Configure VLAN Mapping on a Cisco Business Switch

Available Languages

Download Options

PDF (621.9 KB)
View with Adobe Reader on a variety of devices
ePub (709.6 KB)
View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle) (1.2 MB)
View on Kindle device or Kindle app on multiple devices

Updated:July 24, 2020

Document ID:1595554107263451

Objective

This article provides instructions on how to configure the Virtual Local Area Network (VLAN) mapping settings on your Cisco Business switch.

Applicable Devices | Software Version

CBS250 (Data Sheet) | 3.0.0
CBS350 (Data Sheet) | 3.0.0
CBS350-2X (Data Sheet) | 3.0.0
CBS350-4X (Data Sheet) | 3.0.0

Introduction

To establish Service Provider Virtual Local Area Networks (S-VLANs), you can configure VLAN mapping or VLAN ID translation on trunk ports that are connected to a customer network. This will map customer VLANs to service provider. Packets entering the port are mapped to S-VLAN based on the port number and the original customer VLAN-ID (C-VLAN) of the packet.

In a typical metro deployment, VLAN mapping takes place on user network interfaces (UNIs) or enhanced network interfaces (ENIs) that face the customer network. However, you are not prevented from configuring VLAN mapping on network node interfaces (NNIs).

The image below displays an example of a network where a customer uses the same VLANs in multiple sites on different sides of a service provider network.

You can map the C-VLAN IDs to S-VLAN IDs for packet travel across the service provider backbone. The C-VLAN IDs are retrieved at the other side of the service provider backbone for use in the other customer site. You can configure the same set of VLAN mappings at a customer-connected port on each side of the service provider network.

VLAN Tunneling

VLAN tunneling is an enhancement of the QinQ or Nested VLAN or the Customer mode VLAN feature. It enables service providers to use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated. This feature is known as double tagging or QinQ because in addition to the regular 802.1Q tag, which is also known as the C-VLAN, the switch adds a second ID tag known as the S-VLAN, to forward traffic over the network. On an edge interface, which is an interface where a customer network is connected to the provider edge switch, C-VLANs are mapped to S-VLANs and the original C-VLAN tags are kept as part of the payload. Untagged frames are dropped.

When a frame is sent on a non-edge tagged interface, it is encapsulated with another layer of S-VLAN tag to which the original C-VLAN-ID is mapped. Therefore, packets transmitted on non-edge interfaces frames are double-tagged, with an outer S-VLAN tag and inner C-VLAN tag. The S-VLAN tag is preserved while traffic is forwarded through the network infrastructure of the service provider. On an egress device, the S-VLAN tag is stripped when a frame is sent out on an edge interface. Untagged frames are dropped.

The VLAN tunneling feature uses a different set of commands than the original QinQ or Nested VLAN implementation, and adds the following functionality in addition to the original implementation:

Provides multiple mappings of different C-VLANs to separate S-VLANs per edge interface.
Allows the configuration of a drop action for certain C-VLANs received on edge interfaces.
Allows the configuration of the action for C-VLANs which are not specifically mapped to an S-VLAN (drop or map to certain S-VLANs).
Allows the global configuration and per NNI (backbone ports) which is the Ethertype of the S-VLAN tag. In the previous QinQ implementation, only the Ethertype of 0x8100 was supported for an S-VLAN tag.

You must create and specify the S-VLAN on the device before configuring it on an interface as an S-VLAN. If this VLAN does not exist, the command fails.

The IPv4 or IPv6 forwarding and VLAN tunneling are mutually exclusive. Meaning that if either IPv4 or IPv6 forwarding are enabled, an interface cannot be set to VLAN tunneling mode. And if any interface is set to VLAN tunneling mode, both IPv4 and IPv6 forwarding cannot be enabled on that device.

The following features are also mutually exclusive with the VLAN tunneling feature:

Auto Voice VLAN
Auto Smartport
Voice VLAN

The IPv4 and IPv6 interfaces cannot be defined on VLANs containing edge interfaces.

