VLAN within a VLAN

Hi All

We have a “small” network which spans across a large geographical area and as a means of connecting all the remote locations we utilise a VLAN on another entity's corporate network.

We have come to a point though where we would like to start segmenting our network and I was wondering if it’s possible to run VLANs through another VLAN?

We basically run Mikrotik (core) and Ubiquiti (remote) while the corporate network (VLAN) is predominantly Cisco.

Thanks.
R

Yes, possible, it's called Q-in-Q. On Mikrotik it's more referred to as S-tag, which would be the outer tag.

So you could potentially:

VLAN100 - STag enabled
VLAN101 - Parent Int VLAN100
VLAN102 - Parent Int VLAN100

etc

but networks between you and the remote need to support you tagging this way too; they may already be encapsulating your tags into an outer VLAN to parse their network. You might have to run some tests to see if it's possible in your current setup.

There is even a name for it, QinQ. However the intention was (experts, pardon my plain words) to have an inner layer of “enterprise” or “customer” VLANs and an outer layer of “(internet) service (provider)” VLANs distinguished by the ethertype value of the tags, hence you can see them referred to as C- and S-VLANs and C- and S-tags.

Mikrotik’s flexibility allows you to stack tags of the same type but only in software, and some non-mikrotik hardware switches may strip down all tags or get confused or not accept already C-tagged frames on an access port; even Mikrotik’s software was stripping all tags of the same type in certain ROS releases.

So it is possible to stack VLAN tags but it is not safe to transport the result through a 3rd party network. It might seem tempting to use the idea of QinQ upside down and use service tagged VLANs in your part of the network, but think twice before doing so, because if you ever migrate to a normal ISP using S-VLANs for individual customers, you’ll be in trouble: by that time you’ll already depend on the existence of VLANs in your network, so you’ll have to switch over all your devices from S-tagging to C-tagging simultaneously.

If a network “becomes so large that it asks for segmentation”, the first thing which comes to my mind is the size of broadcast domains, i.e. to reduce the size of IP subnets and deploy routing between sites instead of L2 transparency. Am I missing something?
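The S-tag over C-tag stacking sketched in the two replies above (VLAN101 carried inside S-tagged VLAN100, and tags told apart by ethertype), as an added example that is not from this thread or from MikroTik: a small Python parser that walks a frame's tag stack and names the scheme, so a capture taken at the far end of the carrier network can be compared with what was sent to see whether the outer tag survived or same-type tags were stripped. The MAC addresses, VLAN IDs and payload are constructed sample values.

```python
import struct

# Tag ethertypes: 802.1ad service tag (outer) and 802.1Q customer tag (inner).
ETH_P_8021AD = 0x88A8  # S-tag
ETH_P_8021Q = 0x8100   # C-tag
TAG_KIND = {ETH_P_8021AD: "S", ETH_P_8021Q: "C"}

def build_frame(dst, src, tags, payload_ethertype, payload):
    """Build a frame with a tag stack given as [(tag_ethertype, vid), ...], outermost first."""
    frame = bytearray(dst + src)
    for tag_ethertype, vid in tags:
        frame += struct.pack("!HH", tag_ethertype, vid & 0x0FFF)  # PCP/DEI left at zero
    frame += struct.pack("!H", payload_ethertype) + payload
    return bytes(frame)

def parse_tags(frame):
    """Walk the tag stack; return ([(kind, vid), ...], payload_ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an untagged Ethernet header")
    offset = 12  # past destination and source MAC
    tags = []
    while True:
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in TAG_KIND:
            break
        if offset + 6 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append((TAG_KIND[ethertype], tci & 0x0FFF))
        offset += 4
    return tags, ethertype, bytes(frame[offset + 2:])

def classify_stack(tags):
    """Name the tagging scheme so a capture can be checked against what the carrier expects."""
    kinds = [kind for kind, _ in tags]
    if not kinds:
        return "untagged"
    if kinds == ["C"]:
        return "single C-tag (802.1Q)"
    if kinds == ["S", "C"]:
        return "802.1ad Q-in-Q (S-tag over C-tag)"
    if len(set(kinds)) == 1:
        return "same-type stacked tags (non-standard, may be stripped)"
    return "other tag stack: " + "/".join(kinds)

# Constructed sample: the thread's VLAN101 carried inside S-tagged VLAN100, IPv4 payload.
SAMPLE = build_frame(bytes(6), b"\x02" * 6, [(ETH_P_8021AD, 100), (ETH_P_8021Q, 101)], 0x0800, b"\x45")

if __name__ == "__main__":
    tags, ethertype, _ = parse_tags(SAMPLE)
    print(tags, hex(ethertype), classify_stack(tags))
```

Feed it the raw bytes of a frame captured on the remote side (for example via a packet sniffer export) and compare the result with the sent frame's classification.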

Thanks for the replies. It seems even though it might be an option, QinQ is not as simplistic a solution as I imagined and could be problematic going through a plethora of Ciscos. It does seem like the corporate guys will grant us another VLAN or two which will make things a lot simpler.

Cheers,
R

You could also try to run l2vpn over mpls through that link.

That’s plan B in case the additional VLANs don’t pan out :wink: