802.1q Tunneling

l2tunnel_blogBy taking traffic that is already 802.1q tagged and adding another tag on top of it we can create an 802.1q, or Q-in-Q, tunnel. This is a handy feature that service providers may use in a metro ethernet.
802.1q tunneling allows service providers to use a single VLAN to support multiple VLANs of customers, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated.

Traffic from R1 enters SW1 with an 802.1q tag. SW1 adds another 802.1q tag and forwards the frame across the network. When the frame reaches SW4 it strips the outer 802.1q tag and leaves the inner one. When R4 receives the frame with the first 802.1q tag R4 processes the frame as if it came directly from R1. I have created a Layer 2 tunnel through the switches. From the routers perspective they are directly connected and will pass L2 traffic, like CDP. Here’s how the config looks for it

R1(config)#int fa0/0
R1(config-if)#no shut
R1(config-if)#int fa0/0.14
R1(config-if)#encapsulation dot1q 14
R1(config-if)#ip address
R4(config)#int fa0/0
R4(config-if)#no shut
R4(config-if)#encapsulation dot1q 14
R4(config-if)#ip address

With the routers setup and ready to send and receive 802.1q tagged traffic, let’s use vlan 100. So we will create the vlan and create trunks between the switches

SW1(config)#vlan 100
SW1(config-vlan)#int fa1/12
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW2(config)#vlan 100
SW2(config-vlan)#int fa1/12
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#int fa1/23
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW3(config)#vlan 100
SW3(config-vlan)#int fa1/23
SW3(config-if)#switchport trunk encapsulation dot1q
SW3(config-if)#switchport mode trunk
SW3(config-if)#int fa1/34
SW3(config-if)#switchport trunk encapsulation dot1q
SW3(config-if)#switchport mode trunk
SW4(config)#vlan 100
SW4(config-vlan)#int fa1/34
SW4(config-if)#switchport trunk encapsulation dot1q
SW4(config-if)#switchport mode trunk

Now let’s configure routers connections

SW1(config)#int fa1/0
SW1(config-if)#switchport access vlan 100
SW1(config-if)#switchport mode dot1q-tunnel
SW1(config-if)l2protocol-tunnel cdp
SW1(config-if)#no cdp enable
SW4(config)#int fa1/0
SW4(config-if)#switchport access vlan 100
SW4(config-if)#switchport mode dot1q-tunnel
SW4(config-if)#l2protocol-tunnel cdp
SW4(config-if)#no cdp enable

what we’ve done is :
–>access ports that connect to the routers we placed them in vlan 100
–>even though the router is already sending traffic with frames tagged with vlan 14, we are appending ( or adding on top) this new vlan.
–>We told the switches that these ports at the beginning and ending of an 802.1q tunnel.
–>we want to send cdp traffic across this tunnel.
–>we don’t want to send or receive cdp traffic on this interface. The cdp traffic can pass through the interface, but we aren’t participating in it.

Let’s see what the routers see.
R1#sho cdp neighbors
 Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
 S – Switch, H – Host, I – IGMP, r – Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
 R4 Fas 0/0 135 R S I 3750 Fas 0/0




About ccie4all
Hello, and welcome to the first post of my CCIE blog This blog has got one simple goal and that is to improve our skills in Cisco Networking field so we can become best engineers on a job market. Wordpress Blog https://ccie4all.wordpress.com/ information about the changes made to Gns3 BGP , MPLS and R&S CCIE labs. In order to access and download all provided materials and receive important updates from Gns3 BGP , MPLS and R&S CCIE labs under GNS3 tab in the main header please go ahead and subscribe to https://ccie4all.wordpress.com/ ! All other posts have not been affected and can be accessed at any given time. Enjoy ! Tom

9 Responses to 802.1q Tunneling

  1. RSAR says:

    Hi, Does Cisco ME-3400G-12CS-D 12.2(50)SE4 ME340x-METROACCESS-M, supports QinQ?

    • ccie4all says:

      hi Rudy,

      I’m pretty certain that it does not and you would have to upgrade to 12.2(54)SE where IEEE 802.1ad standard was introduced that allows traditional QinQ tunnels and 802.1ad tunnels on a bridge at the same time , however please could you let us know as in this case I could be mistaken


      • RSAR says:

        Thank you Tom.

  2. rsar says:

    Hi Tom,
    How about this model then? Does it support QinQ?

    ME-3400-24TS-D 12.2(55)SE ME340x-METROBASEK9-M

  3. Once you have configured “switchport mode dot1q-tunnel” you should also increase System MTU to 1504 on provider switches. This is because of additional VLAN tag increases overhead on frames.

    • ccie4all says:

      Thanks Jaakko! Great catch ! Let’s keep sharing our knowledge and master every technology out there !


  4. Pingback: 802.1Q Tunneling | dtechquest

  5. Pingback: https://ccie4all.wordpress.com/2012/12/25/802-1q-tunneling/ | pedroccna

  6. Victoria says:

    Dear Tom,
    Please kindly answer in which programm did you create this topology. If you did it in GNS3 what kind of IOS image did you use?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: