Q-in-Q Subscriber CGNAT · scale with VLAN stacking · single-VLAN + Q-in-Q on one box · PPPoE + IPoE
CGNAT Data-Path Brief · Q-in-Q Subscriber Support
Scale your access network with Q-in-Q — and translate every subscriber natively, single-tag or double-tag, on one box.
Q-in-Q (802.1ad VLAN stacking) is how large access networks scale: an outer service VLAN per aggregation domain and an inner customer VLAN per subscriber — lifting you far past the 4094-VLAN ceiling and giving every subscriber clean Layer-2 isolation. BNGSOFT's eBPF/XDP CGNAT translates those Q-in-Q subscribers natively, both directions, at line rate — and carries your single-VLAN and Q-in-Q subscribers together on the same box, on the same pools. One CGNAT, both modes.
- Millions of subs: past the 4094-VLAN ceiling (outer S-tag × inner C-tag addressing space)
- Native in XDP: both directions, line rate (SNAT + DNAT + tag re-encap in eBPF, no kernel slow-path)
- PPPoE + IPoE: either encapsulation (double-tagged sessions of both types translated)
- Both modes: single-VLAN + Q-in-Q (one box, one CGNAT, same pools)
Q-in-Q gives you the addressing scale and per-subscriber isolation a large access network needs. With BNGSOFT it simply works — single-tag and double-tag subscribers ride the same line-rate eBPF CGNAT, so a Q-in-Q subscriber is just a subscriber.
Why operators run Q-in-Q
Stacking two 802.1Q tags — an outer S-tag (service VLAN) and an inner C-tag (customer VLAN) — is the standard way to build a scalable, well-isolated access network. It buys you four things at once:
Scale: Address far past 4094 subscribers
- A single VLAN space tops out at 4094
- Stacking S-tag × C-tag expands that into the millions
- Room to grow every OLT/PON without renumbering
Isolation: Every subscriber in their own VLAN
- Per-subscriber Layer-2 separation by inner C-tag
- No subscriber-to-subscriber bridging or L2 snooping
- Cleaner security posture and per-line accountability
Aggregation: Structure by service & location
- Outer S-tag groups an OLT, PON, region, or service
- One uplink trunk carries many aggregation domains
- Provisioning maps naturally: S-tag = where, C-tag = who
Q-in-Q is a scaling and isolation win — as long as your BNG/CGNAT treats a double-tagged subscriber as a first-class citizen. BNGSOFT does: the tag stack is parsed, translated, and rebuilt natively in the data path, so you keep every benefit of VLAN stacking with none of the operational compromise.
How it works with BNGSOFT — natively, in the XDP fast path
Q-in-Q handling is built into the same eBPF/XDP CGNAT program that already forwards every subscriber — not a bolt-on gateway or a kernel slow-path. It reads the full tag stack on the way in and rebuilds it exactly on the way out.
Upload · parse + SNAT: Read the whole stack, then translate
- Parse ETH → outer S-tag → inner C-tag → (PPPoE + PPP, for PPPoE) → IP
- Locate the true IP header wherever it sits in the stack
- Apply source NAT there and forward toward the internet
Download · DNAT + re-encap: Rebuild the exact subscriber frame
- Reverse-map the return flow back to the private subscriber
- Re-encapsulate ETH + S-tag + C-tag + PPPoE + PPP
- Deliver to the correct physical / bond-member port
PPPoE & IPoE: Both encapsulations, one path
- Double-tagged PPPoE: outer + inner tag + PPPoE session
- Double-tagged IPoE: outer + inner tag, IP directly inside
- Inner customer VLAN retained per subscriber for the return frame
The subscriber frame — single-VLAN and Q-in-Q, handled the same way
```
# single-VLAN PPPoE subscriber
ETH | C-VLAN | PPPoE PPP | IP
# Q-in-Q (double-tagged) PPPoE subscriber
ETH | S-VLAN | C-VLAN | PPPoE PPP | IP
# bngxdpd locates the IP header in either layout on upload, and on
# download rebuilds the exact tag stack the subscriber expects.
```
Single-tag and untagged subscribers keep their original layout unchanged; the Q-in-Q path is additive.
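The upload-side header walk described above, as an added example in plain userspace C (not bngxdpd's code): it steps through up to two VLAN tags and an optional PPPoE/PPP header, checking bounds before every read as the eBPF verifier requires of an XDP program, and records the tag stack and session ID a return path would need. The names `locate_ip` and `struct l2_info` are hypothetical, and both sample frames are constructed.

```c
#include <stdint.h>
#include <stdio.h>
enum { ETH_HLEN = 14, VLAN_HLEN = 4, PPPOE_HLEN = 6, MAX_TAGS = 2,
       ETH_P_IP = 0x0800, ETH_P_8021Q = 0x8100, ETH_P_8021AD = 0x88a8,
       ETH_P_PPP_SES = 0x8864, PPP_IPV4 = 0x0021 };
struct l2_info {              /* hypothetical: state kept for the return frame */
    uint16_t vid[MAX_TAGS];   /* vid[0] is the outermost tag (S-tag if stacked) */
    uint8_t  ntags;           /* 0 untagged, 1 single-VLAN, 2 Q-in-Q */
    uint8_t  pppoe;           /* 1 when a PPPoE session header was present */
    uint16_t session_id;
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the IPv4 header offset, or -1 (truncated, more than 2 tags, not IPv4). */
int locate_ip(const uint8_t *f, size_t len, struct l2_info *out) {
    size_t off = ETH_HLEN;
    *out = (struct l2_info){0};
    if (len < off) return -1;
    uint16_t proto = rd16(f + 12);
    while (proto == ETH_P_8021Q || proto == ETH_P_8021AD) {
        if (out->ntags == MAX_TAGS || len < off + VLAN_HLEN) return -1;
        out->vid[out->ntags++] = rd16(f + off) & 0x0fff;   /* drop PCP/DEI bits */
        proto = rd16(f + off + 2);
        off += VLAN_HLEN;
    }
    if (proto != ETH_P_PPP_SES && proto != ETH_P_IP) return -1;
    if (proto == ETH_P_PPP_SES) {        /* 6-byte PPPoE + 2-byte PPP protocol */
        /* length first, then version/type 0x11 and code 0x00 (session data) */
        if (len < off + PPPOE_HLEN + 2 || f[off] != 0x11 || f[off + 1] != 0) return -1;
        if (rd16(f + off + PPPOE_HLEN) != PPP_IPV4) return -1;
        out->pppoe = 1;
        out->session_id = rd16(f + off + 2);
        off += PPPOE_HLEN + 2;
    }
    if (len < off + 20 || (f[off] >> 4) != 4) return -1;   /* minimal IPv4 header */
    return (int)off;
}

/* Constructed frames (zero MACs and IP body): Q-in-Q PPPoE and single-VLAN PPPoE. */
static const uint8_t QINQ[50] = { [12] = 0x88,0xa8, 0x00,0x64, 0x81,0x00, 0x00,0x07,
    0x88,0x64, 0x11,0x00,0x12,0x34,0x00,0x16, 0x00,0x21, 0x45 };
static const uint8_t SINGLE[46] = { [12] = 0x81,0x00, 0x00,0x07,
    0x88,0x64, 0x11,0x00,0x12,0x34,0x00,0x16, 0x00,0x21, 0x45 };

int main(void) {
    struct l2_info q, s;
    printf("qinq ip_off=%d single ip_off=%d\n",
           locate_ip(QINQ, sizeof QINQ, &q), locate_ip(SINGLE, sizeof SINGLE, &s));
    return 0;
}
```

The parser accepts either 0x8100 or 0x88a8 as a tag ethertype, and a frame with a third tag or a truncated header is rejected rather than guessed at.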
One CGNAT, both modes — on the same box
You don't stand up a separate BNG for your double-tagged subscribers. bngxdpd carries single-VLAN, untagged, and Q-in-Q subscribers together on one node, all on the same line-rate eBPF CGNAT — same address pools, same full-cone / EIF behaviour, same per-subscriber visibility. Migrate an OLT to Q-in-Q, or run mixed tagging across your footprint, without splitting your CGNAT tier.
Additive, never disruptive
Single-VLAN subscribers follow a byte-identical path — the Q-in-Q handling engages only when an inner tag is present. Turning on double-tag support changes nothing for the single-tag subscribers already in service.
Bond-aware delivery
The download path resolves the true physical member of a LAG/bond before it transmits, so the re-stacked frame leaves on a real port. Correct on bonded uplinks, not just single links — which is how most high-capacity BNGs are cabled.
| Piece | What bngxdpd does for a Q-in-Q subscriber |
| --- | --- |
| Upload SNAT | Parses through the outer S-tag, inner C-tag, and (for PPPoE) the PPPoE/PPP headers to locate the real IP header, then applies source NAT at that resolved offset. |
| Download DNAT | Reverse-maps the return flow from the pool's public address:port back to the subscriber's private address, using the same session table the upload path populated. |
| Download re-encap | Rebuilds the exact Layer-2 frame the subscriber's link expects — Ethernet, outer service VLAN, inner customer VLAN, and the PPPoE session for PPPoE — from per-subscriber state captured at session setup. |
| Egress port | Redirects the finished frame to the correct physical / bond-member port so a bonded (LAG) uplink delivers it cleanly. |
| Encapsulation | Handles both double-tagged PPPoE and double-tagged IPoE subscribers; the inner customer VLAN is retained per subscriber for a precise return frame. |
| Single-VLAN subs | Unchanged and coexisting. Untagged and single-tag subscribers ride the same CGNAT on the same box with a byte-identical path. |
Runs on the CGNAT you already have. Q-in-Q support isn't a second appliance in the path — it's part of the same eBPF/XDP CGNAT program that forwards every subscriber, so double-tagged subscribers get the same full-cone / EIF pools, per-subscriber X-ray visibility, and line-rate forwarding as everyone else. No separate licence, no per-subscriber kernel slow-path.
Keep the scale of Q-in-Q. Skip the compromise.
Stacking an outer service VLAN and an inner customer VLAN is how large access networks scale past the single-tag ceiling and isolate every subscriber — and it shouldn't cost you a separate CGNAT tier or a slow kernel path. bngxdpd translates double-tagged subscribers natively in the XDP fast path: it parses through both tags to SNAT on the way up, and rebuilds the exact S-tag + C-tag + PPPoE stack to the right port on the way down.
PPPoE or IPoE, single-tag or double-tag, on bonded or single uplinks — they all ride the same line-rate eBPF CGNAT, on one box, with the same pools and the same per-subscriber visibility.
Running Q-in-Q, or planning to? We'll walk through the upload SNAT and download re-encapsulation on a test double-tagged subscriber and confirm both directions on your tag scheme — single-tag and Q-in-Q side by side on the same node.
Honest framing: This is a data-path capability brief; no throughput or price figures are claimed. Q-in-Q here means IEEE 802.1ad-style VLAN stacking: an outer service VLAN (S-tag) and an inner customer VLAN (C-tag). The addressing-scale figure reflects the theoretical VLAN-stacking space (two 12-bit tags); usable scale in any deployment is governed by the operator's VLAN plan, hardware, and subscriber-capacity engineering, not by the tag space alone. bngxdpd's upload path parses through both VLAN tags — and, for PPPoE subscribers, the PPPoE and PPP headers — to the encapsulated IP header and applies SNAT at the resolved offset; the download path applies DNAT and re-encapsulates the exact Ethernet + S-tag + C-tag + PPPoE/PPP frame, redirecting it to the underlying physical or bond-member port. The double-tag handling is additive: untagged and single-VLAN subscribers follow a byte-identical code path, and the double-tag path engages only when an inner tag is present. This capability was validated end-to-end on a live 4×100G BNGSOFT node carrying a real double-tagged PPPoE subscriber — upload SNAT and download delivery confirmed on the wire, coexisting with a single-VLAN subscriber on the same box; double-tagged IPoE subscribers use the same data-path handling. The outer-tag ethertype emitted on the download frame follows the operator's access VLAN configuration (e.g. 0x8100 stacked 802.1Q versus 0x88a8 802.1ad); confirm the tag scheme for your deployment. Frame-structure examples above are illustrative of a common PPPoE encapsulation and vary with the exact header set present. Validate against your own access topology and VLAN plan.
Related briefs: Full CGNAT, CGNAT-Only Appliance, Per-Subscriber CGNAT X-Ray, IPv6 & Dual-Stack.