Lessons Learned: Cisco Catalyst Q-in-Q

Today I had the chance to work on a scenario where Cisco Q-in-Q was needed. Basically, Q-in-Q is a method wherein a VLAN (normally that of a customer) is left intact and encapsulated within another VLAN (normally that of a provider). So it's VLAN-within-a-VLAN.

There are plenty of guides on the internet that explain it, though in a nutshell, a simple scenario would be:

[Diagram: cisco-q-in-q]

So a customer tags his traffic with VLAN tag 123, or anything else of their choice, and the provider would like to keep an outer tag of 456 within their infrastructure. In essence, port f0/1 on SW_P1 needs to encapsulate anything that enters it with VLAN tag 456, and remove that outer tag from traffic exiting the interface, leaving the inner traffic intact.
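The tag handling described above, sketched at the frame level as an added example (not part of the original post and not Cisco code). It assumes the outer tag uses the standard 802.1Q TPID 0x8100; the MAC addresses and payload are constructed sample values.

```python
import struct

TPID_DOT1Q = 0x8100  # assumption: outer and inner tags both use TPID 0x8100

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag right after the destination and source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1-4094")
    tci = (pcp << 13) | vid  # 3-bit priority, DEI left at 0, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_DOT1Q, tci) + frame[12:]

def strip_outer_tag(frame: bytes, expected_vid: int) -> bytes:
    """Remove only the outermost tag, as the tunnel port does on egress."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry a tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_DOT1Q or (tci & 0x0FFF) != expected_vid:
        raise ValueError("frame does not carry the expected outer tag")
    return frame[:12] + frame[16:]

def vlan_stack(frame: bytes) -> list:
    """Return the VLAN IDs present in the frame, outermost first."""
    vids, offset = [], 12
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if tpid != TPID_DOT1Q:
            break  # reached the real EtherType
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids

# Constructed sample frame: broadcast destination, locally administered
# source, EtherType IPv4, zero-filled payload.
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
            + struct.pack("!H", 0x0800) + b"\x00" * 46)

CUSTOMER_FRAME = add_tag(UNTAGGED, 123)                 # customer's own tag
PROVIDER_FRAME = add_tag(CUSTOMER_FRAME, 456)           # entering f0/1 on SW_P1
DELIVERED_FRAME = strip_outer_tag(PROVIDER_FRAME, 456)  # leaving the tunnel port

if __name__ == "__main__":
    print("customer side :", vlan_stack(CUSTOMER_FRAME))
    print("provider core :", vlan_stack(PROVIDER_FRAME))
    print("inner frame unchanged:", DELIVERED_FRAME == CUSTOMER_FRAME)
    print("bytes added by the outer tag:", len(PROVIDER_FRAME) - len(CUSTOMER_FRAME))
```

The outer tag makes every tunnelled frame 4 bytes longer inside the provider network than it was on the customer side.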

Fairly simple with the Cisco Catalyst switches, for example:

SW_P1, f0/1:

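conf t
interface FastEthernet0/1
description ****
! outer (provider) VLAN applied to everything entering this port
switchport access vlan 456
switchport mode dot1q-tunnel
duplex full
speed 100
no mdix auto
! tunnel the customer's CDP, STP and VTP frames across the provider network
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
exit

! global command: tag native VLAN frames on trunk ports as well
vlan dot1q tag native
end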

SW_P1, f0/2:

conf t
interface FastEthernet0/2
description ****
! where the platform also supports ISL, set the encapsulation before the mode
switchport trunk encapsulation dot1q
switchport mode trunk
end

There's much more info on the 'net about the above, though the above alone will give you a general idea. What is not very well documented is that before even starting on any of the above commands, you need to disable IGMP snooping using:

no ip igmp snooping

Otherwise, the switch simply doesn't perform Q-in-Q. To be fair, Cisco documentation states that IGMP snooping and Q-in-Q do not work well together and so IGMP snooping should be disabled. But most guides on the internet fail to tell you this.