When configuring VLAN-VPN, go to these sections for information you are interested in:
- VLAN-VPN Overview
- VLAN-VPN Configuration
- Displaying and Maintaining VLAN-VPN Configuration
- VLAN-VPN Configuration Example
Virtual private network (VPN) is a new
technology that emerges with the expansion of the Internet. It can be used for establishing
private networks over the public network. With VPN, you can specify to process packets
on the client or the access end of the service provider in specific ways, establish
dedicated tunnels for user traffic on public network devices, and thus improve data
security.
The VLAN-VPN feature is a simple yet flexible Layer 2 tunneling technology. It tags private network packets with outer VLAN tags, enabling the packets to be transmitted through the service providers' backbone networks carrying both inner and outer VLAN tags. In public networks, packets of this type are forwarded by their outer VLAN tags (that is, the VLAN tags of the public network), and the inner VLAN tags are treated as part of the payload.
Figure 1-1 describes the
structure of the packets with single-layer VLAN tags.

Figure 1-1 Structure of packets with single-layer
VLAN tags
Figure 1-2 describes the
structure of the packets with double-layer VLAN tags.

Figure 1-2 Structure of packets with double-layer VLAN tags
Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features:
- It provides simpler Layer 2 VPN tunnels.
- VLAN-VPN can be implemented through manual configuration. That is, no signaling protocol-related configuration is needed.
The VLAN-VPN feature provides you with the following benefits:
- Saves public network VLAN ID resources.
- You can have VLAN IDs of your own, which are independent of public network VLAN IDs.
- Provides simple Layer 2 VPN solutions for small-sized MANs or intranets.
With the VLAN-VPN feature enabled, no matter whether or not a received packet already carries a VLAN tag, the switch will tag the received packet with the default VLAN tag of the receiving port and add the source MAC address to the MAC address table of the default VLAN. When a packet reaches a VLAN-VPN-enabled port:
- If the packet already carries a VLAN tag, the packet becomes a dual-tagged packet.
- Otherwise, the packet becomes a packet carrying the default VLAN tag of the port.
A VLAN tag uses the tag protocol identifier
(TPID) field to identify the protocol type of the tag. The value of this field
is 0x8100 for IEEE 802.1Q.
Figure 1-3 illustrates
the structure of the IEEE 802.1Q VLAN tag in an Ethernet frame.

Figure 1-3 The structure of the VLAN tag in an
Ethernet frame
An S3100 switch determines whether a
received frame is VLAN tagged by comparing its own TPID with the TPID field in
the received frame. If they match, the frame is considered as a VLAN tagged
frame. If not, the switch tags the frame with the default VLAN tag of the
receiving port.
By default, S3100 series switches adopt the
IEEE 802.1Q TPID value 0x8100. Some vendors, however, use other TPID values
such as 0x9100. For compatibility with these systems, the S3100 series switches
allow you to change the TPID that a port uses when tagging a received VLAN-VPN
frame as needed. When doing that, you should set the same TPID on both the
customer-side port and the service provider-side port.
The TPID in an Ethernet frame occupies the same position as the protocol type field in a frame without a VLAN tag. To avoid problems in packet forwarding and handling, you cannot set the TPID value to any of the values in the table below.
Table 1-1 Commonly used protocol type values in Ethernet frames

| Protocol type | Value |
|---|---|
| ARP | 0x0806 |
| IP | 0x0800 |
| MPLS | 0x8847/0x8848 |
| IPX | 0x8137 |
| IS-IS | 0x8000 |
| LACP | 0x8809 |
| 802.1x | 0x888E |
Complete the
following tasks to configure VLAN-VPN:
Follow these steps
to enable the VLAN-VPN feature for a port:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the VLAN-VPN feature on the port | vlan-vpn enable | Required. By default, the VLAN-VPN feature is disabled on a port. |
Caution:
The VLAN mapping
function and the VLAN VPN function are mutually exclusive on the same port.
For your device to correctly identify the VLAN
tagged frames from the public network, make sure that the TPID you will use is
the same as that used on the peer device in the public network.
Follow these steps to configure the TPID for VLAN-VPN packets:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Set the TPID value on the port | vlan-vpn tpid value | Required. Do not set the TPID value to any of the protocol type values listed in Table 1-1. For H3C series switches, the TPID defaults to 0x8100. |
1.3 Displaying and Maintaining VLAN-VPN Configuration

| To do... | Use the command... | Remarks |
|---|---|---|
| Display the VLAN-VPN configurations of all the ports | display port vlan-vpn | Available in any view |
1.4 VLAN-VPN Configuration Example
I. Network requirements
As shown in Figure 1-4, Switch A and Switch B are both S3100 series switches. They connect the users to the servers through the public network.
- PC users and PC servers are in VLAN 100 created in the private network, while terminal users and terminal servers are in VLAN 200, which is also created in the private network. The VLAN VPN connection is established in VLAN 1040 of the public network.
- Switches of other vendors are used in the public network. They use the TPID value 0x9200.
- Employ VLAN-VPN on Switch A and Switch B to enable the PC users and PC servers to communicate with each other through a VPN, and employ VLAN-VPN on Switch A and Switch B to enable the terminal users and terminal servers to communicate with each other through a VPN.
II. Network diagram

Figure 1-4 Network diagram for VLAN-VPN
configuration
III. Configuration procedure
- Configure Switch A.
# Enable the VLAN-VPN feature on Ethernet 1/0/11 of Switch A and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag.
<SwitchA> system-view
[SwitchA] vlan 1040
[SwitchA-vlan1040] port Ethernet 1/0/11
[SwitchA-vlan1040] quit
[SwitchA] interface Ethernet 1/0/11
[SwitchA-Ethernet1/0/11] vlan-vpn enable
[SwitchA-Ethernet1/0/11] quit
# Set the global TPID value to 0x9200 (for intercommunication with the devices in the public network) and configure Ethernet 1/0/12 as a trunk port permitting packets of VLAN 1040.
[SwitchA] vlan-vpn tpid 9200
[SwitchA] interface Ethernet 1/0/12
[SwitchA-Ethernet1/0/12] port link-type trunk
[SwitchA-Ethernet1/0/12] port trunk permit vlan 1040
- Configure Switch B.
# Enable the VLAN-VPN feature on Ethernet 1/0/21 of Switch B and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag.
<SwitchB> system-view
[SwitchB] vlan 1040
[SwitchB-vlan1040] port Ethernet 1/0/21
[SwitchB-vlan1040] quit
[SwitchB] interface Ethernet 1/0/21
[SwitchB-Ethernet1/0/21] vlan-vpn enable
[SwitchB-Ethernet1/0/21] quit
# Set the global TPID value to 0x9200 (for intercommunication with the devices in the public network) and configure Ethernet 1/0/22 as a trunk port permitting packets of VLAN 1040.
[SwitchB] vlan-vpn tpid 9200
[SwitchB] interface Ethernet 1/0/22
[SwitchB-Ethernet1/0/22] port link-type trunk
[SwitchB-Ethernet1/0/22] port trunk permit vlan 1040
- Do not configure VLAN 1040 as the default VLAN of Ethernet 1/0/12 of Switch A or Ethernet 1/0/22 of Switch B. Otherwise, the outer VLAN tag of a packet will be removed during transmission.
- In this example, both Ethernet 1/0/11 of Switch A and Ethernet 1/0/21 of Switch B are access ports. If the ports are trunk ports or hybrid ports, you need to configure the two ports to remove the outer VLAN tags before transmitting packets of VLAN 1040. Refer to VLAN in this manual for detailed configuration.
- Configure the devices in the public network.
# As the devices in the public network are from other vendors, only the basic principles are introduced here. That is, you need to configure the devices connecting to Ethernet 1/0/12 of Switch A and Ethernet 1/0/22 of Switch B to permit the corresponding ports to transmit tagged packets of VLAN 1040.
IV. Data transfer process
The following describes how a packet is forwarded from Switch A to Switch B in this example.
1) As Ethernet 1/0/11 of Switch A is a VLAN-VPN port, when a packet from the customer's network side reaches this port, it is tagged with the default VLAN tag of the port (VLAN 1040).
2) The TPID value of the outer VLAN tag is set to 0x9200 before the packet is forwarded to the public network through Ethernet 1/0/12 of Switch A.
3) The outer VLAN tag of the packet remains unchanged while the packet travels in the public network, until it reaches Ethernet 1/0/22 of Switch B.
4) After the packet reaches Switch B, it is forwarded through Ethernet 1/0/21 of Switch B. As the port belongs to VLAN 1040 and is an access port, the outer VLAN tag (the tag of VLAN 1040) of the packet is removed before the packet is forwarded, which restores the packet to a packet tagged with only the private VLAN tag and enables it to be forwarded to its destination networks.
5) The same applies when a packet travels from Switch B to Switch A.
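The tag-recognition rule from the overview (a 2-byte field after the MAC addresses is a VLAN tag only if it equals the switch's own TPID, and the TPID must not collide with the protocol types in Table 1-1) together with the data transfer process above, modelled in Python as an added example. This is not code from the manual or from the S3100 firmware: the frames, MAC addresses and payloads are constructed sample data; VLAN 100, VLAN 1040 and TPID 0x9200 are taken from the configuration example, and the parser treats anything after a non-matching field as payload, which is how the overview says a public-network device sees the inner tag.

```python
import struct

# Protocol type values from Table 1-1; a TPID must not collide with any of them.
RESERVED_PROTOCOL_TYPES = {
    0x0806: "ARP", 0x0800: "IP", 0x8847: "MPLS", 0x8848: "MPLS",
    0x8137: "IPX", 0x8000: "IS-IS", 0x8809: "LACP", 0x888E: "802.1x",
}
DOT1Q_TPID = 0x8100  # IEEE 802.1Q value, the S3100 default


def tpid_is_allowed(tpid):
    """A usable TPID is a protocol-type value (0x0600 or above per IEEE 802.3)
    that is not one of the commonly used protocol types in Table 1-1."""
    return 0x0600 <= tpid <= 0xFFFF and tpid not in RESERVED_PROTOCOL_TYPES


def check_tpid(tpid):
    """Raise instead of silently accepting a TPID the manual forbids."""
    if not tpid_is_allowed(tpid):
        reason = RESERVED_PROTOCOL_TYPES.get(tpid, "not a protocol type value")
        raise ValueError(f"TPID 0x{tpid:04X} rejected: {reason}")
    return tpid


def build_frame(dst, src, ethertype, payload, vid=None):
    """Constructed sample frame: MAC header, optional 802.1Q tag, type, payload."""
    frame = dst + src
    if vid is not None:
        frame += struct.pack("!HH", DOT1Q_TPID, vid)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame, known_tpids=(DOT1Q_TPID,)):
    """Read tags the way the switch does: the field after the MAC addresses is
    a tag only when it equals one of the switch's own TPIDs; otherwise it is
    the protocol type and everything after it is payload.
    Returns (tags outer-to-inner as (tpid, vid), protocol type, payload)."""
    offset, tags = 12, []
    while True:
        field = struct.unpack_from("!H", frame, offset)[0]
        if field not in known_tpids:
            return tags, field, frame[offset + 2:]
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append((field, tci & 0x0FFF))  # low 12 bits of the TCI = VLAN ID
        offset += 4


def push_outer_tag(frame, vid, tpid=DOT1Q_TPID, pcp=0):
    """VLAN-VPN ingress: insert the port default VLAN as a new outermost tag,
    whether or not the frame already carries one."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_outer_tag(frame):
    """Access-port egress: strip the outermost tag (4 bytes after the MACs)."""
    return frame[:12] + frame[16:]


def vlan_vpn_path(customer_frame, outer_vid=1040, public_tpid=0x9200):
    """Steps 1 to 4 of the data transfer process: Switch A pushes the VLAN 1040
    outer tag with TPID 0x9200, the public network forwards on that tag only,
    and the access port in VLAN 1040 on Switch B strips it again.
    Returns (frame as seen on the public network, frame delivered to the customer)."""
    check_tpid(public_tpid)
    on_public = push_outer_tag(customer_frame, outer_vid, tpid=public_tpid)
    delivered = pop_outer_tag(on_public)
    return on_public, delivered


if __name__ == "__main__":
    # Constructed PC-user frame in private VLAN 100 carrying an IP payload.
    pc = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x00\x66\x77\x88\x99\xaa",
                     0x0800, b"\x00" * 20, vid=100)
    public, delivered = vlan_vpn_path(pc)
    # A public-network device using TPID 0x9200 sees only the outer tag;
    # the inner 0x8100 tag is reported as the "protocol type" (i.e. payload).
    print(parse_tags(public, known_tpids=(0x9200,))[:2])
    # A device that knows both TPIDs sees the full double tag.
    print(parse_tags(public, known_tpids=(0x9200, DOT1Q_TPID))[0])
    print("restored:", delivered == pc)
```

Running it shows why the TPID must match on both sides of the public network: with only 0x9200 configured, the parser stops at the inner 0x8100 field, which is exactly the "inner tag treated as payload" behaviour the overview describes, and a mismatched TPID would make the public-network switch treat the whole outer tag as an unknown protocol type instead.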
When configuring selective QinQ, go to these sections for information you are interested in:
- Selective QinQ Overview
- Selective QinQ Configuration
- Selective QinQ Configuration Example
Selective QinQ is an enhanced application
of the VLAN-VPN feature. With the selective QinQ feature, you can configure
inner-to-outer VLAN tag mapping, according to which you can add different outer
VLAN tags to the packets with different inner VLAN tags.
The selective QinQ feature makes the service
provider network structure more flexible. You can classify the terminal users
on the port connecting to the access layer device according to their VLAN tags,
and add different outer VLAN tags to these users. In the public network, you
can configure QoS policies based on outer VLAN tags to assign different priorities
to different packets, thus providing differentiated services. See Figure 2-1 for details.

Figure 2-1 Diagram for a selective QinQ
implementation
In this implementation, Switch A is an access device of the service
provider. The users connecting to it include common customers (in VLAN 8 to
VLAN 100), VIPs (in VLAN 101 to VLAN 200), and IP telephone users (in VLAN 201
to VLAN 300). Packets of all these users are forwarded by Switch A to the
public network.
After the selective QinQ feature and the
inner-to-outer tag mapping feature are enabled on the port connecting Switch A
to these users, the port will add different outer VLAN tags to the packets
according to their inner VLAN tags. For example, you can configure to add the
tag of VLAN 1002 to the packets of IP telephone users in VLAN 201 to VLAN 300 and
forward the packets to the VoIP device, which is responsible for processing IP
telephone services.
To guarantee the quality of voice packet
transmission, you can configure QoS policies in the public network to reserve
bandwidth for packets of VLAN 1002 and forward them preferentially.
In this way, you can configure different forwarding policies for the data of different types of users, thus improving the flexibility of network management. On the other hand, network resources are well utilized, and users of the same type are also isolated by their inner VLAN tags. This helps to improve network security.
Complete the following tasks to configure selective
QinQ:
2.2.2 Configuring Global Tag Mapping Rules for Selective QinQ
Table 2-1 Configure global tag mapping rules for selective QinQ

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Configure the outer VLAN tag and enter QinQ view | vlan-vpn vid vlan-id | Required |
| Configure to add outer VLAN tags to the packets with the specific inner VLAN tags | raw-vlan-id inbound vlan-id-list | Required. By default, the feature of adding an outer VLAN tag to the packets with the specific inner VLAN tags is disabled. |

Do not enable both the selective QinQ function and the DHCP snooping function on a switch. Otherwise, the DHCP snooping function may operate improperly.
2.2.3 Enabling the Selective QinQ Feature for a Port
Table 2-2 Enable the selective QinQ feature

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the selective QinQ feature | vlan-vpn selective enable | Required. By default, the selective QinQ feature is not enabled on a port. |
I. Network requirements
- Ethernet 1/0/3 of Switch A provides public network access for PC users and IP phone users. PC users belong to VLAN 100 through VLAN 108, and IP phone users belong to VLAN 200 through VLAN 230. Ethernet 1/0/5 of Switch A is connected to the public network. The peer end of Switch A is Switch B.
- Ethernet 1/0/11 of Switch B is connected to the public network. Ethernet 1/0/12 and Ethernet 1/0/13 of Switch B provide network access for PC servers belonging to VLAN 100 through VLAN 108 and voice gateways (for IP phone users) belonging to VLAN 200 through VLAN 230 respectively.
- The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200. That is, packets of VLAN 1200 have higher transmission priority than packets of VLAN 1000.
- Employ the selective QinQ feature on Switch A and Switch B to differentiate traffic of PC users from that of IP phone users, for the purpose of using QoS policies to guarantee higher priority for voice traffic.
- To reduce broadcast packets in the network, enable the inter-VLAN MAC address replicating feature for selective QinQ.
II. Network diagram

Figure 2-2 Network diagram for selective QinQ configuration
III. Configuration procedure
- Configure Switch A.
# Create VLAN 1000, VLAN 1200 and VLAN 5 (the default VLAN of Ethernet 1/0/3) on Switch A.
<SwitchA> system-view
[SwitchA] vlan 1000
[SwitchA-vlan1000] quit
[SwitchA] vlan 1200
[SwitchA-vlan1200] quit
[SwitchA] vlan 5
[SwitchA-vlan5] quit
# Configure Ethernet 1/0/5 as a hybrid port and configure it not to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200.
[SwitchA] interface Ethernet 1/0/5
[SwitchA-Ethernet1/0/5] port link-type hybrid
[SwitchA-Ethernet1/0/5] port hybrid vlan 5 1000 1200 tagged
[SwitchA-Ethernet1/0/5] quit
# Configure Ethernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure Ethernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200.
[SwitchA] interface Ethernet 1/0/3
[SwitchA-Ethernet1/0/3] port link-type hybrid
[SwitchA-Ethernet1/0/3] port hybrid pvid vlan 5
[SwitchA-Ethernet1/0/3] port hybrid vlan 5 1000 1200 untagged
# Configure global tag mapping rules for selective QinQ to insert the VLAN 1000 tag as the outer VLAN tag in packets with the tags of VLAN 100 through VLAN 108 as the inner tags, and insert the VLAN 1200 tag as the outer VLAN tag in packets with the tags of VLAN 200 through VLAN 230 as the inner tags.
[SwitchA-Ethernet1/0/3] quit
[SwitchA] vlan-vpn vid 1000
[SwitchA-vid-1000] raw-vlan-id inbound 100 to 108
[SwitchA-vid-1000] quit
[SwitchA] vlan-vpn vid 1200
[SwitchA-vid-1200] raw-vlan-id inbound 200 to 230
# Enable the selective QinQ feature on Ethernet 1/0/3.
[SwitchA-vid-1200] quit
[SwitchA] interface Ethernet 1/0/3
[SwitchA-Ethernet1/0/3] vlan-vpn selective enable
After the above configuration, packets of VLAN 100 through VLAN 108 (that is, packets of PC users) are tagged with the tag of VLAN 1000 as the outer VLAN tag when they are forwarded to the public network by Switch A, and packets of VLAN 200 through VLAN 230 (that is, packets of IP phone users) are tagged with the tag of VLAN 1200 as the outer VLAN tag when they are forwarded to the public network.
- Configure Switch B.
# Create VLAN 1000, VLAN 1200, VLAN 12 (the default VLAN of Ethernet 1/0/12) and VLAN 13 (the default VLAN of Ethernet 1/0/13) on Switch B.
<SwitchB> system-view
[SwitchB] vlan 1000
[SwitchB-vlan1000] quit
[SwitchB] vlan 1200
[SwitchB-vlan1200] quit
[SwitchB] vlan 12 to 13
# Configure Ethernet 1/0/11 as a hybrid port, and configure Ethernet 1/0/11 not to remove VLAN tags when forwarding packets of VLAN 12, VLAN 13, VLAN 1000, and VLAN 1200.
[SwitchB] interface Ethernet 1/0/11
[SwitchB-Ethernet1/0/11] port link-type hybrid
[SwitchB-Ethernet1/0/11] port hybrid vlan 12 13 1000 1200 tagged
[SwitchB-Ethernet1/0/11] quit
# Configure Ethernet 1/0/12 as a hybrid port and configure VLAN 12 as its default VLAN. Configure Ethernet 1/0/12 to remove VLAN tags when forwarding packets of VLAN 12 and VLAN 1000.
[SwitchB] interface Ethernet 1/0/12
[SwitchB-Ethernet1/0/12] port link-type hybrid
[SwitchB-Ethernet1/0/12] port hybrid pvid vlan 12
[SwitchB-Ethernet1/0/12] port hybrid vlan 12 1000 untagged
[SwitchB-Ethernet1/0/12] quit
# Configure Ethernet 1/0/13 as a hybrid port and configure VLAN 13 as its default VLAN. Configure Ethernet 1/0/13 to remove VLAN tags when forwarding packets of VLAN 13 and VLAN 1200.
[SwitchB] interface Ethernet 1/0/13
[SwitchB-Ethernet1/0/13] port link-type hybrid
[SwitchB-Ethernet1/0/13] port hybrid pvid vlan 13
[SwitchB-Ethernet1/0/13] port hybrid vlan 13 1200 untagged
After the above configuration, Switch B can forward packets of VLAN 1000 and VLAN 1200 to the corresponding servers through Ethernet 1/0/12 and Ethernet 1/0/13 respectively.
To have the packets from the servers transmitted to the clients in the same way, you need to configure the selective QinQ feature on Switch B. The configuration on Switch B is similar to that on Switch A and is thus omitted.
- A selective QinQ-enabled device tags a user packet with an outer VLAN tag regardless of the VLAN tag of the user packet, so there is no need to configure user VLANs on the device.
- Make sure the packets of the default VLAN of a selective QinQ-enabled port are permitted on both the local port and the port connecting to the public network.
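The inner-to-outer tag mapping that the Switch A configuration above builds (vlan-vpn vid plus raw-vlan-id inbound), and the two notes that follow it, as an added Python example; it is not code from the manual or the switch. The vlan-id-list parser follows the "100 to 108" syntax shown in the procedure; the assumption that a user frame matching no rule is tagged with the port default VLAN (VLAN 5 here) is drawn from the configuration, which permits VLAN 5 tagged on the uplink, and is labelled as such in the code. The uplink check is what a reviewer would run against the second note: every outer VLAN the port can produce, including the default VLAN, must be permitted towards the public network.

```python
def parse_vlan_id_list(text):
    """Parse the vlan-id-list argument of 'raw-vlan-id inbound': space-separated
    VLAN IDs and 'start to end' ranges, e.g. '100 to 108' or '12 13 200 to 230'."""
    tokens = text.split()
    vids, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end, i = int(tokens[i + 2]), i + 3
        else:
            end, i = start, i + 1
        if not 1 <= start <= end <= 4094:
            raise ValueError(f"invalid VLAN range {start} to {end}")
        vids.update(range(start, end + 1))
    return vids


class SelectiveQinQPort:
    """Model of one selective QinQ-enabled port. The inner-to-outer rules are
    the global ones (vlan-vpn vid / raw-vlan-id inbound). port_default_vid is
    the outer tag ASSUMED for frames no rule matches (VLAN 5 in the example,
    which is why the uplink must carry VLAN 5 tagged)."""

    def __init__(self, port_default_vid):
        self.port_default_vid = port_default_vid
        self.inner_to_outer = {}  # inner VLAN ID -> outer VLAN ID

    def conflicting_inner_vlans(self, outer_vid, vlan_id_list):
        """Inner VLANs in vlan_id_list already mapped to a different outer VLAN."""
        return {inner for inner in parse_vlan_id_list(vlan_id_list)
                if self.inner_to_outer.get(inner, outer_vid) != outer_vid}

    def add_rule(self, outer_vid, vlan_id_list):
        """Equivalent of 'vlan-vpn vid <outer_vid>' + 'raw-vlan-id inbound <list>'.
        An inner VLAN can only ever map to one outer VLAN, so a clash is refused."""
        clash = self.conflicting_inner_vlans(outer_vid, vlan_id_list)
        if clash:
            raise ValueError(f"inner VLANs {sorted(clash)} already mapped elsewhere")
        for inner in parse_vlan_id_list(vlan_id_list):
            self.inner_to_outer[inner] = outer_vid

    def outer_vid_for(self, inner_vid):
        """Outer VLAN pushed onto a user frame; inner_vid is None for an untagged frame."""
        return self.inner_to_outer.get(inner_vid, self.port_default_vid)

    def uplink_vlans(self):
        """Every outer VLAN the port towards the public network must carry tagged."""
        return set(self.inner_to_outer.values()) | {self.port_default_vid}

    def missing_on_uplink(self, permitted_tagged):
        """Outer VLANs the uplink does not permit; non-empty means that
        traffic (often the default-VLAN traffic) is silently dropped."""
        return self.uplink_vlans() - set(permitted_tagged)


if __name__ == "__main__":
    # Switch A from the example: default VLAN 5 on Ethernet 1/0/3.
    eth3 = SelectiveQinQPort(port_default_vid=5)
    eth3.add_rule(1000, "100 to 108")   # PC users
    eth3.add_rule(1200, "200 to 230")   # IP phone users
    for inner in (104, 230, 300, None):
        print(f"inner {inner!s:>4} -> outer {eth3.outer_vid_for(inner)}")
    # 'port hybrid vlan 5 1000 1200 tagged' on Ethernet 1/0/5 satisfies the note;
    # forgetting VLAN 5 would strand every unmatched user frame.
    print("missing on uplink:", eth3.missing_on_uplink([1000, 1200]))
```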
The VLAN mapping function can replace the
private network VLAN tag of a customer packet with a public network VLAN tag,
so that the customer packet can be transmitted within the public network in a
way conforming to the public network layout. When the packet reaches the peer
customer network, the VLAN tag of the packet is restored to the previous
private network VLAN tag. In this way, the packet is transmitted to the
destination properly.
With the VLAN mapping function enabled, when the switch receives a VLAN-tagged packet, it looks up the mapping rules for that VLAN tag and, if a matching rule exists, replaces the existing VLAN tag with the corresponding one. Figure 3-1 shows the structure of a packet tagged with a private network VLAN tag.

Figure 3-1 The structure of a packet tagged
with a private network VLAN tag
Figure 3-2 shows the structure of a packet after VLAN tag replacement.

Figure 3-2 The structure of a packet tagged
with a public network VLAN tag
Different from VLAN VPN and selective QinQ,
the VLAN mapping function does not cause a packet to carry multiple VLAN tags.
A packet is transmitted with only one VLAN tag. Therefore, you need to make
sure the private network VLAN tags can be restored before customer packets
enter the destination private network for customer packets to be transmitted
properly.
You can configure VLAN mapping rules for
each port of an S3100 series switch. With the VLAN mapping function enabled on
a port, the port maps private network VLAN tags to the corresponding public
network VLAN tags for packets to be forwarded to the public network and
performs the converse operation for the packets to be forwarded to the
destination private network.
Table 3-1 VLAN mapping configuration task list
Caution:
The VLAN mapping function and the VLAN VPN function are mutually exclusive on the same port.
Table 3-2 Enable the VLAN mapping function based on a global VLAN mapping rule
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Define a VLAN mapping rule | vlan-mapping vlan old-vlan-id remark new-vlan-id | Required. By default, no VLAN mapping rule is defined. |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the VLAN mapping function | vlan-mapping enable | Required. By default, the VLAN mapping function is disabled. |

- A port that is in a link aggregation port group cannot have the VLAN mapping feature enabled.
- The VLAN mapping function and the protocol-based VLAN function are mutually exclusive on the same port.
- Enabling the VLAN mapping function based on a global VLAN mapping rule for a port also enables the selective QinQ function on the port.
Table 3-3 Enable the VLAN mapping function based on a port-level VLAN mapping rule

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Define a VLAN mapping rule | vlan-mapping vlan old-vlan-id remark new-vlan-id | Required. This command also enables the VLAN mapping function for the port. By default, no VLAN mapping rule is defined, and the VLAN mapping function is not enabled on a port. |

- A port that is in a link aggregation port group cannot have the VLAN mapping feature enabled.
- When configuring a VLAN mapping rule, make sure that the mapping relationship between private network VLANs and public network VLANs is one-to-one.
- To modify a VLAN mapping relationship, you need to delete the corresponding VLAN mapping rule and then define a new one.
- The VLAN mapping function based on global VLAN mapping rules is mutually exclusive with the VLAN mapping function based on port-level VLAN mapping rules.
- The VLAN mapping function and the protocol-based VLAN function are mutually exclusive on the same port.
- To use the VLAN mapping function together with the ARP detection function, you need to enable ARP detection in both the initial VLAN and the mapped VLAN. For a detailed description of the ARP detection function, refer to the ARP part of the manual.
- You are not allowed to configure both the VLAN mapping function and the IP filtering function on the device. For a description of the IP filtering function, refer to the DHCP part of the manual.
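The VLAN mapping behaviour from the overview (replace the tag on the way to the public network, perform the converse on the way back, leave a tag without a matching rule unchanged) and the one-to-one and delete-then-redefine notes above, as an added Python model; it is not code from the manual or the switch. The method names and the VLAN numbers in the demonstration are made up for illustration. The last method is a defender's check the manual only hints at when it says private tags must be restorable: an unmapped private VLAN whose ID happens to equal the public VLAN of some rule passes through unchanged and is then wrongly "restored" by the peer.

```python
class VlanMappingPort:
    """Port-level VLAN mapping table built from
    'vlan-mapping vlan old-vlan-id remark new-vlan-id' rules (model only)."""

    def __init__(self):
        self.private_to_public = {}  # old (private) VLAN -> new (public) VLAN
        self.public_to_private = {}  # inverse table for the converse operation

    def can_add_rule(self, old_vid, new_vid):
        """A rule is acceptable only if both IDs are valid, it keeps the mapping
        one-to-one, and it does not redefine an existing rule (modify means
        delete first, then add)."""
        in_range = all(1 <= v <= 4094 for v in (old_vid, new_vid))
        return (in_range and old_vid not in self.private_to_public
                and new_vid not in self.public_to_private)

    def add_rule(self, old_vid, new_vid):
        if not self.can_add_rule(old_vid, new_vid):
            raise ValueError(f"rule {old_vid} -> {new_vid} breaks the one-to-one mapping")
        self.private_to_public[old_vid] = new_vid
        self.public_to_private[new_vid] = old_vid

    def delete_rule(self, old_vid):
        new_vid = self.private_to_public.pop(old_vid)
        del self.public_to_private[new_vid]

    def to_public(self, vid):
        """Packet bound for the public network: replace the tag if a rule
        matches, otherwise leave it unchanged."""
        return self.private_to_public.get(vid, vid)

    def to_private(self, vid):
        """Converse operation for a packet bound for the private network."""
        return self.public_to_private.get(vid, vid)

    def unrestorable_private_vlans(self, private_vlans_in_use):
        """Private VLANs the far end cannot restore correctly: unmapped, but
        their ID collides with a public VLAN used by some rule, so the peer's
        converse lookup rewrites them into the wrong private VLAN."""
        return {v for v in private_vlans_in_use
                if v not in self.private_to_public and v in self.public_to_private}


if __name__ == "__main__":
    port = VlanMappingPort()
    port.add_rule(10, 100)   # constructed: private VLAN 10 -> public VLAN 100
    port.add_rule(20, 200)   # constructed: private VLAN 20 -> public VLAN 200
    print("10 ->", port.to_public(10), "-> back to", port.to_private(port.to_public(10)))
    print("30 (no rule) ->", port.to_public(30))
    print("can add 10 -> 300 without deleting:", port.can_add_rule(10, 300))
    port.delete_rule(10)
    port.add_rule(10, 300)
    print("after delete + add, 10 ->", port.to_public(10))
    # Customer also uses VLAN 200 unmapped: it collides with rule 20 -> 200.
    print("unrestorable:", port.unrestorable_private_vlans({10, 20, 200}))
```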