When configuring VLAN-VPN, go to these sections for information you are interested in:
• VLAN-VPN Overview
• VLAN-VPN Configuration
• Displaying and Maintaining VLAN-VPN Configuration
• VLAN-VPN Configuration Example
Virtual private network (VPN) is a new technology that emerged with the expansion of the Internet. It is used to establish private networks over the public network. With VPN, you can have packets processed in specific ways at the client side or at the access end of the service provider, and establish dedicated tunnels for user traffic on public network devices, thus improving data security.
The VLAN-VPN feature is a simple yet flexible Layer 2 tunneling technology. It tags private network packets with outer VLAN tags, so that the packets traverse the service providers' backbone networks carrying both inner and outer VLAN tags. In public networks, packets of this type are forwarded by their outer VLAN tags (that is, the VLAN tags of the public networks), and the inner VLAN tags are treated as part of the payload.
Figure 1-1 describes the structure of the packets with single-layer VLAN tags.
Figure 1-1 Structure of packets with single-layer VLAN tags
Figure 1-2 describes the structure of the packets with double-layer VLAN tags.
Figure 1-2 Structure of packets with double-layer VLAN tags
Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features:
• It provides simpler Layer 2 VPN tunnels.
• VLAN-VPN can be implemented through manual configuration. That is, no signaling protocol-related configuration is needed.
The VLAN-VPN feature provides you with the following benefits:
• Saves public network VLAN ID resources.
• You can have VLAN IDs of your own, which are independent of public network VLAN IDs.
• Provides simple Layer 2 VPN solutions for small-sized MANs or intranets.
With the VLAN-VPN feature enabled, whether or not a received packet already carries a VLAN tag, the switch tags the received packet with the default VLAN tag of the receiving port and adds the source MAC address to the MAC address table of the default VLAN. When a packet reaches a VLAN-VPN-enabled port:
• If the packet already carries a VLAN tag, it becomes a dual-tagged packet.
• Otherwise, it becomes a packet carrying the default VLAN tag of the port.
As shown in Figure 1-3, the user priority field is the 802.1p priority of the tag. The value of this 3-bit field is in the range 0 to 7. By configuring inner-to-outer tag priority replicating or mapping for a VLAN-VPN-enabled port, you can replicate the inner tag priority to the outer tag or assign outer tags of different priorities to packets according to their inner tag priorities.
Figure 1-3 The structure of the VLAN tag in an Ethernet frame
Refer to the QoS-QoS Profile part for information about priority.
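The tagging behaviour described above, as an added Python model that is not part of this manual or of the switch software: it builds 802.1Q frames, pushes the receiving port's default VLAN tag as the outer tag the way a VLAN-VPN-enabled port does (an untagged frame becomes single-tagged, a tagged one dual-tagged), models inner-to-outer priority replicating and mapping as options, and pops the outer tag again as an access port of the outer VLAN does on egress. The sample MAC addresses, the payload, and the default outer priority of 0 when neither priority feature is configured are this example's assumptions.

```python
"""Model of VLAN-VPN (QinQ) tagging at a VLAN-VPN-enabled port.

Added example; not H3C code. Frame layout follows IEEE 802.1Q:
  dst MAC (6) | src MAC (6) | [TPID 0x8100 (2) | TCI (2)]* | EtherType (2) | payload
where TCI = PCP (3 bits, the 802.1p user priority) | DEI (1 bit) | VID (12 bits).
"""
import struct

TPID_8021Q = 0x8100

# Constructed sample addresses (not from the manual).
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")


def build_frame(dst, src, payload, ethertype=0x0800, vid=None, pcp=0):
    """Build an Ethernet frame, with a single 802.1Q tag if vid is given."""
    frame = dst + src
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return ([(pcp, vid), ...] from outer to inner, ethertype, payload)."""
    tags = []
    off = 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append(((tci >> 13) & 0x7, tci & 0x0FFF))
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return tags, ethertype, frame[off + 2:]


def vlan_vpn_ingress(frame, port_pvid, inner_cos_trust=False, priority_map=None):
    """Push the receiving port's default VLAN (PVID) tag as the outer tag.

    An untagged frame becomes single-tagged; a tagged frame becomes dual-tagged,
    its original tag now being payload from the provider network's point of view.
    inner_cos_trust models 'vlan-vpn inner-cos-trust enable' (copy the inner PCP
    to the outer tag); priority_map models 'vlan-vpn priority old remark new'.
    Assumption of this model: when neither applies, the outer PCP is 0.
    """
    if inner_cos_trust and priority_map is not None:
        # The manual states that the two features are mutually exclusive.
        raise ValueError("inner-cos-trust and priority mapping cannot both be enabled")
    tags, _, _ = parse_tags(frame)
    outer_pcp = 0
    if tags:
        inner_pcp = tags[0][0]
        if inner_cos_trust:
            outer_pcp = inner_pcp
        elif priority_map is not None:
            outer_pcp = priority_map.get(inner_pcp, 0)
    outer_tci = (outer_pcp << 13) | (port_pvid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, outer_tci) + frame[12:]


def pop_outer_tag(frame):
    """Egress on an access port of the outer VLAN: remove the outer tag only."""
    tags, _, _ = parse_tags(frame)
    if not tags:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


def demo():
    """Carry a user frame from VLAN 100 across an outer VLAN 1040 tunnel."""
    user_frame = build_frame(DST_MAC, SRC_MAC, b"user data", vid=100, pcp=5)
    tunnelled = vlan_vpn_ingress(user_frame, port_pvid=1040, inner_cos_trust=True)
    outer_inner, _, _ = parse_tags(tunnelled)  # [(5, 1040), (5, 100)]
    restored = pop_outer_tag(tunnelled)
    return outer_inner, restored == user_frame


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the outer tag carrying VLAN 1040 with the replicated priority 5 in front of the untouched inner tag for VLAN 100, and that stripping the outer tag at the far end restores the user frame byte for byte.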
Complete the following tasks to configure VLAN-VPN:
Caution:
As IRF fabric is mutually exclusive with VLAN-VPN, make sure that IRF fabric is disabled on the switch before performing any of the configurations listed in the above table. For information about IRF fabric, refer to IRF Fabric Configuration in this manual.
Follow these steps to enable the VLAN-VPN feature for a port:
| To do... | Use the command... | Remarks |
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the VLAN-VPN feature on the port | vlan-vpn enable | Required. By default, the VLAN-VPN feature is disabled on a port. |
Make sure that the VLAN-VPN feature is enabled on a port before configuring the inner-to-outer tag priority replicating and mapping feature.
Follow these steps to configure the inner-to-outer tag priority replicating and mapping feature:
| To do... | Use the command... | Remarks |
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the inner-to-outer tag priority replicating feature | vlan-vpn inner-cos-trust enable | Either of the two configurations is required. By default, neither the inner-to-outer tag priority replicating feature nor the inner-to-outer tag priority mapping feature is enabled. |
| Enable the inner-to-outer tag priority mapping feature and create a priority mapping | vlan-vpn priority old-priority remark new-priority | Either of the two configurations is required (see above). |
Caution:
• If you have configured the port priority (refer to the QoS-QoS Profile Configuration part in this manual), you will be prompted that the port priority configured for the current port becomes invalid after you enable the inner-to-outer tag priority replicating feature.
• The inner-to-outer tag priority replicating feature is mutually exclusive with the inner-to-outer tag priority mapping feature.
1.3 Displaying and Maintaining VLAN-VPN Configuration
| To do... | Use the command... | Remarks |
| Display the VLAN-VPN configurations of all the ports | display port vlan-vpn | Available in any view |
1.4 VLAN-VPN Configuration Example
I. Network requirements
As shown in Figure 1-4, Switch A and Switch B are both S5600 series switches. They connect the users to the servers through the public network.
• PC users and PC servers are in VLAN 100, created in the private network, while terminal users and terminal servers are in VLAN 200, also created in the private network. The VLAN-VPN connection is established in VLAN 1040 of the public network.
• Employ VLAN-VPN on Switch A and Switch B to enable the PC users and PC servers to communicate with each other through a VPN, and to enable the terminal users and terminal servers to communicate with each other through a VPN.
II. Network diagram
Figure 1-4 Network diagram for VLAN-VPN configuration
III. Configuration procedure
• Configure Switch A.
# Enable the VLAN-VPN feature on GigabitEthernet 1/0/11 of Switch A and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag.
<SwitchA> system-view
[SwitchA] vlan 1040
[SwitchA-vlan1040] port GigabitEthernet 1/0/11
[SwitchA-vlan1040] quit
[SwitchA] interface GigabitEthernet 1/0/11
[SwitchA-GigabitEthernet1/0/11] vlan-vpn enable
[SwitchA-GigabitEthernet1/0/11] quit
# Configure GigabitEthernet 1/0/12 as a trunk port permitting packets of VLAN 1040.
[SwitchA] interface GigabitEthernet 1/0/12
[SwitchA-GigabitEthernet1/0/12] port link-type trunk
[SwitchA-GigabitEthernet1/0/12] port trunk permit vlan 1040
• Configure Switch B.
# Enable the VLAN-VPN feature on GigabitEthernet 1/0/21 of Switch B and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag.
<SwitchB> system-view
[SwitchB] vlan 1040
[SwitchB-vlan1040] port GigabitEthernet 1/0/21
[SwitchB-vlan1040] quit
[SwitchB] interface GigabitEthernet 1/0/21
[SwitchB-GigabitEthernet1/0/21] vlan-vpn enable
[SwitchB-GigabitEthernet1/0/21] quit
# Configure GigabitEthernet 1/0/22 as a trunk port permitting packets of VLAN 1040.
[SwitchB] interface GigabitEthernet 1/0/22
[SwitchB-GigabitEthernet1/0/22] port link-type trunk
[SwitchB-GigabitEthernet1/0/22] port trunk permit vlan 1040
• Do not configure VLAN 1040 as the default VLAN of GigabitEthernet 1/0/12 of Switch A and GigabitEthernet 1/0/22 of Switch B. Otherwise, the outer VLAN tag of a packet will be removed during transmission.
• In this example, both GigabitEthernet 1/0/11 of Switch A and GigabitEthernet 1/0/21 of Switch B are access ports. In cases where the ports are trunk ports or hybrid ports, you need to configure the two ports to remove the outer VLAN tags before transmitting packets of VLAN 1040. Refer to VLAN in this manual for detailed configuration.
• Configure the devices in the public network.
# As the devices in the public network are from other vendors, only the basic principles are introduced here. That is, you need to configure the devices connecting to GigabitEthernet 1/0/12 of Switch A and GigabitEthernet 1/0/22 of Switch B to permit the corresponding ports to transmit tagged packets of VLAN 1040.
IV. Data transfer process
The following describes how a packet is forwarded from Switch A to Switch B in this example.
1) As GigabitEthernet 1/0/11 of Switch A is a VLAN-VPN port, when a packet from the customer's network side reaches this port, it is tagged with the default VLAN tag of the port (VLAN 1040).
2) The packet is forwarded to the public network through GigabitEthernet 1/0/12 of Switch A.
3) The outer VLAN tag of the packet remains unchanged while the packet travels in the public network, until it reaches GigabitEthernet 1/0/22 of Switch B.
4) After the packet reaches Switch B, it is forwarded through GigabitEthernet 1/0/21 of Switch B. As the port belongs to VLAN 1040 and is an access port, the outer VLAN tag (the tag of VLAN 1040) is removed before the packet is forwarded, which restores the packet to one tagged with only the private VLAN tag and enables it to be forwarded to its destination networks.
5) The same applies when a packet travels from Switch B to Switch A.
The selective QinQ feature is new to H3C S5600 Series Ethernet Switches.
When configuring selective QinQ, go to these sections for information you are interested in:
• Selective QinQ Overview
• Selective QinQ Configuration
• Selective QinQ Configuration Example
Selective QinQ is an enhanced application of the VLAN-VPN feature. With the selective QinQ feature, you can configure inner-to-outer VLAN tag mapping, according to which different outer VLAN tags are added to packets with different inner VLAN tags.
The selective QinQ feature makes the service provider network structure more flexible. You can classify the terminal users on the port connecting to the access layer device according to their VLAN tags, and add different outer VLAN tags to these users. In the public network, you can configure QoS policies based on outer VLAN tags to assign different priorities to different packets, thus providing differentiated services. See Figure 2-1 for details.
Figure 2-1 Diagram for a selective QinQ implementation
In this implementation, Switch A is an access device of the service provider. The users connecting to it include common customers (in VLAN 8 to VLAN 100), VIPs (in VLAN 101 to VLAN 200), and IP telephone users (in VLAN 201 to VLAN 300). Packets of all these users are forwarded by Switch A to the public network.
After the selective QinQ feature and the inner-to-outer tag mapping feature are enabled on the port connecting Switch A to these users, the port adds different outer VLAN tags to the packets according to their inner VLAN tags. For example, you can configure it to add the tag of VLAN 1002 to the packets of IP telephone users in VLAN 201 to VLAN 300 and forward the packets to the VoIP device, which is responsible for processing IP telephone services.
To guarantee the quality of voice packet transmission, you can configure QoS policies in the public network to reserve bandwidth for packets of VLAN 1002 and forward them preferentially.
In this way, you can configure different forwarding policies for the data of different types of users, thus improving the flexibility of network management. On the other hand, network resources are well utilized, and users of the same type are also isolated by their inner VLAN tags. This helps to improve network security.
Like the VLAN-VPN feature, a port with selective QinQ enabled adds the source MAC addresses of user packets to the MAC address table of the default VLAN on the port. However, the port with selective QinQ enabled can insert an outer VLAN tag other than that of the default VLAN into the packets. Thus, when packets are forwarded from the service provider to users, they may be broadcast if their destination MAC addresses cannot be found in the MAC address tables of the outer VLANs.
Figure 2-2 Learn MAC addresses of selective QinQ packets
As shown in Figure 2-2, the default VLAN of the port used to receive packets is VLAN 2. The port is configured to receive packets of VLAN 3, tag the received packets with the outer tag of VLAN 4, and add the source MAC addresses (MAC-A) of the packets to the MAC address table of its default VLAN (VLAN 2).
When a response packet is returned to the device from VLAN 4 of the service provider network, the device searches for the outbound port for MAC-A in the MAC address table of VLAN 4. However, because the corresponding entry is not added to the MAC address table of VLAN 4, this packet is considered to be a unicast packet with an unknown destination MAC address. As a result, this packet is broadcast to all the ports in VLAN 4, which wastes network resources and incurs potential security risks.
The S5600 series Ethernet switches provide the inter-VLAN MAC address replicating feature, which can replicate the entries in the MAC address table of the default VLAN to that of the VLAN corresponding to the outer tag. With the inter-VLAN MAC address replicating feature enabled, when a device receives a packet from the service provider network, it finds the path for the packet by searching the MAC address table of the VLAN corresponding to the outer tag and unicasts the packet. Thus, packet broadcast is reduced in selective QinQ applications.
Likewise, the entries in the MAC address table of the outer VLAN can also be replicated to that of the default VLAN on a port, so that the outbound port to the service provider network can be determined through the MAC address table of the default VLAN and user packets destined for the service provider can be unicast.
Complete the following tasks to configure selective QinQ:
Caution:
If IRF fabric has been enabled on a device, you cannot enable the VLAN-VPN feature or the selective QinQ feature on any port of the device.
The following configurations are required for the selective QinQ feature:
• Enabling the VLAN-VPN feature on the current port
• Configuring the current port to permit packets of specific VLANs (the VLANs whose tags are to be used as the outer VLAN tags are required)
Follow these steps to enable the selective QinQ feature:
| To do... | Use the command... | Remarks |
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Configure the outer VLAN tag and enter QinQ view | vlan-vpn vid vlan-id | Required |
| Configure to add outer VLAN tags to the packets with the specific inner VLAN tags | raw-vlan-id inbound vlan-id-list | Required. By default, the feature of adding an outer VLAN tag to the packets with the specific inner VLAN tags is disabled. |
Do not enable both the selective QinQ function and the DHCP snooping function on a switch. Otherwise, the DHCP snooping function may operate improperly.
Follow these steps to enable the inter-VLAN MAC address replicating feature:
| To do... | Use the command... | Remarks |
| Enter system view | system-view | — |
| Enable the inter-VLAN MAC address replicating feature | mac-address-mapping index source-vlan source-vlan-id-list destination-vlan dest-vlan-id | Required. By default, the inter-VLAN MAC address replicating feature is disabled. |
Caution:
• On a port, the inter-VLAN MAC address replicating feature can be configured only once for a destination VLAN. If the configuration needs to be modified, you need to remove the existing configuration first.
• With the inter-VLAN MAC address replicating feature disabled, all the MAC address entries that the destination VLAN learns from the other VLANs through this function are removed.
• MAC address entries obtained through the inter-VLAN MAC address replicating feature cannot be removed manually. To remove a MAC address entry of this kind, you need to disable the inter-VLAN MAC address replicating feature first.
• VLAN 4093 is a special VLAN reserved for the IRF fabric feature. It cannot serve as the destination VLAN of the inter-VLAN MAC address replicating feature to receive MAC address entries from the other VLANs.
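The selective QinQ mapping configured with vlan-vpn vid and raw-vlan-id inbound, and the MAC learning problem of the Figure 2-2 scenario together with the inter-VLAN MAC address replicating fix, as one added Python model (not H3C code and not the switch's implementation): a port maps inner VID ranges to outer VIDs, source MACs are learned in the port's default VLAN, return traffic from the provider side is flooded until replication is enabled, and the one-mapping-per-destination-VLAN and VLAN 4093 restrictions from the caution above are enforced. Port names, MAC strings, the in-memory table layout and the fallback to the default VLAN tag for inner VIDs that match no rule (the plain VLAN-VPN behaviour) are this example's assumptions.

```python
"""Selective QinQ: inner-to-outer VID mapping and per-VLAN MAC learning.

Added example; not H3C code. Models the behaviour the manual describes:
  * the port pushes an outer tag chosen by inner VID ranges ('raw-vlan-id
    inbound' under 'vlan-vpn vid'); inner VIDs matching no rule fall back to
    the port's default VLAN (PVID), as plain VLAN-VPN does (model assumption);
  * source MACs are learned in the PVID's MAC address table, so return traffic
    arriving on the outer VLAN is flooded unless entries are replicated
    ('mac-address-mapping').
"""
from collections import defaultdict

IRF_RESERVED_VLAN = 4093  # reserved for IRF fabric; not allowed as destination VLAN
FLOOD = "FLOOD"  # unknown unicast: broadcast to all ports in the outer VLAN


class SelectiveQinQPort:
    def __init__(self, name, pvid):
        self.name = name
        self.pvid = pvid
        self.rules = []  # (outer_vid, set(inner_vids)), in configuration order

    def add_rule(self, outer_vid, inner_vids):
        """'vlan-vpn vid <outer_vid>' followed by 'raw-vlan-id inbound <inner_vids>'."""
        self.rules.append((outer_vid, set(inner_vids)))

    def outer_vid_for(self, inner_vid):
        """Outer tag for a frame with the given inner VID (None = untagged)."""
        for outer_vid, inner_vids in self.rules:
            if inner_vid in inner_vids:
                return outer_vid
        return self.pvid


class Switch:
    def __init__(self):
        self.mac_table = defaultdict(dict)  # vlan -> {mac: outbound port}
        self.mappings = {}  # destination vlan -> set(source vlans)

    def enable_mac_mapping(self, source_vlans, dest_vlan):
        """'mac-address-mapping index source-vlan ... destination-vlan ...'."""
        if dest_vlan == IRF_RESERVED_VLAN:
            raise ValueError("VLAN 4093 is reserved for IRF fabric")
        if dest_vlan in self.mappings:
            # Only one mapping per destination VLAN; remove the old one first.
            raise ValueError(f"destination VLAN {dest_vlan} already has a mapping")
        self.mappings[dest_vlan] = set(source_vlans)
        for vlan in source_vlans:  # replicate entries that were already learned
            self.mac_table[dest_vlan].update(self.mac_table[vlan])

    def disable_mac_mapping(self, dest_vlan):
        """Disabling removes every entry the destination VLAN obtained by replication."""
        for vlan in self.mappings.pop(dest_vlan, set()):
            for mac in self.mac_table[vlan]:
                self.mac_table[dest_vlan].pop(mac, None)

    def learn(self, vlan, mac, port_name):
        self.mac_table[vlan][mac] = port_name
        for dest_vlan, sources in self.mappings.items():
            if vlan in sources:
                self.mac_table[dest_vlan][mac] = port_name

    def receive_from_user(self, port, inner_vid, src_mac):
        """Ingress on the selective QinQ port: learn in the PVID, return the outer VID."""
        self.learn(port.pvid, src_mac, port.name)
        return port.outer_vid_for(inner_vid)

    def forward_from_provider(self, outer_vid, dst_mac):
        """Look the destination up in the outer VLAN's table, as the device does."""
        return self.mac_table[outer_vid].get(dst_mac, FLOOD)


def demo_figure_2_2():
    """Scenario of Figure 2-2: PVID 2, inner VLAN 3 mapped to outer VLAN 4."""
    sw = Switch()
    port = SelectiveQinQPort("user-port", pvid=2)
    port.add_rule(4, [3])
    outer = sw.receive_from_user(port, 3, "MAC-A")   # learned in VLAN 2, sent in VLAN 4
    before = sw.forward_from_provider(4, "MAC-A")    # no entry in VLAN 4: flooded
    sw.enable_mac_mapping([2], 4)                     # replicate VLAN 2 entries into VLAN 4
    after = sw.forward_from_provider(4, "MAC-A")     # now unicast to the user port
    return outer, before, after


if __name__ == "__main__":
    print(demo_figure_2_2())
```

The same objects reproduce the configuration example that follows: a port with PVID 5 and rules 100 to 108 → 1000 and 200 to 230 → 1200, with mappings from VLAN 5 into VLANs 1000 and 1200 on the user-facing port.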
I. Network requirements
• GigabitEthernet 1/0/3 of Switch A provides public network access for PC users and IP phone users. PC users belong to VLAN 100 through VLAN 108, and IP phone users belong to VLAN 200 through VLAN 230. GigabitEthernet 1/0/5 of Switch A is connected to the public network. The peer end of Switch A is Switch B.
• GigabitEthernet 1/0/11 of Switch B is connected to the public network. GigabitEthernet 1/0/12 and GigabitEthernet 1/0/13 of Switch B provide network access for PC servers belonging to VLAN 100 through VLAN 108 and voice gateways (for IP phone users) belonging to VLAN 200 through VLAN 230, respectively.
• The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies to these packets to reserve bandwidth for packets of VLAN 1200. That is, packets of VLAN 1200 have higher transmission priority than packets of VLAN 1000.
• Employ the selective QinQ feature on Switch A and Switch B to differentiate traffic of PC users from that of IP phone users, so that QoS policies can guarantee higher priority for voice traffic.
• To reduce broadcast packets in the network, enable the inter-VLAN MAC address replicating feature for selective QinQ.
II. Network diagram
Figure 2-3 Network diagram for selective QinQ configuration
III. Configuration procedure
• Configure Switch A.
# Create VLAN 1000, VLAN 1200 and VLAN 5 (the default VLAN of GigabitEthernet 1/0/3) on Switch A.
<SwitchA> system-view
[SwitchA] vlan 1000
[SwitchA-vlan1000] quit
[SwitchA] vlan 1200
[SwitchA-vlan1200] quit
[SwitchA] vlan 5
[SwitchA-vlan5] quit
# Configure GigabitEthernet 1/0/5 as a hybrid port and configure it not to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200.
[SwitchA] interface GigabitEthernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type hybrid
[SwitchA-GigabitEthernet1/0/5] port hybrid vlan 5 1000 1200 tagged
[SwitchA-GigabitEthernet1/0/5] quit
# Configure GigabitEthernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure GigabitEthernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200.
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type hybrid
[SwitchA-GigabitEthernet1/0/3] port hybrid pvid vlan 5
[SwitchA-GigabitEthernet1/0/3] port hybrid vlan 5 1000 1200 untagged
# Enable the VLAN-VPN feature on GigabitEthernet 1/0/3.
[SwitchA-GigabitEthernet1/0/3] vlan-vpn enable
# Enable the selective QinQ feature on GigabitEthernet 1/0/3 to tag packets of VLAN 100 through VLAN 108 with the tag of VLAN 1000 as the outer VLAN tag, and packets of VLAN 200 through VLAN 230 with the tag of VLAN 1200 as the outer VLAN tag.
[SwitchA-GigabitEthernet1/0/3] vlan-vpn vid 1000
[SwitchA-GigabitEthernet1/0/3-vid-1000] raw-vlan-id inbound 100 to 108
[SwitchA-GigabitEthernet1/0/3-vid-1000] quit
[SwitchA-GigabitEthernet1/0/3] vlan-vpn vid 1200
[SwitchA-GigabitEthernet1/0/3-vid-1200] raw-vlan-id inbound 200 to 230
# Enable the inter-VLAN MAC address replicating feature: on GigabitEthernet 1/0/3, replicate the MAC address entries of the default VLAN to the MAC address tables of the outer VLANs; on GigabitEthernet 1/0/5, replicate the MAC address entries of the outer VLANs to the MAC address table of the default VLAN.
[SwitchA-GigabitEthernet1/0/3-vid-1200] quit
[SwitchA-GigabitEthernet1/0/3] mac-address-mapping 0 source-vlan 5 destination-vlan 1000
[SwitchA-GigabitEthernet1/0/3] mac-address-mapping 1 source-vlan 5 destination-vlan 1200
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface GigabitEthernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] mac-address-mapping 0 source-vlan 1000 1200 destination-vlan 5
After the above configuration, packets of VLAN 100 through VLAN 108 (that is, packets of PC users) are tagged with the tag of VLAN 1000 as the outer VLAN tag when they are forwarded to the public network by Switch A; and packets of VLAN 200 through VLAN 230 (that is, packets of IP phone users) are tagged with the tag of VLAN 1200 as the outer VLAN tag when they are forwarded to the public network.
• Configure Switch B.
# Create VLAN 1000, VLAN 1200, VLAN 12 (the default VLAN of GigabitEthernet 1/0/12) and VLAN 13 (the default VLAN of GigabitEthernet 1/0/13) on Switch B.
<SwitchB> system-view
[SwitchB] vlan 1000
[SwitchB-vlan1000] quit
[SwitchB] vlan 1200
[SwitchB-vlan1200] quit
[SwitchB] vlan 12 to 13
# Configure GigabitEthernet 1/0/11 as a hybrid port, and configure it not to remove VLAN tags when forwarding packets of VLAN 12, VLAN 13, VLAN 1000, and VLAN 1200.
[SwitchB] interface GigabitEthernet 1/0/11
[SwitchB-GigabitEthernet1/0/11] port link-type hybrid
[SwitchB-GigabitEthernet1/0/11] port hybrid vlan 12 13 1000 1200 tagged
[SwitchB-GigabitEthernet1/0/11] quit
# Configure GigabitEthernet 1/0/12 as a hybrid port and configure VLAN 12 as its default VLAN. Configure GigabitEthernet 1/0/12 to remove VLAN tags when forwarding packets of VLAN 12 and VLAN 1000.
[SwitchB] interface GigabitEthernet 1/0/12
[SwitchB-GigabitEthernet1/0/12] port link-type hybrid
[SwitchB-GigabitEthernet1/0/12] port hybrid pvid vlan 12
[SwitchB-GigabitEthernet1/0/12] port hybrid vlan 12 1000 untagged
[SwitchB-GigabitEthernet1/0/12] quit
# Configure GigabitEthernet 1/0/13 as a hybrid port and configure VLAN 13 as its default VLAN. Configure GigabitEthernet 1/0/13 to remove VLAN tags when forwarding packets of VLAN 13 and VLAN 1200.
[SwitchB] interface GigabitEthernet 1/0/13
[SwitchB-GigabitEthernet1/0/13] port link-type hybrid
[SwitchB-GigabitEthernet1/0/13] port hybrid pvid vlan 13
[SwitchB-GigabitEthernet1/0/13] port hybrid vlan 13 1200 untagged
After the above configuration, Switch B can forward packets of VLAN 1000 and VLAN 1200 to the corresponding servers through GigabitEthernet 1/0/12 and GigabitEthernet 1/0/13 respectively.
To have the packets from the servers transmitted to the clients in the same way, you need to configure the selective QinQ feature and the inter-VLAN MAC address replicating feature on GigabitEthernet 1/0/12 and GigabitEthernet 1/0/13. The configuration on Switch B is similar to that on Switch A and is thus omitted.
• The port configuration on Switch B is only an example for a specific network requirement. The key to this example is to enable the ports to receive and forward packets of specific VLANs, so you can also configure the ports as trunk ports. Refer to VLAN Configuration for details.
• A selective QinQ-enabled device tags a user packet with an outer VLAN tag regardless of the VLAN tag of the user packet, so there is no need to configure user VLANs on the device.
• Make sure the packets of the default VLAN of a selective QinQ-enabled port are permitted on both the local port and the port connecting to the public network.
Two features, BPDU Tunnel support for packets of multiple protocols and adjusting tunnel packet MAC addresses, are newly added. For details, refer to BPDU Tunnel Configuration.
When configuring BPDU tunnel, go to these sections for information you are interested in:
• BPDU Tunnel Overview
• BPDU Tunnel Configuration
• Displaying and Maintaining BPDU Tunnel Configuration
• BPDU Tunnel Configuration Example
Normally, Layer 2 protocols are needed in a LAN for network topology maintenance and management. For example, spanning tree protocol (STP) is used for maintaining spanning trees and preventing loops. Huawei group management protocol (HGMP) is used for managing network topology and devices in a network.
When multiple branch networks of an organization are connected together through a public network, you can combine the corresponding network nodes into one so as to maintain the branch networks as a whole. This requires that some of the user's Layer 2 protocol packets be transmitted across the provider's network without getting involved in the computation of the public network.
The BPDU Tunnel feature is designed to address the above requirements. It enables some Layer 2 protocol packets of private networks to be transmitted along tunnels established in the public network.
I. Layer 2 protocol packet identification
Different from the processing of data packets, a Layer 2 protocol packet is classified first when it reaches a network device. A Layer 2 protocol packet conforming to IEEE standards carries a special destination MAC address (for example, the destination MAC address of an STP protocol packet is 0180-c200-0000) and contains a type field. Some proprietary protocols adopt the same packet structure, where a private MAC address is used to identify the corresponding proprietary protocol, and the type field is used to identify the specific protocol type.
II. Transmitting BPDU packets transparently
As shown in Figure 3-1, the network on the top is the service provider network, and the one on the bottom is a customer network. The service provider network contains edge devices connecting the customer network to the service provider network. The customer network contains Network A and Network B. You can have the BPDU packets of the customer network transmitted transparently in the service provider network by enabling the BPDU tunnel feature on the edge devices at both ends of the service provider network.
Figure 3-1 BPDU Tunnel network hierarchy
• When a BPDU packet coming from a customer network reaches an edge device in the service provider network, the edge device changes the destination MAC address carried in the packet from a protocol-specific MAC address to a private multicast MAC address, which can be defined using a command. A packet with this multicast address as its destination address is called a tunnel packet. In the service provider network, the tunnel packet can be forwarded as a normal data packet.
• Before the device in the service provider network forwards the packet to the destination customer network, the edge device identifies the tunnel packet, determines the packet type based on the type field in the packet, restores its destination MAC address to the original protocol-specific MAC address and then forwards the packet to the access device on the user side. This ensures that the forwarded packet is consistent with the packet before it entered the tunnel. So, a tunnel here acts as a local link for user devices. It enables Layer 2 protocols to run on a virtual local network.
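The destination-MAC rewriting of the two steps above, as an added Python model that is not H3C code and not the switch's implementation: the customer-facing side of an edge device replaces the protocol-specific destination MAC with a private multicast tunnel MAC, the provider network forwards the result as ordinary data, and the far edge restores the original MAC from the frame's type field. The manual does not specify how the type field is encoded, so the classifier is this example's own (STP BPDUs as LLC frames with DSAP/SSAP 0x42 0x42, LACP as EtherType 0x8809 subtype 0x01); the tunnel MAC is a constructed placeholder standing in for the command-defined address, and the sample frames are constructed.

```python
"""BPDU tunnel: destination-MAC rewriting at the service provider's edge devices.

Added example; not H3C code. On the customer-facing port the edge device swaps the
protocol-specific destination MAC for a private multicast MAC (the tunnel MAC);
on the way out it restores the original MAC from the frame's type field.
"""
import struct

STP_DST = bytes.fromhex("0180c2000000")     # IEEE 802.1D bridge group address (STP)
LACP_DST = bytes.fromhex("0180c2000002")    # IEEE 802.3 slow protocols address (LACP)
TUNNEL_MAC = bytes.fromhex("0100abcdef01")  # constructed placeholder; real one is command-defined
PROTOCOL_DST = {"STP": STP_DST, "LACP": LACP_DST}

SRC_MAC = bytes.fromhex("66778899aabb")     # constructed sample source address


def classify(frame):
    """Name the Layer 2 protocol from the type field following the MAC header.

    Model assumption: STP BPDUs are LLC frames (802.3 length, then DSAP/SSAP
    0x42 0x42); LACP frames carry EtherType 0x8809 with subtype 0x01.
    """
    type_field = struct.unpack_from("!H", frame, 12)[0]
    if type_field == 0x8809 and frame[14] == 0x01:
        return "LACP"
    if type_field <= 1500 and frame[14:16] == b"\x42\x42":
        return "STP"
    return None


def tunnel_ingress(frame):
    """Customer-facing port: a recognised protocol frame gets the tunnel MAC."""
    proto = classify(frame)
    if proto is None or frame[:6] != PROTOCOL_DST[proto]:
        return frame  # ordinary data or unsupported protocol: forwarded unchanged
    return TUNNEL_MAC + frame[6:]


def tunnel_egress(frame):
    """Provider-facing port: restore the protocol-specific destination MAC."""
    if frame[:6] != TUNNEL_MAC:
        return frame
    proto = classify(frame)
    if proto is None:
        return None  # tunnel MAC with an unknown type field: dropped (this model's choice)
    return PROTOCOL_DST[proto] + frame[6:]


def sample_stp_bpdu():
    """Constructed configuration BPDU: LLC header, then a zeroed 35-byte BPDU body."""
    body = b"\x42\x42\x03" + bytes(35)
    return STP_DST + SRC_MAC + struct.pack("!H", len(body)) + body


def sample_lacpdu():
    """Constructed LACPDU: EtherType 0x8809, slow-protocol subtype 1, version 1."""
    return LACP_DST + SRC_MAC + struct.pack("!H", 0x8809) + b"\x01\x01" + bytes(108)


def sample_data_frame():
    """Constructed unicast IPv4 frame that must pass through the edge untouched."""
    return bytes.fromhex("001122334455") + SRC_MAC + struct.pack("!H", 0x0800) + b"ip payload"


def round_trip(frame):
    """Send a frame through ingress then egress; True if it comes back unchanged."""
    return tunnel_egress(tunnel_ingress(frame)) == frame


if __name__ == "__main__":
    print(tunnel_ingress(sample_stp_bpdu())[:6].hex(), round_trip(sample_stp_bpdu()))
```

Because the provider network forwards the tunnel packet by its destination MAC alone, the classifier on the egress side must be able to recover the protocol from the frame itself; a tunnel frame whose type field is not recognised is dropped here rather than guessed at.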
Figure 3-2 and Figure 3-3 show the structure of a BPDU packet before and after it enters a BPDU tunnel.
Figure 3-2 The structure of a BPDU packet before it enters a BPDU tunnel
Figure 3-3 The structure of a BPDU packet after it enters a BPDU tunnel
Caution:
You can establish BPDU tunnels between S5600 series Ethernet switches for the packets of the following protocols:
• LACP (link aggregation control protocol)
• STP (spanning tree protocol)
• HGMP-related protocols, including NDP (neighbor discovery protocol), NTDP (neighbor topology discovery protocol), cluster MRC (cluster member remote control), and HABP (Huawei authentication bypass protocol)
• Proprietary protocols of other vendors, including CDP (Cisco discovery protocol), PAgP (port aggregation protocol), PVST (per-VLAN spanning tree), VTP (VLAN trunk protocol), and UDLD (unidirectional link discovery)
The edge devices can communicate with the user devices properly.
Follow these steps to configure a BPDU tunnel: