Understanding Q-in-Q Tunneling on EX-series Switches
Q-in-Q tunneling allows service providers on Ethernet access networks to extend a Layer 2 Ethernet connection between two customer sites. Using Q-in-Q tunneling, providers can also segregate or bundle customer traffic into fewer VLANs or different VLANs by adding another layer of 802.1Q tags. Q-in-Q tunneling is useful when customers have overlapping VLAN IDs, because the customer’s 802.1Q (dot1Q) VLAN tags are prepended by the service VLAN (S-VLAN) tag. The JUNOS software implementation of Q-in-Q tunneling supports the IEEE 802.1ad standard.
This topic describes:
How Q-in-Q Tunneling Works
In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service provider's VLAN, a customer-specific 802.1Q tag is added to packets. This additional tag is used to segregate traffic into service–provider–defined service VLANs. The original customer 802.1Q tag of the packet remains and is transmitted transparently, passing through the service provider's network. The S-VLAN tag is added on egress for incoming packets, optionally including untagged packes. As the packet leaves the S-VLAN in the downstream direction, the extra 802.1Q tag is removed, leaving the original customer tag on the packet.
When Q-in-Q tunneling is enabled, trunk interfaces are assumed to be part of the service provider network and access interfaces are assumed to be customer facing. An access interface can receive both tagged and untagged frames in this case.
A trunk interface can be a member of multiple S-VLANs. You can map one C-VLAN to one S-VLAN (1:1) or multiple C-VLANs to one S-VLAN (N:1). You can also double-tag packets for an additional layer of segregating or bundling of C-VLANs. C-VLAN and S-VLAN tags are unique, so you can have both C-VLAN 101 and S-VLAN 101, for example. You can limit the set of accepted customer tags to a list of ranges or discrete values. Class-of-service (CoS) values of C-VLANs are unchanged in the downstream direction. You may, optionally, copy ingress priority and CoS settings to the S-VLAN. Using private VLANs, you can isolate users to prevent forwarding traffic between user interfaces even if the interfaces are on the same VLAN.
Limitations for Q-in-Q Tunneling
You cannot add the C-VLAN tag on egress for incoming untagged packets or remove the C-VLAN tag in the downstream direction. Q-in-Q does not support IGMP snooping or most access port security features. You cannot disable MAC learning. There is no per-VLAN (customer) policing or per-VLAN (outgoing) shaping and limiting with Q-in-Q.