The IEEE 802.1Q double tagging VLAN is also referred to Q-in-Q or VLAN stacking (IEEE 802.1ad). Its purpose is to expand the 802.1q VLAN space by tagging the inner tagged packets. In this way, a “double-tagged” frame is created so as to separate customer traffic within a service provider network. As shown below in “Double-Tagged Frame” illustration, an outer tag is added between source destination and inner tag at the provider network‟s edge.
This can support C-VLAN (Customer VLAN) over Metro Area Networks and ensure complete separation between traffic from different user groups. Moreover, the addition of double-tagged space increases the number of available VLAN tags which allow service
providers to use a single SP-VLAN (Service Provider VLAN) tag per customer over the
PAYLOAD FCS Original frame
TCI/P/C/VID Type/LEN PAYLOAD FCS 802.1q Frame
As shown below in “Q-in-Q Example” illustration, Headquarter A wants to communicate with Branch 1 that is 1000 mile away. One common thing about these two locations is that they have the same VLAN ID of 20, called C-VLAN (Customer VLAN). Since customer traffic will be routed to service provider‟s backbone, there is a possibility that traffic might be forwarded insecurely, for example due to the same VLAN ID used. Therefore, in order to get the information from Headquarter to Branch 1, the easiest way for the carrier to ensure security to customers is to encapsulate the original VLAN with a second VLAN ID of 100. This second VLAN ID is known as SP-VLAN (Service Provider VLAN) that is added as data enters the service provider‟s network and then removed as data exits. Eventually, with the help of SP-Tag, the information sent from Headquarter to Branch 1 can be delivered with customers‟ VLANs intact and securely.
Q-in-Q Example
4.4.7.4 802.1Q VLAN
The following screen page appears when you choose IEEE 802.1q Tag VLAN.
1. Configure VLAN: To create, edit or delete 802.1Q Tag VLAN settings.
2. Tag VLAN Setting: To set up VLAN-Aware, Ingress Filter, Frame Type, Port VLAN ID, Port Egress Mode.
4.4.7.4.1 Configure VLAN
The following screen page appears if you choose Configure VLAN.
Click New to add a new VLAN entity an then the following screen page appears.
Click Edit to view and edit current IEEE 802.1Q Tag VLAN setting.
Click Delete to remove a VLAN entity.
VLAN ID: Specify a VLAN ID between 1 and 4094.
VLAN Name: Use the default name or specify a VLAN name.
VLAN Members: If you select “V” from the pull-down menu, it denotes that the ports selected belong to VLAN.
4.4.7.4.2 Configure VLAN Aware
The following screen page appears if you choose Tag VLAN Settings and then select VLAN Aware from the pull-down menu of Select Setting.
The default setting for all ports is “Disable”.
VLAN Aware Disable: The ingress frame will always be tagged with a PVID. If the incoming frame already has a (VID or C-tag) tag, then it will be doubled-tagged (a PVID will be added).
VLAN Aware Enable: The Managed Switch will check the ingress frame‟s VID (C-tag) to determine whether it should be tagged or not. If the ingress frame is untagged, then the ingress frame will be tagged with a PVID. For tagged Ingress frames, they will stay intact.
For example:
Aware Mode
Ingress Port PVID=100 VLAN Aware Disable VLAN Aware Enable Ingress Frame with a C-Tag Ingress Frame=C-tag +tag
100
Ingress Frame=C-tag Ingress Frame without a Tag Ingress Frame= tag 100 Ingress Frame=tag
100
4.4.7.4.3 Configure Ingress Filter
The following screen page appears when you choose Tag VLAN Settings and then select Ingress Filter from the pull-down menu of Select Setting.
The default setting for all ports is “Enable”.
Ingress Filter Enable: When enabled, ingress traffic from a port that belongs to one of the existing VID entries is allowed to pass through; otherwise, they will be dropped before checking the entire VID table.
Ingress Filter Disable: When disabled, incoming frame VID will not be compared with the ingress port VLAN membership. It will only check its address table to see whether the destination VLAN exists.
