We are back to playing with QinQ tunnels. This time solving a Layer 2 loop issue.
If you recall from part 1, we had to do a bit of a MacGyver and loop a cable in and out of our switch to bring up the tunnel. It worked well in that post, but now it's time to open up the tunnel a bit more and allow more VLANs through it.
Our QinQ trunk port is configured as follows:
    3750#sh run int fa1/0/1
    Building configuration...

    Current configuration : 263 bytes
    !
    interface FastEthernet1/0/1
     description **** QinQ vlan ****
     switchport access vlan 500
     switchport trunk encapsulation dot1q
     switchport mode dot1q-tunnel
     ip access-group 101 in
     no keepalive
     l2protocol-tunnel cdp
     l2protocol-tunnel stp
     no cdp enable
    end

And our access port is configured as:

    3750#sh run int fa1/0/17
    Building configuration...

    Current configuration : 177 bytes
    !
    interface FastEthernet1/0/17
     description **** Cust trunk ****
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 4,10,11,61,62,63
     switchport mode trunk
    end

So the logical solution to allow all our VLANs to communicate over the QinQ would be to change the allowed VLAN list to "all". This should do it, right?
Not so much, and behold the problem when we do this:
    3750(config-if)#int fa1/0/17
    3750(config-if)#switchport trunk allowed vlan all
    3750(config-if)#exit
    3750(config)#exit
    03:34:26: %PM-4-ERR_DISABLE: l2ptguard error detected on Fa1/0/1, putting Fa1/0/1 in err-disable state
    3750#
    03:34:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
    03:34:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/17, changed state to down
    03:34:27: %SYS-5-CONFIG_I: Configured from console by console
    03:34:28: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
    03:34:28: %LINK-3-UPDOWN: Interface FastEthernet1/0/17, changed state to down
    3750#

Immediately we find that our switch detects a layer 2 loop and the QinQ port is error-disabled: "%PM-4-ERR_DISABLE: l2ptguard error detected on Fa1/0/1, putting Fa1/0/1 in err-disable state".
This is because we are allowing the QinQ VLAN (VLAN 500) to be trunked. We can either specify all the VLANs we want to allow (1, 4, 5, 6, 7, etc.) or we can use the much cleaner way below:
    3750(config)#int fa1/0/17
    3750(config-if)#switchport trunk allowed vlan ?
      WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
      add     add VLANs to the current list
      all     all VLANs
      except  all VLANs except the following
      none    no VLANs
      remove  remove VLANs from the current list

    3750(config-if)#switchport trunk allowed vlan except 500
    3750(config-if)#exit

Using the "except" keyword we can specify which VLANs we don't want to trunk, and IOS will trunk everything that's not in the list. Your mileage will vary depending on whether you want to allow or restrict more, but it's a cleaner approach for this example.
We have to remember to shut and no shut our QinQ interface to bring up the tunnel:
    3750(config)#int fa1/0/1
    3750(config-if)#shut
    3750(config-if)#no shut
    3750(config-if)#exit
    3750(config)#exit
    03:35:31: %LINK-5-CHANGED: Interface FastEthernet1/0/1, changed state to administratively down
    3750#
    03:35:33: %SYS-5-CONFIG_I: Configured from console by console
    03:35:33: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
    03:35:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
    03:35:35: %LINK-3-UPDOWN: Interface FastEthernet1/0/17, changed state to up
    03:35:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/17, changed state to up

And now we should be able to see the other side of the network (the 3560), which should be listed twice: once for the trunk link between the two (port 48) and again on port 17.
    3750#sh cdp neigh
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

    Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
    3560             Fas 1/0/17         132          S I      WS-C3560-4Fas 0/17
    3560             Fas 1/0/48         143          S I      WS-C3560-4Fas 0/48
    3550-B           Fas 1/0/12         138         R S I     WS-C3550-2Fas 0/12
    3750#

No more l2ptguard errors!
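
As an added example (not from the original post), the Python check below reads interface configuration and reports any trunk port whose effective allowed-VLAN list still includes the access VLAN of a dot1q-tunnel port, which is the condition that triggered l2ptguard above. It goes slightly beyond the post by also handling ranges and the add/remove/none keywords; the sample config is constructed from the two interfaces shown, and the function names are my own.

```python
import re

# Constructed sample based on the two interfaces in the post. IOS omits the
# "allowed vlan" line when a trunk carries all VLANs (the failing state).
SAMPLE = """\
interface FastEthernet1/0/1
 switchport access vlan 500
 switchport mode dot1q-tunnel
!
interface FastEthernet1/0/17
 switchport mode trunk
!
"""
ALL_VLANS = set(range(1, 4095))

def expand(spec):
    """Expand a VLAN list such as '4,10-12' into {4, 10, 11, 12}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def allowed_vlans(body):
    """Effective allowed set for a trunk port; no 'allowed vlan' line means all."""
    allowed = set(ALL_VLANS)
    for line in body:
        m = re.match(r"switchport trunk allowed vlan (?:(add|remove|except) )?(\S+)", line)
        if not m:
            continue
        kw, spec = m.groups()
        vl = ALL_VLANS if spec == "all" else set() if spec == "none" else expand(spec)
        allowed = {"add": allowed | vl, "remove": allowed - vl,
                   "except": ALL_VLANS - vl, None: set(vl)}[kw]
    return allowed

def find_tunnel_vlan_leaks(config):
    """Return sorted (trunk_port, vlan) pairs where a trunk carries a tunnel VLAN."""
    ports = {}
    for block in re.split(r"^interface ", config, flags=re.M)[1:]:
        name, *body = [l.strip() for l in block.splitlines()]
        ports[name] = body
    tunnel = {int(m.group(1)) for body in ports.values()
              if "switchport mode dot1q-tunnel" in body
              for m in (re.match(r"switchport access vlan (\d+)", l) for l in body) if m}
    return sorted((name, v) for name, body in ports.items()
                  if "switchport mode trunk" in body
                  for v in tunnel & allowed_vlans(body))
```

Calling `find_tunnel_vlan_leaks(SAMPLE)` flags Fa1/0/17 for VLAN 500; adding `switchport trunk allowed vlan except 500` to that port clears the finding.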