Fortinet black logo

Administration Guide

VLAN stacking (QinQ)

Copy Link
Copy Doc ID 962fb21b-9bd3-11eb-b70b-00505692583a:146340
Download PDF

VLAN stacking (QinQ)

VLAN stacking allows you to have multiple VLAN headers in an Ethernet frame. The value of the EtherType field specifies where the VLAN header is placed in the Ethernet frame.

Use the VLAN TPID profile to specify the value of the EtherType field. The FortiSwitch unit supports a maximum of four VLAN TPID profiles, including the default (0x8100). The default VLAN TPID profile (0x8100) cannot be deleted or changed.

NOTE: The following FortiSwitch models support VLAN stacking:

FS-124D, FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE, FS-424D, FS-424D-POE, FS-424D-FPOE, 424E, 424E-POE, 424E-FPOE, FS-424E-Fiber, 426E-MG-FPOE, FS-448D, FS-448D-POE, FS-448D-FPOE, 448E, 448E-POE, 448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1024D, FS-1048D, FS-1048E, FS-3032D, and FS-3032E

NOTE: The following features are not supported with VLAN stacking:

  • DHCP relay
  • DHCP snooping
  • IGMP snooping
  • IP source guard
  • PVLAN
  • STP

NOTE: Settings under config qnq are for customer VLANs (C-VLANs). Other settings such as set allowed-vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).

To configure VLAN stacking (asterisks indicate the default setting):

config switch interface

edit <interface_name>

set vlan-tpid <default | string>

config qnq

set status {enable | *disable}

set vlan-mapping-miss-drop {enable | *disable}

set add-inner <1-4095>

set edge-type customer

set priority {follow-c-tag | *follow-s-tag}

set remove-inner {enable | *disable}

set s-tag-priority <0-7>

config vlan-mapping

edit <id>

set description <string>

set match-c-vlan <1-4094>

set new-s-vlan <1-4094>

next

end

end

next

end

Variable

Description

Default

<interface_name>

Enter the name of the interface.

No default

vlan-tpid <default | string>

Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed.

This setting is only for service-provider VLANs (S-VLANs).

NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.

default

config qnq

status {enable | *disable}

Enable or disable VLAN stacking (QinQ) mode.

disable

vlan-mapping-miss-drop {enable | *disable}

If the QinQ mode is enabled, enable or disable whether a packet is dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-mapping configuration.

disable

add-inner <1-4095>

If the QinQ mode is enabled, add the inner tag for untagged packets upon ingress.

No default

edge-type customer

If the QinQ mode is enabled, the edge type is set to customer.

customer

priority {follow-c-tag | *follow-s-tag}

If the QinQ mode is enabled, select whether to follow the priority of the S-tag (service tag) or C-tag (customer tag).

NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

follow-s-tag

remove-inner {enable | *disable}

If the QinQ mode is enabled, enable or disable whether the inner tag is removed upon egress.

disable

s-tag-priority <0-7>

If packets follow the priority of the S-tag (service tag), enter the priority value. This option is available only when the priority is set to follow-s-tag.

NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

0

<id>

Enter a mapping entry identifier.

No default

description <string>

Enter a description of the mapping entry.

No default

match-c-vlan <1-4094>

Enter a matching customer (inner) VLAN.

0

new-s-vlan <1-4094>

Enter a new service (outer) VLAN.

NOTE: The VLAN must be in the portʼs allowed VLAN list.

This option is only available after you set the value for match-c-vlan.

No default

To configure VLAN mapping on an interface (asterisks indicate the default setting):

config switch interface

edit <interface_name>

set vlan-tpid <default | string>

set vlan-mapping-miss-drop {enable | *disable}

config vlan-mapping

edit <id>

set description <string>

set direction ingress // ingress example

set match-c-vlan <1-4094>

set action {add | replace}

set new-s-vlan <1-4094>

next

edit <id>

set description <string>

set direction egress // egress example

set match-s-vlan <1-4094>

set action {delete | replace}

set new-s-vlan <1-4094>

next

end

next

end

Variable

Description

Default

<interface_name>

Enter the name of the interface.

No default

vlan-tpid <default | string>

Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed.

This setting is only for service-provider VLANs (S-VLANs).

NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.

default

vlan-mapping-miss-drop {enable | *disable}

Enable or disable whether a packet is dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-mapping configuration.

disable

config vlan-mapping

<id>

Enter an identifier for the VLAN mapping entry.

No default

description <string>

Enter a description of the VLAN mapping entry.

No default

direction {egress | ingress}

Select the ingress or egress direction.

No default

match-s-vlan <1-4094>

If the direction is set to egress, enter the service (outer) VLAN to match.

0

match-c-vlan <1-4094>

If the direction is set to ingress, enter the customer (inner) VLAN to match.

0

action {add | delete | replace}

Select what happens when the packet is matched:

- add—When the packet is matched, add the service VLAN. You cannot set the action to add for the egress direction.

- delete—When the packet is matched, delete the service VLAN. You cannot set the action to delete for the ingress direction.

- replace—When the packet is matched, replace the customer VLAN or service VLAN.

This option is only available after you set a value for match-c-vlan or match-s-vlan.

No default

new-s-vlan <1-4094>

Set the new service (outer) VLAN.

This option is only available after you set the action to add or replace for the ingress direction or after you set the action to replace for the egress direction.

No default

To configure the VLAN TPID profile:

config switch vlan-tpid

edit <VLAN_TPID_profile_name>

set ether-type <0x0001-0xfffe>

next

end

Variable

Description

Default

<VLAN_TPID_profile_name>

Enter a name for the VLAN TPID profile name.

No default

ether-type <0x0001-0xfffe>

Enter a hexadecimal value for the EtherType field.