For example:
VLAN Table Settings:
PORT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 VLAN
100 - - - - - - - v - - - - - - - - - - - - - - v -
Managed Switch
P1 P2~P24
When Ingress Filter is disabled, incoming frames will be forwarded to port 8 &
port 23.
VID 100
When Ingress Filter is enabled, incoming frames will be dropped because port 1 is not a member of the VLAN 100.
4.4.7.4.4 Configure Frame Type
The following screen page appears if you choose Tag VLAN Settings and then select Frame Type from the pull-down menu of Select Setting.
Frame Type: Two frame types are available, these are “All” and “Tagged”. The default setting is “All” to all ports.
All: “All” means that the port will send and receive both VLAN-tagged and untagged frames.
Tagged: “Tagged” means that the port will only send and receive VLAN-tagged frames.
If un-tagged frames are received, they will be dropped.
4.4.7.4.5 Configure Port VLAN ID
The following screen page appears if you choose Tag VLAN Settings and then select Port VLAN ID from the pull-down menu of Select Setting.
Port VLAN ID (PVID): The range of PVID is between 1 and 4094. VLAN ID will be assigned to untagged frames received on the interface. The default setting is 1.
4.4.7.4.6 Configure Port Egress Mode
The following screen page appears if you choose Tag VLAN Settings and then select Port Egress Mode from the pull-down menu of Select Setting.
Port Egress Mode: Two frame types are available; these are “Normal” and “Untag”. The default setting is “Normal” to all ports.
Normal: If the frame‟s VID is same as to egress PVID, then the frame is untagged. If the frame‟s VID is not same as to egress PVID, then the tag will stay intact. See below for an example.
Egress PVID Egress Frame
Egress Port PVID=100 Egress Port PVID ≠100 Egress Frame with tag
100
Remove tag 100
Egress frame is forwarded without a tag.
Egress frame is forwarded with a tag.
Egress Frame with C-tag + tag 100
Remove outer tag 100 Egress frame is forwarded with a C-tag only.
Egress frame is forwarded with a C-tag and tag 100.
Untag: Remove one tag from the frame. If the frame is with one tag, then it will be forwarded untagged. If the frame is double-tagged, then the outer tag (s-tag) will be removed.
4.4.7.4.7 Configure Management VLAN
The following screen page appears if you choose Tag VLAN Settings and then select Management VLAN from the pull-down menu of Select Setting.
CPU VLAN ID: Specify an existing VLAN ID.
Aware: Enable or disable VLAN aware. When VLAN aware is enabled and management ports are ticked, VLAN aware settings will apply to those selected ports and be shown on VLAN Aware page.
Management Port: Tick the checkbox on the ports that you would like them to become Management ports.
When OK is clicked, the configurations you set will be applied immediately and shown on VLAN Aware and Port VLAN ID screen page.
4.4.7.4.8 Frame Traffic Flow
When a frame is received from a port, the Managed Switch will go through several procedures to decide whether the frame will be forwarded or dropped or forwarded with a tag or without a tag. The forwarding rules for incoming frames are depicted in the flow chart below.
4.4.7.4.9 How to Configure Q-in-Q?
This section provides an example on how to configure Q-in-Q using 802.1q function. Follow the steps described blow or use them as reference to set up configurations that are suitable for your networking environment.
Scenario:
Managed Switch
P1 P23
Step 1. Create a VLAN
Create a VLAN 100 that includes Port 1 and Port 23 as a member port.
Incoming port
Outgoing port
Frame Type Check
Incoming Rules:
Aware & PVID
Ingress Filter Check
Forwarding Rules:
VLAN Table Outgoing Rules:
Egress Mode
VID=X VID=X+100
Customer Network C-tag=X Service Provider Network
Q-in-Q
Port 1
PVID=100 Port 23
PVID=1 Port-Based
VLAN
Step 2. Set up VLAN Aware
Set Port 1‟s VLAN Aware to “Disable” and Port 23‟s to “Enable”.
Step 3. Set up Port VLAN ID
Set Port 1‟s Port VLAN ID to 100 and Port 23‟s to 1.
Step 4. Set up Egress Mode
Leave Port 1 and Port 23‟s Egress Mode to their default setting “Normal”.