About QinQ

Operating rules and guidelines

This section provides an overview of QinQ operations and restrictions on the switch.

Enabling QinQ and configuring QinQ modes

By default, QinQ is disabled. When QinQ is enabled via the CLI, an operating mode is globally configured on the switch. Two QinQ modes are supported:

qinq mixedvlan

C-VLANs and S-VLANs are both supported, with regular switching/routing based on C-VLAN tags in the C-VLAN domain, while S-VLANs are used for QinQ tunneling through the provider network.

qinq svlan

C-VLANs are not supported on the device. All configured VLANs on the switch must be S-VLANs.

The following table shows how the various QinQ modes and operations impact VLAN configuration options on the switch.

Relationship of QinQ operating modes to VLAN environments

| QinQ Operation | CLI Command | VLAN Options |
|---|---|---|
| QinQ disabled: no QinQ support (default) | no qinq | Only regular VLAN commands are available. If QinQ is disabled, S-VLAN commands are not available. |
| QinQ enabled: QinQ mixed VLAN mode | qinq mixedvlan | Both S-VLAN and regular VLAN commands (known as C-VLANs in a mixed VLAN environment) are available. |
| QinQ enabled: QinQ S-VLAN mode | qinq svlan | No regular VLAN commands are available. All VLANs configured on the switch are S-VLANs only. |

QinQ mixed VLAN mode

The QinQ mixed VLAN mode configuration supports both C-VLAN and S-VLAN operations on the same device. This allows the use of S-VLAN member ports for QinQ tunneling, while regular ports can still do switching or routing within the C-VLAN space. To tunnel customer frames through the provider network, you can externally connect a regular port to a customer-network port, eliminating the need for a separate S-VLAN bridge device to perform such operations. When configuring VLANs on a mixed VLAN mode device, a separate svlan vid command is used to distinguish the S-VLAN type from regular VLANs.

The main advantage of QinQ mixed VLAN mode is that users do not have to dedicate the entire switch as a QinQ access switch. For a high-density chassis switch such as the 5400zl or 8200zl series, customers can use regular ports for normal LAN switching, while S-VLAN member ports can be configured to access the QinQ provider network (see QinQ configuration example). There are some additional restrictions in mixed VLAN mode.

HP Switch in mixed-VLAN mode


Configuring VLANs

  • A VLAN created on a QinQ mixed VLAN mode device can be either a regular VLAN (C-VLAN) or a tunnel VLAN (S-VLAN). C-VLANs have no mapping/relation to the S-VLANs on the device.

  • VLANs created on a QinQ S-VLAN mode device can be S-VLANs only. S-VLANs provide QinQ tunneling of customer frames and behave like a port-based/s-tagged interface.

QinQ and duplicate VIDs

Duplicate VIDs for c-tagged and s-tagged VLANs (for example, C-VID=100; S-VID=100) are allowed in certain cases. Customer-network ports are essentially S-VLAN ports: they simply read the C-tags in the customer frame to insert them into the appropriate untagged S-VLAN for that port. Once this double-tagging occurs, frames are forwarded based on the S-VLAN tag only, while the C-VLAN tag remains shielded during data transmission.

QinQ and duplicate VIDs: examples of allowed configurations


Assigning ports to VLANs

In mixed VLAN mode, a port can be a member of a C-VLAN or of an S-VLAN but not both.

Configuring port types

The IEEE 802.1ad standard requires that every S-VLAN member port be configured as either a provider-network or as a customer-network port. In a typical deployment scenario, customer-network ports will be configured as untagged members of S-VLANs while provider-network ports will be configured as tagged members of S-VLANs. Note the following configuration rules and guidelines:

  • All ports of a device that is QinQ enabled (in S-VLAN mode or mixed VLAN mode) are provider-network ports by default—if there are any ports that connect to a customer device, they must be manually configured as customer-network ports.

  • Configuring a port-type is applicable only if the device is QinQ enabled and the port is a member of an S-VLAN. In QinQ mixed mode, ports that are members of C-VLANs cannot be configured to any port-type.



NOTE: If a device running in QinQ S-VLAN mode has one or more customer-network ports, it is considered to be a provider edge and not a provider core bridge. This may affect certain operations, such as meshing, UDLD, and stacking, because at the edge of the provider network such proprietary protocols are filtered out at customer-network ports. This prevents the intermixing of stacking/meshing/UDLD protocols in the customer and provider domains (since they use the same dst-mac address in either domain).


Operating notes and restrictions

Cannot run concurrently with RPVST+

QinQ cannot run concurrently with RPVST+.

Changing bridge modes requires a reboot

When changing the operating mode (to/from: QinQ S-VLAN mode, QinQ mixed VLAN mode, or QinQ disabled), you will be prompted to restart the system before the changes can take effect. Upon reboot, all configuration information for the prior QinQ mode will be lost. Any configurations created will be erased, and the device will boot up with a default configuration for the new QinQ mode.

Provider edge devices at Layer 2 only

QinQ does not provide Layer 3 capabilities of complete network isolation between customers. In a mixed VLAN configuration, there is no switching/routing between C-VLANs and S-VLANs. S-VLANs are essentially Layer 2 VLANs that switch packets based on S-VIDs.

IP support

Regular VLANs support IP and can be routing enabled. S-VLANs of mixed VLAN mode devices cannot be ip enabled. S-VLANs of S-VLAN mode devices can be ip-enabled, though routing related features (such as ip routing) are not supported.

Double-tagging causes frame size increases

Since there is both a provider VLAN tag and customer VLAN tag in each QinQ frame, the size of each double-tagged frame increases by 4 bytes. To accommodate the frame size increase, HP recommends that you configure all port-based S-VLANs to accept jumbo frames.
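The double-tagging described under "QinQ and duplicate VIDs" and the 4-byte growth noted above can be seen at the byte level. The following Python sketch is an added example, not HP code; it assumes the IEEE 802.1ad S-tag TPID 0x88A8 for the provider tag, and the function names and sample frame are constructed for illustration.

```python
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8  # IEEE 802.1ad service tag (assumed provider tag-type)

def vlan_tag(tpid, vid, pcp=0):
    """4-byte tag: 16-bit TPID, then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VID {vid} outside 1-4094")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)

def push_s_tag(frame, s_vid, s_tpid=TPID_STAG):
    """Customer-network port ingress: insert the S-tag after the two MACs.
    The customer's own C-tag (if any) stays in place behind it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return frame[:12] + vlan_tag(s_tpid, s_vid) + frame[12:]

def _u16(frame, off):
    if len(frame) < off + 2:
        raise ValueError("truncated frame")
    return struct.unpack_from("!H", frame, off)[0]

def parse_tags(frame, s_tpid=TPID_STAG):
    """Return the outer S-VID, inner C-VID (None if absent) and EtherType."""
    off, s_vid, c_vid = 12, None, None
    if _u16(frame, off) == s_tpid:
        s_vid, off = _u16(frame, off + 2) & 0x0FFF, off + 4
    if _u16(frame, off) == TPID_CTAG:
        c_vid, off = _u16(frame, off + 2) & 0x0FFF, off + 4
    return {"s_vid": s_vid, "c_vid": c_vid, "ethertype": _u16(frame, off)}

def switching_vid(frame, s_tpid=TPID_STAG):
    """VID a provider bridge forwards on: the S-VID, never the C-VID."""
    return parse_tags(frame, s_tpid)["s_vid"]

# Constructed sample: C-tagged IPv4 frame (C-VID 100) with a zeroed payload.
CUSTOMER_FRAME = (bytes.fromhex("02000000000b" "02000000000a")
                  + vlan_tag(TPID_CTAG, 100)
                  + struct.pack("!H", 0x0800) + bytes(46))

if __name__ == "__main__":
    tunneled = push_s_tag(CUSTOMER_FRAME, 100)  # duplicate VID: S-VID == C-VID
    print(len(CUSTOMER_FRAME), "->", len(tunneled), "bytes")
    print(parse_tags(tunneled), "forwarded on S-VID", switching_vid(tunneled))
```

The same C-VID can travel inside different S-VLANs because the provider bridge only ever reads the outer tag.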

S-VLAN configuration restrictions

S-VLAN commands are not available when QinQ is disabled on the switch.

VLAN configuration restrictions in mixed VLAN mode

  • Both C-VLANs and S-VLANs can be configured on the switch. In a mixed mode device, the default VLAN is always a C-VLAN.

  • VLAN types cannot be updated dynamically. A VLAN can be classified only as an S-VLAN or a C-VLAN at the time it is created. Once created, the VLAN cannot be moved between being a C-VLAN and an S-VLAN. If a VID that was initially created as a regular VLAN needs to be used for an S-VLAN, the VID must be deleted and re-created as an S-VLAN.

  • If a VLAN being configured as an S-VLAN already exists as a GVRP C-VLAN or a static C-VLAN on the switch, the S-VLAN creation is blocked. Similarly, a C-VLAN creation is blocked if the same VID exists as a static S-VLAN on the device.

  • S-VLANs in a mixed vlan device cannot be configured as a voice-VLAN, primary-VLAN, or management-VLAN.

  • S-VLANs cannot be configured with ip-layer functionality, except for ip-acls.

VLAN configuration restrictions in S-VLAN mode

  • Only S-VLANs are supported—the keyword on all vlan-related command syntax changes from vlan to svlan.

  • Routing related features such as ip-routing, RIP, OSPF, PIM, and VRRP are not supported in S-VLAN mode.

Port-based restrictions

  • In QinQ mixed VLAN mode, a port must be explicitly GVRP-disabled before it can be assigned to the S-VLAN space.

  • In QinQ mixed VLAN mode, only ports that are members of S-VLANs can be configured as customer network or provider network ports; ports that are members of C-VLANs cannot be configured to any port-type.

  • QinQ mixed VLAN mode devices cannot be connected in an S-VLAN mesh topology. This is because STP cannot be run in the S-VLAN space, and so a mesh topology (or the presence of any redundant links) would result in loops.

  • A port can either be a member of S-VLANs or C-VLANs only, but not a combination of both.

  • A port cannot be configured as a Customer-Edge as specified in Section 12.13.3 of the IEEE 802.1ad specification. In the current software release, such C-tagged interfaces are not supported—only port-based/S-tagged interfaces are supported.

  • Moving ports between C-VLANs and S-VLANs may cause conflicts. For example, if a port has any mirroring/monitoring sessions set up, they will not be allowed to change VLAN domains until these sessions are re-configured.

Interoperating with other vendor devices

When enabling QinQ, you can configure a unique tpid value, such as 0x8100, to allow the device to interoperate with devices that require this value for the inner and outer VLAN-tag. If the provider tag-type is configured as 0x8100, then:

  • Customer-network ports cannot be configured as tagged-S-VLAN members

  • Tagged-S-VLAN members cannot be configured as customer-network ports.
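The mixed VLAN mode restrictions listed above (VLAN, port-based, and provider tag-type 0x8100) can be checked against a planned configuration before it is applied. The following Python audit is an added example, not HP code; the Port model, rule names, and sample data are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Port:  # hypothetical planning model, not a switch data structure
    name: str
    c_vlans: set = field(default_factory=set)     # C-VLAN memberships
    s_tagged: set = field(default_factory=set)    # tagged S-VLAN memberships
    s_untagged: set = field(default_factory=set)  # untagged S-VLAN memberships
    port_type: str = ""   # explicitly configured port-type, "" if none
    gvrp: bool = False

def audit_mixed_mode(ports, s_vlans, special_vlans, jumbo_vlans,
                     provider_tpid=0x88A8):
    """Return sorted (subject, rule) findings for a mixed VLAN mode plan."""
    findings = set()
    for p in ports:
        s_member = p.s_tagged | p.s_untagged
        if p.c_vlans and s_member:           # C-VLAN or S-VLAN, never both
            findings.add((p.name, "both-domains"))
        if p.port_type and not s_member:     # port-types apply to S-VLAN ports only
            findings.add((p.name, "port-type-on-c-port"))
        if p.gvrp and s_member:              # GVRP must be disabled first
            findings.add((p.name, "gvrp-on-s-port"))
        if (provider_tpid == 0x8100 and p.s_tagged
                and p.port_type == "customer-network"):
            findings.add((p.name, "tpid-8100-tagged-customer"))
    for role, vid in special_vlans.items():  # voice / primary / management
        if vid in s_vlans:
            findings.add((f"S-VLAN {vid}", f"{role}-vlan-is-svlan"))
    for vid in s_vlans - jumbo_vlans:        # recommendation, not a hard block
        findings.add((f"S-VLAN {vid}", "jumbo-not-enabled"))
    return sorted(findings)

# Constructed sample plan (not from the page).
PORTS = [
    Port("A1", c_vlans={10}),
    Port("A2", s_untagged={100}, port_type="customer-network"),
    Port("A3", s_tagged={100}, port_type="provider-network"),
    Port("A4", c_vlans={10}, s_tagged={100}),
    Port("A5", c_vlans={20}, port_type="customer-network"),
    Port("A6", s_untagged={200}, port_type="customer-network", gvrp=True),
    Port("A7", s_tagged={200}, port_type="customer-network"),
]
S_VLANS = {100, 200}
SPECIAL = {"management": 200, "voice": 30}
JUMBO = {100}

if __name__ == "__main__":
    for subject, rule in audit_mixed_mode(PORTS, S_VLANS, SPECIAL, JUMBO,
                                          provider_tpid=0x8100):
        print(f"{subject}: {rule}")
```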

Configuring QinQ with other network protocols

The networks for both the customer and provider can be complex. For information on how QinQ may impact other network protocols (such as spanning tree, LLDP, and GVRP), see HP Switch in mixed-VLAN mode.

Changing QinQ modes

Changing QinQ modes (or disabling QinQ operations) will result in the current configuration being erased. See the following Caution for details.



CAUTION: Configuring the switch to operate in a different bridge mode requires a reboot to take effect. Upon reboot, all configuration information for the prior QinQ mode is lost. Any configurations created under the existing QinQ mode are erased, and the device boots up with a default configuration for the new QinQ mode.


For information on the effect of the different QinQ modes on switch protocols and operations, see Impacts of QinQ configurations on other switch features.

Effects of QinQ on other switch features

Per the IEEE standards, protocols such as STP and GVRP are assigned separate addresses for customer networks and provider networks, ensuring that QinQ has no impact on their operations. Bridge Protocol Data Units (BPDUs) that need to be tunneled through the provider network are treated as normal multicast frames at the provider bridge and forwarded out.

However, other protocols use common addresses for both customer and provider networks, and so are not supported when QinQ is enabled on the switch. Similarly, proprietary features such as meshing, discovery, UDLD, and loop-protect do not provide tunneling support. In such cases, where provider networks could run an instance of the same protocol as a customer could run local to their site, these frames are dropped at the customer-network ports of the provider bridge.



NOTE: The IEEE standards group is devising new addressing schemes that may support additional QinQ tunneling operations. Check the latest product release notes for implementation updates as they apply to HP switches.


When QinQ is not enabled (the default setting), there are no impacts to the switch's normal operations. The following table shows the impacts of QinQ on the operation of switch protocols and features, based on the configured QinQ mode: QinQ mixed VLAN mode (C-VLANs and S-VLANs are allowed) or QinQ S-VLAN mode (S-VLANs only).

Impacts of QinQ configurations on other switch features

Switch feature Impacts of QinQ configurations and allowed operations
ACLs

In QinQ mixed VLAN or S-VLAN modes:

  • On double-tagged frames, the VID applicable when applying ACLs will be the S-VLAN tag and not the C-VLAN tag.

aaa

In QinQ mixed VLAN mode:

  • auth-vid/unauth-vid configuration is not supported on S-VLAN ports; the auth-vid/unauth-vid cannot be an S-VLAN id.

  • If a port that is a member of C-VLANs is configured with auth-vid or unauth-vid and it needs to be added to the S-VLAN domain, the auth/unauth configuration must first be undone.

arp-protect

In QinQ mixed VLAN mode:

  • ARP-protect is not supported on S-VLANs, nor on S-VLAN ports.

CDP

In QinQ mixed VLAN or S-VLAN modes:

  • CDP frames are consumed at customer network ports, if CDP is enabled on the device port, and the customer device shows up as a CDP neighbor on the customer-network port. If not, the frames are dropped.

DHCP

In QinQ mixed VLAN or S-VLAN modes:

  • DHCP relay applies only to C-VLANs.

  • DHCP snooping is not supported on S-VLANs.

directed-broadcast

In QinQ S-VLAN mode:

  • directed-broadcast is not supported on provider core devices.

GVRP

In QinQ mixed VLAN mode:

  • S-VLAN ports cannot be GVRP enabled.

  • Regular VLANs will participate in C-VLAN GVRP if enabled to do so. S-VLANs will tunnel all C-VLAN GVRP frames through.

  • An explicit GVRP disable on a port is a prerequisite for moving the port to an S-VLAN domain.

  • Port-based interfaces do not have support for provider-GVRP protocols. Provider GVRP frames received at S-VLAN interfaces will be dropped.

  • If a VLAN being configured as an S-VLAN is already a GVRP VLAN on the switch, this S-VLAN creation would be blocked.

In QinQ S-VLAN mode:

  • GVRP is supported on S-VLAN ports if the qinq mode is S-VLAN.

igmp-proxy

In QinQ mixed VLAN mode:

  • IGMP-proxy cannot be configured on S-VLANs.

In QinQ S-VLAN mode:

  • IGMP-proxy is not supported.

IPv6

In QinQ mixed VLAN mode:

  • IPv6 features are not supported on S-VLANs.

ip-recv-mac

In QinQ mixed VLAN mode:

  • ip-recv-mac cannot be configured on S-VLANs.

In QinQ S-VLAN mode:

  • ip-recv-mac is not supported.

Jumbo

In QinQ mixed VLAN or S-VLAN modes:

  • No change in operations. HP recommends that you jumbo-enable all S-VLANs used for customer data tunneling to support the addition of the extra S-tag in each frame.

LACP/ Port Trunks

In QinQ mixed VLAN mode:

  • Dynamic-LACP is not supported on S-VLAN ports: LACP manual trunks alone are supported. The new trunk will be a member of C-VLANs (port types are not applicable).

  • If two ports are added to a trunk, the resultant trunk will be a member of the default-vlan (vid-1) which is always a C-VLAN. The trunk can subsequently be manually assigned to an S-VLAN.

  • Port-type and VLAN configurations are not mapped. If the port-type is updated through CLI or SNMP and the port is subsequently moved from the C-VLAN space to the S-VLAN space then back again, the last configured port-type is retained through each move.

In QinQ S-VLAN mode:

  • On S-VLAN bridges, both manual and dynamic LACP trunks are supported. HP does not recommend that you configure dynamic trunks on customer ports because they cannot become dynamic members of S-VLANs (there is no provider-gvrp for a dynamic trunk to become a member of S-VLANs.)

  • A newly formed trunk will by default be of type provider-network. When the trunk is manually assigned to an S-VLAN for the first time after being created, the port-type is provider-network.

Layer 3 Protocols (IP, IP+, DHCP, ARP, IGMP Layer 3, Layer 3 ACLs)

In QinQ mixed VLAN mode:

  • There is no IP layer functionality on S-VLANs.

  • No change in IP layer functionality on regular C-VLANs.

  • S-VLANs cannot be configured as RIP, OSPF, PIM, or VRRP interfaces.

In QinQ S-VLAN mode:

  • S-VLANs can be ip enabled.

  • IP routing is not supported.

LLDP

In QinQ mixed VLAN or S-VLAN modes:

  • LLDP is supported on the device (in both qinq modes). However, there is no provision for tunneling customer LLDP BPDUs through the provider-network.

  • LLDP BPDUs received from a customer's network will be consumed at the customer-network ports of a provider device and the customer device will be displayed as an LLDP neighbor. Similarly the provider network device will show up as a neighbor on the customer's network if the customer-network ports send out LLDP advertisements.

load-sharing

In QinQ S-VLAN mode:

  • Equal cost multi-path (ECMP) is not supported on provider core devices.

management VLAN

In QinQ mixed VLAN mode:

  • The management VLAN cannot be an S-VLAN.

Meshing

In QinQ mixed VLAN mode:

  • Meshing is not supported on the device.

In QinQ S-VLAN mode:

  • On all provider-network ports of an S-VLAN bridge, meshing is supported.

  • Meshing cannot be enabled on customer-network ports.

Mirroring/Monitoring

In QinQ mixed VLAN mode:

  • Remote mirroring is not supported on S-VLANs.

  • Cannot monitor a VLAN with mirror ports in the other VLAN domain. That is, an S-VLAN or an S-VLAN port cannot be monitored using a C-VLAN port as its mirror, and vice-versa.

  • When a port is moved from the S-VLAN space to the C-VLAN space (or vice versa), all mirror/monitor sessions on the port must be unconfigured before the move will be allowed.

multicast-routing

In QinQ S-VLAN mode:

  • Multicast routing is not supported on provider core devices.

QoS

In QinQ mixed VLAN or S-VLAN modes:

  • HP does not recommend that you enable DSCP on S-VLANs used for tunneling as the customer IP-pkt will be modified in the S-VLAN space.

Routing

In QinQ S-VLAN mode:

  • Routing is not supported on provider core devices.

source-binding

In QinQ mixed VLAN or S-VLAN modes:

  • source-binding cannot be configured on S-VLANs.

source-route

In QinQ S-VLAN mode:

  • source-route is not supported on provider core devices.

Spanning Tree

In QinQ mixed VLAN mode:

  • Customer (C-VLAN) spanning tree is supported. All C-VLAN ports will receive/transmit customer STP BPDUs and participate in regular VLAN spanning tree as usual.

  • When customer STP BPDUs are received at S-VLAN ports on the switch, they will be flooded out of the other ports on the S-VLAN. All such frames will be tunneled through the S-VLAN tunnel unscathed.

  • Provider (S-VLAN) spanning tree is not supported on the switch. If S-VLAN STP frames are received on any S-VLAN enabled ports, they will be re-forwarded out of the other ports on the S-VLAN.

  • STP configuration on S-VLAN ports is not supported.

  • If a port that is a member of C-VLANs is moved into being a member of S-VLANs, the port would, by default, tunnel customer STP BPDUs.

  • If a C-VLAN port has been configured with any non-default STP parameters (such as admin-edge, auto-edge, and bpdu-protect) and is then moved into an S-VLAN, the port will be put into a forwarding state regardless of the STP configurations done when the port was a member of the C-VLAN.

  • MSTP instances cannot include S-VLANs.

In QinQ S-VLAN mode:

  • Provider (S-VLAN) spanning tree is supported—both provider-network ports and customer-network ports will receive/transmit provider STP BPDUs.

  • Customer (VLAN) spanning tree tunneling is supported on S-VLAN interfaces—customer-network or provider-network ports will tunnel customer STP BPDUs through the appropriate S-VLAN.

Stacking (3800 switches)

In QinQ mixed VLAN mode:

  • Stacking is supported only on C-VLANs. The device does not advertise itself (using the stack discovery protocol) in the S-VLAN space.

In QinQ S-VLAN mode:

  • Configuring QinQ with S-VLANs in a switch is not supported. Stacking discovery protocol frames will not be sent out of customer-network ports; similarly, any stacking discovery protocol frames received on customer-network ports will be dropped.

UDLD

In QinQ mixed VLAN or S-VLAN modes:

  • UDLD frames received on udld-disabled customer network ports will be dropped. However, if the customer-network port is udld-enabled, it can peer with a customer device.

  • UDLD frames received on udld-disabled provider network ports will be re-forwarded out of other udld-disabled provider network ports on the same VLAN.

  • UDLD re-forwarding in the C-VLAN space (QinQ disabled or mixed VLAN mode) will remain unaltered.

udp-bcast-forward

In QinQ S-VLAN mode:

  • udp-bcast-forward is not supported on provider core devices.

unknown-vlans

In QinQ mixed VLAN mode:

  • GVRP (learn and disabled modes) is not supported on S-VLAN ports.

  • A C-VLAN port that has GVRP enabled will need to disable it before it can be added to S-VLANs.

Voice VLANs

In QinQ mixed VLAN mode:

  • S-VLANs cannot be configured as voice-VLANs.

VRRP

In QinQ mixed VLAN or S-VLAN modes:

  • VRRP is not supported on S-VLANs.