At the NNI, you will receive double-tagged frames (maybe the laptop doesn't like them).
Original Message:
Sent: 11-09-2025 08:12
From: nurairtt
Subject: Q in Q tunnel on QFX
We connected the laptops for testing. Customer switch was not connected.
Switch model is qfx5120 running 23.4R2.
Below is the applied configuration,
set interfaces xe-0/0/0 flexible-vlan-tagging
set interfaces xe-0/0/0 encapsulation extended-vlan-bridge
set interfaces xe-0/0/0 unit 100 vlan-id-list 1-4094
set interfaces xe-0/0/0 unit 100 input-vlan-map push
set interfaces xe-0/0/0 unit 100 output-vlan-map pop
set interfaces xe-0/0/1 flexible-vlan-tagging
set interfaces xe-0/0/1 encapsulation flexible-ethernet-services
set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 10
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 20
set interfaces xe-0/0/1 unit 100 encapsulation vlan-bridge
set interfaces xe-0/0/1 unit 100 vlan-id 100
set vlans qinq-100 interface xe-0/0/0.100
set vlans qinq-100 interface xe-0/0/1.100
------------------------------
nura irtt
Original Message:
Sent: 11-09-2025 06:54
From: Olivier Benghozi
Subject: Q in Q tunnel on QFX
- you cannot really rely on the in/out bytes/packets values per unit on EX/QFX
- did you try with two real devices at each side ?
- maybe post the actual real content of both interfaces and vlan definition
- and what is the model of the switch btw?
------------------------------
Olivier Benghozi
Original Message:
Sent: 11-09-2025 05:13
From: nurairtt
Subject: Q in Q tunnel on QFX
Hi Oliver,
Thanks for your continuous support.
We applied the recommended configuration changes and connected a test laptop to the UNI port while generating continuous ICMP requests. Both the UNI and NNI ports successfully learned the MAC addresses. However, we observed that the UNI port received 44 packets, but none of them were forwarded to the NNI side.
We enabled packet capture on the UNI interface (using tcpdump from the shell), and we did not see any ICMP or ARP traffic arriving at the switch. Instead, we only saw IPv6 multicast packets, which were not being flooded toward the NNI port.
are we missing anything here?
Logical interface xe-0/0/0.100 (Index 859) (SNMP ifIndex 538)
Flags: Up SNMP-Traps Redundancy-Device 0x20004000 VLAN-Tag [ 1-4094 ] In(push .100) Out(pop) Encapsulation: Extended-VLAN-Bridge
Input packets : 44
Output packets: 0
Protocol eth-switch, MTU: 9216
Flags: 0x4000000
Logical interface xe-1/0/47.100 (Index 858) (SNMP ifIndex 537)
Flags: Up SNMP-Traps 0x20004000 VLAN-Tag [ 0x8100.100 ] Encapsulation: VLAN-Bridge
Input packets : 0
Output packets: 0
Protocol eth-switch, MTU: 9216
Flags: 0x4000000
admin@US-Navy-QFX5120-SW01-B> show ethernet-switching table | match 100
VLAN100 yy.yy.yy.yy.yy.yy D - xe-1/0/47.100 0 0
VLAN100 xx.xx.xx.xx.xx.xx D - xe-0/0/0.100 0 0
01:52:26.786788 In xx.xx.xx.xx.xx.xx > 33:33:00:00:00:16, ethertype 802.1Q (0x8100), length 68: vlan 70, p 0, ethertype IPv6, truncated-ip6 - 26 bytes missing! ff80::182f:6132:725d:5a1f > ff02::16: HBH [icmp6]
01:52:26.803341 In xx.xx.xx.xx.xx.xx > 33:33:00:00:00:16, ethertype 802.1Q (0x8100), length 68: vlan 70, p 0, ethertype IPv6, truncated-ip6 - 26 bytes missing! ff80::182f:6132:725d:5a1f > ff02::16: HBH [icmp6]
01:52:27.265954 In xx.xx.xx.xx.xx.xx > 33:33:00:00:00:16, ethertype 802.1Q (0x8100), length 68: vlan 70, p 0, ethertype IPv6, truncated-ip6 - 46 bytes missing! fe80::182f:6132:725d:5a1f > ff02::16: HBH [icmp6]
------------------------------
nura irtt
Original Message:
Sent: 11-08-2025 11:48
From: Olivier Benghozi
Subject: Q in Q tunnel on QFX
Yes. And at the UNI side (xe-0/0/0), change this, too:
vlan-id-list 1-50
At the NNI side you'll obtain dot1q outer 100 + inner 1.
