Configuring Q-in-Q Tunneling and VLAN Translation
Understanding Q-in-Q Tunneling and VLAN Translation
Q-in-Q tunneling and VLAN translation allow service providers to create a Layer 2 Ethernet connection between two customer sites. Providers can segregate different customers’ VLAN traffic on a link (for example, if the customers use overlapping VLAN IDs) or bundle different customer VLANs into a single service VLAN. Data centers can use Q-in-Q tunneling and VLAN translation to isolate customer traffic within a single site or to enable customer traffic flows between cloud data centers in different geographic locations.
Using Q-in-Q tunneling, providers can segregate or bundle customer traffic into fewer VLANs or different VLANs by adding another layer of 802.1Q tags. Q-in-Q tunneling is useful when customers have overlapping VLAN IDs, because the customer’s 802.1Q (dot1Q) VLAN tags are prepended by the service VLAN (S-VLAN) tag. The Juniper Networks Junos operating system (Junos OS) implementation of Q-in-Q tunneling supports the IEEE 802.1ad standard.
This topic describes:
- How Q-in-Q Tunneling Works
- How VLAN Translation Works
- Using Dual VLAN Tag Translation
- Sending and Receiving Untagged Packets
- Disabling MAC Address Learning
- Mapping C-VLANs to S-VLANs
- Routed VLAN Interfaces on Q-in-Q VLANs
- Constraints for Q-in-Q Tunneling and VLAN Translation
How Q-in-Q Tunneling Works
In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service provider's VLAN, a customer-specific 802.1Q tag is added to the packet. This additional tag is used to segregate traffic into service-provider-defined service VLANs (S-VLANs). The original customer 802.1Q tag of the packet remains and is transmitted transparently, passing through the service provider's network. As the packet leaves the S-VLAN in the downstream direction, the extra 802.1Q tag is removed.
All of the VLANs in an implementation can be service VLANs. That is, if the total number of supported VLANs is 4090, all of them can be service VLANs.
When Q-in-Q tunneling is enabled, trunk interfaces are assumed to be part of the service provider network and access interfaces are assumed to be customer facing. An access interface can receive both tagged and untagged frames in this case.
Starting with Junos OS 14.1X53-D30, you can configure the same interface to be an S-VLAN/NNI interface and a C-VLAN/UNI interface. This means that the same physical interface can transmit single-tagged and double-tagged frames simultaneously. This allows you maximum flexibility in your network topology and lets you maximize the use of your interfaces.
An interface can be a member of multiple S-VLANs. You can map one C-VLAN to one S-VLAN (1:1) or multiple C-VLANs to one S-VLAN (N:1). Packets are double-tagged for an additional layer of segregating or bundling of C-VLANs. C-VLAN and S-VLAN tags are unique; so you can have both a C-VLAN 101 and an S-VLAN 101, for example. You can limit the set of accepted customer tags to a range of tags or to discrete values. Class-of-service (CoS) values of C-VLANs are unchanged in the downstream direction. You may, optionally, copy ingress priority and CoS settings to the S-VLAN. On non-ELS switches, you can use private VLANs to isolate users to prevent the forwarding of traffic between user interfaces even if the interfaces are on the same VLAN.
When Q-in-Q tunneling is enabled, trunk interfaces are assumed to be part of the service provider or data center network. Access interfaces are assumed to be customer-facing and accept both tagged and untagged frames. When using many-to-one bundling or mapping a specific interface, you must use the native option to specify an S-VLAN for untagged and priority tagged packets if you want to accept these packets. (Priority tagged packets have their VLAN ID set to 0, and their priority code point bits might be configured with a CoS value.)
Priority tagged packets are not supported with Q-in-Q tunneling on QFX5100 and EX4600 switches.
If you do not specify an S-VLAN for them, untagged packets are discarded. The native option is not available for all-in-one bundling because there is no need to specify untagged and priority tagged packets when all packets are mapped to an S-VLAN.
You can use the native option to specify an S-VLAN for untagged and priority tagged packets when you use the many-to-one bundling or mapping a specific interface approach to map C-VLANs to S-VLANs. (This does not apply to switches supporting ELS.) Otherwise the packets are discarded. The native option is not available for all-in-one bundling because there is no need to specify untagged and priority tagged packets when all packets are mapped to the S-VLAN. See the Mapping C-VLANs to S-VLANs section of this document for information on the methods of mapping C-VLANs to S-VLANs.
On QFabric systems only, you can use the native option to apply a specified inner tag to packets that ingress as untagged on access interfaces. This functionality is useful if your QFabric system connects to servers that host customer virtual machines that send untagged traffic and each customer’s traffic requires its own VLAN while being transported through the QFabric. Instead of using individual VLANs for each customer (which can quickly lead to VLAN exhaustion), you can apply a unique inner (C-VLAN) tag to each customer’s traffic and then apply a single outer (S-VLAN) tag for transport through the QFabric. This allows you to segregate your customers’ traffic while consuming only one QFabric VLAN. Use the inner-tag option of the mapping statement to accomplish this.
On non-ELS switches, firewall filters allow you to map an interface to a VLAN based on a policy. Using firewall filters to map an interface to a VLAN is useful when you want a subset of traffic from a port to be mapped to a selected VLAN instead of the designated VLAN. To configure a firewall filter to map an interface to a VLAN, the vlan option has to be configured as part of the firewall filter and the mapping policy option must be specified in the interface configuration for each logical interface using the filter.
On an EX4300 switch, you can configure multiple logical interfaces on the same Ethernet port, but each logical interface supports only single-tagged packets and that tag must include a different VLAN ID than those supported by the other logical interfaces. Given this situation, you cannot enable Q-in-Q tunneling on Ethernet ports with multiple logical subinterfaces.
Q-in-Q tunneling does not affect any class-of-service (CoS) values that are configured on a C-VLAN. These settings are retained in the C-VLAN tag and can be used after a packet leaves an S-VLAN. CoS values are not copied from C-VLAN tags to S-VLAN tags.
Depending on your interface configuration, you might need to adjust the MTU value on your trunk or access ports to accommodate the 4 bytes used for the tag added by Q-in-Q tunneling. For example, if you use the default MTU value of 1514 bytes on your access and trunk ports, you need to make one of the following adjustments:
- Reduce the MTU on the access links by at least 4 bytes so that the frames do not exceed the MTU of the trunk link when S-VLAN tags are added.
- Increase the MTU on the trunk link so that the link can handle the larger frame size.
You can configure Q-in-Q tunneling only on access ports (not trunk ports).
How VLAN Translation Works
VLAN translation replaces an incoming C-VLAN tag with an S-VLAN tag instead of adding an additional tag. The C-VLAN tag is therefore lost, so a single-tagged packet is normally untagged when it leaves the S-VLAN (at the other end of the link). If an incoming packet has had Q-in-Q tunneling applied in advance, VLAN translation replaces the outer tag and the inner tag is retained when the packet leaves the S-VLAN at the other end of the link. Incoming packets whose tags do not match the C-VLAN tag are dropped, unless additional VLAN translation configuration for those tags exists.
To configure VLAN translation, use the mapping swap statement at the [edit vlans interface] hierarchy level. As long as the C-VLAN and S-VLAN tags are unique, you can configure more than one C-VLAN-to-S-VLAN translation on an access port. If you are translating only one VLAN on an interface, you do not need to include the dot1q-tunneling statement in the S-VLAN configuration. If you are translating more than one VLAN, you must use the dot1q-tunneling statement.
You can configure VLAN translation on access ports only. You cannot configure it on trunk ports, and you cannot configure Q-in-Q tunneling on the same access port. You can configure only one VLAN translation for a given VLAN and interface. For example, you can create no more than one translation for VLAN 100 on interface xe-0/0/0.
Using Dual VLAN Tag Translation
Starting with Junos OS Release 14.1X53-D40, you can use the dual VLAN tag translation (also known as dual VLAN tag rewrite) feature to deploy switches in service-provider domains, allowing dual-tagged, single-tagged, and untagged VLAN packets to come into or exit from the switch. Table 1 shows the operations that are added for dual VLAN tag translation.
| Operation | Function |
|---|---|
| swap-push | Swap a VLAN tag and push a new VLAN tag |
| pop-swap | Pop an outer VLAN tag and swap an inner VLAN tag |
| swap-swap | Swap both outer and inner VLAN tags |
Dual VLAN tag translation supports:
- Configuration of S-VLANs (NNI) and C-VLANs (UNI) on the same physical interface
- Control protocols such as VSTP, OSPF, and LACP
- IGMP snooping
- Configuration of a private VLAN (PVLAN) and VLAN on a single-tagged interface
- Use of TPID 0x8100 on both inner and outer VLAN tags
See Setting Up a Dual VLAN Tag Translation Configuration on QFX Switches.
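The tag operations described so far (Q-in-Q push and pop, the VLAN translation swap, the three dual-tag operations in the table, and untagged ingress with a native VLAN) applied to raw 802.1Q bytes, as an added example that is not Juniper code. It assumes TPID 0x8100 on both tags as listed above, gives a pushed S-VLAN tag priority 0 because CoS values are not copied from the C-VLAN tag, and assumes a swap keeps the priority bits; all function names are illustrative.

```python
import struct

TPID = 0x8100   # per the page: TPID 0x8100 on both inner and outer VLAN tags
MAX_TAGS = 2    # per the page: Q-in-Q tunneling supports only two VLAN tags


def encode_tags(tags):
    """tags is [(vid, pcp), ...], outermost first."""
    return b"".join(struct.pack("!HH", TPID, (pcp << 13) | (vid & 0x0FFF)) for vid, pcp in tags)


def build_frame(dst, src, tags, ethertype, payload):
    return dst + src + encode_tags(tags) + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (tags outermost first, offset of the payload EtherType)."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tci & 0x0FFF, tci >> 13))
        off += 4
    return tags, off


def retag(frame, tags):
    """Replace the tag stack, leaving MAC addresses and payload untouched."""
    _, off = parse_tags(frame)
    return frame[:12] + encode_tags(tags) + frame[off:]


def push(frame, s_vid):
    """Q-in-Q ingress: add an outer S-VLAN tag; the C-VLAN tag and its CoS stay intact."""
    tags, _ = parse_tags(frame)
    if len(tags) >= MAX_TAGS:
        raise ValueError("refusing to push a third tag")
    return retag(frame, [(s_vid, 0)] + tags)


def pop(frame):
    """Q-in-Q egress: remove the outer tag."""
    tags, _ = parse_tags(frame)
    if not tags:
        raise ValueError("no tag to pop")
    return retag(frame, tags[1:])


def swap(frame, new_vid):
    """VLAN translation: rewrite the outer VLAN ID (keeping PCP is an assumption)."""
    tags, _ = parse_tags(frame)
    if not tags:
        raise ValueError("no tag to swap")
    return retag(frame, [(new_vid, tags[0][1])] + tags[1:])


def swap_push(frame, inner_vid, outer_vid):
    return push(swap(frame, inner_vid), outer_vid)


def pop_swap(frame, new_vid):
    return swap(pop(frame), new_vid)


def swap_swap(frame, outer_vid, inner_vid):
    tags, _ = parse_tags(frame)
    if len(tags) != 2:
        raise ValueError("swap-swap needs a double-tagged frame")
    return retag(frame, [(outer_vid, tags[0][1]), (inner_vid, tags[1][1])])


def ingress_untagged(frame, native_vid, s_vid, double_tag):
    """Double-tag approach adds native C-VLAN plus S-VLAN; single-tag adds the S-VLAN only."""
    if parse_tags(frame)[0]:
        raise ValueError("frame is already tagged")
    return retag(frame, [(s_vid, 0), (native_vid, 0)] if double_tag else [(s_vid, 0)])


def demo():
    src, dst = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    # Constructed frame: C-VLAN 101, priority 5, 46 bytes of zero payload.
    frame = build_frame(dst, src, [(101, 5)], 0x0800, bytes(46))
    cust1, cust2 = push(frame, 10), push(frame, 30)  # two customers reusing C-VLAN 101
    return {
        "growth_bytes": len(cust1) - len(frame),     # the 4 bytes the MTU must absorb
        "cust1_tags": parse_tags(cust1)[0],
        "cust2_tags": parse_tags(cust2)[0],
        "restored": pop(cust1) == frame,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
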
Sending and Receiving Untagged Packets
To enable an interface to send and receive untagged packets, you must specify a native VLAN for a physical interface. When the interface receives an untagged packet, it adds the VLAN ID of the native VLAN to the packet in the C-VLAN field and adds the S-VLAN tag as well (so the packet is double-tagged), and sends the newly tagged packet to the mapped interface.
The preceding paragraph does not apply to:
- Non-ELS switches.
- EX4300 switches running under a Junos release prior to Junos OS Release 19.3R1.
When the switches in the short list above receive an untagged packet, they add the S-VLAN tag to the packet (so the packet is single-tagged) and send the newly tagged packet to the mapped interface.
Ensure that all switches configured in your Q-in-Q setup operate with either the single-tag approach or the double-tag approach. The setup will not work if the switches do not have the same approach.
Starting in Junos OS Release 19.3R1, you can configure EX4300 switches to use the double-tag approach. Set the configuration statement input-native-vlan-push to enable and ensure that the input-vlan-map configuration statement is set to push, as shown in the following example:
[edit interfaces ge-1/0/45]
flexible-vlan-tagging;
native-vlan-id 20;
input-native-vlan-push enable;
encapsulation extended-vlan-bridge;
unit 10 {
    vlan-id-list 10-100;
    input-vlan-map push;
    output-vlan-map pop;
}
On switches that support this feature, except for the EX4300 switch, the input-native-vlan-push statement is set to enable by default. (The input-native-vlan-push statement is set to disable by default on the EX4300 switch.) However, we recommend that you check the configuration to ensure that input-vlan-map is set to push. The feature does not work if that setting isn’t in place.
To specify a native VLAN, use the native-vlan-id statement at the [edit interfaces interface-name] hierarchy level. The native VLAN ID must match the C-VLAN or S-VLAN ID or be included in the VLAN ID list specified on the logical interface.
For example, on a logical interface for a C-VLAN interface, you might specify a C-VLAN ID list of 100-200. Then, on the C-VLAN physical interface, you could specify a native VLAN ID of 150. This configuration would work because the native VLAN of 150 is included in the C-VLAN ID list of 100-200.
We recommend configuring a native VLAN when using any of the approaches to map C-VLANs to S-VLANs. See the Mapping C-VLANs to S-VLANs section in this topic for information about the methods of mapping C-VLANs to S-VLANs.
Disabling MAC Address Learning
In a Q-in-Q deployment, customer packets from downstream interfaces are transported without any changes to source and destination MAC addresses. You can disable MAC address learning at global, interface, and VLAN levels:
- To disable learning globally, disable MAC address learning for the switch.
- To disable learning for an interface, disable MAC address learning for all VLANs of which the specified interface is a member.
- To disable learning for a VLAN, disable MAC address learning for a specified VLAN.
Disabling MAC address learning on an interface disables learning for all the VLANs of which that interface is a member. When you disable MAC address learning on a VLAN, MAC addresses that have already been learned are flushed.
If you disable MAC address learning on an interface or a VLAN, you cannot include 802.1X authentication in that same VLAN configuration.
When a routed VLAN interface (RVI) is associated with either an interface or a VLAN on which MAC address learning is disabled, the Layer 3 routes resolved on that VLAN or that interface are not resolved with the Layer 2 component. This results in routed packets flooding all the interfaces associated with the VLAN.
Mapping C-VLANs to S-VLANs
There are multiple ways to map C-VLANs to an S-VLAN:
If you configure multiple mapping methods, the switch gives priority to mapping a specific interface, then to many-to-many bundling, and last to all-in-one bundling. However, for a particular mapping method, setting up overlapping rules for the same C-VLAN is not supported.
- All-in-one bundling: Use the edit vlans s-vlan-name dot1q-tunneling statement without specifying customer VLANs. All packets received on all access interfaces (including untagged packets) are mapped to the S-VLAN.
- Many-to-one bundling: Use the edit vlans s-vlan-name dot1q-tunneling customer-vlans statement to specify which C-VLANs are mapped to the S-VLAN. Use this method when you want a subset of the C-VLANs to be part of the S-VLAN. If you want untagged or priority tagged packets to be mapped to the S-VLAN, use the native option with the customer-vlans statement. (Priority tagged packets have their VLAN ID set to 0, and their priority code point bits might be configured with a CoS value.)
- Many-to-many bundling: Use many-to-many bundling when you want a subset of the C-VLANs on the access switch to be part of multiple S-VLANs.
- Mapping a specific interface: Use the edit vlans s-vlan-name interface interface-name mapping statement to specify a C-VLAN for a given S-VLAN. This configuration applies to only one interface, not all access interfaces as with all-in-one and many-to-one bundling. If you want untagged or priority tagged packets to be mapped to the S-VLAN, use the native option with the customer-vlans statement. This method has two options: swap and push. With the push option, a packet retains its tag and an additional VLAN tag is added. With the swap option, the incoming tag is replaced with an S-VLAN tag. (This is VLAN translation.)
You can configure multiple push rules for a given S-VLAN and interface. That is, you can configure an interface so that the same S-VLAN tag is added to packets arriving from multiple C-VLANs.
You can configure only one swap rule for a given S-VLAN and interface.
This functionality is typically used to keep traffic from different customers separate or to provide individualized treatment for traffic on a certain interface.
If you configure multiple methods, the switch gives priority to mapping a specific interface, then to many-to-one bundling, and last to all-in-one bundling. However, you cannot have overlapping rules for the same C-VLAN under a given approach. For example, you cannot use many-to-one bundling to map C-VLAN 100 to two different S-VLANs.
- All-in-One Bundling
- Many-to-One Bundling
- Many-to-Many Bundling
- Mapping a Specific Interface
- Combining Methods and Configuration Restrictions
All-in-One Bundling
All-in-one bundling maps all packets from all C-VLAN interfaces to an S-VLAN.
The C-VLAN interface accepts untagged and single-tagged packets. An S-VLAN 802.1Q tag is then added to these packets, and the packets are sent to the S-VLAN interface, which accepts untagged, single-tagged, and double-tagged packets.
The C-VLAN and S-VLAN interfaces accept untagged packets provided that the native-vlan-id statement is configured on these interfaces.
Many-to-One Bundling
Many-to-one bundling is used to specify which C-VLANs are mapped to an S-VLAN. Many-to-one bundling is configured using the customer-vlans option.
Many-to-one bundling is used when you want a subset of the C-VLANs on the access switch to be part of the S-VLAN. When using many-to-one bundling, untagged and priority tagged packets can be mapped to the S-VLAN when the native option is specified along with the customer-vlans option.
Many-to-Many Bundling
Many-to-many bundling is used to specify which C-VLANs are mapped to which S-VLANs.
Use many-to-many bundling when you want a subset of the C-VLANs on the access switch to be part of multiple S-VLANs. With many-to-many bundling, the C-VLAN interfaces accept untagged and single-tagged packets. An S-VLAN 802.1Q tag is then added to these packets, and the packets are sent to the S-VLAN interfaces, which accept untagged, single-tagged, and double-tagged packets.
The C-VLAN and S-VLAN interfaces accept untagged packets provided that the native-vlan-id statement is configured on these interfaces.
Mapping a Specific Interface
Use specific interface mapping when you want to assign an S-VLAN to a specific C-VLAN on an interface. The configuration applies only to the specific interface, not to all access interfaces.
Specific interface mapping has two suboptions: push and swap. When traffic that is mapped to a specific interface is pushed, the packet retains its original tag as it moves from the C-VLAN to the S-VLAN and an additional S-VLAN tag is added to the packet. When traffic that is mapped to a specific interface is swapped, the incoming tag is replaced with a new VLAN tag. This is sometimes known as VLAN rewriting or VLAN translation.
Typically, this method is used to keep data from different customers separate or to provide individualized treatment of the packets on a certain interface. You might also use this method to map VLAN traffic from different customers to a single S-VLAN.
When using specific interface mapping, the C-VLAN interfaces accept untagged and single-tagged packets, while the S-VLAN interfaces accept untagged, single-tagged, and double-tagged packets.
The C-VLAN and S-VLAN interfaces accept untagged packets provided that the native-vlan-id statement is configured on these interfaces.
Combining Methods and Configuration Restrictions
If you configure multiple methods, the switch gives priority to mapping a specific interface, then to many-to-one bundling, and last to all-in-one bundling. An access interface configured under all-in-one bundle cannot be part of a many-to-one bundle. It can have additional mappings defined, however.
To ensure deterministic results, the following configuration restrictions apply:
- Mapping cannot be defined for untagged VLANs.
- An access interface can have multiple customer VLAN ranges, but an interface cannot have overlapping tags across the VLANs.
- An access interface can have a single rule that maps an untagged packet to a VLAN.
- Each interface can have at most one mapping swap rule per VLAN.
- You can push a VLAN tag only on the access ports of a Q-in-Q VLAN. This restriction applies to all three methods of pushing a VLAN tag: that is, all-in-one bundling, many-to-one bundling, and mapping a specific interface using push.
- You can push different C-VLAN tags for a given S-VLAN on different interfaces. This could potentially result in traffic leaking across VLANs, depending on your configuration.
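An added example, not Juniper tooling, that checks a list of set commands against restrictions stated in this topic: overlapping C-VLAN tags on one interface, a native VLAN ID that matches no configured VLAN ID or list, a missing input-vlan-map push on the unit that holds the native VLAN, and an S-VLAN pushed from interfaces with different C-VLAN sets (flagged for review as a possible leak). The sample configuration, the ge-0/0/3 interface, the finding codes and the function names are constructed for illustration, and the parser handles only the statements shown.

```python
from collections import defaultdict

# Constructed sample in the "set" command style; ge-0/0/3 is deliberately misconfigured.
SAMPLE = """\
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 encapsulation extended-vlan-bridge
set interfaces ge-0/0/1 unit 10 vlan-id-list 100-200
set interfaces ge-0/0/1 native-vlan-id 150
set interfaces ge-0/0/1 unit 10 input-vlan-map push
set interfaces ge-0/0/1 unit 10 output-vlan-map pop
set vlans v10 interface ge-0/0/1.10
set interfaces ge-0/0/3 flexible-vlan-tagging
set interfaces ge-0/0/3 encapsulation extended-vlan-bridge
set interfaces ge-0/0/3 unit 20 vlan-id-list 100-120
set interfaces ge-0/0/3 unit 21 vlan-id-list 110-130
set interfaces ge-0/0/3 native-vlan-id 500
set interfaces ge-0/0/3 unit 20 input-vlan-map push
set interfaces ge-0/0/3 unit 20 output-vlan-map pop
set vlans v10 interface ge-0/0/3.20
"""


def vids(spec):
    """'100-200' or '150' -> set of VLAN IDs."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def load(config):
    """Parse only the statements the checks need; everything else is ignored."""
    ifaces = defaultdict(lambda: {"native": None, "units": {}})
    vlans = defaultdict(list)
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["set", "interfaces"] and len(w) == 5 and w[3] == "native-vlan-id":
            ifaces[w[2]]["native"] = int(w[4])
        elif w[:2] == ["set", "interfaces"] and len(w) == 7 and w[3] == "unit":
            unit = ifaces[w[2]]["units"].setdefault(
                w[4], {"vids": set(), "list": False, "in_map": None})
            if w[5] in ("vlan-id", "vlan-id-list"):
                unit["vids"] |= vids(w[6])
                unit["list"] |= w[5] == "vlan-id-list"   # C-VLAN style unit
            elif w[5] == "input-vlan-map":
                unit["in_map"] = w[6]
        elif w[:2] == ["set", "vlans"] and len(w) == 5 and w[3] == "interface" and "." in w[4]:
            vlans[w[2]].append(tuple(w[4].rsplit(".", 1)))
    return ifaces, vlans


def lint(config):
    """Return [(subject, code, detail)] for violations of the restrictions in this topic."""
    ifaces, vlans = load(config)
    out = []
    for name, ifd in sorted(ifaces.items()):
        units = sorted(ifd["units"].items())
        for i, (ua, a) in enumerate(units):        # overlapping tags across units
            for ub, b in units[i + 1:]:
                both = a["vids"] & b["vids"]
                if both:
                    out.append((name, "overlap",
                                f"units {ua}/{ub} share VLAN IDs in {min(both)}-{max(both)}"))
        native = ifd["native"]
        if native is None:
            continue
        owners = [d for _, d in units if native in d["vids"]]
        if not owners:                              # native VLAN must match an ID or list
            out.append((name, "native-not-listed", f"native-vlan-id {native} matches no unit"))
        if any(d["list"] and d["in_map"] != "push" for d in owners):
            out.append((name, "native-no-push",
                        "unit holding the native VLAN lacks input-vlan-map push"))
    for svlan, members in sorted(vlans.items()):    # one S-VLAN, different C-VLAN sets
        sets = {}
        for ifname, unit in members:
            d = ifaces[ifname]["units"].get(unit) if ifname in ifaces else None
            if d and d["in_map"] == "push":
                sets[ifname] = frozenset(d["vids"])
        if len(sets) > 1 and len(set(sets.values())) > 1:
            out.append((svlan, "shared-s-vlan",
                        f"pushed from {sorted(sets)} with different C-VLAN sets"))
    return out


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding, sep=": ")
```
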
Routed VLAN Interfaces on Q-in-Q VLANs
Routed VLAN interfaces (RVIs) are supported on Q-in-Q VLANs.
Packets arriving on an RVI that is using Q-in-Q VLANs will get routed regardless of whether the packet is single or double tagged. The outgoing routed packets contain an S-VLAN tag only when exiting a trunk interface; the packets exit the interface untagged when exiting an access interface.
Constraints for Q-in-Q Tunneling and VLAN Translation
Be aware of the following constraints when configuring Q-in-Q tunneling and VLAN translation:
- Q-in-Q tunneling supports only two VLAN tags.
- Q-in-Q tunneling does not support most access port security features. There is no per-VLAN (customer) policing or per-VLAN (outgoing) shaping and limiting with Q-in-Q tunneling unless you configure these security features by using firewall filters.
- With releases of Junos OS Release 13.2X51 previous to Release 13.2X51-D20, you cannot create a regular VLAN on an interface if you have created an S-VLAN or C-VLAN on that interface for Q-in-Q tunneling. This means that you cannot create an integrated routing and bridging (IRB) interface on that interface because regular VLANs are a required part of IRB configuration. With Junos OS Release 13.2X51-D25, you can create a regular VLAN on a trunk interface that has an S-VLAN, which means that you can also create an IRB interface on the trunk. In this case, the regular VLAN and S-VLAN on the same trunk interface cannot share the same VLAN ID. Junos OS Release 13.2X51-D25 does not allow you to create a regular VLAN on an access interface that has a C-VLAN.
- (On non-ELS switches only) Starting with Junos OS Release 14.1X53-D40, integrated routing and bridging (IRB) interfaces are supported on Q-in-Q VLANs: you can configure the IRB interface on the same interface as one used by an S-VLAN, and you can use the same VLAN ID for both the VLAN used by the IRB interface and for the VLAN used as an S-VLAN.
  Packets arriving on an IRB interface that is using Q-in-Q VLANs will get routed regardless of whether the packet is single tagged or double tagged. The outgoing routed packets contain an S-VLAN tag only when exiting a trunk interface; the packets exit the interface untagged when exiting an access interface.
  Note: (On non-ELS switches only) You can configure the IRB interface only on S-VLAN (NNI) interfaces, not on C-VLAN (UNI) interfaces.
- Support for QFX5K switches with Q-in-Q interfaces using the vlan-tags statement is limited to Layer 2 interfaces. Layer 3 interfaces that are configured with Q-in-Q vlan-tags statements might not function as expected.
- QFX10K switches cannot push a third or fourth tag on a double-tagged or triple-tagged packet, respectively. For example, if the incoming packet already has two tags, a third S-VLAN tag will not be pushed. If a push operation is configured in such instances, the resulting packet is malformed. See Configuring Q-in-Q Tunneling on QFX Series Switches.
- Most access port security features are not supported with Q-in-Q tunneling and VLAN translation.
- Configuring Q-in-Q tunneling and VLAN rewriting/VLAN translation on the same port is not supported.
- You can configure at most one VLAN rewrite/VLAN translation for a given VLAN and interface. For example, you can create no more than one translation for VLAN 100 on interface xe-0/0/0.
- The combined total of VLANs and rules for Q-in-Q tunneling and VLAN translation cannot exceed 6000. For example, you can configure and commit 4000 VLANs and 2000 rules for Q-in-Q tunneling and VLAN translation. However, you cannot configure 4000 VLANs and 2500 rules for Q-in-Q tunneling and VLAN translation. If you try to commit a configuration that exceeds the limit, you see CLI and syslog errors that inform you about the problem.
- You cannot use the native VLAN ID.
- MAC addresses are learned from S-VLANs, not C-VLANs.
- Broadcast, unknown unicast, and multicast traffic is forwarded to all members in the S-VLAN.
- The following features are not supported with Q-in-Q tunneling:
  - DHCP relay
  - Fibre Channel over Ethernet
  - IP Source Guard
- The following features are not supported with VLAN rewriting/VLAN translation:
  - Fibre Channel over Ethernet
  - Firewall filter applied to a port or VLAN in the output direction
  - Private VLANs
  - VLAN Spanning Tree Protocol
  - Reflective relay
Configuring Q-in-Q Tunneling on QFX Series Switches
Q-in-Q tunneling and VLAN translation allow service providers to create a Layer 2 Ethernet connection between two customer sites. Providers can segregate different customers’ VLAN traffic on a link (for example, if the customers use overlapping VLAN IDs) or bundle different customer VLANs into a single service VLAN. Data centers can use Q-in-Q tunneling to isolate customer traffic within a single site or when customer traffic flows between cloud data centers in different geographic locations.
In the QFX5110, QFX5120, QFX5200, QFX5210, and EX4650 Junos platforms, you’ll need to configure interface devices only with a service provider-style configuration with Q-in-Q tunneling instead of using a combination of enterprise provider and service provider-style configurations.
Starting in Junos OS Release 19.4R1, the QFX10000 line of switches supports the third and fourth Q-in-Q tags as payload (also known as a pass-through tag) along with the existing two tags (for VLAN matching and operations). The QFX10000 switches support multiple Q-in-Q tags for both Layer 2 bridging and EVPN-VXLAN cases. The Layer 2 access interfaces accept packets with three or four tags (all tags with the TPID value 0x8100). All the tags beyond the fourth tag (that is, from the fifth tag onward) are considered part of the Layer 3 payload and are forwarded transparently.
In a packet with one or two tags, tag 1 and tag 2 can carry any TPID value, such as 0x8100, 0x88a8, 0x9100, and 0x9200.
Before you begin setting up Q-in-Q tunneling, make sure you have created and configured the necessary customer VLANs on the neighboring switches. See Configuring VLANs on QFX Switches without Enhanced Layer 2 Support.
To configure Q-in-Q tunneling:
Depending on your interface configuration, you might need to adjust the MTU value on your trunk or access ports to accommodate the 4 bytes used for the tag added by Q-in-Q tunneling. For example, if you use the default MTU value of 1514 bytes on your access and trunk ports, you need to make one of the following adjustments:
- Reduce the MTU on the access links by at least 4 bytes so that the frames do not exceed the MTU of the trunk link when S-VLAN tags are added.
- Increase the MTU on the trunk link so that the link can handle the larger frame size.
Configuring Q-in-Q Tunneling on EX Series Switches with ELS Support
This task uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Configuring Q-in-Q Tunneling on EX Series Switches. For ELS details, see Using the Enhanced Layer 2 Software CLI.
Q-in-Q tunneling enables service providers on Ethernet access networks to segregate or bundle customer traffic into different VLANs by adding another layer of 802.1Q tags. You can configure Q-in-Q tunneling on EX Series switches.
You cannot configure 802.1X user authentication on interfaces that have been enabled for Q-in-Q tunneling.
When Q-in-Q tunneling is configured on EX Series switches, trunk interfaces are assumed to be part of the service-provider network and access interfaces are assumed to be part of the customer network. Therefore, this topic also refers to trunk interfaces as service-provider VLAN (S-VLAN) interfaces (network-to-network interfaces [NNI]), and to access interfaces as customer VLAN (C-VLAN) interfaces (user-network interfaces [UNI]).
Before you begin configuring Q-in-Q tunneling, make sure you set up your VLANs. See Configuring VLANs for EX Series Switches with ELS Support (CLI Procedure) or Configuring VLANs for EX Series Switches (J-Web Procedure).
Configure Q-in-Q tunneling by using one of the following methods to map C-VLANs to S-VLANs:
- Configuring All-in-One Bundling
- Configuring Many-to-Many Bundling
- Configuring a Specific Interface Mapping with VLAN Rewrite Option
Configuring All-in-One Bundling
You can configure Q-in-Q tunneling by using the all-in-one bundling method, which maps packets from all C-VLAN interfaces on a switch to an S-VLAN.
To configure the all-in-one bundling method on a C-VLAN interface:
The following configuration on the C-VLAN interface ge-0/0/1 enables Q-in-Q tunneling and maps packets from C-VLANs 100 through 200 to logical interface 10, which is in turn associated with S-VLAN v10. In this sample configuration, a packet originated in C-VLAN 100 includes a tag with the VLAN ID 100. When this packet travels from the interface ge-0/0/1 to the S-VLAN interface, a tag with VLAN ID 10 is added to it. As the packet exits the S-VLAN interface, the tag with the VLAN ID 10 is removed.
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 encapsulation extended-vlan-bridge
set interfaces ge-0/0/1 unit 10 vlan-id-list 100-200
set interfaces ge-0/0/1 native-vlan-id 150
set interfaces ge-0/0/1 unit 10 input-vlan-map push
set interfaces ge-0/0/1 unit 10 output-vlan-map pop
set vlans v10 interface ge-0/0/1.10
To configure the all-in-one bundling method on an S-VLAN interface:
1. Enable the transmission of packets with no, one, or two 802.1Q VLAN tags:
   [edit interfaces interface-name]
   user@switch# set flexible-vlan-tagging
2. Enable extended VLAN bridge encapsulation:
   [edit interfaces interface-name]
   user@switch# set encapsulation extended-vlan-bridge
3. Map packets from the logical interface specified in the C-VLAN interface configuration to the S-VLAN:
   [edit interfaces interface-name unit logical-unit-number]
   user@switch# set vlan-id number
4. Enable the S-VLAN interface to send and receive untagged packets:
   [edit interfaces interface-name]
   user@switch# set native-vlan-id vlan-id
   When specifying a native VLAN ID on an S-VLAN physical interface, the value must match the VLAN ID specified on the S-VLAN logical interface in step 3.
5. Associate the S-VLAN interface with the S-VLAN that was configured in the C-VLAN interface procedure:
   [edit vlans vlan-name]
   user@switch# set interface interface-name.logical-unit-number
For example, the following configuration on the S-VLAN interface ge-1/1/1 enables Q-in-Q tunneling and maps packets with a VLAN ID tag of 10 to logical interface 10, which is in turn associated with S-VLAN v10.
set interfaces ge-1/1/1 flexible-vlan-tagging
set interfaces ge-1/1/1 encapsulation extended-vlan-bridge
set interfaces ge-1/1/1 unit 10 vlan-id 10
set interfaces ge-1/1/1 native-vlan-id 10
set vlans v10 interface ge-1/1/1.10
Configuring Many-to-Many Bundling
You can configure Q-in-Q tunneling by using the many-to-many bundling method, which maps packets from multiple C-VLANs to multiple S-VLANs.
To configure the many-to-many bundling method on a C-VLAN interface:
The following configuration on the C-VLAN interface ge-0/0/1 for customer 1 enables Q-in-Q tunneling and maps packets from C-VLANs 100 through 120 to logical interface 10, which is in turn associated with S-VLAN v10.
The configuration on the C-VLAN interface ge-0/0/2 for customer 2 enables Q-in-Q tunneling and maps packets from C-VLANs 30 through 40, 50 through 60, and 70 through 80 to logical interface 30, which is in turn associated with S-VLAN v30.
In this sample configuration, a packet originated in C-VLAN 100 includes a tag with the VLAN ID 100. When this packet travels from the interface ge-0/0/1 to the S-VLAN interface, a tag with a VLAN ID of 10 is added to it. As the packet exits the S-VLAN interface, the tag with the VLAN ID of 10 is removed.
Customer 1
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 encapsulation extended-vlan-bridge
set interfaces ge-0/0/1 unit 10 vlan-id-list 100-120
set interfaces ge-0/0/1 native-vlan-id 100
set interfaces ge-0/0/1 unit 10 input-vlan-map push
set interfaces ge-0/0/1 unit 10 output-vlan-map pop
set vlans v10 interface ge-0/0/1.10
Customer 2
set interfaces ge-0/0/2 flexible-vlan-tagging
set interfaces ge-0/0/2 encapsulation extended-vlan-bridge
set interfaces ge-0/0/2 unit 30 vlan-id-list 30-40
set interfaces ge-0/0/2 unit 30 vlan-id-list 50-60
set interfaces ge-0/0/2 unit 30 vlan-id-list 70-80
set interfaces ge-0/0/2 native-vlan-id 30
set interfaces ge-0/0/2 unit 30 input-vlan-map push
set interfaces ge-0/0/2 unit 30 output-vlan-map pop
set vlans v30 interface ge-0/0/2.30
To configure the many-to-many bundling method on an S-VLAN interface:
Enable the transmission of packets with no, one, or two 802.1Q VLAN tags:
[edit interfaces interface-name]
user@switch# set flexible-vlan-tagging
Enable extended VLAN bridge encapsulation:
[edit interfaces interface-name]
user@switch# set encapsulation extended-vlan-bridge
Map packets from each logical interface specified in the C-VLAN interface configuration to an S-VLAN:
[edit interfaces interface-name unit logical-unit-number]
user@switch# set vlan-id number
Enable an S-VLAN interface to send and receive untagged packets:
[edit interfaces interface-name]
user@switch# set native-vlan-id vlan-id
When specifying a native VLAN ID on an S-VLAN physical interface, the value must match an S-VLAN ID specified on the S-VLAN logical interface in step 3.
Associate the S-VLAN interface with the S-VLANs that were configured in the C-VLAN interface procedure:
[edit vlans vlan-name]
user@switch# set interface interface-name.logical-unit-number
For example, the following configuration on the S-VLAN interface ge-1/1/1 enables Q-in-Q tunneling and maps incoming C-VLAN packets to logical interfaces 10 and 30, which are in turn associated with S-VLANs v10 and v30, respectively.
set interfaces ge-1/1/1 flexible-vlan-tagging
set interfaces ge-1/1/1 encapsulation extended-vlan-bridge
set interfaces ge-1/1/1 unit 10 vlan-id 10
set interfaces ge-1/1/1 unit 30 vlan-id 30
set interfaces ge-1/1/1 native-vlan-id 10
set vlans v10 interface ge-1/1/1.10
set vlans v30 interface ge-1/1/1.30
Configuring a Specific Interface Mapping with VLAN Rewrite Option
You can configure Q-in-Q tunneling by mapping packets from a specified C-VLAN to a specified S-VLAN. In addition, while the packets are transmitted to and from the S-VLAN, you can specify that the 802.1Q C-VLAN tag be removed and replaced with the S-VLAN tag or vice versa.
To configure a specific interface mapping with VLAN rewriting on the C-VLAN interface:
For example, the following configuration on the C-VLAN interface ge-0/0/1 enables Q-in-Q tunneling and maps incoming packets from C-VLAN 150 to logical interface 200, which is in turn associated with VLAN v200. Also, as packets travel from the C-VLAN interface ge-0/0/1 to an S-VLAN interface, the C-VLAN tag 150 is removed and replaced with the S-VLAN tag 200. As packets travel from an S-VLAN interface to C-VLAN interface ge-0/0/1, the S-VLAN tag 200 is removed and replaced with the C-VLAN tag of 150.
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 encapsulation extended-vlan-bridge
set interfaces ge-0/0/1 unit 200 vlan-id 150
set interfaces ge-0/0/1 native-vlan-id 150
set interfaces ge-0/0/1 unit 200 input-vlan-map swap
set interfaces ge-0/0/1 unit 200 output-vlan-map swap
set vlans v200 interface ge-0/0/1.200
To configure a specific interface mapping with VLAN rewriting on the S-VLAN interface:
Enable the transmission of packets with no, one, or two 802.1Q VLAN tags:
[edit interfaces interface-name]
user@switch# set flexible-vlan-tagging
Enable extended VLAN bridge encapsulation:
[edit interfaces interface-name]
user@switch# set encapsulation extended-vlan-bridge
Map packets from the logical interface specified in the C-VLAN interface configuration to the S-VLAN:
[edit interfaces interface-name unit logical-unit-number]
user@switch# set vlan-id number
Enable the S-VLAN interface to send and receive untagged packets:
[edit interfaces interface-name]
user@switch# set native-vlan-id vlan-id
When specifying a native VLAN ID on an S-VLAN physical interface, the value must match the VLAN ID specified on the S-VLAN logical interface in step 3.
Associate the S-VLAN interface with the S-VLAN that was configured in the C-VLAN interface procedure:
[edit vlans vlan-name]
user@switch# set interface interface-name.logical-unit-number
For example, the following configuration on the S-VLAN interface ge-1/1/1 enables Q-in-Q tunneling and maps packets with VLAN ID 200 to logical interface 200, which is in turn associated with S-VLAN v200.
set interfaces ge-1/1/1 flexible-vlan-tagging
set interfaces ge-1/1/1 encapsulation extended-vlan-bridge
set interfaces ge-1/1/1 unit 200 vlan-id 200
set interfaces ge-1/1/1 native-vlan-id 200
set vlans v200 interface ge-1/1/1.200
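Deviations from the C-VLAN and S-VLAN procedures above can be caught before a configuration is committed. The following Python code is an added example, not Juniper tooling: it reads set commands and reports logical interfaces that are not members of a VLAN, input and output VLAN maps that are not a push/pop or swap/swap pair, and a native-vlan-id that matches no S-VLAN logical interface. Treating a unit that has vlan-id and no VLAN map as S-VLAN-facing is an assumption, and the sample configuration is constructed with three deliberate mistakes.

```python
from collections import defaultdict

# input-vlan-map operation -> output-vlan-map operation used in the procedures above
MAP_PAIRS = {"push": "pop", "swap": "swap"}
UNIT_KEYS = ("vlan-id", "vlan-id-list", "input-vlan-map", "output-vlan-map")


def load(config_text):
    """Collect native VLAN IDs, per-unit statements and VLAN memberships."""
    native = {}                # physical interface -> native-vlan-id
    units = defaultdict(dict)  # "interface.unit" -> {statement: value}
    members = set()            # "interface.unit" names bound to a VLAN
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:2] == ["set", "vlans"] and len(tok) == 5 and tok[3] == "interface":
            members.add(tok[4])
        elif tok[:2] == ["set", "interfaces"] and len(tok) >= 5:
            name, stmt = tok[2], tok[3:]
            if stmt[0] == "native-vlan-id":
                native[name] = int(stmt[1])
            elif stmt[0] == "unit" and len(stmt) >= 4 and stmt[2] in UNIT_KEYS:
                is_map = stmt[2].endswith("-vlan-map")
                if is_map and stmt[3] not in ("push", "pop", "swap"):
                    continue  # a map parameter (or dual-tag operation), not handled here
                units["%s.%s" % (name, stmt[1])][stmt[2]] = stmt[3]
    return native, units, members


def lint(config_text):
    """Return a list of findings; an empty list means all three checks pass."""
    native, units, members = load(config_text)
    findings = []
    for lif in sorted(units):
        unit = units[lif]
        if lif not in members:
            findings.append("%s: not a member of any VLAN" % lif)
        op_in, op_out = unit.get("input-vlan-map"), unit.get("output-vlan-map")
        if (op_in or op_out) and MAP_PAIRS.get(op_in) != op_out:
            findings.append(
                "%s: vlan maps are not a push/pop or swap/swap pair "
                "(input=%s, output=%s)" % (lif, op_in, op_out))
    for phys, vid in sorted(native.items()):
        # Assumption: a unit with vlan-id and no VLAN map faces the S-VLAN.
        svlan_ids = sorted(
            int(unit["vlan-id"]) for lif, unit in units.items()
            if lif.rsplit(".", 1)[0] == phys and "vlan-id" in unit
            and "input-vlan-map" not in unit and "output-vlan-map" not in unit)
        if svlan_ids and vid not in svlan_ids:
            findings.append(
                "%s: native-vlan-id %d matches no S-VLAN logical interface %s"
                % (phys, vid, svlan_ids))
    return findings


# Constructed sample, modelled on the examples above, with three mistakes:
# ge-0/0/1.10 lacks output-vlan-map pop, ge-0/0/2.200 is in no VLAN, and
# ge-1/1/1 has a native-vlan-id that matches neither logical interface.
SAMPLE = """\
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 encapsulation extended-vlan-bridge
set interfaces ge-0/0/1 unit 10 vlan-id-list 100-120
set interfaces ge-0/0/1 native-vlan-id 100
set interfaces ge-0/0/1 unit 10 input-vlan-map push
set vlans v10 interface ge-0/0/1.10
set interfaces ge-0/0/2 unit 200 vlan-id 150
set interfaces ge-0/0/2 unit 200 input-vlan-map swap
set interfaces ge-0/0/2 unit 200 output-vlan-map swap
set interfaces ge-1/1/1 flexible-vlan-tagging
set interfaces ge-1/1/1 encapsulation extended-vlan-bridge
set interfaces ge-1/1/1 unit 10 vlan-id 10
set interfaces ge-1/1/1 unit 30 vlan-id 30
set interfaces ge-1/1/1 native-vlan-id 20
set vlans v10 interface ge-1/1/1.10
set vlans v30 interface ge-1/1/1.30
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```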
Configuring Q-in-Q Tunneling on EX Series Switches
This task uses Junos OS for EX Series switches that does not support the Enhanced Layer 2 Software (ELS) configuration style.
Q-in-Q tunneling allows service providers on Ethernet access networks to segregate or bundle customer traffic into different VLANs by adding another layer of 802.1Q tags. You can configure Q-in-Q tunneling on EX Series switches.
You cannot configure 802.1X user authentication on interfaces that have been enabled for Q-in-Q tunneling.
Before you begin configuring Q-in-Q tunneling, make sure you set up your VLANs. See Configuring VLANs for EX Series Switches or Configuring VLANs for EX Series Switches (J-Web Procedure).
To configure Q-in-Q tunneling:
Configuring Q-in-Q Tunneling on ACX Series
Q-in-Q Tunneling on ACX Series Overview
Q-in-Q tunneling allows service providers to create a Layer 2 Ethernet connection between two customer sites. Providers can segregate different customers’ VLAN traffic on a link (for example, if the customers use overlapping VLAN IDs) or bundle different customer VLANs into a single service VLAN. Service providers can use Q-in-Q tunneling to isolate customer traffic within a single site or to enable customer traffic flows across geographic locations.
Q-in-Q tunneling adds a service VLAN tag before the customer’s 802.1Q VLAN tags. The Juniper Networks Junos operating system implementation of Q-in-Q tunneling supports the IEEE 802.1ad standard.
In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service provider's VLAN (S-VLAN), another 802.1Q tag for the appropriate S-VLAN is added before the C-VLAN tag. The C-VLAN tag remains and is transmitted through the network. As the packet exits from the S-VLAN space, in the downstream direction, the S-VLAN 802.1Q tag is removed.
In ACX Series routers, you can configure Q-in-Q tunneling by explicitly configuring an input VLAN map with the push function on customer-facing interfaces in a bridge domain.
You can configure Q-in-Q tunneling on an aggregated Ethernet interface by configuring input and output VLAN maps.
Configuring Q-in-Q Tunneling on ACX Series
To configure Q-in-Q tunneling, you need to configure the logical interface connected to the customer network (user-to-network interfaces (UNI)) and the logical interface connected to the service provider network (network-to-network interface (NNI)).
The following example configures a logical interface connected to a customer network:
[edit]
interface ge-1/0/1 {
    flexible-vlan-tagging;
    encapsulation flexible-ethernet-services;
    unit 0 {
        encapsulation vlan-bridge;
        vlan-id-list 10-20;
        input-vlan-map {
            push;
            vlan-id 500;
        }
        output-vlan-map pop;
    }
}
The following example configures a logical interface connected to a service provider network:
[edit]
interface ge-1/0/2 {
    flexible-vlan-tagging;
    encapsulation flexible-ethernet-services;
    unit 0 {
        encapsulation vlan-bridge;
        vlan-id 500;
    }
}
The following example configures the bridge domain:
[edit]
bridge-domains {
    qnq-stag-500 {
        interface ge-1/0/1;
        interface ge-1/0/2;
    }
}
You can configure Q-in-Q tunneling on an aggregated Ethernet interface connected to the customer network (UNI) and the logical interface connected to the service provider network (NNI).
Configuring Q-in-Q Tunneling Using All-in-One Bundling
You can configure Q-in-Q tunneling using the all-in-one bundling method for provider edge and customer edge devices. Provider edge devices forward all packets that ingress on a C-VLAN interface to an S-VLAN. Packets are forwarded to the S-VLAN regardless of whether they are tagged or untagged prior to ingress. Using this approach saves you the effort of specifying a specific mapping for each C-VLAN. Customer edge devices use L2 configurations that interface with the configured VLAN.
For your provider edge device, first configure the S-VLAN and its interface:
If you configured flexible-ethernet-services, configure vlan-bridge encapsulation on the logical interface:
[edit interfaces interface-name unit logical-unit-number]
user@switch# set encapsulation vlan-bridge
For example, the following configuration makes xe-0/0/0.10 a member of VLAN 10, enables Q-in-Q tunneling on interface xe-0/0/0, enables xe-0/0/0 to accept untagged packets, and binds the VLAN ID of S-VLAN v10 to a logical interface of xe-0/0/0.
set vlans v10 interface xe-0/0/0.10
set interfaces xe-0/0/0 flexible-vlan-tagging
set interfaces xe-0/0/0 native-vlan-id 10
set interfaces xe-0/0/0 encapsulation extended-vlan-bridge
set interfaces xe-0/0/0 unit 10 vlan-id 10
Now configure all-in-one bundling on a C-VLAN interface:
Assign a logical interface (unit) of the C-VLAN interface to be a member of the S-VLAN.
[edit vlans vlan-name]
user@switch# set interface interface-name.unit-number
Enable the interface to transmit packets with 802.1Q VLAN tags:
[edit interfaces interface-name]
user@switch# set flexible-vlan-tagging
Enable extended VLAN bridge encapsulation on the interface:
[edit interfaces interface-name]
user@switch# set encapsulation extended-vlan-bridge
Enable the C-VLAN interface to send and receive untagged packets:
[edit interfaces interface-name]
user@switch# set native-vlan-id vlan-id
Configure a logical interface to receive and forward any tagged packet whose VLAN ID tag matches the list of VLAN IDs you specify:
[edit interfaces interface-name unit logical-unit-number]
user@switch# set vlan-id-list vlan-id-numbers
CAUTION: You can apply no more than eight VLAN identifier lists to a physical interface. This limitation does not apply to QFX10000 switches.
Configure the system to add an S-VLAN tag (outer tag) as packets travel from a C-VLAN interface to the S-VLAN:
[edit interfaces interface-name unit logical-unit-number]
user@switch# set input-vlan-map push
Note: You can configure vlan-id on input-vlan-map, but doing so is optional.
Configure the system to remove the S-VLAN tag when packets are forwarded (internally) from the S-VLAN interface to the C-VLAN interface:
[edit interfaces interface-name unit logical-unit-number]
user@switch# set output-vlan-map pop
For example, the following configuration makes xe-0/0/1.10 a member of S-VLAN v10, enables Q-in-Q tunneling, maps packets from C-VLANs 100 through 200 to S-VLAN 10, and enables xe-0/0/1 to accept untagged packets. If a packet originates in C-VLAN 100 and needs to be sent across the S-VLAN, a tag with VLAN ID 10 is added to the packet. When a packet is forwarded (internally) from the S-VLAN interface to interface xe-0/0/1, the tag with VLAN ID 10 is removed.
set vlans v10 interface xe-0/0/1.10
set interfaces xe-0/0/1 flexible-vlan-tagging
set interfaces xe-0/0/1 encapsulation extended-vlan-bridge
set interfaces xe-0/0/1 unit 10 vlan-id-list 100-200
set interfaces xe-0/0/1 native-vlan-id 10
set interfaces xe-0/0/1 unit 10 input-vlan-map push
set interfaces xe-0/0/1 unit 10 output-vlan-map pop
To configure the VLAN that you'll use to forward packets from your customer edge device, configure the Ethernet mode as ethernet-switching and add the associated VLAN ID tag, so that the device sends tagged frames.
For example, the following configuration makes xe-0/0/1.0 a member of VLAN 100 and enables Q-in-Q tunneling on interface xe-0/0/1.
set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 100
set vlans vlan100 vlan-id 100
Configuring Q-in-Q Tunneling Using Many-to-Many Bundling
You can configure Q-in-Q tunneling using the many-to-many bundling method, which maps packets from multiple C-VLANs to multiple S-VLANs. This method is convenient for mapping a range of C-VLANs without having to specify each one individually. (You can also use this method to configure only one C-VLAN to be mapped to an S-VLAN.)
First configure the S-VLANs and assign them to an interface:
For example, the following configuration creates S-VLANs v10 and v30 and associates them with interface xe-0/0/0.10, enables Q-in-Q tunneling, enables xe-0/0/0 to accept untagged packets, and maps incoming C-VLAN packets to S-VLANs v10 and v30.
set vlans v10 interface xe-0/0/0.10
set vlans v30 interface xe-0/0/0.10
set interfaces xe-0/0/0 flexible-vlan-tagging
set interfaces xe-0/0/0 native-vlan-id 10
set interfaces xe-0/0/0 encapsulation extended-vlan-bridge
set interfaces xe-0/0/0 unit 10 vlan-id 10
set interfaces xe-0/0/0 unit 30 vlan-id 30
To configure the many-to-many bundling method on a C-VLAN interface, perform the following steps for each customer:
Assign a logical interface (unit) of one C-VLAN interface to be a member of one S-VLAN.
[edit vlans vlan-name]
user@switch# set interface interface-name.unit-number
Repeat step 1 to assign another C-VLAN interface (physical interface) to be a member of another S-VLAN.
Enable the interface to transmit packets with 802.1Q VLAN tags:
[edit interfaces interface-name]
user@switch# set flexible-vlan-tagging
Enable extended VLAN bridge encapsulation on the interface:
[edit interfaces interface-name]
user@switch# set encapsulation extended-vlan-bridge
Enable the C-VLAN interface to send and receive untagged packets:
[edit interfaces interface-name]
user@switch# set native-vlan-id vlan-id
For each physical interface, configure a logical interface (unit) to receive and forward any tagged packet whose VLAN ID tag matches the list of VLAN IDs you specify:
[edit interfaces interface-name unit logical-unit-number]
user@switch# set vlan-id-list vlan-id-numbers
To configure only one C-VLAN to be mapped to an S-VLAN, specify only one VLAN ID after vlan-id-list.
CAUTION: You can apply no more than eight VLAN identifier lists to a physical interface. This limitation does not apply to QFX10000 switches.
For each physical interface, configure the system to add an S-VLAN tag (outer tag) as packets travel from the C-VLAN interface to the S-VLAN:
[edit interfaces interface-name unit logical-unit-number]
user@switch# set input-vlan-map push
For each physical interface, configure the system to remove the S-VLAN tag when packets are forwarded from the S-VLAN interface to the C-VLAN interface:
[edit interfaces interface-name unit logical-unit-number]
user@switch# set output-vlan-map pop
For example, the following configuration makes xe-0/0/1.10 a member of S-VLAN v10, enables Q-in-Q tunneling, and maps packets from C-VLANs 10 through 20 to S-VLAN 10. The configuration for customer 2 makes xe-0/0/2.30 a member of S-VLAN v30, enables Q-in-Q tunneling, and maps packets from C-VLANs 30 through 40, 50 through 60, and 70 through 80 to S-VLAN 30. Both interfaces are configured to accept untagged packets.
If a packet originates in C-VLAN 10 and needs to be sent over the S-VLAN, a tag with a VLAN ID 10 is added to the packet. If a packet is forwarded internally from the S-VLAN interface to xe-0/0/1.10, the tag with VLAN ID 10 is removed. The same principles apply to the C-VLANs configured on interface xe-0/0/2.
Notice that you can use the same tag value for an S-VLAN and C-VLAN. For example, the configuration for customer 1 maps C-VLAN ID 10 to S-VLAN ID 10. C-VLAN and S-VLAN tags use separate name spaces, so this configuration is allowed.
Configuration for customer 1:
set vlans v10 interface xe-0/0/1.10
set interfaces xe-0/0/1 flexible-vlan-tagging
set interfaces xe-0/0/1 encapsulation extended-vlan-bridge
set interfaces xe-0/0/1 unit 10 vlan-id-list 10-20
set interfaces xe-0/0/1 native-vlan-id 15
set interfaces xe-0/0/1 unit 10 input-vlan-map push
set interfaces xe-0/0/1 unit 10 output-vlan-map pop
Configuration for customer 2:
set vlans v30 interface xe-0/0/2.30
set interfaces xe-0/0/2 flexible-vlan-tagging
set interfaces xe-0/0/2 encapsulation extended-vlan-bridge
set interfaces xe-0/0/2 unit 30 vlan-id-list 30-40
set interfaces xe-0/0/2 unit 30 vlan-id-list 50-60
set interfaces xe-0/0/2 unit 30 vlan-id-list 70-80
set interfaces xe-0/0/2 native-vlan-id 75
set interfaces xe-0/0/2 unit 30 input-vlan-map push
set interfaces xe-0/0/2 unit 30 output-vlan-map pop
Configuring a Specific Interface Mapping with VLAN ID Translation Option
You can configure Q-in-Q tunneling by mapping packets from a specified C-VLAN to a specified S-VLAN. In addition, you can configure the system to replace a C-VLAN tag with an S-VLAN tag or replace an S-VLAN tag with a C-VLAN tag (instead of double tagging). This is called VLAN translation or VLAN rewriting. VLAN translation is particularly useful if a service provider’s Layer 2 network that connects a customer’s sites does not support double-tagged packets.
When you use VLAN translation, both ends of the link normally must be able to swap the tags appropriately. That is, both ends of the link must be configured to swap the C-VLAN tag for the S-VLAN tag and swap the S-VLAN tag for the C-VLAN tag so that traffic in both directions is tagged appropriately while in transit and after arrival.
First configure the S-VLAN and its interface:
For example, the following configuration creates S-VLAN v200, makes xe-0/0/0.200 a member of that VLAN, enables Q-in-Q tunneling on interface xe-0/0/0, enables xe-0/0/0 to accept untagged packets, and binds a logical interface of xe-0/0/0 to the VLAN ID of VLAN v200.
set vlans v200 interface xe-0/0/0.200
set interfaces xe-0/0/0 flexible-vlan-tagging
set interfaces xe-0/0/0 native-vlan-id 150
set interfaces xe-0/0/0 encapsulation extended-vlan-bridge
set interfaces xe-0/0/0 unit 200 vlan-id 200
Now configure a specific interface mapping with optional VLAN ID translation on the C-VLAN interface:
Assign a logical interface of the C-VLAN interface to be a member of the S-VLAN.
[edit vlans vlan-name]
user@switch# set interface interface-name.unit-number
Enable the interface to transmit packets with 802.1Q VLAN tags:
[edit interfaces interface-name]
user@switch# set flexible-vlan-tagging
Enable the C-VLAN interface to send and receive untagged packets:
[edit interfaces interface-name]
user@switch# set native-vlan-id vlan-id
Enable extended VLAN bridge encapsulation on the interface:
[edit interfaces interface-name]
user@switch# set encapsulation extended-vlan-bridge
Configure a logical interface (unit) to receive and forward any tagged packet whose VLAN ID tag matches the VLAN IDs you specify:
[edit interfaces interface-name unit logical-unit-number]
user@switch# set vlan-id number
Configure the system to remove the existing C-VLAN tag and replace it with the S-VLAN tag when packets ingress on the C-VLAN interface and are forwarded to the S-VLAN:
[edit interfaces interface-name unit logical-unit-number]
user@switch# set input-vlan-map swap
Configure the system to remove the existing S-VLAN tag and replace it with the C-VLAN tag when packets are forwarded from the S-VLAN interface to the C-VLAN interface:
[edit interfaces interface-name unit logical-unit-number]
user@switch# set output-vlan-map swap
To configure an S-VLAN and associate it with the appropriate C-VLAN interface:
[edit vlans vlan-name]
user@switch# set interface interface-name
For example, the following configuration on C-VLAN interface xe-0/0/1.200 enables Q-in-Q tunneling, enables xe-0/0/1 to accept untagged packets, and maps incoming packets from C-VLAN 150 to logical interface 200, which is a member of S-VLAN 200. Also, when packets egress from C-VLAN interface xe-0/0/1 and travel to the S-VLAN interface, the C-VLAN tag of 150 is removed and replaced with the S-VLAN tag of 200. When packets travel from the S-VLAN interface to the C-VLAN interface, the S-VLAN tag of 200 is removed and replaced with the C-VLAN tag of 150.
set vlans v200 interface xe-0/0/1.200
set interfaces xe-0/0/1 flexible-vlan-tagging
set interfaces xe-0/0/1 native-vlan-id 150
set interfaces xe-0/0/1 encapsulation extended-vlan-bridge
set interfaces xe-0/0/1 unit 200 vlan-id 200
set interfaces xe-0/0/1 unit 200 output-vlan-map swap
set interfaces xe-0/0/1 unit 200 input-vlan-map swap
Example: Setting Up Q-in-Q Tunneling on QFX Series Switches
Service providers can use Q-in-Q tunneling to transparently pass Layer 2 VLAN traffic between customer sites without removing or changing the customer VLAN tags or class-of-service (CoS) settings. Data centers can use Q-in-Q tunneling to isolate customer traffic within a single site or when customer traffic flows between cloud data centers in different geographic locations.
This example uses a Junos OS release that does not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Configuring Q-in-Q Tunneling on QFX Series, NFX Series, and EX4600 Switches with ELS Support.
This example describes how to set up Q-in-Q tunneling:
Requirements
This example requires one QFX Series device with Junos OS Release 12.1 or later.
Before you begin setting up Q-in-Q tunneling, make sure you have created and configured the necessary customer VLANs on the neighboring switches. See Configuring VLANs on QFX Switches without Enhanced Layer 2 Support.
Overview and Topology
In this service provider network, there are multiple customer VLANs mapped to one service VLAN.
Table 2 lists the settings for the sample topology.
Interface | Description |
---|---|
xe-0/0/11.0 | Tagged S-VLAN trunk port |
xe-0/0/12.0 | Untagged customer-facing access port |
xe-0/0/13.0 | Untagged customer-facing access port |
xe-0/0/14.0 | Tagged S-VLAN trunk port |
Configuration
CLI Quick Configuration
To quickly create and configure Q-in-Q tunneling, copy the following commands and paste them into the switch terminal window:
[edit]
set vlans service-vlan vlan-id 1000
set vlans service-vlan dot1q-tunneling customer-vlans 1-100
set vlans service-vlan dot1q-tunneling customer-vlans 201-300
set interfaces xe-0/0/11 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/11 unit 0 family ethernet-switching vlan members 1000
set interfaces xe-0/0/12 unit 0 family ethernet-switching port-mode access
set interfaces xe-0/0/12 unit 0 family ethernet-switching vlan members 1000
set interfaces xe-0/0/13 unit 0 family ethernet-switching port-mode access
set interfaces xe-0/0/13 unit 0 family ethernet-switching vlan members 1000
set interfaces xe-0/0/14 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/14 unit 0 family ethernet-switching vlan members 1000
set ethernet-switching-options dot1q-tunneling ether-type 0x9100
Procedure
Step-by-Step Procedure
To configure Q-in-Q tunneling:
Set the VLAN ID for the S-VLAN:
[edit vlans]
user@switch# set service-vlan vlan-id 1000
Enable Q-in-Q tunneling and specify the customer VLAN ranges:
[edit vlans]
user@switch# set service-vlan dot1q-tunneling customer-vlans 1-100
user@switch# set service-vlan dot1q-tunneling customer-vlans 201-300
Set the port mode and VLAN information for the interfaces:
[edit interfaces]
user@switch# set xe-0/0/11 unit 0 family ethernet-switching port-mode trunk
user@switch# set xe-0/0/11 unit 0 family ethernet-switching vlan members 1000
user@switch# set xe-0/0/12 unit 0 family ethernet-switching port-mode access
user@switch# set xe-0/0/12 unit 0 family ethernet-switching vlan members 1000
user@switch# set xe-0/0/13 unit 0 family ethernet-switching port-mode access
user@switch# set xe-0/0/13 unit 0 family ethernet-switching vlan members 1000
user@switch# set xe-0/0/14 unit 0 family ethernet-switching port-mode trunk
user@switch# set xe-0/0/14 unit 0 family ethernet-switching vlan members 1000
Set the Q-in-Q Ethertype value (optional):
[edit]
user@switch# set ethernet-switching-options dot1q-tunneling ether-type 0x9100
Results
Check the results of the configuration:
user@switch> show configuration vlans
service-vlan vlan-id 1000 {
    dot1q-tunneling {
        customer-vlans [ 1-100 201-300 ];
    }
user@switch> show configuration interfaces
xe-0/0/11 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan members 1000;
        }
    }
}
xe-0/0/12 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan members 1000;
        }
    }
}
xe-0/0/13 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan members 1000;
        }
    }
}
xe-0/0/14 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan members 1000;
        }
    }
}
user@switch> show ethernet-switching-options
dot1q-tunneling {
    ether-type 0x9100;
}
Verification
Confirm that the configuration is working properly.
Verifying That Q-in-Q Tunneling Was Enabled
Purpose
Verify that Q-in-Q tunneling was properly enabled.
Action
Use the show vlans command:
user@switch> show vlans service-vlan extensive
VLAN: service-vlan, Created at: Wed Mar 14 07:17:53 2012
802.1Q Tag: 1000, Internal index: 18, Admin State: Enabled, Origin: Static
Dot1q Tunneling Status: Enabled
Customer VLAN ranges:
    1-100
    201-300
Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 2 (Active = 0)
    xe-0/0/11.0, tagged, trunk
    xe-0/0/14.0, tagged, trunk
    xe-0/0/12.0, untagged, access
    xe-0/0/13.0, untagged, access
Meaning
The output indicates that Q-in-Q tunneling is enabled and that the VLAN is tagged and shows the associated customer VLANs.
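The tag handling that this example configures can also be checked against frames captured on the trunk ports. The following Python code is an added example, not part of the Juniper documentation: it models push, pop and swap on raw Ethernet frames and audits a trunk-side frame against the S-VLAN ID 1000, the customer-vlans ranges and the ether-type 0x9100 configured above. The MAC addresses, the payload and an outer-tag priority of 0 are assumptions, and the sample frame is constructed.

```python
import struct

TPID_CVLAN = 0x8100   # IEEE 802.1Q TPID on the customer's own tag
TPID_SVLAN = 0x9100   # from "dot1q-tunneling ether-type 0x9100"
S_VLAN_ID = 1000      # from "set vlans service-vlan vlan-id 1000"
CUSTOMER_VLANS = [(1, 100), (201, 300)]  # "dot1q-tunneling customer-vlans" ranges


def parse(frame):
    """Return (dst, src, tags, ethertype, payload); tags are (tpid, tci), outermost first."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    off, tags = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_CVLAN, TPID_SVLAN):
            return frame[:6], frame[6:12], tags, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci))
        off += 4


def build(dst, src, tags, ethertype, payload):
    """Serialize the fields returned by parse() back into a frame."""
    out = dst + src
    for tpid, tci in tags:
        out += struct.pack("!HH", tpid, tci)
    return out + struct.pack("!H", ethertype) + payload


def vid(tag):
    """VLAN ID: the low 12 bits of the tag control information."""
    return tag[1] & 0x0FFF


def _valid(vlan_id):
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range: %d" % vlan_id)
    return vlan_id


def push(frame, vlan_id, tpid=TPID_SVLAN):
    """push: add an outer tag (priority 0 assumed); inner tags are untouched."""
    dst, src, tags, etype, payload = parse(frame)
    return build(dst, src, [(tpid, _valid(vlan_id))] + tags, etype, payload)


def pop(frame):
    """pop: remove the outer tag."""
    dst, src, tags, etype, payload = parse(frame)
    if not tags:
        raise ValueError("no VLAN tag to pop")
    return build(dst, src, tags[1:], etype, payload)


def swap(frame, vlan_id):
    """swap: rewrite the outer tag's VLAN ID; tag count and priority bits are kept."""
    dst, src, tags, etype, payload = parse(frame)
    if not tags:
        raise ValueError("no VLAN tag to swap")
    tpid, tci = tags[0]
    new_tag = (tpid, (tci & 0xF000) | _valid(vlan_id))
    return build(dst, src, [new_tag] + tags[1:], etype, payload)


def audit_trunk_frame(frame):
    """List what is unexpected about a frame captured on an S-VLAN trunk port."""
    tags = parse(frame)[2]
    if not tags or tags[0][0] != TPID_SVLAN:
        return ["no outer tag with TPID 0x%04x" % TPID_SVLAN]
    findings = []
    if vid(tags[0]) != S_VLAN_ID:
        findings.append("outer VLAN ID %d is not S-VLAN %d" % (vid(tags[0]), S_VLAN_ID))
    if len(tags) == 1:
        findings.append("no C-VLAN tag inside the tunnel")
    elif not any(lo <= vid(tags[1]) <= hi for lo, hi in CUSTOMER_VLANS):
        findings.append("C-VLAN %d is outside the customer-vlans ranges" % vid(tags[1]))
    return findings


# Constructed sample: a customer frame tagged with C-VLAN 50, priority 5.
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
CUSTOMER_FRAME = build(DST, SRC, [(TPID_CVLAN, (5 << 13) | 50)], 0x0800, b"constructed payload")

if __name__ == "__main__":
    trunk = push(CUSTOMER_FRAME, S_VLAN_ID)  # access port -> S-VLAN trunk
    print([(hex(tag[0]), vid(tag)) for tag in parse(trunk)[2]])
    print(audit_trunk_frame(trunk))
```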
Example: Setting Up Q-in-Q Tunneling on EX Series Switches
Service providers can use Q-in-Q tunneling to transparently pass Layer 2 VLAN traffic from a customer site, through the service provider network, to another customer site without removing or changing the customer VLAN tags or class-of-service (CoS) settings. You can configure Q-in-Q tunneling on EX Series switches.
This example describes how to set up Q-in-Q:
Requirements
This example requires one EX Series switch with Junos OS Release 9.3 or later for EX Series switches.
Before you begin setting up Q-in-Q tunneling, make sure you have created and configured the necessary customer VLANs. See Configuring VLANs for EX Series Switches or Configuring VLANs for EX Series Switches (J-Web Procedure).
Overview and Topology
In this service provider network, there are multiple customer VLANs mapped to one service VLAN.
Table 3 lists the settings for the example topology.
Interface | Description |
---|---|
ge-0/0/11.0 | Tagged S-VLAN trunk port |
ge-0/0/12.0 | Untagged customer-facing access port |
ge-0/0/13.0 | Untagged customer-facing access port |
ge-0/0/14.0 | Tagged S-VLAN trunk port |
Configuration
CLI Quick Configuration
To quickly create and configure Q-in-Q tunneling, copy the following commands and paste them into the switch terminal window:
[edit]
set vlans qinqvlan vlan-id 4001
set vlans qinqvlan dot1q-tunneling customer-vlans 1-100
set vlans qinqvlan dot1q-tunneling customer-vlans 201-300
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 4001
set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members 4001
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members 4001
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members 4001
set ethernet-switching-options dot1q-tunneling ether-type 0x9100
Procedure
Step-by-Step Procedure
To configure Q-in-Q tunneling:
Set the VLAN ID for the S-VLAN:
[edit vlans]
user@switch# set qinqvlan vlan-id 4001
Enable Q-in-Q tunneling and specify the customer VLAN ranges:
[edit vlans]
user@switch# set qinqvlan dot1q-tunneling customer-vlans 1-100
user@switch# set qinqvlan dot1q-tunneling customer-vlans 201-300
Set the port mode and VLAN information for the interfaces:
[edit interfaces]
user@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-0/0/11 unit 0 family ethernet-switching vlan members 4001
user@switch# set ge-0/0/12 unit 0 family ethernet-switching port-mode access
user@switch# set ge-0/0/12 unit 0 family ethernet-switching vlan members 4001
user@switch# set ge-0/0/13 unit 0 family ethernet-switching port-mode access
user@switch# set ge-0/0/13 unit 0 family ethernet-switching vlan members 4001
user@switch# set ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-0/0/14 unit 0 family ethernet-switching vlan members 4001
Set the Q-in-Q Ethertype value:
[edit]
user@switch# set ethernet-switching-options dot1q-tunneling ether-type 0x9100
Results
Check the results of the configuration:
user@switch> show configuration vlans
qinqvlan vlan-id 4001 {
    dot1q-tunneling {
        customer-vlans [ 1-100 201-300 ];
    }
user@switch> show configuration interfaces
ge-0/0/11 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan members 4001;
        }
    }
}
ge-0/0/12 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan members 4001;
        }
    }
}
ge-0/0/13 {
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan members 4001;
        }
    }
}
ge-0/0/14 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan members 4001;
        }
    }
}
user@switch> show ethernet-switching-options
dot1q-tunneling {
    ether-type 0x9100;
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That Q-in-Q Tunneling Was Enabled
Purpose
Verify that Q-in-Q tunneling was properly enabled on the switch.
Action
Use the show vlans command:
user@switch> show vlans qinqvlan extensive
VLAN: qinqvlan, Created at: Thu Sep 18 07:17:53 2008
802.1Q Tag: 4001, Internal index: 18, Admin State: Enabled, Origin: Static
Dot1q Tunneling Status: Enabled
Customer VLAN ranges:
    1-100
    201-300
Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 4 (Active = 0)
    ge-0/0/11.0, tagged, trunk
    ge-0/0/14.0, tagged, trunk
    ge-0/0/12.0, untagged, access
    ge-0/0/13.0, untagged, access
Meaning
The output indicates that Q-in-Q tunneling is enabled and that the VLAN is tagged and shows the associated customer VLANs.
Setting Up a Dual VLAN Tag Translation Configuration on QFX Switches
Starting with Junos OS Release 14.1X53-D40, you can use the dual VLAN tag translation (also known as dual VLAN tag rewrite) feature to deploy switches in service-provider domains, allowing dual-tagged, single-tagged, and untagged VLAN packets to come into or exit from the switch.
The following example configuration shows use of the swap-swap, pop-swap, and swap-push dual tag operations.
[edit]
set interfaces ge-0/0/1 unit 503 description UNI-3
set interfaces ge-0/0/1 unit 503 encapsulation vlan-bridge
set interfaces ge-0/0/1 unit 503 vlan-tags outer 503
set interfaces ge-0/0/1 unit 503 vlan-tags inner 504
set interfaces ge-0/0/1 unit 503 input-vlan-map swap-swap
set interfaces ge-0/0/1 unit 503 input-vlan-map vlan-id 500
set interfaces ge-0/0/1 unit 503 input-vlan-map inner-vlan-id 514
set interfaces ge-0/0/1 unit 503 output-vlan-map swap-swap
set interfaces ge-0/0/0 description NNI
set interfaces ge-0/0/0 flexible-vlan-tagging
set interfaces ge-0/0/0 encapsulation flexible-ethernet-services
set interfaces ge-0/0/0 unit 500 description "SVLAN500 port"
set interfaces ge-0/0/0 unit 500 encapsulation vlan-bridge
set interfaces ge-0/0/0 unit 500 vlan-id 500
set interfaces ge-0/0/0 unit 600 description "SVLAN600 port"
set interfaces ge-0/0/0 unit 600 encapsulation vlan-bridge
set interfaces ge-0/0/0 unit 600 vlan-id 600
set interfaces ge-0/0/0 unit 700 description "SVLAN700 port"
set interfaces ge-0/0/0 unit 700 encapsulation vlan-bridge
set interfaces ge-0/0/0 unit 700 vlan-id 700
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members v1000
set interfaces ge-0/0/0 unit 1100 description UNI-SVLAN1100
set interfaces ge-0/0/0 unit 1100 encapsulation vlan-bridge
set interfaces ge-0/0/0 unit 1100 vlan-tags outer 1101
set interfaces ge-0/0/0 unit 1100 vlan-tags inner 1102
set interfaces ge-0/0/0 unit 1100 input-vlan-map swap-swap
set interfaces ge-0/0/0 unit 1100 input-vlan-map vlan-id 1100
set interfaces ge-0/0/0 unit 1100 input-vlan-map inner-vlan-id 2101
set interfaces ge-0/0/0 unit 1100 output-vlan-map swap-swap
set interfaces ge-0/0/0 unit 1200 description UNI-SVLAN1200
set interfaces ge-0/0/0 unit 1200 encapsulation vlan-bridge
set interfaces ge-0/0/0 unit 1200 vlan-id 1201
set interfaces ge-0/0/0 unit 1200 input-vlan-map swap-push
set interfaces ge-0/0/0 unit 1200 input-vlan-map inner-vlan-id 2200
set interfaces ge-0/0/0 unit 1200 output-vlan-map pop-swap
set interfaces ge-0/0/2 description UNI
set interfaces ge-0/0/2 flexible-vlan-tagging
set interfaces ge-0/0/2 encapsulation flexible-ethernet-services
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members v1000
set interfaces ge-0/0/2 unit 603 description UNI-3
set interfaces ge-0/0/2 unit 603 encapsulation vlan-bridge
set interfaces ge-0/0/2 unit 603 vlan-tags outer 603
set interfaces ge-0/0/2 unit 603 vlan-tags inner 604
set interfaces ge-0/0/2 unit 603 input-vlan-map swap-swap
set interfaces ge-0/0/2 unit 603 input-vlan-map vlan-id 600
set interfaces ge-0/0/2 unit 603 input-vlan-map inner-vlan-id 614
set interfaces ge-0/0/2 unit 603 output-vlan-map swap-swap
set interfaces ge-0/0/3 description UNI
set interfaces ge-0/0/3 flexible-vlan-tagging
set interfaces ge-0/0/3 encapsulation flexible-ethernet-services
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members v1000
set interfaces ge-0/0/3 unit 703 description UNI-3
set interfaces ge-0/0/3 unit 703 encapsulation vlan-bridge
set interfaces ge-0/0/3 unit 703 vlan-tags outer 703
set interfaces ge-0/0/3 unit 703 vlan-tags inner 704
set interfaces ge-0/0/3 unit 703 input-vlan-map swap-swap
set interfaces ge-0/0/3 unit 703 input-vlan-map vlan-id 700
set interfaces ge-0/0/3 unit 703 input-vlan-map inner-vlan-id 714
set interfaces ge-0/0/3 unit 703 output-vlan-map swap-swap
set interfaces ge-0/0/3 unit 701 encapsulation vlan-bridge
set interfaces ge-0/0/3 unit 701 vlan-id 701
set interfaces ge-0/0/3 unit 701 input-vlan-map swap-push
set interfaces ge-0/0/3 unit 701 input-vlan-map inner-vlan-id 780
set interfaces ge-0/0/3 unit 701 output-vlan-map pop-swap
set interfaces ge-0/0/3 unit 1100 description SVLAN1100-NNI
set interfaces ge-0/0/3 unit 1100 encapsulation vlan-bridge
set interfaces ge-0/0/3 unit 1100 vlan-id 1100
set interfaces ge-0/0/3 unit 1200 description SVLAN1200-NNI
set interfaces ge-0/0/3 unit 1200 encapsulation vlan-bridge
set interfaces ge-0/0/3 unit 1200 vlan-id 1200
set vlans SVLAN500 interface ge-0/0/0.500
set vlans SVLAN500 interface ge-0/0/1.503
set vlans SVLAN600 interface ge-0/0/0.600
set vlans SVLAN600 interface ge-0/0/2.603
set vlans SVLAN600 interface ge-0/0/3.701
set vlans SVLAN700 interface ge-0/0/0.700
set vlans SVLAN700 interface ge-0/0/3.703
set vlans v1000 vlan-id 1000
set vlans SVLAN1100 interface ge-0/0/0.1100
set vlans SVLAN1100 interface ge-0/0/3.1100
set vlans SVLAN1200 interface ge-0/0/3.1200
set vlans SVLAN1200 interface ge-0/0/0.1200
Dual VLAN tagging (vlan-tags outer, vlan-tags inner) is not supported on QFX 5000 switches with Layer 3 IFL family inet.
set interfaces xe-0/0/2 unit 100 vlan-tags outer 1000
set interfaces xe-0/0/2 unit 100 vlan-tags inner 100
Support for Swap-Push/Pop-Swap for QFX and EX Switches
Q-in-Q tunneling with L2 swap-push/pop-swap support is a specific scenario in which
the customer VLAN (C-VLAN) tag is swapped with the inner-vlan-id
tag, and the service-provider-defined service VLAN (S-VLAN) tag is pushed on it (for
traffic flowing from customer to service provider site). This traffic is sent to the
service provider network double-tagged (S-VLAN + C-VLAN). For the traffic flowing
from the service provider network to the customer network, the S-VLAN tag is
removed, and the C-VLAN tag is replaced with the VLAN ID configured on the UNI
logical interface.
The following example shows the swap-push/pop-swap dual tag operations.
- Swap-push—For an incoming single-tagged frame from the UNI, the C-VLAN tag (VLAN ID 100) is swapped with the inner-vlan-id (200) configured on the logical interface, and the S-VLAN tag (VLAN ID 900) is pushed onto the frame. The double-tagged frame egresses out of the NNI.
- Pop-swap—For an incoming double-tagged frame from the NNI, the S-VLAN tag (VLAN ID 900) is popped from the frame, and the logical interface's VLAN ID 100 replaces the C-VLAN tag. The single-tagged frame egresses out of the UNI.
set interfaces ge-0/0/1 description UNI
set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 encapsulation flexible-ethernet-services
set interfaces ge-0/0/1 unit 100 encapsulation vlan-bridge
set interfaces ge-0/0/1 unit 100 vlan-id 100
set interfaces ge-0/0/1 unit 100 input-vlan-map swap-push
set interfaces ge-0/0/1 unit 100 input-vlan-map vlan-id 900
set interfaces ge-0/0/1 unit 100 input-vlan-map inner-vlan-id 200
set interfaces ge-0/0/1 unit 100 output-vlan-map pop-swap
set interfaces ge-0/0/2 description NNI
set interfaces ge-0/0/2 flexible-vlan-tagging
set interfaces ge-0/0/2 encapsulation flexible-ethernet-services
set interfaces ge-0/0/2 unit 900 encapsulation vlan-bridge
set interfaces ge-0/0/2 unit 900 vlan-id 900
set vlans vlan-900 interface ge-0/0/1.100
set vlans vlan-900 interface ge-0/0/2.900
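The tag operations configured above, traced on raw frame bytes. This is an added example, not Junos code or part of the original page: the function names, the MAC addresses and the payload are constructed, and it assumes both tags carry TPID 0x8100.

```python
import struct

TPID = 0x8100  # assumption: both tags use TPID 0x8100 (no 0x88a8 S-tag)

def build_frame(dst, src, vids, ethertype=0x0800, payload=b"constructed"):
    """Build an Ethernet frame carrying the VLAN IDs in vids, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID, vid) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload

def vlan_stack(frame):
    """Return the VLAN IDs that follow the MAC addresses, outermost first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids

def set_vid(frame, off, vid):
    """Rewrite the 12-bit VLAN ID of the tag at off, keeping the PCP/DEI bits."""
    tci = struct.unpack_from("!H", frame, off + 2)[0]
    return frame[:off + 2] + struct.pack("!H", (tci & 0xF000) | vid) + frame[off + 4:]

def swap_push(frame, unit_vid, inner_vid, outer_vid):
    """UNI ingress: swap the C-VLAN ID to inner_vid, then push the S-VLAN tag."""
    if vlan_stack(frame) != [unit_vid]:
        raise ValueError("frame does not match the logical interface vlan-id")
    frame = set_vid(frame, 12, inner_vid)
    return frame[:12] + struct.pack("!HH", TPID, outer_vid) + frame[12:]

def pop_swap(frame, unit_vid, outer_vid):
    """UNI egress: pop the S-VLAN tag, then swap the remaining tag to unit_vid."""
    stack = vlan_stack(frame)
    if len(stack) != 2 or stack[0] != outer_vid:
        raise ValueError("expected a double-tagged frame with the S-VLAN outermost")
    return set_vid(frame[:12] + frame[16:], 12, unit_vid)

if __name__ == "__main__":
    # Constructed frame: locally administered MACs, C-VLAN 100 as in the example.
    uni_in = build_frame(bytes.fromhex("020000000002"), bytes.fromhex("020000000001"), [100])
    nni_out = swap_push(uni_in, unit_vid=100, inner_vid=200, outer_vid=900)
    print("UNI ->", vlan_stack(uni_in), " NNI ->", vlan_stack(nni_out))
    uni_out = pop_swap(nni_out, unit_vid=100, outer_vid=900)
    print("NNI ->", vlan_stack(nni_out), " UNI ->", vlan_stack(uni_out))
```

The round trip returns the original frame byte for byte, and a frame whose tag stack does not match the logical interface is rejected rather than rewritten.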
If you configure the logical interface with a VLAN ID list and configure the input-vlan-map and output-vlan-map as swap-push/pop-swap, the result is undesired behavior: traffic egressing out of the UNI carries the logical unit number instead of the original customer VLAN ID from the configured VLAN ID list.
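A pre-commit check for the two unsupported combinations described above (swap-push/pop-swap on a unit with a VLAN ID list, and dual vlan-tags with family inet on QFX 5000). This is an added example, not a Juniper tool: the sample configuration is constructed, the script cannot tell which platform the configuration is for, and the unpaired-map check is this example's own consistency assumption rather than a rule stated on the page.

```python
import re
from collections import defaultdict

UNIT_RE = re.compile(r"^set interfaces (\S+) unit (\d+) (.+)$")

def parse_units(config_text):
    """Map 'interface.unit' to the statements configured under that unit."""
    units = defaultdict(list)
    for line in config_text.splitlines():
        m = UNIT_RE.match(line.strip())
        if m:
            units[f"{m.group(1)}.{m.group(2)}"].append(m.group(3))
    return units

def audit(config_text):
    """Return (unit, finding) pairs, sorted by unit name."""
    findings = []
    for name, stmts in sorted(parse_units(config_text).items()):
        has = lambda p: any(s == p or s.startswith(p + " ") for s in stmts)
        swap_push = has("input-vlan-map swap-push")
        pop_swap = has("output-vlan-map pop-swap")
        if swap_push != pop_swap:  # assumption: the two maps are used as a pair
            findings.append((name, "swap-push and pop-swap are not paired"))
        if (swap_push or pop_swap) and has("vlan-id-list"):
            findings.append((name, "swap-push/pop-swap on a unit with vlan-id-list"))
        if has("vlan-tags outer") and has("vlan-tags inner") and has("family inet"):
            findings.append((name, "dual vlan-tags with family inet (QFX 5000)"))
    return findings

# Constructed sample: unit 100 follows the page's example, the others do not.
SAMPLE = """\
set interfaces ge-0/0/1 unit 100 vlan-id 100
set interfaces ge-0/0/1 unit 100 input-vlan-map swap-push
set interfaces ge-0/0/1 unit 100 input-vlan-map vlan-id 900
set interfaces ge-0/0/1 unit 100 input-vlan-map inner-vlan-id 200
set interfaces ge-0/0/1 unit 100 output-vlan-map pop-swap
set interfaces ge-0/0/1 unit 110 vlan-id-list 110-120
set interfaces ge-0/0/1 unit 110 input-vlan-map swap-push
set interfaces ge-0/0/1 unit 110 output-vlan-map pop-swap
set interfaces xe-0/0/2 unit 100 vlan-tags outer 1000
set interfaces xe-0/0/2 unit 100 vlan-tags inner 100
set interfaces xe-0/0/2 unit 100 family inet address 192.0.2.1/24
"""

if __name__ == "__main__":
    for unit, finding in audit(SAMPLE):
        print(f"{unit}: {finding}")
```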
Verifying That Q-in-Q Tunneling Is Working on Switches
Purpose
After creating a Q-in-Q VLAN, verify that it is set up properly.
Action
Use the show configuration vlans command to determine if you successfully created the primary and secondary VLAN configurations:
user@switch> show configuration vlans
svlan {
    vlan-id 300;
    dot1q-tunneling {
        customer-vlans [ 101-200 ];
    }
}
Use the show vlans command to view VLAN information and link status:
user@switch> show vlans s-vlan-name extensive
VLAN: svlan, Created at: Thu Oct 23 16:53:20 2008
802.1Q Tag: 300, Internal index: 2, Admin State: Enabled, Origin: Static
Dot1q Tunneling Status: Enabled
Customer VLAN ranges:
        101-200
Protocol: Port Mode
Number of interfaces: Tagged 1 (Active = 0), Untagged 1 (Active = 0)
      xe-0/0/1, tagged, trunk
      xe-0/0/2, untagged, access
Meaning
The output confirms that Q-in-Q tunneling is enabled and that the VLAN is tagged, and lists the customer VLANs that are associated with the tagged VLAN.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.