The VLAN-VPN function enables packets to be transmitted across the operators' backbone networks with the VLAN tags of private networks encapsulated in those of public networks. In public networks, packets of this type are forwarded by their outer VLAN tags (that is, the VLAN tags of the public networks); the private-network VLAN tags encapsulated inside them are shielded from the public network.
Figure 1-1 describes the structure of packets with single-layer VLAN tags.
Figure 1-1 Structure of packets with single-layer VLAN tags
Figure 1-2 describes the structure of packets with nested VLAN tags.
Figure 1-2 Structure of packets with double-layer VLAN tags
Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features:
- It provides simpler Layer 2 VPN tunnels.
- VLAN-VPN can be implemented without the support of signaling protocols; you can enable VLAN-VPN by static configuration.
The VLAN-VPN function provides you with the following benefits:
- Saves public network VLAN ID resources.
- You can use VLAN IDs of your own, independent of the public network VLAN IDs.
- Provides simple Layer 2 VPN solutions for small-sized MANs or intranets.
VLAN-VPN can be implemented by enabling the VLAN-VPN function on ports.
With the VLAN-VPN function enabled, a received packet is tagged with the default VLAN tag of the receiving port no matter whether or not the packet already carries a VLAN tag. If the packet already carries a VLAN tag, the packet becomes a dual-tagged packet. Otherwise, the packet becomes a packet carrying the default VLAN tag of the port.
Before you enable the VLAN-VPN function on a port, make sure that:
- GARP VLAN registration protocol (GVRP), GARP multicast registration protocol (GMRP), neighbor topology discovery protocol (NTDP), spanning tree protocol (STP), 802.1x, and centralized MAC address authentication are disabled on the port.
- The port is an access port.
Caution:
- If any of GVRP, GMRP, NTDP, STP, 802.1x, and centralized MAC address authentication is enabled on a port, you cannot enable the VLAN-VPN function for the port.
- By default, STP and NTDP are enabled on a device. You can disable these two protocols using the stp disable and undo ntdp enable commands.
Table 1-1 Configure the VLAN-VPN function for a port
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the VLAN-VPN function on the port | vlan-vpn enable | Required. By default, the VLAN-VPN function is disabled on a port. |
| Display VLAN-VPN configuration information about all ports | display port vlan-vpn | You can execute the display command in any view. |
After you enable the VLAN-VPN function on a port, you cannot change the link type of the port to trunk or hybrid, or enable GVRP, GMRP, NTDP, STP, 802.1x, or centralized MAC address authentication on the port.
- If you use commands to change the link type of the port or to enable GVRP, GMRP, IRF, NTDP, STP, 802.1x, or centralized MAC address authentication on the port, the switch prompts an error.
- If you use the copy configuration command to copy the configuration of another port to a port with the VLAN-VPN function enabled, the port attribute configuration and the configuration of the functions that are mutually exclusive with VLAN-VPN (GVRP, GMRP, IRF, NTDP, STP, 802.1x, and centralized MAC address authentication) are not copied.
1.3 Inner VLAN Tag Priority Replication Configuration
You can configure the switch to replicate the priority of the inner VLAN tag of a VLAN-VPN packet to the outer VLAN tag, so that the original tag priority is retained after an outer VLAN tag is inserted into the packet.
Prerequisite: the VLAN-VPN function is enabled on the port.
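The tagging behaviour described for a VLAN-VPN port in 1.2 and the inner-tag priority replication of this section, as an added Python model that is not part of the manual: it pushes the port's default VLAN tag onto tagged and untagged customer frames, optionally copies the inner tag's priority to the outer tag, and pops the outer tag again at the far-end access port. The MAC addresses, VLAN IDs, priorities and payloads are constructed sample values.

```python
import struct

ETH_P_8021Q = 0x8100  # TPID that marks an 802.1Q VLAN tag

def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, tags, ethertype, payload).
    tags lists (priority, vlan_id) for every 802.1Q tag, outermost first."""
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tci >> 13, tci & 0x0FFF))  # PCP (3 bits), VID (12 bits)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, tags, ethertype, frame[off + 2:]

def build_frame(dst, src, tags, ethertype, payload):
    """Inverse of parse_frame: emit one 802.1Q tag per (priority, vlan_id)."""
    hdr = dst + src
    for prio, vid in tags:
        hdr += struct.pack("!HH", ETH_P_8021Q, (prio << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

def vlan_vpn_ingress(frame, port_pvid, port_priority, inner_cos_trust=False):
    """Ingress on an access port with 'vlan-vpn enable': the port's default VLAN
    tag is pushed as the outer tag whether or not the frame is already tagged,
    so a tagged customer frame becomes dual-tagged and an untagged one gets a
    single tag. With inner_cos_trust ('vlan-vpn inner-cos-trust enable') the
    inner tag's priority is copied to the outer tag; otherwise the outer tag
    carries the port's default priority."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    prio = tags[0][0] if (inner_cos_trust and tags) else port_priority
    return build_frame(dst, src, [(prio, port_pvid)] + tags, ethertype, payload)

def access_egress(frame):
    """Egress on an access port: the outermost tag is stripped, which at the far
    end of the tunnel (Switch C in the example) restores the customer frame."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, tags[1:], ethertype, payload)

# Constructed samples: a customer frame tagged VLAN 200 / priority 5, and the
# same frame untagged; both carry a dummy IPv4 (0x0800) payload.
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
TAGGED_FRAME = build_frame(DST, SRC, [(5, 200)], 0x0800, b"\x45" + b"\x00" * 19)
UNTAGGED_FRAME = build_frame(DST, SRC, [], 0x0800, b"\x45" + b"\x00" * 19)
```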
Table 1-2 Configure to replicate the tag priority of the inner VLAN tag
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the inner VLAN tag priority replication function | vlan-vpn inner-cos-trust enable | Required. By default, the inner VLAN tag priority replication function is disabled, and the priority of the outer VLAN tag is the default priority of the current port. |
| Display the VLAN-VPN configuration information about all ports | display port vlan-vpn | You can execute the display command in any view. |
If you have configured the port priority (refer to the "QoS & QoS profile" part of the H3C S5600 Series Ethernet Switches Operation Manual), then after you configure the switch to replicate the tag priority of the inner VLAN tag of a VLAN-VPN packet, the switch prompts that the port priority configuration on the current port is disabled.
1.4 VLAN-VPN Configuration Example
I. Network requirements
- Switch A, Switch B, and Switch C are S5600 series switches.
- Two networks are connected to the GigabitEthernet1/0/1 ports of Switch A and Switch C respectively.
- Switch B only permits packets of VLAN 10.
- It is required that packets of VLANs other than VLAN 10 can be exchanged between the networks connected to Switch A and Switch C.
II. Network diagram
Figure 1-3 Network diagram for VLAN-VPN
III. Configuration Procedure
1) Configure Switch A and Switch C.
As the configuration performed on Switch A and Switch C is the same, the configuration on Switch C is omitted.
# Set the GigabitEthernet1/0/2 port of Switch A to a trunk port, and add the port to VLAN 10.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface GigabitEthernet1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 10
[SwitchA-GigabitEthernet1/0/2] quit
# Configure the GigabitEthernet1/0/1 port of Switch A to be a VLAN-VPN port and add it to VLAN 10.
[SwitchA] interface GigabitEthernet1/0/1
[SwitchA-GigabitEthernet1/0/1] port access vlan 10
[SwitchA-GigabitEthernet1/0/1] vlan-vpn enable
[SwitchA-GigabitEthernet1/0/1] quit
2) Configure Switch B.
# Set ports GigabitEthernet3/1/1 and GigabitEthernet3/1/2 of Switch B to trunk ports, both of which belong to VLAN 10.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface GigabitEthernet 3/1/1
[SwitchB-GigabitEthernet3/1/1] port link-type trunk
[SwitchB-GigabitEthernet3/1/1] port trunk permit vlan 10
[SwitchB-GigabitEthernet3/1/1] quit
[SwitchB] interface GigabitEthernet 3/1/2
[SwitchB-GigabitEthernet3/1/2] port link-type trunk
[SwitchB-GigabitEthernet3/1/2] port trunk permit vlan 10
The following describes how a packet is forwarded from Switch A to Switch C.
- As the GigabitEthernet1/0/1 port of Switch A is a VLAN-VPN port, when a packet from the user's private network side reaches the GigabitEthernet1/0/1 port of Switch A, it is tagged with the default VLAN tag of the port (VLAN 10) and is then forwarded to the GigabitEthernet1/0/2 port.
- The packet reaches the GigabitEthernet3/1/2 port of Switch B in the public network. Switch B forwards the packet in VLAN 10 to GigabitEthernet3/1/1.
- The packet is forwarded from the GigabitEthernet3/1/1 port of Switch B to the network on the other side and enters the GigabitEthernet1/0/2 port of Switch C. Switch C then forwards the packet in VLAN 10 to its GigabitEthernet1/0/1 port. As GigabitEthernet1/0/1 is an access port, Switch C strips off the outer VLAN tag of the packet and restores the original packet.
- The same applies when a packet travels from Switch C to Switch A.
After the configuration, the networks connected to Switch A and Switch C can receive data packets from each other.
In MAN networking solutions, the requirement may arise that the branches of an enterprise be interconnected through the operator's network. This can be achieved through VPN (virtual private network), which integrates geographically dispersed networks into one logical LAN. The tunnel function is required when you implement VPN: it enables packets of a private network to travel through the operator's network and reach another private network securely. To make networks of this kind essentially comparable with an actual LAN, the Layer 2 protocol packets used to maintain the network are also required to travel across the tunnels.
I. Layer 2 packet identification
Unlike a data packet, a Layer 2 protocol packet is classified first when it reaches a network device. A Layer 2 protocol packet conforming to IEEE standards carries a special destination MAC address and contains a type field. Some proprietary protocols adopt the same packet structure, where a private MAC address identifies the corresponding proprietary protocol and the type field identifies the specific protocol type.
II. Transmitting BPDU packets transparently
As shown in Figure 2-1, the network on the top is the operator's network, and the one on the bottom is a user network. The operator's network contains the devices that receive/transmit packets. The user network contains Network A and Network B. You can make BPDU packets be transmitted transparently in the operator's network by enabling the BPDU Tunnel function on the devices that receive/transmit packets in the operator's network. With the BPDU Tunnel function enabled on two devices, a tunnel is established between them.
- When a BPDU packet coming from a user network reaches a device in the operator's network, the device changes the destination MAC address carried in the packet from a protocol-specific MAC address to a normal MAC address, which can be identified by both the local device and the peer device. In this way, the BPDU packet is converted into a normal data packet and is forwarded in the operator's network.
- Before the device in the operator's network forwards the packet to the destination user network, the device restores the original protocol-specific MAC address. This ensures that the data portion of the packet is consistent with what it was before the packet entered the tunnel. So, a tunnel here acts as a local link for user devices: it enables Layer 2 protocol packets to travel across a logical LAN.
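The two-step MAC rewrite described above, as an added Python model that is not the S5600's implementation: LACP and CDP/VTP are identified by their standard reserved destination addresses (the IEEE slow-protocols address and Cisco's shared address), while the "normal" tunnel MACs and the sample frames are constructed placeholders, one tunnel MAC per protocol so the far end can restore the original address unambiguously. NDP is left out because the page does not give its address.

```python
# Destination MAC addresses that identify the tunneled protocols on the wire:
# the IEEE slow-protocols address used by LACP and Cisco's shared address for
# CDP and VTP. NDP is omitted because its address is not given on the page.
PROTOCOL_MACS = {
    "lacp": bytes.fromhex("0180c2000002"),
    "cdp-vtp": bytes.fromhex("01000ccccccc"),
}
# Constructed placeholders for the "normal" MAC addresses the two tunnel
# endpoints agree on; one per protocol so egress can restore unambiguously.
TUNNEL_MACS = {
    "lacp": bytes.fromhex("010f00000001"),
    "cdp-vtp": bytes.fromhex("010f00000002"),
}
PROTO_BY_PROTOCOL_MAC = {mac: name for name, mac in PROTOCOL_MACS.items()}
PROTO_BY_TUNNEL_MAC = {mac: name for name, mac in TUNNEL_MACS.items()}

def classify(frame):
    """Layer 2 protocol identification: look the destination MAC up among the
    protocol-specific addresses. None means an ordinary data frame."""
    return PROTO_BY_PROTOCOL_MAC.get(bytes(frame[:6]))

def tunnel_ingress(frame, enabled):
    """Customer-facing port with 'bpdu-tunnel <proto>' for the protocols in
    enabled: rewrite the destination MAC of a matching protocol frame to the
    tunnel MAC so the operator network forwards it as a plain data frame.
    Everything after the destination MAC is left untouched."""
    proto = classify(frame)
    if proto is None or proto not in enabled:
        return frame  # not a tunneled protocol frame: forwarded as-is
    return TUNNEL_MACS[proto] + frame[6:]

def tunnel_egress(frame, enabled):
    """Far end of the tunnel: put the original protocol-specific destination
    MAC back before the frame is sent into the destination user network."""
    proto = PROTO_BY_TUNNEL_MAC.get(bytes(frame[:6]))
    if proto is None or proto not in enabled:
        return frame
    return PROTOCOL_MACS[proto] + frame[6:]

# Constructed sample LACPDU: slow-protocols destination MAC, a source MAC,
# EtherType 0x8809 (slow protocols), subtype 0x01 (LACP), dummy body.
LACP_FRAME = (PROTOCOL_MACS["lacp"] + bytes.fromhex("0000aabbccdd")
              + bytes.fromhex("8809") + b"\x01" + b"\x00" * 16)
# Constructed ordinary IPv4 data frame to a unicast MAC: must pass untouched.
DATA_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("0000aabbccdd")
              + bytes.fromhex("0800") + b"\x45" + b"\x00" * 19)
```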

Figure 2-1 BPDU Tunnel network hierarchy
Figure 2-2 and Figure 2-3 show the structure of a BPDU packet before and after it enters a BPDU tunnel.
Figure 2-2 The structure of a BPDU packet before it enters a BPDU tunnel
Figure 2-3 The structure of a BPDU packet after it enters a BPDU tunnel
You can establish BPDU tunnels between S5600 series Ethernet switches for the packets of the following protocols:
- LACP (link aggregation control protocol)
- NDP (neighbor discovery protocol)
- Proprietary protocols, including CDP and VTP
Prerequisite: one or more of the protocols LACP, NDP, CDP, and VTP operate properly on the devices.
Table 2-1 Configure BPDU Tunnel
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Set the port to be a BPDU Tunnel uplink port in system view | bpdu-tunnel uplink interface-list | You can set a BPDU Tunnel uplink port either in system view or in Ethernet port view. By default, NDP is enabled globally. |
| Set the port to be a BPDU Tunnel uplink port in Ethernet port view: enter Ethernet port view | interface interface-type interface-number | |
| Enable the BPDU Tunnel uplink function on the port | bpdu-tunnel uplink | |
| Return to system view | quit | |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the BPDU Tunnel function for the packets of a specific protocol | bpdu-tunnel { lacp \| ndp \| cdp \| vtp } | Required. By default, the BPDU Tunnel function is disabled on a port. |
The BPDU Tunnel is
unavailable to all the ports of a device if the device has the fabric function
enabled on one of its ports.
I. Network requirements
- Customer1 and Customer2 are access devices operating in a user network.
- Provider1 and Provider2 are access devices operating in the operator's network. They are interconnected through their trunk ports, as shown in Figure 2-4.
- Enable the BPDU Tunnel function for NDP packets on the GigabitEthernet1/0/1 and GigabitEthernet1/0/4 ports shown in Figure 2-4. Set the GigabitEthernet1/0/2 and GigabitEthernet1/0/3 ports to be BPDU Tunnel uplink ports.
II. Network diagram
Figure 2-4 Network diagram for BPDU Tunnel configuration
III. Configuration Procedure
1) Configure Provider1.
# Enable the BPDU Tunnel function for NDP packets on port GigabitEthernet1/0/1.
<H3C> system-view
[H3C] interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1] undo ndp enable
[H3C-GigabitEthernet1/0/1] bpdu-tunnel ndp
# Set port GigabitEthernet1/0/2 to be a BPDU Tunnel uplink port.
[H3C-GigabitEthernet1/0/1] quit
[H3C] interface GigabitEthernet 1/0/2
[H3C-GigabitEthernet1/0/2] bpdu-tunnel uplink
2) Configure Provider2.
# Set port GigabitEthernet1/0/3 to be a BPDU Tunnel uplink port.
<H3C> system-view
[H3C] interface GigabitEthernet 1/0/3
[H3C-GigabitEthernet1/0/3] bpdu-tunnel uplink
# Enable the BPDU Tunnel function for NDP packets on port GigabitEthernet1/0/4.
[H3C-GigabitEthernet1/0/3] quit
[H3C] interface GigabitEthernet 1/0/4
[H3C-GigabitEthernet1/0/4] undo ndp enable
[H3C-GigabitEthernet1/0/4] bpdu-tunnel ndp