You are here

IEEE 802.1Q Tunneling (Q-in-Q)

I wasn’t very familiar with dot1q tunneling aka Q-in-Q. But since I started working for a service provider, I was more and more involved with this technology almost on a daily basis. So I started researching and reading more about. While studying and reviewing switching topics, I came across dot1q and while implementing the INE lab, I noticed a few things that I thought this is worth a post here and it is officially my first study post! So enough talking and let’s start tagging!!

QinQ is simply a techniuq used (mainly by ISPs) to keep traffic from customers segregated within the ISP’s cloud. Suppose Customer A has 2 sites and it needs to have both sites privately connected within the ISP cloud. One approach here is to let the ISP assign a block of VLANs to this customer to identify its traffic and keep it segregated from other customer. This approach is not really practical and lack flexibility for the customers.

QinQ will allow the ISP to assign one VLAN per customer which will be used as the second (outer) tag for each frame enters the ISP cloud regardless of the initial VLAN (inner tag) that the customer uses. So each frame that belongs to this customer will have two tags when traveling within the ISP cloud.

I think it will become very much clearer with an example. I have run this scenario successfully in my lab. However, I wanted to capture the two tags and ran into some fun issues which actually triggered me to write this post.

Please refer to the below diagram and related config:

R3

!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 10.1.1.3 255.255.255.0
!

R1
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 20.1.1.1 255.255.255.0
!

R6
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 10.1.1.6 255.255.255.0
!

R4
!
interface FastEthernet0/1.20
encapsulation dot1Q 20
ip address 20.1.1.4 255.255.255.0
!

SW1
!
interface FastEthernet0/1
switchport access vlan 200
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
!
interface FastEthernet0/3
switchport access vlan 100
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable

SW4
!
interface FastEthernet0/4
switchport access vlan 200
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
!
interface FastEthernet0/6
switchport access vlan 100
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable

 As shown here, I have connectivity on both vlans:

 R4#ping 20.1.1.1 re 20

Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 1/2/4 ms

R3#ping 10.1.1.6 re 40

Type escape sequence to abort.
Sending 40, 100-byte ICMP Echos to 10.1.1.6, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (40/40), round-trip min/avg/max = 1/2/4 ms

 

Even though I had full connectivity, I thought it would be really cool to capture this traffic being sent with double tags. However, I could only see one inner tag (that is vlan 20 and vlan 10). To make sure that I am actually correctly double tagging, I removed vlan 200 from the allowed vlan list on the trunk between SW4 and SW2, and I ran another ping, all timed out. So what is exactly the issue here?

Obviously, I missed the fact that my laptop’s NIC will not understand vlan tagging, and always removed the vlan tag (in this case it can’t assume that there are actually 2 tags, so it will remove the outer tag, vlan 200 and will leave the inner tag) which was exactly what I was seeing.

Now the fun part begins, how am I going to make my laptop understands vlan tagging? You really have two ways to do this. One is simply get one of those good old PCMCIA Carbuses that supports frame tagging. Or edit the registry values of the NIC driver to force it to keep the 802.1Q tags. I will explain the second method, which I did on my old Dell Laptop.

Search for/Run regedit, browse to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\[4D36E972-E325-11CE-BFC1-08002BE10318]. Once you collapse that, depending on what software you have installed, you will find a number of 000x entries. Click HERE to see a snapshot of this. You have to check each one of these entries and check the Provider Name to identify the manufacturer of your NIC. I have a Dell laptop with Broadcom NIC which I found in 0009.

Once you’re there, if you see “PreserveVlanInfoRxPacket”, right click and choose Modify then change the Value data to 1. If it does not exist, right click in the white pane on the right and choose New, then select String Value, rename it to “PreserveVlanInfoRxPacket” and change its Value data to 1 and you’re pretty much done!!

Here’s a traffic capture for vlan10 and vlan20 when I ran the ping tests above. As you can see, frames are double tagged as expected.

 

Baher

 

 

Leave a Reply

Top