Expressroute Private peering vlan advice

Thank you for your information. "Once configured, you need to share this VLAN ID and s-key of the ExpressRoute circuit with your service provider for them to configure it in the routers. The VLAN ID configured on the portal should match with the ones configured in the routers for the ExpressRoute ARP (Address Resolution Protocol) to come UP." You mention sharing the vlan id of the circuit and s key with our service provider. I shared the s key with Comcast and they have provisioned the circuit. Unfortunately Comcast does not provide layer 3 capability and only essentially drops just the epl line for us (layer 2). So our network team seems to be the ones needing to set all of this up. My question was I suppose more related to our responsibilities to get this up. Since we have only one epl line and not two we need to pass two different vlans over it to account for the redundancy at our provider and msee edge configuration, correct? As far as I know these networks have to have separate VLAN IDs. If this is the case and say we used 101 and 102 for example what would the value of the vlan tag at the circuit level (c tag)? The VLAN IDs defined by you in the Azure portal are different than the VLAN IDs at service provider end. The ones defined by you in the portal are the inner tags called customer tag (c-tag) and the ones at service provider ends are the outer tags or service provider tag (s-tag). The VLAN IDs configured by you in the portal must be same for both Primary and Secondary links (this is for the routing domain/peering and not for the circuit).

My provider does not configure any routing etc for us as they are layer 2.Our network team seems to be the ones needing to create this. My original question pertaining to the vlans is still a bit perplexing We only have one epl. It is my understanding that since this is the case we will need to configure two separate VLANS with separate VLAN IDS over this line to account for or to essentially mirror the partner and MSEE edge dual 1 GIG connections. The following MS Expressroute FAQ states "If I'm not colocated at a cloud exchange and my service provider offers point-to-point connection, do I need to order two physical connections between my on-premises network and Microsoft? If your service provider can establish two Ethernet virtual circuits over the physical connection, you only need one physical connection. The physical connection (for example, an optical fiber) is terminated on a layer 1 (L1) device (see the image). The two Ethernet virtual circuits are tagged with different VLAN IDs, one for the primary circuit, and one for the secondary. Those VLAN IDs are in the outer 802.1Q Ethernet header. The inner 802.1Q Ethernet header (not shown) is mapped to a specific ExpressRoute routing domain." So if our networking team needs to configure two separate vlans with separate IDs on our side what vlan ID needs to be inputted into the circuit private peering field? Thanks

Hello @azure-000 ,

My question was I suppose more related to our responsibilities to get this up. Since we have only one epl line and not two we need to pass two different vlans over it to account for the redundancy at our provider and msee edge configuration, correct? As far as I know these networks have to have separate VLAN IDs. If this is the case and say we used 101 and 102 for example what would the value of the vlan tag at the circuit level (c tag)?

As you correctly referred to the below FAQ:

https://video2.skills-academy.com/en-us/azure/expressroute/expressroute-faqs#onep2plink

You will configure a QinQ encapsulation in your router interface where the outer VLAN ID (s-tag), remains the same across all peerings. The inner VLAN ID (c-tag) is unique per peering.

And the inner VLAN ID (c-tag), which you configure on the Azure portal can be any valid number (such as 5, 100, 200, etc.) to establish the peering. For both Primary and Secondary links, you must use the same VLAN ID on the portal. You can choose any number here. And make sure that no other peering in the circuit uses the same VLAN ID.

For example, if you choose 101 and 102 as primary and secondary VLAN IDs for the circuit, then you can configure any other number, for example 100, 121, 200 etc. in the VLAN ID for the ExpressRoute private peering (for both primary and secondary connections) in the Azure portal.

But if you later configure Microsoft peering on the same ExpressRoute circuit, then you must choose a different VLAN ID or c-tag when configuring Microsoft peering on the Azure portal.

So, if you added 100 for private peering, you must choose some number other than 100 such as 200 or 300 for Microsoft peering.

As I mentioned above, the VLAN ID configured by you in the Azure portal is called C-tag or customer tag because it is customer defined and it can be any valid number that you choose to use.

Regards,

Gita

So to use your example. The C tag that we input into the private peering can be any number as long as it is not the same as what we configure on our router sub interface. (Say 100 as in your example) If we have two on prem routers that we wish to configure for each side of the circuit We would create a QinQ on each routers subinterface. Each sub interface would contain a c tag and s tag In your example of 101 and 102 VLAN IDS are we saying that these IDs would constitute the S tag for each sub interface (one sub interface on each router?) I suppose Im trying to understand using your example what the values of the QinQ S and C tags would be respectively for each of our two routers sub interfaces. Thanks in advance

Yes, correct. S-tag of 101 and 102 for each sub-interface with the same c-tag of 100 on both sub-interface will be your QinQ configuration.