The VLAN-VPN function enables packets to be transmitted across the operator's backbone network with the VLAN tags of private networks encapsulated inside those of the public network. In the public network, packets of this type are forwarded according to their outer VLAN tags (that is, the VLAN tags of the public network), while the private-network VLAN tags encapsulated inside them are shielded from the public network.
Figure 1-1 describes the structure of packets with single-layer VLAN tags.

Figure 1-1 Structure of packets with single-layer VLAN tags

Figure 1-2 describes the structure of packets with nested VLAN tags.

Figure 1-2 Structure of packets with double-layer VLAN tags
Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features:

- It provides simpler Layer 2 VPN tunnels.
- VLAN-VPN can be implemented without the support of signaling protocols. You can enable VLAN-VPN by static configuration.

The VLAN-VPN function provides you with the following benefits:

- It saves public network VLAN ID resources.
- You can use VLAN IDs of your own, which are independent of the public network VLAN IDs.
- It allows for simple Layer 2 VPN solutions for small-sized MANs or intranets.
VLAN-VPN can be implemented by enabling the
VLAN-VPN function on ports.
With the VLAN VPN function enabled, a
received packet is tagged with the default VLAN tag of the receiving port no
matter whether or not the packet already carries a VLAN tag. If the packet
already carries a VLAN tag, the packet becomes a dual-tagged packet. Otherwise,
the packet becomes a packet carrying the default VLAN tag of the port.
Tag protocol identifier (TPID) is a field of
the VLAN tag. IEEE 802.1Q specifies the value of TPID to be 0x8100.
Figure 1-3 illustrates the structure of the tag field of an Ethernet frame as defined by IEEE 802.1Q.

Figure 1-3 The structure of the tag field of an Ethernet frame
The H3C S3100-52P switch adopts the protocol default TPID value (0x8100). Some other vendors use other TPID values (such as 0x9100 or 0x9200) in the outer tags of VLAN-VPN packets.
To be compatible with devices from other vendors, the S3100-52P switch can adjust the TPID values of VLAN-VPN packets on a per-port basis. You can configure the TPID value of a port connecting to the public network side yourself. When a packet is forwarded through the port, the port replaces the TPID value in the outer VLAN tag of the packet with the user-defined value, so that the VLAN-VPN packets sent to the public network can be recognized by devices of other vendors.
As the TPID field in a tagged Ethernet packet occupies the same position as the protocol type field in an untagged packet, the TPID value must not be any of the protocol type values listed in Table 1-1; otherwise the switch could not distinguish tagged packets from untagged ones when receiving or forwarding packets.
Table 1-1 Commonly used protocol type values in Ethernet frames

| Protocol type | Value         |
|---------------|---------------|
| ARP           | 0x0806        |
| IP            | 0x0800        |
| MPLS          | 0x8847/0x8848 |
| IPX           | 0x8137        |
| IS-IS         | 0x8000        |
| LACP          | 0x8809        |
| 802.1x        | 0x888E        |
Before enabling the VLAN-VPN function on a port, make sure that:

- GARP VLAN registration protocol (GVRP), neighbor topology discovery protocol (NTDP), spanning tree protocol (STP), 802.1x, and the centralized MAC address authentication function are disabled on the port.
- The port is an access port.
Caution:

- The VLAN-VPN function is unavailable on a port if any of GVRP, NTDP, STP, 802.1x, or the centralized MAC address authentication function is enabled on the port.
- By default, STP and NTDP are enabled on a device. You can disable these two protocols using the stp disable and undo ntdp enable commands.
Table 1-2 Configure the VLAN-VPN function for a port

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the VLAN-VPN function on the port | vlan-vpn enable | Required. By default, the VLAN-VPN function is disabled on a port. |
| Display VLAN-VPN configuration information about all the ports | display port vlan-vpn | This command can be executed in any view. |
After you enable the VLAN-VPN function on a port, you cannot change the port to a trunk port or hybrid port, nor can you enable GVRP, NTDP, STP, 802.1x, or the centralized MAC address authentication function on the port.

- An error message appears if you try to change the port to a trunk port or hybrid port, or to enable GVRP, NTDP, STP, 802.1x, or the centralized MAC address authentication function on the port, by executing the corresponding commands.
- If you use the copy configuration command to duplicate the configuration of a port to a port enabled with the VLAN-VPN function, the configuration concerning port type (that is, access, trunk, or hybrid), GVRP, NTDP, STP, 802.1x, and the centralized MAC address authentication function is not duplicated.
1.3 Inner VLAN Tag Priority Replication Configuration

You can configure the switch to replicate the priority of the inner VLAN tag of a VLAN-VPN packet to the outer VLAN tag, so that the original tag priority is kept after an outer VLAN tag is inserted into the packet.

Prerequisite: the VLAN-VPN function is enabled on the port.
Table 1-3 Replicate the tag priority of the inner VLAN tag

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the inner VLAN tag priority replication function | vlan-vpn inner-cos-trust enable | Required. By default, the inner VLAN tag priority replication function is disabled, and the priority of an outer VLAN tag is the default priority of the current port. |
| Display the VLAN-VPN configuration of all ports | display port vlan-vpn | This command can be executed in any view. |
If you have configured the port priority (refer to the QACL part of the H3C S3100-52P Ethernet Switch Operation Manual for details), the switch prompts that the port priority configuration on the current port is invalid after you configure replication of the inner VLAN tag priority for VLAN-VPN packets on that port.
1.4 TPID Adjusting Configuration

Prerequisite: the TPID value used by the peer device on the public network side is known.
Table 1-4 Adjust TPID values for VLAN-VPN packets

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Set a TPID value for the port | vlan-vpn tpid value | Required. Do not set the TPID value to any of the protocol type values listed in Table 1-1. |
| Display VLAN-VPN configuration information about all ports | display port vlan-vpn | You can execute the display command in any view. |
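The following model, added here as an illustration and not part of the manual or the switch software, walks a frame through the three behaviours described above: the unconditional push of the receiving port's default VLAN tag (vlan-vpn enable), the optional copying of the inner tag priority into the outer tag (vlan-vpn inner-cos-trust enable), and the rewrite of only the outer TPID on the public-network port (vlan-vpn tpid), refusing any TPID that collides with a protocol type value from Table 1-1. The MAC addresses and payload are constructed sample data; the function names are the example's own.

```python
import struct

TPID_8100 = 0x8100                      # IEEE 802.1Q default TPID
KNOWN_TPIDS = {0x8100, 0x9100, 0x9200}  # TPID values named on this page
# Protocol type values from Table 1-1; a user-defined TPID must not collide with them
RESERVED_ETHERTYPES = {0x0806, 0x0800, 0x8847, 0x8848, 0x8137, 0x8000, 0x8809, 0x888E}

def make_tag(tpid, pcp, vid):
    """Build a 4-byte VLAN tag: 16-bit TPID, then PCP(3) | DEI(1) | VID(12)."""
    return struct.pack("!HH", tpid, ((pcp & 0x7) << 13) | (vid & 0xFFF))

def tag_stack(frame):
    """Return [(tpid, pcp, vid), ...] for every VLAN tag that follows the MAC header."""
    tags, off = [], 12
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] in KNOWN_TPIDS:
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        tags.append((tpid, tci >> 13, tci & 0xFFF))
        off += 4
    return tags

def vlan_vpn_ingress(frame, port_pvid, port_priority=0, inner_cos_trust=False):
    """Model 'vlan-vpn enable' on the receiving port: the port default VLAN tag is pushed
    whether or not the frame already carries a tag. With 'vlan-vpn inner-cos-trust enable'
    the new outer tag copies the existing tag's priority instead of the port priority."""
    existing = tag_stack(frame)
    pcp = existing[0][1] if (inner_cos_trust and existing) else port_priority
    return frame[:12] + make_tag(TPID_8100, pcp, port_pvid) + frame[12:]

def vlan_vpn_egress(frame, port_tpid):
    """Model 'vlan-vpn tpid' on the public-network port: only the outer tag's TPID is
    rewritten, so the inner (private-network) tag reaches the peer untouched."""
    if port_tpid in RESERVED_ETHERTYPES:
        raise ValueError(f"TPID 0x{port_tpid:04X} is a protocol type value from Table 1-1")
    return frame[:12] + struct.pack("!H", port_tpid) + frame[14:]

# Constructed sample frames (MAC addresses and payload are made up for this demo)
DST, SRC = bytes.fromhex("0000aa000001"), bytes.fromhex("0000aa000002")
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + b"ip-payload"
TAGGED = DST + SRC + make_tag(TPID_8100, 5, 100) + struct.pack("!H", 0x0800) + b"ip-payload"

def demo():
    """Walk both frames through Switch A of the configuration example: PVID 10 on the
    VLAN-VPN port, TPID 0x9100 on the port facing the other vendor's Switch B."""
    single = vlan_vpn_egress(vlan_vpn_ingress(UNTAGGED, 10), 0x9100)
    double = vlan_vpn_egress(vlan_vpn_ingress(TAGGED, 10, inner_cos_trust=True), 0x9100)
    return tag_stack(single), tag_stack(double)

if __name__ == "__main__":
    print(demo())
```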
I. Network requirements

- Switch A and Switch C are S3100-52P switches. Switch B is a switch from another manufacturer, which uses the TPID value 0x9100.
- Two user networks are connected to the Ethernet1/0/1 ports of Switch A and Switch C respectively.
- Switch B only permits packets of VLAN 10.
- It is required that packets of VLANs other than VLAN 10 can be exchanged between the user networks connected to Switch A and Switch C.
II. Network diagram

Figure 1-4 Network diagram for VLAN-VPN configuration
III. Configuration Procedure

1) Configure Switch A and Switch C.

As the configuration performed on Switch A and Switch C is the same, the configuration on Switch C is omitted.

# Set the TPID value of the Ethernet1/0/2 port of Switch A to 0x9100, and add the port to VLAN 10.

<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface Ethernet1/0/2
[SwitchA-Ethernet1/0/2] vlan-vpn tpid 9100
[SwitchA-Ethernet1/0/2] port link-type trunk
[SwitchA-Ethernet1/0/2] port trunk permit vlan 10

# Add the Ethernet1/0/1 port of Switch A to VLAN 10 and enable the VLAN-VPN function on the port.

[SwitchA] interface Ethernet1/0/1
[SwitchA-Ethernet1/0/1] port access vlan 10
[SwitchA-Ethernet1/0/1] vlan-vpn enable
[SwitchA-Ethernet1/0/1] quit

2) Configure Switch B.

Because Switch B comes from another manufacturer, the commands involved may differ from those of the S3100-52P switch, so only the operations are listed:

- Configure the Ethernet3/1/1 and Ethernet3/1/2 ports of Switch B as trunk ports.
- Add the two ports to VLAN 10.
The following describes how a packet is forwarded from Switch A to Switch C.

- As the Ethernet1/0/1 port of Switch A is a VLAN-VPN port, when a packet from the user network side reaches the Ethernet1/0/1 port of Switch A, it is tagged with the default VLAN tag of the port (VLAN 10) and is then forwarded to the Ethernet1/0/2 port.
- Because the Ethernet1/0/2 port is configured with a VLAN-VPN TPID, Switch A changes the TPID value in the outer VLAN tag of the packet to 0x9100 and forwards the packet to the public network.
- The packet reaches the Ethernet3/1/2 port of Switch B in the public network. Switch B forwards the packet to Ethernet3/1/1, which belongs to VLAN 10.
- The packet is forwarded from the Ethernet3/1/1 port of Switch B to the network on the other side and enters the Ethernet1/0/2 port of Switch C. Switch C then forwards the packet to its Ethernet1/0/1 port, which also belongs to VLAN 10. As the Ethernet1/0/1 port is an access port, Switch C strips off the outer VLAN tag of the packet and restores the original packet.
- The same applies when a packet travels from Switch C to Switch A.

After the configuration, the networks connected to Switch A and Switch C can receive data packets from each other.
In MAN networking solutions, it may be required that the branches of an enterprise be interconnected through the operator's network. This can be achieved through a VPN (virtual private network), which integrates geographically dispersed networks into one logical LAN. A tunnel function is required when you implement a VPN: it enables packets of a private network to travel through the operator's network and reach another private network securely. To make networks of this kind essentially comparable with an actual LAN, the Layer 2 protocol packets used to maintain the network must also be able to travel across the tunnels.
I. Layer 2 packet identification

Unlike data packets, a Layer 2 protocol packet is classified first when it reaches a network device. A Layer 2 protocol packet conforming to IEEE standards carries a special destination MAC address and contains a type field. Some proprietary protocols adopt the same packet structure, where a private MAC address is used to identify the corresponding proprietary protocol and the type field is used to identify the specific protocol type.
II. Transmitting BPDU packets transparently

As shown in Figure 2-1, the network on the top is the operator's network and the one on the bottom is a user network. The operator's network contains devices that receive and transmit packets. The user network contains Network A and Network B. You can have BPDU packets transmitted transparently through the operator's network by enabling the BPDU Tunnel function on the devices in the operator's network to which the user networks are connected.
- When a BPDU packet coming from a user network reaches a device in the operator's network, the device changes the destination MAC address carried in the packet from a protocol-specific MAC address to a normal MAC address, which can be identified by both the local device and the peer device. In this way, the BPDU packet is converted to a normal data packet and is forwarded in the operator's network.
- Before the device in the operator's network forwards the packet to the destination user network, the device restores the original protocol-specific MAC address. This ensures that the data portion of the packet is consistent with that before the packet entered the tunnel. So a tunnel here acts as a local link for user devices: it enables Layer 2 protocol packets to travel across a logical LAN.
Figure 2-1 BPDU Tunnel network hierarchy

Figure 2-2 and Figure 2-3 show the structure of a BPDU packet before and after it enters a BPDU tunnel.

Figure 2-2 The structure of a BPDU packet before it enters a BPDU tunnel

Figure 2-3 The structure of a BPDU packet after it enters a BPDU tunnel
You can establish BPDU tunnels between S3100-52P Ethernet switches for the packets of the following protocols:

- LACP (link aggregation control protocol)
- NDP (neighbor discovery protocol)
- Proprietary protocols, including CDP and VTP

Prerequisite: one or more of the protocols LACP, NDP, CDP, and VTP operate properly on the devices.
Table 2-1 Configure BPDU Tunnel

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Set the port to be a BPDU Tunnel uplink port, enabling the function in system view | bpdu-tunnel uplink interface-list | You can enable the BPDU Tunnel in system view or in Ethernet port view. By default, NDP is enabled globally. |
| Set the port to be a BPDU Tunnel uplink port, enabling the function in Ethernet port view: enter Ethernet port view | interface interface-type interface-number | |
| Enable the BPDU Tunnel function on the port | bpdu-tunnel uplink | |
| Return to system view | quit | |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the BPDU Tunnel function for the packets of a specific protocol | bpdu-tunnel { lacp \| ndp \| cdp \| vtp } | Required. By default, the BPDU Tunnel function is disabled on a port. |
I. Network requirements

- Customer1 and Customer2 are access devices operating in a user network.
- Provider1 and Provider2 are access devices operating in the operator's network. They are interconnected through their trunk ports, as shown in Figure 2-4.
- Enable the BPDU Tunnel function for NDP packets on the Ethernet1/0/1 and Ethernet1/0/4 ports shown in Figure 2-4. Set the ports Ethernet1/0/2 and Ethernet1/0/3 to be BPDU Tunnel uplink ports.
II. Network diagram

Figure 2-4 Network diagram for BPDU Tunnel configuration
III. Configuration procedure

1) Configure Provider1.

# Enable the BPDU Tunnel function for NDP packets on port Ethernet1/0/1.

<H3C> system-view
[H3C] interface Ethernet 1/0/1
[H3C-Ethernet1/0/1] undo ndp enable
[H3C-Ethernet1/0/1] bpdu-tunnel ndp

# Set the port Ethernet 1/0/2 to be a BPDU Tunnel uplink port.

[H3C-Ethernet1/0/1] quit
[H3C] interface Ethernet 1/0/2
[H3C-Ethernet1/0/2] bpdu-tunnel uplink

2) Configure Provider2.

# Set the port Ethernet 1/0/3 to be a BPDU Tunnel uplink port.

<H3C> system-view
[H3C] interface Ethernet 1/0/3
[H3C-Ethernet1/0/3] bpdu-tunnel uplink

# Enable the BPDU Tunnel function for NDP packets on port Ethernet1/0/4.

[H3C-Ethernet1/0/3] quit
[H3C] interface Ethernet 1/0/4
[H3C-Ethernet1/0/4] undo ndp enable
[H3C-Ethernet1/0/4] bpdu-tunnel ndp