Ethernet Card Software Feature and Configuration Guide, R7.2
January 2009
CHAPTER 9
Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling
Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often
Ethernet-based, with the same security, prioritization, reliability, and manageability requirements of
private networks. Tunneling is a feature designed for service providers who carry traffic of multiple
customers across their networks and are required to maintain the VLAN and Layer 2 protocol
configurations of each customer without impairing the traffic of other customers. The ML-Series cards
support IEEE 802.1Q tunneling and Layer 2 protocol tunneling.
This chapter contains the following sections:
Understanding IEEE 802.1Q Tunneling
Configuring IEEE 802.1Q Tunneling
Understanding VLAN-Transparent and VLAN-Specific Services
Understanding Layer 2 Protocol Tunneling
Configuring Layer 2 Protocol Tunneling

Understanding IEEE 802.1Q Tunneling

Business customers of service providers often have specific requirements for VLAN IDs and the number
of supported VLANs. The VLAN ranges required by different customers in the same service-provider
network might overlap, and traffic of customers through the infrastructure might be mixed. Assigning a
unique range of VLAN IDs to each customer would restrict customer configurations and could easily
exceed the IEEE 802.1Q specification VLAN limit of 4096.
Using the IEEE 802.1Q tunneling (QinQ) feature, service providers can use a single VLAN to support
customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different
customers is segregated within the service-provider infrastructure even when they appear to be on the
same VLAN. IEEE 802.1Q tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy
and tagging the tagged packets. A port configured to support IEEE 802.1Q tunneling is called a tunnel
port. When you configure tunneling, you assign a tunnel port to a VLAN that is dedicated to tunneling.
Each customer requires a separate VLAN, but that VLAN supports all of the customer’s VLANs.
Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an IEEE 802.1Q
trunk port on the customer device and into a tunnel port on the ML-Series card. The link between the
customer device and the ML-Series card is an asymmetric link because one end is configured as an
IEEE 802.1Q trunk port and the other end is configured as a tunnel port. You assign the tunnel port
interface to an access VLAN ID unique to each customer (Figure 9-1).
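
The VLAN-in-VLAN tagging described above, shown at the frame level as an added example (not taken from the Cisco guide or from ML-Series software). It models a tunnel port that adds the customer's access VLAN as an outer tag and a far-end tunnel port that strips it only for its own VLAN. The function names, the MAC addresses, customer VLAN 100, tunnel VLANs 30 and 40, and the use of TPID 0x8100 for the outer tag are assumptions constructed for illustration.

```python
import struct

TPID = 0x8100  # 802.1Q TPID; using it for the outer tag too is an assumption

def push_tag(frame, vlan_id, pcp=0):
    """Insert one 802.1Q tag after the two MAC addresses (first 12 bytes)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    return frame[:12] + struct.pack("!HH", TPID, (pcp << 13) | vlan_id) + frame[12:]

def vlan_stack(frame):
    """Return the VLAN IDs of all stacked tags, outermost first."""
    ids, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid != TPID:
            break
        ids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        off += 4
    return ids

def tunnel_ingress(frame, access_vlan):
    """Tunnel port, customer side: add the outer tag; the customer tag is untouched."""
    return push_tag(frame, access_vlan)

def tunnel_egress(frame, access_vlan):
    """Tunnel port, far side: strip the outer tag, but only for this port's VLAN."""
    stack = vlan_stack(frame)
    if not stack or stack[0] != access_vlan:
        return None  # belongs to another customer (or is untagged): not delivered
    return frame[:12] + frame[16:]

def customer_frame(vlan_id, payload):
    """Constructed sample: locally administered MACs, customer tag, IPv4 EtherType."""
    untagged = (bytes.fromhex("02000000000b02000000000a")
                + struct.pack("!H", 0x0800) + payload)
    return push_tag(untagged, vlan_id)

if __name__ == "__main__":
    # Constructed values: both customers use VLAN 100; tunnel VLANs are 30 and 40.
    a = customer_frame(100, b"customer-A")
    b = customer_frame(100, b"customer-B")
    core_a, core_b = tunnel_ingress(a, 30), tunnel_ingress(b, 40)
    print(vlan_stack(core_a), vlan_stack(core_b))
    print(tunnel_egress(core_a, 30) == a, tunnel_egress(core_b, 30))
```

Both customers keep VLAN 100 inside the provider network, and the outer tag alone decides which tunnel port a frame can leave through.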