Hello,

In `DC1` I have a cable with hybrid mode:
1) Untagged traffic (Internet Uplink)
2) Traffic with client (802.1Q) tag `SOME_ISP_TAG` which is a L2 VPN to the `DC2` implemented by my ISP.

In `DC2` I have a cable with access mode and untagged traffic from `DC1` (from the point 2)

So, in DC1 I have `ether1` for uplink and `vlan1.on.ether1` for connection that goes to DC2.

I now want to create a separate network between these DCs (and put it into the separate broadcast domain).
On both sides I have switches and I want to have port-based VLAN, so some computers from DC1 could only talk to a dedicated group of computers in DC2.

If provider were using service tag (802.1ad), I could add as many client-tags (802.1Q) as I want, and then use VLAN tags to send traffic to the correct ports.
Unfortunately, It doesn't.

How can I implement Q-in-Q to put my own VLAN inside of ISP VLAN?
I can create vlan interface on top of another vlan and put it into the bridge, but I think this would break hw offloading, and I also want my switches to work in SwOS mode. So, what I really need is to make switch to do the following:

For traffic from `Port1`: add tag `MY_OWN_VLAN42` and send it to the `Port2`. But before sending, add another tag: `SOME_ISP_TAG`.
For ingress on `Port2` remove `SOME_ISP_TAG`, and choose port based on internal tag (which is `MY_OWN_VLAN42` for `Port1`).

Is it somehow possible?

Thank you in advance

This is possible we have done this in the past but the performance isn't great specially if your intentions is to link your DC, all processing is done in CPU we used CRS317 before and we gave up so we are force to used Juniper instead just my 0.2$, this is another wish list from us that we don't know when or will this happen in my life time

Thanks loloski!
Performance is what I care about:( What exactly have you done? Have you added `vlan` interface to the bridge?

I think I have two options:
1. Ask ISP to create another VLAN or use service tag
2. Ignore L2 network separation for now (not good, as people would send broardcasts!)

The CRS3xx and CRS5xx hardware is capable of this, however Mikrotik have not exposed the functionality in RouterOS.

They _really_ need to rewrite the switch rule (ACL) system to support matching SVID and CVID, as well as writing of SVID and CVID to frames. In addition to allowing multiple actions per frame.

our simple use case is just like this and we haven't gotten really far due to the said limitation apart from simple tag stacking we also need double tag stacking since we are offering last mile service

https://help.mikrotik.com/docs/display/ ... ling(QinQ)

nz_monkey thank you.
I assume this can't be done with SwOS either?

loloski, in the example by this link `0x88a8` is used, which is "service tag" and it seems to be supported somehow, but my ISP doesn't use it:(

Well we are lucky because we are the ISP , if you are a customer just get metro-e services from your upstream and be done with it they will be happy to oblige whatever you need