802.1Q Tunneling (Q-in-Q)

Q-IN-Q VLAN TUNNEL

Solution on how to transport a customer’s VLANs in an encapsulated (double-tagged) format

A Q-in-Q tunnel transports an 802.1Q frame inside another 802.1Q frame. A Q-in-Q VLAN tunnel enables a service provider to segregate the traffic of different customers in its infrastructure, while still giving each customer a full range of VLANs for internal use, by adding a second 802.1Q tag to an already tagged frame.

One of the advantages of this solution is that:

  • It’s easy to implement: you don’t need any hardware to run routing protocols between the service provider and the customer. From the customer’s perspective, it’s just like their sites are directly connected at layer 2.

Configuration

Consider the example in the figure above: two routers, one at each customer site (RS1 at site 1 and RS2 at site 2), are connected through the service provider network, which consists of three switches named S1, S2 and S3. The customer wants to use VLAN 10 between the two sites. The service provider has decided to use VLAN 1 to transport everything for this customer.

RS1

RS1(config)#interface fastEthernet 0/0

RS1(config-if)#no shutdown

RS1(config-if)#interface fastEthernet 0/0.10

RS1(config-subif)#encapsulation dot1Q 10

RS1(config-subif)#ip address 172.16.10.1 255.255.255.0

RS2

RS2(config)#interface fastEthernet 0/0

RS2(config-if)#no shutdown

RS2(config-if)#interface fastEthernet 0/0.10

RS2(config-subif)#encapsulation dot1Q 10

RS2(config-subif)#ip address 172.16.10.2 255.255.255.0

RS1 and RS2 are both configured with sub-interfaces and use subnet 172.16.10.0/24. All their frames are tagged for VLAN 10. On the service provider network, a number of items need to be configured. First, configure 802.1Q trunks between S1 and S3 and between S2 and S3.

S1

S1(config)#interface fastEthernet 0/19

S1(config-if)#switchport trunk encapsulation dot1q

S1(config-if)#switchport mode trunk

S2

S2(config)#interface fastEthernet 0/21

S2(config-if)#switchport trunk encapsulation dot1q

S2(config-if)#switchport mode trunk

S3

S3(config)#interface fastEthernet 0/19

S3(config-if)#switchport trunk encapsulation dot1q

S3(config-if)#switchport mode trunk

S3(config)#interface fastEthernet 0/21

S3(config-if)#switchport trunk encapsulation dot1q

S3(config-if)#switchport mode trunk

The next part configures the actual “Q-in-Q” tunneling. The service provider will use vlan1 to transfer everything from the customer. Configure the interfaces towards the customer routers to tag everything for vlan1:

S1(config)#interface fastEthernet 0/1

S1(config-if)#switchport access vlan 1

S1(config-if)#switchport mode dot1q-tunnel

S2(config)#interface fastEthernet 0/2

S2(config-if)#switchport access vlan 1

S2(config-if)#switchport mode dot1q-tunnel

The switchport mode dot1q-tunnel command tells the switch to tag the traffic, and the switchport access vlan command is required to specify the Q-in-Q VLAN of “1”. Make sure that VLAN 1 is available on S1, S2 and S3. By assigning the interfaces above to this VLAN, it was automatically created on S1 and S2, but I also have to make sure that S3 has VLAN 1 in its database.

S3(config)#vlan 1

Whenever RS1 sends traffic, it will tag its frames for VLAN 10. Once a frame arrives at the service provider, S1 will add an additional VLAN tag (VLAN 1). Once S2 forwards the frame towards RS2, it will remove the second VLAN tag (VLAN 1) and forward the original tagged frame (VLAN 10) from RS1.
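The tag push and pop described above, as an added Python example that is not part of the original article: it builds the VLAN 10 frame RS1 sends, adds the outer VLAN 1 tag as S1 does, and strips it again as S2 does. It shows that the tunnelled frame is 4 bytes longer and that the customer payload crosses the provider network unchanged and readable, so the outer tag separates customers but does not encrypt anything. The outer TPID of 0x8100, the MAC addresses and the payload bytes are assumptions constructed for the example.

```python
import struct

TPID = 0x8100  # assumption: outer tag uses the same TPID as the inner tag

def tag(vid):
    """4-byte 802.1Q tag: TPID, then PCP=0, DEI=0 and the 12-bit VLAN ID."""
    if not 0 <= vid <= 0x0FFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    return struct.pack("!HH", TPID, vid)

def push_tag(frame, vid):
    """S1 tunnel port, ingress: insert the outer tag after the MAC addresses."""
    return frame[:12] + tag(vid) + frame[12:]

def pop_tag(frame):
    """S2 tunnel port, egress: remove the outermost tag only."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        raise ValueError("no outer 802.1Q tag to remove")
    return frame[:12] + frame[16:]

def vlan_stack(frame):
    """VLAN IDs carried by the frame, outermost first."""
    vids, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid != TPID:
            break
        vids.append(tci & 0x0FFF)
        off += 4
    return vids

# Constructed sample frame as RS1 sends it on sub-interface 0/0.10 (VLAN 10).
RS2_MAC = bytes.fromhex("020000000002")  # constructed, locally administered
RS1_MAC = bytes.fromhex("020000000001")  # constructed, locally administered
PAYLOAD = b"constructed payload 172.16.10.1 -> 172.16.10.2"  # placeholder bytes, not a real IPv4 packet
CUSTOMER_FRAME = RS2_MAC + RS1_MAC + tag(10) + struct.pack("!H", 0x0800) + PAYLOAD

if __name__ == "__main__":
    tunnelled = push_tag(CUSTOMER_FRAME, 1)  # what crosses S1 - S3 - S2
    print("RS1 -> S1 :", vlan_stack(CUSTOMER_FRAME), len(CUSTOMER_FRAME), "bytes")
    print("S1 -> S2  :", vlan_stack(tunnelled), len(tunnelled), "bytes")
    print("payload readable in tunnel:", PAYLOAD in tunnelled)
    print("S2 -> RS2 :", vlan_stack(pop_tag(tunnelled)))
```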


About the author

Violet
