
Technical White Paper for QinQ

Huawei Technologies Co., Ltd.



Contents

1 Foreword

2 Introduction
  2.1 QinQ Packet Format
  2.2 QinQ Encapsulation
    2.2.1 Port-Based QinQ Encapsulation
    2.2.2 Traffic-Based QinQ Encapsulation
    2.2.3 QinQ Encapsulation on the Route Subinterface
  2.3 QinQ Termination
    2.3.1 Termination Subinterface as a Gateway Device of Users
    2.3.2 Interconnection to MPLS/BGP L3 VPN of the Core Network
    2.3.3 Active/Standby Mechanism Supported by the QinQ Termination Subinterface
    2.3.4 Interconnection to VLL/PWE3 of the Core Network
    2.3.5 Interconnection to VPLS of the Core Network
  2.4 QinQ Packet Forwarding Flow
    2.4.1 QinQ Technology Used in the Whole Process
    2.4.2 QinQ Termination on the Edge of the Core Network

3 Typical Application
  3.1 Used by Public Users in the ME Network
  3.2 Interconnection to Leased Lines of Enterprise Users

4 Conclusion

Appendix A References

Appendix B Abbreviations

Copyright ©2007 Huawei Technologies Co., Ltd. All Rights Reserved


http://datacomm.huawei.com

Abstract: QinQ adds a second VLAN tag to an 802.1Q VLAN packet and thus expands the
VLAN space. The QinQ encapsulation and termination modes have diversified to cater
for the development of the metro Ethernet. QinQ is widely applied in the intensive
operation of carriers. This document describes the QinQ technology in detail.

Keywords: QinQ, Selective QinQ, QinQ Stacking subinterface, QinQ Termination, VLL,
VPLS, PWE3

1 Foreword

As the metro Ethernet is widely deployed, 802.1Q VLAN has become a limit on isolating
and identifying users. The VLAN ID in the tag defined in IEEE 802.1Q has 12 bits, so
the tag can indicate only 4K VLANs, which is not enough to identify the large number
of users. The QinQ technology was developed to solve this problem.

QinQ was originally designed to expand the number of VLANs by adding a tag to an
802.1Q packet. With this extra tag, the number of VLANs that can be indicated
increases to 4K × 4K. As the metro Ethernet grows and carriers move to lean
operation, the two QinQ tags can carry different information. For example, the inner
tag indicates the user and the outer tag indicates the service. In addition, a QinQ
packet with two tags can traverse the carrier's network while the inner tag is
transmitted transparently. Such a mode is also a simple and practical VPN technology.
Thus, QinQ can function as the extension of a core MPLS VPN into the metro Ethernet
to form an end-to-end VPN technology.

The details are given below.

2 Introduction

To master the QinQ technology, you should know about:

• Basic QinQ packet format
• QinQ encapsulation and termination modes
• QinQ packet forwarding flow

2.1 QinQ Packet Format


802.1Q Encapsulation

DA       SA       ETYPE    TAG      LEN/ETYPE  DATA               FCS
6 Bytes  6 Bytes  2 Bytes  2 Bytes  2 Bytes    0 Byte~1500 Bytes  4 Bytes

Q-in-Q Encapsulation

DA       SA       ETYPE    TAG      ETYPE    TAG      LEN/ETYPE  DATA               FCS
6 Bytes  6 Bytes  2 Bytes  2 Bytes  2 Bytes  2 Bytes  2 Bytes    0 Byte~1500 Bytes  4 Bytes

ETYPE: 0x8100    TAG: Priority, CFI, VLAN ID

The QinQ packet has a fixed format: one tag is stacked on another tag. A QinQ packet
is four bytes longer than a common 802.1Q packet.

The ETYPE value of a QinQ packet varies with vendors. Huawei keeps the default,
namely 0x8100. Some vendors set it to 0x9100. For interworking with the devices of
these vendors, Huawei devices allow users to configure the QinQ protocol on a per-port
basis. That is, a user can set the QinQ protocol to 0x9100, for example, on a device
port. In this case, when a QinQ packet passes the port, the ETYPE of its outer VLAN
tag is changed to 0x9100. In this way, QinQ packets sent to any port of another
device can be identified by that device.
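
The packet format and the per-port ETYPE setting described above, as an added example that is not part of the original white paper: a parser that classifies a raw frame as untagged, 802.1Q or QinQ and shows what a port sees when the outer ETYPE does not match its setting. The function names, the sample MAC addresses and the frames are constructed for this example.

```python
import struct

INNER_TPID = 0x8100
# Outer-tag ETYPE values the receiving port accepts. Both values are named in
# the text; the set stands in for the per-port QinQ protocol setting.
DEFAULT_OUTER_TPIDS = frozenset({0x8100, 0x9100})


class FrameError(ValueError):
    """Raised when a frame is truncated."""


def split_tag(tag):
    """Split the 2-byte TAG into Priority (3 bits), CFI (1 bit), VLAN ID (12 bits)."""
    return {"priority": tag >> 13, "cfi": (tag >> 12) & 1, "vid": tag & 0x0FFF}


def parse_frame(frame, outer_tpids=DEFAULT_OUTER_TPIDS):
    """Parse DA, SA, up to two VLAN tags and LEN/ETYPE (frame without FCS)."""
    if len(frame) < 14:
        raise FrameError("frame shorter than DA + SA + LEN/ETYPE")
    tags = []
    offset = 12
    # The first tag may use the port's outer ETYPE or plain 0x8100;
    # the second (inner) tag is always 0x8100.
    accepted = set(outer_tpids) | {INNER_TPID}
    while len(tags) < 2:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in accepted:
            break
        if len(frame) < offset + 6:
            raise FrameError("truncated VLAN tag")
        (tag,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(dict(tpid=etype, **split_tag(tag)))
        offset += 4
        accepted = {INNER_TPID}
    (etype,) = struct.unpack_from("!H", frame, offset)
    kind = ("untagged", "802.1Q", "QinQ")[len(tags)]
    return {"da": frame[0:6], "sa": frame[6:12], "kind": kind,
            "tags": tags, "ethertype": etype, "payload": frame[offset + 2:]}


def build_frame(tags, ethertype, payload=bytes(46)):
    """Constructed sample frame; tags is a list of (tpid, priority, vid), outermost first."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for tpid, priority, vid in tags:
        frame += struct.pack("!HH", tpid, (priority << 13) | vid)
    return frame + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    sample = build_frame([(0x9100, 5, 1000), (0x8100, 0, 100)], 0x0800)
    # Same frame, two port settings: one matches the sender, one does not.
    for port_setting in ({0x9100}, {0x8100}):
        parsed = parse_frame(sample, port_setting)
        print(sorted(hex(t) for t in port_setting), parsed["kind"],
              [t["vid"] for t in parsed["tags"]], hex(parsed["ethertype"]))
```

A port that expects only 0x8100 does not recognise the 0x9100 outer tag and treats the frame as untagged with an unknown ETYPE, which is the interworking problem the per-port setting addresses.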

2.2 QinQ Encapsulation

QinQ encapsulation converts an 802.1Q packet with a single tag into a QinQ packet
with double tags. Encapsulation is mainly implemented on the switched port of the UPE.
QinQ encapsulation can be based on port or on traffic. A special form of QinQ
encapsulation can also be performed on the route subinterface.

2.2.1 Port-Based QinQ Encapsulation

Port-based QinQ encapsulation encapsulates all traffic arriving on a port with one
outer VLAN tag. This mode is inflexible.

2.2.2 Traffic-Based QinQ Encapsulation

In the traffic-based encapsulation mode, the device performs traffic classification on
the data arriving on a port. Then, for each kind of traffic, it decides whether to add
an outer tag and which tag to use. In this mode, QinQ is also called selective QinQ.
Selective QinQ falls into the following types according to how traffic is classified:


Traffic classification by VLAN tag

1) Traffic classification according to the VLAN ID range of packets

When a user uses different VLAN IDs for different services, traffic can be classified
according to the VLAN ID range. For example, the VLAN ID for surfing on the
Internet by PC ranges from 101 to 200. The VLAN ID of IPTV service ranges from
201 to 300. The VLAN IDs of VIP customers range from 301 to 400. After receiving
user data, the UPE labels the traffic of surfing on the Internet by PC with 100 as an
outer tag, IPTV with 300, and VIP customers with 500.

2) Traffic classification according to the VLAN ID + User Priority

When a user uses the same VLAN ID for different services, his traffic can be
classified by priority and labeled with different outer tags.

3) QinQ encapsulation based on destination IP address

When a user uses a PC for surfing on the Internet and voice service, different users
have different IP addresses. Data can be classified by ACL and then labeled with
different outer tags.

4) QinQ encapsulation based on ETYPE

When a user uses a PC for PPPoE-based Internet access and IPoE-based IPTV
service, data can be classified by ETYPE, and then labeled with different outer tags.
The ETYPE of IPoE is 0x0800 and that of PPPoE is 0x8863/0x8864.
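
The classification modes listed above, as an added example that is not part of the original white paper: an ordered rule table that selects the outer tag by inner VLAN ID range, by VLAN ID plus priority, or by ETYPE, and then pushes that tag in front of the existing one. The VLAN ranges and outer tags 100/300/500 are the ones in the text; the other outer tags, the function names and the sample frames are constructed, and leaving the outer priority at 0 is an assumption of this example.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One traffic class; a field left as None is not checked."""
    outer_vid: int
    vid_range: Optional[Tuple[int, int]] = None   # inclusive inner VLAN ID range
    priority: Optional[int] = None                # inner user priority
    ethertypes: Optional[FrozenSet[int]] = None   # ETYPE after the inner tag

    def matches(self, vid, priority, ethertype):
        if self.vid_range is not None and not self.vid_range[0] <= vid <= self.vid_range[1]:
            return False
        if self.priority is not None and priority != self.priority:
            return False
        if self.ethertypes is not None and ethertype not in self.ethertypes:
            return False
        return True


# Ranges and outer tags from the VLAN ID range case in the text.
VLAN_RANGE_RULES = (
    Rule(outer_vid=100, vid_range=(101, 200)),   # surfing on the Internet by PC
    Rule(outer_vid=300, vid_range=(201, 300)),   # IPTV
    Rule(outer_vid=500, vid_range=(301, 400)),   # VIP customers
)
# ETYPE values from the text; outer tags 2001/2002 are constructed.
ETYPE_RULES = (
    Rule(outer_vid=2001, ethertypes=frozenset({0x8863, 0x8864})),  # PPPoE
    Rule(outer_vid=2002, ethertypes=frozenset({0x0800})),          # IPoE
)
# Same VLAN ID, different priority; all values constructed.
PRIORITY_RULES = (
    Rule(outer_vid=3001, vid_range=(10, 10), priority=5),
    Rule(outer_vid=3002, vid_range=(10, 10), priority=0),
)


def classify(frame, rules):
    """Return the outer VLAN ID for a single-tagged frame, or None if no rule applies."""
    if len(frame) < 18:
        raise ValueError("too short for a single-tagged frame")
    tpid, tag, ethertype = struct.unpack_from("!HHH", frame, 12)
    if tpid != 0x8100:
        return None  # not an 802.1Q single-tagged frame
    vid, priority = tag & 0x0FFF, tag >> 13
    for rule in rules:  # first matching rule wins
        if rule.matches(vid, priority, ethertype):
            return rule.outer_vid
    return None


def encapsulate(frame, rules, outer_tpid=0x8100):
    """Insert the selected outer tag after SA; unmatched traffic gets no outer tag."""
    outer_vid = classify(frame, rules)
    if outer_vid is None:
        return frame
    # Outer priority and CFI are left at 0 (assumption of this example).
    return frame[:12] + struct.pack("!HH", outer_tpid, outer_vid) + frame[12:]


def sample_frame(vid, priority, ethertype):
    """Constructed single-tagged frame (no FCS) used as input."""
    header = bytes.fromhex("ffffffffffff020000000001")
    return header + struct.pack("!HHH", 0x8100, (priority << 13) | vid, ethertype) + bytes(46)


if __name__ == "__main__":
    for vid in (150, 250, 350, 450):
        print(vid, "->", classify(sample_frame(vid, 0, 0x0800), VLAN_RANGE_RULES))
```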

2.2.3 QinQ Encapsulation on the Route Subinterface

In general, QinQ encapsulation proceeds on a switched port. One exception is that QinQ
encapsulation can proceed on the route subinterface.

When the user data is transmitted transparently over the core network by VLL/PWE3, the
route subinterface on the NPE can encapsulate the outer VLAN based on VLAN tag and
access VLL/PWE3 through the outer VLAN. In this mode, multiple VLANs of users can
be transmitted transparently through a subinterface, which is called QinQ Stacking
subinterface.

This is also a traffic-based encapsulation mode. This mode is useful only when QinQ
Stacking subinterface is used with L2VPN (PWE3/VLL/VPLS). In this mode, L3
forwarding is not supported.


2.3 QinQ Termination

Termination identifies the outer and inner tags of a QinQ packet and then, depending
on the subsequent forwarding, either strips both tags or continues to transmit the
QinQ packet. When QinQ technology is used to interconnect with the core network, the
termination method varies.

On the edge of the core network, QinQ termination is carried out on the route
subinterface, namely, QinQ Termination subinterface. The QinQ Termination
subinterface is similar to a common VLAN subinterface. The common VLAN subinterface
identifies and terminates the single-tagged VLAN. The QinQ Termination subinterface
identifies and terminates double-tagged VLAN. The QinQ Termination can be
unambiguous or ambiguous:

• When both the inner and outer VLAN tags have specific values, the QinQ
  Termination subinterface is unambiguous.

  Example: Ethernet 1/0/1.1> QinQ termination pe-vid 100 ce-vid 200

• When both the inner and outer VLAN tags are configured to a range of values, the
  QinQ Termination subinterface is ambiguous.

  Example: Ethernet1/0/1.2> QinQ termination pe-vid 200 ce-vid 300 to 400

           Ethernet1/0/1.2> QinQ termination pe-vid 201 ce-vid 300 to 400

The implementation methods and functions of a QinQ Termination subinterface depend
on the specific application scenario. The details are given below.

2.3.1 Termination Subinterface as a Gateway Device of Users

When the termination subinterface functions as a gateway device of users, it provides
the following functions:

• Supporting IP forwarding

When the NPE on the edge of the core network functions as a gateway device of
users, the QinQ Termination subinterface supports IP forwarding.

The QinQ Termination subinterface first identifies the double-tagged VLAN. The ARP
entry includes IP address, MAC address and information on the double-layer VLAN.

For the uplink data stream, the termination subinterface does the following:

Strip the information on the MAC address and VLAN.



Search in the routing table according to the destination IP address.

Perform L3 forwarding.

For the downlink data stream, the termination subinterface does the following:

Encapsulate the MAC address and the double-tagged VLAN of the IP packet
according to the ARP entry.

Transmit the IP packet to the end user.

• Supporting the ARP agent

The QinQ Termination subinterface supports the ARP agent, thus enabling L2
interworking between users in different VLANs. Details are as follows:

All users share an IP network segment. Each user has a different VLAN ID. User
packets are encapsulated by using QinQ technology and terminated on a
subinterface. When a user communicates with another user, the destination IP
address is checked first.

If the users belong to different network segments, an ARP request is initiated for the
gateway address. Then, L3 forwarding is performed through the gateway.

If the users belong to one network segment, an ARP request for the destination IP
address is sent directly. However, the ARP request cannot be broadcast to the end
user because the users belong to different VLANs. In this case, the ARP agent is
enabled on the QinQ Termination subinterface to make a broadcast path available for
the ARP packet so that the users in different VLANs can interwork with each other at
layer 2.

• Supporting DHCP Server

The QinQ Termination subinterface supports DHCP Server. With this function, IP
addresses can be allocated to all QinQ users terminated by the QinQ subinterface.

• Supporting DHCP Relay

The QinQ Termination subinterface supports DHCP Relay to forward DHCP
requests and allocate IP addresses to users. When working with DHCP Snooping,
DHCP Relay can generate a DHCP binding table to prevent attacks from unauthorized
users. The specific process is as follows:

1) Enable DHCP Relay and DHCP Snooping on the device.


2) The DHCP Snooping device captures the DHCP request that enters the DHCP
Relay device, inserts the information on the outer and inner tags into the Option 82
field of the DHCP request, and continues to forward the request to the DHCP
Server.

3) When the DHCP Relay device receives an ACK packet, the DHCP Snooping
device parses it and records the IP address and MAC address of the user.

4) A DHCP binding table, including the IP address, MAC address, and information on
the outer and inner QinQ tags, is generated on the subinterface.

5) The forwarding engine checks whether the IP packets and ARP packets
received on the port are valid according to the information in the binding table, and
filters out invalid packets.
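
Steps 2) to 5) above, as an added example that is not part of the original white paper and not Huawei's implementation: a binding table keyed by IP address that is filled from the DHCP ACK and then used to validate IP and ARP packets against IP address, MAC address and both QinQ tags. The Option 82 layout (one sub-option holding the outer and inner VLAN IDs), the assumption that the server echoes Option 82 in the ACK, and all addresses are constructed for this example.

```python
import struct
from dataclasses import dataclass

CIRCUIT_ID = 1  # sub-option code used to carry the tags (layout assumed for this example)


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    outer_vid: int
    inner_vid: int


def make_option82(outer_vid, inner_vid):
    """Step 2: value inserted into the relayed request (code, length, outer, inner)."""
    return struct.pack("!BBHH", CIRCUIT_ID, 4, outer_vid, inner_vid)


def parse_option82(value):
    """Recover (outer_vid, inner_vid), or None if the value is not in the layout above."""
    if len(value) != 6:
        return None
    code, length, outer_vid, inner_vid = struct.unpack("!BBHH", value)
    if code != CIRCUIT_ID or length != 4:
        return None
    return outer_vid, inner_vid


class BindingTable:
    """DHCP binding table generated on a QinQ Termination subinterface."""

    def __init__(self):
        self._by_ip = {}

    def on_ack(self, yiaddr, chaddr, option82):
        """Steps 3-4: record IP, MAC and both tags from a snooped ACK."""
        tags = parse_option82(option82 or b"")
        if tags is None:
            return None  # no usable tag information: no binding is created
        binding = Binding(yiaddr, chaddr.lower(), *tags)
        self._by_ip[yiaddr] = binding
        return binding

    def permit_ip(self, src_ip, src_mac, outer_vid, inner_vid):
        """Step 5: an IP packet is valid only if all four fields match one binding."""
        return self._by_ip.get(src_ip) == Binding(src_ip, src_mac.lower(), outer_vid, inner_vid)

    def permit_arp(self, sender_ip, sender_mac, eth_src_mac, outer_vid, inner_vid):
        """Step 5 for ARP: the ARP sender fields and the Ethernet source must agree."""
        if sender_mac.lower() != eth_src_mac.lower():
            return False
        return self.permit_ip(sender_ip, sender_mac, outer_vid, inner_vid)


def demo():
    """Run constructed packets through the table and return (label, verdict) pairs."""
    table = BindingTable()
    table.on_ack("10.0.0.10", "00:11:22:33:44:55", make_option82(1000, 100))
    user = ("00:11:22:33:44:55", 1000, 100)
    return [
        ("bound user", table.permit_ip("10.0.0.10", *user)),
        ("unassigned source IP", table.permit_ip("10.0.0.11", *user)),
        ("right IP/MAC, other inner tag", table.permit_ip("10.0.0.10", user[0], 1000, 101)),
        ("ARP with mismatched sender MAC",
         table.permit_arp("10.0.0.10", "00:aa:bb:cc:dd:ee", user[0], 1000, 100)),
    ]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:32s} {'forward' if verdict else 'drop'}")
```

Including both tags in the match means a packet with a correct IP and MAC address is still dropped when it arrives with tags other than the ones the lease was issued on.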

2.3.2 Interconnection to MPLS/BGP L3 VPN of the Core Network

Enterprise users are interconnected through the VPN. When the core network uses
MPLS/BGP L3 VPN, in the ME network, QinQ packet can be terminated on a
subinterface of the PE. The termination subinterface is bound to a VRF, and thus forms
an end-to-end VPN. In this case, the QinQ Termination subinterface supports the
following functions:

• Supporting IP forwarding

Similar to the IP forwarding in Section 2.3.1.

• Supporting unicast routing protocol

The core network transmits the routing information of the private network by using a
normal MBGP.

Routing information is transmitted between the PE and the CE over IGP. Because
QinQ Termination subinterface is used on the PE, the transmission of the routing
protocol packets is a little different. The uplink protocol packets are encapsulated by
using the QinQ technology, terminated and processed on the NPE subinterface. The
downlink protocol packets are labeled with an outer and an inner tag through the
ARP entry, and sent to the CE for processing to exchange routing information.

QinQ Termination subinterface supports BGP, OSPF, ISIS, and RIP.


2.3.3 Active/Standby Mechanism Supported by the QinQ Termination Subinterface

VRRP is a redundancy backup protocol. When the next hop router of the host fails, this
protocol enables another router to take over its work, thus ensuring the continuity and
reliability of network communication. The QinQ Termination subinterface supports VRRP.

As shown in the figure above, the selective QinQ function is enabled on Switch1. All
data packets with inner VLAN IDs within 100–200 are labeled with the outer VLAN
ID 1000. The QinQ packets are terminated at a subinterface of R1 and R2 respectively.
A VRRP instance is set up within a specific double-layer tag, such as 1000/100. This
VRRP instance is valid not only for the QinQ data tagged 1000/100, but also for all
QinQ packets terminated on the subinterface. Detailed rules are as follows:

VRRP includes the following three functions:

• Maintain the active/standby status of the VRRP router.

• Respond to the ARP request of the user.

• Update the MAC entry in connection with the L2 switch.

When VRRP is enabled on the QinQ Termination subinterface, the three functions
are implemented as follows:


• The active/standby status of the VRRP routers on both ends is maintained through
  the VRRP instance with the double-layer tag 1000/100. No special processing is
  required.

• The ARP module responds to ARP requests regardless of the double-layer tag
  set in the VRRP configuration. That is, it responds not only to ARP requests with
  the double-layer tag 1000/100, but also to ARP requests with the outer tag 1000
  and an inner tag of 101 to 200, and to the ARP requests of other QinQ packets
  terminated on the subinterface.

• The MAC entry of the L2 switch is updated by periodically sending free
  (gratuitous) ARP packets. One free ARP is copied for every double-layer tag on the
  termination subinterface. By doing so, the whole VLAN space of the L2 switch learns
  the virtual MAC address. To ensure performance, send free ARPs more frequently
  during status switching and less frequently while the status is stable. Free ARPs
  should be sent more often than the MAC entries of the L2 switch age out.

Note: If no free ARP is sent, the virtual router can send an ARP reply, in response to the ARP request sent
by a user, to update the MAC entry of the L2 switch. However, the aging of the ARP entry is slow, which leads
to much broadcast traffic in the network due to failed lookups in the MAC table. In addition, the return
data packets do not allow the L2 switch to learn the virtual MAC address. In this case, the real MAC
address is learned. To update the virtual MAC entry of the L2 switch, wait until the ARP entry is aged.

Enabling VRRP on the QinQ Termination subinterface has the following advantages:

• One VRRP instance can be set up for the QinQ users in the same network segment
  even if they have different VLAN tags, thus saving VRRP resources.

• Hardware resources of routers are saved.

• The waste of IP addresses is reduced and the number of access users is increased.

2.3.4 Interconnection to VLL/PWE3 of the Core Network

The QinQ Termination subinterface accesses the PWE3/VLL of the core network based on
the VLAN tag range. Users' data with double tags is sent transparently to a remote
BRAS device so that the BRAS can identify and verify users.

Note: Both QinQ Termination subinterface and Stacking subinterface can interconnect to
the L2 VPN of the core network. However, the interconnection differs.


• QinQ Termination subinterface terminates user data with the tags within the range of
  double-layer VLAN tags. The user data received carries double-layer VLAN tags.

• QinQ Stacking subinterface adds an outer VLAN tag to the user data with the tags
  within the range of single-layer VLAN tags. The user data received carries a
  single-layer VLAN tag.

2.3.5 Interconnection to VPLS on the Core Network

When VPLS is used in the core network, QinQ accesses the VPLS in a symmetric or an
asymmetric mode.

As defined in Virtual Private LAN Service (VPLS), one VC link can only be used to
connect two VLANs located at different places. To connect multiple VLANs located at
different places, multiple VC connections are required. Because a QinQ subinterface
supports a range of VLANs, one VC link can be used to connect two QinQ VLAN ranges
through the QinQ Termination subinterface. The traffic of all VLANs passes over the
VC link, thus saving the VC resources of the public network. VPLS forwarding is
performed through MAC address learning. If MAC address learning supports the
learning mechanism of the double-layer VLAN tag, the QinQ Termination subinterface
can build MP2MP connections through VPLS on the core network.

QinQ users can access the VPLS in a symmetric or an asymmetric way as they need.

• Symmetric access

When QinQ users access the VPLS in symmetric mode, isolation is implemented
within the user VLAN (based on the inner tag).


The figure above shows the symmetric mode. After PE1 receives a data packet with
an outer and an inner tag, it uses the inner tag as the user tag. MAC address
learning is based on the outer tag only. The inner tag of the user is transparently
transmitted to PE2. In this way, the users' VLANs are segregated. That is, VLAN100
below PE1 can only communicate with VLAN100 below PE2.

• Asymmetric access

Asymmetric access is the default mode. QinQ users can access the VPLS in
asymmetric mode to implement interworking in the whole VSI range. Even if users
on both ends access the VPLS in a symmetric mode, they can work in an
asymmetric mode.


The figure above shows the asymmetric mode. After PE1 receives a data packet
with an outer and an inner tag, it uses both tags as the ISP tags. MAC address
learning is based on both the outer and the inner tags. User data passing through
the VPLS does not carry the VLAN tag. In this mode, user VLANs cannot be isolated.
That is, VLAN100 below PE1 can communicate with both VLAN300 and VLAN400 below PE2.

In the symmetric mode, VLANs must be planned at all sites consistently, and only the
same VLAN at different sites can access each other. In the asymmetric mode, users can
plan their own VLANs at will. Any VLAN users at any sites can communicate with each
other.

2.4 QinQ Packet Forwarding Flow

In the process of forwarding QinQ packets, only the devices on two ends that
encapsulate and terminate QinQ packets need to process the outer and inner tags. All
intermediate devices only process outer tags. In other words, the devices that do not
support QinQ can be used as intermediate devices.

There are two scenarios for QinQ packet forwarding. One is to use QinQ technology in
the whole process. The other is to terminate QinQ packets on the edge of the core
network.


2.4.1 QinQ Technology Used in the Whole Process

Because QinQ technology enables transparent transmission of user data, port-based
QinQ can be used for simple VPNs. As shown in the figure above, the CE interconnects
to the PE by Trunk. The PE port uses the Access mode and enables the port-based QinQ
function. After user data arrives at PE1, it is uniformly encapsulated with VLAN tag
1000. In the intermediate network, QinQ packets are sent according to the outer VLAN.
After the QinQ packets arrive at PE2, the outer tag is stripped according to the
Access feature of the port and the user data is recovered.

2.4.2 QinQ Termination on the Edge of the Core Network

This scenario is widely used in the ME network. QinQ encapsulation is mainly based on
traffic. After user data arrives at the UPE, it is labeled with different outer tags
according to the traffic classification rules. Then, the user data is sent through the
intermediate network according to the outer tags. After the data arrives at the QinQ
termination device, it is handled according to the configuration of the core network.
For details, refer to the QinQ termination described above.


3 Typical Application

3.1 Used by Public Users in the ME Network


[Figure: public users in the ME network, showing the core network and the metropolitan Ethernet. Callouts in the figure:]

• VRRP of QinQ termination sub-interfaces of two NPEs can be started to ensure
  network reliability.
• Start the QinQ termination sub-interface. The outer and the inner tags are VLAN ID
  ranges.
• Start the DHCP binding table to prevent attacks.
• Enable flexible QinQ. Outer tags are labeled by the internal VLAN ID range. The
  outer tag of each DSLAM is different.

As shown in the figure above, the DSLAM device supports multi-PVC access. One user
uses multiple services, for example, surfing on the Internet by PC, IPTV and VOIP.

Carriers define a different PVC and a different range of VLAN IDs for each service.

Surfing on the Internet by PC: 101-300; VOIP: 301-500; IPTV: 501-700

Suppose a user uses the VOIP service. The user data arrives at the DSLAM device
along the specified PVC. According to the mapping between the PVC and the VLAN ID
range, the data is tagged, 301 for example, in the VOIP VLAN range. When VOIP
packets arrive at the UPE, they are tagged with outer VLAN IDs, 2000 for example. The
inner VLAN tag indicates user information. The outer VLAN tag indicates service
information or location information of the DSLAM device. Data transmitted below
different DSLAM devices are tagged with different outer tags. Then, data arrives at the
NPE according to the outer VLAN tag and is terminated on the QinQ Termination
subinterface. Based on the core network configuration, IP forwarding is performed or the
data enters the related VPN.


The service of surfing on the Internet by PC and IPTV service are processed similarly,
except that traffic of the surfing on Internet by PC is QinQ terminated on a BRAS device.

As required, the NPE can do the following:

• Perform HQOS scheduling according to the double-layer tag

• Generate a DHCP binding table to prevent network attacks

• Perform DHCP plus authentication based on double-layer VLAN and other
  information

• Enable QinQ VRRP on itself to ensure reliable access to services

Note: The NPE device mentioned above includes a BRAS device and an SR device.

3.2 Interconnection to Leased Lines of Enterprise Users

As shown in the figure above, an enterprise deploys two sites at different places. Each
site contains finance, marketing, and other networks. To ensure the security of the
networks, users of one network cannot communicate with users of another network.

The VPLS technology is applied to the core network and QinQ to the ME network. Three
VLANs are deployed at each site: finance, marketing, and others. Their VLAN IDs are
100, 200, and 300 respectively. On the UPE, outer VLAN 1000 is encapsulated based on
port (the outer VLAN IDs at both sides can be different). The VSI on the NPE is set to
symmetric mode. Thus, users of different sites cannot communicate with each other
unless they belong to the same VLAN.


4 Conclusion

The use of QinQ technology enriches the application scenarios of VLAN. As the metro
Ethernet develops, QinQ plays an increasingly important role in the metro Ethernet
solutions due to its:

• Simplicity

• Flexibility

• Support for a wide variety of services

Appendix A References

IEEE 802.1Q
IEEE 802.1ad

Appendix B Abbreviations

Abbreviation/Acronym   Full spelling

QinQ                   802.1Q in 802.1Q
VPLS                   Virtual Private LAN Service
VSI                    Virtual Switch Instance
VLL                    Virtual Leased Line
PWE3                   Pseudo Wire Emulation Edge-to-edge
PW                     Pseudo Wire
