Understanding QinQ: Double-Tag VLANs Explained for Network Engineers
This article explains how QinQ (IEEE 802.1ad) extends traditional VLANs with a second tag to overcome VLAN scalability limits, detailing its functions, implementation methods, packet format, and a step‑by‑step working example for service provider networks.
VLAN technology simplifies network management but is limited to 4094 VLANs, prompting the development of VXLAN and QinQ.
This article introduces QinQ technology.
What is QinQ?
QinQ, defined by IEEE 802.1ad, extends the 802.1Q protocol by adding an additional VLAN tag, effectively increasing the number of VLANs that can be used.
It encapsulates a customer's private VLAN tag inside a provider's VLAN tag, allowing double‑tagged frames to traverse the provider’s backbone, with the outer tag used for forwarding.
QinQ packets have a fixed format: an 802.1Q‑tagged packet is encapsulated within another 802.1Q tag, adding four extra bytes.
QinQ Functions
Provides a simple L2 VPN tunnel.
No protocol or signaling required; configured statically.
Hides customer VLAN IDs, saving provider VLAN resources.
Allows customers to plan private VLAN IDs without conflicts.
Implementation Methods
There are two implementation methods:
Basic QinQ
A basic QinQ port adds its default VLAN tag as the outer tag to every incoming frame, whether or not the frame already carries a tag, and removes that outer tag before forwarding a frame out of the port. Its drawback is that the outer tag cannot be selected based on the inner VLAN.
Selective QinQ
Selective QinQ resolves this by adding a specified outer VLAN tag based on the inner VLAN tag; if no specific tag is configured, the default VLAN tag is used.
Working Principle
Consider two routers R1 and R2 connected through provider switches SW1‑SW3. Customer traffic uses VLAN 12, while the provider uses VLAN 123 to transport it.
R1 tags frames with VLAN 12; the provider adds outer VLAN 123; after traversing SW3, the outer tag is stripped before delivering the original VLAN 12 frame to R2.
Frame Changes
Original Ethernet frame:
Customer 802.1Q frame:
Provider trunk 802.1Q frame:
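The three frame stages listed above, built and parsed byte by byte in Python. This is an added example, not code from the original article. The MAC addresses and payload are constructed, the helper names are hypothetical, and the outer tag type 0x88A8 (the 802.1ad service tag value) is an assumption; pass 0x8100 as `tpid` for equipment that uses the 802.1Q tag type on the outer tag as well.

```python
import struct

TPID_CTAG = 0x8100  # 802.1Q tag type, used here for the customer (inner) tag
TPID_STAG = 0x88A8  # 802.1ad service tag type; assumed for the outer tag

def push_tag(frame: bytes, vid: int, tpid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte VLAN tag directly after the two 6-byte MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | vid  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]

def parse_tags(frame: bytes):
    """Return ([(tpid, vid), ...] outermost first, EtherType of the payload)."""
    tags, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_CTAG, TPID_STAG):
            return tags, etype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))
        off += 4

def pop_tag(frame: bytes) -> bytes:
    """Strip the outermost VLAN tag, as the provider edge does on egress."""
    tags, _ = parse_tags(frame)
    if not tags:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]

def walk_through():
    """Follow one frame from R1 to R2 using the article's VLAN 12 and 123."""
    # Constructed sample: made-up MAC addresses, IPv4 EtherType, zero payload.
    original = bytes.fromhex("020000000002" "020000000001" "0800") + bytes(46)
    customer = push_tag(original, 12, TPID_CTAG)    # R1 tags with VLAN 12
    provider = push_tag(customer, 123, TPID_STAG)   # provider ingress adds 123
    delivered = pop_tag(provider)                   # outer tag stripped after SW3
    return original, customer, provider, delivered

if __name__ == "__main__":
    names = ("original", "customer", "provider", "delivered")
    for name, f in zip(names, walk_through()):
        tags, etype = parse_tags(f)
        print(f"{name:9} len={len(f)} tags={tags} ethertype={etype:#06x}")
```

Each pushed tag adds four bytes, so provider links must accept frames eight bytes longer than the untagged original.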
Conclusion
IEEE 802.1Q QinQ tunnels are designed for service providers to transport multiple customers' traffic while preserving each customer's VLAN and Layer‑2 configuration, achieved by inserting a service‑provider VLAN (SPVLAN) tag on ingress and stripping it on egress.