Switching from QinQ method and the VLAN transition method
search cancel

Switching from QinQ method and the VLAN transition method

book

Article ID: 382452

calendar_today

Updated On:

Products

SV-3800 SSL Visibility Appliance Software

Issue/Introduction

A customer is using ixia to send traffic SSLV and attached appliances. The customer is using QinQ method on Ixia and wants to change to VLAN transition method. 

Is there any configuration change needed on SSLV Appliance?

Environment

SSLV 4.5/5.x

Resolution

Switching from the QinQ method to the VLAN Transition method on the Symantec SSL Visibility (SSLV) appliance will require adjustments to the appliance configuration to ensure the traffic is processed correctly. Here's an analysis based on the provided Broadcom documentation:

Key Considerations for Changing from QinQ to VLAN Transition
  1. Understand the VLAN Methods:

    • QinQ (802.1ad):
      • QinQ adds an extra VLAN tag to the packets, creating a "stacked VLAN" structure.
      • Commonly used for separating traffic across different customer networks or segments.
    • VLAN Transition:
      • VLAN Transition involves mapping incoming traffic from one VLAN ID to another or passing the traffic through while preserving its VLAN tag.
      • Typically used for direct VLAN mappings or transitions.
  2. Impact on SSLV Configuration:

    • SSLV can process VLAN-tagged traffic based on its VLAN lists and policies. The method of tagging (QinQ vs. VLAN Transition) determines how traffic is identified and routed.
    • If the VLAN tagging structure changes, SSLV will need corresponding updates in its VLAN configuration and possibly routing domains.

 

Configuration Changes on the SSLV Appliance

1. VLAN Lists:

  • Go to Policies Menu > VLAN Lists (as described here).
  • Update the VLAN lists to reflect the VLANs used in the VLAN Transition method.
  • Remove references to QinQ VLAN IDs if they are no longer applicable.

2. Routing Domains:

  • If routing domains are being used, ensure that the VLAN associations within the domains reflect the new VLAN structure (reference).
  • Update the traffic routing policies to handle traffic based on the new VLAN IDs.

3. Aggregate Interfaces:

  • Review aggregate interface configurations to ensure compatibility with the VLAN Transition method (reference).
  • If QinQ-specific configurations were applied (e.g., handling stacked VLAN tags), these should be removed or adjusted.

4. VLAN Policies:

  • Update the VLAN policies to match the new method (reference).
  • Ensure the policies reflect how traffic is matched and processed based on the updated VLAN tags.

5. Traffic Monitoring and Testing:

  • After applying the changes, test the traffic flow:
    • Confirm the SSLV appliance is correctly identifying and processing VLAN-tagged traffic.
    • Monitor traffic using the SSLV UI Overview for errors or mismatches.

 

Additional Steps

  1. Coordinate with Ixia Settings:

    • Ensure that the VLAN tags configured in the Ixia traffic generator match those expected by the SSLV appliance.
    • Misalignment in VLAN configurations between Ixia and SSLV can lead to traffic drops or misrouting.
  2. Backup Configuration:

    • Before making changes, back up the current SSLV configuration.
    • This ensures you can revert to the original settings if needed.
  3. Refer to SSLV Documentation:

    • The detailed VLAN configuration documentation (linked here) should guide you through setting up VLANs and policies.

 

In ending, to switch from QinQ to VLAN Transition on the SSLV appliance:

  • Update VLAN Lists to reflect the new tagging structure.
  • Adjust routing domains and policies to handle the new VLAN configuration.
  • Verify aggregate interface configurations.
  • Test traffic flow to ensure proper processing of VLAN-tagged traffic.

These changes ensure that the SSLV appliance properly recognizes and processes traffic from the Ixia generator using the VLAN Transition method.