The following Layer 2 features are not supported on VLANs containing edge interfaces:

Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping
Dynamic Host Configuration Protocol (DHCP) Snooping
IPv6 First Hop Security

The following features are not supported on edge interfaces or UNI:

Remote Authentication Dial-In User Service (RADIUS) VLAN assignment
802.1x VLAN
Switch Port Analyzer (SPAN) or Remote SPAN (RSPAN) — As a destination port with the network keyword or as a reflector port destination port with the network keyword or reflector port.

The original QinQ implementation (customer mode-related commands) continues to exist alongside the new implementation of VLAN tunneling. The customer port mode is a particular case of VLAN-mapping tunnel port mode, and does not require allocation of TCAM resources.

VLAN One-to-One Mapping

In addition to VLAN tunneling, the switch supports VLAN One-to-One Mapping. In VLAN One-to-One Mapping, on an edge interface, C-VLANs are mapped to S-VLANs and the original C-VLAN tags are replaced by the specified S-VLAN. Untagged frames are dropped.

When a frame is sent on non-edge tagged interface, it is sent with a single VLAN tag, namely that of the specified S-VLAN. The S-VLAN tag is preserved while traffic is forwarded through the infrastructure network of the service provider. On the egress device, the S-VLAN tag is replaced with the C-VLAN tag when a frame is sent to an edge interface.

In the VLAN mapping one-to-one mode, an interface belongs to all S-VLANs for which mapping on this interface is defined as an egress-tagged interface. The interface port VLAN ID (PVID) is set to 4095.

Prerequisites in configuring VLAN Mapping on your switch:

Note: Applying VLAN tunneling on an interface requires the use of router TCAM rules. There should be four TCAM entries per mapping. If there is not a sufficient number of router TCAM resources, the command will fail.

1. Create the VLANs. To learn how to configure the VLAN settings on your switch, click here.

2. Disable IP routing on the switch. To learn how to configure IP routing settings on your switch, click here.

3. Configure Ternary Content Addressable Memory (TCAM) allocations on your switch. To learn how to configure router TCAM resources allocation for VLAN tunneling and mapping purposes, click here.

4. Disable Spanning Tree Protocol (STP) on the interfaces that you want to configure. For instructions on how to configure the STP interface settings on your switch, click here.

5. Configure the interface as trunk ports. For instructions, click here.

6. Disable Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) on the interface. To learn how to configure the GVRP settings on your switch, click here.

Configure VLAN Mapping

Configure Tunnel Mapping

Configuring VLAN Tunnel Mapping on the switch performs the following actions:

Creates an Access Control List (ACL) for mapping VLANs from VLAN List to Outer VLAN ID.
Adds to the ACL one rule for each VLAN from the VLAN List.
Reserves the place into Tunnel Termination and Interface (TTI) for this ACL. If there is not enough free place into TTI, the command fails.

Note: The ACL can be bound on the interface later through the configuration of One-to-One VLAN Mapping.

Adds the edge interface to the VLAN specified in the Outer VLAN ID.
The ACL contains V+1 rules, where V is the number of specified C-VLANs.

Follow these steps to configure tunnel mapping on a specific interface or interfaces of your switch:

Step 1. Log in to the web-based utility of the switch then choose VLAN Management > VLAN Translation > VLAN Mapping.

Note: The available menu options may vary depending on the device model.

Step 2. (Optional) To display the pre-configured Tunnel Mapping on the switch, choose Tunnel Mapping from the Mapping Type drop-down list.

Step 3. Click Go to bring up a list of pre-configured VLAN Tunnel mapping entries. In this example, there is no pre-configured Tunnel mapping entry.

Step 4. Click Add to add a new entry.

Step 5. Choose an interface from the Port or Link Aggregation Group (LAG) from the LAG drop-down lists.

