When configuring QinQ, go to these sections
for information you are interested in:
l
Introduction
to QinQ
l
Configuring
Basic QinQ
l
Configuring
Selective QinQ
l
Configuring
the TPID Value to Be Carried in VLAN Tags
l
QinQ
Configuration Example
In the VLAN tag field defined in IEEE
802.1Q, only 12 bits are used for VLAN IDs, so a switch can support a maximum
of 4,094 VLANs. In actual applications, however, a large number of VLANs are
required to isolate users, especially in metropolitan area networks (MANs), and
4,094 VLANs are far from satisfying such requirements.
The port QinQ feature is a flexible,
easy-to-implement Layer 2 VPN technique, which enables the access point to
encapsulate an outer VLAN tag in Ethernet frames from customer networks
(private networks), so that the Ethernet frames will travel across the service
provider’s backbone network (public network) with double VLAN tags. The
inner VLAN tag is the customer network VLAN tag while the outer one is the VLAN
tag assigned by the service provider to the customer. In the public network,
frames are forwarded based on the outer VLAN tag only, with the source MAC
address learned as a MAC address table entry for the VLAN indicated by the
outer tag, while the customer network VLAN tag is transmitted as part of the
data in the frames.
Figure 1-1 shows the
structure of 802.1Q-tagged and double-tagged Ethernet frames. The QinQ feature
enables a device to support up to 4,094 x 4,094 VLANs to satisfy the
requirement for the amount of VLANs in the MAN.
Figure 1-1 Single-tagged frame structure vs. double-tagged Ethernet frame
structure
Advantages of QinQ:
l
Addresses the shortage of public VLAN ID
resource.
l
Enables customers to plan their own VLAN IDs,
without running into conflicts with public network VLAN IDs.
l
Provides an easy-to-do Layer 2 VPN solution for
small-sized MANs or intranets.
The QinQ feature
requires configurations only on the service provider network, and not on the
customer network.
There are two types of QinQ
implementations: basic QinQ and selective QinQ.
1)
Basic QinQ
Basic QinQ is a port-based feature, which
is implemented through VLAN VPN.
With the VLAN VPN feature enabled on a
port, when a frame arrives at the port, the switch will tag it with the
port’s default VLAN tag, regardless of whether the frame is tagged or
untagged. If the received frame is already tagged, this frame becomes a
double-tagged frame; if it is an untagged frame, it is tagged with the
port’s default VLAN tag.
2)
Selective QinQ
Selective QinQ is a more flexible, VLAN-based
implementation of QinQ. In addition to all the functions of basic QinQ,
selective QinQ can tag the frame with different outer VLAN tags based on
different inner VLAN IDs.
For an S5500-SI
switch with both basic QinQ function and selective QinQ function enabled,
packets received are processed according to the settings of selective QinQ
first. Those that do not match selective QinQ settings are tagged with outer
VLAN tags according to the basic QinQ settings.
A VLAN tag uses the tag protocol identifier
(TPID) field to identify the protocol type of the tag. The value of this field,
as defined in IEEE 802.1Q, is 0x8100.
Figure 1-2 shows the
802.1Q-defined tag structure of an Ethernet frame.
Figure 1-2 VLAN Tag structure of an
Ethernet frame
On devices of
different vendors, the TPID field of the outer VLAN tag of QinQ frames may have
different default values. You can set and/or modify this TPID value.
Normally, a frame with the TPID field being
0x8100 is regarded carrying a VLAN tag with it and is processed in the preset
way when it reaches a switch. Those with their TPID not being 0x8100 are
regarded carrying no VLAN tag.
After you configure the TPID value to be
adjustable, the switch replaces the TPID value in the outer VLAN tag of a
received frame with the customer-defined value before forwarding the frame, so
that the frame, when arriving at the public network, is of specific protocol
type. This enables a switch to communicate with devices of other vendors.
The TPID in an Ethernet frame has the same
position with the protocol type field in a frame without a VLAN tag. To avoid
problems in packet forwarding and handling in the network, you cannot set the
TPID value to any of the values in the table below.
