
Purpose of the Document 

This article is intended to help network administrators and security engineers understand the expected behavior of TPS devices when processing ingress Q-in-Q traffic. It provides guidance on proper configuration and highlights the Layer 2 treatment of Q-in-Q traffic, which affects how various filtering and inspection features operate.

Inspection Bypass  

As traffic enters TXE TPS devices, the internal switching architecture treats Q-in-Q traffic as Layer 2, non-IP traffic. This means that Inspection Bypass rules for Q-in-Q traffic can only match on Layer 1 and Layer 2 attributes, specifically the physical segment and the outer VLAN ID. To bypass Q-in-Q traffic successfully, the IP type must be set to "Not IP"; selecting any IP-based option will cause the bypass rule to fail.

Virtual Segments 

Virtual Segment assignment for Q-in-Q traffic is based exclusively on the outer VLAN ID. The TXE TPS device always uses the outer VLAN tag to determine Virtual Segment membership and ignores the inner VLAN tag entirely.

DV Filter Events 

When monitoring Digital Vaccine (DV) filter events for Q-in-Q traffic, the events table displays only the outer VLAN tag. The inner VLAN tag is not reported in any event logs or alerts generated by the system. As a result, traffic from multiple inner VLANs appears under a single outer VLAN in event reporting, so events are effectively aggregated at the outer VLAN level.
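To make the Inspection Bypass, Virtual Segment and DV event behaviours above concrete, the following added Python model (not Trend Micro code, and not a description of how the TPS is implemented internally) parses the 802.1ad/802.1Q tag stack of constructed Ethernet frames and then classifies them the way this article describes: any double-tagged frame is seen as Layer 2 non-IP, an Inspection Bypass rule matches only on outer VLAN ID plus IP type, Virtual Segment membership is decided by the outer VLAN ID, and events are counted by outer VLAN ID so that inner VLANs collapse together. The rule and segment-map dictionaries, the MAC addresses and the frame payloads are all assumptions made for the example.

```python
import struct
from collections import Counter

# Ethertypes used in the 802.1Q / 802.1ad tag stack (standard IEEE values).
ETHERTYPE_8021Q = 0x8100    # customer (inner) tag; many devices also use it for the outer tag
ETHERTYPE_8021AD = 0x88A8   # service-provider (outer) tag
ETHERTYPE_IPV4 = 0x0800
TAG_ETHERTYPES = {ETHERTYPE_8021Q, ETHERTYPE_8021AD}


def build_frame(outer_vid, inner_vid=None, payload_ethertype=ETHERTYPE_IPV4):
    """Construct a minimal Ethernet frame with one or two VLAN tags (constructed test data)."""
    dst = bytes.fromhex("ffffffffffff")            # constructed broadcast destination
    src = bytes.fromhex("02000000aabb")            # constructed locally administered source
    frame = dst + src
    if inner_vid is not None:                      # Q-in-Q: 802.1ad outer tag, 802.1Q inner tag
        frame += struct.pack("!HH", ETHERTYPE_8021AD, outer_vid & 0x0FFF)
        frame += struct.pack("!HH", ETHERTYPE_8021Q, inner_vid & 0x0FFF)
    else:                                          # plain single-tagged frame
        frame += struct.pack("!HH", ETHERTYPE_8021Q, outer_vid & 0x0FFF)
    frame += struct.pack("!H", payload_ethertype)
    return frame + b"\x45" + b"\x00" * 19           # constructed dummy IPv4-looking payload


def parse_vlan_tags(frame):
    """Walk the tag stack after the two MAC addresses.
    Returns (vids, payload_ethertype); vids is outer-first and may be empty."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, vids = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TAG_ETHERTYPES:
            return vids, ethertype
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)                  # low 12 bits of the TCI are the VLAN ID


def device_view(frame):
    """Simplified model of the classification this article describes: a double-tagged
    frame is treated as Layer 2 non-IP no matter what the inner payload carries."""
    vids, ethertype = parse_vlan_tags(frame)
    is_qinq = len(vids) >= 2
    return {
        "outer_vid": vids[0] if vids else None,
        "inner_vid": vids[1] if is_qinq else None,  # on the wire, but not used by the device
        "qinq": is_qinq,
        "ip_type": "Not IP" if is_qinq or ethertype != ETHERTYPE_IPV4 else "IPv4",
    }


def bypass_rule_matches(frame, rule):
    """Inspection Bypass rule (assumed shape): matches on outer VLAN ID and IP type only."""
    view = device_view(frame)
    return view["outer_vid"] == rule["outer_vid"] and view["ip_type"] == rule["ip_type"]


def assign_virtual_segment(frame, segment_by_outer_vid):
    """Virtual Segment membership is decided by the outer VLAN ID alone."""
    return segment_by_outer_vid.get(device_view(frame)["outer_vid"], "default")


def aggregate_events(frames):
    """Count DV events the way the events table reports them: by outer VLAN ID only."""
    return Counter(device_view(f)["outer_vid"] for f in frames)


if __name__ == "__main__":
    frames = [build_frame(100, 10), build_frame(100, 20), build_frame(200, 30)]
    print(bypass_rule_matches(frames[0], {"outer_vid": 100, "ip_type": "Not IP"}))  # True
    print(bypass_rule_matches(frames[0], {"outer_vid": 100, "ip_type": "IPv4"}))    # False
    print(aggregate_events(frames))   # inner VLANs 10 and 20 both count under outer VLAN 100
```

The `aggregate_events` result is the practical point for anyone tuning alerts: two distinct customer VLANs behind the same outer tag are indistinguishable in the events table, so any per-VLAN thresholds or tuning have to be expressed in terms of the outer VLAN ID.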

Traffic Management Filters 

Traffic Management Filters are designed to operate on Layer 3 and Layer 4 attributes such as IP addresses, CIDR ranges, and TCP/UDP ports. Since VLAN tagging and Q-in-Q encapsulation are Layer 2 constructs, these filters cannot be used to act on Q-in-Q traffic. An alternative filtering method for Q-in-Q, such as Inspection Bypass rules, should be used instead.