6.4.6

Carrying customer VLANs over a provider network

Note

This cookbook article is for FortiSwitch units in standalone mode.

This cookbook article describes how to use VLAN stacking (QinQ) to carry customer VLANs over a service provider network. The following tasks are covered:

  1. Configure the provider switches
  2. Accept specific VLANs at the provider ingress
  3. Assign different service tags at the provider ingress
  4. Retag service VLANs
  5. VLAN retagging/translation of regular 802.1Q traffic

There are two customers, Customer Red and Customer Green, each with two FortiSwitch units. They are connected to the three FortiSwitch units belonging to the service provider.

  • Customer Red is using VLANs 10-15, VLAN 30, and untagged VLAN 60 to connect to port1 of the provider switches PSW1 and PSW3. The provider is using port3 to connect to Customer Red through VLANs 10-15, VLAN 30, and untagged VLAN 60.
  • Customer Green is using VLANs 20, 40, and 50 to connect to port2 of the provider. The provider is using port3 to connect to Customer Green through VLANs 20, 40, and 50.

Provider switches

The service provider is using VLANs 100 and 200 to connect the three provider switches.

For the customer port, the provider switches PSW1 and PSW3 have QinQ enabled with all tags accepted at ingress. The switches use the “native-vlan” as the service VLAN for the customer port, and allowed-vlans are not used. The inner tag needs to be set or removed for untagged traffic on the customer port.

For the provider port, the provider switches PSW1 and PSW3 have QinQ disabled with regular allowed-vlans for each service VLAN. If the default VLAN TPID profile of 0x8100 is not being used, you need to specify the VLAN TPID profile with the set vlan-tpid command.

The provider switch PSW2 has QinQ disabled with regular allowed-vlans for each service VLAN. If the default VLAN TPID profile of 0x8100 is not being used, you need to specify the VLAN TPID profile with the set vlan-tpid command. For QinQ, use a VLAN TPID profile of 0x88a8.

Customer switches

The customer switches use simple 802.1Q VLANs. They are unaware of QinQ.
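
The tag handling described above, shown at the frame level as an added example (not Fortinet code or FortiSwitch configuration): the service tag with TPID 0x88a8 is pushed outside the customer's 0x8100 tag at the customer port and stripped again on the way out. It assumes service VLAN 100 carries Customer Red, which the article does not state; the MAC addresses and payload are constructed.

```python
import struct

TPID_CTAG = 0x8100  # 802.1Q tag used by the customer switches (default TPID)
TPID_STAG = 0x88A8  # TPID profile the article names for QinQ service tags

def tag(tpid, vid):
    """One 4-byte VLAN tag: TPID, then TCI with PCP=0, DEI=0 and a 12-bit VID."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    return struct.pack("!HH", tpid, vid)

def parse_vlan_stack(frame):
    """Return ([(tpid, vid), ...] outermost first, payload EtherType)."""
    stack, off = [], 12                      # tags start after dst+src MAC
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype not in (TPID_CTAG, TPID_STAG):
            return stack, etype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        stack.append((etype, struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF))
        off += 4

def push_service_tag(frame, service_vid, untagged_inner_vid=None):
    """Customer-port ingress: keep any customer tag and add the S-tag outside it.
    For untagged traffic the inner tag is either set (pass a VID) or left off."""
    stack, _ = parse_vlan_stack(frame)
    rest = frame[12:]
    if not stack and untagged_inner_vid is not None:
        rest = tag(TPID_CTAG, untagged_inner_vid) + rest
    return frame[:12] + tag(TPID_STAG, service_vid) + rest

def pop_service_tag(frame, expected_vid):
    """Egress to the customer: strip the outer tag only if it is the expected S-tag."""
    stack, _ = parse_vlan_stack(frame)
    if not stack or stack[0] != (TPID_STAG, expected_vid):
        raise ValueError("outer tag is not the expected service VLAN")
    return frame[:12] + frame[16:]

# Constructed sample frames: dst MAC, src MAC, [C-tag], EtherType 0x0800, payload.
MACS = bytes.fromhex("020000000002020000000001")
RED_VLAN10 = MACS + tag(TPID_CTAG, 10) + b"\x08\x00" + b"payload"
RED_UNTAGGED = MACS + b"\x08\x00" + b"payload"

if __name__ == "__main__":
    for f in (push_service_tag(RED_VLAN10, 100), push_service_tag(RED_UNTAGGED, 100, 60)):
        print([(hex(t), v) for t, v in parse_vlan_stack(f)[0]], f.hex())
```

Because pop_service_tag returns the customer frame byte for byte, the customer switches never see the service tag, and a frame arriving with a different outer tag is rejected rather than delivered to the wrong customer.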
