Configuring Q-in-Q Tunneling and VLAN Q-in-Q Tunneling and VLAN Translation | Junos OS (2024)

Q-in-Q tunneling and VLAN translation allow service providersto create a Layer 2 Ethernet connection between two customer sites.Providers can segregate different customers’ VLAN traffic ona link (for example, if the customers use overlapping VLAN IDs) orbundle different customer VLANs into a single service VLAN. Data centerscan use Q-in-Q tunneling and VLAN translation to isolate customertraffic within a single site or to enable customer traffic flows betweencloud data centers in different geographic locations.

Using Q-in-Q tunneling, providers can segregate or bundle customertraffic into fewer VLANs or different VLANs by adding another layerof 802.1Q tags. Q-in-Q tunneling is useful when customers have overlappingVLAN IDs, because the customer’s 802.1Q (dot1Q) VLAN tags areprepended by the service VLAN (S-VLAN) tag. The Juniper Networks Junosoperating system (Junos OS) implementation of Q-in-Q tunneling supportsthe IEEE 802.1ad standard.

How Q-in-Q Tunneling Works

In Q-in-Q tunneling, as a packet travels from a customer VLAN(C-VLAN) to a service provider's VLAN, a customer-specific 802.1Qtag is added to the packet. This additional tag is used to segregatetraffic into service-provider-defined service VLANs (S-VLANs). Theoriginal customer 802.1Q tag of the packet remains and is transmittedtransparently, passing through the service provider's network. Asthe packet leaves the S-VLAN in the downstream direction, the extra802.1Q tag is removed.

When Q-in-Q tunneling is enabled on Juniper Networks EX SeriesEthernet Switches, trunk interfaces are assumed to be part of theservice provider network and access interfaces are assumed to be customerfacing. An access interface can receive both tagged and untagged framesin this case.

An interface can be a member of multiple S-VLANs. You can mapone C-VLAN to one S-VLAN (1:1) or multiple C-VLANs to one S-VLAN (N:1).Packets are double-tagged for an additional layer of segregating orbundling of C-VLANs. C-VLAN and S-VLAN tags are unique; so you canhave both a C-VLAN 101 and an S-VLAN 101, for example. You can limitthe set of accepted customer tags to a range of tags or to discretevalues. Class-of-service (CoS) values of C-VLANs are unchanged inthe downstream direction. You may, optionally, copy ingress priorityand CoS settings to the S-VLAN. On non-ELS switches, you can use privateVLANs to isolate users to prevent the forwarding of traffic betweenuser interfaces even if the interfaces are on the same VLAN.

When Q-in-Q tunneling is enabled, trunk interfaces are assumedto be part of the service provider or data center network. Accessinterfaces are assumed to be customer-facing and accept both taggedand untagged frames. When using many-to-one bundling or mapping aspecific interface, you must use the native option to specifyan S-VLAN for untagged and priority tagged packets if you want toaccept these packets. (Priority tagged packets have their VLAN IDset to 0, and their priority code point bits might be configured witha CoS value.)

If you do not specify an S-VLAN for them, untagged packets arediscarded. The native option is not available for all-in-onebundling because there is no need to specify untagged and prioritytagged packets when all packets are mapped to an S-VLAN.

You can use the native option to specify an S-VLANfor untagged and priority tagged packets when using many-to-one bundlingand mapping a specific interface approaches to map C-VLANs to S-VLANs.(This does not apply to switches supporting ELS.) Otherwise the packetsare discarded. The native option is not available for all-in-onebundling because there is no need to specify untagged and prioritytagged packets when all packets are mapped to the S-VLAN. See theMapping C-VLANs to S-VLANs section of this document for informationon the methods of mapping C-VLANs to S-VLANs.

On QFabric systems only, you can use the native optionto apply a specified inner tag to packets that ingress as untaggedon access interfaces. This functionality is useful if your QFabricsystem connects to servers that host customer virtual machines thatsend untagged traffic and each customer’s traffic requires itsown VLAN while being transported through the QFabric. Instead of usingindividual VLANs for each customer (which can quickly lead to VLANexhaustion), you can apply a unique inner (C-VLAN) tag to each customer’straffic and then apply a single outer tag (S-VLAN) tag for transportthrough the QFabric. This allows you to segregate your customers’straffic while consuming only one QFabric VLAN. Use the inner-tag option of the mapping statement to accomplish this.

