Configuring Q-in-Q Tunneling on Security Devices

Q-in-Q tunneling and VLAN translation allow service providers to create a Layer 2 Ethernet connection between two customer sites. Providers can segregate different customers’ VLAN traffic on a link (for example, if the customers use overlapping VLAN IDs) or bundle different customer VLANs into a single service VLAN. Data centers can use Q-in-Q tunneling and VLAN translation to isolate customer traffic within a single site or to enable customer traffic flows between cloud data centers in different geographic locations.

Note

Q-in-Q VLAN tagging is supported only on SRX340, SRX345, SRX550M, and SRX1500 devices.

Note

VLAN translation is supported on SRX300 and SRX320 devices and these devices do not support Q-in-Q tunneling.

Q-in-Q tunneling prepends a service VLAN tag to all customers’ 802.1Q VLAN tags. The Juniper Networks Junos OS implementation of Q-in-Q tunneling supports the IEEE 802.1ad standard.

Note

This task uses a Junos OS release that supports the Enhanced Layer 2 Software (ELS) configuration style.

With releases earlier than Junos OS Release 15.1X49-D80, you cannot create a regular VLAN on an interface if you have created an S-VLAN or C-VLAN on that interface for Q-in-Q tunneling. This means that you cannot create an integrated routing and bridging (IRB) interface on that interface, because regular VLANs are a required part of an IRB configuration. With Junos OS Release 15.1X49-D80, you can create a regular VLAN on a trunk interface that has an S-VLAN, which means that you can also create an IRB interface on the trunk. In this case, the regular VLAN and S-VLAN on the same trunk interface cannot share the same VLAN ID. Junos OS Release 15.1X49-D80 does not allow you to create a regular VLAN on an access interface that has a C-VLAN.

Before setting up Q-in-Q tunneling, make sure you have created and configured the necessary customer VLANs on the neighboring devices. See Example: Configuring VLANs on Security Devices (J-Web Procedure).

Using the Different Mapping Methods

Once you have created the required VLANs on the neighboring devices, configure Q-in-Q tunneling using one of the three methods to map customer VLANs (C-VLANs) to service-provider-defined service VLANs (S-VLANs):

  • All-in-one bundling maps all packets from all C-VLAN interfaces to an S-VLAN.

  • Use many-to-many bundling when you want a subset of the C-VLANs on the access device to be part of multiple S-VLANs.

  • Use specific interface mapping when you want to assign an S-VLAN to a specific C-VLAN on an interface.

Configuring All-in-One Bundling

You can configure Q-in-Q tunneling using the all-in-one bundling method, which forwards all packets entering a C-VLAN interface to an S-VLAN. (Packets are forwarded to the S-VLAN regardless of whether they are tagged or untagged before they enter.) Using this approach saves you the effort of specifying a specific mapping for each C-VLAN.

First configure the S-VLAN and its interface:

  1. Enable the interface to transmit packets with two 802.1Q VLAN tags:
    [edit interfaces interface-name]
    user@host# flexible-vlan-tagging
  2. Enable extended VLAN bridge encapsulation on the interface:
    [edit interfaces interface-name]
    user@host# encapsulation extended-vlan-bridge
  3. Enable the S-VLAN interface to send and receive untagged packets:
    [edit interfaces interface-name]
    user@host# native-vlan-id vlan-id
  4. Bind the logical interface (unit) of the interface to the automatically-created VLAN ID for the S-VLAN:
    [edit interfaces interface-name unit logical-unit-number]
    user@host# vlan-id number
    user@host# family ethernet-switching vlan members vlan-id

For example, the following configuration enables Q-in-Q tunneling on interface ge-0/0/7, enables ge-0/0/7 to accept untagged packets, and binds the VLAN ID of S-VLAN VL-S91 to a logical interface of ge-0/0/7.

set interfaces ge-0/0/7 flexible-vlan-tagging
set interfaces ge-0/0/7 native-vlan-id 91
set interfaces ge-0/0/7 encapsulation extended-vlan-bridge
set interfaces ge-0/0/7 unit 91 vlan-id 91
set interfaces ge-0/0/7 unit 91 family ethernet-switching vlan members VL-S91

Now configure all-in-one bundling on a C-VLAN interface:

  1. Enable the interface to transmit packets with 802.1Q VLAN tags:
    [edit interfaces interface-name]
    user@host# flexible-vlan-tagging
  2. Enable extended VLAN bridge encapsulation on the interface:
    [edit interfaces interface-name]
    user@host# encapsulation extended-vlan-bridge
  3. Enable the C-VLAN interface to send and receive untagged packets:
    [edit interfaces interface-name]
    user@host# native-vlan-id vlan-id
  4. Configure a logical interface to receive and forward any tagged packet whose VLAN ID tag matches the list of VLAN IDs you specify:
    [edit interfaces interface-name unit logical-unit-number]
    user@host# vlan-id-list vlan-id-numbers
    Note

    On some SRX Series devices, you can apply no more than eight VLAN identifier lists to a physical interface.

  5. Configure the system to add an S-VLAN tag (outer tag) as packets travel from a C-VLAN interface to the S-VLAN:
    [edit interfaces interface-name unit logical-unit-number]
    user@host# input-vlan-map push
  6. Configure the system to remove the S-VLAN tag when packets are forwarded (internally) from the S-VLAN interface to the C-VLAN interface:
    [edit interfaces interface-name unit logical-unit-number]
    user@host# output-vlan-map pop
    user@host# family ethernet-switching vlan members vlan-id
  7. Bind the S-VLAN name to its VLAN ID:
    [edit vlans vlan-name]
    user@host# vlan-id vlan-id-numbers

For example, the following configuration makes ge-0/0/4 a member of S-VLAN VL-S91, enables Q-in-Q tunneling, maps packets from C-VLANs to S-VLAN VL-S91, and enables ge-0/0/4 to accept untagged packets. If a packet originates in C-VLAN and needs to be sent across the S-VLAN, a tag with VLAN ID 91 is added to the packet. When a packet is forwarded (internally) from the S-VLAN interface to interface ge-0/0/4, the tag with VLAN ID 91 is removed.

set interfaces ge-0/0/4 flexible-vlan-tagging
set interfaces ge-0/0/4 native-vlan-id 50
set interfaces ge-0/0/4 encapsulation extended-vlan-bridge
set interfaces ge-0/0/4 unit 50 vlan-id-list 30-70
set interfaces ge-0/0/4 unit 50 input-vlan-map push
set interfaces ge-0/0/4 unit 50 output-vlan-map pop
set interfaces ge-0/0/4 unit 50 family ethernet-switching vlan members VL-S91
set vlans VL-S91 vlan-id 91

Configuring Many-to-Many Bundling

You can configure Q-in-Q tunneling using the many-to-many bundling method, which maps packets from multiple C-VLANs to multiple S-VLANs. This method is convenient for mapping a range of C-VLANs without having to specify each one individually. (You can also use this method to configure only one C-VLAN to be mapped to an S-VLAN.)

First configure the S-VLANs and assign them to an interface:

  1. Enable the physical interface to transmit packets with two 802.1Q VLAN tags:
    [edit interfaces interface-name]
    user@host# flexible-vlan-tagging
  2. Enable extended VLAN bridge encapsulation on the interface:
    [edit interfaces interface-name]
    user@host# encapsulation extended-vlan-bridge
  3. Enable the S-VLAN interface to send and receive untagged packets:
    [edit interfaces interface-name]
    user@host# native-vlan-id vlan-id
  4. Bind one of the logical units of the interface to the VLAN ID for one of the S-VLANs.
    [edit interfaces interface-name unit logical-unit-number]
    user@host# vlan-id number
    user@host# family ethernet-switching vlan members vlan-id
  5. Repeat Step 4 to bind the automatically-created VLAN IDs for the other S-VLANs to the other logical units of the interface.

For example, the following configuration creates S-VLANs VL-S10 and VL-S30 and associates them with interface ge-0/0/7. It also enables Q-in-Q tunneling, enables ge-0/0/7 to accept untagged packets, and maps incoming C-VLAN packets to S-VLANs VL-S10 and VL-S30.

set interfaces ge-0/0/7 flexible-vlan-tagging
set interfaces ge-0/0/7 native-vlan-id 10
set interfaces ge-0/0/7 encapsulation extended-vlan-bridge
set interfaces ge-0/0/7 unit 10 vlan-id 10
set interfaces ge-0/0/7 unit 10 family ethernet-switching vlan members VL-S10
set interfaces ge-0/0/7 unit 30 vlan-id 30
set interfaces ge-0/0/7 unit 30 family ethernet-switching vlan members VL-S30

To configure the many-to-many bundling method on a C-VLAN interface, perform the following steps for each customer:

  1. Enable the interface to transmit packets with 802.1Q VLAN tags:
    [edit interfaces interface-name]
    user@host# flexible-vlan-tagging
  2. Enable extended VLAN bridge encapsulation on the interface:
    [edit interfaces interface-name]
    user@host# encapsulation extended-vlan-bridge
  3. Enable the C-VLAN interface to send and receive untagged packets:
    [edit interfaces interface-name]
    user@host# native-vlan-id vlan-id
  4. For each physical interface, configure a logical interface (unit) to receive and forward any tagged packet whose VLAN ID tag matches the list of VLAN IDs you specify:
    [edit interfaces interface-name unit logical-unit-number]
    user@host# vlan-id-list vlan-id-numbers

    To configure only one C-VLAN to be mapped to an S-VLAN, specify only one VLAN ID after vlan-id-list.

    Note

    On some SRX Series devices, you can apply no more than eight VLAN identifier lists to a physical interface.

  5. For each physical interface, configure the system to add an S-VLAN tag (outer tag) as packets travel from the C-VLAN interface to the S-VLAN:
    [edit interfaces interface-name unit logical-unit-number]
    user@host# input-vlan-map push
  6. For each physical interface, configure the system to remove the S-VLAN tag when packets are forwarded from the S-VLAN interface to the C-VLAN interface:
    [edit interfaces interface-name unit logical-unit-number]
    user@host# output-vlan-map pop
    user@host# family ethernet-switching vlan members vlan-id
  7. Bind the S-VLAN name to its VLAN ID:
    [edit vlans vlan-name]
    user@host# vlan-id vlan-id-numbers

For example, the following configuration makes ge-0/0/1 a member of S-VLAN VL-S10, enables Q-in-Q tunneling, and maps packets from C-VLANs 10 through 20 to S-VLAN VL-S10. The configuration for customer 2 makes ge-0/0/2 a member of S-VLAN VL-S30, enables Q-in-Q tunneling, and maps packets from C-VLANs 30 through 40, 50 through 60, and 70 through 80 to S-VLAN VL-S30. Both interfaces are configured to accept untagged packets.

If a packet originates in C-VLAN 10 and needs to be sent over the S-VLAN, a tag with VLAN ID 10 is added to the packet. If a packet is forwarded internally from the S-VLAN interface to ge-0/0/1, the tag with VLAN ID 10 is removed. The same principles apply to the C-VLANs configured on interface ge-0/0/2.

Note

Notice that you can use the same tag value for an S-VLAN and a C-VLAN. For example, the configuration for customer 1 maps C-VLAN 10 to S-VLAN VL-S10. Because C-VLAN and S-VLAN tags use separate namespaces, this configuration is allowed.

Configuration for customer 1:

set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 encapsulation extended-vlan-bridge
set interfaces ge-0/0/1 unit 10 vlan-id-list 10-20
set interfaces ge-0/0/1 native-vlan-id 15
set interfaces ge-0/0/1 unit 10 input-vlan-map push
set interfaces ge-0/0/1 unit 10 output-vlan-map pop
set interfaces ge-0/0/1 unit 10 family ethernet-switching vlan members VL-S10
set vlans VL-S10 vlan-id 10

Configuration for customer 2:

set interfaces ge-0/0/2 flexible-vlan-tagging
set interfaces ge-0/0/2 encapsulation extended-vlan-bridge
set interfaces ge-0/0/2 unit 30 vlan-id-list 30-40
set interfaces ge-0/0/2 unit 30 vlan-id-list 50-60
set interfaces ge-0/0/2 unit 30 vlan-id-list 70-80
set interfaces ge-0/0/2 native-vlan-id 75
set interfaces ge-0/0/2 unit 30 input-vlan-map push
set interfaces ge-0/0/2 unit 30 output-vlan-map pop
set interfaces ge-0/0/2 unit 30 family ethernet-switching vlan members VL-S30
set vlans VL-S30 vlan-id 30
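Before committing a many-to-many configuration like the one above, it is worth checking offline which S-VLAN each customer tag will land in and whether the configuration violates the limits this page states (at most eight VLAN identifier lists per physical interface on some SRX Series devices; input-vlan-map push paired with output-vlan-map pop; every S-VLAN named under vlan members defined under [edit vlans]). The following Python script is an added example, not Juniper code and not a replacement for commit checks on the device: it parses the set-style lines shown on this page (vlan-id-list, input-vlan-map, output-vlan-map, vlan members, native-vlan-id and set vlans ... vlan-id) into a small model, resolves a C-VLAN tag to its S-VLAN, and lints the constraints listed above. The sample configuration is the page's customer 1 and customer 2 configuration; the flexible-vlan-tagging and encapsulation lines are left out because the parser does not model them, and the limit of eight is taken from the page's note.

```python
"""Resolve and lint Q-in-Q C-VLAN to S-VLAN mappings from Junos 'set' lines.
Added example, not Juniper code: it models only the statements shown on the
page and ignores any other line."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the page's customer 1 and customer 2 configurations,
# without the flexible-vlan-tagging / encapsulation lines the parser ignores.
SAMPLE_CONFIG = """
set interfaces ge-0/0/1 unit 10 vlan-id-list 10-20
set interfaces ge-0/0/1 native-vlan-id 15
set interfaces ge-0/0/1 unit 10 input-vlan-map push
set interfaces ge-0/0/1 unit 10 output-vlan-map pop
set interfaces ge-0/0/1 unit 10 family ethernet-switching vlan members VL-S10
set vlans VL-S10 vlan-id 10
set interfaces ge-0/0/2 unit 30 vlan-id-list 30-40
set interfaces ge-0/0/2 unit 30 vlan-id-list 50-60
set interfaces ge-0/0/2 unit 30 vlan-id-list 70-80
set interfaces ge-0/0/2 native-vlan-id 75
set interfaces ge-0/0/2 unit 30 input-vlan-map push
set interfaces ge-0/0/2 unit 30 output-vlan-map pop
set interfaces ge-0/0/2 unit 30 family ethernet-switching vlan members VL-S30
set vlans VL-S30 vlan-id 30
"""

MAX_VLAN_ID_LISTS = 8  # limit the page states for some SRX Series devices

@dataclass
class Unit:
    vlan_id: int | None = None                      # single vlan-id (trunk or swap unit)
    vlan_id_lists: list[tuple[int, int]] = field(default_factory=list)
    input_map: str | None = None                    # push / swap
    output_map: str | None = None                   # pop / swap
    members: list[str] = field(default_factory=list)

@dataclass
class Config:
    units: dict[tuple[str, int], Unit] = field(default_factory=dict)
    native: dict[str, int] = field(default_factory=dict)  # interface -> native-vlan-id
    vlans: dict[str, int] = field(default_factory=dict)   # S-VLAN name -> vlan-id

UNIT_RE = re.compile(r"^set interfaces (\S+) unit (\d+) (.+)$")
NATIVE_RE = re.compile(r"^set interfaces (\S+) native-vlan-id (\d+)$")
VLAN_RE = re.compile(r"^set vlans (\S+) vlan-id (\d+)$")

def parse_config(text: str) -> Config:
    cfg = Config()
    for line in text.strip().splitlines():
        line = line.strip()
        if m := UNIT_RE.match(line):
            unit = cfg.units.setdefault((m.group(1), int(m.group(2))), Unit())
            words = m.group(3).split()
            if words[0] == "vlan-id":
                unit.vlan_id = int(words[1])
            elif words[0] == "vlan-id-list":            # "30-40" or a single "30"
                lo, _, hi = words[1].partition("-")
                unit.vlan_id_lists.append((int(lo), int(hi or lo)))
            elif words[0] == "input-vlan-map":
                unit.input_map = words[1]
            elif words[0] == "output-vlan-map":
                unit.output_map = words[1]
            elif words[:4] == ["family", "ethernet-switching", "vlan", "members"]:
                unit.members.append(words[4])
        elif m := NATIVE_RE.match(line):
            cfg.native[m.group(1)] = int(m.group(2))
        elif m := VLAN_RE.match(line):
            cfg.vlans[m.group(1)] = int(m.group(2))
    return cfg

def resolve(cfg: Config, ifname: str, ctag: int | None):
    """(S-VLAN name, id) that customer tag `ctag` arriving on `ifname` is pushed
    into, or None if no unit bundles it. ctag=None is an untagged frame, which is
    classified by the interface's native-vlan-id."""
    if ctag is None:
        ctag = cfg.native.get(ifname)
        if ctag is None:
            return None
    for (name, _), unit in cfg.units.items():
        if name == ifname and unit.input_map == "push" and unit.members and \
                any(lo <= ctag <= hi for lo, hi in unit.vlan_id_lists):
            return unit.members[0], cfg.vlans.get(unit.members[0])
    return None

def lint(cfg: Config) -> list[str]:
    problems, lists_per_ifd = [], {}
    for (ifname, unit_no), unit in cfg.units.items():
        lists_per_ifd[ifname] = lists_per_ifd.get(ifname, 0) + len(unit.vlan_id_lists)
        for member in unit.members:
            if member not in cfg.vlans:
                problems.append(f"{ifname}.{unit_no}: vlan members {member} has no 'set vlans {member} vlan-id'")
        if (unit.input_map, unit.output_map) in (("push", None), (None, "pop"), ("swap", None), (None, "swap")):
            problems.append(f"{ifname}.{unit_no}: input-vlan-map and output-vlan-map must be configured as a pair")
        if unit.input_map == "push" and not unit.vlan_id_lists:
            problems.append(f"{ifname}.{unit_no}: push without vlan-id-list bundles no C-VLANs")
    for ifname, count in lists_per_ifd.items():
        if count > MAX_VLAN_ID_LISTS:
            problems.append(f"{ifname}: {count} vlan-id-lists exceeds the limit of {MAX_VLAN_ID_LISTS} on some SRX devices")
    return problems

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("lint:", lint(cfg) or "clean")
    for ifname, ctag in (("ge-0/0/1", 15), ("ge-0/0/2", 45), ("ge-0/0/2", None)):
        print(ifname, ctag, "->", resolve(cfg, ifname, ctag))
```

Running the script shows that a frame tagged 45 on ge-0/0/2 resolves to no S-VLAN at all, because the customer 2 lists cover 30-40, 50-60 and 70-80 but not the gaps between them, while an untagged frame on the same interface is classified by native-vlan-id 75 and lands in VL-S30. Traffic that falls into such a gap is silently outside the bundle, which is the kind of mapping hole worth finding before the change window rather than after.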

Configuring a Specific Interface Mapping with VLAN ID Translation Option

You can configure Q-in-Q tunneling by mapping packets from a specified C-VLAN to a specified S-VLAN. In addition, you can configure the system to replace a C-VLAN tag with an S-VLAN tag or replace an S-VLAN tag with a C-VLAN tag (instead of double tagging). This is called VLAN translation or VLAN rewriting. VLAN translation is particularly useful if a service provider’s Layer 2 network that connects to customer sites does not support double tagged packets.

When you use VLAN translation, both ends of the link normally must be able to swap the tags appropriately. That is, both ends of the link must be configured to swap the C-VLAN tag for the S-VLAN tag and swap the S-VLAN tag for the C-VLAN tag so that traffic in both directions is tagged appropriately while in transit and after arrival.

First configure the S-VLAN and its interface:

  1. Enable the interface to transmit packets with 802.1Q VLAN tags:
    [edit interfaces interface-name]
    user@host# flexible-vlan-tagging
  2. Enable the S-VLAN interface to send and receive untagged packets:
    [edit interfaces interface-name]
    user@host# native-vlan-id vlan-id
  3. Enable extended VLAN bridge encapsulation on the interface:
    [edit interfaces interface-name]
    user@host# encapsulation extended-vlan-bridge
  4. Bind the logical interface (unit) of the interface that you specified earlier to the VLAN ID for the S-VLAN:
    [edit interfaces interface-name unit logical-unit-number]
    user@host# vlan-id number
    user@host# family ethernet-switching vlan members vlan-id

For example, the following configuration enables Q-in-Q tunneling on interface ge-0/0/0, enables ge-0/0/0 to accept untagged packets, and binds a logical interface of ge-0/0/0 to the VLAN ID of S-VLAN VL-S200.

set interfaces ge-0/0/0 flexible-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id 10
set interfaces ge-0/0/0 encapsulation extended-vlan-bridge
set interfaces ge-0/0/0 unit 200 vlan-id 200
set interfaces ge-0/0/0 unit 200 family ethernet-switching vlan members VL-S200

Now configure a specific interface mapping with optional VLAN ID translation on the C-VLAN interface:

  1. Enable the interface to transmit packets with 802.1Q VLAN tags:
    [edit interfaces interface-name]
    user@host# flexible-vlan-tagging
  2. Enable the C-VLAN interface to send and receive untagged packets:
    [edit interfaces interface-name]
    user@host# native-vlan-id vlan-id
  3. Enable extended VLAN bridge encapsulation on the interface:
    [edit interfaces interface-name]
    user@host# encapsulation extended-vlan-bridge
  4. Configure a logical interface (unit) to receive and forward any tagged packet whose VLAN ID tag matches the VLAN IDs you specify:
    [edit interfaces interface-name unit logical-unit-number]
    user@host# vlan-id number
  5. Configure the system to remove the existing C-VLAN tag and replace it with the S-VLAN tag when packets enter the C-VLAN interface and are forwarded to the S-VLAN:
    [edit interfaces interface-name unit logical-unit-number]
    user@host# input-vlan-map swap
  6. Configure the system to remove the existing S-VLAN tag and replace it with the C-VLAN tag when packets are forwarded from the S-VLAN interface to the C-VLAN interface:
    [edit interfaces interface-name unit logical-unit-number]
    user@host# output-vlan-map swap
  7. To configure an S-VLAN and associate it with the appropriate C-VLAN interface:
    [edit vlans vlan-name]
    user@host# interface interface-name
  8. Bind the S-VLAN name to its VLAN ID:
    [edit vlans vlan-name]
    user@host# vlan-id vlan-id-numbers

For example, the following configuration on C-VLAN interface ge-0/0/1 enables Q-in-Q tunneling, enables ge-0/0/1 to accept untagged packets, and maps incoming packets from C-VLAN 150 to logical interface 200, which is a member of S-VLAN VL-S200. Also, when packets exit from C-VLAN interface ge-0/0/1 and travel to the S-VLAN interface, the C-VLAN tag of 150 is removed and replaced with the S-VLAN tag of 200. When packets travel from the S-VLAN interface to the C-VLAN interface, the S-VLAN tag of 200 is removed and replaced with the C-VLAN tag of 150.

set interfaces ge-0/0/1 flexible-vlan-tagging
set interfaces ge-0/0/1 native-vlan-id 10
set interfaces ge-0/0/1 encapsulation extended-vlan-bridge
set interfaces ge-0/0/1 unit 200 vlan-id 150
set interfaces ge-0/0/1 unit 200 family ethernet-switching vlan members VL-S200
set interfaces ge-0/0/1 unit 200 output-vlan-map swap
set interfaces ge-0/0/1 unit 200 input-vlan-map swap
set vlans VL-S200 vlan-id 200
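The difference between the all-in-one bundling configuration earlier on this page (input-vlan-map push / output-vlan-map pop) and the VLAN translation configuration just shown (input-vlan-map swap / output-vlan-map swap) is easiest to see at the frame level. The following Python script is an added example, not Juniper code and not a model of how the SRX forwarding plane is implemented: it builds tagged Ethernet frames with struct, applies push, pop and swap to the tag stack the way the page describes them, and parses the result back. It assumes the S-tag uses TPID 0x88A8 as in IEEE 802.1ad and the C-tag uses TPID 0x8100; the TPID a given platform actually emits may differ, and the MAC addresses and payload are constructed.

```python
"""Byte-level model of input-vlan-map / output-vlan-map on an Ethernet frame.
Added example, not Juniper code; TPID values are assumptions, see comments."""
import struct

TPID_CTAG = 0x8100   # customer tag, IEEE 802.1Q
TPID_STAG = 0x88A8   # service tag, IEEE 802.1ad (assumed; a platform may emit 0x8100)
ETHERTYPE_IPV4 = 0x0800

# Constructed MAC addresses for the sample frames.
DST = bytes.fromhex("0200000000aa")
SRC = bytes.fromhex("0200000000bb")

def build_frame(dst, src, tags, payload, pcp=0):
    """Build dst|src|[tag...]|ethertype|payload. tags: (tpid, vid), outermost first."""
    hdr = dst + src
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_tags(frame):
    """Return (tags outermost first as (tpid, vid), ethertype, payload)."""
    tags, off = [], 12
    while True:
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in (TPID_CTAG, TPID_STAG):
            break
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return tags, tpid, frame[off + 2:]

def cvlan_id(frame, native_vid):
    """C-VLAN a frame arriving on a C-VLAN interface belongs to: its outer tag,
    or native-vlan-id when the frame is untagged."""
    tags, _, _ = parse_tags(frame)
    return tags[0][1] if tags else native_vid

def push(frame, svid):
    """input-vlan-map push: prepend an S-tag; the customer's own tag is untouched."""
    return frame[:12] + struct.pack("!HH", TPID_STAG, svid & 0x0FFF) + frame[12:]

def pop(frame):
    """output-vlan-map pop: strip the outermost (S-) tag."""
    if not parse_tags(frame)[0]:
        raise ValueError("pop on an untagged frame")
    return frame[:12] + frame[16:]

def swap(frame, new_tpid, new_vid):
    """input-/output-vlan-map swap: rewrite the outermost tag in place, keeping PCP/DEI."""
    if not parse_tags(frame)[0]:
        raise ValueError("swap on an untagged frame")
    tci = struct.unpack_from("!H", frame, 14)[0]
    new_tci = (tci & 0xF000) | (new_vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", new_tpid, new_tci) + frame[16:]

def demo_all_in_one(cvid=50, svid=91):
    """All-in-one bundling as on the page's ge-0/0/4: C-VLAN 50 rides inside S-VLAN 91
    as a double-tagged frame and comes back unchanged after pop.
    Returns (tags on the S-VLAN, tags after pop, round trip intact)."""
    f = build_frame(DST, SRC, [(TPID_CTAG, cvid)], b"constructed payload")
    on_svlan = push(f, svid)      # ingress on the C-VLAN interface
    back = pop(on_svlan)          # egress back to the C-VLAN interface
    return parse_tags(on_svlan)[0], parse_tags(back)[0], back == f

def demo_translation(cvid=150, svid=200):
    """VLAN translation as on the page's ge-0/0/1: the single tag is rewritten
    150 -> 200 toward the S-VLAN and 200 -> 150 on the way back; never double tagged."""
    f = build_frame(DST, SRC, [(TPID_CTAG, cvid)], b"constructed payload", pcp=5)
    toward_s = swap(f, TPID_STAG, svid)
    back = swap(toward_s, TPID_CTAG, cvid)
    return parse_tags(toward_s)[0], parse_tags(back)[0], back == f

if __name__ == "__main__":
    print("all-in-one:", demo_all_in_one())
    print("translation:", demo_translation())
```

The all-in-one demo returns a two-tag stack on the S-VLAN side, which is exactly the double-tagged frame that a provider network lacking 802.1ad support cannot carry; the translation demo never produces more than one tag, which is why the page recommends it for that case, at the cost of needing the swap configured at both ends so the customer tag is restored on arrival.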