Stacking and Rewriting Gigabit Ethernet VLAN Tags Overview

Stacking and rewriting VLAN tags, commonly known as Q-in-Q tunneling, enables the use of an additional (outer) VLAN tag to differentiate between customer edge (CE) routers that share the same VLAN ID.

You can stack and rewrite VLAN tags on the following interfaces:

  • Gigabit Ethernet

  • Gigabit Ethernet IQ

  • 10-Gigabit Ethernet LAN/WAN PIC

  • 40-Gigabit Ethernet MIC

  • 100-Gigabit Ethernet MIC

  • Gigabit Ethernet IQ2 and IQ2-E

  • 10-Gigabit Ethernet IQ2 and IQ2-E interfaces, and MX Series router Gigabit Ethernet Interfaces

  • Tri-Rate Ethernet copper, and 10-Gigabit Ethernet interfaces with the VLAN encapsulation type configured to support L2 tunneling protocols such as circuit cross-connect (CCC) or virtual private LAN service (VPLS) (as described in 802.1Q VLANs Overview)

Stacking VLAN tags encapsulates multiple VLAN identifiers within a single frame. This approach supports hierarchical segmentation of broadcast domains and enables flexible Layer 2 forwarding. Rewriting VLAN tags modifies these identifiers to ensure that frames are correctly associated with the intended broadcast or bridge domain, either within a virtual switch or across network boundaries. This mechanism is fundamental in Juniper's Layer 2 architecture to maintain traffic isolation and efficient forwarding.

In modern networking, the concepts of broadcast domains, bridge domains, and virtual switches play a vital role in segmenting and managing traffic efficiently. Technologies such as Integrated Routing and Bridging (IRB) and VLAN tag manipulation, including stacking (Q-in-Q) and rewriting of Gigabit Ethernet VLAN tags, offer advanced capabilities for traffic isolation, service differentiation, and support for multi-tenant environments.

A broadcast domain is a network segment in which all devices receive broadcast frames sent by any other device within the segment. Routers typically define the boundaries of broadcast domains, as routers do not forward broadcast traffic. Switches and bridges can subdivide networks into multiple broadcast domains using VLANs. While a broadcast domain is a network area where all devices receive broadcast traffic, a bridge domain is a logical Layer 2 construct used to group interfaces for forwarding and flooding decisions, often in virtualized or service provider networks.

A bridge domain is a logical grouping of network interfaces that are bridged together. It operates as a Layer 2 segment where devices can communicate directly without routing. Bridge domains often consist of one or more ports or port-VLAN pairs across multiple devices. For example, an IEEE 802.1Q VLAN can span multiple ports on different devices, and each port or VLAN can belong to only one bridge domain.

While a bridge domain represents a logical L2 forwarding construct, a virtual switch implements this functionality by connecting virtual interfaces within the same bridge domain to enable intra-domain communication. It functions similarly to a physical switch but operates in a virtualized environment. Virtual switches manage VLANs and isolate traffic between virtual networks. Within a virtual switch, VLAN IDs are unique—no two bridge domains can share the same VLAN ID.

Each bridge domain can optionally include a routing interface. Integrated Routing and Bridging (IRB) integrates Layer 2 and Layer 3 functionalities within a single interface, allowing it to perform both bridging and routing operations. IRB is especially useful in environments that require routing between VLANs while maintaining Layer 2 connectivity within each VLAN.

When a VLAN tag is pushed on IQ2 interfaces, 10-Gigabit Ethernet LAN/WAN PIC, 40-Gigabit Ethernet MIC, 100-Gigabit Ethernet MIC, IQ2-E interfaces, and MX Series interfaces, the inner VLAN IEEE 802.1p bits are copied to the IEEE bits of the VLAN or VLANs being pushed. If the original packet is untagged, the IEEE bits of the VLAN or VLANs being pushed are set to 0.

Note:

When swap-by-poppush is configured on the interface and a VLAN tag is swapped, the inner VLAN IEEE 802.1p bits are copied to the IEEE bits of the VLAN being swapped. If swap-by-poppush is not configured on the interface, the IEEE 802.1p bits of the VLAN being swapped remain the same.
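The push behavior described above can be checked at the byte level. The following is an added example, not Juniper code: it models only the push operation (not swap), and the TPID of 0x8100, the DEI bit of 0, the MAC addresses, and the VLAN IDs are assumptions or constructed sample values.

```python
import struct

TPID = 0x8100  # assumed TPID for every tag; the page does not state one


def parse(frame: bytes):
    """Split a frame into (MACs, [(pcp, dei, vid), ...] outermost first, rest)."""
    macs, off, tags = frame[:12], 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return macs, tags, frame[off:]  # rest starts at the EtherType


def push(frame: bytes, vid: int) -> bytes:
    """Push one outer tag; its 802.1p bits are inherited as the page describes."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    macs, tags, _ = parse(frame)
    pcp = tags[0][0] if tags else 0  # untagged original -> 802.1p bits set to 0
    tci = (pcp << 13) | vid          # DEI left at 0 (assumption)
    return macs + struct.pack("!HH", TPID, tci) + frame[12:]


def build(tags, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Constructed sample frame: fixed MACs, given (pcp, vid) tags, dummy payload."""
    hdr = bytes.fromhex("020000000002" "020000000001")
    for pcp, vid in tags:
        hdr += struct.pack("!HH", TPID, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # Two CE frames share inner VLAN 100; the outer tag tells them apart.
    samples = [("CE-A", build([(5, 100)]), 1001),
               ("CE-B", build([(2, 100)]), 1002),
               ("untagged", build([]), 1003)]
    for name, frame, outer_vid in samples:
        print(name, parse(push(frame, outer_vid))[1])
```

Running it shows each outer tag carrying the priority of the tag beneath it, and a priority of 0 when the original frame was untagged.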