Business customers of service providers often have specific requirements
for VLAN IDs and the number of VLANs to be supported. The VLAN ranges required
by different customers in the same service-provider network might overlap, and
the traffic of customers through the infrastructure might be mixed. Assigning a
unique range of VLAN IDs to each customer would restrict customer
configurations and could easily exceed the VLAN limit of 4096 of the 802.1Q
Q-in-Q is supported on port channels and virtual port channels
(vPCs). To configure a port channel as an asymmetrical link, all ports in the
port channel must have the same tunneling configuration.
Using the 802.1Q tunneling feature, service providers can use a single
VLAN to support customers who have multiple VLANs. Customer VLAN IDs are
preserved and the traffic from different customers is segregated within the
service-provider infrastructure even when they appear to be on the same VLAN.
802.1Q tunneling expands the VLAN space by using a VLAN-in-VLAN
hierarchy and tagging the tagged packets. A port configured to support 802.1Q
tunneling is called a tunnel port. When you configure tunneling, you assign a
tunnel port to a VLAN that is dedicated to tunneling. Each customer requires a
separate VLAN, but that VLAN supports all of the customer’s VLANs.
Customer traffic that is tagged in the normal way with appropriate VLAN
IDs comes from an 802.1Q trunk port on the customer device and into a tunnel
port on the service-provider edge switch. The link between the customer device
and the edge switch is an asymmetric link because one end is configured as an
802.1Q trunk port and the other end is configured as a tunnel port. You assign
the tunnel port interface to an access VLAN ID that is unique to each customer.
Figure 1. 802.1Q-in-Q Tunnel Ports
Selective Q-in-Q tunneling is not supported. All frames that enter the
tunnel port are subject to Q-in-Q tagging.
Packets that enter the tunnel port on the service-provider edge switch,
which are already 802.1Q-tagged with the appropriate VLAN IDs, are encapsulated
with another layer of an 802.1Q tag that contains a VLAN ID that is unique to
the customer. The original 802.1Q tag from the customer is preserved in the
encapsulated packet. Therefore, packets that enter the service-provider
infrastructure are double-tagged.
The outer tag contains the customer’s access VLAN ID (as assigned by the
service provider), and the inner VLAN ID is the VLAN of the incoming traffic
(as assigned by the customer). This double tagging is called tag stacking,
Double-Q, or Q-in-Q as shown in the following figure.
Figure 2. Untagged, 802.1Q-Tagged, and Double-Tagged Ethernet
By using this method, the VLAN ID space of the outer tag is independent
of the VLAN ID space of the inner tag. A single outer VLAN ID can represent the
entire VLAN ID space for an individual customer. This technique allows the
customer’s Layer 2 network to extend across the service provider network,
potentially creating a virtual LAN infrastructure over multiple sites.
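The tag stacking described above, as an added Python example that is not part of the original documentation or any Cisco code: it pushes an outer tag at tunnel-port ingress, strips it at egress, and reads the resulting VLAN stack. Assumptions: the outer tag uses TPID 0x8100 like the inner tag, and the MAC addresses, payload, customer VLAN 100 and access VLANs 30 and 40 are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q TPID; assumed here for the outer tag as well

def customer_frame(vlan=None):
    """Constructed sample frame: locally administered MACs, EtherType IPv4."""
    hdr = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
    return hdr + tag + struct.pack("!H", 0x0800) + b"constructed payload"

def push_outer_tag(frame, access_vlan, tpid=TPID_8021Q):
    """Tunnel-port ingress: every frame gets an outer tag carrying the
    customer's access VLAN; the bytes after the MACs are left untouched."""
    if not 1 <= access_vlan <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    return frame[:12] + struct.pack("!HH", tpid, access_vlan) + frame[12:]

def pop_outer_tag(frame, tpid=TPID_8021Q):
    """Tunnel-port egress: strip the outer tag, return (outer VLAN, frame)."""
    if len(frame) < 18:
        raise ValueError("too short to carry a VLAN tag")
    found, tci = struct.unpack_from("!HH", frame, 12)
    if found != tpid:
        raise ValueError("frame has no outer tag")
    return tci & 0x0FFF, frame[:12] + frame[16:]

def vlan_stack(frame, tpid=TPID_8021Q):
    """VLAN IDs found after the MAC addresses, outermost first."""
    vids, off = [], 12
    while len(frame) >= off + 4:
        found, tci = struct.unpack_from("!HH", frame, off)
        if found != tpid:
            break
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        off += 4
    return vids

if __name__ == "__main__":
    # Two customers reuse VLAN 100; access VLANs 30 and 40 are made up.
    for name, access_vlan in (("A", 30), ("B", 40)):
        inside = push_outer_tag(customer_frame(100), access_vlan)
        print(name, vlan_stack(inside), pop_outer_tag(inside)[0])
```

Both customers keep inner VLAN 100, and only the outer VLAN ID distinguishes their frames inside the provider network.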
Hierarchical tagging, or multi-level dot1q tagging Q-in-Q, is not