A QFX5100 allows for dot1q-tunneling, or Q-in-Q. If you ever configured dot1q-tunneling on an EX-switch, this configuration differs a lot from what you may be used to. This article offers an attempt to clarify and explain the configuration of a dot1q-tunnel on a standalone QFX5100 without an enhanced feature license.

I will use the following setup in the next examples:

QFX Q in Q

What I will do is configure several vlan interfaces on the MX104 routers (Mars and Jupiter) and establish IP connectivity between those interfaces.

Let’s start with the configuration of the QFX5100. To create a dot1q-tunnel between the two ports in the example, I have started with the encapsulation of the interfaces.

set interfaces xe-0/0/46 vlan-tagging
set interfaces xe-0/0/46 encapsulation extended-vlan-bridge
set interfaces xe-0/0/47 vlan-tagging
set interfaces xe-0/0/47 encapsulation extended-vlan-bridge

After, I applied the interface unit configuration. This configuration involves a vlan input and output map. The input map will push a tag onto the frames send to the QFX, and the output map will simply pop the outer tag.

set interfaces xe-0/0/46 unit 10 input-vlan-map push
set interfaces xe-0/0/46 unit 10 input-vlan-map vlan-id 10
set interfaces xe-0/0/46 unit 10 output-vlan-map pop

set interfaces xe-0/0/47 unit 10 input-vlan-map push
set interfaces xe-0/0/47 unit 10 input-vlan-map vlan-id 10
set interfaces xe-0/0/47 unit 10 output-vlan-map pop

After this, we need to determine what vlans are allowed into the ‘tunnel’. We will start with vlan 1500:

set interfaces xe-0/0/46 unit 10 vlan-id-list 1500
set interfaces xe-0/0/47 unit 10 vlan-id-list 1500

The last thing we need to configure is the dot1q vlan (this needs to be configured without a tag):

set vlans Q-in-Q interface xe-0/0/46.10
set vlans Q-in-Q interface xe-0/0/47.10

The complete configuration of the dot1q-tunnel on the QFX5100 will end up looking like this:

set interfaces xe-0/0/46 description MX104-MARS_xe-1/2/0
set interfaces xe-0/0/46 vlan-tagging
set interfaces xe-0/0/46 encapsulation extended-vlan-bridge
set interfaces xe-0/0/46 unit 10 vlan-id-list 1500
set interfaces xe-0/0/46 unit 10 input-vlan-map push
set interfaces xe-0/0/46 unit 10 input-vlan-map vlan-id 10
set interfaces xe-0/0/46 unit 10 output-vlan-map pop

set interfaces xe-0/0/47 description MX104-JUPITER_xe-1/3/0
set interfaces xe-0/0/47 vlan-tagging
set interfaces xe-0/0/47 encapsulation extended-vlan-bridge
set interfaces xe-0/0/47 unit 10 vlan-id-list 1500
set interfaces xe-0/0/47 unit 10 input-vlan-map push
set interfaces xe-0/0/47 unit 10 input-vlan-map vlan-id 10
set interfaces xe-0/0/47 unit 10 output-vlan-map pop

set vlans Q-in-Q interface xe-0/0/46.10
set vlans Q-in-Q interface xe-0/0/47.10

Having applied the configuration, let’s move over to the MX-routers and configure a subinterface with vlan-id 1500.

Mars:

set interfaces xe-1/2/0 description QFX5100-xe-0/0/46
set interfaces xe-1/2/0 flexible-vlan-tagging
set interfaces xe-1/2/0 encapsulation flexible-ethernet-services
set interfaces xe-1/2/0 unit 1500 vlan-id 1500
set interfaces xe-1/2/0 unit 1500 family inet address 192.168.1.1/24

Jupiter:

set interfaces xe-1/3/0 description QFX5100-xe-0/0/47
set interfaces xe-1/3/0 flexible-vlan-tagging
set interfaces xe-1/3/0 encapsulation flexible-ethernet-services
set interfaces xe-1/3/0 unit 1500 vlan-id 1500
set interfaces xe-1/3/0 unit 1500 family inet address 192.168.1.2/24

