VLAN stacking (QnQ)

VLAN stacking allows you to have multiple VLAN headers in an Ethernet frame. The value of the EtherType field specifies where the VLAN header is placed in the Ethernet frame.

Use the VLAN TPID profile to specify the value of the EtherType field. The FortiSwitch unit supports a maximum of four VLAN TPID profiles, including the default (0x8100). The default VLAN TPID profile (0x8100) cannot be deleted or changed.

To see which models support this feature, refer to the FortiSwitch feature matrix.

NOTE: The following features are not supported with VLAN stacking:

DHCP relay
DHCP snooping
IGMP snooping
IP source guard
PVLAN
STP

NOTE: Settings under config qnq are for customer VLANs (C-VLANs). Other settings such as set allowed-vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).

Configuring VLAN stacking

Using the GUI:

Go to Switch > Interface > Physical or Switch > Interface > Trunk.
Select the interface or trunk that you want to configure and click Edit.
Select the Enable QnQ checkbox.
Select the Drop Packets on VLAN Miss checkbox if you want to drop the packet if the VLAN ID in the packetʼs tag is not defined in the VLAN-mapping configuration.
Select the Remove Inner checkbox if you want to remove the inner tag upon egress.
By default, the STP QnQ Admin checkbox is selected. You can clear the STP QnQ Admin checkbox if you are not using the options under it.
In the Add Inner field, enter the inner tag number for untagged packets upon ingress.
Click Follow S-Tag or Follow C-Tag to follow the priority of the S-tag (service tag) or C-tag (customer tag).
NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.
Click + to add a VLAN mapping.
1. In the ID field, enter a mapping entry identifier.
2. In the Description field, enter a description of the mapping entry.
3. In the C-VLAN field, enter a matching customer (inner) VLAN.
4. In the New C-VLAN field, enter a new customer (inner) VLAN.
  NOTE: The VLAN must be in the portʼs allowed VLAN list.
Click OK.

Using the CLI (asterisks indicate the default setting):

config switch interface

edit <interface_name>

set vlan-tpid <default | string>

config qnq

set status {enable | *disable}

set vlan-mapping-miss-drop {enable | *disable}

set add-inner <1-4095>

set edge-type customer

set priority {follow-c-tag | *follow-s-tag}

set remove-inner {enable | *disable}

set s-tag-priority <0-7>

config vlan-mapping

edit <id>

set description <string>

set match-c-vlan <1-4094>

set new-s-vlan <1-4094>

end

Variable	Description	Default
<interface_name>	Enter the name of the interface.	No default
vlan-tpid <default \| string>	Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed. This setting is only for service-provider VLANs (S-VLANs). NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the `config switch vlan-tpid` command.	default
config qnq
status {enable \| *disable}	Enable this setting to use the VLAN stacking (QnQ) mode.	disable
vlan-mapping-miss-drop {enable \| *disable}	If the QnQ mode is enabled, enable or disable whether a packet is dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-mapping configuration.	disable
add-inner <1-4095>	If the QnQ mode is enabled, add the inner tag for untagged packets upon ingress.	No default
edge-type customer	If the QnQ mode is enabled, the edge type is set to customer.	customer
priority {follow-c-tag \| *follow-s-tag}	If the QnQ mode is enabled, select whether to follow the priority of the S-tag (service tag) or C-tag (customer tag). NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.	follow-s-tag
remove-inner {enable \| *disable}	If the QnQ mode is enabled, enable or disable whether the inner tag is removed upon egress.	disable
s-tag-priority <0-7>	If packets follow the priority of the S-tag (service tag), enter the priority value. This option is available only when the priority is set to `follow-s-tag`. NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.	0
<id>	Enter a mapping entry identifier.	No default
description <string>	Enter a description of the mapping entry.	No default
match-c-vlan <1-4094>	Enter a matching customer (inner) VLAN.	0
new-s-vlan <1-4094>	Enter a new service (outer) VLAN. NOTE: The VLAN must be in the portʼs allowed VLAN list. This option is only available after you set the value for `match-c-vlan`.	No default