Table 1-1 Reserved protocol type values
|
Protocol type
|
Value
|
|
ARP
|
0x0806
|
|
PUP
|
0x0200
|
|
RARP
|
0x8035
|
|
IP
|
0x0800
|
|
IPv6
|
0x86DD
|
|
PPPoE
|
0x8863/0x8864
|
|
MPLS
|
0x8847/0x8848
|
|
IPX/SPX
|
0x8137
|
|
IS-IS
|
0x8000
|
|
LACP
|
0x8809
|
|
802.1x
|
0x888E
|
|
Cluster
|
0x88A7
|
|
Reserved
|
0xFFFD/0xFFFE/0xFFFF
|
Follow these steps to configure basic QinQ:
|
To do...
|
Use the command...
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Enter Ethernet port view or port group
view
|
Enter Ethernet port view
|
interface interface-type interface-number
|
Required
Use either command.
Configurations made in Ethernet port view
will take effect on the current port only; configuration made in port group
view will take effect on all ports in the port group.
|
|
Enter port group view
|
port-group { manual port-group-name | aggregation agg-id }
|
|
Enable QinQ on the port(s)
|
qinq enable
|
Required
Disabled by default.
|
The outer VLAN
tag added to a frame by the basic QinQ feature is the VLAN tag corresponding to
the port’s default VLAN ID, while the selective QinQ feature allows
adding different outer VLAN tags based on different inner VLAN tags.
With selective QinQ configured on a port,
the device attaches different outer VLAN tags based on the inner VLAN tags;
frames with a VLAN ID out of the range specified in the raw-vlan-id inbound
command are attached the port’s default VLAN tag as the outer tag.
Follow these steps to configure selective
QinQ:
|
To do...
|
Use the command...
|
Remarks
|
|
Enter
system view
|
system-view
|
—
|
|
Enter
Ethernet port view or port group view
|
Enter
Ethernet port view
|
interface interface-type interface-number
|
Required
Use either
command.
Configurations
made in Ethernet port view will take effect on the current port only;
configurations made in port group view will take effect on all ports in the
port group.
|
|
Enter port
group view
|
port-group
{ manual port-group-name | aggregation agg-id }
|
|
Enter QinQ
view and configure the outer VLAN tag for the port to add
|
qinq
vid vlan-id
|
Required
|
|
Configure
inner VLAN tags corresponding to the outer VLAN tags
|
raw-vlan-id
inbound { all | vlan-id-list }
|
Required
|
Caution:
l
An inner VLAN tag corresponds to only one outer
VLAN tag. If you want to change an outer VLAN tag, you must delete the old
outer VLAN tag configuration and configure a new outer VLAN tag.
l
You can configure selective QinQ and basic QinQ
on the same port. The switch uses the basic QinQ function to attach the
port’s default VLAN tag as the outer tag to frames that do not match the
selective QinQ mapping rule.
1.4 Configuring
the TPID Value to Be Carried in VLAN Tags
You can configure the TPID value to be
carried in a VLAN tag TPID globally (configuration will take effect on all
ports of the device).
|
To do...
|
Use the command...
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Configure the TPID value to be carried in
VLAN tags
|
qinq ethernet-type hex-value
|
Optional
Both 0x8100 by default
|
I. Network requirements
l
Provider A and Provider B are service provider
network access devices.
l
Customer A, Customer B and Customer C are
customer network access devices.
l
Provider A and Provider B are interconnected
through a configured trunk port. Provider A belongs to VLAN 1000 of the service
provider network, and Provider B belongs to VLAN 2000 of the service provider
network.
l
Third-party devices are deployed between Provider
A and Provider B, with a TPID value of 0x8200.
After configuration, the network should
satisfy the following requirement:
l
Frames of VLAN 10 of Customer A and frames of
VLAN 10 of Customer B can be forwarded to each other through VLAN 1000 of the provider
network;
l
Frames of VLAN 20 of Customer A and frames of
VLAN 20 of Customer C can be forwarded to each other through VLAN 2000 of the
provider network.
II. Network diagram
Figure 1-3 Network diagram for QinQ
configuration
III. Configuration procedure
With this configuration, the user must allow the QinQ packets to
pass between the devices of the service providers.
1)
Configuration on Provider A
# Enter system view.
<ProviderA> system-view
l
Configuration on GigabitEthernet 1/0/1
# Configure GigabitEthernet 1/0/1 as a
Hybrid port that permits frames of VLAN 1000 and VLAN 2000 to pass, and
configure the port to remove the outer tag of the fames when sending them out.
