Dot1Q Tunneling Explained and Configuration Example
I- QinQ (aka Dot1Q tunnel) Overview
QinQ (short for “802.1Q-in-802.1Q”) is a networking technique that allows service providers to transport multiple customer VLANs over their infrastructure while maintaining traffic separation and scalability. It involves adding an additional VLAN tag to Ethernet frames, effectively nesting one VLAN tag inside another.
1- Customer VLAN Tag (C-Tag): The original VLAN tag used within the customer’s network.
2- Service Provider VLAN Tag (S-Tag): An additional VLAN tag added by the service provider to encapsulate the customer’s traffic.

This double-tagging allows the service provider to differentiate between customer traffic, even if customers use the same VLAN IDs internally. The outer S-Tag is used for forwarding within the provider’s network, while the inner C-Tag remains unchanged for the customer’s use.
II- How QinQ Works: Step-by-Step
- Ingress: When a customer’s Ethernet frame enters the service provider’s network, the provider’s edge device adds an S-Tag to the frame, encapsulating the original C-Tag.
- Transit: Within the provider’s network, forwarding decisions are based on the S-Tag, ensuring that traffic from different customers remains isolated.
- Egress: As the frame exits the provider’s network towards the customer’s destination, the S-Tag is removed, leaving the original C-Tag intact.

III- Lab Topology

Configuration
Configuration Notes
“dot1q-tunnel” mode
This command is essential for correct tag insertion and removal at the network edges. It allows a customer’s VLAN tag (C-Tag) to be encapsulated with an additional outer S-Tag, preserving the customer’s internal VLAN structure.
MTU and Overhead:
Each additional tag increases the frame size by 4 bytes, so verify MTU settings to prevent fragmentation issues.
SW-1:
vlan 401
name customer1
vlan 402
name customer2
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
mtu 1504
!
interface GigabitEthernet0/1
switchport access vlan 401
switchport mode dot1q-tunnel
mtu 1504
!
interface GigabitEthernet0/2
switchport access vlan 402
switchport mode dot1q-tunnel
mtu 1504
SW-2:
vlan 401
name customer1
vlan 402
name customer2
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
mtu 1504
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
mtu 1504
negotiation auto
SW-3:
vlan 401
name customer1
vlan 402
name customer2
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
mtu 1504
!
interface GigabitEthernet0/1
switchport access vlan 401
switchport mode dot1q-tunnel
mtu 1504
!
interface GigabitEthernet0/2
switchport access vlan 402
switchport mode dot1q-tunnel
* Packet capture for Customer1 Traffic:
1- From the customer CPE, we see traffic tagged with the customer tag (VLAN 10):

2- SW-1 tunnels the traffic inside the service provider Dot1q header (i.e., it adds the S-tag):

3- SW-2 just trunks VLAN 401 and is not even aware of tag 10:
4- On egress, SW-3 removes the S-tag and delivers the original frame to R3:

So, it looks basically like this:

* Packet capture for Customer-2 Traffic:
In the same way, the customer-2 traffic flows:

Customer-2 Traffic on interface Gi0/0 of SW-1:

This maintains the customer’s VLAN ID while allowing the provider to manage and segregate traffic effectively.
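
The ingress, transit and egress handling walked through above can be reproduced on raw frame bytes. The following Python sketch is an added example, not part of the original lab: it pushes S-Tag 401 over C-Tag 10, reads the outer tag as SW-2 would, and pops it again. The MAC addresses and payload are constructed, and the outer tag type 0x8100 is an assumption about the lab (the parser also accepts 802.1ad's 0x88A8).

```python
import struct

TPIDS = (0x8100, 0x88A8)  # 802.1Q and 802.1ad tag types

def push_tag(frame: bytes, vid: int, tpid: int = 0x8100) -> bytes:
    """Insert a 4-byte VLAN tag after the destination and source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    return frame[:12] + struct.pack("!HH", tpid, vid) + frame[12:]

def pop_tag(frame: bytes) -> bytes:
    """Strip only the outermost VLAN tag; inner tags stay untouched."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] not in TPIDS:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]

def parse_tags(frame: bytes):
    """Return ([VLAN IDs, outermost first], payload EtherType)."""
    vids, off = [], 12
    while len(frame) >= off + 2:
        (etype,) = struct.unpack("!H", frame[off:off + 2])
        if etype not in TPIDS:
            return vids, etype
        if len(frame) < off + 4:
            break  # tag header cut short
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        off += 4
    raise ValueError("truncated frame")

def walk_lab_path():
    """Follow one Customer1 frame through SW-1, SW-2 and SW-3."""
    # Constructed sample: made-up MACs, IPv4 EtherType, 46 zero bytes of payload.
    untagged = bytes.fromhex("aabbccddeeff020000000001") + b"\x08\x00" + bytes(46)
    from_cpe = push_tag(untagged, 10)     # customer C-Tag (VLAN 10)
    on_trunk = push_tag(from_cpe, 401)    # SW-1 tunnel port adds S-Tag 401
    transit_vlan = parse_tags(on_trunk)[0][0]  # SW-2 forwards on the outer tag only
    to_r3 = pop_tag(on_trunk)             # SW-3 tunnel port removes the S-Tag
    return from_cpe, on_trunk, transit_vlan, to_r3

if __name__ == "__main__":
    cpe, trunk, vlan, out = walk_lab_path()
    print(parse_tags(cpe), parse_tags(trunk), vlan, len(trunk) - len(cpe))
    print("delivered unchanged:", out == cpe)
```

The 4-byte growth between the CPE frame and the trunk frame is the overhead that the mtu 1504 setting on the provider-side interfaces accounts for.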