When configuring QinQ, go to these sections for information you are interested in:
- Introduction to QinQ
- Configuring Basic QinQ
- Configuring Selective QinQ
- Configuring the TPID Value to Be Carried in VLAN Tags
- QinQ Configuration Example
In the VLAN tag field defined in IEEE
802.1Q, only 12 bits are used for VLAN IDs, so a switch can support a maximum
of 4,094 VLANs. In actual applications, however, a large number of VLANs are
required to isolate users, especially in metropolitan area networks (MANs), and
4,094 VLANs are far from satisfying such requirements.
The port QinQ feature is a flexible,
easy-to-implement Layer 2 VPN technique, which enables the access point to
encapsulate an outer VLAN tag in Ethernet frames from customer networks
(private networks), so that the Ethernet frames will travel across the service
provider’s backbone network (public network) with double VLAN tags. The inner
VLAN tag is the customer network VLAN tag while the outer one is the VLAN tag
assigned by the service provider to the customer. In the public network, frames
are forwarded based on the outer VLAN tag only, with the source MAC address
learned as a MAC address table entry for the VLAN indicated by the outer tag,
while the customer network VLAN tag is transmitted as part of the data in the
frames.
Figure 1-1 shows the structure of 802.1Q-tagged and double-tagged Ethernet frames. The QinQ feature
enables a device to support up to 4,094 x 4,094 VLANs to satisfy the
requirement for the number of VLANs in the MAN.

Figure 1-1 Single-tagged frame structure vs. double-tagged Ethernet frame
structure
Advantages of QinQ:
- Addresses the shortage of public VLAN ID resources.
- Enables customers to plan their own VLAN IDs, without running into conflicts with public network VLAN IDs.
- Provides an easy-to-do Layer 2 VPN solution for small-sized MANs or intranets.
The QinQ feature
requires configurations only on the service provider network, and not on the
customer network.
There are two types of QinQ
implementations: basic QinQ and selective QinQ.
1) Basic QinQ
Basic QinQ is a port-based feature, which is implemented through VLAN VPN.
With the VLAN VPN feature enabled on a port, when a frame arrives at the port, the switch will tag it with the
port’s default VLAN tag, regardless of whether the frame is tagged or
untagged. If the received frame is already tagged, this frame becomes a
double-tagged frame; if it is an untagged frame, it is tagged with the
port’s default VLAN tag.
2) Selective QinQ
Selective QinQ is a more flexible, VLAN-based
implementation of QinQ. In addition to all the functions of basic QinQ, selective
QinQ can tag the frame with different outer VLAN tags based on different inner
VLAN IDs.
A VLAN tag
uses the tag protocol identifier (TPID) field to identify the protocol type of
the tag. The value of this field, as defined in IEEE 802.1Q, is 0x8100.
Figure 1-2 shows the
802.1Q-defined tag structure of an Ethernet frame.

Figure 1-2 VLAN Tag structure of an
Ethernet frame
The device determines whether a received frame carries a service provider VLAN tag or a
customer VLAN tag by checking the corresponding TPID value. Upon receiving a
frame, the device compares the configured TPID value with the
value of the TPID field in the frame. If the two match, the frame carries the
corresponding VLAN tag. For example, if a frame carries VLAN tags with the TPID
values of 0x9100 and 0x8100 respectively while the configured TPID value of the
service provider VLAN tag is 0x9100 and that of the VLAN tag for a customer
network is 0x8200, the device considers that the frame carries only the service
provider VLAN tag but not the customer VLAN tag.
In addition, the systems of different
vendors may set the TPID of the outer VLAN tag of QinQ frames to different
values. For compatibility with these systems, you can modify the TPID value so
that the QinQ frames, when sent to the public network, carry the TPID value
identical to the value of a particular vendor to allow interoperability with
the devices of that vendor.
The TPID in an Ethernet frame occupies the same
position as the protocol type field in a frame without a VLAN tag. To avoid problems
in packet forwarding and handling in the network, you cannot set the TPID value
to any of the values in the table below.
Table 1-1 Reserved protocol type values
| Protocol type | Value |
|---|---|
| ARP | 0x0806 |
| PUP | 0x0200 |
| RARP | 0x8035 |
| IP | 0x0800 |
| IPv6 | 0x86DD |
| PPPoE | 0x8863/0x8864 |
| MPLS | 0x8847/0x8848 |
| IPX/SPX | 0x8137 |
| IS-IS | 0x8000 |
| LACP | 0x8809 |
| 802.1x | 0x888E |
| Cluster | 0x88A7 |
| Reserved | 0xFFFD/0xFFFE/0xFFFF |
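The TPID comparison and the reserved-value rule above can be checked offline with the following added example, which is not part of the original manual or the vendor's code. The function names, the sample frame and the tag-walking model (service-tag TPID tested first, customer-tag TPID tested on the next field) are assumptions made for illustration.

```python
import struct

# Reserved protocol type values from Table 1-1; none may be used as a TPID.
RESERVED_TPIDS = {
    0x0806: "ARP", 0x0200: "PUP", 0x8035: "RARP", 0x0800: "IP",
    0x86DD: "IPv6", 0x8863: "PPPoE", 0x8864: "PPPoE", 0x8847: "MPLS",
    0x8848: "MPLS", 0x8137: "IPX/SPX", 0x8000: "IS-IS", 0x8809: "LACP",
    0x888E: "802.1x", 0x88A7: "Cluster", 0xFFFD: "Reserved",
    0xFFFE: "Reserved", 0xFFFF: "Reserved",
}


def check_tpid(value):
    """Return None if value may be configured as a TPID, else the reason not."""
    if not 0 <= value <= 0xFFFF:
        return "not a 16-bit value"
    if value in RESERVED_TPIDS:
        return "reserved for " + RESERVED_TPIDS[value]
    return None


def u16(frame, offset):
    """Read a big-endian 16-bit field, refusing to read past the frame end."""
    if offset + 2 > len(frame):
        raise ValueError("frame truncated at offset %d" % offset)
    return struct.unpack_from("!H", frame, offset)[0]


def classify_tags(frame, service_tpid=0x8100, customer_tpid=0x8100):
    """Return (service_vlan, customer_vlan, next_type) for an Ethernet frame.

    Assumed model: a tag is recognised only when its TPID field equals the
    configured value; an unrecognised tag is left in place as payload.
    """
    for name, tpid in (("service-tag", service_tpid),
                       ("customer-tag", customer_tpid)):
        reason = check_tpid(tpid)
        if reason:
            raise ValueError("%s TPID 0x%04X: %s" % (name, tpid, reason))
    offset = 12  # skip destination and source MAC addresses
    vlans = []
    for tpid in (service_tpid, customer_tpid):
        if u16(frame, offset) == tpid:
            vlans.append(u16(frame, offset + 2) & 0x0FFF)  # VLAN ID = low 12 bits
            offset += 4
        else:
            vlans.append(None)
    return vlans[0], vlans[1], u16(frame, offset)


# Constructed sample: outer tag TPID 0x9100 / VLAN 1000, inner tag TPID 0x8100 /
# VLAN 10, then an IPv4 EtherType and zero padding.
SAMPLE = (bytes.fromhex("ffffffffffff020000000001")
          + struct.pack("!HHHHH", 0x9100, 1000, 0x8100, 10, 0x0800)
          + bytes(46))

if __name__ == "__main__":
    print(classify_tags(SAMPLE, 0x9100, 0x8200))  # the case described in the text
    print(classify_tags(SAMPLE, 0x9100, 0x8100))
    print(check_tpid(0x0800))
```

With the service-tag TPID set to 0x9100 and the customer-tag TPID set to 0x8200, the inner 0x8100 tag is not recognised and is returned as the next type field, which is the situation the text describes.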
Follow these steps to configure basic QinQ:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view or port group view: Enter Ethernet port view | interface interface-type interface-number | Required. Use either command. Configurations made in Ethernet port view will take effect on the current port only; configurations made in port group view will take effect on all ports in the port group. |
| Enter Ethernet port view or port group view: Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | |
| Enable QinQ on the port(s) | qinq enable | Required. Disabled by default. |
The outer VLAN tag added to a frame by the basic QinQ feature is the VLAN tag corresponding to
the port’s default VLAN ID, while the selective QinQ feature allows
adding different outer VLAN tags based on different inner VLAN tags.
With selective QinQ configured on a port,
the device attaches different outer VLAN tags based on the inner VLAN tags;
frames with a VLAN ID outside the range specified in the raw-vlan-id inbound
command are tagged with the port’s default VLAN tag as the outer tag.
Follow these steps to configure selective QinQ:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view or port group view: Enter Ethernet port view | interface interface-type interface-number | Required. Use either command. Configurations made in Ethernet port view will take effect on the current port only; configurations made in port group view will take effect on all ports in the port group. |
| Enter Ethernet port view or port group view: Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | |
| Enter QinQ view and configure the outer VLAN tag for the port to add | qinq vid vlan-id | Required |
| Configure inner VLAN tags corresponding to the outer VLAN tags | raw-vlan-id inbound { all \| vlan-id-list } | Required |
Caution:
- An inner VLAN tag corresponds to only one outer VLAN tag. If you want to change an outer VLAN tag, you must delete the old outer VLAN tag configuration and configure a new outer VLAN tag.
- You can configure selective QinQ and basic QinQ on the same port. The switch uses the basic QinQ function to attach the port’s default VLAN tag as the outer tag to frames that do not match the selective QinQ mapping rule.
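The outer-tag selection and the one-outer-tag-per-inner-VLAN rule described above, modelled as an added example that is not part of the original manual or the switch software. The class and function names are hypothetical, the frames are constructed, and the default VLAN of 1 is an assumption; the mappings mirror GigabitEthernet 1/0/1 of Provider A in the configuration example on this page.

```python
import struct

CUSTOMER_TPID = 0x8100  # default customer-tag TPID stated on this page


def customer_frame(vid=None):
    """Constructed frame: broadcast, optional 802.1Q tag, IPv4 EtherType."""
    tag = b"" if vid is None else struct.pack("!HH", CUSTOMER_TPID, vid)
    return (bytes.fromhex("ffffffffffff020000000001") + tag
            + b"\x08\x00" + bytes(46))


def inner_vid(frame):
    """VLAN ID of the customer tag, or None if the frame is untagged."""
    if len(frame) < 16:
        raise ValueError("frame too short to hold a VLAN tag")
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if tpid == CUSTOMER_TPID else None


class QinQPort:
    """Hypothetical model of one port with selective and basic QinQ."""

    def __init__(self, default_vlan, service_tpid=0x8100):
        self.default_vlan = default_vlan
        self.service_tpid = service_tpid
        self.outer_for_inner = {}

    def qinq_vid(self, outer, inner_list):
        """Model of 'qinq vid <outer>' plus 'raw-vlan-id inbound <list>'."""
        for vid in [outer, *inner_list]:
            if not 1 <= vid <= 4094:
                raise ValueError("VLAN ID %d out of range" % vid)
        for inner in inner_list:
            current = self.outer_for_inner.get(inner, outer)
            if current != outer:  # an inner VLAN maps to only one outer VLAN
                raise ValueError("inner VLAN %d already maps to outer VLAN %d; "
                                 "delete that mapping first" % (inner, current))
        for inner in inner_list:
            self.outer_for_inner[inner] = outer

    def outer_vid(self, frame):
        """Mapped outer VLAN, else the default VLAN (basic QinQ behaviour)."""
        return self.outer_for_inner.get(inner_vid(frame), self.default_vlan)

    def ingress(self, frame):
        """Insert the outer tag between the source MAC and the original tag."""
        tag = struct.pack("!HH", self.service_tpid, self.outer_vid(frame))
        return frame[:12] + tag + frame[12:]


def example_port():
    """Inner VLAN 10 -> outer 1000, inner VLAN 20 -> outer 2000."""
    port = QinQPort(default_vlan=1)  # default VLAN 1 is an assumption
    port.qinq_vid(1000, [10])
    port.qinq_vid(2000, [20])
    return port


if __name__ == "__main__":
    port = example_port()
    for vid in (10, 20, 30, None):
        print(vid, "->", port.outer_vid(customer_frame(vid)))
```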
1.4 Configuring the TPID Value to Be Carried in VLAN Tags
You can configure the TPID value to be
carried in VLAN tags globally (the configuration will take effect on all
ports of the device).
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Configure the TPID value to be carried in the customer VLAN tag or the service provider VLAN tag | qinq ethernet-type [ customer-tag \| service-tag ] hex-value | Optional. Both 0x8100 by default |
1.5 QinQ Configuration Example
I. Network requirements
- Provider A and Provider B are service provider network access devices.
- Customer A, Customer B and Customer C are customer network access devices.
- Provider A and Provider B are interconnected through a configured trunk port. Provider A belongs to VLAN 1000 of the service provider network, and Provider B belongs to VLAN 2000 of the service provider network.
- Third-party devices are deployed between Provider A and Provider B, with a TPID value of 0x8200.
After configuration, the network should satisfy the following requirement:
- Frames of VLAN 10 of Customer A and frames of VLAN 10 of Customer B can be forwarded to each other through VLAN 1000 of the provider network; frames of VLAN 20 of Customer A and frames of VLAN 20 of Customer C can be forwarded to each other through VLAN 2000 of the provider network.
II. Network diagram

Figure 1-3 Network diagram for QinQ
configuration
III. Configuration procedure
With this configuration, the user must allow the QinQ packets to pass
between the devices of the service providers.
1) Configuration on Provider A
# Enter system view.
<ProviderA> system-view
- Configuration on GigabitEthernet 1/0/1
# Configure GigabitEthernet 1/0/1 as a Hybrid port that permits frames of VLAN 1000 and VLAN 2000 to pass, and configure the port to remove the outer tag of the frames when sending them out.
[ProviderA] interface GigabitEthernet 1/0/1
[ProviderA-GigabitEthernet1/0/1] port link-type hybrid
[ProviderA-GigabitEthernet1/0/1] port hybrid vlan 1000 2000 untagged
# Configure the port to tag frames from VLAN 10 with an outer tag with the VLAN ID of 1000.
[ProviderA-GigabitEthernet1/0/1] qinq vid 1000
[ProviderA-GigabitEthernet1/0/1-vid-1000] raw-vlan-id inbound 10
[ProviderA-GigabitEthernet1/0/1-vid-1000] quit
# Configure the port to tag frames from VLAN 20 with an outer tag with the VLAN ID of 2000.
[ProviderA-GigabitEthernet1/0/1] qinq vid 2000
[ProviderA-GigabitEthernet1/0/1-vid-2000] raw-vlan-id inbound 20
[ProviderA-GigabitEthernet1/0/1-vid-2000] quit
[ProviderA-GigabitEthernet1/0/1] quit
- Configuration on GigabitEthernet 1/0/2
# Configure VLAN 1000 as the default VLAN of the port.
[ProviderA] interface GigabitEthernet 1/0/2
[ProviderA-GigabitEthernet1/0/2] port access vlan 1000
# Enable basic QinQ so that the port tags frames from VLAN 10 with an outer tag with the VLAN ID of 1000.
[ProviderA-GigabitEthernet1/0/2] qinq enable
[ProviderA-GigabitEthernet1/0/2] quit
- Configuration on GigabitEthernet 1/0/3
# Configure GigabitEthernet 1/0/3 as a trunk port, and permit frames of VLAN 1000 and VLAN 2000 to pass.
[ProviderA] interface GigabitEthernet 1/0/3
[ProviderA-GigabitEthernet1/0/3] port link-type trunk
[ProviderA-GigabitEthernet1/0/3] port trunk permit vlan 1000 2000
# To enable interoperability with the third-party devices in the public network, set the TPID value to be carried in VLAN tags to 0x8200.
[ProviderA-GigabitEthernet1/0/3] quit
[ProviderA] qinq ethernet-type service-tag 8200
2) Configuration on Provider B
- Configuration on GigabitEthernet 1/0/1
# Configure GigabitEthernet 1/0/1 as a trunk port, and permit frames of VLAN 1000 and VLAN 2000.
<ProviderB> system-view
[ProviderB] interface GigabitEthernet 1/0/1
[ProviderB-GigabitEthernet1/0/1] port link-type trunk
[ProviderB-GigabitEthernet1/0/1] port trunk permit vlan 1000 2000
# To enable interoperability with the third-party devices in the public network, set the TPID value to be carried in VLAN tags to 0x8200.
[ProviderB-GigabitEthernet1/0/1] quit
[ProviderB] qinq ethernet-type service-tag 8200
- Configuration on GigabitEthernet 1/0/2
# Configure VLAN 2000 as the default VLAN of the port.
[ProviderB] interface GigabitEthernet 1/0/2
[ProviderB-GigabitEthernet1/0/2] port access vlan 2000
# Enable basic QinQ so as to tag frames from VLAN 20 with an outer tag with the VLAN ID of 2000.
[ProviderB-GigabitEthernet1/0/2] qinq enable
3) Configuration on devices on the public network
As third-party devices are deployed between
Provider A and Provider B, only the basic configuration
that should be made on the devices is discussed here. Configure the device connected to GigabitEthernet
1/0/3 of Provider A and the device connected to GigabitEthernet 1/0/1 of Provider
B so that their corresponding ports send tagged frames of VLAN 1000 and VLAN 2000.
The configuration steps are omitted here.
Chapter 2 BPDU Tunneling Configuration
When configuring BPDU tunneling, go to these sections for information you are interested in:
- Introduction to BPDU Tunneling
- Configuring BPDU Isolation
- Configuring BPDU Transparent Transmission
- Configuring Destination Multicast MAC Address for BPDU Tunnel Frames
- BPDU Tunneling Configuration Example
To avoid loops in your network, you can
enable the spanning tree protocol (STP) on your device. However, STP learns
the topology of a network from the bridge protocol data
units (BPDUs) exchanged between devices, and BPDUs are Layer 2
multicast packets that are received and processed by all STP-enabled
devices on the network. This prevents each network from correctly calculating
its own spanning tree. As a result, when redundant links exist in a network, data loops
will unavoidably occur.
By allowing each network to have its own
spanning tree while running STP, BPDU tunneling can resolve this problem.
- BPDU tunneling can isolate BPDUs of different customer networks, so that one network is not affected by others while calculating the topological structure.
- BPDU tunneling enables BPDUs of the same customer network to be broadcast in a specific VLAN in the provider network, so that the geographically dispersed customer networks of the same customer can implement consistent spanning tree calculation across the provider network.
BPDU tunneling implements the following two functions:
- BPDU isolation
- BPDU transparent transmission
BPDU tunneling works as follows:
When a port receives BPDUs of other
networks, the port will discard the BPDUs, so that they will not take part in
spanning tree calculation. Refer to Configuring BPDU Isolation.
As shown in Figure 2-1, the upper part is the service
provider network, and the lower part represents the customer networks. The
customer networks include network A and network B. Enabling the BPDU tunneling
function on the BPDU input/output devices across the service provider network
allows BPDUs of the customer networks to be transparently transmitted in the
service provider network, and allows each customer network to implement independent
spanning tree calculation, without affecting each other. Refer to Configuring BPDU Transparent Transmission.

Figure 2-1 Network hierarchy of BPDU tunneling
- At the BPDU input side, the device changes the destination MAC address of a BPDU from a customer network from 0x0180-C200-0000 to a special multicast MAC address, 0x010F-E200-0003 by default. In the service provider’s network, the modified BPDUs are forwarded as data packets in the user VLAN.
- At the packet output side, the device recognizes the BPDU with the destination MAC address of 0x010F-E200-0003 and restores its original destination MAC address 0x0180-C200-0000. Then, the device removes the outer tag, and sends the BPDU to the destination customer network.
Make sure, through
configuration, that the VLAN tag of the BPDU is neither changed nor removed
during its transparent transmission in the service provider network; otherwise,
the system will fail to transparently transmit the customer network BPDU
correctly.
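The input-side and output-side rewrites described above, including what happens when the VLAN tag is changed or removed in transit, as an added example that is not part of the original manual or the device software. The function names and the sample BPDU are constructed for illustration, and the outer tag is assumed to use TPID 0x8100 and the port's VLAN.

```python
import struct

STP_MAC = bytes.fromhex("0180c2000000")     # standard BPDU destination
TUNNEL_MAC = bytes.fromhex("010fe2000003")  # default tunnel destination
TPID = 0x8100                               # assumed TPID of the outer tag


def tunnel_ingress(frame, vlan_id, tunnel_mac=TUNNEL_MAC):
    """Input side: rewrite a customer BPDU and tag it with the port's VLAN.

    Returns None for frames that are not BPDUs; those follow normal
    forwarding and are outside this model.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID %d out of range" % vlan_id)
    if len(frame) < 14 or frame[:6] != STP_MAC:
        return None
    tag = struct.pack("!HH", TPID, vlan_id)
    return tunnel_mac + frame[6:12] + tag + frame[12:]


def tunnel_egress(frame, vlan_id, tunnel_mac=TUNNEL_MAC):
    """Output side: restore the BPDU destination and remove the outer tag.

    Raises ValueError if the tag did not survive the provider network
    unchanged, which is the failure the note above warns about.
    """
    if len(frame) < 18 or frame[:6] != tunnel_mac:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID:
        raise ValueError("outer VLAN tag was removed in the provider network")
    if tci & 0x0FFF != vlan_id:
        raise ValueError("outer VLAN tag was changed to VLAN %d"
                         % (tci & 0x0FFF))
    return STP_MAC + frame[6:12] + frame[16:]


def sample_bpdu():
    """Constructed BPDU: STP destination, 802.3 length, LLC 42-42-03, zeros."""
    return (bytes.fromhex("0180c2000000" "020000000a01" "0026" "424203")
            + bytes(35))


if __name__ == "__main__":
    tunneled = tunnel_ingress(sample_bpdu(), 2)
    print(tunneled[:16].hex())
    print(tunnel_egress(tunneled, 2) == sample_bpdu())
```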
Perform the following tasks to configure BPDU isolation:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable BPDU tunneling globally | bpdu-tunnel dot1q enable | Optional. Enabled by default |
| Enter Ethernet port view or port group view: Enter Ethernet port view | interface interface-type interface-number | Required. Use either command. Configurations made in Ethernet port view will take effect on the current port only; configurations made in port group view will take effect on all ports in the port group. |
| Enter Ethernet port view or port group view: Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | |
| Enable BPDU tunneling for the port(s) | bpdu-tunnel dot1q enable | Required. Disabled by default |
- BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take effect.
- The BPDU tunneling feature is incompatible with the GVRP feature, so these two features cannot be enabled at the same time. For introduction to GVRP, refer to VLAN Configuration.
- The BPDU tunneling feature is incompatible with the NTDP feature, so these two features cannot be enabled at the same time. If you want to enable BPDU tunneling on a port, use the undo ntdp enable command to disable NTDP first. For introduction to NTDP, refer to Cluster Management Configuration.
Perform the following tasks to configure BPDU transparent transmission:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable BPDU tunneling globally | bpdu-tunnel dot1q enable | Optional. Enabled by default |
| Enter Ethernet port view or port group view: Enter Ethernet port view | interface interface-type interface-number | Required. Use either command. Configurations made in Ethernet port view will take effect on the current port only; configurations made in port group view will take effect on all ports in the port group. |
| Enter Ethernet port view or port group view: Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | |
| Enable BPDU tunneling on the port(s) | bpdu-tunnel dot1q enable | Required. Disabled by default |
| Disable STP on the port(s) | stp disable | Required. Enabled by default |
| Enable BPDU tunneling for STP on the port(s) | bpdu-tunnel dot1q stp | Required. Disabled by default |
- BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take effect.
- The BPDU tunneling feature is incompatible with the GVRP feature, so these two features cannot be enabled at the same time. For introduction to GVRP, refer to VLAN Configuration.
- The BPDU tunneling feature is incompatible with the NTDP feature, so these two features cannot be enabled at the same time. If you want to enable BPDU tunneling on a port, use the undo ntdp enable command to disable NTDP first. For introduction to NTDP, refer to Cluster Management Configuration.
By default, the destination multicast MAC
address for BPDU Tunnel frames is 0x010F-E200-0003. You can modify it to
0x0100-0CCD-CDD0, 0x0100-0CCD-CDD1 or 0x0100-0CCD-CDD2 through the following
configuration.
Follow these steps to configure destination multicast MAC address for BPDU tunnel frames:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Configure the destination multicast MAC address for BPDU Tunnel frames | bpdu-tunnel tunnel-dmac mac-address | Optional. 0x010F-E200-0003 by default. |
I. Network requirements
- Customer A, Customer B, Customer C, and Customer D are customer network access devices.
- Provider A, Provider B, and Provider C are service provider network access devices, which are interconnected through configured trunk ports.
The configuration is required to satisfy the following requirements:
- Geographically dispersed customer network devices Customer A, Customer C and Customer D can implement consistent spanning tree calculation across the service provider network.
- BPDU packets from Customer B are isolated so it does not take part in the spanning tree calculation.
II. Network diagram

Figure 2-2 Network diagram for BPDU
tunneling configuration
III. Configuration procedure
1) Configuration on Provider A
# Configure BPDU transparent transmission on GigabitEthernet 1/0/1.
<ProviderA> system-view
[ProviderA] interface GigabitEthernet 1/0/1
[ProviderA-GigabitEthernet1/0/1] port access vlan 2
[ProviderA-GigabitEthernet1/0/1] stp disable
[ProviderA-GigabitEthernet1/0/1] undo ntdp enable
[ProviderA-GigabitEthernet1/0/1] bpdu-tunnel dot1q enable
[ProviderA-GigabitEthernet1/0/1] bpdu-tunnel dot1q stp
2) Configuration on Provider B
# Configure BPDU isolation on GigabitEthernet 1/0/2.
<ProviderB> system-view
[ProviderB] interface GigabitEthernet 1/0/2
[ProviderB-GigabitEthernet1/0/2] port access vlan 4
[ProviderB-GigabitEthernet1/0/2] undo ntdp enable
[ProviderB-GigabitEthernet1/0/2] bpdu-tunnel dot1q enable
3) Configuration on Provider C
# Configure BPDU transparent transmission on GigabitEthernet 1/0/3.
<ProviderC> system-view
[ProviderC] interface GigabitEthernet 1/0/3
[ProviderC-GigabitEthernet1/0/3] port access vlan 2
[ProviderC-GigabitEthernet1/0/3] stp disable
[ProviderC-GigabitEthernet1/0/3] undo ntdp enable
[ProviderC-GigabitEthernet1/0/3] bpdu-tunnel dot1q enable
[ProviderC-GigabitEthernet1/0/3] bpdu-tunnel dot1q stp
# Configure BPDU transparent transmission on GigabitEthernet 1/0/4.
[ProviderC-GigabitEthernet1/0/3] quit
[ProviderC] interface GigabitEthernet 1/0/4
[ProviderC-GigabitEthernet1/0/4] port access vlan 2
[ProviderC-GigabitEthernet1/0/4] stp disable
[ProviderC-GigabitEthernet1/0/4] undo ntdp enable
[ProviderC-GigabitEthernet1/0/4] bpdu-tunnel dot1q enable
[ProviderC-GigabitEthernet1/0/4] bpdu-tunnel dot1q stp
When STP works stably on the customer network, if Customer A acts as
the root bridge, the ports of Customer C and Customer D connected with Provider
C can receive BPDUs from Customer A. Since BPDU isolation is enabled on
Customer B, the port that connects Customer B to Provider B cannot receive
BPDUs from Customer A.