Configuring Q-in-Q Tunneling

 

Q-in-Q tunneling and VLAN translation allow service providers to create a Layer 2 Ethernet connection between two customer sites. Providers can segregate different customers’ VLAN traffic on a link (for example, if the customers use overlapping VLAN IDs) or bundle different customer VLANs into a single service VLAN. Data centers can use Q-in-Q tunneling and VLAN translation to isolate customer traffic within a single site or to enable customer traffic flows between cloud data centers in different geographic locations.

Q-in-Q tunneling adds a service VLAN tag before the customer’s 802.1Q VLAN tags. The Juniper Networks Junos operating system implementation of Q-in-Q tunneling supports the IEEE 802.1ad standard.

Note

This task uses a Junos OS release that supports the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Configuring Q-in-Q Tunneling on QFX Series Switches.

In Junos OS 13.2X51 releases earlier than 13.2X51-D20, you cannot create a regular VLAN on an interface if you have created an S-VLAN or C-VLAN on that interface for Q-in-Q tunneling. This means that you cannot create an integrated routing and bridging (IRB) interface on that interface because regular VLANs are a required part of IRB configuration. With Junos OS 13.2X51-D25, you can create a regular VLAN on a trunk interface that has an S-VLAN, which means that you can also create an IRB interface on the trunk. In this case, the regular VLAN and S-VLAN on the same trunk interface cannot share the same VLAN ID. Junos OS 13.2X51-D25 does not allow you to create a regular VLAN on an access interface that has a C-VLAN.

Before setting up Q-in-Q tunneling, make sure you have created and configured the necessary customer VLANs on the neighboring switches. See Configuring VLANs on Switches.

Using the Different Mapping Methods

Once you have created the required VLANs on the neighboring switches, configure Q-in-Q tunneling using one of the three methods to map customer VLANs (C-VLANs) to service-provider-defined service VLANs (S-VLANs):

Configuring Q-in-Q Tunneling Using All-in-One Bundling

You can configure Q-in-Q tunneling using the all-in-one bundling method, which forwards all packets that ingress on a C-VLAN interface to an S-VLAN. (Packets are forwarded to the S-VLAN regardless of whether they are tagged or untagged prior to ingress.) Using this approach saves you the effort of specifying a specific mapping for each C-VLAN.

First configure the S-VLAN and its interface:

  1. Assign a logical interface (unit) to be a member of the S-VLAN.
    [edit vlans vlan-name]
    user@switch# set interface interface-name.unit-number
    Note

    Do not use logical interface unit 0. You must later bind a VLAN tag ID to the unit you specify in this step, and you cannot bind a VLAN tag ID to unit 0. Also note that you do not create a VLAN ID for the S-VLAN. The ID is created automatically for the appropriate logical interface.

  2. Enable the interface to transmit packets with two 802.1Q VLAN tags:
    [edit interfaces interface-name]
    user@switch# set flexible-vlan-tagging
  3. Enable extended VLAN bridge encapsulation on the interface:
    [edit interfaces interface-name]
    user@switch# set encapsulation extended-vlan-bridge
    Note

    If you configure an enterprise-style configuration such as PVLAN on the same physical interface on which you are configuring Q-in-Q tunneling, use set encapsulation flexible-ethernet-services in step 3. See Understanding Flexible Ethernet Services Encapsulation on Switches.

  4. Enable the S-VLAN interface to send and receive untagged packets:
    [edit interfaces interface-name]
    user@switch# set native-vlan-id vlan-id
  5. Bind the logical interface (unit) of the interface that you specified in step 1 to the automatically created VLAN ID for the S-VLAN:
    [edit interfaces interface-name unit logical-unit-number]
    user@switch# set vlan-id number
Note

If you configured flexible-ethernet-services in step 3, configure vlan-bridge encapsulation on the logical interface:

[edit interfaces interface-name unit logical-unit-number]
user@switch# set encapsulation vlan-bridge

For example, the following configuration makes xe-0/0/0.10 a member of VLAN 10, enables Q-in-Q tunneling on interface xe-0/0/0, enables xe-0/0/0 to accept untagged packets, and binds the VLAN ID of S-VLAN v10 to a logical interface of xe-0/0/0.

set vlans v10 interface xe-0/0/0.10
set interfaces xe-0/0/0 flexible-vlan-tagging
set interfaces xe-0/0/0 native-vlan-id 10
set interfaces xe-0/0/0 encapsulation extended-vlan-bridge
set interfaces xe-0/0/0 unit 10 vlan-id 10

Now configure all-in-one bundling on a C-VLAN interface:

  1. Assign a logical interface (unit) of the C-VLAN interface to be a member of the S-VLAN.
    [edit vlans vlan-name]
    user@switch# set interface interface-name.unit-number
  2. Enable the interface to transmit packets with 802.1Q VLAN tags:
    [edit interfaces interface-name]
    user@switch# set flexible-vlan-tagging
  3. Enable extended VLAN bridge encapsulation on the interface:
    [edit interfaces interface-name]
    user@switch# set encapsulation extended-vlan-bridge
  4. Enable the C-VLAN interface to send and receive untagged packets:
    [edit interfaces interface-name]
    user@switch# set native-vlan-id vlan-id
  5. Configure a logical interface to receive and forward any tagged packet whose VLAN ID tag matches the list of VLAN IDs you specify:
    [edit interfaces interface-name unit logical-unit-number]
    user@switch# set vlan-id-list vlan-id-numbers
    Caution

    You can apply no more than eight VLAN identifier lists to a physical interface. This limitation does not apply to QFX10000 switches.

  6. Configure the system to add an S-VLAN tag (outer tag) as packets travel from a C-VLAN interface to the S-VLAN:
    [edit interfaces interface-name unit logical-unit-number]
    user@switch# set input-vlan-map push
    Note

    You can configure vlan-id on input-vlan-map, but doing so is optional.

  7. Configure the system to remove the S-VLAN tag when packets are forwarded (internally) from the S-VLAN interface to the C-VLAN interface:
    [edit interfaces interface-name unit logical-unit-number]
    user@switch# set output-vlan-map pop

For example, the following configuration makes xe-0/0/1.10 a member of S-VLAN v10, enables Q-in-Q tunneling, maps packets from C-VLANs 100 through 200 to S-VLAN 10, and enables xe-0/0/1 to accept untagged packets. If a packet originates in C-VLAN 100 and needs to be sent across the S-VLAN, a tag with VLAN ID 10 is added to the packet. When a packet is forwarded (internally) from the S-VLAN interface to interface xe-0/0/1, the tag with VLAN ID 10 is removed.

set vlans v10 interface xe-0/0/1.10
set interfaces xe-0/0/1 flexible-vlan-tagging
set interfaces xe-0/0/1 encapsulation extended-vlan-bridge
set interfaces xe-0/0/1 unit 10 vlan-id-list 100-200
set interfaces xe-0/0/1 native-vlan-id 150
set interfaces xe-0/0/1 unit 10 input-vlan-map push
set interfaces xe-0/0/1 unit 10 output-vlan-map pop

Configuring Q-in-Q Tunneling Using Many-to-Many Bundling

You can configure Q-in-Q tunneling using the many-to-many bundling method, which maps packets from multiple C-VLANs to multiple S-VLANs. This method is convenient for mapping a range of C-VLANs without having to specify each one individually. (You can also use this method to configure only one C-VLAN to be mapped to an S-VLAN.)

First configure the S-VLANs and assign them to an interface:

  1. Assign a logical interface (unit) to be a member of one of the S-VLANs. Do not use logical interface unit 0.
    [edit vlans vlan-name]
    user@switch# set interface interface-name.unit-number
    Note

    Note that you do not create a VLAN ID for the S-VLAN. The ID is created automatically for the appropriate logical interface.

  2. Repeat step 1 for the other S-VLANs.
  3. Enable the physical interface to transmit packets with two 802.1Q VLAN tags:
    [edit interfaces interface-name]
    user@switch# set flexible-vlan-tagging
  4. Enable extended VLAN bridge encapsulation on the interface:
    [edit interfaces interface-name]
    user@switch# set encapsulation extended-vlan-bridge
  5. Enable the S-VLAN interface to send and receive untagged packets:
    [edit interfaces interface-name]
    user@switch# set native-vlan-id vlan-id
  6. Bind one of the logical units of the interface to the VLAN ID for one of the S-VLANs.
    [edit interfaces interface-name unit logical-unit-number]
    user@switch# set vlan-id number
  7. Repeat step 6 to bind the automatically created VLAN IDs for the other S-VLANs to the other logical units of the interface.

For example, the following configuration creates S-VLANs v10 and v30 and associates them with interface xe-0/0/0.10, enables Q-in-Q tunneling, enables xe-0/0/0 to accept untagged packets, and maps incoming C-VLAN packets to S-VLANs v10 and v30.

set vlans v10 interface xe-0/0/0.10
set vlans v30 interface xe-0/0/0.10
set interfaces xe-0/0/0 flexible-vlan-tagging
set interfaces xe-0/0/0 native-vlan-id 10
set interfaces xe-0/0/0 encapsulation extended-vlan-bridge
set interfaces xe-0/0/0 unit 10 vlan-id 10
set interfaces xe-0/0/0 unit 30 vlan-id 30

To configure the many-to-many bundling method on a C-VLAN interface, perform the following steps for each customer:

  1. Assign a logical interface (unit) of one C-VLAN interface to be a member of one S-VLAN.
    [edit vlans vlan-name]
    user@switch# set interface interface-name.unit-number
  2. Repeat step 1 to assign another C-VLAN interface (physical interface) to be a member of another S-VLAN.
  3. Enable the interface to transmit packets with 802.1Q VLAN tags:
    [edit interfaces interface-name]
    user@switch# set flexible-vlan-tagging
  4. Enable extended VLAN bridge encapsulation on the interface:
    [edit interfaces interface-name]
    user@switch# set encapsulation extended-vlan-bridge
  5. Enable the C-VLAN interface to send and receive untagged packets:
    [edit interfaces interface-name]
    user@switch# set native-vlan-id vlan-id
  6. For each physical interface, configure a logical interface (unit) to receive and forward any tagged packet whose VLAN ID tag matches the list of VLAN IDs you specify:
    [edit interfaces interface-name unit logical-unit-number]
    user@switch# set vlan-id-list vlan-id-numbers

    To configure only one C-VLAN to be mapped to an S-VLAN, specify only one VLAN ID after vlan-id-list.

    Caution

    You can apply no more than eight VLAN identifier lists to a physical interface. This limitation does not apply to QFX10000 switches.

  7. For each physical interface, configure the system to add an S-VLAN tag (outer tag) as packets travel from the C-VLAN interface to the S-VLAN:
    [edit interfaces interface-name unit logical-unit-number]
    user@switch# set input-vlan-map push
  8. For each physical interface, configure the system to remove the S-VLAN tag when packets are forwarded from the S-VLAN interface to the C-VLAN interface:
    [edit interfaces interface-name unit logical-unit-number]
    user@switch# set output-vlan-map pop

For example, the following configuration makes xe-0/0/1.10 a member of S-VLAN v10, enables Q-in-Q tunneling, and maps packets from C-VLANs 10 through 20 to S-VLAN 10. The configuration for customer 2 makes xe-0/0/2.30 a member of S-VLAN v30, enables Q-in-Q tunneling, and maps packets from C-VLANs 30 through 40, 50 through 60, and 70 through 80 to S-VLAN 30. Both interfaces are configured to accept untagged packets.

If a packet originates in C-VLAN 10 and needs to be sent over the S-VLAN, a tag with a VLAN ID 10 is added to the packet. If a packet is forwarded internally from the S-VLAN interface to xe-0/0/1.10, the tag with VLAN ID 10 is removed. The same principles apply to the C-VLANs configured on interface xe-0/0/2.

Note

Notice that you can use the same tag value for an S-VLAN and C-VLAN. For example, the configuration for customer 1 maps C-VLAN ID 10 to S-VLAN ID 10. C-VLAN and S-VLAN tags use separate name spaces, so this configuration is allowed.

Configuration for customer 1:

set vlans v10 interface xe-0/0/1.10
set interfaces xe-0/0/1 flexible-vlan-tagging
set interfaces xe-0/0/1 encapsulation extended-vlan-bridge
set interfaces xe-0/0/1 unit 10 vlan-id-list 10-20
set interfaces xe-0/0/1 native-vlan-id 15
set interfaces xe-0/0/1 unit 10 input-vlan-map push
set interfaces xe-0/0/1 unit 10 output-vlan-map pop

Configuration for customer 2:

set vlans v30 interface xe-0/0/2.30
set interfaces xe-0/0/2 flexible-vlan-tagging
set interfaces xe-0/0/2 encapsulation extended-vlan-bridge
set interfaces xe-0/0/2 unit 30 vlan-id-list 30-40
set interfaces xe-0/0/2 unit 30 vlan-id-list 50-60
set interfaces xe-0/0/2 unit 30 vlan-id-list 70-80
set interfaces xe-0/0/2 native-vlan-id 75
set interfaces xe-0/0/2 unit 30 input-vlan-map push
set interfaces xe-0/0/2 unit 30 output-vlan-map pop

Configuring a Specific Interface Mapping with VLAN ID Translation Option

You can configure Q-in-Q tunneling by mapping packets from a specified C-VLAN to a specified S-VLAN. In addition, you can configure the system to replace a C-VLAN tag with an S-VLAN tag or replace an S-VLAN tag with a C-VLAN tag (instead of double tagging). This is called VLAN translation or VLAN rewriting. VLAN translation is particularly useful if a service provider’s Layer 2 network that connects a customer’s sites does not support double-tagged packets.

When you use VLAN translation, both ends of the link normally must be able to swap the tags appropriately. That is, both ends of the link must be configured to swap the C-VLAN tag for the S-VLAN tag and swap the S-VLAN tag for the C-VLAN tag so that traffic in both directions is tagged appropriately while in transit and after arrival.

First configure the S-VLAN and its interface:

  1. Assign a logical interface to be a member of the S-VLAN. Do not use unit 0.
    [edit vlans vlan-name]
    user@switch# set interface interface-name.unit-number
    Note

    Note that you do not create a VLAN ID for the S-VLAN. The ID is created automatically for the appropriate logical interface.

  2. Enable the interface to transmit packets with 802.1Q VLAN tags:
    [edit interfaces interface-name]
    user@switch# set flexible-vlan-tagging
  3. Enable the S-VLAN interface to send and receive untagged packets:
    [edit interfaces interface-name]
    user@switch# set native-vlan-id vlan-id
  4. Enable extended VLAN bridge encapsulation on the interface:
    [edit interfaces interface-name]
    user@switch# set encapsulation extended-vlan-bridge
  5. Bind the logical interface (unit) of the interface that you specified earlier to the VLAN ID for the S-VLAN:
    [edit interfaces interface-name unit logical-unit-number]
    user@switch# set vlan-id number

For example, the following configuration creates S-VLAN v200, makes xe-0/0/0.200 a member of that VLAN, enables Q-in-Q tunneling on interface xe-0/0/0, enables xe-0/0/0 to accept untagged packets, and binds a logical interface of xe-0/0/0 to the VLAN ID of VLAN v200.

set vlans v200 interface xe-0/0/0.200
set interfaces xe-0/0/0 flexible-vlan-tagging
set interfaces xe-0/0/0 native-vlan-id 150
set interfaces xe-0/0/0 encapsulation extended-vlan-bridge
set interfaces xe-0/0/0 unit 200 vlan-id 200

Now configure a specific interface mapping with optional VLAN ID translation on the C-VLAN interface:

  1. Assign a logical interface of the C-VLAN interface to be a member of the S-VLAN.
    [edit vlans vlan-name]
    user@switch# set interface interface-name.unit-number
  2. Enable the interface to transmit packets with 802.1Q VLAN tags:
    [edit interfaces interface-name]
    user@switch# set flexible-vlan-tagging
  3. Enable the C-VLAN interface to send and receive untagged packets:
    [edit interfaces interface-name]
    user@switch# set native-vlan-id vlan-id
  4. Enable extended VLAN bridge encapsulation on the interface:
    [edit interfaces interface-name]
    user@switch# set encapsulation extended-vlan-bridge
  5. Configure a logical interface (unit) to receive and forward any tagged packet whose VLAN ID tag matches the VLAN IDs you specify:
    [edit interfaces interface-name unit logical-unit-number]
    user@switch# set vlan-id number
  6. Configure the system to remove the existing C-VLAN tag and replace it with the S-VLAN tag when packets ingress on the C-VLAN interface and are forwarded to the S-VLAN:
    [edit interfaces interface-name unit logical-unit-number]
    user@switch# set input-vlan-map swap
  7. Configure the system to remove the existing S-VLAN tag and replace it with the C-VLAN tag when packets are forwarded from the S-VLAN interface to the C-VLAN interface:
    [edit interfaces interface-name unit logical-unit-number]
    user@switch# set output-vlan-map swap
  8. To configure an S-VLAN and associate it with the appropriate C-VLAN interface:
    [edit vlans vlan-name]
    user@switch# set interface interface-name

For example, the following configuration on C-VLAN interface xe-0/0/1.200 enables Q-in-Q tunneling, enables xe-0/0/1 to accept untagged packets, and maps incoming packets from C-VLAN 150 to logical interface 200, which is a member of S-VLAN 200. Also, when packets egress from C-VLAN interface xe-0/0/1 and travel to the S-VLAN interface, the C-VLAN tag of 150 is removed and replaced with the S-VLAN tag of 200. When packets travel from the S-VLAN interface to the C-VLAN interface, the S-VLAN tag of 200 is removed and replaced with the C-VLAN tag of 150.

set vlans v200 interface xe-0/0/1.200
set interfaces xe-0/0/1 flexible-vlan-tagging
set interfaces xe-0/0/1 native-vlan-id 150
set interfaces xe-0/0/1 encapsulation extended-vlan-bridge
set interfaces xe-0/0/1 unit 200 vlan-id 200
set interfaces xe-0/0/1 unit 200 output-vlan-map swap
set interfaces xe-0/0/1 unit 200 input-vlan-map swap
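
The following is an added example, not Juniper's code: a Python audit that checks a block of Junos set commands against the rules stated in the three procedures above (no unit 0, flexible-vlan-tagging and a Q-in-Q encapsulation on the physical interface, a bound vlan-id or vlan-id-list, input and output VLAN maps paired as push/pop or swap/swap, and the eight-list limit). The function name audit_qinq, the constructed input BAD, and the reading of "VLAN identifier list" as one per logical unit that carries vlan-id-list are assumptions.

```python
from collections import defaultdict

PAIR = {"push": "pop", "swap": "swap"}  # input-vlan-map -> matching output-vlan-map
ENCAPS = {"extended-vlan-bridge", "flexible-ethernet-services"}

# Constructed input: a C-VLAN interface that breaks three of the page's rules.
BAD = """\
set vlans v30 interface xe-0/0/2.0
set interfaces xe-0/0/2 encapsulation extended-vlan-bridge
set interfaces xe-0/0/2 unit 0 vlan-id-list 30-40
set interfaces xe-0/0/2 unit 0 input-vlan-map push
"""

def audit_qinq(config, max_id_lists=8):
    """Check Junos `set` lines against the rules stated in the procedures above."""
    phys = defaultdict(lambda: {"flex": False, "encap": None})
    units = defaultdict(dict)   # "xe-0/0/2.30" -> {"vlan-id-list": "30-40", ...}
    members = []                # (vlan name, logical interface)
    for tok in (line.split() for line in config.splitlines()):
        if len(tok) == 5 and tok[:2] == ["set", "vlans"] and tok[3] == "interface":
            members.append((tok[2], tok[4]))
        elif len(tok) >= 4 and tok[:2] == ["set", "interfaces"]:
            ifd, rest = tok[2], tok[3:]
            if rest[0] == "flexible-vlan-tagging":
                phys[ifd]["flex"] = True
            elif rest[0] == "encapsulation" and len(rest) == 2:
                phys[ifd]["encap"] = rest[1]
            elif rest[0] == "unit" and len(rest) >= 4:
                units[f"{ifd}.{rest[1]}"][rest[2]] = rest[3]
    out = []
    for vlan, ifl in members:
        ifd, _, unit = ifl.rpartition(".")
        if unit == "0":
            out.append(f"{ifl}: unit 0 cannot be bound to a VLAN tag ID")
        if not phys[ifd]["flex"]:
            out.append(f"{ifd}: flexible-vlan-tagging is not set")
        if phys[ifd]["encap"] not in ENCAPS:
            out.append(f"{ifd}: no Q-in-Q encapsulation on the physical interface")
        if not {"vlan-id", "vlan-id-list"} & units[ifl].keys():
            out.append(f"{ifl}: member of {vlan} but no vlan-id or vlan-id-list")
    lists = defaultdict(int)    # assumption: one "list" per unit carrying vlan-id-list
    for ifl, u in units.items():
        if "vlan-id-list" in u:
            lists[ifl.rpartition(".")[0]] += 1
        mode = u.get("input-vlan-map")
        if mode in PAIR and u.get("output-vlan-map") != PAIR[mode]:
            out.append(f"{ifl}: input-vlan-map {mode} needs output-vlan-map {PAIR[mode]}")
    out += [f"{ifd}: {n} vlan-id-list units exceeds {max_id_lists}"
            for ifd, n in lists.items() if n > max_id_lists]
    return out

if __name__ == "__main__":
    print("\n".join(audit_qinq(BAD)))
```

Pass max_id_lists a larger value when auditing QFX10000 configurations, where the page says the eight-list limit does not apply.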