Understanding QinQ (802.1Q in 802.1Q): Extending VLAN Space for Metro Ethernet

What is QinQ?

With the massive deployment of Ethernet, using VLANs for user isolation and identification becomes limited because the VLAN Tag field defined in IEEE 802.1Q is only 12 bits, allowing 4096 VLANs, which is insufficient for metro‑Ethernet scenarios. QinQ (802.1Q in 802.1Q) extends the VLAN space by adding an extra 802.1Q tag on top of an existing one, so a user frame carries two tags: an inner private‑network tag and an outer public‑network tag.

QinQ encapsulated frames add two VLAN tags after the source MAC address of an untagged Ethernet frame.

QinQ Encapsulation Structure

TPID (Tag Protocol Identifier) indicates the frame type; a value of 0x8100 denotes an 802.1Q tag. Devices that do not support 802.1Q will drop such frames.

For the inner 802.1Q tag, TPID is set to 0x8100; for the outer tag, different vendors may use different values:

0x8100 – used by Huawei routers

0x88A8 – defined by 802.1ad for the outer tag

On Huawei devices the outer tag defaults to 0x8100 but can be changed via CLI.

QinQ Operation Principle

In the public network, devices forward frames based solely on the outer VLAN tag and learn MAC addresses from that outer tag, while the inner private VLAN tag is treated as payload. Even if private tags are identical, different outer tags distinguish users.

QinQ Implementation – Basic QinQ

Basic QinQ is port‑based. When the feature is enabled on a port, incoming frames receive the port’s default VLAN tag; already‑tagged frames become double‑tagged, and untagged frames receive the default tag.

The drawback is that the outer VLAN tag is fixed, making it difficult to support multiple services flexibly.

Basic QinQ Packet Processing

SW1 receives frames with VLAN IDs 10 and 20 and forwards them to SW2.

SW2 adds an outer VLAN ID 100 to the existing tag.

The double‑tagged user data frame is forwarded normally at Layer 2.

SW3 strips the outer tag (VLAN 100) and forwards the frame to SW4, which now sees a single tag (10 or 20).

SW4 forwards based on VLAN ID and destination MAC address.

QinQ Implementation – Flexible QinQ

Selective QinQ can add or omit an outer VLAN tag based on flow classification results (e.g., inner VLAN, 802.1p priority, MAC, IP, or application port).

Examples include VLAN‑ID‑based, priority‑based, or QoS‑policy‑based outer tag assignment.

The main difference from basic QinQ is that the outer tag can vary per inner tag, allowing finer user VLAN segmentation.

Flexible QinQ Packet Processing

SW1 receives VLAN 10 and 20 frames and forwards them to SW2.

SW2 adds outer VLAN 100 to VLAN 10 frames and outer VLAN 200 to VLAN 20 frames.

The double‑tagged frames are forwarded normally.

SW3 strips the outer tag (100 or 200) and forwards to SW4, which now sees a single tag (10 or 20).

SW4 forwards based on VLAN ID and MAC address.

QinQ Application in Campus Networks

Scenario Requirements

Each terminal must be traceable, have an independent Layer‑2 broadcast domain to limit BUM (Broadcast, Unknown Unicast, Multicast) traffic impact, and maintain Layer‑2 connectivity to the BRAS for PPPoE authentication.

BRAS (Broadband Remote Access Server) is the core device for broadband aggregation and forwarding.

BUM traffic is handled by switches via flooding.

Solution

Access switch assigns a unique VLAN to each downstream port.

When forwarding to the aggregation switch, the access switch adds one 802.1Q tag.

The aggregation switch deploys QinQ, assigning a unique VLAN per downstream interface, adds a second tag, and forwards traffic to the core switch.

The core switch transparently passes traffic to the BRAS, which performs QinQ decapsulation.

BRAS and BUM definitions are reiterated for clarity.

Configuration Example – Basic QinQ

Lab Requirements

Enterprise 1 and Enterprise 2 share the same ISP and have overlapping VLAN spaces.

The ISP uses QinQ to enable data exchange between sites of the same enterprise.

Enterprise 1 uses VLAN 100; Enterprise 2 uses VLAN 200.

SW1 configuration:

[SW1] vlan batch 100 200
[SW1] interface GigabitEthernet 0/0/1
# configure outer TAG 100 on GE0/0/1
[SW1-GigabitEthernet0/0/1] port link-type dot1q-tunnel
[SW1-GigabitEthernet0/0/1] port default vlan 100
[SW1] interface GigabitEthernet 0/0/2
# configure outer TAG 200 on GE0/0/2
[SW1-GigabitEthernet0/0/2] port link-type dot1q-tunnel
[SW1-GigabitEthernet0/0/2] port default vlan 200
[SW1] interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3] port trunk
[SW1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
# set TPID for outer VLAN tag
[SW1-GigabitEthernet0/0/3] qinq protocol 9100

SW2 configuration is similar (omitted).

Configuration Example – Flexible QinQ

Lab Requirements

Internet users and VoIP users connect via SW1 and SW2 to the ISP network and communicate with each other.

Enterprise assigns VLAN 100 to PCs and VLAN 300 to VoIP phones.

Internet users and VoIP users use VLAN 2 and VLAN 3 on the ISP side.

SW1 configuration:

[SW1] vlan batch 2 3
[SW1] interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1] port link-type hybrid
[SW1-GigabitEthernet0/0/1] port hybrid untagged vlan 2 3
[SW1-GigabitEthernet0/0/1] qinq vlan-translation enable
[SW1-GigabitEthernet0/0/1] port vlan-stacking vlan 100 stack-vlan 2
[SW1-GigabitEthernet0/0/1] port vlan-stacking vlan 300 stack-vlan 3
[SW1] interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2] port link-type trunk
[SW1-GigabitEthernet0/0/2] port trunk allow-pass vlan 2 3

SW2 configuration is similar (omitted).

Precautions

For flexible QinQ, set the interface type to Hybrid and enable VLAN translation with

qinq vlan-translation enable

; it only takes effect on inbound traffic.

When VLAN stacking is configured, use an untagged mode on the interface if the outer tag must be removed on egress; use tagged mode if the outer tag should be retained.