAN tunneling mode. And if any interface is set to VLAN tunneling mode, both IPv4 and IPv6 forwarding cannot be enabled on that device.
The following features are also mutually exclusive with the VLAN tunneling feature:
The IPv4 and IPv6 interfaces cannot be defined on VLANs containing edge interfaces.
The following Layer 2 features are not supported on VLANs containing edge interfaces:
The following features are not supported on edge interfaces or UNI:
The original QinQ implementation (customer mode-related commands) continues to exist alongside the new implementation of VLAN tunneling. The customer port mode is a particular case of VLAN-mapping tunnel port mode, and does not require allocation of Ternary Content Addressable Memory (TCAM) resources.
In addition to VLAN tunneling, the switch supports VLAN One-to-One Mapping. In VLAN One-to-One Mapping, on an edge interface, C-VLANs are mapped to S-VLANs and the original C-VLAN tags are replaced by the specified S-VLAN. Untagged frames are dropped.
When a frame is sent on non-edge tagged interface, it is sent with a single VLAN tag, namely that of the specified S-VLAN. The S-VLAN tag is preserved while traffic is forwarded through the infrastructure network of the service provider. On the egress device, the S-VLAN tag is replaced with the C-VLAN tag when a frame is sent to an edge interface.
In the VLAN mapping one-to-one mode, an interface belongs to all S-VLANs for which mapping on this interface is defined as an egress-tagged interface. The interface port VLAN ID (PVID) is set to 4095.
Note: Applying VLAN tunneling on an interface requires the use of router TCAM rules. There should be four TCAM entries per mapping. If there is not a sufficient number of router TCAM resources, the command will fail.
Configuring VLAN Tunnel Mapping on the switch performs the following actions:
Note: The ACL can be bound on the interface later through the configuration of One-to-One VLAN Mapping.
Follow these steps to configure tunnel mapping on a specific interface or interfaces of your switch:
Step 1. Log in to the switch console. The default username and password is cisco/cisco. If you have configured a new username or password, enter the credentials instead.
Note: To learn how to access an SMB switch CLI through SSH or Telnet, click here.
Note: The commands may vary depending on the exact model of your switch. In this example, the SG350X switch is accessed through Telnet.
Step 2. From the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:
SG350X#configureStep 3. In the Global Configuration mode, enter the Interface Configuration context by entering the following:
SG350X(config)#interface [interface-id]The options are:
Note: In this example, the interface used is ge1/0/48 is being configured.
Step 4. To configure selective tunneling on an edge interface, enter the following:
SG350X(config-if)#switchport vlan-mapping tunnel [vlan-list | default] [outer-vlan-id | drop]The parameters are:
Note: This example shows how to configure selective tunneling on the interface ge1/0/48 so that the traffic with a C-VLAN ID of 30 and 40 would be tunneled with S-VLAN ID of 10.
Quick Tip: You can define a few switchport configurations on the same interface, only if the VLAN List arguments do not contain common VLAN IDs.
Step 5. (Optional) Repeat Step 4 to configure more Tunnel Mapping settings on the port or Steps 3 and 4 to configure other ports.
Note: In this example, the traffic entering interface ge1/0/48 from VLAN 50 will be dropped.
Step 6. (Optional) To delete the configured tunnel mapping settings on a specific interface, enter the following:
SG350X(config-if)#no switchport vlan-mapping tunnel [vlan-list | default]Step 7. Enter the end command to go back to the Privileged EXEC mode:
SG350X(config-if)#endYou should now have successfully configured the VLAN Tunnel Mapping settings on a specific port or ports on your switch through the CLI.
In One-to-One VLAN Mapping, you can configure the C-VLAN ID entering the switch from the customer network and the assigned S-VLAN ID on a specific port on your switch. In the VLAN mapping One-to-One mode, an interface belongs to all S-VLANs for which mapping on this interface is defined as egress tagged interface. The interface PVID is set to 4095.
In the VLAN Mapping One-to-One mode, an interface uses one ingress ACL and one egress ACL. The One-to-One VLAN Mapping adds rules to these ACLs. These ACLs are applied in order to:
The VLAN One-to-One mapping adds rules to these ACLs and they are bound on the interface only if its mode is VLAN Mapping One-to-One. The ingress ACL contains V+1 rules and the egress ACL contains V rules, where V is the number of specified C-VLANs.
Follow these steps to configure One-to-One VLAN mapping on a specific interface or interfaces of your switch:
Step 1. From the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:
SG350X#configureStep 2. In the Global Configuration mode, enter the Interface Configuration context by entering the following:
SG350X(config)#interface [interface-id]The options are:
Note: In this example, interface ge1/0/25 is chosen.You can configure a few One-to-One VLAN Translation settings on the same interface.
Step 3. To configure one-to-one VLAN translation on an edge interface, enter the following:
SG350X(config-if)#switchport vlan-mapping one-to-one [vlan-id] [translated-vlan-id]The parameters are:
Note: In this example, VLAN 10 is entered as the Source VLAN and VLAN 30 is used as the Translated VLAN.
Step 4. (Optional) Repeat Step 3 to configure more One-to-One translation settings on the port or Steps 2 and 3 to configure other ports.
Note: In this example, new source and translated VLAN IDs are configured on the same GE25 interface.
Step 5. (Optional) To remove the configured one-to-one VLAN translation settings on the interface, enter the following:
SG350X(config-if)#no switchport vlan-mapping one-to-one [vlan-id]Step 6. Enter the end command to go back to the Privileged EXEC mode:
SG350X(config-if)#endYou have now successfully configured the VLAN One-to-One mapping settings on a specific port or ports on your switch through the CLI.