After were done with the configuration and when we start sending traffic from the Mars router to the Jupiter router, the following will happen:

QFX Q in Q

The QFX will push vlan-id 10 on ingress and the tag is popped (removed) on egress. Let’s verify the connectivity between the routers:

play@MX104-TEST-HB:Mars> ping 192.168.1.2 size 1472 do-not-fragment
PING 192.168.1.2 (192.168.1.2): 1472 data bytes
1480 bytes from 192.168.1.2: icmp_seq=0 ttl=64 time=1.066 ms
1480 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=1.001 ms
^C
--- 192.168.1.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.001/1.034/1.066/0.032 ms

play@MX104-TEST-HB:Mars> show arp no-resolve | match 192.168.1.2
cc:e1:7f:7a:d4:a0 192.168.1.2     xe-1/2/0.1500        none

On the QFX, we can see the following:

play@QFX5100-play> show ethernet-switching table

MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)


Ethernet switching table : 2 entries, 2 learned
Routing instance : default-switch
    Vlan                MAC                 MAC         Age    Logical
    name                address             flags              interface
    Q-in-Q              cc:e1:7f:7a:d3:f7   D             -   xe-0/0/46.10
    Q-in-Q              cc:e1:7f:7a:d4:a0   D             -   xe-0/0/47.10

With the current configuration, the QFX doesn’t care how many tags the MX attaches to the packet. To test this, let’s add vlan 1000 to the allowed vlan-list on the QFX and have the MX send packets with two tags across this link.

Jupiter:

set interfaces xe-1/3/0 unit 1000 vlan-tags outer 1000
set interfaces xe-1/3/0 unit 1000 vlan-tags inner 2500
set interfaces xe-1/3/0 unit 1000 family inet address 10.0.0.1/24

On Mars:

set interfaces xe-1/2/0 unit 1000 vlan-tags outer 1000
set interfaces xe-1/2/0 unit 1000 vlan-tags inner 2500
set interfaces xe-1/2/0 unit 1000 family inet address 10.0.0.2/24

On the QFX:

set interfaces xe-0/0/46 unit 10 vlan-id-list 1000
set interfaces xe-0/0/47 unit 10 vlan-id-list 1000

This last command will only add the vlan to the vlan-id-list, it will not remove the previously configured vlan:

play@QFX5100-play> show configuration interfaces xe-0/0/47
description MX104-JUPITER_xe-1/3/0;
vlan-tagging;
encapsulation extended-vlan-bridge;
unit 10 {
    vlan-id-list [ 1000 1500 ];
    input-vlan-map {
        push;
        vlan-id 10;
    }
    output-vlan-map pop;
}

After applying all the configuration, we can observe the following:

play@MX104-TEST-HB:Jupiter> show interfaces xe-1/3/0.1000
  Logical interface xe-1/3/0.1000 (Index 462) (SNMP ifIndex 656)
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.1000 0x8100.2500 ]  Encapsulation: ENET2
    Input packets : 24
    Output packets: 35
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.0.0/24, Local: 10.0.0.1, Broadcast: 10.0.0.255
    Protocol multiservice, MTU: Unlimited

play@MX104-TEST-HB:Jupiter> ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=64 time=0.643 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.593 ms
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.593/0.618/0.643/0.025 ms

The ‘old’ EX way was a little more straightforward. On an EX switch (most of them) you can simply configure this:

set ethernet-switching-options dot1q-tunneling ether-type 0x8100
set vlans example vlan-id 2000
set vlans example dot1q-tunneling customer-vlans 1-4094

And apply it to the interface:

set interfaces ge-0/1/3 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/3 unit 0 family ethernet-switching vlan members 2000

And if you want to tunnel (v)stp, lldp, etc, just add the following:

set vlans example dot1q-tunneling layer2-protocol-tunneling all

The knob to tunnel layer 2 protocols on the QFX can be found in the [protocols layer2-control] configuration stanza. This doesn not seem work with the QFX configuration I presented here. It does work on interfaces with the etherswitching family enabled. Unfortunately I have not been able to get dot1q-tunneling working with the etherswitching family enabled on an interface.