[ProviderA] interface GigabitEthernet
1/0/1
[ProviderA-GigabitEthernet1/0/1] port
link-type hybrid
[ProviderA-GigabitEthernet1/0/1] port
hybrid vlan 1000 2000 untagged
# Configure the port to tag frames from
VLAN 10 with an outer tag with the VLAN ID of 1000.
[ProviderA-GigabitEthernet1/0/1] qinq
vid 1000
[ProviderA-GigabitEthernet1/0/1-vid-1000]
raw-vlan-id inbound 10
[ProviderA-GigabitEthernet1/0/1-vid-1000]
quit
# Configure the port to tag frames from
VLAN 20 with an outer tag with the VLAN ID of 2000.
[ProviderA-GigabitEthernet1/0/1] qinq
vid 2000
[ProviderA-GigabitEthernet1/0/1-vid-2000]
raw-vlan-id inbound 20
[ProviderA-GigabitEthernet1/0/1-vid-2000]
quit
[ProviderA-GigabitEthernet1/0/1] quit
l
Configuration on GigabitEthernet 1/0/2
# Configure VLAN 1000 as the default VLAN
of the port.
[ProviderA] interface GigabitEthernet
1/0/2
[ProviderA-GigabitEthernet1/0/2] port
access vlan 1000
# Enable basic QinQ so that the port tags
frames from VLAN 10 with an outer tag with the VLAN ID of 1000.
[ProviderA-GigabitEthernet1/0/2] qinq
enable
[ProviderA-GigabitEthernet1/0/2] quit
l
Configuration on GigabitEthernet 1/0/3.
# Configure GigabitEthernet 1/0/3 as a
trunk port, and permit frames of VLAN 1000 and VLAN 2000 to pass.
[ProviderA] interface GigabitEthernet
1/0/3
[ProviderA-GigabitEthernet1/0/3] port
link-type trunk
[ProviderA-GigabitEthernet1/0/3] port
trunk permit vlan 1000 2000
# To enable interoperability with the
third-party devices in the public network, set the TPID value to be carried in
VLAN Tags to 0x8200.
[ProviderA-GigabitEthernet1/0/3] quit
[ProviderA] qinq ethernet-type 8200
2)
Configuration on Provider B
l
Configuration on GigabitEthernet 1/0/1
# Configure GigabitEthernet 1/0/1 as a
trunk port, and permit frames of VLAN 1000 and VLAN 2000.
<ProviderB> system-view
[ProviderB] interface GigabitEthernet
1/0/1
[ProviderB-GigabitEthernet1/0/1] port
link-type trunk
[ProviderB-GigabitEthernet1/0/1] port
trunk permit vlan 1000 2000
# To enable interoperability with the
third-party devices in the public network, set the TPID value to be carried in
VLAN Tags to 0x8200.
[ProviderB-GigabitEthernet1/0/1] quit
[ProviderB] qinq ethernet-type 8200
l
Configuration on GigabitEthernet 1/0/2
# Configure VLAN 2000 as the default VLAN
of the port.
[ProviderB] interface GigabitEthernet
1/0/2
[ProviderB-GigabitEthernet1/0/2] port
access vlan 2000
# Enable basic QinQ so as to tag frames
from VLAN 20 with an outer tag with the VLAN ID of 2000.
[ProviderB-GigabitEthernet1/0/2] qinq
enable
3)
Configuration on devices on the public network
As third-party devices are deployed between
Provider A and Provider B, what we discuss here is only the basic configuration
that should be made on the devices. Configure that device connecting with
GigabitEthernet 1/0/3 of Provider A and the device connecting with
GigabitEthernet 1/0/1 of Provider B so that their corresponding ports send
tagged frames of VLAN 1000 and VLAN 2000. The configuration steps are omitted
here.
Chapter 2 BPDU
Tunneling Configuration
When configuring BPDU tunneling, go to these sections for
information you are interested in:
l
Introduction to BPDU
Tunneling
l
Configuring BPDU
Isolation
l
Configuring BPDU
Transparent Transmission
l
Configuring Destination
Multicast MAC Address for BPDU Tunnel Frames
l
BPDU Tunneling
Configuration Example
To avoid loops in your network, you can
enable the spanning tree protocol (STP) on your device. However, STP gets aware
of the topological structure of a network by means of bridge protocol data
units (BPDUs) exchanged between different devices and the BPDUs are Layer 2
multicast packets, which can be received and processed by all STP-enabled
devices on the network. This prevents each network from correctly calculating
its spanning tree. As a result, when redundant links exist in a network, data
loops will unavoidably occur.
By allowing each network to have its own
spanning tree while running STP, BPDU tunneling can resolve this problem.
l
BPDU tunneling can isolate BPDUs of different
customer networks, so that one network is not affected by others while
calculating the topological structure.
l
BPDU tunneling enables BPDUs of the same
customer network to be broadcast in a specific VLAN in the provider network, so
that the geographically dispersed customer networks of the same customer can
implement consistent spanning tree calculation across the provider network.
The BPDU tunneling implements the following
two functions:
l
BPDU isolation
l
BPDU transparent transmission
The work process of IGMP is as follows:
When a port receives BPDUs of other
networks, the port will discard the BPDUs, so that they will not take part in
spanning tree calculation. Refer to Configuring BPDU Isolation.
As shown in Figure 2-1, the upper part is the service
provider network, and the lower part represents the customer networks. The
customer networks include network A and network B. Enabling the BPDU tunneling
function on the BPDU input/output devices across the service provider network
allows BPDUs of the customer networks to be transparently transmitted in the
service provider network, and allows each customer network to implement
independent spanning tree calculation, without affecting each other. Refer to Configuring BPDU Transparent
Transmission.
Figure 2-1 Network
hierarchy of BPDU tunneling
l
At the BPDU input side, the device changes the
destination MAC address of a BPDU from a customer network from 0x0180-C200-0000
to a special multicast MAC address, 0x010F-E200-0003 by default. In the service
provider’s network, the modified BPDUs are forwarded as data packets in
the user VLAN.
l
At the packet output side, the device recognizes
the BPDU with the destination MAC address of 0x010F-E200-0003 and restores its
original destination MAC address 0x0180-C200-0000. Then, the device removes the
outer tag, and sends the BPDU to the destination customer network.
Make sure, through
configuration, that the VLAN tag of the BPDU is neither changed nor removed
during its transparent transmission in the service provider network; otherwise,
the system will fail to transparently transmit the customer network BPDU
correctly.
Perform the following tasks to configure
BPDU isolation:
|
To do...
|
Use the command...
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Enable BPDU tunneling globally
|
bpdu-tunnel
dot1q enable
|
Optional
Enabled by
default
|
|
Enter Ethernet port view or port group
view
|
Enter Ethernet port view
|
interface interface-type interface-number
|
Required
Use either command.
Configurations made in Ethernet port view
will take effect on the current port only; configurations made in port group
view will take effect on all ports in the port group.
|
|
Enter port group view
|
port-group { manual port-group-name | aggregation agg-id
}
|
|
Enable BPDU tunneling for the port(s)
|
bpdu-tunnel dot1q enable
|
Required
Disabled by default
|
l
BPDU tunneling must be enabled globally before
the BPDU tunnel configuration for a port can take effect.
l
The BPDU tunneling feature is incompatible with
the GVRP feature, so these two features cannot be enabled at the same time. For
introduction to GVRP, refer to VLAN Configuration.
l
The BPDU tunneling feature is incompatible with
the NTDP feature, so these two features cannot be enabled at the same time. If
you want to enable BPDU tunneling on a port, use the undo ntdp enable
command to disable NTDP first. For introduction to NTDP, refer to Cluster
Management Configuration.
Perform the following tasks to configure
BPDU transparent transmission:
|
To do...
|
Use the command...
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Enable BPDU tunneling globally
|
bpdu-tunnel
dot1q enable
|
Optional
Enabled by
default
|
|
Enter Ethernet port view or port group
view
|
Enter Ethernet port view
|
interface interface-type interface-number
|
Required
Use either command.
Configurations made in Ethernet port view
will take effect on the current port only; configurations made in port group
view will take effect on all ports in the port group.
|
|
Enter port group view
|
port-group { manual port-group-name | aggregation agg-id
}
|
|
Enable BPDU tunneling on the port(s)
|
bpdu-tunnel dot1q enable
|
Required
Disabled by default
|
|
Disable STP on the port(s)
|
stp disable
|
Required
Enabled by
default
|
|
Enable BPDU tunneling for STP on the
port(s)
|
bpdu-tunnel dot1q stp
|
Required
Disabled
by default
|
l
BPDU tunneling must be enabled globally before
the BPDU tunnel configuration for a port can take effect.
l
The BPDU tunneling feature is incompatible with
the GVRP feature, so these two features cannot be enabled at the same time. For
introduction to GVRP, refer to VLAN Configuration.
l
The BPDU tunneling feature is incompatible with
the NTDP feature, so these two features cannot be enabled at the same time. If
you want to enable BPDU tunneling on a port, use the undo ntdp enable
command to disable NTDP first. For introduction to NTDP, refer to Cluster
Management Configuration.
By default, the destination multicast MAC
address for BPDU Tunnel frames is 0x010F-E200-0003. You can modify it to
0x0100-0CCD-CDD0, 0x0100-0CCD-CDD1 or 0x0100-0CCD-CDD2 through the following
configuration.
Follow these steps to configure destination
multicast MAC address for BPDU tunnel frames:
|
To do…
|
Use the command…
|
Remarks
|
|
Enter
system view
|
system-view
|
—
|
|
Configure
the destination multicast MAC address for BPDU Tunnel frames
|
bpdu-tunnel
tunnel-dmac mac-address
|
Optional
0x010F-E200-0003
by default.
|
I. Network requirements
l
Customer A, Customer B, Customer C, and Customer
D are customer network access devices.
l
Provider A, Provider B, and Provider C are
service provider network access devices, which are interconnected through
configured trunk ports.
The configuration is required to satisfy
the following requirements:
l
Geographically dispersed customer network
devices Customer A, Customer C and Customer D can implement consistent spanning
tree calculation across the service provider network.
l
BPDU packets from Customer B are isolated so it
does not take part in the spanning tree calculation.
II. Network diagram
Figure 2-2 Network diagram for BPDU
tunneling configuration
III. Configuration procedure
1)
Configuration on Provider A
# Configure BPDU transparent transmission on
GigabitEthernet 1/0/1.
<ProviderA> system-view
[ProviderA] interface GigabitEthernet
1/0/1
[ProviderA-GigabitEthernet1/0/1] port
access vlan 2
[ProviderA-GigabitEthernet1/0/1] stp
disable
[ProviderA-GigabitEthernet1/0/1] undo
ntdp enable
[ProviderA-GigabitEthernet1/0/1]
bpdu-tunnel dot1q enable
[ProviderA-GigabitEthernet1/0/1]
bpdu-tunnel dot1q stp
2)
Configuration on Provider B
# Configure BPDU isolation on GigabitEthernet
1/0/2.
<ProviderB> system-view
[ProviderB] interface GigabitEthernet
1/0/2
[ProviderB-GigabitEthernet1/0/2] port
access vlan 4
[ProviderB-GigabitEthernet1/0/2] undo
ntdp enable
[ProviderB-GigabitEthernet1/0/2]
bpdu-tunnel dot1q enable
3)
Configuration on Provider C
# Configure BPDU transparent transmission on
GigabitEthernet 1/0/3.
<ProviderC> system-view
[ProviderC] interface GigabitEthernet
1/0/3
[ProviderC-GigabitEthernet1/0/3] port
access vlan 2
[ProviderC-GigabitEthernet1/0/3] stp
disable
[ProviderC-GigabitEthernet1/0/3] undo
ntdp enable
[ProviderC-GigabitEthernet1/0/3]
bpdu-tunnel dot1q enable
[ProviderC-GigabitEthernet1/0/3]
bpdu-tunnel dot1q stp
# Configure BPDU transparent transmission
on GigabitEthernet 1/0/4.
[ProviderC-GigabitEthernet1/0/3] quit
[ProviderC] interface GigabitEthernet
1/0/4
[ProviderC-GigabitEthernet1/0/4] port
access vlan 2
[ProviderC-GigabitEthernet1/0/4] stp
disable
[ProviderC-GigabitEthernet1/0/4] undo
ntdp enable
[ProviderC-GigabitEthernet1/0/4]
bpdu-tunnel dot1q enable
[ProviderC-GigabitEthernet1/0/4] bpdu-tunnel
dot1q stp
When STP works
stably on the customer network, if Customer A acts as the root bridge, the
ports of Customer C and Customer D connected with Provider C can receive BPDUs from
Customer A. Since BPDU isolation is enabled on Customer B, the port that
connects Customer B to Provider B cannot receive BPDUs from Customer A.
