Knowledge Base
What is Double VLAN (802.1q Tunneling)?
Double VLAN, also known as 802.1q tunneling or Q-in-Q tunneling, is a network feature that encapsulates one VLAN tag inside another. It allows service providers or administrators to group multiple customer VLANs under a single service-provider VLAN (outer VLAN).
- Outer VLAN: Used by the service provider to manage traffic.
- Inner VLAN: Preserves customer-specific VLAN configurations.
This method ensures secure and isolated communication for each customer over a shared infrastructure.
User Cases
Service Provider Networks:
- Aggregate traffic from multiple customers while keeping their VLANs isolated.
Industrial OT Networks:
- Extend VLANs across subnets without modifying the internal VLAN structure.
How It Works
Encapsulation:
- Customer VLAN traffic (inner VLAN) is tagged with an additional service VLAN (outer VLAN) as it enters the provider’s network.
De-encapsulation:
- At the destination, the service VLAN tag is removed, restoring the customer VLAN.
Network Topology
Devices Involved: A PLC (acting as a server), Industrial Firewall, and clients on Network B.
Setup:
- Network A: 192.168.10.0/24 VLAN 100 (PLC resides here).
- Network B: 10.10.10.0/24 VLAN 200.100 (HMI or external device).
- The firewall has interfaces in both networks and translates traffic between them.
Configuration Steps
Create VLANs
- Configure the outer VLAN for the service provider.
- Allow inner VLANs for customer-specific traffic
IP Configuration
Apply Q-in-Q Rules
Benefit
- Traffic Segmentation: Keeps customer VLANs isolated while sharing infrastructure.
- Scalability: Supports a larger number of VLANs with minimal configuration changes.
- Security: Ensures customer data integrity and isolation.
PCAP Analyze
Traffic that is captured from 192.168.10.10
Traffic that is captured from 10.10.10.10
Was this page helpful?