------------------------------
Olivier Benghozi
Original Message:
Sent: 11-08-2025 11:23
From: nurairtt
Subject: Q in Q tunnel on QFX
Thanks Oliver for the clarification. Could you please let me know how we can include untagged traffic. Basically I want to consider untagged traffic as vlan 1 ( native vlan) and add outer tag as we are doing it for tagged traffic.
The following commands will help?
set interfaces xe-0/0/0 native-vlan-id 1
set interfaces xe-0/0/0 input-native-vlan-push enable
------------------------------
nura irtt
Original Message:
Sent: 11-08-2025 08:33
From: Olivier Benghozi
Subject: Q in Q tunnel on QFX
Correct, in the vlan definition, the vlan-id is not defined for the S-VLAN.
It's defined in the unit on the NNI, and nowhere on the UNI (but uses the unit number).
mac-learning should be disabled ; not mandatory, but useful and relevant, as it's completely useless to learn MAC on a tunnel (as show in Juniper doc: Configuring Q-in-Q Tunneling and VLAN Q-in-Q Tunneling and VLAN Translation ).
------------------------------
Olivier Benghozi
Original Message:
Sent: 11-08-2025 07:38
From: nurairtt
Subject: Q in Q tunnel on QFX
Thanks for your valuable inputs, Oliver.
S-vlan should not have the vlan-id assigned to it , correct (set vlans qinq-100 vlan-id 100)? Kindly confirm.
mac-learning should be disabled on qinq vlan as well?
------------------------------
ARUNKUMAR RAJASEKARAN
Original Message:
Sent: 11-08-2025 07:14
From: Olivier Benghozi
Subject: Q in Q tunnel on QFX
Nope:
- you don't have to specify any vlan-id for the S-vlan on the UNI interface
- you forgot to show the vlan definitions (and you don't define the S-Vlan with its dot1q tag)
- the S-Vlan is not a normal vlan, therefore it's not configured within the family ethernet-switching on unit 0, on the NNI
- As you want both normal vlans and S-Vlan on your NNI, its encap must be flexible-ethernet-services
- As QinQ is a point to point tunnel, you should deactivate MAC learning on it
Therefore:
set interfaces xe-0/0/0 flexible-vlan-taggingset interfaces xe-0/0/0 encapsulation extended-vlan-bridgeset interfaces xe-0/0/0 unit 100 vlan-id-list 2-50set interfaces xe-0/0/0 unit 100 input-vlan-map pushset interfaces xe-0/0/0 unit 100 output-vlan-map popset interfaces xe-0/0/1 flexible-vlan-taggingset interfaces xe-0/0/1 encapsulation flexible-ethernet-servicesset interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode trunkset interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 10set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 20set interfaces xe-0/0/1 unit 100 encapsulation vlan-bridgeset interfaces xe-0/0/1 unit 100 vlan-id 100set vlans qinq-100 interface xe-0/0/0.100set vlans qinq-100 interface xe-0/0/1.100set vlans qinq-100 switch-options no-mac-learning
------------------------------
Olivier Benghozi
Original Message:
Sent: 11-04-2025 07:45
From: ARUNKUMAR RAJASEKARAN
Subject: Q in Q tunnel on QFX
I'm planning to configure a Q-in-Q tunnel on a Juniper QFX switch running JunOS 23.x, and I'd like to confirm if my approach looks correct.
The goal is to use VLAN 100 as the outer service tag (S-tag) for double-tagged traffic. The provider-facing interface should continue to carry both:
Below is the draft configuration plan.
Could you please review it and let me know if any adjustments are needed to make this work properly?
set interfaces xe-0/0/0 flexible-vlan-tagging
set interfaces xe-0/0/0 encapsulation extended-vlan-bridge
set interfaces xe-0/0/0 unit 100 vlan-id-list 2-50
set interfaces xe-0/0/0 unit 100 input-vlan-map push
set interfaces xe-0/0/0 unit 100 input-vlan-map vlan-id 100
set interfaces xe-0/0/0 unit 100 output-vlan-map pop
set interfaces xe-0/0/1 flexible-vlan-tagging
set interfaces xe-0/0/1 encapsulation extended-vlan-bridge
set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 10
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 20
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 100
------------------------------
ARUNKUMAR RAJASEKARAN
------------------------------