Note: In this example, Port GE4 is chosen. You can configure a few VLAN tunnel mapping settings on the same interface.

The Interface VLAN Mode area displays the current VLAN mode of the port.

Step 6. Click the Tunnel Mapping radio button to configure the tunnel VLAN mapping settings.

Step 7. In the Customer VLAN area, click Default to define the required action for C-VLANs not specifically specified or click on VLAN List to specifically define VLAN tunnel behavior for listed VLANs in the VLAN List field.

Note: You can define a few switchport configurations on the same interface, only if the VLAN List arguments do not contain common VLAN IDs.

Step 8. In the Tunneling area, click the Drop radio button to drop the untagged frames or click Outer VLAN ID to specifically define the Outer VLAN ID in the Outer VLAN ID field.

Note: This example shows how to configure selective tunneling on the GE4 port so that the traffic with a C-VLAN ID of 30 and 40 would be tunneled with S-VLAN ID of 10.

Step 9. Click Apply.

Step 10. (Optional) Repeat steps 5 to 9 to configure more Tunnel Mapping settings on the port or to configure other ports.

Note: In this example, the traffic entering port GE4 from VLAN 50 will be dropped.

Step 11. Click Close.

Step 12. (Optional) Click Save to save settings to the startup configuration file.

You should now have successfully configured the VLAN Tunnel Mapping settings on a specific port or ports on your switch.

Configure One to One VLAN Mapping

In One-to-One VLAN Mapping, you can configure the C-VLAN ID entering the switch from the customer network and the assigned S-VLAN ID on a specific port on your switch. In the VLAN mapping One-to-One mode, an interface belongs to all S-VLANs for which mapping on this interface is defined as egress tagged interface. The interface PVID is set to 4095.

In the VLAN Mapping One-to-One mode, an interface uses one ingress ACL and one egress ACL. The One-to-One VLAN Mapping adds rules to these ACLs. These ACLs are applied in order to:

Ingress ACL (in TTI):

- Replace specified C-VLAN-ID by S-VLAN-ID.

- Drop frames with unspecified C-VLAN-IDs.

- Drop untagged input frames.

Egress ACL (in TCAM):

- Replace S-VLAN-ID by C-VLAN-ID.

The VLAN One-to-One mapping adds rules to these ACLs and they are bound on the interface only if its mode is VLAN Mapping One-to-One. The ingress ACL contains V+1 rules and the egress ACL contains V rules, where V is the number of specified C-VLANs.

Follow these steps to configure One-to-One VLAN mapping on a specific interface or interfaces of your switch:

Step 1. Log in to the web-based utility of the switch then choose VLAN Management > VLAN Translation > VLAN Mapping.

Note: The available menu options may vary depending on the device model.

Step 2. (Optional) To display the pre-configured One to One mapping on the switch, choose One to One from the Mapping Type drop-down list.

Step 3. (Optional) Click Go to bring up a list of pre-configured VLAN One to One mapping entries. In this example, there is no pre-configured One to One mapping entry.

Step 4. Click Add to add a new entry.

Step 5. Choose an interface from the Unit and Port or Link Aggregation Group (LAG) from the LAG drop-down lists.

Note: In this example, Port GE2 is chosen. You can configure a few One-to-One VLAN Translation settings on the same interface.

The Interface VLAN Mode area displays the current VLAN mode of the port.

Step 6. Click the One to One radio button to define one-to-one VLAN mapping settings.

Step 7. Enter the VLAN ID of the C-VLAN that will be translated to S-VLAN in the Source VLAN field. The range is from one to 4094.

Note: In this example, VLAN 10 is entered as the Source VLAN.

Step 8. Enter the VLAN ID of the S-VLAN that will replace the specified C-VLAN in the Translated VLAN field. The range is from one to 4094. This will be the ingress ACL which will drop untagged input frames and unspecified C-VLAN IDs.