Q-in-Q Tunneling Basics
Service providers often have to meet their customers' specific requirements for VLAN IDs and for the number of VLANs supported. Those VLAN IDs might overlap, and the traffic needs to be segregated. Simply assigning a unique range of VLAN IDs to each customer is not an option: it would restrict customer configurations, and it is possible to exceed the VLAN limit of 4096, as defined by the 802.1Q specification.
Using Q-in-Q (aka dvlan) tunneling allows service providers to create a Layer 2 Ethernet connection between customer sites in different geographic locations, or to use a single service VLAN to bundle different customer VLANs. Data centers can use Q-in-Q tunneling to isolate customer traffic within a single site.
802.1Q tunneling expands the VLAN space by adding another layer of 802.1Q tags. The service VLAN tag (S-Tag) is prepended to the customer 802.1Q (dot1Q) VLAN tag. A port configured to support Q-in-Q tunneling becomes an NNI (network node interface); the other interfaces become UNIs (user-network interfaces). When configuring tunneling, you need to assign a VLAN that is dedicated to tunneling. That VLAN will support all of the customer's VLANs.
In ICOS, the mode dvlan-tunnel or mode dot1q-tunnel command is used to set the NNI port. The rest of the interfaces are configured as UNI ports automatically after one of these commands is issued.
The customer/server port becomes a UNI port. A packet received on this UNI port is tagged with an S-Tag. It is important to configure this UNI port as a member of the service VLAN (S) with PVID S, and without tagging. The packet is then forwarded to the NNI port as a single-tag or double-tag packet.
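The tag stacking described above, as an added Python example that is not part of the original page or of ICOS: it pushes an S-Tag onto a frame the way a UNI port does on ingress, then parses the tag stack to confirm that a frame seen on the NNI carries the expected service VLAN. Service VLAN 10 is taken from the configuration example on this page; the outer TPID 0x8100, the MAC addresses, customer VLAN 100 and all function names are assumptions.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers

def push_stag(frame: bytes, s_vid: int, tpid: int = 0x8100, pcp: int = 0) -> bytes:
    """Insert a service tag after the source MAC, as a UNI port does on ingress."""
    if not 1 <= s_vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tci = (pcp << 13) | s_vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]

def parse_tags(frame: bytes):
    """Return ([(tpid, pcp, vid), ...] outermost first, payload EtherType)."""
    tags, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            return tags, etype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, tci & 0x0FFF))
        off += 4

def check_nni_frame(frame: bytes, s_vid: int) -> bool:
    """True if the outermost tag carries the expected service VLAN."""
    tags, _ = parse_tags(frame)
    return bool(tags) and tags[0][2] == s_vid

# Constructed sample frames (not captured traffic): dst MAC, src MAC, tags/EtherType.
MACS = bytes.fromhex("020000000002" "020000000001")
UNTAGGED = MACS + struct.pack("!H", 0x0800) + b"\x00" * 46
C_TAGGED = MACS + struct.pack("!HHH", 0x8100, 100, 0x0800) + b"\x00" * 46  # customer VLAN 100

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("c-tagged", C_TAGGED)):
        out = push_stag(f, 10)  # S-VLAN 10, as in the configuration example
        print(name, parse_tags(out), check_nni_frame(out, 10))
```

The untagged customer frame leaves with a single tag and the customer-tagged frame with two, matching the single-tag and double-tag cases described above.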
Configuration Example
A simple example without using custom EtherType values.
Create Service VLAN ID
VLAN 10 is the service VLAN (S-VLAN).
(Switch-1) #vlan database
(Switch-1) (Vlan)#vlan 10
(Switch-1) (Vlan)#exit
Configure the NNI (Trunk) Port
This example uses port 0/49 as the service port.
(Switch-1) (Interface 0/49)#switchport mode trunk
(Switch-1) (Interface 0/49)#mode dvlan-tunnel
(Switch-1) (Interface 0/49)#exit
In trunk mode, the port becomes a member of all VLANs on the switch unless membership is restricted by the allowed list in the switchport trunk allowed vlan command.
The mode dvlan-tunnel command is equivalent to the mode dot1q-tunnel command and enables Q-in-Q on the port.
Configure the User Port
This example uses port 0/1 as the user port.
(Switch-1) (Interface 0/1)#vlan participation include 10
(Switch-1) (Interface 0/1)#vlan pvid 10
(Switch-1) (Interface 0/1)#no vlan tagging 10
The service VLAN is enabled on the user port (membership and PVID 10), and tagging for it is disabled on that port.