Saturday, January 6, 2018

DOT1Q Tunnelling

802.1q tunnelling


802.1Q tunnelling expands the VLAN space within a provider network. It enables customer VLANs to be carried over a service provider network using a single VLAN. A port configured to support 802.1Q tunnelling is known as a ‘tunnel’ port.

When configuring tunnelling, a tunnel port is assigned to a VLAN that is dedicated to tunnelling. Each service provider customer requires a separate VLAN, but that VLAN supports all of the customer's VLANs.

VLAN tunnelling is transparent to the customer. Their service provider facing trunk is configured as a standard dot1q trunk. The service provider interface is set up as a tunnel port and assigned an access VLAN id that is unique to the customer. In this respect the configuration at each end of the CE to PE link is unusual because it is not symmetrical, i.e. it does NOT match from a CE and PE perspective.

As 802.1Q tagged traffic arrives at the service provider switch, it is further encapsulated in another 802.1Q tag, the ‘customer’ tag. On exiting the service provider infrastructure, this tag is removed before the frame is passed to the customer.



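PE configuration

! tunnel port facing the customer (CE) switch
interface fa0/1
 switchport access vlan 100
 switchport mode dot1q-tunnel
!
! global command: tag native VLAN frames on trunks
vlan dot1q tag native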
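The tag handling performed by a tunnel port such as the one configured above, as an added example (not part of the original post): it pushes the tunnel VLAN 100 onto a customer frame at PE ingress and strips it again at egress. The customer VLAN 10, the MAC addresses and the 0x8100 outer TPID are assumptions, and the sample frame is constructed.

```python
import struct

TPID_8021Q = 0x8100  # assumption: outer tag reuses 0x8100; 802.1ad gear uses 0x88A8
TUNNEL_VLAN = 100    # access VLAN on the PE tunnel port, from the page's config


def read_tags(frame):
    """Return the VLAN ids of the 802.1Q tags in a frame, outermost first."""
    vids, off = [], 12  # tags start after the two 6-byte MAC addresses
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid != TPID_8021Q:
            break
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN id
        off += 4
    return vids


def push_tag(frame, vid, pcp=0):
    """PE ingress: insert an outer tag after the MACs; inner tags untouched."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN id must be 1-4094")
    if len(frame) < 14:
        raise ValueError("runt frame")
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return frame[:12] + tag + frame[12:]


def pop_tag(frame, expected_vid):
    """PE egress: strip the outer tag, refusing frames from another tunnel VLAN."""
    vids = read_tags(frame)
    if not vids or vids[0] != expected_vid:
        raise ValueError("outer tag is not the tunnel VLAN")
    return frame[:12] + frame[16:]


def customer_frame(c_vid):
    """Constructed sample: broadcast ARP-type frame tagged with a customer VLAN."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")
    tag = struct.pack("!HH", TPID_8021Q, c_vid)
    return macs + tag + struct.pack("!H", 0x0806) + bytes(46)


if __name__ == "__main__":
    ce = customer_frame(10)
    core = push_tag(ce, TUNNEL_VLAN)
    print(read_tags(ce), read_tags(core), len(core) - len(ce))
    print(pop_tag(core, TUNNEL_VLAN) == ce)
```

The outer tag adds 4 bytes to every frame in the provider core, while the customer's own tag is carried through unchanged.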



Over and above 802.1Q tunnelling, the service provider may choose to run L2 protocol tunnelling as well, i.e. for the protocols CDP, STP and VTP. These features can be implemented independently of 802.1Q tunnelling. L2 protocol tunnelling is enabled per protocol on the tunnel ports that are connected to the CE edge switches.

! tunnel port facing the customer (CE) switch
interface fa0/1
 l2protocol-tunnel stp
 l2protocol-tunnel cdp
 l2protocol-tunnel vtp


