Saturday, August 24, 2013

Dot1Q Tunnel / q-in-q Tunneling

Dot1Q tunneling, also called q-in-q tunneling, is a technique generally used by service providers to extend a customer's VLANs to different locations. It works by encapsulating the customer VLAN inside another 802.1q tag, and because of this extra encapsulation we must increase the system MTU on the service provider switches to something greater than 1500. In this blogtorial, we will take a look at a very simple topology with easy-to-follow configurations.

Here is the topology. 

Our objective: 

VLAN 10 in a Customer Site in California (SW1) needs to be extended to a Customer Site in Illinois (SW4).


First we need to configure the customer equipment to put the interface facing the service provider on VLAN 10.

SW1#sh run int fa1/1  
interface FastEthernet1/1  
  description SW1 to SP1  
  switchport access vlan 10  
end
SW1#sh run int vlan 10
interface vlan10
  ip address 10.10.10.1 255.255.255.0
end

Next we need to put the SP1 interface facing the customer in q-in-q mode and assign a metro-tag. In this case I assigned metro-tag 510.

SP1#sh run int fa1/1 
interface FastEthernet1/1  
  description SW1 to SW4 dot1q  
  switchport access vlan 510
!!VLAN 510 above is commonly referred to as metro-tag or customer tag.   
  switchport mode dot1q-tunnel 
!!Notice that we also tunnel cdp, stp, and vtp.
!!They are not tunneled by default.
  l2protocol-tunnel cdp  
  l2protocol-tunnel stp  
  l2protocol-tunnel vtp  
  no cdp enable  
end  

Now we need to configure the interfaces between the service provider switches, which are just basic trunks.

 
SP1#sh run int fa1/2 
interface FastEthernet1/2  
  description connected to SP2 
  switchport trunk encapsulation dot1q
  switchport mode trunk  
end  

 
SP2#sh run int fa1/2 
interface FastEthernet1/2
  description connected to SP1
  switchport trunk encapsulation dot1q
  switchport mode trunk
end  

The interface on SP2 facing the customer side is assigned the same metro-tag of 510.

 
SP2#sh run int fa1/3
interface FastEthernet1/3  
  description SW4 to SW1 dot1q  
  switchport access vlan 510  
  switchport mode dot1q-tunnel  
  l2protocol-tunnel cdp  
  l2protocol-tunnel stp  
  l2protocol-tunnel vtp  
  no cdp enable  
end  

Finally, we need to configure the customer equipment at the other site (SW4) to put the interface facing the service provider on VLAN 10.

SW4#sh run int fa1/3
interface FastEthernet1/3  
  description connected to SP2
  switchport access vlan 10  
end  
SW4#sh run int vlan 10
interface vlan10
  ip address 10.10.10.4 255.255.255.0
end

Let's see what happens when we ping from SW1 to SW4.

SW1#ping 10.10.10.4  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 10.10.10.4, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/12 ms  
SW1#  

Let's see what CDP shows.

SW1#show cdp neighbors  
 Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge  
          S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone  
 Device ID    Local Intrfce   Holdtme  Capability Platform  Port ID  
 SW4          Fas 1/1            142       R        3550    Fas 1/3  
SW1#  

As you can see, it appears as though SW4 is connected directly to SW1. What is really happening is that VLAN 10 traffic is double tagged with VLAN 510. In other words, VLAN 10 is encapsulated in VLAN 510 and sent across to SP2, hence the name q-in-q tunneling.

Side note -- You will have to set the system MTU greater than 1500 on the SP1 and SP2 switches, which does require a reboot to take effect. On the Cisco 3750s that I used, the command to increase the system MTU is "system mtu 1546".
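To see the double tagging and the extra 4 bytes behind the MTU side note, here is an added example (not part of the original post) that pushes metro-tag 510 onto a frame and parses the resulting tag stack. It assumes the customer frame already carries an 802.1Q tag for VLAN 10 and that the outer tag uses TPID 0x8100; the function names and MAC addresses are made up for illustration.

```python
import struct

VLAN_TPIDS = (0x8100, 0x88A8)  # 802.1Q and 802.1ad tag protocol identifiers

def customer_frame(vlan_id, payload_len):
    """Constructed sample: Ethernet frame with one 802.1Q tag and a zero-filled IPv4 payload."""
    macs = bytes.fromhex("000000000004" "000000000001")  # dst, src (made-up addresses)
    tag = struct.pack("!HH", 0x8100, vlan_id)            # TPID + TCI, priority bits 0
    return macs + tag + struct.pack("!H", 0x0800) + bytes(payload_len)

def push_metro_tag(frame, metro_vlan, tpid=0x8100):
    """Model of the tunnel port on ingress: insert an outer tag right after the MACs.
    The 0x8100 outer TPID is an assumption of this example."""
    return frame[:12] + struct.pack("!HH", tpid, metro_vlan) + frame[12:]

def parse_tag_stack(frame):
    """Return (VLAN IDs outermost first, inner EtherType, payload length in bytes)."""
    vlans, offset = [], 12
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            return vlans, ethertype, len(frame) - offset - 2
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4

if __name__ == "__main__":
    inner = customer_frame(10, 1500)    # full-size customer frame on VLAN 10
    outer = push_metro_tag(inner, 510)  # as carried on the SP1-SP2 trunk
    print(len(inner), parse_tag_stack(inner))
    print(len(outer), parse_tag_stack(outer))
```

The frame lengths exclude the 4-byte FCS; the 4-byte difference between the two is the overhead the larger system MTU on SP1 and SP2 has to absorb.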
