Configuring the Switch

Configuring IEEE 802.1Q Tunneling

IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for
multiple customers across their networks. QinQ tunneling is used to maintain
customer-specific VLAN and Layer 2 protocol configurations even when different
customers use the same internal VLAN IDs. This is accomplished by inserting
Service Provider VLAN (SPVLAN) tags into the customer’s frames when they enter
the service provider’s network, and then stripping the tags when the frames leave
the network.

A service provider’s customers may have specific requirements for their internal
VLAN IDs and number of VLANs supported. VLAN ranges required by different
customers in the same service-provider network might easily overlap, and traffic
passing through the infrastructure might be mixed. Assigning a unique range of
VLAN IDs to each customer would restrict customer configurations, require intensive
processing of VLAN mapping tables, and could easily exceed the maximum VLAN
limit of 4096.

QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who
have multiple VLANs. Customer VLAN IDs are preserved and traffic from different
customers is segregated within the service provider’s network even when they use
the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by
using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets,
and adding SPVLAN tags to each frame (also called double tagging).

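
The double tagging described above, as an added example that is not part of the switch documentation: two customers both use customer VLAN 100, and each is kept separate by the SPVLAN tag inserted at the tunnel access port and stripped again on egress. The outer TPID of 0x8100, the MAC addresses, and VLAN IDs 100, 10 and 20 are assumptions made for illustration; the page does not specify them.

```python
import struct

TPID_8021Q = 0x8100   # standard 802.1Q tag protocol identifier
TPID_8021AD = 0x88A8  # IEEE 802.1ad service-tag identifier used by some providers

def tag(vid, pcp=0, tpid=TPID_8021Q):
    """Build one 4-byte VLAN tag: TPID + TCI (3-bit PCP, 1-bit DEI, 12-bit VID)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1-4094")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)

def push_spvlan(frame, spvlan, tpid=TPID_8021Q):
    """Ingress at the tunnel access port: insert the SPVLAN tag after the MACs."""
    return frame[:12] + tag(spvlan, tpid=tpid) + frame[12:]

def pop_spvlan(frame, tpid=TPID_8021Q):
    """Egress: strip the outer tag; return (spvlan, untouched customer frame)."""
    outer_tpid, tci = struct.unpack("!HH", frame[12:16])
    if outer_tpid != tpid:
        raise ValueError("frame carries no outer tag with the expected TPID")
    return tci & 0x0FFF, frame[:12] + frame[16:]

def vlan_stack(frame, tpids=(TPID_8021Q, TPID_8021AD)):
    """Return the VLAN IDs in a frame, outermost first."""
    vids, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid not in tpids:
            break
        vids.append(tci & 0x0FFF)
        off += 4
    return vids

def customer_frame(cvlan):
    """Constructed sample: locally administered MACs, one C-VLAN tag, IPv4 type."""
    macs = bytes.fromhex("020000000002" "020000000001")
    return macs + tag(cvlan) + struct.pack("!H", 0x0800) + b"payload"

def demo():
    """Customers A and B both use C-VLAN 100; SPVLANs 10 and 20 are assumed."""
    a = push_spvlan(customer_frame(100), spvlan=10)
    b = push_spvlan(customer_frame(100), spvlan=20)
    restored = pop_spvlan(a)[1] == customer_frame(100)
    return vlan_stack(a), vlan_stack(b), restored

if __name__ == "__main__":
    print(demo())
```

When the outer and inner tags share TPID 0x8100, a frame that arrives already double tagged cannot be told apart from one tagged by the provider, which is why the SPVLAN must be assigned by the tunnel access port rather than taken from the customer frame.
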
A port configured to support QinQ tunneling must be set to tunnel port mode. The
Service Provider VLAN (SPVLAN) ID for the specific customer must be assigned to
the QinQ tunnel access port on the edge switch where the customer traffic enters
the service provider’s network. Each customer requires a separate SPVLAN, but this
VLAN supports all of the customer's internal VLANs. The QinQ tunnel uplink port
that passes traffic from the edge switch into the service provider’s metro network
must also be added to this SPVLAN. The uplink port can be added to multiple
SPVLANs to carry inbound traffic for different customers onto the service provider’s
network.

When a double-tagged packet enters another trunk port in an intermediate or core
switch in the service provider’s network, the outer tag is stripped for packet
processing. When the packet exits another trunk port on the same core switch, the
same SPVLAN tag is again added to the packet.

When a packet enters the trunk port on the service provider’s egress switch, the
outer tag is again stripped for packet processing. However, the SPVLAN tag is not
added when it is sent out the tunnel access port on the edge switch into the