Configuring QINQ


Overview of QINQ

QINQ technology is also known as Stacked VLAN. The standard is derived from IEEE 802.1ad: before a user packet enters the service provider network, it is encapsulated with the public network VLAN Tag of the service provider, and the private network user VLAN Tag already in the packet is treated as data, so the packet crosses the service provider network carrying two layers of VLAN tags. In a metropolitan area network, a large number of VLANs are required to isolate users, and the 4094 VLANs supported by the IEEE 802.1Q protocol are far from meeting the requirements. With the double-layer Tag encapsulation of QINQ, packets in the service provider network are forwarded only according to the unique outer VLAN Tag allocated on the public network, so the VLANs of different private network users can be reused and the number of VLAN tags available to users is expanded. QINQ also provides a simple Layer 2 VPN function, so it is in effect a VLAN VPN technology. In addition to QINQ, common VLAN VPN technologies also include VLAN Mapping. The only difference between the two is that QINQ stacks VLAN tags, while VLAN Mapping maps one VLAN to another.

VLAN Stacking

VLAN Stacking: From the user network to the provider network, a single-layer tag becomes a double-layer tag, and the C-Tag remains in the packet as the inner tag; in the reverse direction, the double-layer tag becomes a single-layer tag again. VLAN Stacking QINQ is divided into three types:

  • Type A: Basic QINQ, which is enabled and disabled per interface. When an interface with basic QINQ enabled receives a packet, the packet is treated as un-tagged, and a VLAN tag carrying the default VLAN of the port is added on top of the original packet.
  • Type B: Flexible QINQ based on C-tag. An S-VLAN tag is added to the original packet according to the C-VLAN Tag on the user side and the configured mapping policy. There are two configuration methods for this type of QINQ, and only one of them can be selected. One is to configure the mapping relationship between C-VLAN and S-VLAN directly on the interface; the other is to configure a VLAN VPN globally (which includes the mapping relationship between C-VLAN and S-VLAN) and then associate the VPN with the interface. When the same mapping policy is used on multiple interfaces, the latter method is generally chosen. For this type of QINQ, if the packets received by the interface are un-tagged, the C-tag is the default VLAN Tag of the interface.
  • Type C: ACL-based flexible QINQ, which adds outer tags according to the configured traffic policy. This type of QINQ is configured in the "QOS" module; for details, refer to the "Configuring QOS" chapter. In the policy pair between Policy-map and Class-map, "nest vlan <1-4094>" is used to configure ACL-based flexible QINQ.

The above three types of QINQ can be enabled at the same time on the same port, and their priority relationship is: Type C > Type B > Type A.
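The tag stack and the Type B over Type A priority described above, as an added example (not code from this page or from the switch software). It assumes the IEEE 802.1ad S-Tag TPID 0x88A8, since the page does not state which outer TPID the switch uses; the function names and the sample frame are constructed for illustration, and Type C (ACL-based) is not modelled.

```python
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag (C-Tag)
TPID_STAG = 0x88A8  # IEEE 802.1ad service tag (S-Tag); assumed, the page gives no TPID

def vlan_tag(tpid, vid):
    """Encode one 4-byte VLAN tag (priority bits left at 0)."""
    return struct.pack("!HH", tpid, vid & 0x0FFF)

def parse_tags(frame):
    """Return [(tpid, vid), ...] for the tag stack after the two MAC addresses."""
    tags, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in (TPID_CTAG, TPID_STAG):
            break
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return tags

def select_svlan(cvid, pvid, basic=False, flexible=()):
    """Pick the S-VLAN to push: Type B (C-tag mapping) outranks Type A (basic)."""
    match_vid = pvid if cvid is None else cvid  # untagged: C-tag is the port default VLAN
    for cvlans, svlan in flexible:
        if match_vid in cvlans:
            return svlan
    return pvid if basic else None

def ingress(frame, pvid, basic=False, flexible=()):
    """Customer -> provider: push the S-Tag in front of any existing C-Tag."""
    tags = parse_tags(frame)
    svid = select_svlan(tags[0][1] if tags else None, pvid, basic, flexible)
    if svid is None:
        return frame
    return frame[:12] + vlan_tag(TPID_STAG, svid) + frame[12:]

def egress_untag(frame):
    """Provider -> customer with untag output: strip the outer tag only."""
    return frame[:12] + frame[16:] if parse_tags(frame) else frame

# Constructed sample: customer frame tagged with C-VLAN 150, IPv4 EtherType, dummy payload.
MACS = bytes.fromhex("020000000002" "020000000001")
CUSTOMER = MACS + vlan_tag(TPID_CTAG, 150) + bytes.fromhex("0800") + b"payload"
# Mapping policy from Example 2 on this page: cvlan 1-100 -> 100, cvlan 101-200 -> 200.
POLICY = [(range(1, 101), 100), (range(101, 201), 200)]

if __name__ == "__main__":
    out = ingress(CUSTOMER, pvid=10, basic=True, flexible=POLICY)
    print([(hex(t), v) for t, v in parse_tags(out)])
```

The customer's C-VLAN 150 stays in the frame as the inner tag, so anything on the provider side that inspects only the outer tag sees S-VLAN 200 and nothing else.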

VLAN Mapping

VLAN Mapping: From the user network to the provider network, the packet still carries a single-layer Tag, but the C-Tag becomes the S-Tag; in the reverse direction, the S-Tag becomes the C-Tag. VLAN Mapping is divided into 1:1 VLAN Mapping and 1:N VLAN Mapping (the reverse is N:1). Currently, only 1:1 VLAN Mapping is supported. VLAN Mapping is configured by creating a VLAN VPN globally and then associating the VPN with the interface. VLAN Mapping takes effect only for tagged packets, which is very different from the QINQ function. Upstream, the original packets must carry tags for the CVLAN-to-SVLAN mapping to take place; downstream, the VLAN output rule on downlink interfaces must be tag output for the SVLAN-to-CVLAN mapping to take place. The following points should be noted when configuring QINQ and VLAN Mapping.

Note

Only physical interfaces support the configuration of QINQ and VLAN Mapping; aggregated interfaces do not. The QINQ function and the VLAN Mapping function must be used in conjunction with the VLAN configuration. In both the input and output directions, the VLAN filtering function and the rules for whether a VLAN carries tags are all subject to the VLAN configuration. The specific requirements are as follows:

  • Both CVLAN and SVLAN need to be added to the allow list of the downlink interface (connected to the Customer network), otherwise the flow will be filtered.
  • The SVLAN needs to be added to the allow list of the uplink interface (connected to the provider network), otherwise the flow will be filtered.
  • For QINQ, on the downlink interface, SVLAN should be configured with untag output, so as to strip the outer tag of QINQ downstream.
  • For VLAN-Map, since it only takes effect for tagged packets, on downlink interfaces the SVLAN should be configured with tag output; otherwise the downstream flow cannot complete the mapping from SVLAN to CVLAN.

The globally configured VLAN VPN is used either for VLAN Stacking (QINQ) or for VLAN Mapping, but not both. VLAN Mapping only supports 1:1 mapping. Therefore, a VLAN VPN that contains an N:1 mapping cannot be associated with an interface as a VLAN Mapping VPN. Similarly, once a VPN has been associated with an interface for VLAN Mapping, its mapping relationship cannot be changed to N:1. The mapping relationship of VLAN Mapping must be consistent globally, so different interfaces can only be associated with the same VLAN VPN. If VLAN Mapping and QINQ need to be applied on the same interface at the same time, the two functions need to control different CVLANs and SVLANs. The specific constraints are as follows.

  • If VLAN Mapping is used together with basic QINQ, the basic QINQ will take effect and VLAN Mapping will be invalid.
  • If VLAN Mapping and flexible QINQ are used together, and the SVLAN that VLAN Mapping assigns to a flow can also be matched as a CVLAN by the mapping policy of flexible QINQ, flexible QINQ takes effect on the final packet: the SVLAN is added as the outer tag and the inner tag remains unchanged (it is not the VLAN mapped by VLAN Mapping).
  • Because of the above constraints, when both functions are enabled on the same interface, make sure that the VLANs controlled by the two do not overlap.

For Type B QINQ, you can either configure the mapping policy directly under the interface or associate the interface with a VPN, but the two cannot be configured at the same time.

Configuring

  • Creating VLAN VPN
SWITCH(config)#vlan-vpn VPN-NAME
SWITCH(config)#no vlan-vpn VPN-NAME

There can be multiple VPNs in the system, and each VPN maintains the mapping relationship between independent CVLANs and SVLANs. A VPN will only actually take effect when applied to an interface. A VPN can be applied to VLAN Stacking (QINQ) or VLAN Mapping, but only one of the two can be selected.

SWITCH(config-vlan-vpn)#cvlan VLAN_LIST svlan VLANID
SWITCH(config-vlan-vpn)#no cvlan VLAN_LIST
SWITCH(config-vlan-vpn)#no cvlan

The valid range of VLAN_LIST and VLANID is <1,4094>. VLAN_LIST supports the standard multi-VLAN notation ("-", "," and combinations of both). no cvlan without any parameters clears all the mapping relationships in the VPN.

SWITCH(config-if)#switchport vlan-stacking basic
SWITCH(config-if)#no switchport vlan-stacking basic

After basic QINQ is enabled, all incoming packets from this interface match the QINQ rules, and the mapped SVLAN is the default VLAN ID of the interface.

SWITCH(config-if)#switchport vlan-stacking cvlan VLAN_LIST svlan VLANID
SWITCH(config-if)#no switchport vlan-stacking cvlan VLAN_LIST
SWITCH(config-if)#no switchport vlan-stacking cvlan

This is similar to the mapping relationship configuration under a VPN. The mapping relationship can be configured directly only when the interface is not associated with a VPN.

SWITCH(config-if)#switchport vlan-stacking vpn VPN-NAME
SWITCH(config-if)#no switchport vlan-stacking vpn

An interface can only be associated with one VPN. The VPN association configuration can be performed only when the interface is not configured with a mapping relationship.

SWITCH(config-if)#no switchport vlan-stacking

Equivalent to three commands: no switchport vlan-stacking basic, no switchport vlan-stacking cvlan, and no switchport vlan-stacking vpn.

SWITCH(config-if)#switchport vlan-mapping vpn VPN-NAME
SWITCH(config-if)#no switchport vlan-mapping

VLAN mapping configured on different interfaces must be associated with the same VPN, and the mapping relationship in that VPN must be 1:1.

Examples

Example 1: This example shows how to configure L2 VPN service. Service Provider provides VPN for Enterprise A and Enterprise B:

  • Enterprise A and enterprise B belong to different VLANs on the public network, and communicate through their own public network VLANs.
  • The VLANs in enterprise A and enterprise B are transparent to the public network, and the user VLANs in enterprise A and enterprise B can be reused without conflict.
  • The tunnel port encapsulates user data packets with a VLAN Tag of its native VLAN. In the public network, user data packets are transmitted in the native VLAN, which does not affect the use of VLANs in the different enterprise user networks and implements a simple Layer 2 VPN.

Illustration:

  • Customer A1, Customer A2, Customer B1 and Customer B2 are the edge devices of the network where enterprise user A and enterprise user B are located, respectively. Provider A and Provider B are edge devices of the service provider network, and enterprise A and enterprise B access the public network through the edge devices of the provider.
  • The VLAN range of the office network used by enterprise A is VLAN 1-100.
  • The VLAN range of the office network used by enterprise B is VLAN 1-200.

ProviderA and ProviderB are completely symmetrical and have exactly the same configuration:

  • Configuring VLAN
SWITCH(config)#vlan 2-200
SWITCH(config)#interface gigabitEthernet0/1
SWITCH(config-if)#switchport mode trunk
SWITCH(config-if)#switchport trunk allowed vlan 1-100
SWITCH(config-if)#switchport trunk native vlan 10
SWITCH(config)#interface gigabitEthernet0/2
SWITCH(config-if)#switchport mode trunk
SWITCH(config-if)#switchport trunk native vlan 10
SWITCH(config-if)#interface gigabitEthernet0/5
SWITCH(config-if)#switchport mode trunk
SWITCH(config)#interface gigabitEthernet0/1-2
SWITCH(config-if)#switchport vlan-stacking basic
SWITCH(config-if)#exit

Example 2: This example shows how to implement Layer 2 VPN and service flow management based on flexible QINQ. Basic QINQ can only encapsulate user data packets in the outer tag of a native VLAN, that is, the encapsulation of the outer tag depends on the native VLAN of the tunnel port. Flexible QINQ encapsulates the service provider's (ISP's) outer tags (S-Tags) according to the tags of the user packets (i.e. C-Tags), so that VPN transparent transmission and service flow QoS policies can be implemented flexibly. As shown in the figure below, the client devices in the metropolitan area network are aggregated through the corridor switches in the community, and broadband Internet access and IPTV services are distinguished by assigning them different VLANs so that they receive different QoS service policies. Illustration: PE1 and PE2 are configured exactly the same:

SWITCH(config)#vlan 2-200
SWITCH(config)#interface gigabitEthernet0/1
SWITCH(config-if)#switchport mode hybrid
SWITCH(config-if)#switchport hybrid untagged vlan 100,200
SWITCH(config-if)#switchport hybrid vlan 100
SWITCH(config-if)#interface gigabitEthernet0/2
SWITCH(config-if)#switchport mode trunk
SWITCH(config-if)#exit
SWITCH(config)#vlan-vpn isp
SWITCH(config-vlan-vpn)#cvlan 1-100 svlan 100
SWITCH(config-vlan-vpn)#cvlan 101-200 svlan 200
SWITCH(config-vlan-vpn)#interface gigabitEthernet0/1
SWITCH(config-if)#switchport vlan-stacking vpn isp
SWITCH(config-if)#exit

Example 3: This example shows how to implement Layer 2 VPN and service flow management based on VLAN Mapping. Similar to Example 2, the broadband Internet access service and the IPTV service of the user are distinguished. For example, the broadband Internet access service is VLAN2, and the IPTV service is VLAN3. In the ISP network, VLAN200 and VLAN300 are used to represent the broadband Internet access service and the IPTV service respectively. Ports 1-10 of the PE device are all connected to the CE device, and the uplink interface is gigabitEthernet0/11. PE1 and PE2 are configured exactly the same:

SWITCH(config)#vlan 2-3,200,300
SWITCH(config)#interface gigabitEthernet0/1-10
SWITCH(config-if)#switchport mode trunk
SWITCH(config-if)#interface gigabitEthernet0/11
SWITCH(config-if)#switchport mode trunk
SWITCH(config-if)#exit
SWITCH(config)#vlan-vpn isp-map
SWITCH(config-vlan-vpn)#cvlan 2 svlan 200
SWITCH(config-vlan-vpn)#cvlan 3 svlan 300
SWITCH(config-vlan-vpn)#interface gigabitEthernet0/1-10
SWITCH(config-if)#switchport vlan-mapping vpn isp-map
SWITCH(config-if)#exit

Display Information

  • Display a VPN Information
SWITCH#show vlan-vpn test

-----------------------------------------------------------
VLAN VPN: test
Class: vlan-stacking
Mapping attributes:
  cvlan 1-25,73,75-80 svlan 3
  cvlan 200 svlan 4
Applied interfaces:
  gigabitEthernet0/17
  gigabitEthernet0/18

SWITCH#show vlan-vpn

-----------------------------------------------------------
VLAN VPN: test
Class: vlan-stacking
Mapping attributes:
  cvlan 1-25,73,75-80 svlan 3
  cvlan 200 svlan 4
Applied interfaces:
  gigabitEthernet0/17
  gigabitEthernet0/18
-----------------------------------------------------------
VLAN VPN: test-map1
Class: vlan-mapping
Mapping attributes:
  cvlan 100 svlan 1
  cvlan 200 svlan 2
  cvlan 800 svlan 8
  cvlan 900 svlan 9
Applied interfaces:
  gigabitEthernet0/18
  gigabitEthernet0/19
-----------------------------------------------------------
VLAN VPN: test1
Class: unkown
Mapping attributes:
  cvlan 800 svlan 8
  cvlan 900 svlan 9
Applied interfaces:
  empty!
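The Note's rules for VLAN Mapping (1:1 only, and no VLAN overlap with QINQ on a shared interface) can be checked offline against output like the above. The following is an added example, not part of the switch software; the dictionary layout and function names are assumptions, and the VPN values are copied from the sample output on this page.

```python
def parse_vlan_list(text):
    """Expand a VLAN_LIST such as '1-25,73,75-80' into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans

def vlans_of(vpn):
    """All CVLANs and SVLANs a VPN controls."""
    out = {svlan for _, svlan in vpn["maps"]}
    for cvlans, _ in vpn["maps"]:
        out |= parse_vlan_list(cvlans)
    return out

def audit(vpns):
    """Return findings for the 1:1 rule and the same-interface overlap rule."""
    findings = []
    mapping = {n: v for n, v in vpns.items() if v["class"] == "vlan-mapping"}
    stacking = {n: v for n, v in vpns.items() if v["class"] == "vlan-stacking"}
    for name, vpn in mapping.items():
        svlans = [s for _, s in vpn["maps"]]
        for cvlans, svlan in vpn["maps"]:
            # VLAN Mapping is 1:1 only: one CVLAN per entry, each SVLAN used once.
            if len(parse_vlan_list(cvlans)) > 1 or svlans.count(svlan) > 1:
                findings.append(f"{name}: cvlan {cvlans} svlan {svlan} is not 1:1")
        for other, st in stacking.items():
            shared = sorted(set(vpn["ifs"]) & set(st["ifs"]))
            clash = sorted(vlans_of(vpn) & vlans_of(st))
            if shared and clash:  # both functions on one port must control disjoint VLANs
                findings.append(f"{name} + {other} on {', '.join(shared)}: shared VLANs {clash}")
    return findings

# Values copied from the "show vlan-vpn" sample output on this page.
VPNS = {
    "test": {"class": "vlan-stacking", "maps": [("1-25,73,75-80", 3), ("200", 4)],
             "ifs": ["gigabitEthernet0/17", "gigabitEthernet0/18"]},
    "test-map1": {"class": "vlan-mapping",
                  "maps": [("100", 1), ("200", 2), ("800", 8), ("900", 9)],
                  "ifs": ["gigabitEthernet0/18", "gigabitEthernet0/19"]},
}

if __name__ == "__main__":
    for line in audit(VPNS):
        print(line)
```

Run on the sample values, the audit reports that test and test-map1 are both applied to gigabitEthernet0/18 while controlling VLANs 1, 2, 8, 9 and 200 in common, which is the overlap the Note says to avoid.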
