Administration Guide

QinQ 802.1Q in 802.1Q

QinQ (802.1Q in 802.1Q), which inserts multiple VLAN tags into a single frame, is supported on FortiGate VM models.

In this example, the FortiGate VM is connected to a provider vSwitch and then a customer switch. The FortiGate encapsulates the frame with an outer 802.1Q tag of VLAN 100 and an inner 802.1Q tag of VLAN 200; port5 is used as the physical port. The provider vSwitch strips the outer tag and forwards traffic to the appropriate customer. Then the customer switch strips the inner tag and forwards the packet to the appropriate customer VLAN.

To configure the interfaces:
  1. Configure the interface to the provider that uses the outer tag:

    config system interface
        edit "vlan-8021q"
            set vdom "root"
            set device-identification enable
            set role lan
            set interface "port5"
            set vlan-protocol 8021q
            set vlanid 100
        next
    end
  2. Configure the interface to the provider that uses the inner tag:

    config system interface
        edit "vlan-qinq8021q"
            set vdom "root"
            set ip 1.1.1.71 255.255.255.0
            set allowaccess ping https ssh snmp http
            set device-identification enable
            set role lan
            set interface "vlan-8021q"
            set vlanid 200
        next
    end
To verify the traffic:
  1. From the FortiGate, ping 1.1.1.72:

    # execute ping 1.1.1.72
    PING 1.1.1.72 (1.1.1.72): 56 data bytes
    64 bytes from 1.1.1.72: icmp_seq=0 ttl=255 time=0.2 ms
    64 bytes from 1.1.1.72: icmp_seq=1 ttl=255 time=0.1 ms
    64 bytes from 1.1.1.72: icmp_seq=2 ttl=255 time=0.1 ms
    64 bytes from 1.1.1.72: icmp_seq=3 ttl=255 time=0.1 ms
    ^C
    --- 1.1.1.72 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 0.1/0.1/0.2 ms
  2. Verify the packet capture frame header output captured from the FortiGate's port5:

    Frame 2: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
    Ethernet II, Src: VMware_93:ae:8f (00:50:56:93:ae:8f), Dst: VMware_93:e3:72 (00:50:56:93:e3:72)
        Destination: VMware_93:e3:72 (00:50:56:93:e3:72)
        Source: VMware_93:ae:8f (00:50:56:93:ae:8f)
        Type: 802.1Q Virtual LAN (0x8100)
    802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 100
        000. .... .... .... = Priority: Best Effort (default) (0)
        ...0 .... .... .... = DEI: Ineligible
        .... 0000 0110 0100 = ID: 100
        Type: 802.1Q Virtual LAN (0x8100)
    802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 200
        000. .... .... .... = Priority: Best Effort (default) (0)
        ...0 .... .... .... = DEI: Ineligible
        .... 0000 1100 1000 = ID: 200
        Type: IPv4 (0x0800)
    Internet Protocol Version 4, Src: 1.1.1.71, Dst: 1.1.1.72
    Internet Control Message Protocol

    The outer tag (first tag) is an 802.1Q tag with VLAN ID 100. The inner tag (second tag) is also an 802.1Q tag with VLAN ID 200.
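
The check in step 2 can be scripted against raw frame bytes. The following Python is an added example, not Fortinet code: it walks the VLAN tag stack and confirms outer VLAN 100 and inner VLAN 200. The function names are hypothetical, the sample frame is constructed from the addresses and tag values in the capture above with a zero-filled payload, and the parser also accepts the 802.1ad TPID (0x88A8), which goes beyond the 0x8100-only case shown on this page.

```python
import struct

TPIDS = (0x8100, 0x88A8)  # 802.1Q (seen in the capture) and 802.1ad

def parse_vlan_stack(frame: bytes):
    """Return (tags, ethertype); tags are listed outermost first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    (etype,) = struct.unpack_from("!H", frame, offset)
    tags = []
    while etype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, next_type = struct.unpack_from("!HH", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
        etype = next_type
    return tags, etype

def check_qinq(frame: bytes, outer_vid: int = 100, inner_vid: int = 200):
    """Return a list of mismatches; an empty list means the frame is as expected."""
    tags, _ = parse_vlan_stack(frame)
    if len(tags) != 2:
        return [f"expected 2 VLAN tags, found {len(tags)}"]
    problems = []
    for name, tag, want in (("outer", tags[0], outer_vid),
                            ("inner", tags[1], inner_vid)):
        if tag["vid"] != want:
            problems.append(f"{name} VLAN ID is {tag['vid']}, expected {want}")
    return problems

# Constructed sample: MACs, tags and EtherType from the capture above;
# the 84-byte IPv4/ICMP payload is zero-filled, giving 106 bytes in total.
SAMPLE_FRAME = (
    bytes.fromhex("00505693e372")      # destination MAC
    + bytes.fromhex("00505693ae8f")    # source MAC
    + bytes.fromhex("81000064")        # outer tag: TPID 0x8100, VLAN 100
    + bytes.fromhex("810000c8")        # inner tag: TPID 0x8100, VLAN 200
    + bytes.fromhex("0800")            # EtherType IPv4
    + bytes(84)
)

if __name__ == "__main__":
    print(parse_vlan_stack(SAMPLE_FRAME))
    print(check_qinq(SAMPLE_FRAME) or "QinQ tags match: outer 100, inner 200")
```

A frame that arrives with only one tag, or with the VLAN IDs swapped, produces a non-empty mismatch list, which makes the script usable as a regression check after interface changes.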