Configuring VLAN mapping on an interface

Starting in FortiSwitchOS 7.0.2, partial VLAN mapping is supported by the FS-148F, FS-148F-POE, and FS-148F-FPOE models. Starting in FortiSwitchOS 7.0.3, partial VLAN mapping is supported by the FS-124F, FS-124F-POE, and FS-124F-FPOE models. Starting in FortiSwitchOS 7.2.0, partial VLAN mapping is supported by the FSR-112D-POE model. Use the following syntax for partial VLAN mapping:

config switch interface

edit <interface>

conf vlan-mapping

edit <instance>

set match-s-vlan <segment VLAN>

set action replace

set new-s-vlan <primary VLAN>

end

The FS-148F, FS-148F-POE, and FS-148F-FPOE models can map up to 1,024 physical or trunk ports. The FS-124F, FS-124F-POE,and FS-124F-FPOE models can map up to 512 physical or trunk ports. The FSR-112D-POE model can map up to 4,096 entries, but one VLAN can only be mapped to another VLAN; egress VLAN mapping can be enabled or disabled on individual ports.

Using the GUI:

Go to Switch > Interface > Physical or Switch > Interface > Trunk.
Select the interface or trunk that you want to configure and click Edit.
In the ID field, enter a mapping entry identifier.
In the Description field, enter a description of the mapping entry.
In the Direction dropdown list, select Ingress or Egress.
If you selected Ingress for the direction:
1. In the Action dropdown list, select Add S-VLAN or Replace C-VLAN or S-VLAN.
2. In the C-VLAN field, enter a matching customer (inner) VLAN.
3. In the New S-VLAN field, enter the new service (outer) VLAN.
  NOTE: The VLAN must be in the portʼs allowed VLAN list.
If you selected Egress for the direction:
1. In the Action dropdown list, select Delete S-VLAN or Replace C-VLAN or S-VLAN.
2. In the S-VLAN field, enter the matching service (outer) VLAN.
Click OK.

Using the CLI (asterisks indicate the default setting):

config switch interface

edit <interface_name>

set vlan-tpid <default | string>

set vlan-mapping-miss-drop {enable | *disable}

config vlan-mapping

edit <id>

set description <string>

set direction ingress // ingress example

set match-c-vlan <1-4094>

set action {add | replace}

set new-s-vlan <1-4094>

edit <id>

set description <string>

set direction egress // egress example

set match-s-vlan <1-4094>

set action {delete | replace}

set new-s-vlan <1-4094>

end

Variable	Description	Default
<interface_name>	Enter the name of the interface.	No default
vlan-tpid <default \| string>	Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed. This setting is only for service-provider VLANs (S-VLANs). NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the `config switch vlan-tpid` command.	default
vlan-mapping-miss-drop {enable \| *disable}	Enable or disable whether a packet is dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-mapping configuration.	disable
config vlan-mapping
<id>	Enter an identifier for the VLAN mapping entry.	No default
description <string>	Enter a description of the VLAN mapping entry.	No default
direction {egress \| ingress}	Select the ingress or egress direction.	No default
match-s-vlan <1-4094>	If the direction is set to egress, enter the service (outer) VLAN to match.	0
match-c-vlan <1-4094>	If the direction is set to ingress, enter the customer (inner) VLAN to match.	0
action {add \| delete \| replace}	Select what happens when the packet is matched: - `add`—When the packet is matched, add the service VLAN. You cannot set the `action` to `add` for the egress direction. - `delete`—When the packet is matched, delete the service VLAN. You cannot set the `action` to `delete` for the ingress direction. - `replace`—When the packet is matched, replace the customer VLAN or service VLAN. This option is only available after you set a value for `match-c-vlan` or `match-s-vlan`.	No default
new-s-vlan <1-4094>	Set the new service (outer) VLAN. This option is only available after you set the action to `add` or `replace` for the ingress direction or after you set the `action` to `replace` for the egress direction.	No default

Configuring the VLAN TPID profile

Use the CLI to specify the value of the EtherType field in the VLAN TPID profile:

config switch vlan-tpid

edit <VLAN_TPID_profile_name>

set ether-type <0x0001-0xfffe>

end

Variable	Description	Default
<VLAN_TPID_profile_name>	Enter a name for the VLAN TPID profile name.	No default
ether-type <0x0001-0xfffe>	Enter a hexadecimal value for the EtherType field.	0x8100

Checking the VLAN stacking configuration

Use the CLI to check that VLAN stacking is configured correctly:

diagnose switch qnq dtag-cfg

VLAN stacking (QnQ)

VLAN stacking allows you to have multiple VLAN headers in an Ethernet frame. The value of the EtherType field specifies where the VLAN header is placed in the Ethernet frame.