On non-ELS switches, firewall filters allow you to map an interfaceto a VLAN based on a policy. Using firewall filters to map an interfaceto a VLAN is useful when you want a subset of traffic from a portto be mapped to a selected VLAN instead of the designated VLAN. Toconfigure a firewall filter to mapan interface to a VLAN, the vlan option has to be configuredas part of the firewall filter and the mapping policy optionmust be specified in the interface configuration for each logical interface using the filter.

Q-in-Q tunneling does not affect any class-of-service (CoS)values that are configured on a C-VLAN. These settings are retainedin the C-VLAN tag and can be used after a packet leaves an S-VLAN.CoS values are not copied from C-VLAN tags to S-VLAN tags.

Depending on your interface configuration, you might need toadjust the MTU value on your trunk or access ports to accommodatethe 4 bytes used for the tag added by Q-in-Q tunneling. For example,if you use the default MTU value of 1514 bytes on your access andtrunk ports, you need to make one of the following adjustments:

• Reduce the MTU on the access links by at least 4 bytesso that the frames do not exceed the MTU of the trunk link when S-VLANtags are added.

• Increase the MTU on the trunk link so that the link canhandle the larger frame size.

How VLAN Translation Works

VLANtranslation replaces an incoming C-VLAN tag with an S-VLAN tag insteadof adding an additional tag. The C-VLAN tag is therefore lost, soa single-tagged packet is normally untagged when it leaves the S-VLAN(at the other end of the link). If an incoming packet has had Q-in-Qtunneling applied in advance, VLAN translation replaces the outertag and the inner tag is retained when the packet leaves the S-VLANat the other end of the link. Incoming packets whose tags do not matchthe C-VLAN tag are dropped, unless additional VLAN translation configurationfor those tags exist.

To configure VLAN translation, use the mapping swap statement at the [edit vlans interface] hierarchylevel. As long as the C-VLAN and S-VLAN tags are unique, you can configuremore than one C-VLAN-to-S-VLAN translation on an access port. If youare translating only one VLAN on an interface, you do not need toinclude the dot1q-tunneling statement in the S-VLAN configuration.If you are translating more than one VLAN, you must use the dot1q-tunneling statement.

Using Dual VLAN Tag Translation

Startingwith Junos OS Release 14.1X53-D40, you can use the dual VLAN tag translation(also known as dual VLAN tag rewrite) feature to deploy switches inservice-provider domains, allowing dual-tagged, single-tagged, anduntagged VLAN packets to come into or exit from the switch. Table 1 shows the operations thatare added for dual VLAN tag translation.

Dual VLAN tag translation supports:

• Configuration of S-VLANs (NNI) and C-VLANs (UNI) on thesame physical interface

• Control protocols such as VSTP, OSPF, and LACP

• IGMP snooping

• Configuration of a private VLAN (PVLAN) and VLAN on asingle-tagged interface

• Use of TPID 0x8100 on both inner and outer VLAN tags

See Setting Up a Dual VLAN TagTranslation Configuration on QFX Switches.

Sending and Receiving Untagged Packets

To enable an interface to send and receive untagged packets,you must specify a native VLAN for a physical interface. When theinterface receives an untagged packet, it adds the VLAN ID of thenative VLAN to the packet in the C-VLAN field and adds the S-VLANtag as well (so the packet is double-tagged), and sends the newlytagged packet to the mapped interface.

The preceding paragraph does not applyto:

• Non-ELS switches.

• EX4300 switches running under a Junos release prior toJunos OS Release 19.3R1.

When the switches in the short list above receive an untaggedpacket, they add the S-VLAN tag to the packet (so the packet is single-tagged)and send the newly tagged packet to the mapped interface.

