# QinQ experience (VLAN VPN)



## blind0ne (Dec 7, 2021)

Hi, I'm currently trying to search around and build a scheme with QinQ implemented. My question is for people already familiar with the concept of such "double tagged" frames. How is it done, in a nutshell: do these 2 tags originate from the access layer switch (the switch where the client is connected), or is the second tag inserted by the next-hop second network switch that already receives this one-tagged frame?

Not sure that this forum is the right place to ask such questions, but I hope it's not the last one.
Thank you for your attention.


----------



## astyle (Dec 7, 2021)

Do you even have the hardware to play with that kind of setup? You'll need to study netcat, ifconfig, and how to create (and keep track of) virtual network interfaces. Under FreeBSD, jails are a commonly recommended setup for such research. Even then, a jail takes up around 1/2 a gigabyte of actual disk space. And you'll need like 5 of them to both send AND receive the packets. 
--
I can tell that you're willing to do the homework, but at this point, I'd suggest that you avoid getting too specific right off the bat.


----------



## blind0ne (Dec 8, 2021)

astyle said:


> Do you even have the hardware to play with that kind of setup? You'll need to study netcat, ifconfig, and how to create (and keep track of) virtual network interfaces. Under FreeBSD, jails are a commonly recommended setup for such research. Even then, a jail takes up around 1/2 a gigabyte of actual disk space. And you'll need like 5 of them to both send AND receive the packets.
> --
> I can tell that you're willing to do the homework, but at this point, I'd suggest that you avoid getting too specific right off the bat.


Why do I need any jails for this?


----------



## astyle (Dec 8, 2021)

blind0ne said:


> Why do I need any jails for this?


Because, if you look at the diagrams for the setup, you need at least 5 hosts, each with 2 IP addresses at least. It's possible to virtualize the setup on just one host, but it does need to be pretty powerful hardware to hold 5 VMs or jails that are running at the same time. And, can you easily keep track of each IP address to make sure the routing is correct? That would be kind of a hard prerequisite to 'Q in Q' on VLANs... VLANs are not the same thing as simple networking between virtual interfaces. Once you get simple networking correct, then you can look at traffic shaping. It's your hardware, of course, and your time/effort, but there's a reason some things just come first, and need to be done right, before moving on to anything fancier. Skipping too far ahead to fancy stuff is only gonna result in you wondering why it didn't work.


----------



## blind0ne (Dec 8, 2021)

astyle said:


> Because, if you look at the diagrams for the setup, you need at least 5 hosts, each with 2 IP addresses at least. It's possible to virtualize the setup on just one host, but it does need to be pretty powerful hardware to hold 5 VMs or jails that are running at the same time. And, can you easily keep track of each IP address to make sure the routing is correct? That would be kind of a hard prerequisite to 'Q in Q' on VLANs... VLANs are not the same thing as simple networking between virtual interfaces. Once you get simple networking correct, then you can look at traffic shaping. It's your hardware, of course, and your time/effort, but there's a reason some things just come first, and need to be done right, before moving on to anything fancier. Skipping too far ahead to fancy stuff is only gonna result in you wondering why it didn't work.


For now I just want to make 1 single frame and send it on the interface, just to see what this double-tagged one should look like, just to see the dump in Wireshark and try to send it through some old Chinese L2 blackbox. How can I construct such a request and send it?


----------



## astyle (Dec 8, 2021)

blind0ne said:


> For now I just want to make 1 single frame and send it on the interface, just to see what this double-tagged one should look like, just to see the dump in Wireshark and try to send it through some old Chinese L2 blackbox. How can I construct such a request and send it?


You do need to know stuff like nc(1) and ifconfig(1), as well as have a pretty good handle on what to look for in a Wireshark dump before trying stuff like that. In isolation, trying something that fancy doesn't make much sense; you do need to build up some context first, and have a pretty good handle on fundamentals.


----------
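Added example, not written by any poster in this thread: the byte layout of a double-tagged (IEEE 802.1ad) frame, built and parsed in Python and written to a pcap file so the two tags can be inspected in Wireshark without any hardware. The MAC addresses, VLAN IDs 100/10, the experimental EtherType 0x88B5 and the file name `qinq.pcap` are constructed sample values.

```python
import struct

TPID_STAG = 0x88A8    # IEEE 802.1ad service tag (outer, added by the provider edge)
TPID_CTAG = 0x8100    # IEEE 802.1Q customer tag (inner)
TPID_LEGACY = 0x9100  # pre-standard outer TPID still seen on some older switches

def vlan_tag(tpid, vid, pcp=0, dei=0):
    """One 4-byte tag: 16-bit TPID, then TCI = 3-bit PCP | 1-bit DEI | 12-bit VID."""
    if not (0 <= vid <= 0xFFF and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("VID is 12 bits, PCP is 3 bits, DEI is 1 bit")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)

def build_qinq(dst, src, s_vid, c_vid, ethertype, payload, outer_tpid=TPID_STAG):
    """Ethernet frame without FCS: dst | src | outer tag | inner tag | type | data."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    frame = (dst + src + vlan_tag(outer_tpid, s_vid) + vlan_tag(TPID_CTAG, c_vid)
             + struct.pack("!H", ethertype) + payload)
    return frame.ljust(60, b"\x00")  # pad to the 60-byte minimum (64 with FCS)

def parse_tags(frame):
    """Return ([(tpid, pcp, dei, vid), ...] outermost first, ethertype, payload offset)."""
    tags, off = [], 12  # tags start right after the two 6-byte MAC addresses
    while True:
        if len(frame) < off + 2:
            raise ValueError("frame truncated inside the tag stack")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_STAG, TPID_CTAG, TPID_LEGACY):
            return tags, etype, off + 2
        if len(frame) < off + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0xFFF))
        off += 4

def write_pcap(path, frames):
    """Classic pcap file (LINKTYPE_ETHERNET = 1) that Wireshark opens directly."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for fr in frames:
            f.write(struct.pack("<IIII", 0, 0, len(fr), len(fr)) + fr)

if __name__ == "__main__":
    # Constructed sample: locally administered MACs, experimental EtherType 0x88B5.
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    frame = build_qinq(dst, src, s_vid=100, c_vid=10, ethertype=0x88B5, payload=b"qinq-test")
    write_pcap("qinq.pcap", [frame])
    print(frame[:22].hex(" "), parse_tags(frame))
```

Passing `outer_tpid=TPID_CTAG` or `outer_tpid=TPID_LEGACY` to `build_qinq` produces the non-standard outer tags that some older equipment expects instead of 0x88A8.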

