

Our company is trying to implement Microsoft ExpressRoute. Microsoft gives the solution as a Q-in-Q Vlan. We have to strip out the S-Tag and use the 3 C-Tag VLANs for our BGP links to Microsoft. Our service provider gives us a L2 trunk link which is used to connect to Microsoft and several other services. So they don't see the Q-in-Q, as they deliver each of the services down a single trunk link.

From what I understand, I would have to configure another port on this switch for the Q-in-Q tunnelling viz.,

switchport mode dot1q-tunnel
switchport access vlan 456

Here 456 is the S-Tag which is a normal Vlan we get from the single port on the same switch to the service provider. In this case, I would require another switch behind this switch to split out the 3 C-Tag Vlans from Microsoft. Is there any other way to do this using a single switch, to both do Q-in-Q and split out the 3 Vlans?

Switch 2 (with 3 Vlans) --> Trunk (with 3 Vlans) --> Switch 1 port with Q-in-Q config --> Switch 1 with trunk port to Service Provider --> Service provider network.

Is there a way to get this done without switch 2, stripping out the 3 Vlans using only switch 1?


Deepu Abraham.


Philip D'Ath
VIP Alumni

This doesn't sound right. If you are only using a single outer tag why would you even use QinQ? Are you sure the service provider is not stripping out the outer tag already for you?

Only reasonably serious Cisco kit can do "full" QinQ.  What sort of kit do you have?  The config should look something like:

interface GigabitEthernet<Interface_Number>.<Number>
 encapsulation dot1Q <s-tag> second-dot1q <c-tag>
 ip address ...

I am not at all confident your tunnel approach will work.



I didn't see your update. I managed to get this done using 1 switch. Basically we are configuring the port to the service provider as a trunk port. Then the two ports connected to our internal devices are configured as a dot1q tunnel port.


Router/Switch on private peering interface (access port Vlan 10 C-Tag Vlan) <--> Switch Port 1 (Dot1q tunnel with S-Tag Vlan 900) <--> Switch port 10 (Regular trunk port with S-Tag Vlan 900) <--> Service Provider Switch <--> Microsoft Switch.


Router/Switch on public peering interface (access port Vlan 20 C-Tag Vlan) <--> Switch Port 1 (Dot1q tunnel with S-Tag Vlan 900) <--> Switch port 10 (Regular trunk port with S-Tag Vlan 900) <--> Service Provider Switch <--> Microsoft Switch.


So a single switch is being used between the service provider network and ours. It's been running for quite a few months now.




I forgot to give you the details.


For private peering the configs are,


Internal Switch <--> DMZ Switch <--> Provider device <--> Microsoft Devices.


Internal Switch

interface GigabitEthernet1/1/2
description Connected to ExpressRoute DMZ Switch Private Peering
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1500    <-- C-Tag for private peering Vlan
switchport mode trunk

DMZ Switch

interface GigabitEthernet1/0/1
description Connected to internal switch for MS ExpressRoute public peering
switchport access vlan 900              <-- S-Tag Vlan
switchport mode dot1q-tunnel
no cdp enable

interface GigabitEthernet1/0/3
description Connected to internal switch for private peering
switchport access vlan 900           <-- S-Tag Vlan
switchport mode dot1q-tunnel


interface GigabitEthernet1/1/1
description Connected to L2 service provider switch
switchport trunk allowed vlan 900       <-- S-Tag Vlan
switchport mode trunk
speed nonegotiate


The config for the public peering is exactly the same except that the C-Tag is 1520 and our internal switch is different. The DMZ switch is exactly the same. G1/0/1 on our DMZ switch is used for public peering (S-Tag: 900, C-Tag: 1520), G1/0/3 is used for private peering with Microsoft ExpressRoute (S-Tag: 900, C-Tag: 1500).



Deepu Abraham.
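
The tag handling in the configuration above, modelled as an added example that is not part of the original posts: the internal trunk adds the C-Tag, the dot1q-tunnel port adds S-Tag 900 on top, and the tunnel port strips it again on the way back. The function names are hypothetical, the sample frame is constructed, and using TPID 0x8100 for both tags is an assumption.

```python
import struct

# VLAN IDs are from the thread; the TPID is an assumption (0x8100 on both tags).
TPID = 0x8100
S_TAG, C_TAG_PRIVATE, C_TAG_PUBLIC = 900, 1500, 1520

def push_tag(frame, vid):
    """Insert an 802.1Q tag after the two MAC addresses (first 12 bytes)."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"invalid VLAN ID {vid}")
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]

def tag_stack(frame):
    """Return the VLAN IDs on the frame, outermost first."""
    vids, offset = [], 12
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != TPID:
            break
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vids

def pop_tag(frame):
    """Remove the outermost tag and return (vid, frame_without_it)."""
    stack = tag_stack(frame)
    if not stack:
        raise ValueError("frame carries no VLAN tag")
    return stack[0], frame[:12] + frame[16:]

def towards_provider(untagged, c_tag, allowed=(S_TAG,)):
    """Internal trunk adds the C-Tag, the dot1q-tunnel port adds the S-Tag,
    and the provider trunk forwards only allowed outer VLANs (else None)."""
    frame = push_tag(push_tag(untagged, c_tag), S_TAG)
    return frame if tag_stack(frame)[0] in allowed else None

def from_provider(frame):
    """Tunnel port egress: strip the S-Tag, hand the C-tagged frame inward."""
    outer, inner = pop_tag(frame)
    if outer != S_TAG:
        raise ValueError(f"unexpected outer VLAN {outer}")
    return inner

# Constructed sample: dst MAC, src MAC, EtherType 0x0800, dummy payload.
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

if __name__ == "__main__":
    for name, c_tag in (("private", C_TAG_PRIVATE), ("public", C_TAG_PUBLIC)):
        wire = towards_provider(SAMPLE, c_tag)
        print(name, tag_stack(wire), "->", tag_stack(from_provider(wire)))
```
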

Hi... getting 2 switches to do the job seems an overkill. Can't it be done by using 1 switch, which has the SVI for private peering and MS peering? Then it's a trunk to the SP and they push the S-Tag on their side and switch it!?



I doubt it, as the VLAN taken out from the trunk port is the S-Tag. This is then connected to our internal switches using access ports (S-Tag VLAN), the internal switch has the MS Private Peering VLAN.