Starting in Junos OS Release 19.3R1, you can configure EX4300switches to use the double-tag approach. Set the configuration statement input-native-vlan-push to enable and ensure that the input-vlan-map configuration statement is set to push, as shown in thefollowing example:

To specify a native VLAN, use the native-vlan-id statementat the [edit interfaces interface-name] hierarchy level. The native VLAN ID must match the C-VLAN or S-VLAN ID or be included in the VLAN ID list specified on thelogical interface.

For example, on a logical interface for a C-VLAN interface,you might specify a C-VLAN ID list of 100-200. Then, on the C-VLANphysical interface, you could specify a native VLAN ID of 150. Thisconfiguration would work because the native VLAN of 150 is includedin the C-VLAN ID list of 100-200.

We recommend configuring a native VLAN when using any of theapproaches to map C-VLANs to S-VLANs. Seethe Mapping C-VLANs to S-VLANs section in this topic for informationabout the methods of mapping C-VLANs to S-VLANs.

Disabling MAC Address Learning

In a Q-in-Q deployment, customer packets from downstream interfacesare transported without any changes to source and destination MACaddresses. You can disable MAC address learning at global, interface,and VLAN levels:

• To disable learning globally, disable MAC address learningfor the switch.

• To disable learning for an interface, disable MAC addresslearning for all VLANs of which the specified interface is a member.

• To disable learning for a VLAN, disable MAC address learningfor a specified VLAN.

Disabling MAC address learning on an interface disables learningfor all the VLANs of which that interface is a member. When you disableMAC address learning on a VLAN, MAC addresses that have already beenlearned are flushed.

If you disable MAC address learning on an interface or a VLAN,you cannot include 802.1X authentication in that same VLAN configuration.

When a routed VLAN interface (RVI) is associated with either an interface or aVLAN on which MAC address learning is disabled, the Layer 3 routesresolved on that VLAN or that interface are not resolved with theLayer 2 component. This results in routed packets flooding all theinterfaces associated with the VLAN.

Mapping C-VLANs to S-VLANs

There are multiple ways to map C-VLANs to an S-VLAN:

• All-in-one bundling—Use the edit vlans s-vlan-name dot1q-tunneling statement without specifyingcustomer VLANs. All packets received on all access interfaces (includinguntagged packets) are mapped to the S-VLAN.

• Many-to-one bundling—Use the edit vlans s-vlan-name dot1q-tunneling customer-vlans statementto specify which C-VLANs are mapped to the S-VLAN. Use this methodwhen you want a subset of the C-VLANs to be part of the S-VLAN. Ifyou want untagged or priority tagged packets to be mapped to the S-VLAN,use the native option with the customer-vlans statement. (Priority tagged packets have their VLAN ID set to 0,and their priority code point bits might be configured with a CoSvalue.)

• Many-to-many bundling—Use many-to-many bundlingwhen you want a subset of the C-VLANs on the access switch to be partof multiple S-VLANs.

• Mapping a specific interface—Use the edit vlans s-vlan-name interface interface-name mapping statement to specify a C-VLAN for a given S-VLAN.This configuration applies to only one interface—not all accessinterfaces as with all-in-one and many-to-one bundling. If you wantuntagged or priority tagged packets to be mapped to the S-VLAN, usethe native option with the customer-vlans statement.

  This method has two options: swap and push. With the push option,a packet retains its tag and an additional VLAN tag is added. Withthe swap option, the incoming tag is replaced with an S-VLAN tag.(This is VLAN translation.)

  • You can configure multiple push rules for a given S-VLANand interface. That is, you can configure an interface so that thesame S-VLAN tag is added to packets arriving from multiple C-VLANs.

  • You can configure only one swap rule for a given S-VLANand interface.

  This functionality is typically used to keep traffic from differentcustomers separate or to provide individualized treatment for trafficon a certain interface.

If you configure multiple methods, the switch gives priorityto mapping a specific interface, then to many-to-one bundling, andlast to all-in-one bundling. However, you cannot have overlappingrules for the same C-VLAN under a given approach. For example, youcannot use many-to one bundling to map C-VLAN 100 to two differentS-VLANs.

