Home > Service Provider > QinQ: 802.1q Tunneling on Cisco Switches

QinQ: 802.1q Tunneling on Cisco Switches

One of Metro Ethernet solution to extend Layer 2 Ethernet Connection between two customer sites is use 802.1q Tunneling, also known as QinQ.

QinQ concept is explained based on the diagram below:

Customer Switch Site A and B connected to SP (Service Provider) Edge Switch, usually use trunk mode on the port that facing to SP. SP Edge Switch use 802.1q Tunnel mode. Service Provider usually allocated one VLAN tag per-customer and used to tagging ethernet frames that coming from customer.

How the 802.1q work? See the example below:

Every frames from Customer is tagged with the SP allocated VLAN tag for customer. This process done in the SP Edge Switch that facing to the Customer Switch site A. The existing VLAN tag of the frames is not changed. So, every frames from customer will have two VLAN tag in the SP Networks. The inner tag is the customers real VLAN tag, and the outer tag is the SP VLAN Tag allocated to the customer. In the SP Edge Swtich that facing to the Site B, the outer VLAN tag is stripped, and the frames is forwarded to the Customer Site B switch.

In the diagram above, we look that every customers can use the same VLAN tags, and this will not conflicted. Every customers can not see the other customer even their VLAN tags is same, because Service Provider will tagging the customers frame with the unique per-customer VLAN tag. We see that Customer XYZ is allocated with the VLAN Tag 10 and Customer ABC with the VLAN tag 9.

Because the port from customer switch that connected to SP Edge switch can use the trunk-mode, so there are a few requirement:

  1. Port in the SP Edge switch that facing to the customer must set BPDU Filter and Root Guard to prevent the customer switches act as a STP root switch. The customer switches can see the BDPU from their opponent switches.
  2. By default, VTP between two customer switches across the Service Provider network is not work. You must configure protocol tunneling to enabled the VTP between the customer switches in both of the SP Edge Switches.
  3. UDLD, PAgP and CDP (disabled by default) can work.
  4. The maximum VLAN that can allocated to the customer is 4096 VLAN ID, because the VLAN ID field in the 802.1q frame is 12 bits.

See the example configuration of Service Provider Edge Switch below:

SPE-Site-A#sh run int f0/10
interface FastEthernet0/10
description Connection to Customer-XYZ-Site-A
switchport access vlan 10
switchport mode dot1q-tunnel

SPE-Site-A#sh run int f0/9
interface FastEthernet0/9
description Connection to Customer-ABC-Site-A
switchport access vlan 9
switchport mode dot1q-tunnel

Categories: Service Provider Tags: , ,
  1. Michael
    July 5, 2008 at 1:50 am


    I try to build a q-in-q lab, but can not find any complete basic config. for a little network like yours. Please could you help out and explain how the config looks like on both PE switches?

    Thank you very much


  2. irwanp
    July 14, 2008 at 2:26 pm


    You can see my posting in https://irwanp.wordpress.com/2008/07/14/connecting-trunk-with-qinq/

    Hope can answer your question …

    –Irwan P.

  3. Nainit
    September 25, 2010 at 3:16 pm


    Please permit me to become the part of it

  4. June 11, 2011 at 10:20 am

    thanks a lot.clear explanation

  5. Fath
    May 28, 2012 at 5:02 pm

    Much Much thanks to you. You believe it or not first time understood QinQ. Again thank you fox.

    • irwanp
      June 5, 2012 at 4:54 pm

      I’m glad to hear it…

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: