802.1Q Tunneling (Q-in-Q) Configuration Example

Great article, but you might want to edit this little typo as Fa0/20 is not in your example diagrams:

SW3(config)#interface fastEthernet 0/20  
SW3(config-if)#switchport trunk encapsulation dot1q 
SW3(config-if)#switchport mode trunk

I knew what you meant, though, and again, great article!

Thanks Matt, I just fixed it :slight_smile:


Dear Rene!,

you deserve thanks from me. one of our customer in France ordered EVPL link but due to miss understanding of our project team, they configured MPLS L2 VPN. however, our customer requirement is EVPL which they are sending touble tags and they also want their other end End-user to see the inner tag here in Saudi arabia.
The issue came to me and still working on QnQ. However, after studying your topin, i am more than clear now and i belive i can solve their issue tommorow.

Thank you so much.

Hi Rene,
In frame, Next to source mac will it be customer vlan tag or isp vlan tag?
Router R1 and Router R2 near customer site is bit confusing , my understanding is router terminates all broadcast traffic. How come traffic for the same vlan goes through router to the other side of customer site ?
Please correct me or point me to some links explain about these metro ethernet concepts in detail.

Hi Srini,

I used routers just to have some “customer” device that could do tagging for me in this example. In a real network, you would use customer switches instead.

The tag on the left side is the tag from the ISP, I should probably have used the same color for the customer tag.


Hi Rene

My question is : does the actual RSP720-3C-10GE also support the Q-in-Q feature ?

We have a client that might want to shift away from the 7200/NPE-G2 and start using the 7600 series router and asked me if it does support the feature without use of the ES+ line cards.

I find this Cisco 7600 series router config document regards to QinQ (802.1ad) :

And i find this one for the ES+ line cards :

Hope you can give me more info … thanks in advance


Hi Tim,

I checked the Cisco feature navigator and it does show Q-in-Q support for the 7600-RSP720-10GE/MSFC4.

Just to be sure, better double check that with Cisco perhaps :slight_smile:


Hi Rene

Cisco is not very helpfull if you do not have a service contract.
I have a expired CCNA cert :frowning: …and only CCIE like you get access to all the Cisco tools and TAC.

But you are right if i research by software , then choose the RSP720 / major release / release / feature set i find Q-in-Q and also with 802.1ad .

The weird thing is that I can still not find it when i search by Feature/Technology … i do find the feature 802.1ad … the only IOS releases i get are XE IOS then i see the ASR903 ASR-920
With the other last releases (15.4S and 15.5S) i only find the ME3600/3800 machines.

But thanks for the help.


How can we encrypt traffics passing through Metro Ethernet?

Hi Don’

Here’s a good document:

Layer two Encryptors for Metro and Carrier Ethernet


Hello Rene,

Please correct me if I am wrong!

Frame Comes From R1 to SW1, the max size could be 1522 bytes(1460data+20TCP+20IP+14ETH+4FCS+4VLAN_TAG) and when leave from switch size will be 1526 bytes (adding another 4 byte tag) but you mentioned the size 1500 and 1504. Little bit confused on it. Thanks,


Hi Zaman,

The Ethernet MTU is 1500 bytes which means that the payload of the Ethernet frame can be 1500 bytes. In reality, the entire frame is 1460 (data) + 20 (IP) + 20 (TCP) + 14 (Ethernet header) = 1514 bytes.

By setting the MTU to 1504, we can send a payload of 1500 bytes including a 4 byte 802.1Q tag.


Is it usually recommended that the customer tag its own packets? Doesnt seem to be a requirement in your demonstration but I can see how things can go wrong very quickly. Native VLAN might be used for something else within the SP cloud. Although they can force all the frames to be tagged with the vlan dot1q tag native command.

Hello Michael.

The customer does not necessarily have to tag his own packets. It is not a requirement. The packets will pass through the q-in-q tunnel in whatever format the customer sends them in: either tagged or untagged depending on his needs.

I’ve implemented a q-in-q production network and I tend to agree with you that it is a much cleaner implementation if no untagged traffic was allowed on (the outer layer of) a q-in-q tunnel. (The inner layer or the customer traffic can send whatever they want). The dot1q tag native command is very useful in keeping the implementation clean.

I hope this has been helpful!


Why when the interface of a CE or an Access Metro is down and after is up, Thor CdP is is disable? There is any form that doesn’t fall?

Hello Oscar.

I’m not sure I understand your question completely. Can you describe the situation in more detail? If I understand correctly, when your customer equipment access port goes down and then comes back up, CDP is disabled? Can you give me a little more information?



HI Rene,

Can you please explain how dot1 q tunneling is beneficial in a customer environmrnt? Can you cite a scenario?

Hello Ananth.

QinQ tunneling is mainly used by telcos to allow for the trunking of multiple customer VLANs over one telco VLAN. It is rare to actually use QinQ tunneling just within a customer’s network.

I can give you an example of the use of QinQ within a customer environment based on my experience. I am administrator of a Municipal Fibre Optic (MAN) network which is owned by the municipality that I partner with. There are over 80 km of fibre optic cabling that terminates at 24 different nodes with Cisco equipment in each. The fibre optic network serves many of the municipality’s buildings but also provides network connectivity for the city’s hospitals, schools and other public services. Each service that is connected is provided with one VLAN.

The municipality itself is a special case, because we have 18 VLANs that serve the internal networks of the municipality itself. So, I created VLAN 35 on the Fibre Optic network (propagated to all switches via VTP) as a QinQ VLAN and pass all of the municipality’s internal VLANs over that VLAN. So because the MAN belongs to the municipality, strictly speaking, I created a QinQ VLAN within the customer’s network.

In order to warrant the use of QinQ on a customer’s network, it must be a very large network with special VLAN requirements. You will not come across such a network very often.

I hope this has been helpful!


Great way of explanation.


Which IOS code are we using on this config video?