To see which models support this feature, refer to the FortiSwitch feature matrix.

NOTE: The following features are not supported with VLAN stacking:

DHCP relay
DHCP snooping
IGMP snooping
IP source guard
PVLAN
STP

NOTE: Settings under config qnq are for customer VLANs (C-VLANs). Other settings such as set allowed-vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).

Configuring VLAN stacking

Using the GUI:

Go to Switch > Interface > Physical or Switch > Interface > Trunk.
Select the interface or trunk that you want to configure and click Edit.
Select the Enable QnQ checkbox.
Select the Drop Packets on VLAN Miss checkbox if you want to drop the packet if the VLAN ID in the packetʼs tag is not defined in the VLAN-mapping configuration.
Select the Remove Inner checkbox if you want to remove the inner tag upon egress.
By default, the STP QnQ Admin checkbox is selected. You can clear the STP QnQ Admin checkbox if you are not using the options under it.
In the Add Inner field, enter the inner tag number for untagged packets upon ingress.
Click Follow S-Tag or Follow C-Tag to follow the priority of the S-tag (service tag) or C-tag (customer tag).
NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.
Click + to add a VLAN mapping.
1. In the ID field, enter a mapping entry identifier.
2. In the Description field, enter a description of the mapping entry.
3. In the C-VLAN field, enter a matching customer (inner) VLAN.
4. In the New C-VLAN field, enter a new customer (inner) VLAN.
  NOTE: The VLAN must be in the portʼs allowed VLAN list.
Click OK.

Using the CLI (asterisks indicate the default setting):

config switch interface

edit <interface_name>

set vlan-tpid <default | string>

config qnq

set status {enable | *disable}

set vlan-mapping-miss-drop {enable | *disable}

set add-inner <1-4095>

set edge-type customer

set priority {follow-c-tag | *follow-s-tag}

set remove-inner {enable | *disable}

set s-tag-priority <0-7>

config vlan-mapping

edit <id>

set description <string>

set match-c-vlan <1-4094>

set new-s-vlan <1-4094>

end

Variable	Description	Default
<interface_name>	Enter the name of the interface.	No default
vlan-tpid <default \| string>	Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed. This setting is only for service-provider VLANs (S-VLANs). NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the `config switch vlan-tpid` command.	default
config qnq
status {enable \| *disable}	Enable this setting to use the VLAN stacking (QnQ) mode.	disable
vlan-mapping-miss-drop {enable \| *disable}	If the QnQ mode is enabled, enable or disable whether a packet is dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-mapping configuration.	disable
add-inner <1-4095>	If the QnQ mode is enabled, add the inner tag for untagged packets upon ingress.	No default
edge-type customer	If the QnQ mode is enabled, the edge type is set to customer.	customer
priority {follow-c-tag \| *follow-s-tag}	If the QnQ mode is enabled, select whether to follow the priority of the S-tag (service tag) or C-tag (customer tag). NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.	follow-s-tag
remove-inner {enable \| *disable}	If the QnQ mode is enabled, enable or disable whether the inner tag is removed upon egress.	disable
s-tag-priority <0-7>	If packets follow the priority of the S-tag (service tag), enter the priority value. This option is available only when the priority is set to `follow-s-tag`. NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.	0
<id>	Enter a mapping entry identifier.	No default
description <string>	Enter a description of the mapping entry.	No default
match-c-vlan <1-4094>	Enter a matching customer (inner) VLAN.	0
new-s-vlan <1-4094>	Enter a new service (outer) VLAN. NOTE: The VLAN must be in the portʼs allowed VLAN list. This option is only available after you set the value for `match-c-vlan`.	No default

Configuring VLAN mapping on an interface

config switch interface

edit <interface>

conf vlan-mapping

edit <instance>

set match-s-vlan <segment VLAN>

set action replace

set new-s-vlan <primary VLAN>

end

Using the GUI:

Go to Switch > Interface > Physical or Switch > Interface > Trunk.
Select the interface or trunk that you want to configure and click Edit.
In the ID field, enter a mapping entry identifier.
In the Description field, enter a description of the mapping entry.
In the Direction dropdown list, select Ingress or Egress.
If you selected Ingress for the direction:
1. In the Action dropdown list, select Add S-VLAN or Replace C-VLAN or S-VLAN.
2. In the C-VLAN field, enter a matching customer (inner) VLAN.
3. In the New S-VLAN field, enter the new service (outer) VLAN.
  NOTE: The VLAN must be in the portʼs allowed VLAN list.
If you selected Egress for the direction:
1. In the Action dropdown list, select Delete S-VLAN or Replace C-VLAN or S-VLAN.
2. In the S-VLAN field, enter the matching service (outer) VLAN.
Click OK.

Using the CLI (asterisks indicate the default setting):

config switch interface

edit <interface_name>

set vlan-tpid <default | string>

set vlan-mapping-miss-drop {enable | *disable}

config vlan-mapping

edit <id>

set description <string>

set direction ingress // ingress example

set match-c-vlan <1-4094>

set action {add | replace}

set new-s-vlan <1-4094>

edit <id>

set description <string>

set direction egress // egress example

set match-s-vlan <1-4094>

set action {delete | replace}

set new-s-vlan <1-4094>

end

Variable	Description	Default
<interface_name>	Enter the name of the interface.	No default
vlan-tpid <default \| string>	Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed. This setting is only for service-provider VLANs (S-VLANs). NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the `config switch vlan-tpid` command.	default
vlan-mapping-miss-drop {enable \| *disable}	Enable or disable whether a packet is dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-mapping configuration.	disable
config vlan-mapping
<id>	Enter an identifier for the VLAN mapping entry.	No default
description <string>	Enter a description of the VLAN mapping entry.	No default
direction {egress \| ingress}	Select the ingress or egress direction.	No default
match-s-vlan <1-4094>	If the direction is set to egress, enter the service (outer) VLAN to match.	0
match-c-vlan <1-4094>	If the direction is set to ingress, enter the customer (inner) VLAN to match.	0
action {add \| delete \| replace}	Select what happens when the packet is matched: - `add`—When the packet is matched, add the service VLAN. You cannot set the `action` to `add` for the egress direction. - `delete`—When the packet is matched, delete the service VLAN. You cannot set the `action` to `delete` for the ingress direction. - `replace`—When the packet is matched, replace the customer VLAN or service VLAN. This option is only available after you set a value for `match-c-vlan` or `match-s-vlan`.	No default
new-s-vlan <1-4094>	Set the new service (outer) VLAN. This option is only available after you set the action to `add` or `replace` for the ingress direction or after you set the `action` to `replace` for the egress direction.	No default

Configuring the VLAN TPID profile

Use the CLI to specify the value of the EtherType field in the VLAN TPID profile:

config switch vlan-tpid

edit <VLAN_TPID_profile_name>

set ether-type <0x0001-0xfffe>

end

Variable	Description	Default
<VLAN_TPID_profile_name>	Enter a name for the VLAN TPID profile name.	No default
ether-type <0x0001-0xfffe>	Enter a hexadecimal value for the EtherType field.	0x8100

Checking the VLAN stacking configuration

Use the CLI to check that VLAN stacking is configured correctly:

diagnose switch qnq dtag-cfg

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

VLAN stacking (QnQ)

VLAN stacking (QnQ)

Configuring VLAN stacking

Using the GUI:

Using the CLI (asterisks indicate the default setting):

Configuring VLAN mapping on an interface

Using the GUI:

Using the CLI (asterisks indicate the default setting):

Configuring the VLAN TPID profile

Checking the VLAN stacking configuration

VLAN stacking (QnQ)

VLAN stacking (QnQ)

Configuring VLAN stacking