• All-in-One Bundling
• Many-to-One Bundling
• Many-to-Many Bundling
• Mapping a Specific Interface
• Combining Methods and Configuration Restrictions

Routed VLAN Interfaces on Q-in-Q VLANs

Routed VLAN interfaces (RVIs) are supported on Q-in-Q VLANs.

Packets arriving on an RVI that is using Q-in-Q VLANs will getrouted regardless of whether the packet is single or double tagged.The outgoing routed packets contain an S-VLAN tag only when exitinga trunk interface; the packets exit the interface untagged when exitingan access interface.

Constraints for Q-in-Q Tunneling and VLAN Translation

Be aware of the following constraints when configuring Q-in-Qtunneling and VLAN translation:

• Q-in-Q tunneling supports only two VLAN tags.

• Q-in-Q tunneling does not support most access port security features. There is no per-VLAN (customer) policing or per-VLAN (outgoing) shaping and limiting with Q-in-Q tunneling unless you configure these security features by using firewall filters.

• With releases of Junos OS Release 13.2X51 previous to Release 13.2X51-D20, you cannot create a regular VLAN on an interface if you have created an S-VLAN or C-VLAN on that interface for Q-in-Q tunneling. This means that you cannot create an integrated routing and bridging (IRB) interface on that interface because regular VLANs are a required part of IRB configuration. With Junos OS Release 13.2X51-D25, you can create a regular VLAN on a trunk interface that has an S-VLAN, which means that you can also create an IRB interface on the trunk. In this case, the regular VLAN and S-VLAN on the same trunk interface cannot share the same VLAN ID. Junos OS Release 13.2X51-D25 does not allow you to create a regular VLAN on an access interface that has a C-VLAN.

• Starting with Junos OS Release 14.1X53-D40, integrated routing and bridging (IRB) interfaces are supported on Q-in-Q VLANs—you can configure the IRB interface on the same interface as one used by an S-VLAN, and you can use the same VLAN ID for both the VLAN used by the IRB interface and for the VLAN used as an S-VLAN.

  Packets arriving on an IRB interface that is using Q-in-Q VLANs will get routed regardless of whether the packet is single tagged or double tagged. The outgoing routed packets contain an S-VLAN tag only when exiting a trunk interface; the packets exit the interface untagged when exiting an access interface.

  Note:

  You can configure the IRB interface only on S-VLAN (NNI) interfaces, not on C-VLAN (UNI) interfaces.

• Support for QFX5K switches with Q-in-Q interfaces using the vlan-tags statement is limited to Layer 2 interfaces. Layer 3 interfaces that are configured with Q-iQ vlan-tags statements might not function as expected.

• Most access port security features are not supported with Q-in-Q tunneling and VLAN translation.

• Configuring Q-in-Q tunneling and VLAN rewriting/VLAN translation on the same port is not supported.

• You can configure at most one VLAN rewrite/VLAN translation for a given VLAN and interface. For example, you can create no more than one translation for VLAN 100 on interface xe-0/0/0.

• The combined total of VLANs and rules for Q-in-Q tunneling and VLAN translation cannot exceed 6000. For example, you can configure and commit 4000 VLANs and 2000 rules for Q-in-Q tunneling and VLAN translation. However, you cannot configure 4000 VLANs and 2500 rules for Q-in-Q tunneling and VLAN translation. If you try to commit a configuration that exceeds the limit, you see CLI and syslog errors that inform you about the problem.

• You cannot use the native VLAN ID.

• MAC addresses are learned from S-VLANs, not C-VLANs.

• Broadcast, unknown unicast, and multicast traffic is forwarded to all members in the S-VLAN.

• The following features are not supported with Q-in-Q tunneling:

  • DHCP relay

  • Fibre Channel over Ethernet

  • IP Source Guard

• The following features are not supported with VLAN rewriting/VLAN translation:

  • Fibre Channel over Ethernet

  • Firewall filter applied to a port or VLAN in the output direction

  • Private VLANs

  • VLAN Spanning Tree Protocol

  • Reflective relay