0x8100

To check the VLAN stacking (QinQ) configuration:

diagnose switch qnq dtag-cfg

VLAN stacking (QinQ)

VLAN stacking allows you to have multiple VLAN headers in an Ethernet frame. The value of the EtherType field specifies where the VLAN header is placed in the Ethernet frame.

Use the VLAN TPID profile to specify the value of the EtherType field. The FortiSwitch unit supports a maximum of four VLAN TPID profiles, including the default (0x8100). The default VLAN TPID profile (0x8100) cannot be deleted or changed.

NOTE: The following FortiSwitch models support VLAN stacking:

FS-124D, FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE, FS-424D, FS-424D-POE, FS-424D-FPOE, 424E, 424E-POE, 424E-FPOE, FS-424E-Fiber, 426E-MG-FPOE, FS-448D, FS-448D-POE, FS-448D-FPOE, 448E, 448E-POE, 448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1024D, FS-1048D, FS-1048E, FS-3032D, and FS-3032E

NOTE: The following features are not supported with VLAN stacking:

  • DHCP relay
  • DHCP snooping
  • IGMP snooping
  • IP source guard
  • PVLAN
  • STP

NOTE: Settings under config qnq are for customer VLANs (C-VLANs). Other settings such as set allowed-vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).

To configure VLAN stacking (asterisks indicate the default setting):

config switch interface

edit <interface_name>

set vlan-tpid <default | string>

config qnq

set status {enable | *disable}

set vlan-mapping-miss-drop {enable | *disable}

set add-inner <1-4095>

set edge-type customer

set priority {follow-c-tag | *follow-s-tag}

set remove-inner {enable | *disable}

set s-tag-priority <0-7>

config vlan-mapping

edit <id>

set description <string>

set match-c-vlan <1-4094>

set new-s-vlan <1-4094>

next

end

end

next

end

Variable

Description

Default

<interface_name>

Enter the name of the interface.

No default

vlan-tpid <default | string>

Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed.

This setting is only for service-provider VLANs (S-VLANs).

NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.

default

config qnq

status {enable | *disable}

Enable or disable VLAN stacking (QinQ) mode.

disable

vlan-mapping-miss-drop {enable | *disable}

If the QinQ mode is enabled, enable or disable whether a packet is dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-mapping configuration.

disable

add-inner <1-4095>

If the QinQ mode is enabled, add the inner tag for untagged packets upon ingress.

No default

edge-type customer

If the QinQ mode is enabled, the edge type is set to customer.

customer

priority {follow-c-tag | *follow-s-tag}

If the QinQ mode is enabled, select whether to follow the priority of the S-tag (service tag) or C-tag (customer tag).

NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

follow-s-tag

remove-inner {enable | *disable}

If the QinQ mode is enabled, enable or disable whether the inner tag is removed upon egress.

disable

s-tag-priority <0-7>

If packets follow the priority of the S-tag (service tag), enter the priority value. This option is available only when the priority is set to follow-s-tag.

NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

0

<id>

Enter a mapping entry identifier.

No default

description <string>

Enter a description of the mapping entry.

No default

match-c-vlan <1-4094>

Enter a matching customer (inner) VLAN.

0

new-s-vlan <1-4094>

Enter a new service (outer) VLAN.

NOTE: The VLAN must be in the portʼs allowed VLAN list.

This option is only available after you set the value for match-c-vlan.

No default

To configure VLAN mapping on an interface (asterisks indicate the default setting):

config switch interface

edit <interface_name>

set vlan-tpid <default | string>

set vlan-mapping-miss-drop {enable | *disable}

config vlan-mapping

edit <id>

set description <string>

set direction ingress // ingress example

set match-c-vlan <1-4094>

set action {add | replace}

set new-s-vlan <1-4094>

next

edit <id>

set description <string>

set direction egress // egress example

set match-s-vlan <1-4094>

set action {delete | replace}

set new-s-vlan <1-4094>

next

end

next

end

Variable

Description

Default

<interface_name>

Enter the name of the interface.

No default

vlan-tpid <default | string>

Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed.

This setting is only for service-provider VLANs (S-VLANs).

NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.

default

vlan-mapping-miss-drop {enable | *disable}

Enable or disable whether a packet is dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-mapping configuration.

disable

config vlan-mapping

<id>

Enter an identifier for the VLAN mapping entry.

No default

description <string>

Enter a description of the VLAN mapping entry.

No default

direction {egress | ingress}

Select the ingress or egress direction.

No default

match-s-vlan <1-4094>

If the direction is set to egress, enter the service (outer) VLAN to match.

0

match-c-vlan <1-4094>

If the direction is set to ingress, enter the customer (inner) VLAN to match.

0

action {add | delete | replace}

Select what happens when the packet is matched:

- add—When the packet is matched, add the service VLAN. You cannot set the action to add for the egress direction.

- delete—When the packet is matched, delete the service VLAN. You cannot set the action to delete for the ingress direction.

- replace—When the packet is matched, replace the customer VLAN or service VLAN.

This option is only available after you set a value for match-c-vlan or match-s-vlan.

No default

new-s-vlan <1-4094>

Set the new service (outer) VLAN.

This option is only available after you set the action to add or replace for the ingress direction or after you set the action to replace for the egress direction.

No default

To configure the VLAN TPID profile:

config switch vlan-tpid

edit <VLAN_TPID_profile_name>

set ether-type <0x0001-0xfffe>

next

end

Variable

Description

Default

<VLAN_TPID_profile_name>

Enter a name for the VLAN TPID profile name.

No default

ether-type <0x0001-0xfffe>

Enter a hexadecimal value for the EtherType field.

0x8100

To check the VLAN stacking (QinQ) configuration:

diagnose switch qnq dtag-cfg